© 2011 IBM Corporation Web Application Testing for Today’s Biggest and Emerging Threats Alan Kan Technical Manager IBM Rational Software


Page 1: Web Application Testing for Today’s Biggest and Emerging Threats

© 2011 IBM Corporation

Web Application Testing for Today’s Biggest and Emerging Threats

Alan Kan, Technical Manager, IBM Rational Software

Page 2

Agenda

1. Let the Numbers Speak
2. Top and Emerging Attacks
3. Testing for Vulnerabilities

Page 3

The mission of the IBM X-Force® research and development team is to:

Research and evaluate threat and protection issues

Deliver security protection for today’s security problems

Develop new technology for tomorrow’s security challenges

Educate the media and user communities

X-Force Research

14B analyzed Web pages & images

40M spam & phishing attacks

54K documented vulnerabilities

Billions of intrusion attempts daily

Millions of unique malware samples

Provides Specific Analysis of:
● Vulnerabilities & exploits
● Malicious/Unwanted websites
● Spam and phishing
● Malware
● Other emerging trends

X-Force R&D - Unmatched Security Leadership

Page 4

Vendors Reporting the Largest Number of Vulnerability Disclosures in History

• Vulnerability disclosures up 27%.

• Web applications continue to be the largest category of disclosure.

Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.

Page 5

Web App Vulnerabilities Continue to Dominate

Nearly half (49%) of all vulnerabilities are Web application vulnerabilities.

Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.

Page 6

Patches Still Unavailable for Many Vulnerabilities

44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.

For most vulnerabilities, a patch becomes available at the same time that the vulnerability is publicly disclosed.

However some vulnerabilities are publicly disclosed for many weeks before patches are released.

Patch Release Timing – First 8 Weeks of 2010

Page 7

Exploit Effort vs. Potential Reward

Economics continue to play heavily into the exploitation probability of a vulnerability.

All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients.

The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.

Page 8

Hacking 102: Integrating Web Application Security Testing into Development 9

Understanding the Web Application

Diagram of the request path and the controls at each layer: Desktop (Antivirus Protection) → Transport (Encryption (SSL)) → Network (Firewalls / IDS / IPS) → Web Applications (Firewall; Web Servers, Application Servers, Databases, Backend Server)

Page 9

Why are Web Applications so Vulnerable?

Network scanners won’t find application vulnerabilities

Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications

Developers are not generally educated in secure code practices

Product innovation is driving development of increasingly complicated software for a Smarter Planet

Volumes of applications continue to be deployed that are riddled with security flaws… and are non-compliant with industry regulations

Page 10

Agenda

1. Let the Numbers Speak
2. Top and Emerging Attacks
3. Testing for Vulnerabilities

Page 11

OWASP Top Ten (2010 Edition)

Source: http://www.owasp.org/index.php/Top_10

Page 12

SQL Injection Attacks

During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August.

The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection.

Chart: attack timelines for 2008, 2009 and 2010

Page 13

SQL Injection Attack Tools

* Automatic page-rank verification
* Search engine integration for finding “vulnerable” sites
* Prioritization of results based on probability for successful injection
* Reverse domain name resolution
* etc.

Page 14

The drive-by-download process

Diagram: Desktop users browse the Internet → web server with embedded iframe → malicious iframe host serves exploit material → web browser targeted → downloader installed → malware installed and activated

Page 15

New exploit packs show up all the time

Page 16


Cross Site Scripting – The Exploit Process

Actors: Evil.org, User, bank.com

1) Link to bank.com sent to user via E-mail or HTTP

2) User sends script embedded as data

3) Script/data returned, executed by browser

4) Script sends user’s cookie and session information without the user’s consent or knowledge

5) Evil.org uses stolen session information to impersonate user

Page 17

Application Logic is Migrating From Server to Client

We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010

Page 18

DOM-Based Cross-site Scripting

A type of XSS (the third type after “Reflected” & “Stored”)

Application doesn’t need to echo back user input like in Type I & Type II

We poison a DOM element, which is used in JavaScript code

Example

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>

http://www.vuln.site/welcome.html?name=Joe

Source: document.URL
Sink: document.write()
Result: document.write("Joe")

Page 19

DOM-Based Cross-site Scripting

http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>

Attack Example

• The attack took place entirely on the client-side (# fragment identifier)

• Hacker controlled DOM elements may include: document.URL, document.location, document.referrer, window.location, etc.

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>

Source: document.URL
Sink: document.write()
Result: document.write("<script>alert('hacked')</script>")
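As an added example (not code from the IBM deck), the welcome page's source-to-sink flow is modelled below as plain functions so it runs under Node without a browser. The first function repeats the slide's substring logic and returns exactly what document.write() would receive; the hardened function parses the URL properly (query string or the "#?" fragment the attack uses), percent-decodes the value and HTML-encodes it before it is rendered. The site URL, the helper names and the entity table are assumptions for illustration.

```javascript
// Added example, not the deck's code: DOM XSS source (document.URL) to
// sink (document.write) modelled as pure string functions.

// The slide's extraction logic verbatim: everything after "name=" in the URL.
// The slide's scenario assumes the fragment reaches document.URL unencoded.
function extractNameLikeSlide(documentURL) {
  const pos = documentURL.indexOf("name=") + 5;
  return documentURL.substring(pos, documentURL.length);
}

// Vulnerable rendering: the raw, attacker-controlled markup that the slide's
// page hands straight to document.write().
function renderWelcomeVulnerable(documentURL) {
  return extractNameLikeSlide(documentURL);
}

// Minimal entity encoding for text placed in an HTML body context (assumed helper).
function htmlEncode(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => table[c]);
}

// Hardened rendering: use the URL parser instead of substring games, accept the
// name from the query or from the "#?name=..." fragment, decode it once and
// HTML-encode the result. In a real page the value would be assigned to
// element.textContent rather than written as markup.
function renderWelcomeSafe(documentURL) {
  const u = new URL(documentURL);
  const fragQuery = u.hash.startsWith("#?") ? u.hash.slice(2) : "";
  const params = new URLSearchParams(fragQuery || u.search);
  const name = params.get("name") || "";
  return htmlEncode(name);
}

// What actually leaves the browser: the fragment is never sent to the server,
// which is why a server-side filter or log never sees this payload.
function requestTarget(documentURL) {
  const u = new URL(documentURL);
  return u.pathname + u.search;
}
```

The point for testers is the last function: because the payload lives in the fragment, the server-side log for this attack shows a plain request for /welcome.html, so black-box scanning must execute the page's JavaScript (or static analysis must trace document.URL to document.write) to find it.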

Page 20

Client-side Open Redirect

JavaScript code automatically redirects the browser to a new location

New location is taken from a DOM element (URL, Query, Referrer, etc.)

Example

...
var sData = document.location.search.substring(1);
var sPos = sData.indexOf("url=") + 4;
var ePos = sData.indexOf("&", sPos);
var newURL;
if (ePos < 0) { newURL = sData.substring(sPos); }
else { newURL = sData.substring(sPos, ePos); }
window.location.href = newURL;

http://www.vuln.site/redirect.html?a=5&url=http://www.some.site

Source: document.location
Sink: window.location.href
Result: window.location.href = "http://www.some.site";
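As an added example (not code from the IBM deck), a hardened replacement for redirect.html's logic: instead of copying the url= value straight into window.location.href, the destination is resolved against the site's own origin and only same-origin http(s) targets are accepted; anything else falls back to the site root. The origin http://www.vuln.site is taken from the slide's URL, and the function names and fallback path are assumptions.

```javascript
// Added example, not the deck's code: allow-list validation for a
// client-side redirect driven by a DOM source (document.location.search).

const SITE_ORIGIN = "http://www.vuln.site"; // assumed from the slide's example URL

// Returns the absolute URL to navigate to, or null when the value must be ignored.
function safeRedirectTarget(locationSearch, origin = SITE_ORIGIN) {
  const params = new URLSearchParams(locationSearch); // proper parsing, not indexOf("url=")
  const raw = params.get("url");
  if (raw === null || raw === "") return null;

  let target;
  try {
    // Relative paths resolve against our origin; absolute URLs keep their own.
    target = new URL(raw, origin);
  } catch {
    return null; // unparsable value
  }
  // Reject javascript:, data:, protocol-relative (//host) and foreign hosts.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.origin !== new URL(origin).origin) return null;
  return target.href;
}

// Where the slide's page does window.location.href = newURL, use this value instead.
function redirectOrFallback(locationSearch, fallback = SITE_ORIGIN + "/") {
  return safeRedirectTarget(locationSearch) || fallback;
}
```

The origin comparison is the design choice: it makes the redirect useful for in-site paths such as /account while refusing the slide's http://www.some.site and the protocol-relative //host form, which the original indexOf/substring code would have passed through unchanged. If off-site destinations are a requirement, replace the origin check with an explicit list of permitted hosts rather than relaxing it.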

Page 21

Agenda

1. Let the Numbers Speak
2. Top and Emerging Attacks
3. Testing for Vulnerabilities

Page 22

Security Testing Technologies... Combination Drives Greater Solution Accuracy

Static Code Analysis (Whitebox)

Scanning source code for security issues

Dynamic Analysis (Blackbox)

Performing security analysis of a compiled application

Diagram: Total Potential Security Issues, with Dynamic Analysis and Static Analysis as two overlapping regions; label: Greatest accuracy

Page 23

What to Test

Black Box

Verify all user input is encoded – test with special characters in input fields (", ', <, >, -)

Verify all URL variables are encoded in scripts – test with special characters on URL

Verify that SSL protects credentials and session id at all times – watch for HTTPS on all pages

Verify the user and the requested mode of access is allowed to the target object

Identify sensitive data and verify encryption exists at all times including in transit and storage

Verify the server configuration disallows requests to unauthorized file types

Verify that you can’t browse to the directory page of the website

Verify that you can’t browse to log files of the website

WhiteBox

Verify outputs from all user supplied input are encoded

Verify that the code uses stored procedures instead of dynamically constructed SQL statements

Verify that authentication and authorisation are centralised and standardised

Verify that logoff actually destroys the session

Verify security patches are applied
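As an added example (not code from the IBM deck), a small check for the first two black-box items: a probe containing the special characters ", ', <, >, - is submitted, and the response body is examined to see whether each reflection came back entity-encoded or raw. The probe marker zq7, the function names and the two sample response bodies are constructed for illustration, not captured from any real site.

```javascript
// Added example, not the deck's code: classify how a response reflects a
// special-character probe (the black-box "verify all user input is encoded" check).

const PROBE_MARKER = "zq7"; // constructed tag so reflections are easy to find
const PROBE = `${PROBE_MARKER}"'<>-${PROBE_MARKER}`;

// Find every reflection between two markers and classify what sits between them:
// "raw" if any of < > " ' survived verbatim, "safe" if they were encoded or
// stripped, "absent" if the probe never came back at all.
// Note: "-" matters for SQL comment sequences, not HTML, so it is not graded here.
function classifyReflection(body, marker = PROBE_MARKER) {
  const results = [];
  const re = new RegExp(`${marker}(.*?)${marker}`, "g");
  let m;
  while ((m = re.exec(body)) !== null) {
    const between = m[1];
    const raw = /[<>"']/.test(between);
    results.push({ offset: m.index, echoed: between, verdict: raw ? "raw" : "safe" });
  }
  return results.length ? results : [{ offset: -1, echoed: "", verdict: "absent" }];
}

// Overall verdict for one response: pass only if no reflection is raw.
// An "absent" probe passes (nothing to encode) but is reported so the tester
// can confirm the field really is not echoed anywhere, e.g. in a later page.
function inputEncodingCheck(body) {
  const findings = classifyReflection(body);
  return { pass: findings.every((f) => f.verdict !== "raw"), findings };
}

// Constructed sample responses: one that encodes the probe, one that echoes it
// raw both in text and inside an attribute value.
const SAFE_BODY = `<p>Hello ${PROBE_MARKER}&quot;&#39;&lt;&gt;-${PROBE_MARKER}</p>`;
const UNSAFE_BODY = `<p>Hello ${PROBE}</p><input value="${PROBE}">`;
```

Run the same probe through every input field and URL parameter, and keep the offset of each raw reflection: a raw echo inside an attribute value (the second finding for UNSAFE_BODY) needs attribute encoding as well as body encoding, which is the kind of context detail a single "is it encoded?" yes/no hides.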

Page 24

Car Safety – Protect Valuable Assets (analogy)

Security System, Seatbelts, Safety Cage, Crash Test

Page 25

Building Security & Compliance into the SDLC

Diagram: Build phases Architecture → Coding → Testing → Security → Production, with Architects and Developers on the build side

• Architecture: provides Architects and Developers with knowledge to design and develop more secure applications

• Provides Developers and Testers with expertise and tools to detect and remediate vulnerabilities

• Ensure vulnerabilities are addressed before applications are put into production

• Enable Security to effectively drive remediation into development

• Security penetration testing and application monitoring for ongoing protection

Page 26

www.ibm.com/software/rational

Page 27

© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

www.ibm/software/rational