Top Ten Web Application Vulnerabilities

Web Application Security
Presented By
Allen Brokken
Principal Systems Security Analyst
GSEC, CSDA, CPTS
Overview
• Disclaimer
• Why Should I Care?
• Open Web Application Security Project
• OWASP Top Vulnerabilities
• Practice Sites
• MU SafeWeb Initiative
Disclaimer
• The information contained in this presentation is intended to be used
to educate developers about security vulnerabilities commonly found
in Web Applications.
• This presentation is not intended as training material for those with
malicious intent against information systems.
• Exploitation of the vulnerabilities listed in this presentation on
systems or applications not owned or developed by the viewer is
illegal in jurisdictions worldwide.
• It is a violation of the University of Missouri Acceptable Use policy to
transmit these exploits across the MU network without explicit
permission of the system or application owner they are directed at.
• The presenter is a trained professional, don’t try this at home…
Why Should I Care?
“[all users] were able to view individual
customers' orders for… items of intimate
apparel in which the retailer specializes.”
“One clever MySpace user … figured out
how to force others to become his friend …
In less than 24 hours, "Samy" had
amassed over 1 million friends …”
“… informed its members that their
credit card information might have been
compromised after a Chicago-based
hacker cracked the site's code…”
Why Should I Care?
• Common Misconceptions
– Aren’t I protected by firewalls or something?
– I thought you just needed to keep things
patched?
– I’m not using Microsoft, so I must be secure.
– Isn’t keeping me secure your job?
The Open Web Application Security Project
The Open Web Application Security Project (OWASP) is
dedicated to finding and fighting the causes of insecure
software.
They have chapters worldwide and manage multiple
projects designed to help individuals and organizations
increase the level of security of their applications.
http://www.owasp.org
OWASP TOP 10
#1 Unvalidated Input
Information from web requests is not
validated before being used by a web
application. Attackers can use these flaws
to attack backend components through a
web application.
OWASP TOP 10
#2 Broken Access Control
Restrictions on what authenticated users are
allowed to do are not properly enforced.
Attackers can exploit these flaws to
access other users' accounts, view
sensitive files, or use unauthorized
functions.
OWASP TOP 10
#3 Broken Authentication and Session Management
Account credentials and session tokens are not
properly protected. Attackers that can
compromise passwords, keys, session cookies,
or other tokens can defeat authentication
restrictions and assume other users' identities.
Brute Force Password Statistics

Length of   Character set
password    Lowercase   Lowercase letters   Both lowercase and   All printable
            letters     and digits          uppercase letters    ASCII characters
<=4         instant     instant             instant              2 min
5           instant     2 min               12 min               4 hours
6           10 min      72 min              10 hours             18 days
7           4 hours     43 hours            23 days              4 years
8           4 days      65 days             3 years              463 years
9           4 months    6 years             178 years            44530 years
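The table above follows directly from the keyspace formula: an alphabet of N symbols gives N^L candidate passwords of length L, and the worst-case time to try them all is that count divided by the guess rate. The script below is an added example, not from the presentation; it rebuilds the table at an assumed rate of 500,000 guesses per second (inferred from the table's own cells, e.g. 36^5 is about 60 million lowercase-and-digit passwords in about 2 minutes) and contrasts it with an assumed 10 guesses per second against a throttled login form, which is the defender's lever the table does not show.

```python
# Added example, not from the presentation. Rebuilds the brute-force table from
# the keyspace formula N**L and shows how the guess rate (the defender's lever:
# lockout and throttling) moves every cell. Both rates below are assumptions.
import math

CHARSETS = {                     # character-set sizes used by the table's columns
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case": 52,
    "printable ASCII": 95,
}
OFFLINE_RATE = 500_000  # guesses/s; assumed, inferred from the table's own cells
ONLINE_RATE = 10        # guesses/s; assumed for a throttled login endpoint


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def crack_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest whole unit, as the slide's table does."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{math.floor(seconds / size)} {name}"
    return "instant"


def build_table(rate: float = OFFLINE_RATE, lengths=range(5, 10)) -> dict:
    """{length: {charset name: humanized worst-case time}} for the given rate."""
    return {n: {name: humanize(crack_seconds(size, n, rate))
                for name, size in CHARSETS.items()} for n in lengths}


if __name__ == "__main__":
    for label, rate in (("offline", OFFLINE_RATE), ("online, throttled", ONLINE_RATE)):
        print(f"--- {rate:,} guesses/s ({label}) ---")
        for n, row in build_table(rate).items():
            print(n, "  ".join(f"{k}: {v}" for k, v in row.items()))
```

Run it to see that a five-character lowercase password, "instant" offline, takes about two weeks against a login form limited to ten attempts per second.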
OWASP TOP 10
#4 Cross Site Scripting (XSS) Flaws
The web application can be used as a
mechanism to transport an attack to an
end user's browser. A successful attack
can disclose the end user's session token,
attack the local machine, or spoof content
to fool the user.
OWASP TOP 10
#5 Buffer Overflows
Web application components in some
languages that do not properly validate
input can be crashed and, in some cases,
used to take control of a process. These
components can include CGI, libraries,
drivers, and web application server
components.
OWASP TOP 10
#5 Buffer Overflows cont.
[Diagram: a memory manager table with two allocations, "Your Code" at
#1148-#1248 and "Explorer.exe" at #1548-#5548, with free memory between them.
Your code expects 100 bytes of data; the attacker sends 200 bytes. The first
100 bytes fill #1148-#1248 and the remaining "Attack Code" is written past the
buffer into #1548-#1568, memory belonging to Explorer.exe.]
OWASP TOP 10
#6 Injection Flaws
Web applications pass parameters when they
access external systems or the local operating
system. If an attacker can embed malicious
commands in these parameters, the external
system may execute those commands on behalf
of the web application.
OWASP TOP 10
#7 Improper Error Handling
Error conditions that occur during normal
operation are not handled properly. If an
attacker can cause errors to occur that the
web application does not handle, they can
gain detailed system information, deny
service, cause security mechanisms to fail,
or crash the server.
OWASP TOP 10
#8 Insecure Storage
Web applications frequently use
cryptographic functions to protect
information and credentials. These
functions and the code to integrate them
have proven difficult to code properly,
frequently resulting in weak protection.
OWASP TOP 10
#9 Denial of Service
Attackers can consume web application
resources to a point where other legitimate
users can no longer access or use the
application. Attackers can also lock users
out of their accounts or even cause the
entire application to fail.
OWASP TOP 10
#10 Insecure Configuration Management
Having a strong server configuration
standard is critical to a secure web
application. These servers have many
configuration options that affect security
and are not secure out of the box.
Practice Sites
• Starfleet Academy
– http://academy.dyndns.org
• HACK This Site
– http://www.hulla-balloo.com/hack/level1/
• Next Generation Security Games
– http://quiz.ngsec.com/
• WebGoat
– http://www.owasp.org/software/webgoat.html
– Requires a Java Virtual Machine to be available on the local machine, and runs
from the local machine.
• HACME Bank / HACME Books
– http://www.foundstone.com
– Note that you will have to install these on a system on which you can run an
appropriate web server.
MU SafeWeb Initiative
• Objectives
– Applications development standards with an emphasis on security.
– Data classification policies.
– Secure server environments that support the defined data classifications.
– Auditing policies and processes to ensure adherence to the standards.
– Minimum training requirements for applications development, database
administration and server administration.
• Activities to date
– Faculty Collaboration Meeting
– Multiple one-off or guest lectures
– Multi-Media efforts
– Secure Coding Requirement Pilot
• Report Details
– Severity
– File Name(s)
– Summary
– Execution
– Implication
– Fix
– References
Management Console Look at Student Learning
Q&A
• SafeWeb Initiative
– http://safeweb.missouri.edu
• Application Security Software
– http://www.spidynamics.com
• Presenter Contact
– [email protected]
References
• Victoria's Secret reveals far too much
– http://cooltech.iafrica.com/technews/280300.htm
• Cross-Site Scripting Worm Hits MySpace
– http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
• Online political warriors savage opposition Web sites
– http://www.statesman.com/metrostate/content/metro/stories/07/14hackers.html