SlideShare una empresa de Scribd logo

Web Based Security

Descargar como PPT, PDF
John Wiley
John Wiley

This gives insight on how people manipulate online servers to do harm, *without* exposing security risks.This simply explains whats going on during this activity and how to protect yourself.

Tecnología
1 de 66
Detection and Evasion of Web Application Attacks K. K. Mookhey Founder & CTO Network Intelligence (I) Pvt. Ltd. www.nii.co.in © Network Intelligence India Pvt. Ltd. 1
Agenda Static Detection Techniques Dynamic Detection Techniques – Signature-based – Anomaly-based Typical Web Application Attacks Signature-based detection Anomaly-based detection Conclusion 2
Current state Web applications represent highly vulnerable attack avenues Most discussions on web application security, center on attacking it and secure coding to protect it Methods for detecting such attacks are coming into their own Existing detection methods are being tested before customers accept these solutions as standard 3
Solution Positioning Database App IDS Internet Firewall Web Servers Application Servers User/Attacker 4
Detecting Web Application Attacks © Network Intelligence India Pvt. Ltd. 5
My classification Detection Techniques Static Techniques Dynamic Techniques Anomaly-based Signature-based 6
What information is needed We need the following fields for an effective investigation: – Source IP – Timestamp – HTTP Method – URI requested – Full HTTP data sent Attack data could be in: – URI – HTTP headers from client – Cookie – Basically anywhere 7
Detection Techniques Using static techniques – Happens post-occurrence of event – Parse log files using standard tools/techniques – Aim is forensics investigation Using dynamic techniques – Detect the attack as it happens – Trigger alarms when attack is happening – Aim is detect/prevent in real-time 8
Static Detection © Network Intelligence India Pvt. Ltd. 9
Static detection techniques Data sources to look at: – Web Server Logs – Application Server Logs – Web Application’s custom audit trail – Operating system logs What’s missing: – POST data (only GET data available) – HTTP Headers only partially represented – Cookie or Referer data depends on web server 10
Web Server Logs IIS Web Server Log entry (with almost all options selected) 2004-06-23 11:44:53 192.168.0.70 POST /sqlinject2.pl - 200 797 640 43082 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US; +rv:1.4)+Gecko/20030624+Netscape/7.1+(ax) - http://192.168.0.25/sqlinject2.html This is an SQL injection attack – surely doesn’t look like one! POST Request data is missing HTTP Headers are missing 11
Static Detection Fails to detect: HTTP Header attacks can’t be detected: – The Template: F attack can’t be detected – Attacks that overflow various HTTP header fields Web application attacks in a POST form – SQL injection – Cross-site scripting Forceful browsing – user tries to access page without going through prior pages that would ensure proper authentication and authorization 12
Static Detection does detect: Automated attacks using tools such as Nikto or Whisker or Nessus Attacks that check for server misconfiguration (../../winnt/system32/cmd.exe) HTML hidden field attacks (only if GET data – rare) Authentication brute-forcing attacks Order ID brute-forcing attacks (possibly) – but if it is POST data, then order IDs cannot be seen 13
Dynamic Detection © Network Intelligence India Pvt. Ltd. 14
Dynamic detection techniques Methods: – Application Firewall – In-line Application IDS – Network-based IDS (possibly) adapted for applications Advantages: – Complete packet headers and payload available – Including HTTP headers – POST request data – URI request data 15
Dynamic Detection Techniques The web application intrusion detection space is divided into two possibilities: – Signature-based – Anomaly-based Each has its own implementation and effectiveness issues 16
Comparison Table Signature-based Anomaly-based Easier to implement More complicated Cheaper – DIY Mostly commercial solutions False positives False positives are fewer, but… As well as false negatives False negatives as well Popular for detecting known Used for both web server, as web server attacks. Can be well as web application tweaked to do decent web attacks application detection. 17
Signature-based Snort IDS has 868+ signatures out of 1940+ for web layer attacks Most are for known vulnerabilities in web servers, such as: – IIS directory traversal – IIS .ida, .idq, etc. attempts – Chunked Transfer-encoding attacks Only a few are generic signatures for web application attacks, such as for: – cross-site scripting – /usr/bin/perl or other Unix command attempts 18
mod_security Works specifically with Apache Can scan in-depth and fine-grained checks Can scan cookies as well Also supports PCRE Can be configured as IPS – ‘exec’ Can’t detect: – Session id brute forcing – Forced browsing – Authentication brute-forcing – HTML hidden field manipulation Comes with a Perl script to convert all Snort rules to its own ruleset 19
The Attacks © Network Intelligence India Pvt. Ltd. 20
Web Server Attacks (A10) These are usually with tools such as Nikto or Nessus Default run of these tools is easily detected by Snort or any other IDS: rules will fire all over the place Tools have IDS evasion techniques Effective only to some extent, eventually you will get flagged More flags will be ‘DOUBLE DECODING ATTACK’ on Snort Demo {} 21
Downloading entire website Often an attacker will crawl the entire website and download it locally Objective is to study the process flow, structure, and overall programming logic used by developers Also to find out any client-side javascripting encryption or obfuscation used Also to search for HTML comments or any other pieces of critical information 22
Detection Similar to a portscan – but its happening at the application layer Web site logs will show almost entire website being accessed in a very short time interval Almost impossible to write an signature for this Perfectly suited for anomaly detection How about a Snort preprocessor for this? – issues? 23
