web security: concepts and tools used by attackers

Post on 25-May-2015

DESCRIPTION

Today, with prominent web attacks taking place seemingly every week, it is time to consider security a fundamental part of web application development. This talk presents some basic concepts and demonstrates some of the tools attackers use against common web vulnerabilities.

TRANSCRIPT

Web Security

Why?

● 2.7B worldwide Internet users
● Protecting users' privacy is critical
● Loss of trust: if we leak, users will leave

Prominent web attacks every week

Why Security is difficult

“A system is secure if it behaves precisely in the manner intended and does nothing more”

Why Security is difficult

1. Software is complex
● Difficult to analyze in complex real-world scenarios

Why Security is difficult

2. The web was not designed to be secure
● Originally targeted at providing unlimited access
● Its speed of ascent brought design flaws that remain to the present day

Know who (really) are your users

“The most striking property of web browsers is that most people who use them are overwhelmingly unskilled”

Know who (really) are your users

Research #1
● Casual users are oblivious to signals that make perfect sense to a developer.
● Good phishing websites fooled 90% of participants

Know who (really) are your users

Research #2
● The 'green URL bar' security indicator

Who’s responsible for security

● Avoid the "Security Department" excuse
● We are the first line of defense
● Keep maintainable security strategies

Maintainable Security strategies

Consider security during the whole lifecycle
● For each new release, the potential for new security issues increases.

User Stories?

“As an employee, I can search for other employees by their last name”

Add EVIL User Stories

“As a hacker I can send bad data in HTTP headers, so I can access data and functions for which I’m not authorized.”
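The EVIL user story above, worked through as an added example that is not part of the talk: a handler that decides authorization from a client-supplied HTTP header beside one that derives the role from the server-side session. The header name, the session store and the endpoint are hypothetical, constructed for the demo.

```python
# Added example (not from the talk). Compares a handler that trusts the
# attacker-controlled "X-User-Role" header (hypothetical name) with one that
# only trusts the server-side session bound to the session cookie.
from dataclasses import dataclass, field

# Constructed server-side session store: session id -> user record.
# In a real app this lives in a database or cache, never in the request.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "employee"},
    "sess-carol": {"user": "carol", "role": "admin"},
}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def export_salaries_vulnerable(req):
    """Authorizes on a header the client can set to anything (the EVIL story)."""
    if req.headers.get("X-User-Role") == "admin":
        return 200, "salary export"
    return 403, "forbidden"


def export_salaries_hardened(req):
    """Authorizes only from server-side state; headers are untrusted input."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not authenticated"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "salary export"


def demo():
    """Runs the same three requests through both handlers; returns status codes."""
    # Attacker with no session at all, just a forged header.
    forged = Request(headers={"X-User-Role": "admin"})
    # Legitimate employee who also tries the forged header.
    alice = Request(headers={"X-User-Role": "admin"}, cookies={"session": "sess-alice"})
    # Real admin, no tricks.
    carol = Request(cookies={"session": "sess-carol"})
    return {
        "vuln_forged": export_salaries_vulnerable(forged)[0],   # 200: anyone is admin
        "hard_forged": export_salaries_hardened(forged)[0],     # 401
        "hard_alice": export_salaries_hardened(alice)[0],       # 403: header ignored
        "hard_carol": export_salaries_hardened(carol)[0],       # 200
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The same rule applies to any client-controlled field (cookies the server did not sign, hidden form fields, `X-Forwarded-For`, JSON body attributes): it is input to validate, never a source of authorization decisions.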

OWASP List

OWASP 2013 List
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
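A1 (Injection) applied to the employee-search user story earlier in the deck, as an added example that is not part of the talk: the search built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table. Table, column and function names are hypothetical.

```python
# Added example (not from the talk). Two implementations of "search employees
# by last name" against a constructed SQLite database, showing what the two
# classic payloads (' OR '1'='1 and a UNION) do to each one.
import sqlite3


def make_db():
    """Constructed sample data: three employees with salaries the search must not leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, last_name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees (last_name, salary) VALUES (?, ?)",
        [("Smith", 50000), ("Jones", 62000), ("Lee", 71000)],
    )
    return conn


def search_vulnerable(conn, last_name):
    """Builds the WHERE clause by concatenation: user input becomes SQL syntax."""
    sql = "SELECT last_name FROM employees WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, last_name):
    """Binds the value as a parameter: the input can only ever be a string to compare."""
    sql = "SELECT last_name FROM employees WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


# Payloads an automated scanner such as w3af would try (see the demos below).
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
# Trailing "--" comments out the closing quote the application appends.
PAYLOAD_UNION = "' UNION SELECT salary FROM employees --"


def demo():
    conn = make_db()
    return {
        "vuln_normal": search_vulnerable(conn, "Smith"),
        "vuln_tautology": sorted(search_vulnerable(conn, PAYLOAD_TAUTOLOGY)),  # every row
        "vuln_union": sorted(search_vulnerable(conn, PAYLOAD_UNION)),          # salaries leak
        "param_normal": search_parameterized(conn, "Smith"),
        "param_tautology": search_parameterized(conn, PAYLOAD_TAUTOLOGY),      # no such name
        "param_union": search_parameterized(conn, PAYLOAD_UNION),              # no such name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Note that the parameterized version does not "filter" the payloads; it simply never lets them reach the SQL parser as code, which is why binding is the control and input filtering is at best defense in depth.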

Automated attacks

Unlike the tedious hours spent hacking a network’s perimeter, attacks against Web applications can be easily automated
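What "easily automated" means for a login form, as an added example that is not part of the talk: the loop a tool like THC-Hydra (demoed below) runs, pointed at a constructed in-process login service, once without and once with a failed-attempt lockout. The service, wordlist and lockout threshold are hypothetical; password hashing uses the standard library's PBKDF2 rather than a homemade scheme, in line with the "don't write your own security controls" advice later in the deck.

```python
# Added example (not from the talk). An in-process stand-in for a login form and
# the kind of wordlist loop THC-Hydra automates against it, with and without a
# per-account lockout. Everything here is constructed for the demo.
import hashlib
import hmac
import os

# Constructed wordlist; the victim's password is deliberately the last entry.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2015", "hunter2"]

# Iteration count kept low so the demo runs quickly; production uses far more.
PBKDF2_ROUNDS = 10_000


def make_user(password):
    """Salted PBKDF2-HMAC-SHA256 from the standard library, not a homemade hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Minimal login endpoint: 'ok', 'denied', or 'locked' after max_failures misses."""

    def __init__(self, users, max_failures=None):
        self.users = users            # username -> (salt, stored_hash)
        self.max_failures = max_failures
        self.failures = {}            # username -> consecutive failed attempts

    def login(self, user, password):
        if user not in self.users:
            return "denied"
        if self.max_failures is not None and self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        salt, stored = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


def brute_force(service, user, wordlist):
    """The loop a password-guessing tool automates: returns (password_or_None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = service.login(user, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts     # tool stops; the control did its job
    return None, attempts


def demo():
    users = {"bob": make_user("hunter2")}
    open_service = LoginService(users)                  # no lockout
    locked_service = LoginService(users, max_failures=5)
    return {
        "no_lockout": brute_force(open_service, "bob", WORDLIST),    # ('hunter2', 6)
        "with_lockout": brute_force(locked_service, "bob", WORDLIST),  # (None, 6)
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

A per-account lockout is itself abusable (an attacker can lock legitimate users out), so real deployments pair it with per-source rate limiting and progressive delays; the point of the demo is only that the attacker's loop costs nothing to write, so the defence cannot rely on the attack being tedious.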

Prevention

● Don't write your own security controls! Reinventing the wheel leads to wasted time and massive security holes.
● Understand and use the tools that the attackers use

Demo time
https://github.com/tomasperezv/web-security-tools

Demo time: WebGoat

Demo time: THC-Hydra

Demo time: webscarab

Demo time: Nessus

Demo time: w3af

Demo time: xsssniper

Conclusion

● We are responsible for the security of our web applications
● Include the EVIL user stories
● It is easy to perform attacks using automated tools
● Don't write your own security controls!

Questions

https://github.com/tomasperezv/web-security-tools