This presentation by Mike Shema of Qualys covers the basics of web application security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversal, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risk.
Web Security 101
An overview of some common application exploits
Mike Shema
Security Research Engineer, Qualys Inc.
Web Security
• Web application (in)security continues to grow
• Web-related vulnerabilities pop up on Bugtraq daily. (http://www.securityfocus.com/bid/)
• Web-related attacks are large and expensive to investigate, react to, and resolve.
• Web security became a requirement of PCI in 2008.
• XSS remains a significant problem
  • Original CERT advisory February 2000 (http://www.cert.org/advisories/CA-2000-02.html)
  • USENET references to “malicious html” and “malicious javascript” as far back as 1996
  • comp.security.unix post in March 1996: http://tinyurl.com/2s593m
  • Entertaining discussion of JavaScript: http://tinyurl.com/2g2476
Web Security
• Reported web server vulnerabilities have decreased
  • IIS 6.0 released April 2003
    • MS06-034 (specially-crafted ASP file could cause buffer overflow)
    • No resurgence of Code Red or Nimda style vulnerabilities
  • Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008)
    • 40 security bugs according to changelog
    • 24 specific to core or mod_ssl
  • Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008)
    • 13 security bugs according to changelog
    • 2 specific to core or mod_ssl
• And the number of servers continues to grow significantly
[Chart: Active Sites According to Netcraft, May-03 to Apr-08, Apache vs. IIS, scale 0 to 35,000,000 sites]
Leave the Buffer Overflows at Home
• Exploiting most web vulnerabilities has a very low barrier to entry.
• Low sophistication attacks can still lead to high impact exploits
• More codified lists are defined in the OWASP Top 10 and the WASC Threat Classification
Threats Evolve
• Financial motivation
• Infect rather than deface
• Increased potential for targeted attacks
• Exploit the trust between the server and browser
Attacks Adapt
• Bring the exploit to the victim rather than bring the victim to the exploit.
• “Web 2.0”: More business logic and capabilities moved to the web browser.
• Social networking as an enabler for non-technical attacks.
• Insert malicious content into a web page
• Target the web browser
Persistent Browser Problems
• Assumption of trust in HTML and JavaScript (no “signed” content)
• No separation of UI generation and data manipulation
• Few restrictions on pulling together inter-domain content, no “trusted peers” for a domain.
What do these attacks look like?
• Review some examples to see where vulnerabilities exist and how they are exploited.
The Usual Suspects
• SQL Injection
  • One of the easiest vulnerabilities to prevent.
  • Occurs when users can alter the actual query.
  • For example, SQL queries built with string concatenation, or even raw SQL queries in a URL parameter.
Recent Examples
• Hacking & Happiness
  • One password to rule them all
  • Poor separation of duties
  • Lack of rate limiting
  • http://tinyurl.com/9f7ata
Recent Examples
• Session Fixation & Stock Inflation
  • Buy stocks using someone else’s account.
Recent Examples
Session ID = 655321

1. Attacker (x.y.72.13), unauthenticated, probes with a session ID of its own choosing:
   x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
   Redirect to /login.cgi <-- server
2. Victim receives an e-mail with a legitimate link to the trading site: https://site/login.cgi?sid=655321
3. Victim (a.b.101.92) logs in; session 655321 is now authenticated:
   a.b.101.92 --> /login.cgi?sid=655321
   Redirect to /welcome.cgi?sid=655321 <-- server
4. Attacker (x.y.72.13) reuses the now-authenticated session:
   x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
   Trade executed <-- server
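The exchange above modelled as an added example (not code from the slides or from the trading site): a hypothetical in-memory session store in which the server either upgrades the URL-supplied sid in place at login, as the vulnerable site did, or discards it and issues a fresh one, which is the fix. The class, function and credential names are assumptions.

```python
# Added example: why accepting a client-supplied "sid" and authenticating it
# in place lets a pre-chosen session ID execute a trade, and how regenerating
# the session ID at login closes the hole. Store and names are hypothetical.
import secrets

class TradingSite:
    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> username, or None while unauthenticated

    def login(self, sid: str, username: str, password: str) -> str:
        """login.cgi: returns the sid the browser should use afterwards."""
        if password != "correct horse":  # stand-in for a real credential check
            return sid
        if self.regenerate_on_login:
            # Fixed behaviour: drop the pre-authentication sid, whatever its
            # source, and bind the user to a fresh unguessable one.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(16)
        # Vulnerable behaviour (when not regenerating): the very sid that
        # arrived in the URL is upgraded to an authenticated session.
        self.sessions[sid] = username
        return sid

    def trade(self, sid: str, shares: int, stock: str) -> str:
        """trade.cgi: only an authenticated session may execute a trade."""
        user = self.sessions.get(sid)
        if user is None:
            return "Redirect to /login.cgi"
        return f"Trade executed for {user}: {shares} {stock}"

def run_fixation_attempt(regenerate_on_login: bool) -> str:
    """Replays the four steps from the slide and returns the server's final reply."""
    site = TradingSite(regenerate_on_login)
    fixed_sid = "655321"  # session ID chosen by the attacker (from the slide)
    # 1. Attacker probes before anyone has logged in with that sid.
    assert site.trade(fixed_sid, 1000, "FOO") == "Redirect to /login.cgi"
    # 2-3. Victim follows the e-mailed link and logs in with the fixed sid.
    victim_sid = site.login(fixed_sid, "victim", "correct horse")
    assert site.trade(victim_sid, 1, "FOO").startswith("Trade executed")
    # 4. Attacker retries with the sid it fixed.
    return site.trade(fixed_sid, 1000, "FOO")
```

With regeneration off the attacker's retry executes a trade on the victim's account; with it on, the fixed sid never becomes authenticated and the retry is redirected to the login page.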
Recent Examples
• Inspection & Infiltration
  • Abusing server-side scripts
  • http://tinyurl.com/d6ymuc
Recent Examples
../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini
• Viewing arbitrary files on the web server for sensitive content
• A confluence of programming error, misconfiguration, and lack of host hardening
Wildly Different Vulnerabilities
• Programming errors
  • Session fixation
  • Cross-site request forgery
  • Lack of input validation
• Insecure environment
Where Are The Worms?
• Attacks like Nimda, Code Red or SQL Slammer haven’t been repeated in a while
• Exploit preferences seem to fall to the lowest common denominator
Manual & Automated Testing
• Complementary approaches
• What matters most for your environment?
  • Cost
  • Scalability
  • Repeatability
  • Comprehensiveness
  • Accuracy
• What to expect from each approach?
Automated Testing
• Ideal for large-scale or repetitive scans
• Primarily focuses on syntax problems, misconfigurations, and known issues
• Several challenges to determining a good scanner
  • Crawling & site coverage
  • Authentication & session management
  • Comprehensiveness & accuracy
Manual Testing
• Ideal for in-depth security review
• Biggest advantage over automated testing is the ability to understand the application’s business logic
• Typically relies on some form of automated testing
Proactive Countermeasures
• Prevent the initial compromise in order to minimize the potential for the application to be used as a distribution point for malicious content
• Web application hardening
• Prevent unexpected HTML injection
  • Identify areas where user-generated content is permitted
  • Pre-inspect content
  • Quarantine content
• Continuous site monitoring
Development Quick Reference
• Don’t store raw passwords.
  • Store the salted hash
• Don’t use string concatenation when building SQL queries.
  • Use parameterized queries
• HTML encode user-supplied content that is written to a web page
• Normalize input
  • Work with an expected character set & encoding.
  • Decode multi-level URL encoding
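Three of the quick-reference items worked through as an added example (not code from the slides): the concatenated query beside its parameterized form, a normalizer that peels multi-level URL encoding, and HTML encoding of user content before it is written into a page. The users table and sample inputs are constructed here, and only the Python standard library is used.

```python
# Added example: SQL parameterization, multi-level URL decoding and HTML
# encoding from the quick reference. Table contents are constructed.
import html
import sqlite3
from urllib.parse import unquote

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return con

def lookup_concatenated(con: sqlite3.Connection, name: str) -> list:
    # Don't: the query text is assembled from the untrusted value, so a quote
    # in the value closes the literal and the user alters the actual query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con: sqlite3.Connection, name: str) -> list:
    # Do: the value is bound as a parameter and can only ever be data.
    return [row[0] for row in con.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]

def normalize_url_param(value: str, max_rounds: int = 5) -> str:
    # Decode URL encoding until the value stops changing, so that validation
    # sees the same string the application will act on. A hard cap on rounds
    # rejects inputs nested deeper than any legitimate client would produce.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")

def render_comment(user_text: str) -> str:
    # HTML-encode user-supplied content before writing it into the page so
    # it is displayed as text rather than parsed as markup or script.
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"
```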
Summary
• The web browser continues to bear more and more functionality that used to be relegated to desktop applications -- but the browser security model hasn’t kept pace.
• Attackers are placing more focus on compromising trusted sites rather than luring victims to fake sites.
• Social networking, Web 2.0, and similar concepts place more and more personal data only a browser request away.
• Most reported compromises seem due to lack of input validation (XSS and SQL injection).
Thank you!