Cross-site scripting (A4) © Network Intelligence India Pvt. Ltd. 24
XSS Attacks the end-user Works due to failure in input as well as output validation by the web application User input is produced without parsing as output Works by inserting HTML meta-tags, which contain java script or other malicious code 25
Cross-site scripting Existing snort signatures: For typical <script>alert(document.cookie)</script> attack: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;) For typical <img src=javascript> attack: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web- application-attack; sid:1667; rev:5;) 26
Evasion of these Can be trivially evaded: – <a href="javas&#99;ript&#35;[code]"> – <div onmouseover="[code]"> – <img src="javascript:[code]"> – <xml src="javascript:[code]"> Demo {} 27
Better signatures Enter PCRE – Perl Compatible Regular Expressions Greater flexibility One signature can catch multiple attacks Lower learning curve for Unix admins – regex is part of daily life Regular expressions work with: – Snort IDS – Eeye’s SecureIIS – Apache’s mod_security (best bet) 28
Signatures for XSS /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>) Checks for occurrence of: – = – Followed by one or more non-newline characters – Followed by < or hex-equivalent – Zero or more / – And then > or hex-equivalent This will catch almost any remote attempt to attack XSS Very few false positives 29
Demo of XSS Signatures © Network Intelligence India Pvt. Ltd. 30
Malicious redirection Some sites have code which will redirect user to another part of the website or a partner website: http://www.nii.co.in/redirect.php?target=www.partnersite.com This can be manipulated to http://www.nii.co.in/redirect.php?target=www.evilsite.com Can be obfuscated using hex or Unicode encoding or even URL mangling: 1. Redirection to IP address in Octal or Hex (URL Munge) 2. Conversion to URL encoded values http://www.nii.co.in/redirect.php?target=%68%74%74%70%3A%2F%2F %37%35%32%37%32%30%32%38%31%37 Attack outcome is similar to an XSS attack 31
Detection of this If the set of sites to which redirection is to be allowed is know Then signature can be written in PCRE to detect any input that is not belonging to that set: target=[^(www.partner.com)] Mod_security can be used to refer specifically to the particular argument type as well Anomaly-based detection is ideal, since the bank of clean data would include only references to partner.com And by definition, any variation would be flagged 32
Forceful browsing (A2) User tries to directly access a web page that requires previous authentication If web application is badly coded, attempt may be successful For instance, access to http://www.nii.co.in/orders.php, requires successful authentication at: http://www.nii.co.in/login.php Very difficult to write signature, unless there is a stateful application engine that records whether authentication was first successful or not Anomaly-based detection is best bet 33
SQL Injection (A6) © Network Intelligence India Pvt. Ltd. 34
SQL injection Demo of standard SQL injection attack {} Typical attackers will try the following: – Just a single-quote – A boolean True expression: 1’or’1’=‘1 – A commented input admin;-- At an intermediate stage: – SELECT, INSERT, UPDATE, DELETE, etc. At an advanced stage: – UNION – EXEC XP_CMDSHELL 35
SQL injection – key inputs The key input types for this are: SQL meta-characters: – Single-quote – Comment characters – Query separators, such as semi-colon (;) Some boolean logic sooner or later Possibly the word ‘union’ or ‘select’ or ‘insert’ or ‘delete’ at an advanced stage Possibly even ‘exec xp_cmdshell’, if attacker determines database as Microsoft SQL Server 36
Regex for SQL injection detection [^n]+(%3D)|(=)) (%27)|(')|(--)|(%23) Typical POST data would look like: – username=test&password=1’or’1’=‘1 Watch out for: – One or more non-newline characters – Followed by the = sign, which denotes the occurrence of an input field – Then the single-quote or hex-equivalent – Or double-dash (as comment character) – Or semi-colon – Or /**/ if used for evasion 37
Problems Leads to false positives Some of the characters could occur as genuine non-malicious input: – O’Conner?? Need further tweaking But could be kept for later forensics Important: With mod_security, this signature can be added at a more fine-grained level – specific parameter within a specific script to be checked Also, mod_security can scan cookie values as well 38
Boolean SQL injection Intention is to manipulate the SQL query into a true value always: Select username, password from user_table where username=‘user_supplied_input1’ and password=‘user_supplied_input2’ If user supplied password as 1’or’1’=‘1 Query becomes Select username, password from user_table where username=‘user_supplied_input1’ and password=‘1’or’1’=‘1’ 39
Regex for this Attack signature could be 1’or’1’=‘1 Could also be 1’or’B’>’A Could be any Boolean expression, as long as it is OR’ed and results in a TRUE value /w*((%27)|(’))((%6F)|o|(%4F))((%72)|r|(%52))/ix Explanation w* - zero or more alphanumeric or underscore characters (%27)|’ – the ubiquitous single-quote or its hex equivalent (%6F)|o|(%4F))((%72)|r|(%52) – the word ‘or’ with various combinations of its upper and lower case hex equivalents. Caveat: be careful if your application uses forms such as process.php?id=OR123 40
Other keywords to detect EXEC XP_ EXEC SP_ OPENROWSET EXECUTE IMMEDIATE UNION SELECT INSERT UPDATE 41
Evasion of these Some common evasion techniques, which need to be taken care of: Different encodings, such as URL encoding, or UTF-8 encoding. Counter: Snort preprocessors decode encoded URL strings before applying signature check White spaces used intermittently by attacker Counter: Use [s]+ to check for one or more whitespaces Use of SQL comments -- or /**/ Counter: write signature for detecting: -- /* 42
Other attacks © Network Intelligence India Pvt. Ltd. 43
