Web Application Security: Threats & Countermeasures
Aung Thu Rha Hein (g5536871)
Post on 12-Jan-2015

TRANSCRIPT

Page 1: Web application security: Threats & Countermeasures

Web Application Security: Threats & Countermeasures
Aung Thu Rha Hein (g5536871)

Page 2: Web application security: Threats & Countermeasures

Outline

Fundamentals
• Principles
• Practices
• Three-Tiered Approach

Threats & Countermeasures
• Anatomy of web attacks
• Threat categories: STRIDE; Network Threats & Countermeasures; Host Threats & Countermeasures; Application Threats & Countermeasures

Summary & Conclusion

Page 3: Web application security: Threats & Countermeasures

Fundamentals: Principles

Defense in Depth
• Use multiple layers so that the failure of one defense does not expose the system
• E.g. firewalls, IDS, load balancers, IP restrictions

Least Privilege
• Grant as little access to the system as possible
• E.g. restrict access to the DB

Least Complicated
• Complexity generates mistakes

Page 4: Web application security: Threats & Countermeasures

Fundamentals: Practices

Filter input
• Ensure incoming data is valid

Escape output
• Ensure outgoing data is not misinterpreted

Input → Application → Output
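The "filter input, escape output" practice applied end to end, as an added example that is not part of the original slides: an allowlist check on the incoming handle, a parameterized query in the application tier, and HTML encoding before the value is emitted. The table, rows and handle pattern are constructed for the demo.

```python
import html
import re
import sqlite3

# Allowlist for the one field this demo accepts: a short account handle.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def filter_input(raw: str) -> str:
    """Filter input: reject anything that is not a well-formed handle."""
    if not HANDLE_RE.fullmatch(raw):
        raise ValueError("invalid handle")
    return raw


def escape_output(value: str) -> str:
    """Escape output: encode for an HTML context so data is never read as markup."""
    return html.escape(value, quote=True)


def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample data, not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (handle TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "likes <b>bold</b> text"), ("bob_99", '"quoted" & ampersand')],
    )
    return conn


def lookup_bio_html(conn: sqlite3.Connection, raw_handle: str) -> str:
    """Input -> Application -> Output: filter, parameterized query, then escape."""
    handle = filter_input(raw_handle)
    # Bound parameter: the handle is data, never spliced into the SQL text.
    row = conn.execute("SELECT bio FROM users WHERE handle = ?", (handle,)).fetchone()
    if row is None:
        return "<p>no such user</p>"
    return f"<p>{escape_output(row[0])}</p>"


if __name__ == "__main__":
    db = build_db()
    print(lookup_bio_html(db, "alice"))
    try:
        lookup_bio_html(db, "alice' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
```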

Page 5: Web application security: Threats & Countermeasures

Fundamentals: Three-Tiered Approach

Secure the network

Secure the host
• Runtime services
• Platform services
• Operating system

Secure the application
• Presentation logic
• Business logic
• Data access logic

Page 6: Web application security: Threats & Countermeasures

Threats & Countermeasures

Anatomy of a web attack
• Survey and assess
• Exploit and penetrate
• Escalate privileges
• Deny service
• Maintain access

Page 7: Web application security: Threats & Countermeasures

Threats & Countermeasures

Threat Categories
• STRIDE: based on the goals and purposes of the attacker
• Three categories based on the three-tiered approach: Network, Host, Application

Page 8: Web application security: Threats & Countermeasures

Threats & Countermeasures - STRIDE

• Spoofing: gain access to the system with a false identity
• Tampering: unauthorized modification of data
• Repudiation: ability of a user to deny having performed specific actions or transactions
• Information disclosure: exposure of private data
• Denial of Service: making the system unavailable
• Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user

Page 9: Web application security: Threats & Countermeasures

Threats & Countermeasures - STRIDE

• Spoofing: strong authentication, SSL, avoid plaintext when storing and sending sensitive data
• Tampering: data hashing, digital signatures, authorization
• Repudiation: secure audit trails, digital signatures
• Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
• Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
• Elevation of Privilege: follow the principle of “Least Privilege”

Page 10: Web application security: Threats & Countermeasures

Threats & Countermeasures - Network

• Information gathering: discover and profile network devices to find vulnerabilities
• Sniffing: eavesdropping on data as it crosses the network
• Spoofing: hide one’s true identity to access the system and work around ACLs
• Session hijacking: man-in-the-middle attack
• Denial of service: denies legitimate access to servers or services

Page 11: Web application security: Threats & Countermeasures

Threats & Countermeasures - Network

• Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
• Sniffing: use strong physical security, network segmentation, encrypt communication
• Spoofing: filter incoming and outgoing packets
• Session hijacking: encrypted session negotiation and communication channels
• Denial of service: IDS, appropriate registry settings for the TCP/IP stack

Page 12: Web application security: Threats & Countermeasures

Threats & Countermeasures - Host

• Viruses, Trojan horses, and worms: perform malicious acts and cause disruption to the OS
• Footprinting: try to reveal valuable information about the system
• Password cracking: try to establish an authenticated connection with the server
• Arbitrary code execution: execute malicious code on the server
• Unauthorized access: try to access restricted information or perform restricted operations

Page 13: Web application security: Threats & Countermeasures

Threats & Countermeasures - Host

• Viruses, Trojan horses, and worms: harden weak default configuration settings, anti-virus applications
• Footprinting: disable unused ports and protocols, IDS, “defense in depth”
• Password cracking: strong passwords, lockout policies, audit failed login attempts
• Arbitrary code execution: lock down system commands & utilities with restricted ACLs, apply patches and updates
• Unauthorized access: secure web permissions, lock down files and folders
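The password-cracking countermeasures above (lockout policy plus auditing of failed logins) as an added example, not code from the original slides: the function replays an authentication log, locks an account after a threshold of failures inside a time window, and reports failures, lockouts and attempts made while locked. The log lines, threshold and window are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (timestamp, result, user, source IP);
# not taken from any real system.
SAMPLE_LOG = """\
2015-01-12T09:00:01 FAIL alice 203.0.113.5
2015-01-12T09:00:03 FAIL alice 203.0.113.5
2015-01-12T09:00:04 FAIL alice 203.0.113.5
2015-01-12T09:00:06 FAIL alice 203.0.113.5
2015-01-12T09:00:07 FAIL alice 203.0.113.5
2015-01-12T09:00:09 OK alice 203.0.113.5
2015-01-12T09:05:00 FAIL bob 198.51.100.7
2015-01-12T09:30:00 OK bob 198.51.100.7
"""

LOCKOUT_THRESHOLD = 5                   # failures inside the window that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=10)  # counting window and lockout duration (assumed)


def parse_line(line: str):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip


def audit_logins(log_text: str, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the log, apply the lockout policy, and summarise per user."""
    recent = defaultdict(list)   # user -> timestamps of recent failures
    locked_until = {}            # user -> time at which the lockout ends
    report = defaultdict(lambda: {"failures": 0, "locked_at": None, "blocked": 0})
    for ts, result, user, _ip in map(parse_line, log_text.splitlines()):
        entry = report[user]
        if user in locked_until and ts < locked_until[user]:
            entry["blocked"] += 1    # rejected regardless of the password supplied
            continue
        if result == "OK":
            recent[user].clear()     # a genuine login resets the failure counter
            continue
        entry["failures"] += 1
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            entry["locked_at"] = ts.isoformat()   # audit record of the lockout
            locked_until[user] = ts + window
            recent[user].clear()
    return dict(report)


if __name__ == "__main__":
    for user, summary in audit_logins(SAMPLE_LOG).items():
        print(user, summary)
```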

Page 14: Web application security: Threats & Countermeasures

Threats & Countermeasures - Application

• Input validation: cross-site scripting (XSS), SQL injection
• Authentication: dictionary attacks, brute-force attacks
• Session management: session hijacking, man in the middle
• Cryptography: poor key generation or key management, weak or custom encryption
• Parameter manipulation: query string & form field manipulation, cookie manipulation, HTTP header manipulation
• Exception management: information disclosure, denial of service

Page 15: Web application security: Threats & Countermeasures

Threats & Countermeasures - Application

• Input validation: validate input, encode user output, use parameterized stored procedures
• Authentication: strong passwords with hashes
• Session management: SSL, expiration period on the session cookie, HMACs
• Cryptography: secure encryption system, DPAPI, use proven cryptographic services
• Parameter manipulation: session identifier, HTTP POST, encrypt query strings, HMACs
• Exception management: exception handling and logging
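The HMAC countermeasures listed for parameter manipulation and session management, as an added example that is not from the original slides: client-visible parameters are signed so any edit is detected, and the same signing is used to build a session cookie that carries an expiration. The key, parameter names and time-to-live are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads it from a secrets store.
SERVER_KEY = b"demo-key-replace-me"


def _mac(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def sign_params(params: dict) -> str:
    """Serialize the parameters and append an HMAC so any edit is detectable."""
    body = json.dumps(params, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return f"{token}.{_mac(body)}"


def verify_params(signed: str) -> Optional[dict]:
    """Return the parameters only if the HMAC matches; None on any tampering."""
    try:
        token, mac = signed.rsplit(".", 1)
        body = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # malformed token or bad base64 padding
        return None
    if not hmac.compare_digest(_mac(body), mac):  # constant-time comparison
        return None
    return json.loads(body)


def issue_session(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Cookie value: user plus absolute expiry, protected by the same HMAC."""
    now = time.time() if now is None else now
    return sign_params({"user": user, "exp": int(now + ttl_seconds)})


def check_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is authentic and has not expired."""
    now = time.time() if now is None else now
    claims = verify_params(cookie)
    if claims is None or claims.get("exp", 0) <= now:
        return None
    return claims["user"]
```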

Page 16: Web application security: Threats & Countermeasures

Summary & Conclusion

By understanding STRIDE, countermeasures can be applied more effectively.

By understanding common threats, the application can be protected from being compromised.

Thank You!