Copyright © 2008, CIBER Norge AS
Web Application Security
Nina Ingvaldsen, 22nd October 2008


Agenda
- Defining security
- Vulnerabilities
- Threats
- Risk analysis
- Example
- Summary

Defining security
Authentication is the process of verifying the claimed identity of the clients (both users and systems) of your applications and services.
Confidentiality is the assurance that data remains private: it cannot be viewed by unauthorized users or eavesdroppers.
Integrity is the guarantee that data is protected from unauthorized modification.
Availability is the ability of authorized users to use the information or resource when they need it.

Core terms
Asset: a resource of value, such as the data in a database or on the file system, or a system resource.
Threat: a potential occurrence, malicious or otherwise, that may harm an asset.
Vulnerability: a weakness that makes a threat possible.
Attack: an action taken to harm an asset, typically by exploiting a vulnerability.
Countermeasure: a safeguard that addresses a threat and mitigates a risk.

Vulnerabilities
- Unvalidated input
- Cross site scripting flaws (XSS)
- SQL injection
- Buffer overflow
- Broken authentication and session management
- Broken access control
- Improper error handling
- Insecure storage

Unvalidated input
Attackers may exploit vulnerabilities to attack back-end components through a web application. Every part of the HTTP request (URL, query string, headers, cookies, form fields and hidden fields) is under the client's control, so attackers tamper with any of them to try to bypass the site's security mechanisms.
Countermeasures
- Validate all input (both user and system input) on the server, against an allow-list of what the application expects; checks that run in the browser can be bypassed.

Cross site scripting flaws (XSS)
Cross-site scripting occurs when input from one user is written into a page unencoded and later interpreted by another user's browser as markup or script, which then runs with that user's session.
Countermeasures
- Validate headers, cookies, query strings, form fields and hidden fields.
- Convert specific characters (at least <, >, &, " and ') in all generated output to the appropriate HTML entity coding for the context into which the data is inserted.
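The countermeasures on the unvalidated-input and XSS slides above, as an added Python example that is not part of the original presentation: a server-side allow-list check for a username field, and HTML entity encoding of output in two contexts (element body and quoted attribute). The field name, the allow-list pattern and the payloads are assumptions chosen for illustration.

```python
import html
import re

# Allow-list for a username field (an assumption for this example): only the
# characters the application actually needs. Anything else is rejected rather
# than "cleaned up", because cleaning is where bypasses hide.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    """Server-side validation against the allow-list. Client-side checks are a
    convenience for the user, not a security control: the request can be edited."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the input into the HTML body unchanged: an XSS flaw whenever
    `name` came from a request parameter or from another user's stored data."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Encodes <, >, &, " and ' as HTML entities before output, so the browser
    displays the text instead of interpreting it as markup or script."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_input_value(value: str, quote: bool = True) -> str:
    """Attribute context. html.escape(value, quote=False) only encodes <, > and &,
    which is not enough inside a quoted attribute: a double quote in the input
    closes the attribute and lets the attacker append an event handler."""
    return f'<input type="text" value="{html.escape(value, quote=quote)}">'
```

The check is on the server and the encoding is applied at output time, in the function that knows the context; encoding at input time breaks data that is later used somewhere other than HTML (a database, a log line, a JSON response).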

SQL injection
User: Username: Marcus, Password: Safari
Query: SELECT * FROM Users WHERE username = 'Marcus' AND password = 'Safari'
Attacker: Username: ' or 1=1--
Query: SELECT * FROM Users WHERE username = '' or 1=1--' AND password = ''
The attacker's quote closes the string literal, "or 1=1" makes the condition true for every row, and "--" turns the rest of the statement, including the password check, into a comment.
Countermeasures
- Never pass detailed error messages to the client.
- Use parameterized queries (prepared statements), so that input is sent to the database as data and is never concatenated into the SQL text.
- Validate or escape every meta character before passing data on to subsystems.
Note that converting characters to HTML entity coding, the XSS countermeasure, protects the browser and does nothing for the database; it is not a defence against SQL injection.
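The slide's login query carried through in runnable form, as an added example that is not part of the original presentation: a sqlite3 in-memory Users table holding the slide's sample user (constructed data), the concatenated query the slide shows, and the parameterized version that turns the same input into a harmless literal. The plain-text password column mirrors the slide's query; a real system stores a salted hash instead.

```python
import sqlite3


def make_users_db() -> sqlite3.Connection:
    """Constructed sample table for this example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Marcus', 'Safari')")
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """String concatenation, exactly what the slide's example does: the input
    becomes part of the SQL text, so quotes and comment markers in it are
    parsed as SQL."""
    return ("SELECT * FROM Users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_query_vulnerable(username, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders: the driver sends the values separately from the statement,
    so the statement's structure is fixed before the input is ever seen."""
    row = conn.execute(
        "SELECT * FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None
```

With the parameterized query the attacker's string is compared, as a whole, against the username column; no row has the username "' or 1=1--", so the login fails. Escaping the input would also block this particular payload, but placeholders remove the whole class of problem instead of one symptom.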

Buffer overflow
A buffer overflow is a flaw that lets an attacker alter the flow of an application by overwriting parts of memory. It is a common software flaw that might result in an error condition. The condition occurs when data written to memory exceeds the allocated size of the buffer, so that whatever lies next to the buffer (other variables, or a saved return address) is overwritten.
Countermeasures
- Validate input, in particular its length, before copying it into a fixed-size buffer.
- Use memory-safe languages whose runtime bounds-checks every access, so that ordinary application code cannot overflow a buffer.

Broken authentication and session management
Authentication and session management covers all aspects of handling user authentication and managing active sessions. Solid authentication mechanisms may be undermined by flawed credential management functions, including the forgot-password feature, password change, account update and other related functions.
Countermeasures
- Design a robust and secure authentication and session management scheme, and enforce it consistently.
- Store passwords as salted, slow hashes (never in plain text, and not reversibly encrypted), and transfer credentials and session identifiers only over SSL/TLS.
- Send credentials with POST rather than GET, so that they do not end up in URLs, browser history, proxy logs and Referer headers.
- Generate session identifiers from a cryptographic random generator, and invalidate them on logout and after a period of inactivity.

Broken access control
Access control is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what authenticated users are allowed to do.
Countermeasures
- Thoroughly plan the access control scheme, and enforce it on the server for every request; hiding a link or button in the user interface is not a control.
- Keep in mind the principle of least privilege.
- Review logs to spot potential attempts to break the access control scheme.
- Make users aware that they must not leave their computers unlocked when leaving their workstation.

Improper error handling
When detailed internal error messages are displayed to the user, they reveal implementation details that should always be kept from outsiders. The messages give important clues about potential flaws in the site: a database error, for instance, tells the attacker that injected input reached the query, and often names the table. Through improper error handling an attacker can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
Countermeasures
- Create a policy on how to handle errors: what information to give to the user (a generic message and a reference number) and what to log on the server (the full detail, under the same reference).
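The error-handling policy from the slide above as an added Python example, not code from the presentation: the client receives a generic message and an opaque reference, while the exception detail is written to the server log under that reference. The in-memory log buffer stands in for a real log file and is an assumption made here so the example runs offline.

```python
from __future__ import annotations

import logging
import secrets

LOG_BUFFER: list[str] = []  # stand-in for the server log file in this example


class _BufferHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_BUFFER.append(self.format(record))


log = logging.getLogger("webapp.errors")
log.setLevel(logging.ERROR)
log.addHandler(_BufferHandler())
log.propagate = False  # keep the example's output in LOG_BUFFER only


def error_response_improper(exc: Exception) -> dict:
    """What improper handling leaks: the raw exception text, which for a
    database error typically includes the table name and the failing SQL."""
    return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}


def error_response_policy(exc: Exception) -> dict:
    """Policy applied: generic message plus a random reference for the client;
    full detail (type, message, traceback) to the server log under the same
    reference, so support can correlate a user's report with the log entry."""
    reference = secrets.token_hex(8)
    log.error("ref=%s type=%s detail=%s", reference, type(exc).__name__, exc, exc_info=exc)
    return {"status": 500, "error": "An internal error occurred.", "reference": reference}
```

The reference is random rather than a counter so that it reveals nothing about how many errors the site has produced, and the handler is installed once at start-up rather than per request.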

Insecure storage
Applications need to store sensitive information such as passwords, credit card numbers, account records or proprietary information, either in a database or somewhere on a file system. Encryption is used to protect this information. Although encryption has become easier to implement and use, developers still make mistakes when integrating it into applications: keys stored next to the data or hard-coded in the application, home-made algorithms, and secrets that did not need to be stored at all.
Countermeasures
- Store sensitive information encrypted, with the keys kept separate from the data. Passwords are the exception: they only need to be verified, never recovered, so store a salted hash rather than an encrypted copy.
- Use a well-tested public library when you need an encryption algorithm; do not write your own.
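The password-storage and session-management advice on the authentication slide and the insecure-storage slide above, as one added Python example that is not part of the original presentation: a salted, iterated password hash with constant-time verification, and a server-side session store whose identifiers come from the OS random generator and expire. The iteration count, the session lifetime and the explicit `now` parameter (passed in so the expiry logic can be exercised without waiting) are choices made for this example, not values from the slides.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune so one check costs ~100 ms


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, iterated hash. Hashing rather than encrypting means there is no
    key to steal: a leaked table still forces the attacker to guess each
    password, and the per-user salt prevents a single precomputed table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, ttl_seconds: int = 15 * 60) -> None:
        self.ttl = ttl_seconds
        self._sessions: dict[str, tuple[str, float]] = {}

    def create(self, username: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG. Never derive a session id from the user
        # name, a counter or the clock: all of those an attacker can predict.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.ttl)
        return token

    def lookup(self, token: str, now: float | None = None) -> str | None:
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired ids must stop working server side
            return None
        return username

    def destroy(self, token: str) -> None:
        """Logout invalidates on the server, not merely by deleting the cookie."""
        self._sessions.pop(token, None)
```

The token is only ever sent over SSL/TLS, in a cookie the browser will not expose to script; what this block shows is the server-side half, where the identifier is generated, checked and thrown away.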

Threats
- Spoofing
- Tampering with data
- Tapping communication
- Repudiation
- Information disclosure
- Denial of Service (DoS)

Spoofing
Spoofing is an attempt to access a system using a false identity. This can be done in several ways, for example with user credentials stolen through phishing.
Countermeasures
- Phishing: make users aware of the threat.
- Strong authentication (a second factor), so that a stolen password alone is not enough.

Tampering with data
Tampering is unauthorized modification of data. It usually takes place while the data flows over a network between computers. Once data has been tampered with, it is compromised.
Countermeasures
- Integrity protection: message authentication codes or digital signatures over the data. An unkeyed hash on its own is no protection, since the attacker can simply recompute it for the modified data.
- Strong authorization.

Tapping communication
Tapping is unauthorized eavesdropping on, or traffic analysis of, messages flowing over a network. Tapped data loses confidentiality, not integrity: the attacker reads it without changing it.
Countermeasures
- Encryption, of the link (SSL/TLS) or of the data itself.

Repudiation
Repudiation is a user, legitimate or not, denying that he or she performed specific actions or transactions.
Countermeasures
- Digital signatures
- Time stamps
- Audit logs that record who did what, stored where the user cannot alter them

Information disclosure
Information disclosure is unwanted exposure of private data. A user may, for instance, view the content of a table or file he or she is not supposed to open, or monitor data passed in plain text over a network.
Countermeasures
- Strong authorisation
- Strong encryption
- Secure communication links (SSL/TLS)
- Avoid storing secrets, e.g. passwords, in plain text
- Do not leave "old" files (backups, editor copies, unused scripts) reachable from the Internet

Denial of Service (DoS)
A Denial of Service (DoS) attack is when an attacker attempts to stop legitimate users from accessing a service or information. This is done by flooding the network with useless traffic, provoking lock-outs of user accounts, flooding accounts, and so forth.
Countermeasures
- Bandwidth throttling
- Install and maintain antivirus software and firewalls
- Keep addresses safe; do not expose them unnecessarily
- Make users enter secret personal information when ordering a new password
- Use increasing time delays instead of locking accounts when a user enters a wrong password several times; a lock-out lets an attacker deny service to any user whose name he knows
- Use load balancing to make a potential attack more difficult to perform

Risk analysis (DREAD)
D = Damage potential: how great is the damage if the vulnerability is exploited?
R = Reproducibility: how easy is it to reproduce the attack?
E = Exploitability: how easy is it to launch an attack?
A = Affected users: as a rough percentage, how many users are affected?
D = Discoverability: how easy is it to find the vulnerability?
- Each element is rated high (3), medium (2) or low (1), so the total lies between 5 and 15.
- Total score of 12-15 equals high risk
- Total score of 8-11 equals medium risk
- Total score of 5-7 equals low risk

Example, part I
Threat/Vulnerability        D  R  E  A  D  Sum  Risk
Information disclosure      -  -  -  -  -   -   High
SQL-injections              2  1  1  2  2   8   Medium
JavaScript                  1  1  1  1  3   7   Low
Cross-site scripting (XSS)  -  -  -  -  -   -   Medium
Manipulation of sessions    1  2  2  3  1   9   Medium
Brute-force                 -  -  -  -  -   -   High
Denial of Service (DoS)     -  -  -  -  -   -   High
Elevation of privileges     -  -  -  -  -   -   High
Broken links                1  1  1  1  2   6   Low
Password autocomplete       1  1  1  2  2   7   Low
(For the rows marked "-" only the risk level survives; the individual ratings were not preserved.)

Example, part II
Implemented countermeasures:
- Strengthen the password regime
- Remove portlets not in use
- Make URLs that reveal content about web services, JSP files and other system files unavailable

Example, part III
Threat/Vulnerability        D  R  E  A  D  Sum  Risk
Information disclosure      1  2  1  1  1   6   Low
SQL-injections              1  2  1  2  1   7   Low
JavaScript                  1  1  1  1  3   7   Low
Cross-site scripting (XSS)  1  3  1  1  1   7   Low
Manipulation of sessions    1  1  1  2  1   6   Low
Brute-force                 1  1  1  3  1   7   Low
Denial of Service (DoS)     1  1  1  3  1   7   Low
Elevation of privileges     1  1  2  1  2   7   Low
Broken links                1  1  1  1  2   6   Low
Password autocomplete       1  1  1  2  2   7   Low
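The DREAD scoring rules from the risk analysis slide and the before/after tables of the example, as an added Python example that is not part of the original presentation. The "before" data holds only the rows of part I whose ratings are legible; the "after" data is the full part III table. The validation of the 1..3 range and the `compare` function are additions made here.

```python
from __future__ import annotations

RATING = {"low": 1, "medium": 2, "high": 3}


def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> int:
    """Sum of the five elements, each rated 1 (low), 2 (medium) or 3 (high)."""
    elements = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(e not in (1, 2, 3) for e in elements):
        raise ValueError("each DREAD element must be rated 1, 2 or 3")
    return sum(elements)


def risk_level(score: int) -> str:
    """Bands from the slides: 5-7 low, 8-11 medium, 12-15 high."""
    if 12 <= score <= 15:
        return "High"
    if 8 <= score <= 11:
        return "Medium"
    if 5 <= score <= 7:
        return "Low"
    raise ValueError(f"score {score} is outside the 5..15 range")


def assess(threats: dict[str, tuple[int, int, int, int, int]]) -> dict[str, tuple[int, str]]:
    """Score and band every threat in the table."""
    result = {}
    for name, ratings in threats.items():
        score = dread_score(*ratings)
        result[name] = (score, risk_level(score))
    return result


def compare(before: dict[str, tuple[int, int, int, int, int]],
            after: dict[str, tuple[int, int, int, int, int]]) -> dict[str, tuple[str, str]]:
    """Risk level before and after countermeasures, for threats present in both tables."""
    b, a = assess(before), assess(after)
    return {name: (b[name][1], a[name][1]) for name in before if name in after}


# Ratings copied from the example slides (part I where legible, and part III).
BEFORE = {
    "SQL-injections": (2, 1, 1, 2, 2),
    "JavaScript": (1, 1, 1, 1, 3),
    "Manipulation of sessions": (1, 2, 2, 3, 1),
    "Broken links": (1, 1, 1, 1, 2),
    "Password autocomplete": (1, 1, 1, 2, 2),
}
AFTER = {
    "Information disclosure": (1, 2, 1, 1, 1),
    "SQL-injections": (1, 2, 1, 2, 1),
    "JavaScript": (1, 1, 1, 1, 3),
    "Cross-site scripting (XSS)": (1, 3, 1, 1, 1),
    "Manipulation of sessions": (1, 1, 1, 2, 1),
    "Brute-force": (1, 1, 1, 3, 1),
    "Denial of Service (DoS)": (1, 1, 1, 3, 1),
    "Elevation of privileges": (1, 1, 2, 1, 2),
    "Broken links": (1, 1, 1, 1, 2),
    "Password autocomplete": (1, 1, 1, 2, 2),
}
```

One property of the equal-weight sum is worth knowing before relying on it: a single element rated high cannot lift an otherwise low item out of the "Low" band (3 + 4 × 1 = 7), so a rare but catastrophic damage potential is averaged away. Teams that want that case to stand out either weight the damage element or treat a high damage rating as a gate on its own.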

Summary
- Validate input
- Fail securely
- Keep it simple
- Use and reuse trusted components
- Defence in depth
- Secure the weakest link
- Practice the principle of least privilege
- Practice compartmentalization
- Limit cache usage
- Awareness
Focus on security throughout the entire development process.

More information and tools
Information
- (guidelines and lists of threats and vulnerabilities)
- (developing and distributing best practice and standards for secure web development)
- (list of tools)
Tools for testing security
- Tamper Data (Firefox): a browser add-on for viewing and modifying HTTP/HTTPS request headers and POST parameters before they are sent
- Paros: for evaluating security in a web application. All HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified
- WebScarab: a web application vulnerability assessment suite including proxy tools
- WebGoat: an interactive training and benchmarking tool in which users learn about web application security in a safe and legal environment
- Acunetix: a scanning tool for revealing vulnerabilities in applications

Questions?