Buffer overflows (A5) Buffer overflows against web applications do not always yield significant results Buffer overflows are typically used to exploit known vulnerabilities However, sometimes interesting information can be revealed For instance, a large input value is entered into an input field, and gets fed into a PHP function producing the following error Note this is also A7 ‘Improper Error Handling’ in OWASP Top Ten 44
45
Signature for this? So the regex might look like this: /[w]+=[^=]{500,+}&/ Other alternatives are to use the SecFilterByteRange in mod_security SecFilterByteRange 32 126 Or use the the following directives within Apache – LimitRequestBody – LimitRequestFieldsize 46
Command Execution (A7) Used if input may be going into a Perl or PHP system() call or C execve() call Say a URI like “lame.cgi?page=ls%20-al” All the characters could easily occur as part of a genuine URI Snort has multiple signatures for various OS commands Snort signatures can misfire mod_security comes with Perl script to convert most of the Snort rules to its own directives SecureIIS and URLScan can do the same job for IIS 47
Null byte poison attack (A1) Used to end an input string, as the null byte is the end-of-string character in C "%00" This is definitely malicious traffic Null byte has no business in genuine URIs Trivial to detect Just watch out for ‘%00’ 48
The pipe ‘|’ (A1) Used for piping the output of one command into the input of another Used if input may be going into a Perl or PHP system() call or C execve() call This is also definitely malicious Trivially, identified, and signature can be written 49
Where signature-based detection fails © Network Intelligence India Pvt. Ltd. 50
Hidden Field Manipulation Developers assume HTML hidden fields will be input unchanged Parameter manipulation: – Attacker manipulates price from $200 to $2 – Almost impossible to write a working signature for this – Anomaly-based detection would (possibly) work 51
52
Invalid input (A1) Entering numeric values in web applications, where alphabets are expected Entering alphabets where numeric values are expected Modifying the case of the file being requested Attempts such as these typically yield information or path disclosure results Not possible to write specific signatures for all the input fields in the web application 53
54
Authentication/Authorization Attacks (A3) These attacks typically brute-force the authentication mechanism For example, use of Brutus for dictionary-attack against Basic Authentication or Form-based Authentication Or custom Perl script for brute-forcing session IDs or order IDs, or any such similar attack if these IDs are not truly random enough: http://www.nii.co.in/getorder.php?order_id=200406271 http://www.nii.co.in/getorder.php?order_id=200406272 http://www.nii.co.in/getorder.php?order_id=200406273 http://www.nii.co.in/getorder.php?order_id=200406274 55
Detection of these Not possible to write a signature to detect these As individually, each request is perfectly legitimate traffic Static detection techniques using log analysis, might detect it But if POST request is used, then all that will be seen in the logs is repeated requests for: http://www.nii.co.in/getorder.php?order_id And not the actual Order ID being requested 56
Possible detection Possible if some sort of rule-based correlation (RBC) can be used An RBC rule could say, – if Snort flags this 10 times within 60 seconds from the same source IP – then raise a stink A Snort rule could be created, if there is an outgoing HTTP 401 Authentication Failed message But, genuine mistakes during authentication would raise too many alarms to investigate 57
Another possibility? These attacks are similar in nature to portscans at the network layer Rapid HTTP requests for URLs that change at specific locations: – Either the form fields (for authentication attacks) – Or session IDs (for authorization attacks) Could a Snort preprocessor be possibly written for this? 58
Anomaly-based Detection © Network Intelligence India Pvt. Ltd. 59
Anomaly-based Based on assumption that normal traffic can be defined Attack patterns will differ from such ‘normal’ traffic Anomaly-based detection system will go through a learning phase to register such ‘normal’ traffic Analysis will be done for individual field attributes as well as for entire query string This difference should be able to be expressed quantitatively 60
Anomaly-based Some of the attributes that could be analyzed are: – Input length – Character distribution – Parameter string structure – Parameter absence or presence – Order of parameters Important: Learning must be on actual web traffic, not old web server logs. Logs do not contain all critical data where attack traffic could occur, such as cookies or HTTP headers, POST data, etc. Commercial products dominate this field Choice is influenced by cost-benefit analysis 61
A quick overview AppShield from Sanctum Inc. Imperva’s SecureSphere Teros Secure Application Gateway NetContinuum’s Application IDS 62
Conclusion © Network Intelligence India Pvt. Ltd. 63
Key points Signature-based IDS is good enough to detect a large majority of initial web app attacks It fails in detecting certain unique attacks, such as price manipulation or forceful browsing or malicious redirection Some signatures may yield large number of false positives Anomaly-based detection is based on training the IDS to learn normal web traffic Products are still maturing Maybe best solution is a combination of signature-based to detect majority of simpler attacks, and anomaly-based to detect sophisticated application-specific attacks Cost-benefit will be the deciding factor 64
References Christopher Kruguel and Giovanni Vigna. Anomaly Detection of Web-based Attacks, October 2003 Detection of Web Application Attacks, http://www.securityfocus.com/infocus/1768 SQL Signatures Evasion http://www.imperva.com/application_defense_center/wh Mod_security www.modsecurity.org 65
Questions? www.nii.co.in © Network Intelligence India Pvt. Ltd. 66

