Web Security Overview (OWASP Top 10 Web App
Web Security
Martin Nystrom, CISSP
Security Architect
Cisco Systems, Inc.
[email protected]
© 2003 Cisco Systems, Inc. All rights reserved.
Who am I?
• Security Architect in Cisco’s InfoSec
Responsible for consulting with application teams to secure their
architecture
Monitor for infrastructure vulnerabilities
Infrastructure security architect
• 12 years developing application architectures
• Java programmer
• Master of Engineering – NC State University
• Bachelor’s - Iowa State University – (1990)
mnystrom
© 2004 Cisco Systems, Inc. All rights reserved.
Why worry?
• Guess.com sanctioned by FTC for exposing private information
“…permitting anyone able to construct a properly-crafted URL to pull
down every name, credit card number and expiration date in the site's
customer database.”
• U.S. Army systems hacked using WebDAV vulnerability in IIS
“…it was a disturbingly successful attack, experts say, because the
intruder found and exploited a flaw that took security researchers
completely by surprise. “
• Millions of credit card numbers compromised at Data Processors
International
"All indications are the attack on this company's (Internet) address came
from the outside, and efforts continue to analyze this attack to see if it
could be traced to the attacker," the investigator said.
• Utah ISP is victim of retaliation following hackers' attack on Al-Jazeera
“…impersonating an Al-Jazeera employee, tricked the Web addressing
company Network Solutions into making technical changes that
effectively turned over temporary control of the network's Arabic and
English Web sites...''
Why worry? (cont.)
[Chart: Security Vulnerabilities vs. Incidents, CERT data, years 1995 to 2002; two series, Vulnerabilities and Incidents; y-axis 0 to 90,000]
The goal of an attack
• Steal data
• Blackmail
• Beachhead for other attacks
• Bragging rights
• Vandalism
• Demonstrate vulnerability/satisfy curiosity
• Damage company reputation
A word of warning
• These tools and techniques can be dangerous
• The difference between a hacker and a cracker
is…permission
• Admins will see strange activity in logs, and come
looking for you
• Authorities are prosecuting even the “good guys” for
using these tools
Commonly attacked services
• SMTP servers (port 25)
sendmail: “The address parser performs
insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible
for an attacker to take control of the application”
• RPC servers (port 111 & others)
• NetBIOS shares (ports 135, 139, 445)
Blaster worm
Sasser worm
• FTP servers (ports 20, 21)
wuftpd vulnerabilities
• SSH servers (port 22)
OpenSSH, PAM vulnerabilities
• Web servers (ports 80, 443)
Apache chunked encoding vulnerability
Web server attack
• Scan to find open ports
• Find out what’s running on open ports (banner
grabbing)
• Profile the server
Windows (look for Kerberos, NetBIOS, AD)
Unix
Use TCP fingerprinting
• Probe for weaknesses on interesting ports
Default configuration files and settings (e.g. popular IIS
ones)
Buffer overflows
Insecure applications
• Launch attack
Use exploit code from Internet…
…or build your own
Scanning…
What O/S is this system?
Example Web Application
[Diagram: request flow across four zones: Internet, DMZ, internal network, protected network]
• Web client (IE, Mozilla, etc.) sends an HTTP request over cleartext or SSL transport
• Web server (Apache, IIS, Netscape, etc.)
• App server, optional (J2EE server, ColdFusion, Oracle 9iAS, etc.), reached from the web server over AJP, IIOP, T9, etc.
• Web apps (Perl, C++, CGI, Java, ASP, PHP, etc.)
• DB (Oracle, SQL Server, etc.) accessed via ADO, ODBC, JDBC, etc.
• HTTP reply (HTML, JavaScript, VBScript, etc.) returned to the client
OWASP Top 10 Web Application Security
Vulnerabilities
http://www.owasp.org
1. Unvalidated parameters
2. Broken access control
3. Broken account/session management
4. Cross-site scripting flaws
5. Buffer overflows
6. Command injection flaws
7. Error handling problems
8. Insecure use of cryptography
9. Remote administration flaws
10. Web and app server mis-configuration
Principles
• Turn off un-needed services
• Keep systems patched
• Don’t trust input
• Watch for logic holes
• Only provide the necessary information
• Hide sensitive information
Encryption
Access controls
#1: Unvalidated Parameters
• Attacker can easily change any part of the HTTP request before
submitting
URL
Cookies
Form fields
Hidden fields
Headers
• Encoding is not encrypting
Toasted Spam: http://www.toastedspam.com/decode64
• Input must be validated on the server (not just the client).
CoolCarts: http://www.extremelasers.com
• Countermeasures
Tainting (Perl)
Code reviews (check variable against list of allowed values, not vice versa)
Application firewalls
CodeSeeker: http://www.owasp.org/codeseeker/
Real-time auditing: http://www.covelight.com
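Two of the points above, that encoding is not encrypting and that input must be validated on the server against a list of allowed values, as an added Python example that is not part of the original slides; the base64 hidden price field, the parameter names and the allow-list values are constructed for illustration.

```python
import base64
import binascii

# Constructed example: a hidden form field carrying a base64-encoded price.
# Base64 is an encoding, not encryption: any client can decode it, change
# the value and re-encode it before submitting the form.
HIDDEN_PRICE_FIELD = base64.b64encode(b"price=199.00").decode("ascii")


def decode_hidden_field(value):
    """Decode a base64 hidden field; returns '' if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


# Positive (allow-list) validation: the server states which values are legal
# for each parameter and drops everything else, instead of enumerating
# bad values. Parameter names and values here are hypothetical.
ALLOWED = {
    "sort": {"price", "name", "date"},
    "page_size": {"10", "25", "50"},
}


def validate_params(params):
    """Keep only parameters whose name is known and whose value is on the
    allow-list. Anything else (including a client-supplied 'price') is
    ignored; the server looks prices up from its own catalogue."""
    clean = {}
    for name, value in params.items():
        if name in ALLOWED and value in ALLOWED[name]:
            clean[name] = value
    return clean
```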
#2: Broken Access Control
• Usually inconsistently defined/applied
• Examples
Forced browsing past access control
checks
Path traversal
File permissions – may allow access to
config/password files
Client-side caching
• Countermeasures
Use non-programmatic controls
Verify access control via central container
Code reviews
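The path traversal example above, checked the way a central access-control container would do it, as an added Python example that is not part of the original slides; the root directory and file names are constructed, and the check decodes percent-encoding before testing the canonical path.

```python
import os
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` only if it stays inside `root`.

    Both paths are canonicalised (os.path.realpath resolves '..' and
    symlinks), and the result must be the root itself or a descendant.
    A bare string-prefix test is not enough: '/var/www/public_evil' starts
    with '/var/www/public', so the separator is included in the comparison.
    Returns None when the request escapes the root."""
    root_abs = os.path.realpath(root)
    # Decode percent-encoding first so '%2e%2e%2f' is checked as '../', and
    # strip a leading separator so os.path.join does not discard the root.
    decoded = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root_abs, decoded))
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None


def is_inside_root(root, requested):
    """Convenience wrapper: True when the request may be served."""
    return resolve_under_root(root, requested) is not None
```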
#3: Broken Account and Session Management
• Weak authentication
Password-only
Easily guessable usernames (admin, etc.)
Unencrypted secrets are sniffable
• How to break in
Guess/reset password
Have app email you new password
Sniff or crack password
• Backend authentication
How are database passwords stored?
Trust relationships between hosts (IP address
can be spoofed, etc.)
• Countermeasures
Strong passwords
Remove default user names
Protect sensitive files
#4: Cross-Site Scripting (XSS)
• Attacker uses trusted application/company
to reflect malicious code to end-user
• Attacker can “hide” the malicious code
Unicode encoding
• 2 types of attacks
Stored
Reflected
• Wide-spread problem!
• Countermeasures
Input validation
Positive
Negative: “< > ( ) # &”
Don’t forget these: “< > ( ) # &”
User/customer education
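Positive versus negative input validation for the characters listed above, plus output encoding, as an added Python example that is not part of the original slides; it shows why a negative filter on raw characters misses an encoded payload and why decoding must happen before validation. The display-name rule is a constructed allow-list.

```python
import html
import re
from urllib.parse import unquote

# The characters the slide lists for a negative (deny-list) filter.
DENIED = set("<>()#&")


def negative_filter_passes(value):
    """Deny-list check as it is often written: looks for the raw characters
    only, so a percent-encoded '<' (%3C) slips through untouched."""
    return not (DENIED & set(value))


def normalise(value):
    """Decode percent-encoding until the value stops changing (defeats
    double encoding) so validation sees what the browser will see."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


# Constructed allow-list: a display name is letters, spaces, apostrophes
# and hyphens, at most 40 characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '-]{0,39}$")


def positive_filter_passes(value):
    """Allow-list check on the decoded value: anything not explicitly
    permitted is rejected, whichever encoding it arrived in."""
    return bool(NAME_RE.match(normalise(value)))


def render_greeting(name):
    """Output encoding: escape on the way out regardless of what validation
    did, so the browser treats user data as text rather than markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```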
#5: Buffer Overflows
• Mostly affects web/app servers
• Can affect apps/libraries too
• Goal: crash the target app and get a shell
• Buffer overflow example
echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
Replace all those "a"s with something like this…
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
• Countermeasures
Keep up with bug reports/patches
Code reviews
Run with limited privileges
Use “safer” languages like Java
#6: Command Injection
• Allows attacker to relay malicious code in form variables
or URL
System commands
SQL
Interpreted code (Perl, Python, etc.)
• Many apps use calls to external programs
sendmail
• Examples
Path traversal: “../”
Add more commands: “; rm -r *”
SQL injection: “' OR 1=1”
• Countermeasures
Taint all input
Avoid system calls (use libraries instead)
Run with limited privileges
#7: Error Handling
• Examples: stack traces, DB dumps
• Helps attacker know how to target the app
• Inconsistencies can be revealing too
“File not found” vs. “Access denied”
• Fail-open errors
• Need to give enough info to user w/o giving too
much info to attacker
• Countermeasures
Code review
Modify default error pages (404, 401, etc.)
Error messages example
#8: Poor Cryptography
• Insecure storage of credit cards, passwords, etc.
• Poor choice of algorithm (or invent your own)
• Poor randomness
Session IDs
Tokens
Cookies
• Improper storage in memory
• Countermeasures
Store only what you must
Store a hash instead of the full value (SHA-1)
Use only vetted, public cryptography
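The countermeasures above (proper randomness for session IDs, storing a hash instead of the full value, storing only what you must) as an added Python example that is not part of the original slides; it uses only the standard library, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def new_session_id():
    """Session ID drawn from the OS CSPRNG via `secrets`, not from a seeded
    PRNG such as random.random(): 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token):
    """Store a hash of the token instead of the token itself, so a leaked
    session table does not contain usable session IDs. The slide names
    SHA-1 (2004); SHA-256 is used here. Passwords are a different case and
    need a salted, deliberately slow hash rather than a plain digest."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_matches(presented, stored_fingerprint):
    """Compare in constant time so response timing does not leak how much
    of the fingerprint matched."""
    return hmac.compare_digest(token_fingerprint(presented), stored_fingerprint)


def issue_and_verify():
    """Round trip: mint an ID, keep only its fingerprint, verify the ID later
    and confirm a tampered ID is rejected."""
    sid = new_session_id()
    stored = token_fingerprint(sid)
    return token_matches(sid, stored) and not token_matches(sid + "x", stored)


def mask_card_number(pan):
    """'Store only what you must': keep the last four digits for display and
    discard the rest rather than retaining the full card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]
```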
#9: Remote Administration Flaws
• Problems
Weak authentication (username=“admin”)
Weak encryption
• Countermeasures
Don’t place admin interface on same server
Use strong authentication: certificates, tokens, strong
passwords, etc.
Encrypt entire session (VPN or SSL)
Control who has accounts
IP restrictions
#10: Web/App Server Misconfiguration
• Tension between “work out of the box” and
“use only what you need”
• Developers ≠ web masters
• Examples
Unpatched security flaws (BID example)
Misconfigurations that allow directory traversal
Administrative services accessible
Default accounts/passwords
• Countermeasures
Create and use hardening guides
Turn off all unused services
Set up and audit roles, permissions, and
accounts
Set up logging and alerts
Tools used in this preso
• WebGoat – vulnerable web applications for demonstration
• VMWare – runs Linux & Windows 2000 virtual machines on demo laptop.
• nmap – host/port scanning to find vulnerable hosts
• Ethereal – network traffic sniffing
• Metasploit Framework – exploit tool
• Brutus – password cracking
• Sleuth – HTTP mangling against web sites