1. Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004

2. Top 5 ● Top 5 vulnerabilities (src: http://software.newsforge.com/software/04/09/17/ 1527247.shtml?tid=78&tid=48) – SQL insertion – Cross Site Scripting (CSS/XSS) – Session management – Default/misconfigurations – Dangerous HTTP methods

3. SQL insertion ● Problem: Trusting input from client, and passing it on to a SQL server. ● E.g. : SELECT userid FROM tblusers WHERE user = ‘bleh’; EXEC master..xp_cmdshell “cmd.exe /c …”;-- ‘ AND pass = ‘password’

4. SQL insertion Form fields, URL parameters, cookies, and HTTP headers are all valid input vectors. Solution: Define acceptable data and make it as restrictive as possible. If input data is invalid then it should be rejected.

5. Cross Site Scripting ● Problem: a Web application accepts scripting commands as input, and returns them. – The script seems to appear to originate from the vulnerable server, which the user trusts, and gives it access to all the user's cookie and session information. ● Example: http://mywebsite.com/login.jsp?msg= alert() ● Solution: Do not reflect values obtained as input back to the browser.

6. Session management problems ● Problem: the state between your browser and the Web site. – Used to track who are logged in and their access privileges. ● Attackers can access restricted pages without proper authorization, or manipulate session variables to gain access to other users' accounts. – e.g. manipulating parameters in the URL

7. Session management problems ● Sessions should always be maintained on the server side. – Don't trust cookies and client-side session values – Always use a strong unique identifier instead of an integer, email address or account number/name. ● Check for a valid session on each restricted access page whenever the page is requested.

8. Session management problems ● javascript shopping carts – price is often embedded in html code – 3. party money collector – it is possible to change the price (get stuff cheaper...)

9. Default/misconfigurations (Sample apps/dir listings) ● configuration and installation problems. ● provides an attacker with a starting point for breaking into the server: – sample applications that are installed by default – directory listings and permissions – default software features and configurations – log and swap files

10. Default/misconfigurations ● Sample applications that are installed by default can contain information. ● Disclosing scripts that may reveal Web site source code. ● Directory listings can reveal files. ● Default software features may have exploitable bugs. ● Log files and swap files can be left over from developers editing Web application pages.

11. Dangerous HTTP commands ● PUT, DELETE, WebDAV ● PUT: upload a script ● DELETE: delete all the content of a site – DoS ● WebDAV: methods have been used to perform buffer overflows on Windows servers.

12. Dangerous HTTP commands cont. ● To test the PUT method, use a tool like curl to attempt a file upload: curl -T test.html www.mysite.comwww.mysite.com – try to access the file ● To test the DELETE method, telnet to the Web server and issue the command: DELETE / HTTP/1.0

14. Conclusion ● Security problems are caused by errors: – configuration errors – programming errors – misplaced trust (e.g. in user input) ● Cryptography is failing to protect – or.. not the final answer ● Awareness and theaching