Recomendados

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps SecurityVictor Bucutea
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideDarin Fredde
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 

Recomendados

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps SecurityVictor Bucutea
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideDarin Fredde
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_securityMichael Freyberger
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 

Más contenido relacionado

La actualidad más candente

Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesBulent Buyukkahraman
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp SecurityCarles Farré
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 

La actualidad más candente (20)

Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Security testing
Security testingSecurity testing
Security testing
 
[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security[DSBW Spring 2009] Unit 08: WebApp Security
[DSBW Spring 2009] Unit 08: WebApp Security
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opd
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 

Destacado

Web application security
Web application securityWeb application security
Web application securityJin Castor
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksPluribus One
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...eSAT Journals
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hackingmsaksida
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringCyber Agency
 

Destacado (15)

Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
Web application security
Web application securityWeb application security
Web application security
 
Web security
Web securityWeb security
Web security
 
Secure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion AttacksSecure Kernel Machines against Evasion Attacks
Secure Kernel Machines against Evasion Attacks
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...A combined approach to search for evasion techniques in network intrusion det...
A combined approach to search for evasion techniques in network intrusion det...
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacks
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload Vulnerability
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar a Web Based Security

Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversysKrishnendu Paul
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilitiesAleksandar Bozinovski
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...MrityunjayaHikkalgut1
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Double guard synopsis
Double guard synopsisDouble guard synopsis
Double guard synopsismanju5162
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 

