Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web application security High tech threats Ivan Marković IT Security Consultant.

Published bySarah Nettles Modified over 9 years ago

Similar presentations

Presentation on theme: "Web application security High tech threats Ivan Marković IT Security Consultant."— Presentation transcript:

1 Web application security High tech threats Ivan Marković IT Security Consultant

2 Reference

3 Web aplikacije Šta su web aplikacije i web tehnologije? Klijent Server

4 Web aplikacije Zašto su web aplikacije u većini slučajeva prva meta zlonamernih korisnika? Dostupnost, održavanje,...

5 Web aplikacije Kako web aplikacije i propusti u njima ugrožavaju online i offline sisteme? Kako zaobilaze uobičajne metode zaštite?

6 Web aplikacije / Top Threats A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object ReferencesA 5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Unvalidated Redirects and Forwards

7 High Tech Vulnerabilities Kako kombinacija uobičajnih propusta niskog rizika postaje ulaz za hakere?

8 EverCookie  Virtually irrevocable persistent cookies - Samy Kamkar, http://samy.pl/evercookie/http://samy.pl/evercookie/  Storage mechanisms: - Standard HTTP Cookies - Local Shared Objects (Flash Cookies) - Silverlight Isolated Storage - Storing cookies in Web History - Storing cookies in HTTP ETags - Storing cookies in Web cache - window.name caching - Internet Explorer userData storage - HTML5 Session Storage, Local Storage, Global Storage, Database Storage via SQLite - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

9 Fun with Cookies Visitor Tracking Without Cookies (or How To Abuse HTTP 301s) http://www.scatmania.org/2012/04/24/visito r-tracking-without-cookies/ http://www.scatmania.org/2012/04/24/visito r-tracking-without-cookies/ XSS: Gaining access to HttpOnly Cookie in 2012 http://seckb.yehg.net/2012/06/xss-gaining- access-to-httponly-cookie.htmlhttp://seckb.yehg.net/2012/06/xss-gaining- access-to-httponly-cookie.html

10 New DDoS tricks  Slowloris - Robert Hansen, http://ha.ckers.org/slowloris/ - Keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closinghttp://ha.ckers.org/slowloris/  Slow HTTP POST Attack - Onn Chee Wong, http://www.owasp.org/images/4/43/Layer_7_DD OS.pdf http://www.owasp.org/images/4/43/Layer_7_DD OS.pdf - OSI Layer 7 - Content-Length: 1000 (bytes) / but send it 1 byte per 110 seconds

11 New DDoS tricks  Javascript LOIC - Low Orbit Ion Cannon - an open source network attack application, written in C#  HTML 5 WebWorkers and Cross Origin Requests - Lavakumar Kuppan, http://blog.andlabs.org/2010/12/performing- ddos-attacks-with-html5.html

12 Click Jacking  also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page http://www.owasp.org/index.php/Clickjackinghttp://www.owasp.org/index.php/Clickjacking

13 Click Jacking  http://www.sectheory.com/clickjacking.htm

14 Browser Auto Complete  I want to know your name, who you work for, where you live, your email address... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/ breaking-browsers-hacking-auto-complete.html http://jeremiahgrossman.blogspot.com/2010/08/ breaking-browsers-hacking-auto-complete.html  Safari Address Book Autofill  Internet Explorer stealing previously entered data  Writing to auto complete  Read remembered passwords

15 Browser Auto Complete  Safari Address Book Autofill

16 Browser Auto Complete  Safari Address Book Autofill

17 Browser Auto Complete  Safari Address Book Autofill Name: Company: City: State: Country: Email:

18 Browser Auto Complete  I want to know your name, who you work for, where you live, your email address... - Jeremiah Grossman, http://jeremiahgrossman.blogspot.com/2010/08/ breaking-browsers-hacking-auto-complete.html http://jeremiahgrossman.blogspot.com/2010/08/ breaking-browsers-hacking-auto-complete.html  Safari Address Book Autofill  Internet Explorer stealing previously entered data  Writing to auto complete  Read remembered passwords with XSS

19 Browser and Web app plugins  Browser plugins, http://research.zscaler.com/2011/02/browser- plugins-and-security.html http://research.zscaler.com/2011/02/browser- plugins-and-security.html  Security considerations: - see login/password credentials in clear text - send back the credentials to any website - modify the web pages seen by the user - add/delete/modify files on the computer - run executables

