© 2011 IBM Corporation
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan, Technical Manager, IBM Rational Software
Software and Systems Engineering | Rational
Agenda
1. Let the Numbers Speak
2. Top and Emerging Attacks
3. Testing for Vulnerabilities
X-Force R&D - Unmatched Security Leadership
The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Deliver security protection for today's security problems
• Develop new technology for tomorrow's security challenges
• Educate the media and user communities
X-Force Research draws on:
• 14B analyzed Web pages & images
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples
It provides specific analysis of: vulnerabilities & exploits; malicious/unwanted websites; spam and phishing; malware; other emerging trends.
Vendors Reporting the Largest Number of Vulnerability Disclosures in History
• Vulnerability disclosures are up 27%.
• Web applications continue to be the largest category of disclosure.
• The significant increase across the board reflects efforts throughout the software industry to improve software quality and to identify and patch vulnerabilities.
Web App Vulnerabilities Continue to Dominate
Nearly half (49%) of all vulnerabilities are Web application vulnerabilities.
Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.
Patches Still Unavailable for Many Vulnerabilities
44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.
For most vulnerabilities, a patch becomes available at the same time the vulnerability is publicly disclosed.
However some vulnerabilities are publicly disclosed for many weeks before patches are released.
Patch Release Timing – First 8 Weeks of 2010
Exploit Effort vs. Potential Reward
Economics continue to play heavily into the exploitation probability of a vulnerability.
All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients.
The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.
Understanding the Web Application (layered diagram)
Desktop: Antivirus Protection
Transport: Encryption (SSL)
Network: Firewalls / IDS / IPS
Web Applications: Firewall in front of the Web Servers, Application Servers, Databases and Backend Server
Why are Web Applications so Vulnerable?
• Network scanners won't find application vulnerabilities
• Developers are mandated to deliver functionality on-time and on-budget, but not to develop secure applications
• Developers are not generally educated in secure coding practices
• Product innovation is driving development of increasingly complicated software for a Smarter Planet
Volumes of applications continue to be deployed that are riddled with security flaws… and are non-compliant with industry regulations.
Agenda, part 2: Top and Emerging Attacks
OWASP Top Ten (2010 Edition)
Source: http://www.owasp.org/index.php/Top_10
SQL Injection Attacks
During each of the past three years (2008, 2009 and 2010), there has been a globally scaled SQL injection attack some time during the months of May through August.
The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection.
SQL Injection Attack Tools
Features of current tools:
• Automatic page-rank verification
• Search engine integration for finding "vulnerable" sites
• Prioritization of results based on probability of successful injection
• Reverse domain name resolution
• etc.
The drive-by-download process
1. Desktop users browse the Internet
2. They reach a Web server with an embedded iframe that points at a malicious iframe host
3. The malicious host serves exploit material targeted at the Web browser
4. A downloader is installed
5. Malware is installed and activated
New exploit packs show up all the time
Cross Site Scripting – The Exploit Process
Actors: Evil.org, the User, bank.com
1) A link to bank.com, carrying Evil.org's script, is sent to the user via e-mail or HTTP
2) The user follows the link; the browser sends the script to bank.com embedded as data
3) bank.com returns the script/data in its response, and the browser executes it in the bank.com origin
4) The script sends the user's cookie and session information to Evil.org without the user's consent or knowledge
5) Evil.org uses the stolen session information to impersonate the user
Application Logic is Migrating From Server to Client
We counted server-side vs. client-side LoC in popular web applications in 2005 and in 2010
DOM-Based Cross-site Scripting
A type of XSS (the third type after "Reflected" & "Stored")
The application doesn't need to echo back user input, as it does in Type I (reflected) & Type II (stored)
The attacker poisons a DOM property (a "source", such as document.URL) that the page's own JavaScript then passes to a dangerous "sink"
Example

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT> <BR/>
Welcome to our system
</HTML>

http://www.vuln.site/welcome.html?name=Joe
Source: document.URL
Sink: document.write()
Result: document.write("Joe")
DOM-Based Cross-site Scripting – Attack Example
http://www.vuln.site/welcome.html#?name=<script>alert('hacked')</script>
• Same welcome.html page as above; the attack takes place entirely on the client side. The payload sits after the "#" fragment identifier, which the browser never sends to the server, so server-side logs, input filters and a black-box scanner watching only server traffic never see it.
• Hacker-controlled DOM elements (sources) may include: document.URL, document.location, document.referrer, window.location, etc.
Source: document.URL
Sink: document.write()
Result: document.write("<script>alert('hacked')</script>")
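The welcome.html logic from the slide, rewritten as plain functions so the source-to-sink flow and the fragment trick can be exercised outside a browser, beside a hardened version. This is an added example, not code from the IBM deck; it assumes Node.js (for the global WHATWG URL class) and uses the slide's vuln.site URLs as sample input.

```javascript
// Added example (not from the IBM deck). Node.js >= 10 provides the global
// URL class used below; nothing else is required.

// Vulnerable: mirrors the slide's document.URL.substring(indexOf("name=") + 5)
// logic. Everything after "name=" is returned verbatim, fragment included,
// and the page then hands it to document.write().
function extractNameVulnerable(documentUrl) {
  const pos = documentUrl.indexOf("name=") + 5;
  return documentUrl.substring(pos);
}

// What the server receives: browsers strip the "#..." fragment before sending
// the request, so a payload placed after "#" never appears in server logs
// and never passes through server-side input validation.
function serverVisibleUrl(documentUrl) {
  const u = new URL(documentUrl);
  u.hash = "";
  return u.href;
}

// Minimal HTML entity encoding for text that ends up in element content.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the URL properly instead of substring games, read only the
// real query parameter (the fragment is not part of searchParams), and encode
// before writing. In a real page, assigning the value to an element's
// textContent instead of calling document.write() removes the need to encode.
// An empty or missing name falls back to "guest" (assumption for the example).
function extractNameSafe(documentUrl) {
  const u = new URL(documentUrl);
  const name = u.searchParams.get("name") || "guest";
  return htmlEncode(name);
}
```

Running `extractNameVulnerable` on the attack URL returns the raw `<script>` payload while `serverVisibleUrl` shows the server only ever saw `welcome.html`; this is why DOM-based XSS needs client-side (JavaScript-aware) testing and why the source/sink pairs listed above matter more than what the server echoes.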
Client-side Open Redirect
JavaScript code automatically redirects the browser to a new location
The new location is taken from a DOM property (URL, query string, referrer, etc.)
Example (earlier lines of the script omitted)

...
var sData = document.location.search.substring(1);
var sPos = sData.indexOf("url=") + 4;
var ePos = sData.indexOf("&", sPos);
var newURL;
if (ePos < 0) { newURL = sData.substring(sPos); }
else { newURL = sData.substring(sPos, ePos); }
window.location.href = newURL;

http://www.vuln.site/redirect.html?a=5&url=http://www.some.site
Source: document.location
Sink: window.location.href
Result: window.location.href = "http://www.some.site";
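The redirect.html parsing from the slide as a function, beside a replacement that only follows same-origin targets. This is an added example, not code from the IBM deck; it assumes Node.js (global URL and URLSearchParams) and takes "http://www.vuln.site" as the page's own origin, which the slide never states.

```javascript
// Added example (not from the IBM deck). The page origin is an assumption.
const PAGE_ORIGIN = "http://www.vuln.site";

// Vulnerable: the same parsing as the slide (substring after "url=" up to the
// next "&"), returning whatever the query string contains as the target.
function redirectTargetVulnerable(locationSearch) {
  const sData = locationSearch.substring(1); // drop the leading "?"
  const sPos = sData.indexOf("url=") + 4;
  const ePos = sData.indexOf("&", sPos);
  return ePos < 0 ? sData.substring(sPos) : sData.substring(sPos, ePos);
}

// Hardened: parse the query string properly, resolve the candidate against
// our own origin, and only allow http(s) URLs on that origin. Anything else
// (off-site, scheme-relative "//evil.site", "javascript:", unparsable) is
// replaced by a fixed fallback. Returns the absolute URL to navigate to.
function redirectTargetSafe(locationSearch, fallback = PAGE_ORIGIN + "/") {
  const candidate = new URLSearchParams(locationSearch).get("url");
  if (candidate === null) return fallback;
  let target;
  try {
    // A relative path ("/account") resolves against PAGE_ORIGIN.
    // "//evil.site/x" and "/\evil.site/x" both resolve to http://evil.site/x
    // under WHATWG URL parsing and are rejected by the origin check below.
    target = new URL(candidate, PAGE_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return fallback;
  // origin comparison includes the scheme, so a downgrade/upgrade is rejected too
  if (target.origin !== PAGE_ORIGIN) return fallback;
  return target.href;
}
```

The allow-list is deliberately "same origin only"; if the application legitimately redirects to partner sites, compare `target.origin` against a fixed list rather than checking that the string starts with or contains the trusted host name, which the scheme-relative and backslash cases above defeat.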
Agenda, part 3: Testing for Vulnerabilities
Security Testing Technologies... Combination Drives Greater Solution Accuracy
Static Code Analysis (Whitebox): scanning source code for security issues
Dynamic Analysis (Blackbox): performing security analysis of the running, compiled application, without access to the source
(Venn diagram: of the total potential security issues, dynamic analysis and static analysis each find a different subset; the greatest accuracy is in the overlap, where a finding from one technique is confirmed by the other)
What to Test
Black Box
Verify all user input is encoded – test with special characters in input fields (“, ‘, <, >, -)
Verify all URL variables are encoded in scripts – test with special characters on URL
Verify that SSL protects credentials and session id at all times – watch for HTTPS on all pages
Verify that the user, and the requested mode of access, are authorized for the target object (checked per object, not just per page)
Identify sensitive data and verify encryption exists at all times including in transit and storage
Verify the server configuration disallows requests to unauthorized file types
Verify that you can’t browse to the directory page of the website
Verify that you can’t browse to log files of the website
WhiteBox
Verify outputs from all user supplied input are encoded
Verify that the code uses parameterized queries, or stored procedures called with bound parameters, instead of dynamically constructed SQL statements (a stored procedure that concatenates its arguments into SQL is still injectable)
Verify that authentication and authorisation is centralised and standardised
Verify that logoff actually destroys the session
Verify security patches are applied
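An automated form of two of the black-box checks above ("SSL protects credentials and session id at all times" and the related cookie hygiene), run over one recorded request/response pair the way a scanner would log it. This is an added example, not code or a check from the IBM deck; the cookie names, the session-cookie name pattern and the sample headers are constructed for the example.

```javascript
// Added example (not from the IBM deck). Node.js for the global URL class.

// Parse one Set-Cookie header value into { name, attrs }, with attribute
// names lower-cased and flag attributes (Secure, HttpOnly) stored as true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.substring(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.substring(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.substring(i + 1);
  }
  return cookie;
}

// Names that usually carry a session identifier or credential.
// Assumption for the example: extend this per application under test.
const SESSION_COOKIE = /sess|sid|auth|token/i;

// Audit one response. `url` is the request URL as recorded by the proxy,
// `setCookieHeaders` the list of Set-Cookie values in the response.
// Returns a list of human-readable findings; an empty list passes the check.
function auditSessionTransport(url, setCookieHeaders) {
  const findings = [];
  const scheme = new URL(url).protocol; // "http:" or "https:"
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!SESSION_COOKIE.test(c.name)) continue; // theme/locale cookies are fine
    if (scheme !== "https:") {
      findings.push(`${c.name}: session cookie issued over ${scheme.slice(0, -1)} (sniffable in transit)`);
    }
    if (!("secure" in c.attrs)) {
      findings.push(`${c.name}: missing Secure flag (browser will also send it over http)`);
    }
    if (!("httponly" in c.attrs)) {
      findings.push(`${c.name}: missing HttpOnly flag (readable by injected script, see the XSS slides)`);
    }
  }
  return findings;
}

// Constructed sample: a login response captured over plain HTTP.
const SAMPLE_URL = "http://app.example/login";
const SAMPLE_SET_COOKIE = [
  "SESSIONID=abc123; Path=/",
  "theme=dark; Path=/; Max-Age=31536000",
];
const SAMPLE_FINDINGS = auditSessionTransport(SAMPLE_URL, SAMPLE_SET_COOKIE);
```

Run over every response in a crawl rather than just the login page: the slide's point is "at all times", and the usual failure is a single http:// page (help, marketing, an image) that still receives the session cookie because Secure was never set.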
Car Safety analogy – Protect Valuable Assets: Security System, Seatbelts, Safety Cage, Crash Test
Building Security & Compliance into the SDLC
Phases: Architecture → Coding → Testing → Security → Production (roles: Architects, Developers, Testers, Security)
• Architecture: provide Architects and Developers with the knowledge to design and develop more secure applications
• Coding and Testing: provide Developers and Testers with the expertise and tools to detect and remediate vulnerabilities
• Security: enable Security to effectively drive remediation into development, and ensure vulnerabilities are addressed before applications are put into production
• Production: security penetration testing and application monitoring for ongoing protection
www.ibm.com/software/rational
© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.