Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,"— Presentation transcript:

1 1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems, Inc. mnystrom@cisco.com

2 222 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom

3 333 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Why worry? Net worm using Google to spread “…uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread…” California reports massive data breach “…The compromised system had the names, addresses, phone numbers, social security numbers, and dates of birth of everyone who provided or received care.” Google bug exposes e-mail to hackers “…By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords....'' truckstop.com web application stolen by competitor “…Getloaded's officers also hacked into the code Creative used to operate its website.”

4 444 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Secure development stats Research conducted by MIT and @stake Fixing defects during development is 7 times cheaper than during testing ROI of fixing bugs Testing: 12% ROI Implementation: 15% ROI Design: 21% ROI

5 555 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom 95% of web apps have vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) Cookie poisoning (37 per cent) Database server (33 per cent) Web server (23 per cent) Buffer overflow (19 per cent) 95% of web apps have vulnerabilities

6 666 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom The goal of an attack Steal data Blackmail Beachhead for other attacks Bragging rights Vandalism Demonstrate vulnerability/satisfy curiosity Damage company reputation

7 777 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Security principles of web architecture Practice defense-in-depth Separate services Web server, app server, db server on separate hosts Limit privileges of application user File system (chroot or limit privs to read-only) Database system (limit privileges on tables, schemas, etc.) Privileges of running user (xxtomcat, apache, kobayashi, etc.) Hide secrets Database account passwords Encryption keys Use standard, vetted components, libraries Keep them patched Log, and watch logs for unusual activity Load-test and tune accordingly

8 888 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Example web environment Web server Web app transport DB App server (optional) Web client: IE, Mozilla, etc. HTTP reply (HTML, JavaScript, VBScript, etc.) HTTP request Clear- text or SSL Apache IIS Netscape etc. J2EE server ColdFusion Oracle 9iAS etc. Perl C++ CGI Java ASP PHP etc. ADO ODBC JDBC etc. Oracle SQL Server etc. InternetDMZProtected network Internal network AJP IIOP T9 etc.

9 999 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Web Application Security database firewall Securing the application Input validationSession mgmtAuthentication AuthorizationConfig mgmtError handling Secure storageAuditing/logging host apps firewall Securing the network Router Firewall Switch host apps host Web server App serverDB server Securing the host Patches/updatesAccountsPorts ServicesFiles/directoriesRegistry ProtocolsSharesAuditing/logging

10 10 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Example Web Application Web server Web app transport DB App server (optional) Web client: IE, Mozilla, etc. HTTP reply (HTML, JavaScript, VBScript, etc.) HTTP request Clear- text or SSL Apache IIS Netscape etc. J2EE server ColdFusion Oracle 9iAS etc. Perl C++ CGI Java ASP PHP etc. ADO ODBC JDBC etc. Oracle SQL Server etc. InternetDMZProtected network Internal network AJP IIOP T9 etc.

11 11 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Principles for secure coding Don’t trust input from user Watch for logic holes Leverage common, vetted resources Only give information needed Leverage vetted infrastructure & components Build/test to withstand load Expected load Potential DOS attack

12 12 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom OWASP Top 10 Web Application Security Vulnerabilities 1.Unvalidated input 2.Broken access control 3.Broken account/session management 4.Cross-site scripting (XSS) flaws 5.Buffer overflows 6.Injection flaws 7.Improper error handling 8.Insecure storage 9.Denial-of-service 10.Insecure configuration management http://www.owasp.org

13 13 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #1: Unvalidated Parameters Attacker can easily change any part of the HTTP request before submitting URL Cookies Form fields Hidden fields Headers Encoding is not encrypting Toasted Spam: http://www.toastedspam.com/decode64 Input must be validated on the server (not just the client). CoolCarts: http://www.extremelasers.com Countermeasures Code reviews (check variable against list of allowed values, not vice- versa) Don’t accept unnecessary input from user Store in session or trusted back-end store Sanitize input with regex

14 14 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #2: Broken Access Control Usually inconsistently defined/applied Examples Forced browsing past access control checks Path traversal File permissions – may allow access to config/password files Client-side caching Countermeasures Use non-programmatic controls Verify access control via central container Code reviews

