Security in Application & SDLC
Barkan Asaf ([email protected])
Nov, 2006
Security Perimeter

Diagram (labels recovered from the slide): External Network | Firewall | DMZ: Proxy, Load Balancer, Web Server on a Hardened OS | Firewall | Internal Segment: App Server, Databases. The Application Client sits outside the perimeter. Two layers are marked across the diagram: Network Layer and Application Layer.
Web Application attacks & 5 Web Security Myths

Top five myths of web security (Jeremiah Grossman):
• We use 128-Bit SSL
• Firewalls protect the web site
• My network scanner found no issues
• My application scanner found no issues
• We have annual security assessments
Vulnerability Stack & Security scanners

(Diagram slide; no text recovered.)
Technical vs. Logical Vulnerabilities

Logical flaws: security vulnerabilities that arise from some contextual logic in the application. Example:
• A multi-step procedure that can be bypassed by invoking a later step directly

Technical vulnerabilities: security vulnerabilities that can be discovered without any contextual logic. Examples:
• HTML Injection
• SQL Injection

Technical vs. Logical Vulnerabilities at WhiteHat (chart)

Web application scanner limitations/challenges:
• Session state management
• Script parsing
• Logical flows
• Custom URLs
• Privilege escalation
• False negatives/positives
Security Tollgates in the Software Development Life Cycle (SDLC)

Release cycle: Product Requirements → Functional Design → Technical Design → Implementation → Testing → Beta

Security tollgates placed along the cycle:
• Security Requirements Document
• Architectural Risk Analysis
• Secure Coding
• Security Testing
Unvalidated Input (A1)

Description: HTTP inputs into the application are not validated. These include the URL, headers, query strings, cookies, form fields and hidden fields. This leads to almost all web application vulnerabilities.

Threats: Client-side Attacks (3), Command Execution (4), Denial of Service (6.2)

Counter measures: use application-level validation that checks:
• Strong data type
• Length
• Logical boundaries
• Legal characters
• Correct syntax

Demonstration
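The five checks listed above, applied as one positive (allow-list) validation layer. This is an added example, not code from the slides; the field names, length limits, patterns and numeric bounds in RULES are assumptions made for the illustration, and SAMPLE_REQUEST is a constructed request.

```python
import re

# Hypothetical field rules, constructed for this example: each entry carries the
# five checks the slide lists (strong data type, length, logical boundaries,
# legal characters, correct syntax). Field names and limits are assumptions.
RULES = {
    # field:     (type, max_len, regex for legal characters/syntax, (low, high) bounds or None)
    "username": (str, 32, r"[A-Za-z0-9_.-]+", None),
    "quantity": (int, 6, r"[0-9]+", (1, 1000)),
    "email":    (str, 254, r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", None),
}

def validate(field, raw):
    """Positively validate one raw HTTP input (URL, header, cookie, form field...).
    Returns (True, typed_value) or (False, reason). Anything not explicitly allowed is rejected."""
    rule = RULES.get(field)
    if rule is None:
        return False, "unexpected field"        # hidden/extra fields are input too
    kind, max_len, pattern, bounds = rule
    if not isinstance(raw, str):
        return False, "not a string"
    if len(raw) > max_len:                       # length, checked before any parsing
        return False, "too long"
    if not re.fullmatch(pattern, raw):           # legal characters and syntax
        return False, "illegal characters or syntax"
    try:
        value = kind(raw)                        # strong data type
    except ValueError:
        return False, "wrong type"
    if bounds is not None:                       # logical boundaries
        low, high = bounds
        if not low <= value <= high:
            return False, "out of bounds"
    return True, value

def validate_request(params):
    """Validate every parameter of a request; returns (clean values, per-field errors)."""
    clean, errors = {}, {}
    for field, raw in params.items():
        ok, result = validate(field, raw)
        (clean if ok else errors)[field] = result
    return clean, errors

# Constructed sample request, as the application-level validation layer would see it
SAMPLE_REQUEST = {"username": "alice_01", "quantity": "5000",
                  "email": "alice@example.com", "debug": "1"}

if __name__ == "__main__":
    print(validate_request(SAMPLE_REQUEST))
```

The length check runs before the regular expression and the type conversion so that oversized input is rejected before any parsing work is spent on it; an unexpected parameter such as `debug` is treated as an error rather than silently passed through.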
Broken Access Control (A2)

Description: authorization boundaries in code are broken or not properly enforced.

Threats: Credential/Session prediction (2.1), Insufficient Authorization (2.3), Insufficient process validation (6.4)

Counter measures:
• Robust authorization management
• Do not trust client-side tokens for authorization
• Authorize all requests except anonymous objects
• Block resource enumeration and forced browsing in the application
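The four countermeasures above in one server-side check. This is an added example, not code from the slides: the resource names, the session store and the `client_claims` parameter are constructed for the illustration. The decision is taken only from the server-side session object; whatever the client sends as a token or hidden field is ignored, and every resource that is not on the anonymous list requires an explicit match.

```python
# Hypothetical server-side authorization model, constructed for this example.

ANONYMOUS_OBJECTS = {"/", "/login", "/help"}     # the only resources that need no authorization

# resource -> (owner or None, roles allowed to reach it)
OBJECTS = {
    "/orders/1001": ("alice", {"customer"}),
    "/orders/1002": ("bob", {"customer"}),
    "/admin/users": (None, {"admin"}),
}

# server-side session store: session id -> identity; the client only ever holds the id
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": {"customer"}},
    "sess-bob": {"user": "bob", "roles": {"customer"}},
}

def authorize(session_id, resource, client_claims=None):
    """Return True only when the server-side session may access `resource`.
    `client_claims` (for example a hidden 'isAdmin' form field) is accepted as an
    argument purely to show that it plays no part in the decision."""
    if resource in ANONYMOUS_OBJECTS:
        return True
    session = SESSIONS.get(session_id)
    if session is None:
        return False                      # no valid server-side session: deny
    entry = OBJECTS.get(resource)
    if entry is None:
        return False                      # unknown resource: deny without revealing anything
    owner, roles = entry
    if owner is not None and owner != session["user"]:
        return False                      # forced browsing to another user's object
    return bool(roles & session["roles"])

if __name__ == "__main__":
    print(authorize("sess-alice", "/orders/1001"), authorize("sess-alice", "/orders/1002"))
```

Returning the same "deny" for an object that does not exist and for one the caller may not see is what blocks resource enumeration: a probe cannot tell the two cases apart.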
Broken Authentication & Session Management (A3)

Description: a weak implementation of the authentication framework or insecure session management.

Threats: Brute Force (1.1), Insufficient Authentication (1.2), Insufficient session expiration (2.3), Session fixation (2.4), Session prediction (2.1)

Demonstration

Counter measures:
• Use a random GUID as the session indicator
• Assign a session id only after authentication
• Assign a new session id when switching from HTTP to HTTPS
• Correlate the session indicator with a valid session object in the application
• Use standard and robust password policy enforcement
• Use standard and robust lockout policy enforcement
• Do not trust the client to send session state (session GUID only)
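A small session manager that follows these countermeasures. This is an added example, not code from the slides; the timeout, lockout threshold and lockout duration are assumed policy values, USERS is a constructed plaintext table used only so the example runs (a real store keeps password hashes), and the HTTP-to-HTTPS transition is modelled by the `over_https` flag.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60       # idle expiration in seconds (assumed policy value)
MAX_FAILURES = 5            # lockout threshold (assumed policy value)
LOCKOUT_SECONDS = 10 * 60   # lockout duration (assumed policy value)

USERS = {"alice": "correct-horse"}   # constructed; a real store holds password hashes
SESSIONS = {}                        # server-side store: session id -> session object
FAILURES = {}                        # username -> (failure count, locked-until timestamp)

def new_session_id():
    """128 bits from the OS CSPRNG: unpredictable, unlike counters or timestamps."""
    return secrets.token_hex(16)

def login(username, password, now=None):
    """Return a session id only after successful authentication, honouring lockout."""
    now = time.time() if now is None else now
    count, locked_until = FAILURES.get(username, (0, 0.0))
    if now < locked_until:
        return None                                    # locked out: do not even check the password
    if not hmac.compare_digest(USERS.get(username, ""), password):
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        FAILURES[username] = (count, locked_until)
        return None
    FAILURES.pop(username, None)
    sid = new_session_id()                             # issued only now, after authentication
    SESSIONS[sid] = {"user": username, "last_seen": now, "secure": False}
    return sid

def lookup(sid, now=None, over_https=False):
    """Correlate the id the client sent with a live server-side session object.
    Returns (session, current id); the id is replaced when the session moves to HTTPS."""
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None, None                              # unknown or forged id
    if now - session["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]                              # idle too long: expire it
        return None, None
    session["last_seen"] = now
    if over_https and not session["secure"]:
        del SESSIONS[sid]                              # the old id may have crossed plain HTTP
        sid = new_session_id()                         # so issue a fresh one
        session["secure"] = True
        SESSIONS[sid] = session
    return session, sid

if __name__ == "__main__":
    sid = login("alice", "correct-horse")
    print(lookup(sid, over_https=True))
```

All state the client could tamper with (user name, roles, timestamps) lives in SESSIONS; the cookie carries nothing but the random id, and `lookup` treats an id that does not map to a live object exactly like no session at all.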
Cross Site Scripting (A4)

Description: the attacker uses a vulnerable web application to unintentionally send a user (the victim) a malicious active script that executes in the victim's browser and breaches their security context.

Threats: Client-side attacks (3)

Counter measures:
• Use application-level validation that either negatively or positively validates all inputs coming from untrusted clients.
• Use HTML encoding centrally in the presentation layer

Demonstration
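The second countermeasure, central HTML encoding in the presentation layer, shown beside the reflecting pattern it replaces. This is an added example, not code from the slides; the page templates and SAMPLE_INPUT are constructed for the illustration, and the encoder is Python's standard `html.escape`.

```python
import html

def render(template, **values):
    """Central presentation-layer encoder: every value substituted into a page is
    HTML-encoded, so untrusted input is shown as text and never parsed as markup.
    The template itself must be developer-written, never user-supplied."""
    encoded = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return template.format(**encoded)

def search_page_unsafe(query):
    """The vulnerable pattern: raw input reflected straight into the response."""
    return "<p>Results for: " + query + "</p>"

def search_page(query):
    """The same page built through the central encoder."""
    return render("<p>Results for: {q}</p>", q=query)

def search_form(query):
    """Attribute context: quote=True also encodes the quote characters, so the
    value cannot close the attribute it sits in."""
    return render('<input name="q" value="{q}">', q=query)

# Constructed sample of a reflected input carrying a script tag
SAMPLE_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(search_page_unsafe(SAMPLE_INPUT))
    print(search_page(SAMPLE_INPUT))
```

Encoding at the single point where data meets markup is what makes the control central: each page calls `render`, and no individual view has to remember to escape.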
Buffer Overflows (A5)

Description: the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that either corrupted data or malicious code is executed.

Buffer overflow vulnerabilities typically occur in code that:
• Relies on external data to control its behavior
• Depends upon external properties of the data
• Is so complex that a programmer cannot accurately predict its behavior

Threats: Buffer overflow (4.1)

Counter measures:
• Use interpreted languages such as Java/Python
• Validate your input boundaries and size before processing

Code example (the unsafe pattern: gets() has no way to learn the buffer's size):

```c
#include <stdio.h>
#define BUFSIZE 64   /* the buffer has a fixed size that gets() never learns */
char buf[BUFSIZE];
gets(buf);           /* unbounded read: longer input overruns buf */
```
Injection Flaws (A6)

Description: the attacker uses injection flaws to relay malicious code through a web application to another system. The code is executed on behalf of the web application.

Threats: Command execution (4), Denial of Service (6.2)

Counter measures:
• Use application-level validation that either negatively or positively validates all inputs coming from untrusted clients.
• Use prepared statements and set each parameter before use in the query

Example: see the SQL Injection code example slide
Improper Error Handling (A7)

Description: improper handling of errors in the application can result in the application sending the attacker error messages that reveal implementation, architecture or component information they should not know.

Threats: Information leakage (5.2)

Counter measures:
• Catch all exceptions on the server side; never throw an exception to the client
• Handle all errors in the back end
• Do not send the user excessive information that is not required, such as platform architecture, ports in use, components in use and more.

Examples:
• SQL exceptions thrown back to the client
• Stack traces thrown on web service exceptions
• Application server stack traces thrown back to the client
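A back-end boundary that catches everything, logs the detail server-side and returns only a generic message, shown beside the leaking form. This is an added example, not code from the slides; `DbError`, `load_account` and the error text it raises are constructed stand-ins for a data-layer failure.

```python
import logging
import uuid

log = logging.getLogger("app")

class DbError(Exception):
    """Stand-in for a database driver exception; constructed for this example."""

def load_account(account_id):
    # constructed back-end call that fails the way a real data layer might,
    # with host, port and table names in the message
    raise DbError("table ACCOUNTS not found on db01:1521 "
                  "(SELECT * FROM ACCOUNTS WHERE id=%s)" % account_id)

def handle_unsafe(handler, *args):
    """The flawed pattern: the exception text goes straight to the client."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        return 500, {"error": str(exc)}

def handle(handler, *args):
    """Catch every exception at the boundary, keep the stack trace in the server
    log, and give the client only a generic message plus a correlation id it
    can quote to support."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("request failed ref=%s", ref)   # full detail stays server-side
        return 500, {"error": "An internal error occurred.", "ref": ref}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_unsafe(load_account, 7))
    print(handle(load_account, 7))
```

The correlation id is what keeps the generic message usable: support can find the full trace in the log by `ref` without any of it having crossed to the client.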
Insecure Storage (A8)

Description: improper usage or implementation of cryptography in application code.

Threats: Information leakage (5.2), Insufficient Authentication (1.2)

Counter measures:
• Use well-known and proven cryptography
• Choose a suitable algorithm according to the security/performance trade-off
• Keep secrets in memory unserialized
• Make keys replaceable and configurable by size if possible
• Encrypt all private/confidential credentials

Examples:
• Saving the private key of an SSL server on the file system as clear text
• Saving a DB connection object as clear text on the file system
• Failure to encrypt critical data
• Poor sources of randomness
• Poor choice of algorithm
• Attempting to invent a new encryption algorithm
• Failure to include support for encryption key changes
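Credential storage that avoids three of the listed mistakes at once: a proven primitive instead of a home-made one, the OS CSPRNG instead of a poor randomness source, and a version tag so the algorithm and work factor can be changed later. This is an added example, not code from the slides, and it stores passwords as salted PBKDF2 hashes (the usual choice for credentials that only need verifying) rather than encrypting them; the PARAMS table and its iteration counts are constructed values.

```python
import hashlib
import hmac
import secrets

# Versioned parameter sets so the algorithm and work factor can be changed without
# breaking stored records; values are constructed for this example.
PARAMS = {1: ("sha256", 10_000), 2: ("sha256", 50_000)}
CURRENT_VERSION = 2

def protect(secret, version=CURRENT_VERSION):
    """Store a credential as salted PBKDF2 (a proven primitive) with its version tag."""
    algorithm, iterations = PARAMS[version]
    salt = secrets.token_bytes(16)            # OS CSPRNG, never random.random()
    digest = hashlib.pbkdf2_hmac(algorithm, secret, salt, iterations)
    return "%d$%s$%s" % (version, salt.hex(), digest.hex())

def verify(secret, record):
    """Return (matches, needs_upgrade): a constant-time compare, plus a flag for
    records made under an older parameter set so they can be re-protected on the
    next successful login."""
    version, salt_hex, digest_hex = record.split("$")
    algorithm, iterations = PARAMS[int(version)]
    digest = hashlib.pbkdf2_hmac(algorithm, secret, bytes.fromhex(salt_hex), iterations)
    matches = hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    return matches, matches and int(version) != CURRENT_VERSION

if __name__ == "__main__":
    record = protect(b"hunter2")
    print(record, verify(b"hunter2", record))
```

Because the version travels with each record, rolling to a stronger parameter set is a one-line change to CURRENT_VERSION; old records keep verifying and get re-protected as users log in, which is the "support for key changes" the last example calls for.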
Denial Of Service (A9)

Description: all actions or procedures in the application that will make it unusable. Network-level attacks are not included here.

Threats: Denial of Service (6.2)

Counter measures:
• Use well-known and proven cryptography
• Choose a suitable algorithm according to the security/performance trade-off
• Keep secrets in memory unserialized
• Make keys replaceable and configurable by size if possible
• Encrypt all private/confidential credentials

Examples:
• Resource starvation when all concurrent user slots are consumed by zombies
• HTML persistence injection causes DoS to the application main page
Insecure Configuration Management (A10)

Description: insecure usage of server/component configuration. Out-of-the-box settings are mostly not secure.

Threats: Insufficient Authentication (1.2), Insufficient authorization (2.2), SSI Injection (4.6), Directory indexing (5.1), Information leakage (5.2), Path traversal (5.3), Predictable Resource Location (5.4), Abuse of Functionality (6.1)

Counter measures:
• Apply a hardening procedure to the infrastructure before shipping

Examples:
• Unpatched security flaws in the server software
• Web server misconfigurations (directory listing/traversal enabled)
• Unnecessary default, backup, or sample files
• Improper file and directory permissions
• Unnecessary services enabled
• Default accounts with their default passwords
• Administrative or debugging functions that are enabled or accessible
• Overly informative error messages (more details in the error handling section)
• Insecure usage of certificates
Summary

• There is no such thing as security on the client side
• Validate all inputs from untrusted clients *
• Use standard security solutions/configuration
• Make sure the client gets only the responses it needs *
• Lose the naïve approach regarding the client's behavior *
• Remove legacy/unnecessary resources from the production application
Cross Site Scripting (XSS)

Diagram caption: the script, sent by the attacked client to the server, was then received again by the client, now with the proper security context, and was able to send the cookie to the attacker.
SQL Injection – Code example

Bypassing login logic using an SQL Injection flaw (the flawed pattern, kept as on the slide: user input is concatenated into the query text):

```vb
SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"
strAuthCheck = GetQueryResult(SQLQuery)
If strAuthCheck = "" Then
    boolAuthenticated = False
Else
    boolAuthenticated = True
End If
```

Defending (Java example):

```java
PreparedStatement ps = null;
ResultSet rs = null;
try {
    isSafe(pUsername);  // pre-check from the original listing; helper not defined on the slide
    // the placeholder must not be quoted: '?' would be a string literal, not a parameter
    ps = conn.prepareStatement("SELECT * FROM user_table WHERE username = ?");
    ps.setString(1, pUsername);   // bound as data, never spliced into the SQL text
    rs = ps.executeQuery();       // executeQuery() returns the rows; execute() returns a boolean
    if (rs.next()) {
        …
    }
} finally {
    if (rs != null) rs.close();
    if (ps != null) ps.close();
}
```
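The same comparison run end to end, serving both the Injection Flaws (A6) countermeasure and this slide: the concatenated query beside the prepared statement, on a database where the difference can be observed. This is an added example, not code from the slides; it uses Python's standard `sqlite3` module with an in-memory table and one constructed user row, and the last function demonstrates the caveat that a placeholder written inside quotes is a literal string, not a parameter.

```python
import sqlite3

def setup():
    """In-memory table with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def auth_concatenated(conn, username, password):
    """The flawed pattern: user input spliced into the SQL text, like the
    string-built query above. The database cannot tell data from code."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def auth_prepared(conn, username, password):
    """The defence: a prepared statement with ? placeholders, each bound before use.
    Input travels as a parameter and cannot change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None

def quoted_placeholder_is_literal(conn):
    """Caveat: writing '?' inside quotes makes it a literal string, not a parameter;
    the driver then refuses the binding (sqlite3 raises ProgrammingError)."""
    try:
        conn.execute("SELECT username FROM users WHERE username = '?'", ("alice",))
    except sqlite3.ProgrammingError:
        return True
    return False

if __name__ == "__main__":
    conn = setup()
    probe = "' OR '1'='1"   # constructed input that closes the quoted value
    print(auth_concatenated(conn, "alice", probe), auth_prepared(conn, "alice", probe))
```

With the concatenated form the quoted value is closed and the condition rewritten, so the row comes back without the password; with the prepared form the identical string is compared as a password value and simply does not match.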
Validation layers (Secure in depth)

Validate at each layer:
• Persistence
• Business logic
• Presentation