MSDN Events ("It's always better live.")
Securing Web Applications, Part 1 of 2: Understanding Threats and Attacks
Challenges When Implementing Security

Attackers vs. Defenders
- The attacker needs to understand only one security issue; the defender needs to secure every entry point
- The attacker has unlimited time; the defender works under time and cost constraints

Security As an Afterthought
- Developers and management often think that security adds no business value
- Addressing security issues just before a product is released is very expensive

Security vs. Usability
- Secure systems are harder to use
- Complex, strong passwords are hard to remember, so users prefer simple passwords
Agenda

A closer look at the top Web vulnerabilities (the Open Web Application Security Project, OWASP, Top Ten list):
- Cross Site Scripting
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access
Cross Site Scripting (XSS)

What is Cross Site Scripting?
- Exploits applications that echo raw, unfiltered input back into Web pages
- The malicious input is echoed back as part of the HTML, so the browser treats it as markup or script rather than as data
- Attack recipe: find a form field or query string parameter whose value is echoed into the page, put script in it, and get a user to navigate to the resulting page
- Lets the attacker execute script in the victim's browser, in the security context of the vulnerable site
- Consequences:
  - Hijack user sessions
  - Deface web sites or insert hostile content
  - Conduct phishing attacks
  - Take over the user's browser
Cross Site Scripting (XSS)

Three types of cross site scripting:
- Reflected
- Stored
- DOM-based
Cross Site Scripting (XSS): Reflected
- The page reflects user-supplied data from the request directly back to the user
- Occurs when the site does not encode or filter the content before displaying it
- The injected script runs in the victim's browser and can capture details such as session or authentication tokens, which the attacker can then reuse
Cross Site Scripting (XSS): Stored / Sticky XSS
- Hostile or unapproved data is stored in a file or a database and is served to every user who later views it
- Stored data is sometimes assumed to be inherently safe
- Internal attacks often exploit this assumption
- Especially dangerous for systems such as:
  - Content management systems
  - Blogs or forums
  - Any site that lets users see input entered by other users
Cross Site Scripting (XSS): DOM-based
- The page's own JavaScript is manipulated: it reads attacker-controlled data (for example from URL parameters or the fragment) and writes it into the rendered page
- Attacks can be a blend of several techniques and are generally carried out using JavaScript
- Allows the attacker to manipulate the rendered page by manipulating the DOM tree
- Can hijack form data
- Can occur without user interaction and without anything visible to the user
- Can use the XmlHttpRequest object (AJAX) to send captured data elsewhere
- Can compromise checkout information
Cross Site Scripting (XSS): Demo
- Discovery using the reflected method
- Using the stored or sticky method
- Non-persistent attack via
Cross Site Request Forgery (CSRF)

Simple and potentially devastating
- Forces a logged-on victim's browser to send a request to a vulnerable web application
- The application then performs the action on behalf of the victim
- Occurs when the application authorizes a request based solely on credentials the browser submits automatically, such as:
  - Session cookies
  - Basic authentication credentials
  - Source IP addresses
  - SSL client certificates
  - Windows domain credentials (integrated authentication)
Cross Site Request Forgery: Demo
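The standard countermeasure is to require something the browser does not send automatically: a per-session secret embedded in the legitimate form, which an attacker's page cannot read because of the same-origin policy. The following is an added example, not code from the MSDN deck; the session store, the transfer form and the request objects are constructed for illustration.

```python
"""Synchronizer-token defence against CSRF.

Added example (not from the MSDN deck). The in-memory session store, the
/transfer form and the Request objects are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Minted once per session with the OS CSPRNG; unguessable by design.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: dict   # sent automatically by the browser
    form: dict      # sent only if the submitting page put it there


SESSIONS = {}   # session id -> Session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def render_transfer_form(sid: str) -> str:
    """The legitimate page embeds the session's token in a hidden field."""
    token = SESSIONS[sid].csrf_token
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"> <input name="amount">\n'
        '</form>'
    )


def handle_transfer_vulnerable(req: Request) -> str:
    """Authorizes on the automatically-sent session cookie alone."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    return f"200 {session.user} sent {req.form['amount']} to {req.form['to']}"


def handle_transfer_safe(req: Request) -> str:
    """Also requires the per-session token, and only accepts POST for a
    state change so a plain <img src> cannot trigger it."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state changes must be POST"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison: the token must not be recoverable byte by byte.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return "403 CSRF token missing or wrong"
    return f"200 {session.user} sent {req.form['amount']} to {req.form['to']}"


def forged_request(sid: str) -> Request:
    """What an auto-submitting form on evil.example produces: the victim's
    browser attaches the sid cookie, but the attacker has no token."""
    return Request("POST", {"sid": sid}, {"to": "attacker", "amount": "1000"})


def legitimate_request(sid: str) -> Request:
    """A submission of the real form rendered above."""
    token = SESSIONS[sid].csrf_token
    return Request("POST", {"sid": sid},
                   {"to": "bob", "amount": "10", "csrf_token": token})


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable:", handle_transfer_vulnerable(forged_request(sid)))
    print("safe, forged:", handle_transfer_safe(forged_request(sid)))
    print("safe, legitimate:", handle_transfer_safe(legitimate_request(sid)))
```

The token is bound to the session, not to the user name, so a token captured from one session is useless against another; the XSS example earlier in the deck shows why the page must also be free of script injection, since injected script could read the hidden field.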
Injection Flaws

SQL injection flaws are common vulnerabilities
- Occur when external input is used to build database commands
- The supplied data changes the command being executed
- Can allow attackers to create, read, update or delete data
- Can potentially compromise the entire application
Injection Flaws: Example exploit

    SELECT COUNT(*) FROM Users WHERE User = 'User' AND Password = 'Password'

- The query is built by concatenating user-submitted values into the statement text
- Malicious input can be submitted in place of the user name, for example:

    ' or 1=1 --

  - the leading ' closes the preceding string literal in the SQL statement
  - or 1=1 makes the WHERE clause match every record in the table
  - -- comments out the remainder of the SQL statement, including the password check

- The statement actually executed becomes:

    SELECT COUNT(*) FROM Users WHERE User = '' or 1=1 --' AND Password = 'Password'
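The slide's exploit can be run for real against an in-memory SQLite database, which also makes the fix concrete: bind the values as parameters so the driver never re-parses them as SQL. The following is an added example, not code from the MSDN deck; the Users table and its two rows are constructed, and the query shape follows the slide's SELECT COUNT(*) FROM Users WHERE User = ... AND Password = ....

```python
"""SQL injection: string-built query vs. parameterised query, executed
against an in-memory SQLite database.

Added example (not from the MSDN deck). The Users table and its rows are
constructed; passwords are stored in clear text only to keep the
injection demonstration short.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (User TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Concatenates the submitted values into the statement text, exactly
    like the slide's example; quotes and comments in the input become SQL."""
    sql = (f"SELECT COUNT(*) FROM Users WHERE User = '{user}' "
           f"AND Password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Sends the statement and the values separately. The database compiles
    the statement first, so the values are only ever compared as data."""
    sql = "SELECT COUNT(*) FROM Users WHERE User = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


# The slide's payload: closes the string, matches every row, comments out
# the password check. In SQLite, as in SQL Server, '--' starts a comment.
BYPASS_ALL = "' or 1=1 --"

# A targeted variant: log in as a specific account with no password at all.
BYPASS_ALICE = "alice' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", login_vulnerable(conn, BYPASS_ALL, "anything"))
    print("vulnerable, as alice:", login_vulnerable(conn, BYPASS_ALICE, ""))
    print("safe, payload:", login_safe(conn, BYPASS_ALL, "anything"))
    print("safe, real creds:", login_safe(conn, "alice", "correct horse"))
```

Parameterisation is the fix for the values; it does not help when table or column names come from the user, which need a whitelist instead. Least-privilege database accounts (the web application cannot run the DDL and file-system procedures the demos that follow rely on) limit what a remaining flaw can reach.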
Injection Flaws: SQL Injection Demos
- Adding an admin account
- Compromising database table structure and data
- Defacing a website
Injection Flaws: Not limited to SQL
- LDAP, XPath, XXI and MX (mail) injection
- HTML injection (XSS)
- HTTP injection (HTTP response splitting)
Malicious File Execution
- Occurs when the application is tricked into executing commands or creating files on the server
- The system lets potentially hostile input reach file or stream functions, such as URLs or file system references (an include, open or download whose path comes from a request parameter)
- Can lead to arbitrary remote, hostile content being included or invoked by the server
- Allows remote code execution
- Can end in remote root access or complete system compromise
Insecure Direct Object Reference
- Occurs when an internal implementation object is exposed to the user, such as a:
  - File
  - Directory
  - Database record or key
  - URL
  - Form parameter
- These references can be manipulated if no access control check is in place
Insecure Direct Object Reference
- Applications expose internal objects to users
- Parameter tampering allows the references to be changed
- This violates the intended, but unenforced, access control policy
- Any exposed application construct could be vulnerable
- Code is attackable whenever user input determines the location of the object
- Input such as ../../../ can allow an attacker to traverse the file system
Insecure Direct Object Reference: Demo
- Accessing source code
- Accessing sensitive information
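Both the file-reference case from the Malicious File Execution slide and the record-key case from the Insecure Direct Object Reference slides come down to the same missing step: the server must validate the reference against a policy before using it. The following is an added example, not code from the MSDN deck; the throwaway document root, the files in it and the invoice ownership table are constructed for illustration.

```python
"""Insecure direct object references: a file name and a record id, each
first used raw and then checked against an access policy.

Added example (not from the MSDN deck). The document root, its files and
the INVOICES table are constructed for illustration.
"""
import os
import tempfile


def serve_file_vulnerable(doc_root: str, name: str) -> bytes:
    """Joins the user-supplied name onto the root; '../' walks back out."""
    with open(os.path.join(doc_root, name), "rb") as f:
        return f.read()


def resolve_under(doc_root: str, name: str) -> str:
    """Canonicalise the path and require it to stay inside doc_root.

    realpath follows symlinks and collapses '..', and os.path.join discards
    doc_root when name is absolute, so both escape routes end up here and
    fail the containment check.
    """
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes document root: {name!r}")
    return candidate


def serve_file_safe(doc_root: str, name: str) -> bytes:
    with open(resolve_under(doc_root, name), "rb") as f:
        return f.read()


# Constructed records: the key the URL exposes, with the owner stored alongside.
INVOICES = {
    101: {"owner": "alice", "total": "12.00"},
    102: {"owner": "bob", "total": "99.00"},
}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Looks the record up by the id in the URL; any logged-in user can
    change ?id=101 to ?id=102 and read someone else's invoice."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: str, invoice_id: int) -> dict:
    """Ownership check on every reference, not only on the listing page.
    Missing and forbidden get the same answer so ids cannot be enumerated."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise PermissionError("no such invoice for this user")
    return record


def demo_root():
    """Builds a temporary document root holding one public file, plus a
    'secret' file one level above it (what traversal reaches).
    Returns (doc_root, parent_dir)."""
    parent = tempfile.mkdtemp()
    root = os.path.join(parent, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(parent, "secret.txt"), "wb") as f:
        f.write(b"db password")
    return root, parent


if __name__ == "__main__":
    root, _ = demo_root()
    print(serve_file_vulnerable(root, "../secret.txt"))      # leaks the secret
    try:
        serve_file_safe(root, "../secret.txt")
    except PermissionError as e:
        print("blocked:", e)
    print(get_invoice_vulnerable("alice", 102))               # bob's invoice
```

Where possible, avoid exposing the raw key at all: hand the client an index into a per-session list of the objects it may see, or a random per-object identifier, and map it back on the server.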
Information Leakage and Improper Error Handling
- Applications can unintentionally leak information about their configuration or internal workings
- They can also leak state information
- Improper error handling exposes internal workings and implementation details:
  - Stack traces
  - Failed SQL statements
  - Other debugging information
- This information helps an attacker successfully exploit other vulnerabilities
- This is an extremely common error; in ASP.NET it happens when custom errors are not properly configured in web.config, so the detailed error page reaches remote users
Information Leakage and Improper Error Handling: Demo
- Too much information on login attempts
- Too much error information
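Both demo items have the same shape of fix: keep the detail on the server, and give the client a message that is the same whatever the cause. The following is an added example, not code from the MSDN deck; the failing data-layer call, the in-memory server log and the user table are constructed for illustration (in ASP.NET the equivalent switch is the customErrors setting the slide refers to).

```python
"""Error handling and login messages that do not leak implementation detail.

Added example (not from the MSDN deck). failing_query, SERVER_LOG and
USERS are constructed stand-ins for a data layer, a log file and a user
store.
"""
import traceback
import uuid

SERVER_LOG = []   # constructed stand-in for the server-side log


def handle_vulnerable(action):
    """Returns the exception text, and with it the SQL, the table name and
    the stack trace, straight to the client."""
    try:
        return 200, action()
    except Exception:
        return 500, "Error: " + traceback.format_exc()


def handle_safe(action):
    """Logs the full detail server-side under a reference id and returns
    only a generic message plus that id, so support can still find it."""
    try:
        return 200, action()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        SERVER_LOG.append(f"ref={ref}\n{traceback.format_exc()}")
        return 500, f"Something went wrong. Reference: {ref}"


def failing_query():
    """Constructed failure: the kind of message a broken data layer raises."""
    raise RuntimeError(
        "Incorrect syntax near ''' in "
        "SELECT * FROM tblUserAccounts WHERE login = 'x'' (server SQL01)")


# Constructed user store. Clear-text passwords only to keep the example
# short; real credentials are stored as salted, slow hashes.
USERS = {"alice": "correct horse"}


def login_message_vulnerable(user: str, password: str) -> str:
    """Two different failure messages tell an attacker which names exist."""
    if user not in USERS:
        return "Unknown user name"
    if USERS[user] != password:
        return "Wrong password"
    return "Welcome"


def login_message_safe(user: str, password: str) -> str:
    """One message for both failure causes."""
    if USERS.get(user) != password:
        return "Invalid user name or password"
    return "Welcome"


if __name__ == "__main__":
    print(handle_vulnerable(failing_query)[1])
    print(handle_safe(failing_query)[1])
    print(login_message_vulnerable("nobody", "x"), "/", login_message_vulnerable("alice", "x"))
    print(login_message_safe("nobody", "x"), "/", login_message_safe("alice", "x"))
```

The same rule applies to HTTP status codes and response timing: a 404 for unknown users and a 403 for wrong passwords, or a password check that is skipped when the user does not exist, leak the same bit the message would.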
Broken Authentication and Session Management
- Improper authentication and session management, such as:
  - Session identifiers produced by a predictable (non-cryptographic) pseudo-random generator
  - Failing to protect credentials and session tokens after login
- Can lead to hijacking of user or administrator accounts
- Undermines authorization and accountability controls
- Can cause privacy violations
Broken Authentication and Session Management
Generally the ancillary functions cause the problems, such as:
- Logout
- Password management
- Timeout
- Remember me
- Secret question
- Account update
Broken Authentication and Session Management: Demo
- Displaying others' profile information
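A session store that gets the basics right is short: ids from the operating system's CSPRNG, a fresh id issued at login, an idle timeout, and a logout that actually invalidates the id on the server. The following is an added example, not code from the MSDN deck; the two stores, the injectable clock and the user names are constructed for illustration, and WeakSessionStore exists only to show what the slide warns about.

```python
"""Session management: a deliberately weak store beside a sound one.

Added example (not from the MSDN deck). WeakSessionStore is constructed
to show the problems; SessionStore takes an injectable clock so expiry
can be demonstrated without waiting.
"""
import random
import secrets
import time


class WeakSessionStore:
    """Ids from a seeded, non-cryptographic PRNG (so two servers, or two
    restarts, hand out the same sequence), no expiry, no server-side logout."""

    def __init__(self):
        self._rng = random.Random(12345)
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = str(self._rng.getrandbits(32))   # 32 bits: enumerable
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)


class SessionStore:
    IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the session dies

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}    # sid -> {"user": ..., "last_seen": ...}

    def new_id(self) -> str:
        """256 bits from the OS CSPRNG; guessing is infeasible, so a plain
        dictionary lookup on the id is fine."""
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Issue a fresh id at the privilege change, so an id planted in the
        victim's browser before login (session fixation) never becomes an
        authenticated one."""
        self._sessions.pop(old_sid, None)
        sid = self.new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid: str):
        """Resolve the id, expiring it if idle too long."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        data["last_seen"] = self._clock()
        return data["user"]

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone leaves the id live."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print("weak ids repeat across instances:",
          WeakSessionStore().create("a") == WeakSessionStore().create("a"))
    store = SessionStore()
    sid = store.login(store.create_anonymous(), "alice")
    print("logged in as", store.user_for(sid), "with id", sid)
    store.logout(sid)
    print("after logout:", store.user_for(sid))
```

The cookie carrying the id still needs Secure and HttpOnly so that it is neither sent in clear text nor readable by injected script; that belongs to the Insecure Communications slide.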
Insecure Cryptographic Storage
- Correct use of data encryption tools is key to protection
- Flaws can lead to disclosure of sensitive data and compliance violations
- Some of the most common flaws:
  - Not encrypting sensitive data at all
  - Insecure use of strong algorithms
  - Use of weak or homegrown algorithms, a.k.a. "encraption"
  - Hard-coding keys in source, or otherwise failing to protect them
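The most common instance of this slide is stored passwords, where a fast, unsalted hash is the "encraption" in question. The following is an added example, not code from the MSDN deck; the user passwords and the environment variable name APP_PEPPER are constructed for illustration, and the key-loading helper shows the alternative to a hard-coded key.

```python
"""Credential storage: unsalted MD5 beside salted, slow PBKDF2, and a key
read from the environment instead of from source.

Added example (not from the MSDN deck). Passwords and the APP_PEPPER
variable name are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

# Raise until one verification costs on the order of 100 ms on your hardware;
# the record stores the count, so it can be increased later without migration.
DEFAULT_ITERATIONS = 600_000


def store_weak(password: str) -> str:
    """Unsalted MD5: identical passwords give identical hashes, and
    precomputed tables reverse common ones instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Random per-user salt + PBKDF2-HMAC-SHA256. The record carries its own
    algorithm, iteration count and salt: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def load_key_from_env(name: str = "APP_PEPPER", env=os.environ) -> bytes:
    """Keys belong in a secret store or the environment, never as a literal
    in source control. Fail closed rather than fall back to a default key."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} not set; refusing to start with a default key")
    return bytes.fromhex(value)


if __name__ == "__main__":
    print("weak:", store_weak("password"), "(same for every user with this password)")
    rec = store_strong("password")
    print("strong:", rec)
    print("verify ok:", verify_strong("password", rec),
          "wrong pw:", verify_strong("Password", rec))
```

For data that must be decrypted again (card numbers, tokens) the same principles apply with a real cipher: a vetted library, an authenticated mode, a fresh random nonce per record, and keys that live outside the code base.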
Insecure Communications
- Unencrypted traffic can be sniffed
  - An attacker on the network path can read the whole conversation
  - Potentially exposes sensitive information or credentials
  - Risks exposing the authentication or session token
- Traffic sniffers capture credentials or sensitive information; how exposed the traffic is varies by network
- A common flaw: not using SSL for every authenticated request, only for the login page
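Using SSL only for the login page leaves the session cookie to travel in clear text on every later request, and the cookie's own attributes decide whether the browser will do that. The following is an added example, not code from the MSDN deck: a small auditor for Set-Cookie headers plus the HSTS header that keeps the browser from ever falling back to HTTP; the header values are constructed for illustration.

```python
"""Transport protection for session cookies: audit a Set-Cookie header for
the attributes that keep the token off the wire in clear text, and build
the HSTS header.

Added example (not from the MSDN deck). WEAK and HARDENED are constructed
header values.
"""


def parse_set_cookie(header: str):
    """Returns (name, value, {attribute_lower: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Findings for a cookie that carries a session or authentication token."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; will be sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable by injected script")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict; sent on cross-site requests")
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs):
        findings.append(f"{name}: __Host- prefix requires Path=/ and no Domain")
    return findings


def hsts_header(max_age_days: int = 365, include_subdomains: bool = True) -> str:
    """Strict-Transport-Security: once seen over HTTPS, the browser rewrites
    http:// links to this host to https:// for max-age seconds."""
    value = f"max-age={max_age_days * 86400}"
    if include_subdomains:
        value += "; includeSubDomains"
    return f"Strict-Transport-Security: {value}"


# Constructed examples: what a "SSL for login only" site typically emits,
# and the same cookie hardened.
WEAK = "sid=abc123; Path=/"
HARDENED = "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for h in (WEAK, HARDENED):
        print(h)
        for finding in audit_set_cookie(h) or ["  ok"]:
            print("  " + finding)
    print(hsts_header())
```

Secure is the attribute this slide is about: without it the browser attaches the cookie to any http:// request for the site, including an image or redirect an attacker induces, and the token is sniffable regardless of how the login page was served.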
Failure to Restrict URL Access
- URL protection is generally based on authentication, but pages can still be reached if they are not secured properly
- Security by obscurity is not sufficient
- "Hidden" URLs that are only linked for certain users can be stumbled upon or discovered
- Client-side privilege checks (hiding links or buttons) are not access control; the check has to run on the server for every request
Failure to Restrict URL Access: Demo
- Security by obscurity
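What replaces obscurity is a server-side policy consulted on every request, matched against a normalised path and denying anything it does not list. The following is an added example, not code from the MSDN deck; the route table, roles and users are constructed for illustration, and render_nav shows the link-hiding that the slide says is not a control.

```python
"""Failure to restrict URL access: deny-by-default authorization enforced
on every request, against a normalised path.

Added example (not from the MSDN deck). ROUTE_POLICY and USERS are
constructed for illustration.
"""
import posixpath
from urllib.parse import unquote, urlsplit

PUBLIC = {"anonymous", "user", "admin", "auditor"}

# (path rule, roles allowed). A rule ending in '/' covers that directory
# and everything below it; '/' alone is the landing page only. Anything
# that matches no rule is denied.
ROUTE_POLICY = [
    ("/admin/", {"admin"}),
    ("/reports/", {"admin", "auditor"}),
    ("/account/", {"user", "admin", "auditor"}),
    ("/public/", PUBLIC),
    ("/", PUBLIC),
]

# Constructed users; None is the anonymous visitor.
USERS = {"alice": {"user"}, "root": {"admin"}, None: {"anonymous"}}


def roles_of(user):
    return USERS.get(user, {"anonymous"})


def normalize_path(raw_url: str) -> str:
    """Decode %-escapes and collapse '.', '..' and '//' before matching, so
    '/account/../admin/' or '/%61dmin/' cannot slip past a prefix rule."""
    path = unquote(urlsplit(raw_url).path) or "/"
    path = posixpath.normpath(path)
    return "/" + path.lstrip("/")


def rule_matches(path: str, rule: str) -> bool:
    if rule == "/":
        return path == "/"
    if rule.endswith("/"):
        return path == rule[:-1] or path.startswith(rule)
    return path == rule


def authorize(user, raw_url: str) -> bool:
    """Run for every request, not only for pages that have a link to them."""
    path = normalize_path(raw_url)
    for rule, allowed in ROUTE_POLICY:
        if rule_matches(path, rule):
            return bool(roles_of(user) & allowed)
    return False   # unlisted (setup pages, backups, old versions): denied


def render_nav(user) -> list:
    """Shows only the sections the user may enter. This is usability, not
    security: the server still calls authorize() on the request itself."""
    return [rule for rule, allowed in ROUTE_POLICY if roles_of(user) & allowed]


if __name__ == "__main__":
    print("alice sees:", render_nav("alice"))
    print("alice -> /admin/users:", authorize("alice", "/admin/users"))
    print("alice -> /account/../admin/users:", authorize("alice", "/account/../admin/users"))
    print("root  -> /admin/users:", authorize("root", "/admin/users"))
```

The deny-by-default line is what stops the demo's "stumbled upon" pages: a forgotten /setup page or a backup file is unlisted and therefore unreachable, instead of reachable by whoever guesses the name.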