Web Application Security

Contributed By – Kiran Maraju
What is a Web Application?
• Every company has a web presence, and firewalls permit traffic to web applications, which are commonly used for the public web site, webmail, e-commerce and integrated portal systems such as supply chain or B2B commerce
• An application is generally a collection of scripts that reside on a web server
• A web application interacts with databases or other sources of dynamic content
• Web application vulnerabilities are easy targets for attackers: connections to them on the HTTP/HTTPS ports are permitted by firewalls, and a vulnerability in the application gives attackers access to confidential business information
• Web application vulnerabilities generally stem from improper handling of client requests and/or lack of input validation
• Web applications process data elements taken from within HTTP requests
• Most applications fail to track how each data element was captured (query string, form field, cookie, header), so it is difficult to know what kind of validation and sanity checking to apply
• OWASP has published its Top 10 web application vulnerabilities for 2007
OWASP Top 10
• A1 - Cross Site Scripting (XSS)
– XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
• A2 - Injection Flaws
– Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
• A3 - Malicious File Execution
– Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
• A4 - Insecure Direct Object Reference
– A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
• A5 - Cross Site Request Forgery (CSRF)
– A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
OWASP Top 10 (cont.)
• A6 - Information Leakage and Improper Error Handling
– Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or to conduct more serious attacks.
• A7 - Broken Authentication and Session Management
– Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
• A8 - Insecure Cryptographic Storage
– Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
• A9 - Insecure Communications
– Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
• A10 - Failure to Restrict URL Access
– Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by requesting those URLs directly.
Two Common Vulnerabilities: SQL Injection & XSS

• SQL injection stems from developers building SQL queries by concatenating user input into the query text; "stripping" potentially dangerous characters from the input is an unreliable defence compared with parameterized queries
• Can lead to varying levels of data/system access for the attacker
• May allow reading or writing files, or execution of shell commands on the underlying OS, depending on the database's privileges and features
• Example: in the login web form, SQL injection can be exploited by submitting
Login: ' OR '1'='1
Password: ' OR '1'='1
Now the SQL query becomes:
SELECT Username FROM Users WHERE
Username = '' OR '1'='1' AND
Password = '' OR '1'='1'
Because AND binds tighter than OR, the WHERE clause is always true: the query returns a row and the login check passes without a valid password.
Web Applications Breach the Perimeter
Web Application Vulnerabilities
• Generally stem from improper handling of client requests and/or lack of input validation checking
• Web applications are publicly accessible
• Process data elements taken from within HTTP requests
• Fail to identify how data elements were captured, so it is difficult to know what kind of validation and sanity checking to use
The Root of the Issue: Input Validation
• Can be difficult to locate in a large code base
• Penetration testing is used to expose problems
• Web applications are subject to traditional forms of attack
SQL Injection Vulnerabilities
• Stems from developers building SQL queries by concatenating user input into the query text; stripping potentially "nasty" characters before use is an unreliable substitute for parameterized queries
• Can lead to varying levels of data/system access for the attacker
• May allow reading or writing files, or execution of shell commands on the underlying OS
Locating SQL Injection Vulnerabilities
• Study the application's inputs and insert special characters such as a single quote
• Most popular database backends give informative error messages, yielding clues about the SQL syntax and the structure of the query
http://www.abc.com/app.asp?user=jason&password=' OR '1'='1
http://www.abc.com/app.asp?user=jason&password='
Testing For SQL Injection
JSP Code Example (vulnerable: user input is concatenated into the query string):
String username = request.getParameter("user");
String password = request.getParameter("password");
String SQLQuery = "SELECT Username FROM Users WHERE Username = '" +
    username + "' AND Password = '" + password + "'";
Statement stmt = dbConnection.createStatement();
ResultSet resultSet = stmt.executeQuery(SQLQuery);
// Advance to the first row before reading it; getString on an
// unpositioned ResultSet throws an SQLException
String checkAuth = null;
if (resultSet.next())
    checkAuth = resultSet.getString(1);
boolean authenticated = (checkAuth != null);
Web Form Example:
Login: ' OR '1'='1
Password: ' OR '1'='1
Now the SQL query becomes:
SELECT Username FROM Users WHERE
Username = '' OR '1'='1' AND
Password = '' OR '1'='1'
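The login bypass on this slide and on the earlier "Two Common Vulnerabilities" slide, and the lone-quote probe from "Locating SQL Injection Vulnerabilities", can be reproduced against an in-memory database. This is an added example, not code from the original slides: it assumes a Users table of the shape the JSP code queries (Username, Password), uses a constructed SQLite table in place of the JSP page's dbConnection, and places the vulnerable concatenated query beside its parameterized replacement.

```python
import sqlite3

# Added example, not from the original slides. Constructed in-memory stand-in
# for the slide's Users table (one user, plaintext password as in the JSP code).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('jason', 'secret')")
    return db


def login_vulnerable(db, username, password):
    """Mirror of the JSP example: input concatenated straight into the SQL text."""
    query = ("SELECT Username FROM Users WHERE Username = '" + username
             + "' AND Password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Parameterized form: the driver passes the values apart from the SQL
    text, so a quote in the input cannot change the query's structure."""
    query = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def probe_with_quote(db, username):
    """The 'Locating SQL Injection' step: submit a lone single quote as the
    password and return the database's error text (None if no error)."""
    try:
        login_vulnerable(db, username, "'")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # the slide's Login and Password value
    print("vulnerable query, bypass payload:", login_vulnerable(db, payload, payload))  # True
    print("parameterized query, same payload:", login_safe(db, payload, payload))      # False
    print("error leaked by a lone quote:", probe_with_quote(db, "jason"))
```

The lone quote leaves the SQL text with an unterminated string literal, and the driver's error message is exactly the "informative error" the slides describe: an attacker reads it to learn that input reaches the query unescaped. The parameterized version closes the injection; storing passwords in plaintext, as this table does, is a separate problem (OWASP A8).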
OS Commanding
• If an attacker can invoke cmd.exe (or a copy of it) through the web server, he can use it to execute arbitrary commands on the web server itself
• In conjunction with tftp, an attacker could use this to download his own tools to the machine and compromise it further
Cross Site Scripting
• Also known as XSS
• The attacker embeds JavaScript into a page so that it executes when a victim views the page
• Commonly used to read the victim's cookies and send them to a server the attacker controls
• Message boards and web forms that echo user input back into pages are particularly vulnerable
Cross Site Scripting Examples
• <script>alert(document.cookie)</script>
– Displays the user's cookie, which can contain session and authentication information
• Gmail XSS Vulnerability - Fixed
– The zx variable used in authentication could contain exploitable scripts
• Often the script text is URL-encoded or entity-encoded as hex characters (for example %3Cscript%3E) to hide its intent
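The reflected payload above, and its hex-encoded form, can be traced through a message-board style page to show why output encoding, not input filtering, is the fix. This is an added example, not code from the original slides or from Gmail: the render functions and the `comment` markup are hypothetical, and the two payload strings are constructed (the second is the slide's script URL-encoded).

```python
import html
from urllib.parse import unquote

# Added example, not code from the original slides. Constructed payloads: the
# slide's cookie-reading script, and the same script URL-encoded ("converted
# to hex characters") as it would be hidden inside a crafted link.
PAYLOAD = "<script>alert(document.cookie)</script>"
PAYLOAD_HEX = "%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"


def decode_param(value):
    """What the server sees after URL-decoding a query-string or form parameter."""
    return unquote(value)


def render_comment_vulnerable(text):
    """Message-board style reflection: the text is pasted into the page as-is,
    so any markup it contains becomes live HTML in every viewer's browser."""
    return '<div class="comment">' + text + '</div>'


def render_comment_safe(text):
    """Output encoding for the HTML body context: < > & " ' become entities
    and are displayed as text instead of being parsed as markup."""
    return '<div class="comment">' + html.escape(text, quote=True) + '</div>'


def contains_live_script(rendered):
    """Cheap check used only to show the difference here; not a sanitizer."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    submitted = decode_param(PAYLOAD_HEX)
    print(render_comment_vulnerable(submitted))   # script tag survives into the page
    print(render_comment_safe(submitted))         # &lt;script&gt;... shown as text
```

The hex form defeats a naive filter that looks for a literal `<script>` in the raw parameter, because the server decodes it before use. Encoding at output time, in the syntax of the context the value lands in (html.escape covers the HTML body and attribute contexts only; JavaScript and URL contexts need their own encoders), is what stops the browser treating the data as markup. Marking the session cookie HttpOnly is a further defence: document.cookie then cannot read it even if a script does run.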
Phishing Attacks
• The attacker creates a replica login page that forwards the entered information to them
• Usually targets financial institutions
• Spread by email that persuades users to access the fake page and log in
• October 2004: 1,142 phishing sites, up from 542 in September
Phishing Examples
• Citibank a recent target
– www.citibank.com/domain/email_scam.htm
• Newer, more sophisticated attacks are being used by organized crime groups to collect credit card and social security numbers
• Email links may contain an IP address instead of a DNS name
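Two of the tells above, a raw IP address in the link and a displayed domain that differs from the real target, can be checked mechanically over the links in a message. This is an added example, not from the original slides: the sample links are constructed (192.0.2.10 is a documentation-range address), and the registrable-domain heuristic is a deliberate simplification that a production check would replace with the public suffix list.

```python
import ipaddress
from urllib.parse import urlparse

# Added example, not from the original slides. All links below are constructed
# test data; 192.0.2.10 is a documentation-range address, not a real host.


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_is_ip_literal(url):
    """True when the link's host is a raw IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host_of(url))
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Last two labels of the host. Good enough for .com-style names in this
    demo; a real check needs the public suffix list for names like .co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def displayed_host(text):
    """Host named by the anchor text, if that text looks like a URL or domain
    (free text such as 'Click here' yields '')."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    if "://" not in t:
        t = "http://" + t
    return host_of(t)


def link_is_suspicious(href, anchor_text):
    """Flag a link when it points at an IP literal, or when the domain shown
    to the reader differs from the domain the href actually leads to."""
    if host_is_ip_literal(href):
        return True
    shown = displayed_host(anchor_text)
    if shown and registrable_domain(shown) != registrable_domain(host_of(href)):
        return True
    return False


# Constructed sample links: (href, text shown to the reader in the email)
SAMPLE_LINKS = [
    ("http://192.0.2.10/citibank/login.htm", "www.citibank.com"),
    ("http://www.citibank.com.example.net/login", "www.citibank.com"),
    ("https://www.citibank.com/domain/email_scam.htm", "Click here"),
    ("https://online.citibank.com/login", "www.citibank.com"),
]


def flag_links(links=SAMPLE_LINKS):
    """Return the hrefs that trip either check."""
    return [href for href, text in links if link_is_suspicious(href, text)]


if __name__ == "__main__":
    for href in flag_links():
        print("suspicious:", href)
```

The second sample shows the other common trick the page's examples hint at: the legitimate name appears as a subdomain of an attacker-owned domain, so a reader who scans only the start of the URL is fooled. Neither check proves a link is safe; they are cheap first-pass filters for mail gateways or user-awareness tooling.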
Achilles Web Proxy
• Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly
• By modifying parameters, a user can potentially alter the contents of hidden fields or gain access to additional resources
• Can also be used to change cookie values
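The hidden-field tampering that an intercepting proxy makes trivial is only a problem when the server trusts what comes back. This is an added example, not code from the original slides or from Achilles: the checkout form, the catalog prices and SERVER_KEY are hypothetical. It shows a handler that trusts a hidden price field beside one that re-derives the price server-side, and, for values that genuinely must round-trip through the client, an HMAC check that detects edits made in the proxy.

```python
import hashlib
import hmac

# Added example, not from the original slides. SERVER_KEY and CATALOG are
# hypothetical; a deployment loads the key from configuration, never source.
SERVER_KEY = b"example-key-replace-in-deployment"
CATALOG = {"book": 1999}   # constructed server-side price list, in cents


def checkout_total_vulnerable(form):
    """Trusts the hidden 'price' field the browser sent back. An intercepting
    proxy lets the user rewrite that field before the request leaves."""
    return int(form["price"]) * int(form["qty"])


def checkout_total_safe(form, catalog=CATALOG):
    """Ignores any client-supplied price and re-derives it from server data."""
    return catalog[form["item"]] * int(form["qty"])


def sign_hidden_field(value, key=SERVER_KEY):
    """For state that must round-trip through the client, attach an HMAC so
    the server can detect edits. Colon separator: a hex MAC contains none."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + ":" + mac


def verify_hidden_field(field, key=SERVER_KEY):
    """Return the original value if the MAC checks out, else None."""
    value, sep, mac = field.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself does not leak the MAC
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    tampered = {"item": "book", "price": "1", "qty": "3"}   # price edited in the proxy
    print(checkout_total_vulnerable(tampered))   # 3
    print(checkout_total_safe(tampered))         # 5997
    token = sign_hidden_field("order=1234")
    print(verify_hidden_field(token))            # order=1234
    print(verify_hidden_field("order=9999:" + token.split(":")[1]))   # None
```

Re-deriving is the stronger fix wherever the server already knows the value; the MAC is for opaque state the server chose to park in the client. The same reasoning applies to the cookie values the slide mentions: a session identifier that the server looks up is safe to round-trip, a role or user id stored in a cookie without a MAC is not.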
Resources
• Lecture slides excerpted from:
– http://www.securityfocus.com/infocus/1709
– http://www.securityfocus.com/infocus/1722
– http://www.securityfocus.com/infocus/1704
– "Phishing spreads the net wider." Computer Weekly. November 2004.
– http://www.securitytracker.com/alerts/2004/Nov/1012289.html
– "Cross-Site Scripting." SPIDynamics.
– "Top Web App Attack Methods and How to Combat Them." SPIDynamics.
– http://www.mavensecurity.com/achilles