Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web 2.0 Security James Walden Northern Kentucky University.

Published bySteven Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "Web 2.0 Security James Walden Northern Kentucky University."— Presentation transcript:

1 Web 2.0 Security James Walden Northern Kentucky University

2 Speaker Biography Assistant Professor at NKU Graduate certificate in Secure Software Eng. Minors in Infosec and Forensics. Papers & workshops in software security. Contributor to SANS/CWE Top 25 programming flaws. SANS GSSP secure programmer cert. OWASP/Fortify Open Source Review.

3 Why Target Web Apps?

4 Attack Surface A system’s attack surface consists of all of the ways an adversary can enter the system. Merchant’s Bank Building

5 Defender’s View firewall VPN wireless web server

6 History of Web Security YearTechnologySecurity 1993CGIFirewalls, SSL 1995PHP, JavascriptFirewalls, SSL 1997ASP, JSPFirewalls, SSL 2000SOAFirewalls, SSL 2006AJAXFirewalls, SSL

7 Firewalls and Web Apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp

8 SSL: injection attacks, XSS Firewall Port 443 HTTPS Traffic Web Client Web Server Application Database Server telnet ftp

9 Revised Attack Surface firewall VPN wireless external web server external web apps database

10 Intra-Security Assumptions Since the firewall protects you  Patches don’t have to be up to date.  Passwords don’t have to be strong.  There’s no need to be careful when you code.  There’s no need to audit your source code.  There’s no need to run penetration tests. But do your users have web browsers?

11 Javascript Malware Firewall Port 80 HTTP Traffic Web Server (Javascript malware)‏ Web Client telnet ftp Intranet Main Server Wiki Group Server

12

13 Malware Sources 1.Evil web site owner inserts in page. 2.Attacker inserts malware into defaced page. 3.Attacker inserts malware into a public comment or forum post (stored XSS.) 4.Attacker creates link that causes web site to echo malware to user (reflected XSS.)

14 Re-revised Attack Surface firewall VPN wireless external web server external web apps database internal web servers internal web apps

15 Web Applications firewall VPN wireless external web server external web apps database internal web servers internal web apps

16 Web App Vulnerabilities Input-based Security Problems Injection Flaws Insecure Remote File Inclusion Unvalidated Input Authentication and Authorization Authentication Access Control Cross-Site Attacks Other Bugs Error Handling and Information Leakage Insecure Storage Insecure Communications

17 SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

18 Cross-Site Scripting 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil site saves ID. 8. Attacker hijacks user session. 6. Page with injected code.

19 Feature Vulnerability Map Database interaction Displays user-supplied data Error messages File upload/download Login SQL injection. Cross-site scripting. Information leakage. Path traversal. Authentication, session management, access control flaws.

20 Web App Attack Surface form inputs HTTP headers URLs cookies

21 Traditional Web Apps HTTP Request (form submission)‏ HTTP Response (new web page)‏ Server processingUser waits HTTP Request (form submission)‏ User interaction HTTP Response (new web page)‏ User waits Server processing

22 AJAX Asynchronous Javascript & XML  User interacts with client-side Javascript.  Javascript makes asynchronous requests to server for data.  Continues to allow user to interact with application.  Updates when receives encoded data from server.

23 AJAX Applications Server processing User interaction Server processing Client-side Code HTTP request (asynchronous)‏ partial update HTTP Response (data)‏ partial updateHTTP request (asynchronous)‏ HTTP Response (data)‏ HTTP request (asynchronous)‏ HTTP Response (data)‏ partial update User interaction Server processing

24 Architecture Differences Traditional Application on server. Entire form sent to server. User fills in input items. Clicks on submit. Server returns new page. Presentation + Data. AJAX App on client and server. JavaScript receives user input, issues function calls to server when needed. Get map tile. Save location data. Server returns individual data items. JavaScript incorporates data items into existing page.

25 AJAX: More Entry Points Purchase Item downloadItem() debitAccount() getPrice()

26 Example Client-side Code var auth = checkPassword(user, pass); if (auth == false) { alert(‘Authentication failed.’); return; } var itemPrice = getPrice(itemID); debitAccount(user, itemPrice); downloadItem(itemID);

27 Client Side Data Use Firebug to modify variables. Modifying session state Set auth to true. Set itemPrice to $0.01, $0, -$1.00. Viewing sensitive data if (discountCode == “ HALF_OFF ” ) { window.location( “ discount_order.html ” ) ; }

28 Client Side Code Example Code (AJAX Security, p. 176) function sum(x,y) { var z = x + y; alert( “ Sum is “ + z); } Insert with Firebug to replace sum() in 5s: setTimeout( “ sum = function() { alert( ‘ hijacked! ’ ); } ”, 5000);

29 AJAX: More Client Data Web Server Database SQL Injection Web Server Database Intended Data Extra Data Selected Data Presentation (HTML) SQL Injection Intended Data Extra Data Selected Data Data (XML,JSON) Server returns XML/JSON full data for AJAX client to display. Server returns HTML page that displays desired data.

30 Client Data Vulnerability SQL Query SELECT * FROM USERS WHERE UID=<> Injected Query SELECT * FROM USERS WHERE UID=12345 UNION SELECT * FROM CREDITCARDS XML Data 12345 John Smith 4444-4444-4444-4444 01/01/2011

31 JSON var json = getItem() // json = “[ ‘Toshiba’, 499, ‘LCD TV’]” var item = eval(json) // item[0] = ‘Toshiba’ // item[1] = 499 // item[2] = ‘LCD TV’

32 JSON Injection Evil input: ‘];alert(‘XSS’);// var json = getItem() // json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//” var item = eval(json) // Alert box with ‘XSS’ appears. // Use json2.js validation library to prevent.

33 Client-Side State Storage Technologies Client-Side Storage Issues User can always modify client-side data. Cross-Domain Attacks (between subdomains). Cross-directory Attacks. Cross-port Attacks. Cookies DOM Storage (HTML5) Flash LSOs UserData (IE)

34 AJAX Attack Surface form inputs HTTP headers URLs cookies client-side code client-side state server API client-side data transforms

35 firewall VPN wireless external web server external web apps database internal web servers internal web apps client-side state form inputs HTTP headers URLs cookies client-side code server API client-side data transforms is nearly fractal. A site’s attack surface

36 Discussion Items Are organization’s security policies changing in response to Web 2.0? What are people currently doing to determine their attack surface? How do people select which elements of the attack surface to reduce first?

Download ppt "Web 2.0 Security James Walden Northern Kentucky University."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.

Similar presentations

Ads by Google