November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Webgoat.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Apache Tomcat Server Typical html Request/Response cycle
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Workshop 3 Web Application Security Li Weichao March
Web Security Overview Lohika ASC team 2009
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
HTTP and Server Security James Walden Northern Kentucky University.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Penetration Testing James Walden Northern Kentucky University.
Web 2.0 Security James Walden Northern Kentucky University.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
06/10/2015AJAX 1. 2 Introduction All material from AJAX – what is it? Traditional web pages and operation Examples of AJAX use Creating.
Cross-Site Attacks James Walden Northern Kentucky University.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
Chapter 16 The World Wide Web. FIGURE 16.0.F01: A very, very simple Web page. Courtesy of Dr. Richard Smith.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Web2.0 Secure Development Practice Bruce Xia
What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
National College of Science & Information Technology.
UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Building Secure ColdFusion Applications
TOPIC: Web Security (Part-4)
World Wide Web policy.
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
James Walden Northern Kentucky University
Web Systems Development (CSC-215)
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Exploring DOM-Based Cross Site Attacks
Presentation transcript:

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Why Do Hackers Target Web Apps?

November 13, 2008 Ohio Information Security Forum History of Web Security YearTechnologySecurity 1993CGIFirewalls, SSL 1995PHPFirewalls, SSL 1997ASP, JSPFirewalls, SSL 2000REST, SOAFirewalls, SSL 2006AJAXFirewalls, SSL

November 13, 2008 Ohio Information Security Forum Attack Surface A system’s attack surface consists of all of the ways an adversary can enter the system. Merchant’s Bank Building

November 13, 2008 Ohio Information Security Forum Defender’s View of Attack Surface firewall VPN wireless web server

November 13, 2008 Ohio Information Security Forum Firewalls don’t protect Web Apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp

November 13, 2008 Ohio Information Security Forum SSL won’t stop injection attacks, XSS Firewall Port 443 HTTPS Traffic Web Client Web Server Application Database Server telnet ftp

November 13, 2008 Ohio Information Security Forum Revised View of Attack Surface firewall VPN wireless external web server external web apps database

November 13, 2008 Ohio Information Security Forum Intranet Security Assumptions Since the firewall protects you  Patches don’t have to be up to date.  Passwords don’t have to be strong.  There’s no need to be careful when you code.  There’s no need to audit your source code.  There’s no need to run penetration tests. But do your users have web browsers?

November 13, 2008 Ohio Information Security Forum Javascript Malware controls Clients Firewall Port 80 HTTP Traffic Web Server (Javascript malware)‏ Web Client telnet ftp Intranet Main Server Wiki Group Server

November 13, 2008 Ohio Information Security Forum

November 13, 2008 Ohio Information Security Forum Sources of Javascript Malware 1.Evil web site owner inserts in page. 2.Attacker inserts malware into defaced page. 3.Attacker inserts malware into a public comment or forum post (stored XSS.)‏ 4.Attacker creates link that causes web site to echo malware to user (reflected XSS.)‏

November 13, 2008 Ohio Information Security Forum Re-revised View of Attack Surface firewall VPN wireless external web server external web apps database internal web servers internal web apps

November 13, 2008 Ohio Information Security Forum Web Applications firewall VPN wireless external web server external web apps database internal web servers internal web apps

November 13, 2008 Ohio Information Security Forum Web Application Vulnerabilities Input-based Security Problems –Injection Flaws –Insecure Remote File Inclusion –Unvalidated Input Authentication and Authorization –Authentication –Access Control –Cross-Site Attacks Other Bugs –Error Handling and Information Leakage –Insecure Storage –Insecure Communications

November 13, 2008 Ohio Information Security Forum SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

November 13, 2008 Ohio Information Security Forum Cross-Site Scripting 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil site saves ID. 8. Attacker hijacks user session. 6. Page with injected code.

November 13, 2008 Ohio Information Security Forum Application Feature Vulnerability Map Database interaction Displays user-supplied data Error messages File upload/download Login SQL injection. Cross-site scripting. Information leakage. Path traversal. Authentication, session management, access control flaws.

November 13, 2008 Ohio Information Security Forum Web Application Attack Surface form inputs HTTP headers URLs cookies

November 13, 2008 Ohio Information Security Forum Traditional Web Applications HTTP Request (form submission)‏ HTTP Response (new web page)‏ Server processingUser waits HTTP Request (form submission)‏ User interaction HTTP Response (new web page)‏ User waits Server processing

November 13, 2008 Ohio Information Security Forum AJAX Asynchronous Javascript and XML  User interacts with client-side Javascript.  Javascript makes asynchronous requests to server for data.  Continues to allow user to interact with application.  Updates when receives encoded data from server.

November 13, 2008 Ohio Information Security Forum AJAX Applications Server processing User interaction Server processing Client-side Code HTTP request (asynchronous)‏ partial update HTTP Response (data)‏ partial updateHTTP request (asynchronous)‏ HTTP Response (data)‏ HTTP request (asynchronous)‏ HTTP Response (data)‏ partial update User interaction Server processing

November 13, 2008 Ohio Information Security Forum Architecture Differences Traditional Application on server. Entire form sent to server. –User fills in input items. –Clicks on submit. Server returns new page. –Presentation + Data. AJAX App on client and server. JavaScript receives user input, issues function calls to server when needed. –Get map tile. –Save location data. Server returns individual data items. JavaScript incorporates data items into existing page.

November 13, 2008 Ohio Information Security Forum Example Client-side Code var auth = checkPassword(user, pass); if (auth == false) { alert(‘Authentication failed.’); return; } var itemPrice = getPrice(itemID); debitAccount(user, itemPrice); downloadItem(itemID);

November 13, 2008 Ohio Information Security Forum JSON var json = getItem() // json = “[ ‘Toshiba’, 499, ‘LCD TV’]” var item = eval(json) // item[0] = ‘Toshiba’ // item[1] = 499 // item[2] = ‘LCD TV’

November 13, 2008 Ohio Information Security Forum JSON Injection Evil input: ‘];alert(‘XSS’);// var json = getItem() // json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//” var item = eval(json) // Alert box with ‘XSS’ appears. // Use json2.js validation library to prevent.

November 13, 2008 Ohio Information Security Forum Client-Side State Storage Technologies Client-Side Storage Issues User can always modify client-side data. Cross-Domain Attacks (between subdomains). Cross-directory Attacks. Cross-port Attacks. Cookies DOM Storage (HTML5) Flash LSOs UserData (IE)

November 13, 2008 Ohio Information Security Forum AJAX Application Attack Surface form inputs HTTP headers URLs cookies client-side code client-side state server API client-side data transforms

November 13, 2008 Ohio Information Security Forum firewall VPN wireless external web server external web apps database internal web servers internal web apps form inputs HTTP headers URLs cookies client-side code client-side state server API client-side data transforms is nearly fractal. A site’s attack surface

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.