web application security

Web Application Security

Siarhei Barysiuks.barysiuk@sam-solutions.net

Our roadmap

Introduction: What will we cover today?

1. Five top vulnerabilities by OWASP2. How to find them3. How to prevent them

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.

OWASP

Breach Security Network

OWASP: Top Ten 2007

1. Cross Site Scripting2. Injection Flaws3. Insecure Remote File Include4. Insecure Direct Object Reference5. Cross Site Request Forgery6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access

OWASP: Top Ten 2004

1. Unvalidated Input2. Broken Access Control3. Broken Authentication And Session Management4. Cross Site Scripting5. Buffer Overflows6. Injection Flaws7. Improper Error Handling8. Insecure Storage9. Denial Of Service10. Insecure Configuration Management

1. Cross Site Scripting2. Injection Flaws3. Insecure Remote File Include4. Insecure Direct Object Reference5. Cross Site Request Forgery6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access

4. Cross Site Scripting 6. Injection Flaws

2. Broken Access Control (split)

7. Improper Error Handling3. Broken Authentication And Session Management8. Insecure Storage

2. Broken Access Control (split)1. Unvalidated Input5. Buffer Overflows9. Denial Of Service10. Insecure Configuration Management

NEW

NEW

OWASP: 2004 & 2007

BSN: The Web Hacking Incidents Database What are the drivers for Web Hacking?

1%1%1%3%3%3%

8%

15%

23%

42%

Stealing Sensitive Information Defacement Planting MalwareUnknown Deceit BlackmailLink Spam Worm PhishingInformation Warfare

BSN: The Web Hacking Incidents Database What are the drivers for Web Hacking?

18%

8%

10%

12% 15%

17%

20%

SQL Injection Unintentional Information DisclosureKnown Vulnerability Cross Site Scripting (XSS)Insufficient Access Control Credential/Session PredictionOther

A1

A2A3

A5

A4

A7

A6

A10, 2004

Cross Site Scripting

Cross Site Scripting: OverviewCross Site Scripting (XSS) flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.

<script type="text/javascript"> alert("You've been hacked!");</script>

<script type="text/javascript"> alert("You've been hacked!");</script>

&lt;script type="text/javascript"&gt; alert("You've been hacked!");&lt;/script&gt;

&lt;script type="text/javascript"&gt; alert("You've been hacked!");&lt;/script&gt;

server

Cross Site Scripting: How it works.

Kate

Bad Guy

Posting malicious message

Nick

Cross Site Scripting: Demo

Demo

Cross Site Scripting: Protection

1. Input validation Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.

2. Strong output encoding Ensure that all user‐supplied data is HTML entity encoded before rendering in HTML, taking the approach to encode all characters other than a very limited subset.

Questions?

Injection Flaws

Injection Flaws: Overview

Injection flaws, particularly SQL injection, are common in web applications.

Injection occurs when user‐supplied data is sent to an interpreter as part of a command or query. The attacker’s data tricks the interpreter into executing unintended commands.

SQL Injection: How it works.

server DB server

Kate

?uname=kate&pwd=123abc SELECT pwd FROM USERS WHERE uname IS '$uname';

?uname=’;%20DROP%20TABLE%20USERS;&pwd=123abc

server DB server

SELECT pwd FROM USERS WHERE uname IS '$uname';

Bad Guy

SELECT pwd FROM USERS WHERE uname IS 'kate';

SELECT pwd FROM USERS WHERE uname IS '';DROP TABLE USERS;

SQL Injection: Demo

Demo

SQL Injection

SQL Injection: Protection

1. Enforce least privilege2. Avoid detailed error messages3. Do not send dynamic queries4. Be careful when using stored procedures5. Do not use dynamic query interface6. Do not use simple escaping functions

Questions?

Insecure Remote File Include

Insecure Remote File Include: Overview

Malicious file execution vulnerabilities are found in many applications. Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files.

include $_REQUEST['filename’];

Insecure Remote File Include: How it works.

<select name="language"> <option value="fr"></option></select>

require_once ($_REQUEST["language"]."lang.php");

<select name="language"> <option value="fr">French</option> <option value="../../../../etc/passwd%00">Show your passwords</option></select>

Insecure Remote File Include: Protection

In general, a well‐written application will not use user‐supplied input in any filename for any server‐based resource(such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server.

Questions?

Insecure Direct Object Reference

Insecure Direct Object Reference: Overview

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.

Unless an access control check is in place, an attacker can manipulate those references to access other objects without authorization.

int cartID = Integer.parseInt( request.getParameter( "cartID" ) ); String query = "SELECT * FROM table WHERE cartID=" + cartID;

Insecure Direct Object Reference: How it works.

Unauthorized user has access to any cart.

int cartID = Integer.parseInt( request.getParameter( "cartID" ) ); User user = (User)request.getSession().getAttribute( "user" ); String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();

Preventing:

Insecure Direct Object Reference: Protection

1. Avoid exposing your private object references to users whenever possible.2. Verify authorization to all referenced objects

Questions?

Cross Site Request Forgery

Cross Site Request Forgery: Overview

A CSRF attack forces a logged‐on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim, to the benefit of the attacker.

Cross Site Request Forgery: How it works.

Peterbank.com

/login.html

/auth

Cookie: sessionid:1234567

/viewbalance Cookie: sessionid:1234567

Your balance is 50 000 $

Cross Site Request Forgery: How it works.

Peterbank.com

/login.html

/auth

Cookie: sessionid:1234567

/paybill?addr=...&amount=1000 Cookie: sessionid:1234567

OK. Payment sent!

evil.com

/index.html

...<img src="http://bank.com/paybill?addr=...&amount=1000"/>...

Questions?

Others

Others

6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access

Questions?