Vulnerability Assessment Services

Web Application Security
Web Application Security
• Overview
– Increase in deployment of web applications
– Issues with secure web application
development
– Impact of Application Attacks
– Top Web Application Threats
– Conclusions
Web Application Security
• Many in-house applications are being
migrated to web applications
– Ease of accessibility
– Ease of client deployment
– Employee intranets
– PeopleSoft and SAP recently converted to web
applications
– Customer portals
– Support applications
– Endless possibilities…
Web Application Security
• Traditional security protections do not address
the complexity of web applications
– Stateful inspection firewalls
– Many IDS/IDP systems
– Vulnerability Assessments
• Because of this, new security products and
services need to be developed to address the
security problems inherent in web applications
– Web application firewalls
– Web application vulnerability assessments
– Web application code review
– Training and awareness
Web Application Security
• Issues with secure web application
development
– Protecting applications against threats
– Ensuring access for authorized users
– Ensuring availability and application
performance
– Applications need to be coded securely, but
that is most often not the case
– A Web application vulnerability assessment
can uncover weaknesses in applications
before malicious attackers do
Web Application Security
• Implications of Web Application attacks
– Identity theft
– Credit card theft
– Website defacement
– Unauthorized access
– Password theft
– Unauthorized modification of data
– Data and information theft
– Denial of service
– Unauthorized access to back-end systems
Types of Attacks
• SQL Injection
– Attack description
• Allows execution of commands against database
• Results in unauthorized disclosure and/or
modification of SQL data
• Occurs when SQL statements are constructed with
user-supplied data, either through the URL, headers,
or form variables
• In some extreme cases, commands can be executed
in the OS (with xp_cmdshell stored procedure in
MSSQL)
– Countermeasures
• Validate all input, looking for SQL commands in input
• Deploy a web application firewall that provides
protection against SQL Injection
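The two ways of building the login query described above, side by side, as an added example that is not part of the original presentation. The in-memory SQLite table, the user record and the probe input are all constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for the application's database
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the slide describes: the statement is assembled from the
    form values, so a quote in the input changes the command itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the driver binds the values
    as data, so input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def looks_like_sql(value):
    """Input check of the kind the slide's first countermeasure calls for:
    flag quote characters and comment sequences for logging and alerting.
    It is a detection aid, not a substitute for parameterized statements."""
    markers = ("'", '"', ";", "--", "/*")
    return any(m in value for m in markers)

def demo():
    conn = make_db()
    # Constructed probe: the tautology an assessment submits in the password field
    probe = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", probe),
        "parameterized": login_parameterized(conn, "alice", probe),
        "legitimate": login_parameterized(conn, "alice", "s3cret"),
        "flagged": looks_like_sql(probe),
    }
```

With the concatenated statement the probe returns a row without a valid password; with placeholders the same input matches nothing, and the input check flags it for review.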
Types of Attacks
• Command Injection
– Attack description
• Allows execution of commands in the web server OS
• Results in unauthorized access to the OS, including
disclosure and modification of data. Also results in
privilege escalation
• Occurs when command statements are constructed with
user-supplied data, either through the URL, headers, or
form variables
– Countermeasures
• Validate all input, looking for OS commands in input
• Deploy a web application firewall that provides
protection against Command Injection
Types of Attacks
• Parameter & Form Tampering
– Attack description
• User manipulates parameters by setting them in the
URL, editing HTML code, or modifying the POST with
a proxy such as Achilles
• Can result in bypassing authentication mechanisms,
privilege escalation, unauthorized disclosure and/or
modification of data
– Countermeasures
• Validate all information returned from the client
• Deploy a web application firewall that understands
the parameters used for that application, their data
types, acceptable lengths, acceptable ranges of
values, etc.
Types of Attacks
• Directory Traversal & Forceful Browsing
– Attack description
• Attacker uses unchecked URL input parameters,
cookies, and HTTP request headers to access files
outside of allowed paths and directories
• Attacker may also try to guess or brute-force special
paths and known paths/scripts that are known to be
vulnerable
• Results in unauthorized disclosure of and
modification to the file system of the web server
– Countermeasures
• Validate all user input. Specifically look for “../”
• Deploy a web application firewall that knows the
valid forms, paths and URLs for the particular web
application that you are trying to protect
Types of Attacks
• Cross Site Scripting
– Attack description
• Attacker uses malicious script on a vulnerable target
site to send the attack to client browser
• Results in theft of client data, may lead to identity
theft and financial fraud
– Countermeasures
• Validate all input. Specifically, look for <SCRIPT>
tags
• Deploy a web application firewall that parses out
<SCRIPT> tags in user-supplied input
Types of Attacks
• Session Hijacking
– Attack description
• Each user logged into a web application receives a
unique session id from the web application. Allows
web app to keep state for the client
• Attacker manipulates web application to determine
predictable session ids
• Attacker then sets a session id either through
parameters, cookies, or HTML code (depending on
how the web app stores session ids)
• Attacker now has a session id from another user’s
valid session
• Results in authentication bypass, unauthorized
disclosure and modification, and privilege escalation
Types of Attacks
• Session Hijacking (continued)
– Countermeasures
• Use random session ids. Use MD5 (or similar) to
generate session ids
• Deploy a web application firewall that protects
session id data (cookies and/or form parameters).
Some of these products digitally encrypt, sign and
time-stamp cookies, protecting their data
• Cookie poisoning
– Attack description
• Attacker modifies cookie to escalate privileges or
assume another user's identity. See “Session
Hijacking”
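The session-id and cookie countermeasures above (random ids; signed and time-stamped cookies) worked through in code, as an added example that is not part of the original presentation. The cookie layout, the `SERVER_KEY` name, the 30-minute lifetime and the role field are assumptions made for the demonstration; the example signs and time-stamps but does not encrypt.

```python
import base64, hashlib, hmac, secrets, time

# Constructed server-side key for the example; a real service loads it from
# protected configuration and never exposes it to the client.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 30 * 60  # seconds a cookie stays valid after issue

def new_session_id():
    """Unpredictable session id: 128 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(16)

def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def make_cookie(session_id, role, now=None):
    """Cookie value = base64(session id | role | issue time) . HMAC tag."""
    issued = int(time.time() if now is None else now)
    payload = f"{session_id}|{role}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def read_cookie(cookie, now=None):
    """Return (session_id, role) only if the cookie is authentic and fresh."""
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        sid, role, issued = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison: a poisoned or forged cookie fails here
    if not hmac.compare_digest(_sign(payload), tag):
        return None
    current = time.time() if now is None else now
    if current - int(issued) > SESSION_TTL:
        return None  # stale cookie replayed after expiry
    return sid, role

def demo():
    sid = new_session_id()
    cookie = make_cookie(sid, "user", now=1_000_000)
    # Constructed poisoning attempt: re-encode the payload with role=admin but
    # keep the old tag, since the client does not hold SERVER_KEY
    b64, tag = cookie.split(".", 1)
    edited = base64.urlsafe_b64decode(b64).decode().replace("|user|", "|admin|")
    poisoned = base64.urlsafe_b64encode(edited.encode()).decode() + "." + tag
    return {
        "valid": read_cookie(cookie, now=1_000_100) == (sid, "user"),
        "poisoned_rejected": read_cookie(poisoned, now=1_000_100) is None,
        "expired_rejected": read_cookie(cookie, now=1_000_000 + SESSION_TTL + 1) is None,
    }
```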
Types of Attacks
• HTTP Header Manipulation
– Attack description
• Attacker alters HTTP request headers to include
meta-characters (see “SQL Injection” and
“Command Injection”) or steal cookies
– Countermeasures
• Validate all HTTP request headers
• Deploy a web application firewall that examines
HTTP request headers for malicious input
Types of Attacks
• Hidden Form Field Tampering
– Attack description
• Applications may use hidden form fields for tracking state
(session ids), authentication, price of item, etc.
• Attacker can modify the HTML or modify the parameter
value with a proxy such as Achilles
• Results in privilege escalation, unauthorized disclosure
and modification, possible session hijacking. Can also
result in monetary loss (in the case of a field such as
“price”)
– Countermeasures
• Try not to use hidden form fields, as they don’t provide any
security.
• If hidden fields are necessary, validate all information
returned from the client
• Deploy a web application firewall that understands the
parameters used for that application, their data types,
acceptable lengths, acceptable ranges of values, etc.
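The per-application parameter knowledge the slides attribute to a web application firewall (names, data types, acceptable lengths, acceptable ranges) expressed as a server-side allowlist, covering both the Parameter & Form Tampering and the Hidden Form Field Tampering countermeasures. This is an added example, not from the original presentation; the checkout form, its catalogue and the `CHECKOUT_SCHEMA` layout are constructed for the demonstration.

```python
import re
from decimal import Decimal

# Constructed catalogue and checkout form for the example (not from the slides)
CATALOGUE = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("49.50")}

# Allowlist for the checkout request: each accepted parameter with its type,
# maximum length and allowed range or value set. Unknown names are rejected.
CHECKOUT_SCHEMA = {
    "sku":      {"type": str, "max_len": 7,  "allowed": set(CATALOGUE)},
    "quantity": {"type": int, "max_len": 3,  "min": 1, "max": 99},
    "coupon":   {"type": str, "max_len": 12, "pattern": r"[A-Z0-9]+", "optional": True},
}

def validate_params(params, schema):
    """Return (ok, errors). Every parameter the client sent is checked against
    the schema; nothing is silently coerced or dropped."""
    errors = [f"unexpected parameter: {n}" for n in params if n not in schema]
    for name, rule in schema.items():
        raw = params.get(name)
        if raw is None:
            if not rule.get("optional"):
                errors.append(f"missing parameter: {name}")
            continue
        if len(raw) > rule["max_len"]:
            errors.append(f"{name}: too long")
        elif rule["type"] is int:
            if not raw.isdigit():
                errors.append(f"{name}: not an integer")
            elif not rule["min"] <= int(raw) <= rule["max"]:
                errors.append(f"{name}: out of range")
        elif "allowed" in rule and raw not in rule["allowed"]:
            errors.append(f"{name}: not an allowed value")
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], raw):
            errors.append(f"{name}: bad format")
    return (not errors), errors

def checkout_total(params):
    """Server-side total. The price is looked up from the catalogue and never
    read from the request, so a tampered hidden 'price' field has no effect
    and is reported as an unexpected parameter."""
    ok, errors = validate_params(params, CHECKOUT_SCHEMA)
    if not ok:
        return None, errors
    return CATALOGUE[params["sku"]] * int(params["quantity"]), []
```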
Types of Attacks
• Error Message Interception
– Attack description
• Attacker sends input in an attempt to cause a program
error
• Program sends an error message back to the browser
(through HTML)
• Error message may reveal directories, OS and version,
database and version, database field names and tables,
parameter names
• Gives attacker information necessary to execute other
attacks (SQL Injection, Command Injection)
– Countermeasures
• Turn off all error message output in web server and web
application. Turn off all debugging. Enable only for
development servers
• Validate input to prevent errors from occurring
• Deploy a web application firewall that understands the
parameters used for that application, their data types,
acceptable lengths, acceptable ranges of values, etc.
Types of Attacks
• Buffer Overflows
– Attack description
• Occurs when user-supplied input is not checked for length
• Leads to remote command execution
– Countermeasures
• Check length of user-supplied input
• Deploy a web application firewall that knows the
acceptable lengths and acceptable ranges of parameters
• Format String Vulnerabilities
– Attack description
• Occurs when a format string command, such as printf, is
constructed using user-supplied input
• Leads to remote command execution
– Countermeasures
• Validate all input. Specifically, look for “%s” and “%x” in
input
• Deploy a web application firewall that checks for format
string attacks
Types of Attacks
• Unicode and URL Encoding
– Attack description
• Attacker uses URL-encoded input to disguise
malicious code in URL strings
• Bypasses security mechanisms
• Can lead to any number of attacks
– Countermeasures
• Deploy a web application firewall that decodes all
URLs before inspection
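The "decode before inspection" rule on this slide combined with the Directory Traversal countermeasure (look for "../"), as an added example that is not part of the original presentation. Rather than searching for the literal sequence, it decodes the request (including double encoding), canonicalises the resulting path and checks that it still lies under the document root; the `WEB_ROOT` location and the request strings are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example; files are served only from below it
WEB_ROOT = os.path.realpath("/var/www/html/docs")

def fully_decode(value, max_rounds=3):
    """Undo URL encoding before any inspection, including double encoding
    (%252e -> %2e -> '.'). Input still changing after max_rounds is refused."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("excessively nested encoding")

def resolve_requested_file(requested):
    """Return the canonical path under WEB_ROOT, or None if the request
    resolves outside it. Canonicalising and comparing prefixes catches the
    encoded, absolute and backslash variants that a literal '../' check misses."""
    try:
        path = fully_decode(requested)
    except ValueError:
        return None
    if "\x00" in path:
        return None  # NUL byte would truncate the name in a C-based server
    path = path.replace("\\", "/").lstrip("/")  # always treat as relative to root
    candidate = os.path.realpath(os.path.join(WEB_ROOT, path))
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None  # escaped the document root
    return candidate
```

A request such as `reports/../2004/summary.pdf` is still accepted because it resolves inside the root, which a blanket "../" rejection would have refused.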
Types of Attacks
• Web Services Attacks
– Web services – SOAP, UDDI, WSDL
– New breed of web application
– Components interacting with one another
– Require authentication, authorization,
encryption, integrity
– Peer relationships (Not client to server). Peers
are web services components who must
authenticate to one another, encrypt
communications between one another, and
check permissions for allowed access
Types of Attacks
• Denial of Service
• SSL Hacking
• Attacks against Web Servers (IIS, Apache)
• Operating System Attacks (Windows,
UNIX, Linux, etc.)
Web Application Security
• OWASP Top Ten
– Unvalidated Input - Information from web requests
is not validated before being used by a web
application. Attackers can use these flaws to
attack backend components through a web
application.
– Broken Access Control - Restrictions on what
authenticated users are allowed to do are not
properly enforced. Attackers can exploit these
flaws to access other users’ accounts, view
sensitive files, or use unauthorized functions.
Web Application Security
• OWASP Top Ten
– Broken Authentication and Session Management -
Account credentials and session tokens are not
properly protected. Attackers that can compromise
passwords, keys, session cookies, or other tokens
can defeat authentication restrictions and assume
other users’ identities.
– Cross Site Scripting (XSS) Flaws - The web
application can be used as a mechanism to
transport an attack to an end user’s browser. A
successful attack can disclose the end user’s
session token, attack the local machine, or spoof
content to fool the user.
Web Application Security
• OWASP Top Ten
– Buffer Overflows - Web application components in
some languages that do not properly validate input
can be crashed and, in some cases, used to take
control of a process. These components can
include CGI, libraries, drivers, and web application
server components.
– Injection Flaws - Web applications pass
parameters when they access external systems or
the local operating system. If an attacker can
embed malicious commands in these parameters,
the external system may execute those
commands on behalf of the web application.
Web Application Security
• OWASP Top Ten
• SQL Injection - Attacker creates or alters existing SQL
commands. A serious threat for database-driven sites.
• Direct OS/system command injection - Attacker injects
system commands into HTML forms, cookies, or URL
parameters. Attacker can execute system-level
functions.
• Meta character injection - Attacker inserts meta
characters into URL-encoded parameters in query
strings to exploit known security holes. Certain
characters (such as ~ or =) have special meanings in
certain scripts and applications. The risk varies with OS
and application.
Web Application Security
• OWASP Top Ten
– Improper Error Handling - Error conditions that
occur during normal operation are not handled
properly. If an attacker can cause errors to occur
that the web application does not handle, they can
gain detailed system information, deny service,
cause security mechanisms to fail, or crash the
server.
– Insecure Storage - Web applications frequently
use cryptographic functions to protect information
and credentials. These functions and the code to
integrate them have proven difficult to code
properly, frequently resulting in weak protection.
Web Application Security
• OWASP Top Ten
– Denial of Service - Attackers can consume web
application resources to a point where other
legitimate users can no longer access or use the
application. Attackers can also lock users out of
their accounts or even cause the entire application
to fail.
– Insecure Configuration Management - Having a
strong server configuration standard is critical to a
secure web application. These servers have many
configuration options that affect security and are
not secure out of the box.
Web Application Security
• Traditional Network Security and Web
Applications
– Firewalls – usually only inspect up to the transport
layer
– IDS/IPS – will not prevent/detect application-specific attacks
– AntiVirus – same problem as IDS and IPS
– OS Patches
Web Application Security
• New solutions are needed
– Web application firewalls – they focus on the web
application layer and learn what input is valid for a
specific application. Rules are generated based on
valid inputs
– Web Application Scanners – test web applications
for vulnerabilities
– Web Application Security Assessments – go
further than a network-layer penetration test and
examine the specific web application. Highly
customized service
– Web application security training & awareness
– Secure programming practices
Web Application Security
• Tools
– WebScarab
http://www.owasp.org/development/webscarab
– WebGoat
http://www.owasp.org/development/webgoat
– Lilith http://angelo.scanit.biz/
– Nikto http://www.cirt.net/code/nikto.shtml
– Achilles
http://packetstormsecurity.org/web/achilles-027.zip
Web Application Security
• Conclusions
– Web application vulnerability assessments and
web application scanners will check for all of these
types of attacks
– Web application firewalls prevent these attacks
before attack gets to web server
– Web application developers need to be trained in
secure programming practices
– IT personnel responsible for the security of web
servers need to understand the risks
– Training & awareness
Web Application Security
• Links
– OWASP http://www.owasp.org
– CGI Security http://www.cgisecurity.com/
– Improving Web Application Security: Threats
and Countermeasures (ASP.NET)
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnnetsec/html/threatcounter.asp
– Web Application Security mailing list
http://www.securityfocus.com/archive/107
Contact Information
James Kist
Network Security Corp.
405 North French Road, Suite 100
Amherst, NY 14228
Phone: (716) 692-8183
Fax: (716) 692-8301
www.nsec.net
[email protected]