®
IBM Software Group
© 2010 IBM Corporation
Get Ready for Web Application Security Testing
Alan Kan
Technical Manager
IBM Rational Software
alankan@nz1.ibm.com
IBM Software Group | Rational software
Run Down
The Security Landscape
What does it mean for Testing Professionals
A Few Top Attacks and How to Test for Them
What You Can Do to Prepare for Security Testing
The Web Ecosystem (Simplified)
LexisNexis Data Breach - Washington Post, Feb 17, 2008
IndiaTimes.com Malware - InformationWeek, Feb 17, 2008
Hacker breaks into Ecuador's presidential website - Thaindian, Feb 11, 2008
Hacking Stage 6 - Wikipedia, Feb 9 2007
Hacker steals Davidson Cos client data - Falls Tribune, Feb 4 2008
RIAA wiped off the Net - TheRegister, Jan 20 2008
Chinese hacker steals 18M identities - HackBase.com, Feb 10, 2008
Mac blogs defaced by XSS - The Register, Feb 17, 2008
Your Free MacWorld Expo Platinum Pass - CNet, Jan 14, 2008
Hacker takes down Pennsylvania gvmt - AP, Jan 6, 2008
Drive-by Pharming in the Wild - Symantec, Jan 21 2008
Italian Bank hit by XSS fraudsters - Netcraft, Jan 8 2008
Greek Ministry websites hit by hacker intrusion - eKathimerini, Jan 31, 2008
What about in this part of the world?
“JB Hi-Fi's websites in Australia and New Zealand were redirecting customers to malicious web pages over the weekend in a cyber attack” - stuff.co.nz, 01/12/2009
“Turkish defacers broke into the New Zealand based registrar Domainz.net … Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox” - zone-h.org/news/id/4708, 21/04/2009
“Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen” - nzherald.co.nz, 12/09/2007
“A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen” - abc.net.au, 16/9/2007
“Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information” - SMH.com.au, 14/10/2007
Web Application Security is Neglected
75% of all attacks on Information Security are directed to the Web Application Layer
2/3 of all Web Applications are vulnerable

Security Spending: share of attacks vs share of dollars
                    % of Attacks    % of Dollars
Web Applications        75%             10%
Network Server          25%             90%
Run Down
The Security Landscape
What does it mean for Testing Professionals
A Few Top Attacks and How to Test for Them
What You Can Do to Prepare for Security Testing
Secure Applications – Who is Responsible?
System Administrator?
Network Administrator?
Security Professional?
Solution Architect?
Developers?
Testing Professional?
The Trend – Incorporate Security into Testing
(Diagram: the SDLC build pipeline, Coding -> QA -> Security -> Production, with Developers shown at each stage)
Incorporate Security as part of Testing
Ensure vulnerabilities are addressed before applications are put into production
Security Testing Steps are not that different from usual
Identify possible vulnerability
Prove vulnerability
Assess risk, scope, depth, severity and impact
Create repeatable tests
Test mitigation and fixes
Run Down
The Security Landscape
What does it mean for Testing Professionals
A Few Top Attacks and How to Test for Them
What You Can Do to Prepare for Security Testing
OWASP and the OWASP Top 10 list
Open Web Application Security Project – an open organization dedicated to fighting insecure software
“The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are”
1 - Injection Flaws
What is it? User-supplied data is sent to an interpreter as part of a command, query or data.
What are the implications? SQL Injection – Access/modify data in DB
SSI Injection – Execute commands on server and access sensitive data
LDAP Injection – Bypass authentication
…
SQL Injection
User input inserted into SQL command (get product details by id):
  Select * from products where id='$REQUEST["id"]';
Hack: send param id with value ' or '1'='1
Resulting executed SQL:
  Select * from products where id='' or '1'='1'
All products returned
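The slide above shows the vulnerable query and its outcome; the "Security Testing Steps" slide asks testers to create repeatable tests and then test the fix. The following example is added here (it is not code from the presentation or from IBM) and puts both together in Python with an in-memory SQLite table: the same lookup written with string splicing and with a bound parameter, plus one regression check that fails against the first and passes against the second. The product rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample catalogue for the demonstration (not data from the slides).
PRODUCTS = [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")]

# The tautology value from the slide, used here only as a regression probe.
PAYLOAD = "' or '1'='1"


def make_db():
    """Create a throwaway in-memory database holding the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(str(pid), name) for pid, name in PRODUCTS],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Mirrors the slide: the request parameter is spliced into the SQL text,
    so quote characters in the value become SQL syntax."""
    sql = "SELECT * FROM products WHERE id='%s'" % product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    """The fix: a bound parameter. The driver sends the value separately from
    the statement, so it can never change the query's structure."""
    return conn.execute(
        "SELECT * FROM products WHERE id=?", (product_id,)
    ).fetchall()


def repeatable_test(lookup):
    """Regression check a tester can keep in the suite: a valid id returns
    exactly one product, and the tautology probe must not return the table.
    Returns True when the lookup passes both conditions."""
    conn = make_db()
    baseline = lookup(conn, "2")
    attacked = lookup(conn, PAYLOAD)
    return len(baseline) == 1 and len(attacked) == 0


if __name__ == "__main__":
    print("vulnerable passes:", repeatable_test(lookup_vulnerable))      # False
    print("parameterized passes:", repeatable_test(lookup_parameterized))  # True
```

The check is deliberately behavioural rather than string-based: it asserts on the number of rows that come back, which is what the slide's "All products returned" outcome means, so the same test keeps working after the query is rewritten.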
SQL Injection Example I
SQL Injection Example II
SQL Injection Example - Exploit
SQL Injection Example - Outcome
Injection Flaws (SSI Injection Example) – Creating commands from input
The return is the private SSL key of the server
2. Cross-Site Scripting (XSS)
What is it? Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
What are the implications? Session Tokens stolen (browser security circumvented)
Complete page content compromised
Future pages in browser compromised
Cross Site Scripting – The Exploit Process
Evil.org
User bank.com
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
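Step 3 of the process above is the point a tester can check directly: does the page echo request data back into its HTML unchanged? The example below is added here (it is not code from the presentation or from IBM) and shows a minimal reflected response in Python, first echoing the parameter verbatim and then encoding it with the standard library's html.escape, together with a repeatable check that a constructed probe string does not survive as markup. The page template, the probe and the function names are constructed for the demonstration.

```python
from html import escape

# Constructed page template: the search term is reflected into the body.
PAGE = "<html><body><h1>Search results for: {term}</h1></body></html>"

# Constructed probe string for the regression check. It only needs to contain a
# tag; the test asks whether that tag reaches the browser as markup.
PROBE = "<script>probe()</script>"


def render_vulnerable(term):
    """Echoes the request parameter into the HTML unchanged, which is the
    behaviour the exploit process relies on in step 3."""
    return PAGE.format(term=term)


def render_escaped(term):
    """Mitigation: HTML-encode the untrusted value before placing it in the
    page body, so '<', '>', '&' and quotes are shown as text, not parsed."""
    return PAGE.format(term=escape(term, quote=True))


def probe_is_neutralized(render):
    """Repeatable test for the tester's suite: the probe must not appear as a
    live tag, and its encoded form must be present instead. Returns True when
    the renderer passes."""
    out = render(PROBE)
    return "<script>" not in out.lower() and "&lt;script&gt;" in out


if __name__ == "__main__":
    print("vulnerable neutralizes probe:", probe_is_neutralized(render_vulnerable))  # False
    print("escaped neutralizes probe:", probe_is_neutralized(render_escaped))        # True
```

Encoding at the point of output is the check to look for in review; the same value may need different encoding if it is reflected into an attribute, a URL or a script block rather than the element body.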
XSS Example I
HTML code:
XSS Example II
HTML code:
4 - Insecure Direct Object Reference
What is it? Part or all of a resource (file, table, etc.) name controlled by user input.
What are the implications? Access to sensitive resources
Information Leakage, aids future hacks
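A direct object reference is only a flaw when the server trusts the user-supplied name without asking whether the caller is allowed to see that resource. The example below is added here (it is not code from the presentation or from IBM) and contrasts a lookup keyed purely on the request's id with one that resolves the record and then enforces ownership, plus a repeatable check that one user cannot read another's record. The invoice records, user names and function names are constructed for the demonstration.

```python
# Constructed sample records: invoice id -> (owner, contents). Not data from the slides.
INVOICES = {
    "1001": ("alice", "Invoice 1001 for alice"),
    "1002": ("bob", "Invoice 1002 for bob"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested resource."""


def get_invoice_vulnerable(current_user, invoice_id):
    """The resource is selected purely by the user-supplied id; the identity
    of the caller is never consulted, so any caller can read any invoice."""
    return INVOICES[invoice_id][1]


def get_invoice_checked(current_user, invoice_id):
    """Fix: resolve the record on the server, then require that the caller
    owns it before returning anything."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != current_user:
        # Same response for "not yours" and "does not exist", so the error
        # message itself does not reveal which ids are in use.
        raise Forbidden("not found")
    return record[1]


def idor_test(fetch):
    """Repeatable test: alice may read her own invoice but not bob's.
    Returns True when the fetch function passes both conditions."""
    own_ok = fetch("alice", "1001") == INVOICES["1001"][1]
    try:
        fetch("alice", "1002")
        cross_blocked = False
    except (Forbidden, KeyError):
        cross_blocked = True
    return own_ok and cross_blocked


if __name__ == "__main__":
    print("vulnerable passes:", idor_test(get_invoice_vulnerable))  # False
    print("checked passes:", idor_test(get_invoice_checked))        # True
```

The test is written from the point of view of a second account rather than by guessing ids, which is how a tester would prove the vulnerability (step 2 of the testing steps) without touching data that belongs to a real user.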
Insecure Direct Object Reference - Example
Insecure Direct Object Reference – Example Cont.
Insecure Direct Object Reference – Example Cont.
Run Down
The Security Landscape
What does it mean for Testing Professionals
A Few Top Attacks and How to Test for Them
What You Can Do to Prepare for Security Testing
Get Educated on the Topic
Beware of legal issues
Create a Sandpit environment
Know the latest trends – IBM X-Force Threat Reports
  http://www-935.ibm.com/services/nz/iss/xforce/trendreports/
Study past and current exploits – US Computer Emergency Readiness Team
  http://www.kb.cert.org/vuls
Learn how to test for the vulnerabilities – OWASP Testing Guide
  http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
Learn the syntax of operating systems, databases and programming code
Experiment with Tools – WebScarab
  http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Experiment with Tools – IBM Rational AppScan
  http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html
How Does Automated Tool Work?
Get Tools – which ones?
Automated vs Manual
  Do it a lot quicker in a shorter timeframe
  Regression tests
  Recommendations
Security-specific vs general automated testing tool
  Time it takes to become a security expert
  Time it takes to learn coding
  Time it takes to create report templates
  Fix recommendations
  Hard to reach places – Malware, Flash
  Still needs a human being to validate results
Commercial vs Free tools
  It costs
  Regular updates
  Usability, Quality
Tools
Manual Testing
  OWASP WebScarab: http://www.owasp.org/index.php/Category:OWASP_Project
  Firebug: http://getfirebug.com
Automated Testing
  IBM Rational AppScan: http://www-01.ibm.com/software/rational/offerings/websecurity/webappsecurity.html
© Copyright IBM Corporation 2010. All rights reserved.
The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
IBM Rational AppScan
The undisputed market leader
  Ranked #1 in Market Share by IDC
  #1 in numerous industry “bake offs”
Automatically scans web applications for vulnerabilities
  SQL Injection
  Cross-site Scripting
Provides clear recommendations on how to fix them, i.e. Character sanitization
The Result? Improved security, lower costs, and the ability to meet PCI standards for application security