Presentation is loading. Please wait.

Presentation is loading. Please wait.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks."— Presentation transcript:

1 It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks

2 Challenges When Implementing Security Attacker needs to understand only one security issue Defender needs to secure all entry points Attacker has unlimited time Defender works with time and cost constraints Attacker needs to understand only one security issue Defender needs to secure all entry points Attacker has unlimited time Defender works with time and cost constraints Attackers vs. Defenders Developers and management think that security does not add any business value Addressing security issues just before a product is released is very expensive Developers and management think that security does not add any business value Addressing security issues just before a product is released is very expensive Security As an Afterthought Security? Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Secure systems are more difficult to use Complex and strong passwords are difficult to remember Users prefer simple passwords Security vs. Usability

3 Agenda A Closer look at Top Web Vulnerabilities: Cross Site Scripting Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Information Leakage and Improper Error Handling Broken Authentication and Session Management Insecure Cryptography Insecure Communications Failure to Restrict URL Access Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007

4 Cross Site Scripting (XSS) What is Cross Site Scripting Exploit applications that echo raw, unfiltered input to Web pages Malicious code is echoed back into the HTML Find a field or query string parameter whose value is echoed to the Web page and put in malicious script and get a user to navigate to the page Allows attackers to execute scripts Can hijack user sessions Deface web sites or insert hostile content Conduct Phishing attacks Take over the user’s browsers

5 Cross Site Scripting (XSS) Three known types of cross site scripting Reflected Stored DOM Injection

6 Cross Site Scripting (XSS) Reflected A page will reflect user supplied data directly back to the user Occurs when a site does not filter content before displaying it Allows for hidden site details such as session or authentication structure to be captured and potentially utilized

7 Cross Site Scripting (XSS) Stored / Sticky XSS Stores hostile / non-approved data in a file or a database Sometimes assumed that stored data is inherently safe Internal attacks often exploit this assumption Dangerous to Systems such as: Content Management Systems Blogs or forums Sites that allow users to see input by other users

8 Cross Site Scripting (XSS) DOM based attacks JavaScript code is manipulated Attacks can be a blend of various attacks Generally carried out using JavaScript Allows hackers to manipulate the rendered page Manipulating the DOM tree Can allow Form Data Hijacking Can occur without user interaction in complete transparency Can utilize the XmlHttpRequest Object (AJAX) Can compromise checkout information

9 Cross Site Scripting (XSS) Cross Site Scripting Demo Discovery using Reflected Method Using Stored or Sticky Method Non-Persistent Attack via Email

10 Cross Site Request Forgery Simple and Potentially Devastating Forces a logged-on victim’s browser to send a request to a vulnerable web application Then performs an action on behalf of the victim Occurs when authorization is performed solely on automatically submitted credentials such as: Session cookies Basic authorization credentials Source IP Addresses SSL Certificates Windows domain credentials

11 Cross Site Request Forgery

12 Cross Site Request Forgery Demo

13 Injection Flaws SQL Injection flaws are common vulnerabilities Occurs when external input is used in database commands The supplied data changes the command being executed Can allow attackers to create, read, update or delete data. Can potentially compromise an entire application

14 Injection Flaws Example exploit: SELECT COUNT(*) FROM Users WHERE User = ‘User’ AND Password = ‘Password’ The query relies on user submitted information to perform the query Malicious code can be submitted such as Where input could be ‘or 1 = 1 -- ‘ closes preceding string in SQL statement or 1=1 matches every record in the table -- comments out the remainder of the SQL statement

15 Injection Flaws SQL Injection Flaw Demos Adding an Admin Account Compromising Database Table Structure and Data Defacing a Website

16 Injection Flaws Not limited to SQL Injection only LDAP, XPATH, XXI, MX(Mail) HTML Injection (XSS) HTTP Injection (HTTP Response Splitting)

17 Malicious File Execution Occurs when the application is tricked into executing commands or creating files on the server System allows potentially hostile input to be utilized with file or stream functions such as URLS or file system references Can lead to arbitrary remote and hostile content being included or invoked by server Allows for remote code execution Remote root installations or system compromises

18 Insecure Direct Object Reference Occurs when an internal implementation object is exposed such as a: File Directory Database Record or Key URL Form Parameter These can be manipulated if no access control check is in place

19 Insecure Direct Object Reference Applications expose internal objects to users Parameter Tampering allow references to be changed Can violate the intended but unenforced access control policy Any exposed application construct could be vulnerable Code can be attacked when user input is determining location of Object Using input parameters such as:../../…/ - can allow an attacker to traverse the file system

20 Insecure Direct Object Reference Insecure Direct Object Reference Demo Accessing Source Code Accessing Sensitive Information

21 Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration or internal workings They can leak state information Improper error handling exposes internal workings and implementation details Stack traces Failed SQL statements Other debugging information This Information can help a hacker successfully exploit other vulnerabilities This is an extremely common error and can occur if the web.config file is not properly configured

22 Information Leakage and Improper Error Handling Information Leakage and Improper Error Handling DEMO Too Much Info on Login Attempts Too Much Error Information

23 Broken Authentication and Session Management Improper authentication and session management Use of pseudo random session values Failing to protect credentials and session tokens after login Can lead to hijacking of user or admin accounts Undermine authorization and accountability controls Can cause privacy violations

24 Broken Authentication and Session Management Generally ancillary functions cause problems such as: Logout Password Management Timeout Remember me Secret question Account update

25 Broken Authentication and Session Management Broken Authentication and Session Management Demo Displaying Others Profile Information

26 Insecure Cryptographic Storage Correct use of data encryption tools is key to protection Flaws can lead to disclosure of sensitive data and compliance violations Some of the most common flaws include: Not encrypting sensitive data Insecure use of strong algorithms Usage of weak / homegrown algorithms A.K.A. “encraption” Hard coding keys or not protecting them

27 Insecure Communications Unencrypted traffic can be sniffed Can access conversation Potentially expose sensitive information or credentials Could risk exposing authentication or session token Traffic sniffers can access credentials or sensitive information Varies by network Not using SSL for each authenticated request

28 Failure to Restrict URL Access Generally URL protection is based on authentication Pages can still be accessed if not secured properly Security by obscurity is not sufficient Hidden URLS that are only available to certain users can be stumbled upon or discovered Client side privilege authentication

29 Failure to Restrict URL Access Failure to Restrict URL Access Demo Security by Obscurity

Download ppt "It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Web Security Overview Lohika ASC team 2009

Web Security Overview Lohika ASC team 2009
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google