x-force atlanta feb 2012 top web hacks
TRANSCRIPT
-
7/31/2019 X-Force Atlanta Feb 2012 Top Web Hacks
1/28
2011 IBM Corporation
Top 5 Web Hacks
Adrian Owens
Certified Client Technical Professional, Southeast
-
IBM Security Solutions
The Bad Guys Want In
Black Hat Hacker: Wants to steal your important data, especially financial information, which they can sell for a gain.
Hacktivist: Take your website down. Could be motivated by politics, religion, may wish to expose wrongdoing, or exact revenge.
Script Kiddie: May deface your website to make a name for themselves.
-
How: Right Through the Front Door
Resource Access - Address Bar
XSS - Search Field
SQL Injection - Web Form
-
OWASP and the OWASP Top 10 list
Open Web Application Security Project
an open organization dedicated to fighting insecure software
The OWASP Top Ten
document represents a broad consensus about what the most critical web application security flaws are
www.owasp.org
-
OWASP Top 10 Vulnerabilities
-
Discovering the Value of Web Application Security Testing with IBM Rational AppScan 2008 IBM Corporation
TechWorks
1. Injection Flaws (SQL Injection)
What is it?
User-supplied data is sent to an interpreter as part of a command, query or data.
What are the implications?
SQL Injection - Access/modify data in DB
SSI Injection - Execute commands on server and access sensitive data
LDAP Injection - Bypass authentication
-
SQL Injection
User input inserted into SQL Command:
Get product details by id: Select * from products where id=$REQUEST[id];
Hack: send param id with value: or 1=1
Resulting executed SQL: Select * from products where id= or 1=1
All products returned
-
SQL Injection Example I
Select user from tvalidateuser where username=
-
SQL Injection Example II
-
SQL Injection Example - Exploit
or 1=1--
Select user from tvalidateuser where username=or 1=1--
-
SQL Injection Example - Outcome
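As an added example (not code from the deck): the product lookup and the tvalidateuser login query from the slides above, written in Python against an in-memory SQLite database, with the string-built form beside the parameterized form. The table and column names follow the slides; the sample rows are constructed, and a numeric id is placed before the slide's "or 1=1" so the statement parses.

```python
import sqlite3


def make_db():
    # Constructed in-memory database mirroring the slides' tables (rows are made up).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget'), (3, 'gizmo');
        CREATE TABLE tvalidateuser (user TEXT, username TEXT);
        INSERT INTO tvalidateuser VALUES ('alice', 'alice');
    """)
    return db


def products_vulnerable(id_param, db=None):
    # Equivalent of the slide's: Select * from products where id=$REQUEST[id]
    # The request value is pasted into the statement, so the engine parses it as SQL.
    db = db or make_db()
    return db.execute("SELECT id, name FROM products WHERE id=" + id_param).fetchall()


def products_safe(id_param, db=None):
    # Validate the type, then bind it as a parameter: the driver never parses it as SQL.
    db = db or make_db()
    try:
        product_id = int(id_param)
    except ValueError:
        return []  # anything that is not a product id is rejected, not interpolated
    return db.execute("SELECT id, name FROM products WHERE id=?", (product_id,)).fetchall()


def login_vulnerable(username, db=None):
    # Equivalent of the slide's: Select user from tvalidateuser where username='...'
    db = db or make_db()
    sql = "SELECT user FROM tvalidateuser WHERE username='" + username + "'"
    return db.execute(sql).fetchall()


def login_safe(username, db=None):
    db = db or make_db()
    return db.execute("SELECT user FROM tvalidateuser WHERE username=?", (username,)).fetchall()


if __name__ == "__main__":
    print(products_vulnerable("1 or 1=1"))  # all three products come back
    print(products_safe("1 or 1=1"))        # []
    print(login_vulnerable("' or 1=1--"))   # [('alice',)] with no valid name supplied
    print(login_safe("' or 1=1--"))         # []
```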
-
2. Cross-Site Scripting (XSS)
What is it?
Malicious script echoed back into HTML returned from a trusted site, and runs under the trusted context
What are the implications?
Session Tokens stolen
Complete page content compromised
Future pages in browser compromised
-
XSS Example I
aSdF
-
XSS Example II
HTML code:
-
Cross Site Scripting - The Exploit Process
Parties: Evil.org, User, bank.com
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
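An added example (not part of the deck): the search-field echo behind the XSS slides as a vulnerable render function beside an output-encoded one, plus a reflection probe in the spirit of the harmless "aSdF" marker shown on the XSS Example I slide. The render functions and the angle-bracket wrapper around the marker are constructed here.

```python
import html


def render_search_vulnerable(query):
    # Echoes the search term straight into the page body: whatever the user
    # typed reaches the browser as markup, which is the XSS pattern on the slides.
    return "<html><body><p>Results for: " + query + "</p></body></html>"


def render_search_safe(query):
    # Output-encodes for an HTML text context; <, >, &, and quotes are shown
    # as text and never parsed as tags or attributes. The encoding must match
    # the context: an attribute or a script block needs its own encoder.
    return "<html><body><p>Results for: " + html.escape(query, quote=True) + "</p></body></html>"


def probe_reflection(render, marker="aSdF"):
    """Black-box reflection check: submit a harmless marker wrapped in angle
    brackets and classify how the response carries it back. An unencoded
    reflection is the finding a scanner reports for this input."""
    probe = "<" + marker + ">"
    page = render(probe)
    if probe in page:
        return "reflected-unencoded"
    if html.escape(probe, quote=True) in page:
        return "reflected-encoded"
    return "not-reflected"


if __name__ == "__main__":
    print(probe_reflection(render_search_vulnerable))  # reflected-unencoded
    print(probe_reflection(render_search_safe))        # reflected-encoded
```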
-
3. Broken Authentication & Session Management
What is it?
Session tokens aren't guarded and invalidated properly
What are the implications?
Session tokens can be planted by hackers in an XSS/XSRF attack, hence leaked
Session tokens more easily available (valid longer, less protection) to be stolen in different ways
-
Broken Authentication and Session Management - Examples
Unprotected Session Tokens
  - Session ID kept in a persistent cookie
  - Not using the HttpOnly flag for cookies
Sessions valid for too long
  - Session not invalidated after logout
  - Session timeout too long
Session fixation possible
  - Session ID not replaced after login
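An added example (not from the deck) covering the checklist above in Python: a minimal server-side session store that issues a fresh ID at login, invalidates on logout, enforces an idle timeout, and emits the cookie without a persistent expiry and with HttpOnly set. The 15-minute timeout, the SESSIONID cookie name and the SameSite attribute are assumptions here, not values from the slides.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy; the slides only say "too long" is a flaw


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str or None, "last_seen": float}

    def create(self, now):
        sid = secrets.token_urlsafe(32)  # 256-bit random ID from a CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid, user, now):
        # Session fixation defence: the pre-login ID is discarded and a new one issued,
        # so an ID planted before authentication never becomes an authenticated session.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid

    def logout(self, sid):
        # Invalidate on the server; deleting the cookie in the browser is not enough.
        self._sessions.pop(sid, None)

    def lookup(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(sid)  # idle timeout: the session is gone, not just stale
            return None
        s["last_seen"] = now
        return s["user"]


def session_cookie_header(sid):
    # No Expires/Max-Age, so this is a session cookie rather than a persistent one.
    # HttpOnly keeps it out of document.cookie; Secure keeps it off plain HTTP.
    return "Set-Cookie: SESSIONID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid
```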
-
4. Insecure Direct Object Reference
What is it?
Part or all of a resource (file, table, etc.) name controlled by user input.
What are the implications?
Access to sensitive resources
Information Leakage, aids future hacks
-
Insecure Direct Object Reference - Example
Attacker may attempt to manipulate the parameter "Content", changing it to the Boot.ini system file
-
Insecure Direct Object Reference Example Cont.
Poison Null Byte
Use a NULL character so the name ends before the ".htm" the application appends
-
Insecure Direct Object Reference Example Cont.
Bingo! Sensitive file information at our fingertips!
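An added example (not from the deck): the "Content" parameter lookup from the slides above in Python, with the vulnerable concatenation beside a checked version that rejects control characters such as NUL, allows only plain page names, and confirms the resolved path stays under the document root. The document-root path and the page names are assumptions.

```python
from pathlib import Path


def resolve_content_vulnerable(docroot, content_param):
    # Mirrors the slide: the parameter names the page and ".htm" is appended.
    # Dot segments walk out of the directory, and in C-backed runtimes an
    # embedded NUL ends the string before the ".htm" is ever seen.
    return str(docroot) + "/" + content_param + ".htm"


def resolve_content_safe(docroot, content_param):
    """Return the page path under docroot, or None if the name is not acceptable."""
    docroot = Path(docroot).resolve()
    # 1. Control characters (NUL included) are never part of a legitimate page name.
    if any(ord(c) < 32 for c in content_param):
        return None
    # 2. Allow only a plain page name: no separators, no dot segments, not empty.
    if not content_param or not all(c.isalnum() or c in "-_" for c in content_param):
        return None
    # 3. Defence in depth: resolve and check the result still lies under docroot.
    candidate = (docroot / (content_param + ".htm")).resolve()
    try:
        candidate.relative_to(docroot)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/www/content"  # assumed document root
    print(resolve_content_vulnerable(root, "../../boot.ini\x00"))  # escapes the directory
    print(resolve_content_safe(root, "../../boot.ini\x00"))        # None
    print(resolve_content_safe(root, "about"))                     # /srv/www/content/about.htm
```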
-
XSRF Exploit Illustration
Parties: Evil.org, Victim; targets: Bank.com, WebMail, Wireless Router
1) User browses page with malicious content
2) Script (or link) is downloaded and executed in browser
3) Bank.com: Money transferred / WebMail: All mails forwarded to hacker / Wireless Router: Router opened for outside access
4) Bank.com: Money withdrawn / WebMail: Private mails accessed, possibly containing passwords / Wireless Router: Firewalls bypassed, internal computers hacked
-
Security Testing Technologies... Combination of the Two Delivers
Comprehensive Solution
Static Code Analysis = Whitebox
Scanning source code for security issues
Dynamic Analysis = Blackbox
Security analysis of a compiled application
Diagram: Total Potential Security Issues = Dynamic Analysis + Static Analysis = Complete Coverage
-
Automated Security Testing
AppScan Standard Edition - Black-box, dynamic - Desktop Version - connects to Enterprise Reporting
AppScan Enterprise Edition - Black-box, dynamic - Web-based Version - connects to Enterprise Reporting
AppScan Source Edition - White-Box, Static - IDE, Desktop, Web Based - connects to Enterprise Reporting
AppScan Source For Automation - Build Component - Part of Build Engine - Build Forge Enabled
AppScan Policy Tester - Quality, Privacy, Accessibility - Web-based Version - connects to Enterprise Reporting
-
Roles, activities and AppScan tools (BB = black-box, WB = white-box)
Security specialists
  Activities: Conduct security assessments; Publish findings for remediation/trending
  Tools: AppScan Standard Edition Desktop (BB); AppScan Enterprise Web Based Views (WB & BB); Source Edition Desktop (WB) for Assessments
Compliance Officers
  Activities: Review compliance reports
  Tools: ASE Web Based Views (BB & WB)
Developers
  Activities: View assessment results; Remediate issues; Assign issue status
  Tools: ASE Quick Scans (BB); Visual Studio .Net (WB); Eclipse Java (WB)
  Source Edition languages: PHP, Perl, ColdFusion, Client-Side JavaScript, C/C++, Java/JSP, .NET (C#, ASP.NET, VB.NET), Classic ASP (VB6), VBScript, Server-Side JavaScript
Management
  Activities: Review most common security issues; View trends; Assess risk
  Tools: AppScan Enterprise (ASE) Web Based Views (BB & WB)
Build automation
  Activities: Source code analysis (WB); Part of build verification; Publish findings for remediation/trending
  Tools: Headless Source Edition App (Source Edition Core) integration with Build Forge, Ant, Maven, Make
QA & Accessibility
  Activities: Conduct Quality / Privacy / Accessibility Tests; Publish findings for remediation/trending
  Tools: AppScan Enterprise Web Based Views (BB); Policy Tester Module in ASE (BB); AppScan Tester Edition for RQM (BB)
QC, CQ
  Activities: Publish Security Defects
  Tools: AppScan Enterprise Integration
Diagram centre: Rational AppScan Enterprise portal (AppScan Enterprise, Policy Tester Enterprise, Source Edition for Core); ASE Scan Agents (BB)
-
Security testing within the application life cycle
Chart: % of Issues Found by Stage of SDLC (Desired Profile)
-
Questions & Thank You!