
Web shop security Zlatan Filipusic, Arman Nasufovic, Arturo Quesada Gil, Andres Reyes Navas and Jimmy Sjöstrand.


1 Web shop security Zlatan Filipusic, Arman Nasufovic, Arturo Quesada Gil, Andres Reyes Navas and Jimmy Sjöstrand

2 Web shop security
- User
- Developer / Admin

3 User perspective
- Seller's trustworthiness
- Secure web site – https
- Passwords
- Viruses / Spyware
- Cookies

4 Payment options
- Credit card
- Direct internet bank payment

5 Electronic credit card (E-card)
- limited time
- limited money

6 Developer / Administrator perspective
- Confidentiality
- Integrity
- Availability

7 Developing secure homepages
- SSL / https
- PSP
- 3D Secure
- PCI DSS
- Hacking & Cracking
- Social Engineering
- Policies
- Physical Security

8 VULNERABILITIES IN E-COMMERCE: INTRODUCTION
- e-Commerce grows exponentially, principally B2B and B2C.
- The INTERNET must provide the communication at the right time and in the right way.
- As the benefits to an enterprise increase with offering its services better and faster than its competitors, in the same line:
  - Information is MORE SENSITIVE and MORE DANGEROUS in the wrong hands → "Customer information is like gold to marketers".
- INTERNET SERVICES are growing exponentially too:
  - more COMPLEX software == more PROBLEMS DEVELOPING software
  - + FASTER DEVELOPMENT == POORER SECURITY implementation
  - + LACK of KNOWLEDGE about how TO SECURE the customer's personal information
  - = WEAKNESSES IN SECURING INFORMATION ARE INCREASING
- "Your system is only as secure as the people who use it"

9 VULNERABILITIES IN E-COMMERCE: THE GENERAL CONTEXT
- The software environment of web applications is NOT implemented relying on a SECURITY DESIGN:
  - Programmers are not well trained in secure programming techniques
  - Weak mechanisms to ensure sanitized inputs and outputs (e.g. improper input validation, improper escaping and structured output)
  - Designers don't specify an independent and restricted environment for the application
  - Undefined policies for restricting the software environment:
    - Run privileges → total control of the software environment
    - Error messages → disclosure of software architecture and implementation
    - Virtualization → the impact of attacks spreads further into the software environment
  - Relying on security through obscurity: software protection mechanisms relying on secrecy == exploitable by reverse engineering
  - Trust in third-party software
  - Maintainers and managers don't assess and implement security across the whole software lifecycle
  - Misuse of automated/static and manual/dynamic analysis (e.g. fuzzers, scanners, pen testing)
- RESULT: "You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined…" → SOFTWARE WEAKNESSES

10 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION"
- INJECTION attacks happen when untrusted data is sent to an interpreter as part of a command or query.
- The attacker's modified data can mislead the interpreter (in the back-end database) into:
  - executing unintended commands, or
  - accessing unauthorized data.
- Two front-end application injection attacks:
  1. Incorrectly filtered escape characters
  2. Incorrect type handling
- One back-end application injection attack:
  1. Blind injection

11 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION EXAMPLES"
1. Incorrectly filtered escape characters
- The next statement is crafted by the attacker so that it always evaluates to true:
  SELECT * FROM users WHERE name = '' OR '1' = '1'
- With this statement the attacker can force the selection of a valid user name, breaking the authentication procedure.
2. Incorrect type handling
- The input field is not type constrained (strongly typed), so the attacker can craft the next query:
  "SELECT * FROM userinfo WHERE id = " + type_not_constrained_input_value + ";"
- Supplying the input 1;DROP TABLE `users` produces:
  SELECT * FROM userinfo WHERE id = 1;DROP TABLE `users`;
- With this statement the attacker deletes the users table in the database, so the integrity of the data has been compromised.

12 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION EXAMPLES"
3. Blind injection
- The attacker introduces conditional queries in order to reveal information that is not disclosed at first; error messages and database responses are used to find any possible injection opportunity.
- A typical attempt:
  - The attacker knows that this query is issued:
    SELECT title, description, body FROM items WHERE ID = 2
  - He/she appends the condition "and 1=2", so the database receives:
    SELECT title, description, body FROM items WHERE ID = 2 AND 1=2
  - If the attacker receives a different page from the application, he/she knows that the database is vulnerable to injection.
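The three injection cases of slides 10 to 12 carried through in working code, as an added Python example that is not part of the original presentation: a shop lookup built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite database (the tables, rows and function names are made up for the example; the inputs `' OR '1'='1` and `2 AND 1=2` are the ones the slides quote). The slides' `DROP TABLE` case is left out because Python's sqlite3 refuses stacked statements, which other database drivers do not.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the shop's users and items tables.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE items (id INTEGER, title TEXT, description TEXT, body TEXT);
        INSERT INTO items VALUES (2, 'Mug', 'Ceramic mug', 'Dishwasher safe');
    """)
    return con


def find_user_vulnerable(con, name):
    # Case 1 (incorrectly filtered escape characters): the quote in the input
    # is not escaped, so the input becomes part of the SQL grammar.
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    # Parameterised query: the driver binds the value separately from the
    # statement, so no character in it can change the statement's structure.
    return con.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def item_vulnerable(con, raw_id):
    # Case 2 (incorrect type handling): an untyped id is pasted into the query.
    # "2 AND 1=2" is accepted and silently changes the result, which is the
    # page difference the blind-injection probe of slide 12 looks for.
    sql = "SELECT title FROM items WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def item_safe(con, raw_id):
    # Enforce the type first (the "strongly typed" input the slide asks for),
    # then bind: "2 AND 1=2" now raises ValueError instead of reaching SQL.
    item_id = int(raw_id)
    return con.execute("SELECT title FROM items WHERE id = ?", (item_id,)).fetchall()
```

`find_user_vulnerable` returns every user for the slide's `' OR '1'='1` input while `find_user_safe` returns none, and `item_safe` rejects anything that is not an integer before the database ever sees it.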

13 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION" (OWASP TOP TEN 2010)
[Diagram: an HTTP request passes through the firewall, hardened OS, web server and app server (custom code: accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce, bus. functions) to the back-end databases, legacy systems, web services, directories, human resources and billing; network layer vs. application layer; the forwarded SQL query is "SELECT * FROM accounts WHERE acct='' OR 1=1-- '"]
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

14 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS"
- XSS (Cross Site Scripting) attacks occur when a web application takes unsanitized data, supplied by an attacker, and sends it to a user's web browser.
- Through the web application, attackers can execute scripts in the user's browser in order to:
  - steal session cookies;
  - redirect the user to other, malicious sites;
  - bypass access control mechanisms (like the same-origin policy).
- There are 3 principal variants:
  - Non-persistent attack
  - Persistent attack
  - DOM-oriented attack
- This vulnerability relies on the trust the user's browser puts in the web application.

15 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS NON-PERSISTENT"
- A non-persistent attack requires that the user visits a crafted link or some object containing malicious code.
- Example: "This attack performs a theft of the user's authorization when the user is required to enter the credit card number, in order to obtain access to a web server by stealing the user's session ID."
  1. The attacker notices that the server echoes the request's "CC" parameter into the page without validating it (the OWASP Top Ten 2010 code fragment the slide quotes):
     (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
  2. The attacker introduces embedded code in order to send the user's session ID to an untrusted web site. He/she uses the "CC" field, starting the value with '> to close the input element, followed by a script element (not preserved in this transcript).
  3. The attacker receives the user's session ID at the malicious site and can impersonate the user's browser.

16 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS PERSISTENT AND DOM-ORIENTED ATTACK"
- A persistent attack uses the web site itself to inject the code into the user's browser.
- While the user views some information crafted into JavaScript, the attacker can introduce a piece of embedded code (the snippet is not preserved in this transcript).
- A DOM-oriented attack can instigate the user's browser to execute pieces of a modified DOM controlled by the attacker.
- In this case, the embedded malicious code can steal the user's session cookie by forcing the user to click (the snippet is not preserved in this transcript).
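The defence that all three XSS variants of slides 14 to 16 share is output encoding: whatever the attacker put into the data, the browser must receive it as text, not markup. As an added Python example that is not part of the presentation, here is the credit-card input of slide 15 rendered with and without encoding, plus a small check a reviewer or test suite can run over the rendered page. The template string, function names and the `'><script>…` test value are constructed for the example.

```python
import html
import re

# Constructed stand-in for the page fragment the slide's Java line builds.
TEMPLATE = "<input name='creditcard' type='TEXT' value='{value}'>"


def render_vulnerable(cc_param):
    # The CC parameter is pasted into the attribute exactly as received, so a
    # value beginning with '> closes the element and the rest becomes markup.
    return TEMPLATE.format(value=cc_param)


def render_safe(cc_param):
    # html.escape(quote=True) turns & < > " ' into entities, so the value can
    # neither close the attribute nor start a script element.
    return TEMPLATE.format(value=html.escape(cc_param, quote=True))


_SCRIPT_START = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(markup):
    # Detection helper: does the rendered page carry a live <script> start tag?
    # Useful as an assertion in tests that feed hostile input to every template.
    return _SCRIPT_START.search(markup) is not None
```

The encoded output still shows the user exactly what they typed; only its meaning to the HTML parser changes. Marking the session cookie `HttpOnly` is the complementary control for the cookie-theft case: a script that does run cannot read it through `document.cookie`.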

17 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "CSRF"
- CSRF (Cross Site Request Forgery) attacks exploit the trust the web application puts in the user's browser.
- These attacks force an authenticated user of a web site to send requests to a server without the user's knowledge.
- Web servers are often designed to receive "trusted" requests from trusted users without any control mechanism to verify that they are intended requests: the attacker can trick the web site into processing requests the user never intended, which are treated as "trusted requests".
- CSRF together with XSS is a bigger threat, because XSS can be used as the base for a CSRF attack operating under the same-origin policy (2 trusted places = same domain and same protocol).

18 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "CSRF ATTACK EXAMPLE"
- EXAMPLE: "A user is browsing a vulnerable web site. He/she needs to transfer money to buy a product. The user is authenticated. How can an attacker compromise the user's money with a CSRF attack?"
  1. The user makes a request to the web site, and the request's content is clear text (the parameters are visible in the URL).
  2. The attacker observes the traffic and can store information on the web site. He/she receives the request, constructs a new request transferring money from the user's account to the attacker's account, embeds this request into an image tag and stores it in the vulnerable web site.
  3. If the user's browser stored the cookie with the session info, then browsing the web site while authenticated and "viewing" the image makes the user's browser issue the embedded forged request as an "authorized" hidden request.
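The missing "control mechanism to verify that they are intended requests" of slide 17 is usually a synchronizer token: a secret the server puts into its own forms and demands back on every state-changing request. As an added Python example that is not part of the presentation, the transfer handler of slide 18 is shown as it is on the vulnerable site and with the token check; the session class, ledger and form field names are constructed for the example.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for the server-side session the cookie points at."""

    def __init__(self, user):
        self.user = user
        # Unguessable per-session token; rendered into genuine forms only.
        self.csrf_token = secrets.token_hex(16)


def render_transfer_form(session):
    # The genuine transfer form carries the token in a hidden field. A request
    # forged on another site (e.g. an <img> whose src points at /transfer)
    # cannot include it, because the attacker never sees this page.
    return ("<form method='POST' action='/transfer'>"
            f"<input type='hidden' name='csrf_token' value='{session.csrf_token}'>"
            "<input name='to'><input name='amount'></form>")


def handle_transfer_vulnerable(session, method, form, ledger):
    # Acts on any request that arrives with a valid session cookie, whatever
    # page triggered it: the "trusted request" assumption slide 17 describes.
    amount = int(form["amount"])
    ledger[session.user] -= amount
    ledger[form["to"]] = ledger.get(form["to"], 0) + amount
    return True


def handle_transfer_safe(session, method, form, ledger):
    # State-changing actions are POST only (an <img> can only issue GET), and
    # the submitted token must equal the session's token. compare_digest keeps
    # the comparison constant-time so the token cannot be guessed byte by byte.
    if method != "POST":
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False
    return handle_transfer_vulnerable(session, method, form, ledger)
```

The forged request of slide 18 fails both checks; only a submission of the server's own form, which carries the token, moves money. Setting `SameSite` on the session cookie is an additional browser-side control, but the token check is the one the server can rely on.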

19 VULNERABILITIES IN E-COMMERCE: SOME STATISTICS (FROM 2008)
[Chart: web applications with detected vulnerabilities]

20 Social Engineering
- Targets
- Technique
- Consequence
- Prevention

21 Policy Making
- Purpose statement
- Applicability and scope statement
- Effective date
- Responsibilities
- Policy statement
- Background
- Definitions

22 Physical Security
- Lock up the server rooms
- Set up surveillance
- Make sure vulnerable devices are locked up
- Use rack-mount servers
- Don't forget about the workstations
- Keep intruders out of the computer/server case

23 Physical Security
- Protect portable devices
- Take backups and keep them secure
- Disable the drives
- Protect your printers

24 SSL
- Secure Sockets Layer
- Enables secure data exchange between client and server
- Protocol below the application layer
- Confidentiality (encryption)
- Integrity (MAC)

25 SSL Services
- Fragmentation: divides data into blocks of 2^14 bytes
- Compression: data can be compressed (optional)
- Message integrity: keyed hash function with MAC
- Confidentiality: symmetric key cryptography
- Framing

26 Handshake
- No handshake, no security
- Enables exchange of keys
- Reduces the risk of man-in-the-middle attacks
- Sets up parameters
- About 10 steps in the handshake:
  - Which cipher suites and SSL versions are supported
  - Client gets the server's public key from the server certificate
  - Client creates a pre-master secret and sends it encrypted to the server
  - The pre-master secret creates a master secret
  - The master secret is then used to create session keys and auth keys

27 MAC
- Message Authentication Code
- A hash using the message and an authentication key
- Used to authenticate the sender of a message
- (Message + Authkey) → Hash
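The "keyed hash function" of slides 25 and 27 carried through in code, as an added Python example that is not part of the presentation. It uses HMAC, the standard keyed-hash construction TLS uses for record integrity, appends the tag to each message the way SSL does with each fragment, and shows the receiver rejecting a modified message; the key and message bytes are constructed for the example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def mac(auth_key: bytes, message: bytes) -> bytes:
    # The slide's "(Message + Authkey) -> Hash", done as HMAC-SHA256 so the key
    # is mixed in on both sides of the hash rather than simply concatenated.
    return hmac.new(auth_key, message, hashlib.sha256).digest()


def send(auth_key: bytes, message: bytes) -> bytes:
    # Sender appends the tag to the message to form the record on the wire.
    return message + mac(auth_key, message)


def receive(auth_key: bytes, record: bytes):
    # Receiver splits record into message and tag, recomputes the tag over the
    # message with its copy of the key and compares in constant time.
    # Returns the message if it is authentic, None if it was altered or the
    # sender did not hold the key.
    if len(record) < TAG_LEN:
        return None
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(auth_key, message)):
        return None
    return message
```

Anyone on the path can read the message (the MAC gives integrity, not confidentiality, which is why SSL also encrypts), but without the authentication key they cannot produce a tag that the receiver will accept for a changed message.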

28 Putting it all together
- Exchange of information using SSL

29 SSL Weaknesses
- Cipher suites can be weak
- Man in the middle
- Keyjacking
- Fake certificates
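Three of the four weaknesses on slide 29 are decided by how the client is configured: which protocol versions and suites it will negotiate, and whether it verifies the certificate and hostname at all (a fake certificate or a man in the middle only succeeds when that check is off). As an added Python example that is not part of the presentation, here is a hardened client context built on the standard library's `ssl` module beside the weakened one developers create to silence certificate errors, and an audit helper that reports what a context is missing; no network connection is made.

```python
import ssl


def hardened_client_context():
    # create_default_context() already verifies the server certificate against
    # the system trust store and checks the hostname; raising the minimum
    # version keeps legacy SSL/TLS 1.0/1.1 and the weak suites they carry
    # out of the negotiation.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    # The configuration that makes "the certificate error go away": any
    # certificate, including a forged one, is accepted, so a man in the middle
    # can terminate the connection and read everything.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx):
    # Audit helper: list the protections a context lacks, in a fixed order,
    # so a test suite can assert the list is empty for every context in use.
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings
```

Cipher-suite strength beyond the version floor depends on the OpenSSL build behind the `ssl` module; `ctx.get_ciphers()` lists what a context would actually offer if that needs auditing too.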

30 PSP: Payment Service Provider
- DEFINITION OF PSP: "PSPs offer merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking."
- Solution for problems in connecting the e-market with banks
- 2 different fee policies
- Security

31 List of PSPs

32 3D SECURE
- DEFINITION OF 3D SECURE: "3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions."
- Security
- Three-domain model for authentication:
  - Acquirer domain
  - Issuer domain
  - Interoperability domain
- Based on SET

33 PCI DSS
- Payment Card Industry Data Security Standard
- Security standard to control credit card info
- Defined by the PCI SSC
- Unified from:
  - Visa Card Information Security
  - MasterCard Site Data Protection
  - American Express Data Security Operating Policy
  - Discover Information and Compliance
  - JCB Data Security Program
- Objectives
- Protected and unprotected data
- Security techniques

34 PCI DSS Requirements
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security.

