
Top Web App Attack Methods and How to Combat Them Dennis Hurst, SPI Dynamics Schedule: 9:30~10:00 Breakfast 10:00~11:30 Presentation 11:30~12:00 Break.


1 Top Web App Attack Methods and How to Combat Them
Dennis Hurst, SPI Dynamics
Schedule: 9:30~10:00 Breakfast; 10:00~11:30 Presentation; 11:30~12:00 Break / Demo

2 Agenda (SPI Dynamics Confidential)
- Who is SPI Dynamics
- The Evolution of Web Applications and Why They Need to Be Secured
- Web Application Vulnerabilities in Depth
- Managing Web Application Vulnerabilities
- Closing and Q&A

3 SPI Dynamics
- The expert in web application security testing and enterprise security risk management
- Established market and thought leader
- Introduction of product line for application lifecycle and AMP
- Multiple patent applications completed and pending
- Co-creator of the AVDL interoperability standard and member of other industry-leading consortiums
- WebInspect assesses the security of applications and web services throughout the application lifecycle: Development, QA, Production, Audit
- SPI Labs: research and development group, recognized as a leading authority on web application security

4 SPI Dynamics
- Founded January 2000 by web application and security experts
- Focused on the web application security testing and vulnerability assessment market
- 600+ Customers
- Noted as the fastest growing company (with 380% growth) by IDC in a December 2003 report by Charles J. Kolodgy
- Strong in F500, federal and state government
- #1 in customer growth, #1 in market share

5 Selected Commercial Customers

6 Selected Government Customers

7 Web Sites
Diagram: Browser – HTML – Web Server. Simple, single server solutions.

8 Web Applications
Diagram: Browser (including Wireless) – Web Servers (Presentation Layer, Media Store) – Application Server (Business Logic, Content Services, Web Services) – Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data). Very complex architectures, multiple platforms, multiple protocols.

9 Web Applications Breach the Perimeter
Diagram zones: Internet | DMZ | Trusted Inside | Corporate Inside
- Internet-facing protocols: HTTP(S), IMAP, FTP, SSH, TELNET, POP3
- Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any – Web Server: 80)
- Firewall only allows applications on the web server to talk to the application server
- Firewall only allows the application server to talk to the database server
- Web servers: IIS, SunOne, Apache; application servers: ASP.NET, WebSphere, Java; databases: SQL, Oracle, DB2

10 Part Two: Web Application Vulnerabilities in Depth
- Why Web Application Vulnerabilities Occur
- Web Application Attack Methodologies

11 Why Web Application Risks Occur
The Web Application Security Gap
- Security Professionals Don’t Know The Applications: “As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
- Application Developers and QA Professionals Don’t Know Security: “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”

12 Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
- Platform: Known Vulnerabilities
- Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting

13 Web Application Vulnerabilities – Platform
Platform: Known Vulnerabilities
- Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
- Most easily defendable of all web vulnerabilities
- MUST have streamlined patching procedures
- MUST have an inventory process

14 Web Application Vulnerabilities – Administration
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Less easily corrected than known issues
- Require increased awareness
- More than just configuration: must be aware of security flaws in the actual content
- Remnant files can reveal applications and versions in use
- Backup files can reveal source code and database connection strings

15 Common file vulnerabilities
- Robots.txt shows files that the administrator does not want search engines to crawl
- Don’t show confidential information in this file

16 Common file vulnerabilities
- Web server logs & Stats folders
- A web-accessible web server log or Stats folder will show WAY too much information about your web site

17 Demonstration 1 Common file vulnerabilities

18 Configuration files
- Remnant files
  - Remnant files are any files that are left on a web server that are not in use or part of the web based application.
  - Remnant files can include backup files, documentation files, default files (like samples) or any other file that is not part of the production system.
- Remnant files solutions
  - Never leave unnecessary files on a web server (i.e. Web.config.old)
  - Assume all files on a web server will be seen by a hacker.
  - Encrypt secure information in configuration files

19 Demonstration 2 Configuration file vulnerabilities

20 Web Application Vulnerabilities – Application
Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
Application Programming:
- Common coding techniques do not necessarily include security
- Input is assumed to be valid, but not tested
- Inappropriate file calls can reveal source code and system files
- Unexamined input from a browser can inject scripts into a page for replay against later visitors
- Unhandled error messages reveal application and database structures
- Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser

21 SQL Injection

22 SQL Injection
- Cause: Using user-provided data to build a SQL statement without validating the data first
- Goal:
  - Pass a SQL command to the web based application and have that command executed on the database server
  - Use the exploit to steal data or damage/alter the database.

23 SQL Injection – Demo
- Browser based
- HTTP based
- Automated SQL Injection
- Blind SQL Injection

24 SQL Injection – Solution
- Use parameterized queries
- Trap your Errors!!! Don’t let the environment
- Use Stored Procedures
- Validate User Input
- Turn off default error messages

Parameterized query from the slide (ADO.NET, C#; the parameter names @uid and @passwd are reconstructed from the garbled transcript):

cnn = new SqlConnection(…database connection information here…);
cmd = new SqlCommand("SELECT FirstName, LastName FROM Users " +
                     "WHERE UserName = @uid AND Password = @passwd", cnn);
cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
cnn.Open();
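The same login query in Python against an in-memory SQLite table, as an added example that is not from the slides: the concatenated form the slide warns about next to the parameterized form, plus an error-trapping wrapper so the database's own error text never reaches the browser. The Users table and its one row are constructed here.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the Users table the slide queries.
    cnn = sqlite3.connect(":memory:")
    cnn.execute("CREATE TABLE Users (FirstName TEXT, LastName TEXT, UserName TEXT, Password TEXT)")
    cnn.execute("INSERT INTO Users VALUES ('Alice', 'Smith', 'alice', 'correct horse')")
    cnn.commit()
    return cnn

def login_concat(cnn: sqlite3.Connection, uid: str, passwd: str) -> list:
    # Vulnerable form: user input becomes part of the SQL text (string concat for dynamic SQL).
    sql = ("SELECT FirstName, LastName FROM Users WHERE UserName = '" + uid
           + "' AND Password = '" + passwd + "'")
    return cnn.execute(sql).fetchall()

def login_param(cnn: sqlite3.Connection, uid: str, passwd: str) -> list:
    # Hardened form: the SQL text is constant and the values are bound as parameters,
    # so a quote in the input is data, never syntax (the role SqlParameter plays in C#).
    sql = "SELECT FirstName, LastName FROM Users WHERE UserName = ? AND Password = ?"
    return cnn.execute(sql, (uid, passwd)).fetchall()

def authenticate(cnn: sqlite3.Connection, uid: str, passwd: str) -> bool:
    # "Trap your errors": a driver exception is logged server-side and the caller
    # only ever sees a boolean, never the database's error message.
    try:
        return len(login_param(cnn, uid, passwd)) == 1
    except sqlite3.Error as exc:
        print("login error (server log only):", exc)
        return False

def run_demo() -> dict:
    cnn = make_db()
    tautology = "' OR '1'='1"   # classic injected fragment, supplied here as the password
    results = {
        "concat_bypassed": login_concat(cnn, "alice", tautology) == [("Alice", "Smith")],
        "param_rejected": login_param(cnn, "alice", tautology) == [],
        "param_valid_login": authenticate(cnn, "alice", "correct horse"),
    }
    # A legitimate apostrophe breaks the concatenated query (and would produce the
    # revealing error page the slide warns about); the parameterized query just finds no match.
    try:
        login_concat(cnn, "o'brien", "pw")
        results["concat_error_on_apostrophe"] = False
    except sqlite3.OperationalError:
        results["concat_error_on_apostrophe"] = True
    results["param_handles_apostrophe"] = login_param(cnn, "o'brien", "pw") == []
    return results

if __name__ == "__main__":
    print(run_demo())
```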

25 Federal Trade Commission investigates Guess Inc.
- “Guess Settles with FTC over Cyber Security Snafu”, June 2003, by Kevin Poulsen for SecurityFocus
- “Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all … The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess”
- "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."

26 Google Hacking

27 Google Hacking
- Find vulnerable sites using Google (old method – new life)
- Example search queries:
  - “filetype:mdb inurl:admin” – 180 results
  - “filetype:xls inurl:admin” – 14,100 results
  - “ORA-00921: unexpected end of SQL command” – 3,470 results
  - “allintitle:Netscape Enterprise Server Home Page” – 431 results

28 Google Hacking
- Take this method a step further and use it to narrow your attack victims.
  - “inurl:id= filetype:asp site:gov” – 572,000 results
  - “inurl:id= filetype:asp site:com” – 7,150,000 results
  - “inurl:id= filetype:asp site:org” – 3,240,000 results
- Use this list as a baseline for identifying SQL injection vulnerabilities

30 Google Hacking
- Took 1 hour of coding
- 500 vulnerable sites were found in 1 minute and 26 seconds

31 Google Hacking – SQL Injection Worm
Diagram: Find next victim → Exploit victim (loop)

32 Session Hijacking

33 Review your account
- Find where the confidential data is

34 So Many Cookies
- TestSess
- ‘Site cookie’
- Seg
- TestPerm
- ProfileAddressVerified
- ProfileID
- MEMUSER
- USERID
- SESSIONUSERID
- PROFILE

35
- Eliminate each one until the ones that matter are left
- In this case ‘SESSIONUSERID=505741’
- Is the number incremental?
- Keep everything the same except decrement the number – ‘SESSIONUSERID=505740’
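Added example (not from the slides) from the defender's side of slides 34 and 35: a quick check an auditor can run over a series of issued session cookie values to spot a counter like SESSIONUSERID=505740, 505741, ..., next to a session store that issues opaque random tokens and keeps the user id on the server. The cookie values and user ids used are constructed.

```python
import secrets
from typing import Dict, Iterable, List, Optional

def sequential_fraction(cookie_values: Iterable[str]) -> float:
    # Share of adjacent values that differ by exactly 1. Values issued by a counter
    # (505740, 505741, ...) score near 1.0; random tokens score 0.0.
    nums: List[int] = []
    for value in cookie_values:
        if not value.isdigit():
            return 0.0          # non-numeric tokens cannot be a simple counter
        nums.append(int(value))
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if abs(b - a) == 1)
    return steps / (len(nums) - 1)

class SessionStore:
    # Server-side map from an opaque random token to the user it represents.
    # The cookie carries only the token; the user id never leaves the server,
    # so there is no neighbouring value for a client to decrement to.
    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}

    def create(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def lookup(self, token: str) -> Optional[int]:
        return self._sessions.get(token)

    def destroy(self, token: str) -> None:
        # Logout must invalidate server-side; clearing the cookie alone is not enough.
        self._sessions.pop(token, None)

def issue_batch(store: SessionStore, user_ids: Iterable[int]) -> List[str]:
    # Issue one session per user and return the cookie values in issue order,
    # the same series an auditor would collect to feed sequential_fraction.
    return [store.create(uid) for uid in user_ids]

if __name__ == "__main__":
    print("counter cookies:", sequential_fraction(["505738", "505739", "505740", "505741"]))
    print("random tokens:  ", sequential_fraction(issue_batch(SessionStore(), [1, 2, 3, 4])))
```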

36 Phishing

37 Phishing Attacks
In computing, phishing is the fraudulent acquisition, through deception, of sensitive personal information such as passwords and credit card details, by masquerading as someone trustworthy with a real need for such information. The term was coined in the mid 1990's by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.
Source:

38 Phishing Defined
- The word "phishing" comes from the analogy that Internet scammers are using lures to "fish" for passwords and financial data from the sea of Internet users.
- The term was coined in the 1996 timeframe by hackers who were stealing America On-Line accounts.
- The first mention on the Internet of phishing is on the alt.2600 hacker newsgroup in January
- Over the years, phishing attacks grew from simply stealing AOL dialup accounts into a more sinister criminal enterprise.
(source:

39 Phishing Stats
- Number of active phishing sites reported in January: 2560
- Average monthly growth rate in phishing sites July through January: 28%
(source: )

40 Phishing Technical Review
GET /default.asp HTTP/1.0
Host:
Accept-Language: en-us,en;q=0.5
Referer:
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8
Keep-Alive: 300

41 Avoiding Phishing Attacks
- Companies should NEVER send an e-mail that asks users to log in and change their passwords via an embedded link.
- This policy MUST be communicated to end users.
- When critical account changes are made, send a verification and lock the account until the change is verified.
- Send a notification to users when significant transactions are made.

42 Sample Letter to Customers
Company X Security
While the Internet is generally not a secure environment and no one can guarantee absolute security, Company X strives to provide our customers with a level of comfort about the security of the information they store and transmit through our Web site.
…………
Beware of scams. Do not respond to unsolicited e-mails asking you to validate your account information. If you receive a suspicious e-mail or request for your personal information supposedly from Company X, please forward it to

43 Identifying Phishing attacks
- Bounced e-mails, LOTS of bounces: phishers will send “phishing spam”
- Notification from customers
- Referer headers being sent from unknown or malicious Web sites (Referer: )
- Applications can track referer headers sent by users’ browsers, detect phishing attacks and notify the user of the possible attack
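The Referer-tracking detection from the slide, as an added example that is not from the presentation: it runs over constructed access-log lines for a fictional site (www.example.com, with a host under the reserved .invalid domain standing in for the phishing copy), groups requests by untrusted referring host, and reports hosts that send visitors straight to the login page. The log format, trusted-host list and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines: client, request line, status, Referer (simplified combined log).
SAMPLE_LOG = """\
203.0.113.5 "GET /login.asp HTTP/1.0" 200 "https://www.example.com/account"
203.0.113.9 "GET /login.asp HTTP/1.0" 200 "-"
198.51.100.7 "GET /login.asp HTTP/1.0" 200 "http://example-com-verify.invalid/secure/"
198.51.100.8 "POST /login.asp HTTP/1.0" 302 "http://example-com-verify.invalid/secure/"
192.0.2.3 "GET /images/logo.gif HTTP/1.0" 200 "http://example-com-verify.invalid/secure/"
192.0.2.4 "GET /login.asp HTTP/1.0" 200 "https://search.example.net/results"
"""

TRUSTED_REFERERS = {"www.example.com", "example.com"}   # our own hostnames (assumed)
SENSITIVE_PATHS = {"/login.asp"}                          # pages a phish sends victims to

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def referer_host(referer: str) -> str:
    # "-" (no Referer) and unparsable values yield "", which is never treated as hostile.
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""

def find_suspect_referers(log_text: str) -> dict:
    # Groups requests by untrusted referring host. A host that hands visitors straight to
    # the login page, or hotlinks our images to dress up its copy, is the slide's signal.
    suspects = defaultdict(lambda: {"login_hits": 0, "other_hits": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparsable line: skip rather than guess
        client, _method, path, _status, referer = m.groups()
        host = referer_host(referer)
        if not host or host in TRUSTED_REFERERS:
            continue
        entry = suspects[host]
        entry["clients"].add(client)
        if path in SENSITIVE_PATHS:
            entry["login_hits"] += 1
        else:
            entry["other_hits"] += 1
    return dict(suspects)

def likely_phishing_hosts(log_text: str, min_login_hits: int = 2) -> list:
    # A host is reported once enough login-page visits arrive from it; one stray
    # referral (a search engine, for instance) stays below the threshold.
    report = find_suspect_referers(log_text)
    return sorted(h for h, e in report.items() if e["login_hits"] >= min_login_hits)

if __name__ == "__main__":
    for host, entry in find_suspect_referers(SAMPLE_LOG).items():
        print(host, entry["login_hits"], entry["other_hits"], sorted(entry["clients"]))
    print("likely phishing hosts:", likely_phishing_hosts(SAMPLE_LOG))
```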

44 Responding to Phishing attacks
1. Attempt to determine who has been compromised by the attack and take appropriate action
2. Find out who is hosting the phishing Web site (Use: )
3. Send a “cease and desist” letter to the ISP that is hosting the phishing site
4. Contact Federal officials (FBI)

45 Session Summary
- Session Hijacking and Phishing attacks are both ways that criminals attempt to steal users’ credentials and possibly money
- Minimizing the risk of these attacks requires understanding how your application works and recognizing the signs of a potential attack
- Responding to an ongoing attack is possible but will require some amount of up-front work to be prepared

46 Phishing Resources – Individuals
- Internet Crime Complaint Center: established as a partnership between the FBI and the National White Collar Crime Center to provide a way to receive Internet-related criminal complaints and to research, develop and refer the criminal complaints to law enforcement agencies for any investigation they deem to be appropriate.

47 Phishing Resources – Companies
- Federal Bureau of Investigation
  - Ask for the “Cyber Crime Officer”
  - Contact the FBI to report a phishing attack
- Anti-Phishing Working Group
  - The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and spoofing of all types
  - Excellent resource for phishing information
- Digital PhishNet
  - The Digital PhishNet is a joint enforcement initiative between industry and law enforcement designed to ensnare those who perpetrate phishing attacks
  - Requires specific resources within a company

48 Cross Site Scripting (XSS)

49 Cross Site Scripting - XSS
- Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated.
- A user passes input in the form of a parameter to the web server.
- The web server returns the user-provided input back to the user without proper encoding.

50 Demonstration 4 Cross site scripting (XSS) example (login.aspx)

51 XSS solutions
- Fix
  - Use validateRequest=false cautiously
  - Server.HTMLEncode
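Added example (not from the slides) of the two XSS fixes on slides 49 and 51 in Python: a login-page greeting that reflects a parameter verbatim next to the same greeting with output encoding (html.escape standing in for Server.HTMLEncode), an attribute-context case where quote encoding matters, and a rough approximation of ASP.NET request validation to show why it is only a safety net. The page markup and the regular expression are assumptions of this example.

```python
import html
import re

def welcome_unsafe(username: str) -> str:
    # Vulnerable: the login.aspx-style page reflects the parameter straight into the HTML,
    # so markup in the input is rendered as markup.
    return "<p>Welcome back, " + username + "</p>"

def welcome_encoded(username: str) -> str:
    # Hardened: html.escape plays the role of Server.HTMLEncode for HTML body text;
    # the input is displayed as text, whatever it contains.
    return "<p>Welcome back, " + html.escape(username) + "</p>"

def search_box(query: str) -> str:
    # Attribute context: quote=True also encodes " and ', so the value cannot close the
    # attribute and start a new one. Encoding only < and > would not be enough here.
    return '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'

# Rough approximation of ASP.NET request validation (validateRequest=true): reject "<"
# followed by a letter, "/", "!" or "?", or a numeric entity. It blocks obvious markup
# but also legitimate input, and it is not a substitute for encoding the output.
DANGEROUS_RE = re.compile(r"<[A-Za-z/!?]|&#")

def request_looks_dangerous(value: str) -> bool:
    return DANGEROUS_RE.search(value) is not None

if __name__ == "__main__":
    sample = "<b>Bob</b>"          # constructed input that carries markup
    print(welcome_unsafe(sample))
    print(welcome_encoded(sample))
    print(search_box('" onfocus="x'))
    print(request_looks_dangerous(sample), request_looks_dangerous("a < b"))
```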

52 Part Three: Managing and Detecting Web Application Vulnerabilities
- Changing the application development process
- Assess in depth to defend in depth!
- Manual vs. automated approach
- WebInspect’s approach

53 How the Industry Has Changed
- 1990’s: Zero Liability
- 2004: Federal Trade Commission; regulatory requirements (GLB, HIPAA, SOX, CA1386); legal precedents

54 Testing and verifying
- Web Application attacks come from many vectors
- Application development is by nature an error (bug) prone process.
- Some bugs will have a security aspect.
- Testing for security bugs is critical.

55 Application Lifecycle Phases
Phases: Design, Development, Testing, Production/Security
Roles: Security Operations and Auditors; Developers; QA and Developers; Auditors, Dev, and Business Subject Matter Experts (SME)

56 Application Lifecycle Phases
Phases: Audit, Development, QA, Production/Security
Roles: Security Operations and Auditors; Developers; QA and Developers; Auditors, Dev, Compliance, and Business Subject Matter Experts (SME)

58 Secure Software Development Lifecycle A Microsoft case study

59 Critical Components of Security: Creating Secure Applications
People, Process/SDL, Tools

60 People: Providing Developers with the Guidance to Create Secure Applications

61 MSDN Developer Security Center

62 Process/SDL: Security Cannot be an Afterthought

63 Security Development Lifecycle (SDL)
A PROCESS by which Microsoft develops software and defines security requirements and milestones
- Mandatory for products that are exposed to meaningful security risk
- Evolving, and new factors, such as privacy, are being added
*Steve Lipner, Director of Security Engineering Strategy, Microsoft

64 Baseline Process vs. SDL Integrated
*Steve Lipner, Director of Security Engineering Strategy, Microsoft

65 Accountability and Incentives
- Almost 40 percent of developers say that their companies do not think it is “very important” to write secure applications
- CIOs, CTOs, CSOs, and ITDMs say it is very important
- Current incentives are on performance and ship dates
- Must be driven top-down

66 Early Results of the SDL
Charts: Windows pre- and post-SDL critical and important security bulletins; SQL Server 2000 pre- and post-SDL security bulletins; Exchange Server 2000 pre- and post-SDL security bulletins

67 Tools: Visual Studio Team System Security Enhancements
Screenshot callouts: Hard to guess password!; Connecting as sysadmin; String concat for dynamic SQL; Telling the bad guy too much on failure

68 Summary
- People: Guidance, Training, Accountability
- Process
  - Security is an evolving challenge
  - The SDL process has proven effective at improving software security
  - As operating system security improves, attackers will move “up the stack”
  - Be ready to meet the challenge
- Tools: People cannot find all the defects

69 Application Lifecycle Phases
- Development
  - Secure development training
  - Develop secure applications
  - Testing applications in development
- QA
  - Testing for security bugs
- Production / Security
  - Validating systems are secure prior to going live
- Audit
  - Continued validation of production systems and processes
  - Establish remediation processes for production systems

70 Session Summary
- Anything sent by a user to a web server, including parameters, headers, cookies, etc. can be modified.
- Always validate input before using it or returning it to a user.
- Application development is by its nature prone to bugs. It is critical that applications be tested to verify the absence of parameter-based vulnerabilities.

71 Detecting Web Application Vulnerabilities: Manual vs. Automatic Testing
Manual:
- Time consuming
- Expensive
- Not repeatable
- Rely on third party individuals (penetration testers)
Automatic:
- High performance, automated web application assessment
- Cost effective
- Scalable throughout the entire application lifecycle
- Consistent high quality assessments
- Provides economy of scale (SPI Labs)
- Customizable (Custom Agents)

72 SPI Dynamics: Security Throughout the Application Development Lifecycle

73 Start Secure. Stay Secure.

74 Part Four: Closing and Q&A
- Q&A
- Break
- WebInspect Demo
- For a free 15 day trial of WebInspect please visit