20 Browser plugins  Malicious browser plugins examples: 2007: Firebug goes evil: http://www.gnucitizen.org/blog/firebug-goes- evil/ console.log({' alert("bing!") ':'exploit'}) 2009: NoScript vs Adblock: http://www.informationweek.com/news/internet/ browsers/showArticle.jhtml?articleID=217700105

21 Browser plugins  Malicious browser plugins examples: 2010: TROJAN: http://blog.mozilla.com/addons/2010/02/04/plea se-read-security-issue-on-amo/ - S othink Web Video Downloader / Win32.LdPinch.gen - Master Filer / Win32.Bifrose.32.Bifrose Btw, how is situation in the wild ?

22 Web app plugins  Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=wordpress

23 Web app plugins  Web application plugins - Wordpress, Joomla, … http://secunia.com/advisories/search/?search=joomla

24 XSS in IE XSS Filter  Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Internet Explorer 8 implements an anti Cross-site Scripting (XSS) mechanism to detect certain types of XSS attacks. This feature can be abused by attackers in order to enable XSS on web sites and web pages that would otherwise be immune to XSS. For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occuring. However, altering a server's response before it gets rendered by the browser may have unintended consequences.

25 XSS in IE XSS Filter  Mistake by design, Eduardo Vela Nava and David Lindsay, http://p42.us/ie8xss/ Example: Injection string: x onload=alert(0) x - will not execute the alert - will execute the alert

26 Cross Site Request Forgery  CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated http://secunia.com/advisories/search/?search=Cross+Site +Request+Forgery&sort_by=date

27 Cross Site Request Forgery  Facebook: http://www.john- jean.com/blog/advisories/facebook-csrf-and-xss- vulnerabilities-destructive-worms-on-a-social- network-350 http://www.john- jean.com/blog/advisories/facebook-csrf-and-xss- vulnerabilities-destructive-worms-on-a-social- network-350  Twitter: http://techcrunch.com/2010/09/26/dont-click- the-wtf-link-on-twitter-unless-you-do-like-sex- with-goats http://techcrunch.com/2010/09/26/dont-click- the-wtf-link-on-twitter-unless-you-do-like-sex- with-goats

28 HTTP Parameter Pollution  Stefano di Paola and Luca Carettoni, http://www.owasp.org/images/b/ba/AppsecEU09 _CarettoniDiPaola_v0.8.pdf http://www.owasp.org/images/b/ba/AppsecEU09 _CarettoniDiPaola_v0.8.pdf  How does your application respond if it receives multiple parameters all with the same name ?  Bypass firewall, Change application behaviour, …

29 HTTP Parameter Pollution

30 HTTP Parameter Contamination HTTP PARAMETER CONTAMINATION (HPC) original idea comes from the innovative approach found in HPP research by exploring deeper and exploiting strange behaviors in Web Server components, Web Applications and Browsers as a result of query string parameter contamination with reserved or non expected characters. Some facts: - The term Query String is commonly used to refer to the part between the “?” and the end of the URI - As defined in the RFC 3986, it is a series of field-value pairs - Pairs are separated by “&” or “;” - RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _. ! ~ * ' ( ) Reserved: ; / ? : @ & = + $, Unwise: { } | \ ^ [ ] `

31 INTRANET Hacking  From Website to LAN  Browser plugins  Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple- vulnerabilities/494/  CSS History Hack for Port Scanning (with and without Java Script): http://ha.ckers.org/blog/20100125/css-history-hack-in- firefox-without-javascript-for-intranet-portscanning/

32 INTRANET Hacking  From Website to LAN  Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/

33 INTRANET Hacking  From Website to LAN  Cross Site Request Forgery http://netsec.rs/31/huawei-hg510-multiple-vulnerabilities/494/.: POC (CSRF / Change password) http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PA SSWORD.: POC (CSRF / DoS) http://PUBLIC_IP_OF_USER/rebootinfo.cgi http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PA SSWORD http://PUBLIC_IP_OF_USER/rebootinfo.cgi

34 Exotic threats in 2012 White Hat Security Exotic Threats http://blog.whitehatsec.com/top-ten-web- hacking-techniques-of-2012/

35 Playground Demo okruženje za analizu bezbednosti BackTrack Linux Metasploit

36 PITANJA

Download ppt "Web application security High tech threats Ivan Marković IT Security Consultant."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

Similar presentations

Ads by Google