Web Application Threats and Remediation
Terry Labach, IST Security Team
IST Security Team
WatITis | Strengthening Collaboration | December 8, 2009 | Web Application Threats and Remediation
The problem
- While we use firewalls and other means to prevent attackers from accessing our networks, we encourage access to our web sites, literally inviting miscreants to attack us
- Complex web application systems contain flaws that attackers can use for a variety of nefarious purposes
Risks
- Loss of confidential data
- Vandalism of web sites
- Financial theft
- Denial of service
- Spread of spam or viruses
- Damaged reputation
OWASP Top Ten for 2010
- A1 Injection
- A2 Cross Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross Site Request Forgery (CSRF)
- A6 Security Misconfiguration
- A7 Failure to Restrict URL Access
- A8 Unvalidated Redirects and Forwards
- A9 Insecure Cryptographic Storage
- A10 Insufficient Transport Layer Protection
SANS Institute
- PHP Remote File Include
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-site request forgeries (CSRF)
General principles
- Specify what is allowed, not what is forbidden
- Use software engineering best practices (no cowboy coders)
- Test applications fully
- Test environments must duplicate production environments
- Test bad input, not just good input
Trust no one
Example attacks
Failure to restrict URL access
- OWASP A6
- Includes elements of data leakage
- Attackers can access documents through URLs that should be protected
Preventing data leakage
- Permissions, server settings, .htaccess can help, but best to prevent unneeded files from being present at all
- Limit development to dedicated machines, publish only final files to production server
Cross-site scripting (XSS)
- OWASP A2
- Crafted URLs can allow scripts to be run by client's browser
- This can result in victims:
  - Having authentication credentials stolen
  - Being redirected to malicious web sites
Preventing cross-site scripting
- Sanitize all user input
- Remove meta-characters e.g. "'`<>
- Characters may be encoded, best to remove anything not obviously harmless (e.g. a-zA-Z0-9)
- Foreign language support allows pathway to inject meta-characters
- Validation must be done on server end, validation done in the browser (e.g. through JavaScript) can be bypassed
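To illustrate the slide's point that stripping meta-characters from raw input misses encoded forms, while a decode-then-allow-list check on the server does not, here is an added example (not from the presentation; the field names and the 32-character limit are assumptions):

```python
import html
import re
from urllib.parse import unquote

# Allow-list: only a-zA-Z0-9, bounded length (limit is an assumed policy)
ALLOWED = re.compile(r"^[A-Za-z0-9]{1,32}$")
# Deny-list of the meta-characters named on the slide
META = str.maketrans("", "", "\"'`<>")


def denylist_strip(raw: str) -> str:
    """Weak approach: delete known meta-characters from the raw value."""
    return raw.translate(META)


def denylist_then_decode(raw: str) -> str:
    """Shows the failure mode: URL-encoded '<' and '>' survive the strip
    and reappear once the value is decoded later in the pipeline."""
    return unquote(denylist_strip(raw))


def validate_allowlist(raw: str):
    """Server-side check: decode first, then accept only a-zA-Z0-9.
    Returns the clean value, or None if the input must be rejected."""
    decoded = unquote(raw)
    return decoded if ALLOWED.match(decoded) else None


def render_greeting(raw: str) -> str:
    """Validated value is still HTML-escaped at output time (defence in depth)."""
    name = validate_allowlist(raw)
    if name is None:
        return "<p>Invalid name</p>"
    return f"<p>Hello, {html.escape(name)}</p>"
```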
Broken Authentication
- OWASP A3
- Authentication of users can be faked or credentials stolen to allow access to resources
Preventing authentication theft
- Don't pass authentication information in hidden fields
SQL injection
- OWASP A1
- SQL commands are entered in user input fields
- If allowed as part of query to back-end database, can result in
  - data theft
  - manipulation or vandalism of data
Preventing injection attacks
- Sanitize user input
- Use appropriate data types and enumerations instead of text fields
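As an added example (not from the presentation), the string-concatenated query beside its parameterized form, plus the slide's advice on data types and enumerations; the users table and the SQLite in-memory database are constructed for illustration:

```python
import sqlite3

# Enumeration of permitted sort columns: never interpolate free text here
SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "alice@example.org"),
                     (2, "bob", "bob@example.org")])
    return con


def find_user_unsafe(con, name: str):
    """Vulnerable: the user's text becomes part of the SQL statement itself."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user(con, name: str):
    """Hardened: a placeholder keeps the value out of the statement text."""
    return con.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def get_user_by_id(con, raw_id: str):
    """Appropriate data type: anything that is not an integer is refused."""
    try:
        uid = int(raw_id)
    except (TypeError, ValueError):
        return None
    return con.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchone()


def list_users(con, sort_by: str):
    """Enumeration: column names cannot be bound as parameters, so they
    are checked against a fixed set before being placed in the query."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in con.execute(f"SELECT name FROM users ORDER BY {sort_by}")]
```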
Automated Vulnerability Scanning
- Hackers can perform vast numbers of typical attacks using automated processes to identify likely targets
- The good guys can do the same, and a number of vendors provide such solutions
- IBM AppScan selected after a lengthy evaluation process
- IST Security Team will provide web application scans as a service
IBM AppScan
Resources
- Security information
  - OWASP
    www.owasp.org
  - SANS Institute (SysAdmin, Audit, Network, Security)
    www.sans.org
  - Jeremiah Grossman
    www.whitehatsec.com/home/resource/grossman.html
Resources
- Vendors
  - IBM (AppScan)
    www.ibm.com/software/awdtools/appscan/
  - Cenzic (Hailstorm)
    www.cenzic.com
  - HP (WebInspect)
    www.hp.com
  - WhiteHat
    www.whitehatsec.com
Questions and Comments