Similar a Web Based Security (20)

Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
T04505103106
T04505103106T04505103106
T04505103106
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Double guard synopsis
Double guard synopsisDouble guard synopsis
Double guard synopsis
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Web Based Security

  • 1. Detection and Evasion of Web Application Attacks K. K. Mookhey Founder & CTO Network Intelligence (I) Pvt. Ltd. www.nii.co.in © Network Intelligence India Pvt. Ltd. 1
  • 2. Agenda Static Detection Techniques Dynamic Detection Techniques – Signature-based – Anomaly-based Typical Web Application Attacks Signature-based detection Anomaly-based detection Conclusion 2
  • 3. Current state Web applications represent highly vulnerable attack avenues Most discussions on web application security, center on attacking it and secure coding to protect it Methods for detecting such attacks are coming into their own Existing detection methods are being tested before customers accept these solutions as standard 3
  • 4. Solution Positioning Database App IDS Internet Firewall Web Servers Application Servers User/Attacker 4
  • 5. Detecting Web Application Attacks © Network Intelligence India Pvt. Ltd. 5
  • 6. My classification Detection Techniques Static Techniques Dynamic Techniques Anomaly-based Signature-based 6
  • 7. What information is needed We need the following fields for an effective investigation: – Source IP – Timestamp – HTTP Method – URI requested – Full HTTP data sent Attack data could be in: – URI – HTTP headers from client – Cookie – Basically anywhere 7
  • 8. Detection Techniques Using static techniques – Happens post-occurrence of event – Parse log files using standard tools/techniques – Aim is forensics investigation Using dynamic techniques – Detect the attack as it happens – Trigger alarms when attack is happening – Aim is detect/prevent in real-time 8
  • 9. Static Detection © Network Intelligence India Pvt. Ltd. 9
  • 10. Static detection techniques Data sources to look at: – Web Server Logs – Application Server Logs – Web Application’s custom audit trail – Operating system logs What’s missing: – POST data (only GET data available) – HTTP Headers only partially represented – Cookie or Referer data depends on web server 10
  • 11. Web Server Logs IIS Web Server Log entry (with almost all options selected) 2004-06-23 11:44:53 192.168.0.70 POST /sqlinject2.pl - 200 797 640 43082 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US; +rv:1.4)+Gecko/20030624+Netscape/7.1+(ax) - http://192.168.0.25/sqlinject2.html This is an SQL injection attack – surely doesn’t look like one! POST Request data is missing HTTP Headers are missing 11
  • 12. Static Detection Fails to detect: HTTP Header attacks can’t be detected: – The Template: F attack can’t be detected – Attacks that overflow various HTTP header fields Web application attacks in a POST form – SQL injection – Cross-site scripting Forceful browsing – user tries to access page without going through prior pages that would ensure proper authentication and authorization 12
  • 13. Static Detection does detect: Automated attacks using tools such as Nikto or Whisker or Nessus Attacks that check for server misconfiguration (../../winnt/system32/cmd.exe) HTML hidden field attacks (only if GET data – rare) Authentication brute-forcing attacks Order ID brute-forcing attacks (possibly) – but if it is POST data, then order IDs cannot be seen 13
  • 14. Dynamic Detection © Network Intelligence India Pvt. Ltd. 14
  • 15. Dynamic detection techniques Methods: – Application Firewall – In-line Application IDS – Network-based IDS (possibly) adapted for applications Advantages: – Complete packet headers and payload available – Including HTTP headers – POST request data – URI request data 15
  • 16. Dynamic Detection Techniques The web application intrusion detection space is divided into two possibilities: – Signature-based – Anomaly-based Each has its own implementation and effectiveness issues 16
  • 17. Comparison Table Signature-based Anomaly-based Easier to implement More complicated Cheaper – DIY Mostly commercial solutions False positives False positives are fewer, but… As well as false negatives False negatives as well Popular for detecting known Used for both web server, as web server attacks. Can be well as web application tweaked to do decent web attacks application detection. 17
  • 18. Signature-based Snort IDS has 868+ signatures out of 1940+ for web layer attacks Most are for known vulnerabilities in web servers, such as: – IIS directory traversal – IIS .ida, .idq, etc. attempts – Chunked Transfer-encoding attacks Only a few are generic signatures for web application attacks, such as for: – cross-site scripting – /usr/bin/perl or other Unix command attempts 18