15 15 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #3: Broken Account and Session Management Weak user authentication Password-only Easily guessable usernames (admin, etc.) Poorly implemented single sign-on (SSO) Weak resource authentication How are database passwords stored? Review trust relationships between hosts IP address can be spoofed, etc. Countermeasures Use vetted single sign-on and session mgmt solution Netegrity SiteMinder RSA ClearTrust Strong passwords Remove default user names Protect sensitive files

16 16 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #4: Cross-Site Scripting (XSS) Attacker… Inject code into web page that is then displayed to user in the browser Uses trusted application/company to reflect malicious code to end-user Can “hide” the malicious code w/unicode Vulnerable anywhere user-supplied data is redisplayed w/out input validation or output encoding 2 types of attacks: stored & reflected Can steal cookies, especially vulnerable on apps with form-based authentication Countermeasures Input validation White-listing: a-z, A-Z, 0-9, etc.) Black-listing: “ ( ) # &” Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38” Output encoding (htmlEncode output) Truncate input fields to reasonable length

17 17 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #5: Buffer Overflows Mostly affects web/app servers Can affect apps/libraries too Goal: crash the target app and get a shell Buffer overflow example echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 www.targetsystem.com Replace all those “a”s with something like this… char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…” Countermeasures Keep up with bug reports/patches Code reviews Run with limited privileges Use “safer” languages like Java

18 18 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #6: Injection Flaws Allows attacker to relay malicious code in form variables or URL System commands SQL Typical dangers Runtime.exec() to external programs (like sendmail) Dynamically concatenated SQL statements Examples Path traversal: “../ ” Add more commands: “ ; rm –r * ” SQL injection: “ ’ OR 1=1 ” Countermeasures Use prepared statements in SQL Avoid Runtime.exec() calls (use libraries instead) Run with limited privileges Filter/validate input

19 19 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #7: Error Handling Examples: stack traces, DB dumps Helps attacker know how to target the app Often left behind during programmer debugging Inconsistencies can be revealing “File not found” vs. “Access denied” Gives insight into source code Logic flaws Default accounts, etc. Good messages give enough info to user w/o giving too much info to attacker Countermeasures Code review Modify default error pages (404, 401, etc.) Log details to log files, not returned in HTTP request

20 20 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Error messages example

21 21 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #8: Insecure Storage Sensitive data such as credit cards, passwords, etc. must be protected Examples of bad crypto Poor choice of algorithm Poor randomness in sessions/tokens Storage locations must be protected Database Files Memory Countermeasures Store only what you must Store a hash instead of the full value if you can (SHA-1, for example) Use only vetted, public cryptography

22 22 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #9: Denial-of-service (DoS) Examples that may provoke DoS Heavy object allocation/reclamation Overuse of logging Unhandled exceptions Unresolved dependencies on other systems Web services Databases May impact other applications, hosts, databases, or network itself Countermeasures Load testing Code review

23 23 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #10: Insecure Configuration Management Tension between “work out of the box” and “use only what you need” Developers ≠ web masters Examples Unpatched security flaws (BID example) Misconfigurations that allow directory traversal Administrative services accessible Default accounts/passwords Countermeasures Create and use hardening guides Turn off all unused services Set up and audit roles, permissions, and accounts Set up logging and alerts

24 24 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Principles for secure coding Don’t trust input from user Watch for logic holes Leverage common, vetted resources Only give information needed Leverage vetted infrastructure & components Build/test to withstand load Expected load Potential DOS attack

25 25 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Tools used in this preso WebGoat –vulnerable web applications for demonstrationWebGoat VMWare – runs Linux & Windows 2000 virtual machines on demo laptop.VMWare nmap –host/port scanning to find vulnerable hostsnmap Ethereal – network traffic sniffingEthereal Metasploit Framework – exploit toolMetasploit Framework Brutus – password crackingBrutus Sleuth – HTTP mangling against web sitesSleuth

26 26 © 2004 Cisco Systems, Inc. All rights reserved. mnystrom #9: Remote Administration Flaws Problems Weak authentication (username=“admin”) Weak encryption Countermeasures Don’t place admin interface on same server Use strong authentication: certificates, tokens, strong passwords, etc. Encrypt entire session (VPN or SSL) Control who has accounts IP restrictions

Download ppt "1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,"

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
Web Services and Authentication

Web Services and Authentication
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si

Similar presentations

Ads by Google