Embed Size (px)
DESCRIPTION
Day 7 of 7-days "JavaScript and Rich User Interfaces" training for my colleagues. It covers Cross Site Scripting, SQL injection, XSRF, etc.
Citation preview
Our roadmap
Introduction: What will we cover today?
1. Five top vulnerabilities by OWASP2. How to find them3. How to prevent them
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
OWASP
Breach Security Network
OWASP: Top Ten 2007
1. Cross Site Scripting2. Injection Flaws3. Insecure Remote File Include4. Insecure Direct Object Reference5. Cross Site Request Forgery6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access
OWASP: Top Ten 2004
1. Unvalidated Input2. Broken Access Control3. Broken Authentication And Session Management4. Cross Site Scripting5. Buffer Overflows6. Injection Flaws7. Improper Error Handling8. Insecure Storage9. Denial Of Service10. Insecure Configuration Management
1. Cross Site Scripting2. Injection Flaws3. Insecure Remote File Include4. Insecure Direct Object Reference5. Cross Site Request Forgery6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access
4. Cross Site Scripting 6. Injection Flaws
2. Broken Access Control (split)
7. Improper Error Handling3. Broken Authentication And Session Management8. Insecure Storage
2. Broken Access Control (split)1. Unvalidated Input5. Buffer Overflows9. Denial Of Service10. Insecure Configuration Management
NEW
NEW
OWASP: 2004 & 2007
BSN: The Web Hacking Incidents Database What are the drivers for Web Hacking?
1%1%1%3%3%3%
8%
15%
23%
42%
Stealing Sensitive Information Defacement Planting MalwareUnknown Deceit BlackmailLink Spam Worm PhishingInformation Warfare
BSN: The Web Hacking Incidents Database What are the drivers for Web Hacking?
18%
8%
10%
12% 15%
17%
20%
SQL Injection Unintentional Information DisclosureKnown Vulnerability Cross Site Scripting (XSS)Insufficient Access Control Credential/Session PredictionOther
A1
A2A3
A5
A4
A7
A6
A10, 2004
Cross Site Scripting
Cross Site Scripting: OverviewCross Site Scripting (XSS) flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.
<script type="text/javascript"> alert("You've been hacked!");</script>
<script type="text/javascript"> alert("You've been hacked!");</script>
<script type="text/javascript"> alert("You've been hacked!");</script>
<script type="text/javascript"> alert("You've been hacked!");</script>
server
Cross Site Scripting: How it works.
Kate
Bad Guy
Posting malicious message
Nick
Cross Site Scripting: Demo
Demo
Cross Site Scripting: Protection
1. Input validation Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.
2. Strong output encoding Ensure that all user‐supplied data is HTML entity encoded before rendering in HTML, taking the approach to encode all characters other than a very limited subset.
Questions?
Injection Flaws
Injection Flaws: Overview
Injection flaws, particularly SQL injection, are common in web applications.
Injection occurs when user‐supplied data is sent to an interpreter as part of a command or query. The attacker’s data tricks the interpreter into executing unintended commands.
SQL Injection: How it works.
server DB server
Kate
?uname=kate&pwd=123abc SELECT pwd FROM USERS WHERE uname IS '$uname';
?uname=’;%20DROP%20TABLE%20USERS;&pwd=123abc
server DB server
SELECT pwd FROM USERS WHERE uname IS '$uname';
Bad Guy
SELECT pwd FROM USERS WHERE uname IS 'kate';
SELECT pwd FROM USERS WHERE uname IS '';DROP TABLE USERS;
SQL Injection: Demo
Demo
SQL Injection
SQL Injection: Protection
1. Enforce least privilege2. Avoid detailed error messages3. Do not send dynamic queries4. Be careful when using stored procedures5. Do not use dynamic query interface6. Do not use simple escaping functions
Questions?
Insecure Remote File Include
Insecure Remote File Include: Overview
Malicious file execution vulnerabilities are found in many applications. Developers will often directly use or concatenate potentially hostile input with file or stream functions, or improperly trust input files.
include $_REQUEST['filename’];
Insecure Remote File Include: How it works.
<select name="language"> <option value="fr"></option></select>
require_once ($_REQUEST["language"]."lang.php");
<select name="language"> <option value="fr">French</option> <option value="../../../../etc/passwd%00">Show your passwords</option></select>
Insecure Remote File Include: Protection
In general, a well‐written application will not use user‐supplied input in any filename for any server‐based resource(such as images, XML and XSL transform documents, or script inclusions), and will have firewall rules in place preventing new outbound connections to the Internet or internally back to any other server.
Questions?
Insecure Direct Object Reference
Insecure Direct Object Reference: Overview
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
Unless an access control check is in place, an attacker can manipulate those references to access other objects without authorization.
int cartID = Integer.parseInt( request.getParameter( "cartID" ) ); String query = "SELECT * FROM table WHERE cartID=" + cartID;
Insecure Direct Object Reference: How it works.
Unauthorized user has access to any cart.
int cartID = Integer.parseInt( request.getParameter( "cartID" ) ); User user = (User)request.getSession().getAttribute( "user" ); String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();
Preventing:
Insecure Direct Object Reference: Protection
1. Avoid exposing your private object references to users whenever possible.2. Verify authorization to all referenced objects
Questions?
Cross Site Request Forgery
Cross Site Request Forgery: Overview
A CSRF attack forces a logged‐on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim, to the benefit of the attacker.
Cross Site Request Forgery: How it works.
Peterbank.com
/login.html
/auth
Cookie: sessionid:1234567
/viewbalance Cookie: sessionid:1234567
Your balance is 50 000 $
Cross Site Request Forgery: How it works.
Peterbank.com
/login.html
/auth
Cookie: sessionid:1234567
/paybill?addr=...&amount=1000 Cookie: sessionid:1234567
OK. Payment sent!
evil.com
/index.html
...<img src="http://bank.com/paybill?addr=...&amount=1000"/>...
Questions?
Others
Others
6. Information Leakage And Improper Error Handling7. Broken Authentication And Session Management8. Insecure Cryptographic Storage9. Insecure Communications10. Failure To Restrict URL Access
Questions?
![Web Security: Web Application Security [continued]courses.cs.washington.edu/courses/cse484/17sp/slides/cse484-lect… · Web Security: Web Application Security [continued] Spring](https://img.dokumen.tips/doc/110x75/5f71addc68d9d1746f7704e8/web-security-web-application-security-continued-web-security-web-application.jpg)
