Top Five Web Application Vulnerabilities
Vebjørn Moen, Selmersenteret/NoWires.org
Norsk Kryptoseminar, Trondheim, 09.11.2004
Top 5
● Top 5 vulnerabilities (src: http://software.newsforge.com/software/04/09/17/1527247.shtml?tid=78&tid=48)
– SQL insertion
– Cross Site Scripting (CSS/XSS)
– Session management
– Default/misconfigurations
– Dangerous HTTP methods
SQL insertion
● Problem: Trusting input from client, and passing it on to a SQL server.
● E.g.: SELECT userid FROM tblusers WHERE user = 'bleh'; EXEC master..xp_cmdshell "cmd.exe /c …";--' AND pass = 'password'
SQL insertion
● Form fields, URL parameters, cookies, and HTTP headers are all valid input vectors.
● Solution: Define acceptable data and make it as restrictive as possible. If input data is invalid then it should be rejected.
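The two points above (validate against a restrictive definition of acceptable data, and never let client input become part of the SQL text), as an added example that is not from the slides. The table and column names follow the slide's query; the username whitelist is an assumed policy, and the database is a constructed in-memory SQLite table.

```python
import re
import sqlite3

# Assumed policy for the "user" field: 3-32 characters from [A-Za-z0-9_].
# Quotes, ';' and '--' are simply not acceptable data and are rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Whitelist check: the whole value must match the allowed pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def unsafe_query(user: str, password: str) -> str:
    """The slide's pattern: client input pasted straight into the SQL text.
    Only builds the string, so the reader can see what the server would be
    asked to run; a quote in the input ends the literal and the rest is SQL."""
    return (f"SELECT userid FROM tblusers WHERE \"user\" = '{user}' "
            f"AND \"pass\" = '{password}'")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring tblusers(userid, user, pass).
    Plaintext password column only to match the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE tblusers (userid INTEGER, "user" TEXT, "pass" TEXT)')
    conn.execute("INSERT INTO tblusers VALUES (1, 'alice', 'password')")
    conn.commit()
    return conn


def lookup_userid(conn: sqlite3.Connection, user: str, password: str):
    """Hardened lookup: reject invalid input first, then bind the values as
    parameters so the database never interprets them as SQL."""
    if not is_valid_username(user):
        raise ValueError("rejected: username fails the whitelist")
    row = conn.execute(
        'SELECT userid FROM tblusers WHERE "user" = ? AND "pass" = ?',
        (user, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "bleh'; EXEC master..xp_cmdshell \"cmd.exe /c ...\";--"
    print(unsafe_query(payload, "password"))  # the injected statement is now part of the SQL
    conn = build_db()
    print(lookup_userid(conn, "alice", "password"))  # 1
    try:
        lookup_userid(conn, payload, "password")
    except ValueError as err:
        print(err)  # rejected before any query is built
```

Even without the whitelist, the bound parameters alone would make the payload an ordinary string that matches no row; the whitelist adds the rejection the slide asks for and keeps junk out of logs and error paths.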
Cross Site Scripting
● Problem: a Web application accepts scripting commands as input, and returns them.
– The script appears to originate from the vulnerable server, which the user trusts, so it gets access to all of the user's cookie and session information.
● Example: http://mywebsite.com/login.jsp?msg=<script>alert()</script>
● Solution: Do not reflect values obtained as input back to the browser.
Session management problems
● Problem: the session state kept between your browser and the Web site.
– Used to track who is logged in and their access privileges.
● Attackers can access restricted pages without proper authorization, or manipulate session variables to gain access to other users' accounts.
– e.g. manipulating parameters in the URL
Session management problems
● Sessions should always be maintained on the server side.
– Don't trust cookies and client-side session values
– Always use a strong unique identifier instead of an integer, email address or account number/name.
● Check for a valid session on each restricted access page whenever the page is requested.
Session management problems
● JavaScript shopping carts
– price is often embedded in the HTML code
– third-party payment collector
– it is possible to change the price (get stuff cheaper...)
Default/misconfigurations (Sample apps/dir listings)
● configuration and installation problems.
● provides an attacker with a starting point for breaking into the server:
– sample applications that are installed by default
– directory listings and permissions
– default software features and configurations
– log and swap files
Default/misconfigurations
● Sample applications that are installed by default can contain sensitive information.
● Scripts that disclose Web site source code.
● Directory listings can reveal files.
● Default software features may have exploitable bugs.
● Log files and swap files can be left over from developers editing Web application pages.
Dangerous HTTP commands
● PUT, DELETE, WebDAV
● PUT: upload a script
● DELETE: delete all the content of a site – DoS
● WebDAV: methods have been used to perform buffer overflows on Windows servers.
Dangerous HTTP commands cont.
● To test the PUT method, use a tool like curl to attempt a file upload:
curl -T test.html www.mysite.com
– try to access the file
● To test the DELETE method, telnet to the Web server and issue the command:
DELETE / HTTP/1.0
Conclusion
● Security problems are caused by errors:
– configuration errors
– programming errors
– misplaced trust (e.g. in user input)
● Cryptography is failing to protect
– or.. it is not the final answer
● Awareness and teaching