  • 19. mod_security Works specifically with Apache Can scan in-depth and fine-grained checks Can scan cookies as well Also supports PCRE Can be configured as IPS – ‘exec’ Can’t detect: – Session id brute forcing – Forced browsing – Authentication brute-forcing – HTML hidden field manipulation Comes with a Perl script to convert all Snort rules to its own ruleset 19
  • 20. The Attacks © Network Intelligence India Pvt. Ltd. 20
  • 21. Web Server Attacks (A10) These are usually with tools such as Nikto or Nessus Default run of these tools is easily detected by Snort or any other IDS: rules will fire all over the place Tools have IDS evasion techniques Effective only to some extent, eventually you will get flagged More flags will be ‘DOUBLE DECODING ATTACK’ on Snort Demo {} 21
  • 22. Downloading entire website Often an attacker will crawl the entire website and download it locally Objective is to study the process flow, structure, and overall programming logic used by developers Also to find out any client-side javascripting encryption or obfuscation used Also to search for HTML comments or any other pieces of critical information 22
  • 23. Detection Similar to a portscan – but its happening at the application layer Web site logs will show almost entire website being accessed in a very short time interval Almost impossible to write an signature for this Perfectly suited for anomaly detection How about a Snort preprocessor for this? – issues? 23
  • 24. Cross-site scripting (A4) © Network Intelligence India Pvt. Ltd. 24
  • 25. XSS Attacks the end-user Works due to failure in input as well as output validation by the web application User input is produced without parsing as output Works by inserting HTML meta-tags, which contain java script or other malicious code 25
  • 26. Cross-site scripting Existing snort signatures: For typical <script>alert(document.cookie)</script> attack: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;) For typical <img src=javascript> attack: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web- application-attack; sid:1667; rev:5;) 26
  • 27. Evasion of these Can be trivially evaded: – <a href="javas&#99;ript&#35;[code]"> – <div onmouseover="[code]"> – <img src="javascript:[code]"> – <xml src="javascript:[code]"> Demo {} 27
  • 28. Better signatures Enter PCRE – Perl Compatible Regular Expressions Greater flexibility One signature can catch multiple attacks Lower learning curve for Unix admins – regex is part of daily life Regular expressions work with: – Snort IDS – Eeye’s SecureIIS – Apache’s mod_security (best bet) 28
  • 29. Signatures for XSS /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>) Checks for occurrence of: – = – Followed by one or more non-newline characters – Followed by < or hex-equivalent – Zero or more / – And then > or hex-equivalent This will catch almost any remote attempt to attack XSS Very few false positives 29
  • 30. Demo of XSS Signatures © Network Intelligence India Pvt. Ltd. 30
  • 31. Malicious redirection Some sites have code which will redirect user to another part of the website or a partner website: http://www.nii.co.in/redirect.php?target=www.partnersite.com This can be manipulated to http://www.nii.co.in/redirect.php?target=www.evilsite.com Can be obfuscated using hex or Unicode encoding or even URL mangling: 1. Redirection to IP address in Octal or Hex (URL Munge) 2. Conversion to URL encoded values http://www.nii.co.in/redirect.php?target=%68%74%74%70%3A%2F%2F %37%35%32%37%32%30%32%38%31%37 Attack outcome is similar to an XSS attack 31
  • 32. Detection of this If the set of sites to which redirection is to be allowed is know Then signature can be written in PCRE to detect any input that is not belonging to that set: target=[^(www.partner.com)] Mod_security can be used to refer specifically to the particular argument type as well Anomaly-based detection is ideal, since the bank of clean data would include only references to partner.com And by definition, any variation would be flagged 32
  • 33. Forceful browsing (A2) User tries to directly access a web page that requires previous authentication If web application is badly coded, attempt may be successful For instance, access to http://www.nii.co.in/orders.php, requires successful authentication at: http://www.nii.co.in/login.php Very difficult to write signature, unless there is a stateful application engine that records whether authentication was first successful or not Anomaly-based detection is best bet 33
  • 34. SQL Injection (A6) © Network Intelligence India Pvt. Ltd. 34
  • 35. SQL injection Demo of standard SQL injection attack {} Typical attackers will try the following: – Just a single-quote – A boolean True expression: 1’or’1’=‘1 – A commented input admin;-- At an intermediate stage: – SELECT, INSERT, UPDATE, DELETE, etc. At an advanced stage: – UNION – EXEC XP_CMDSHELL 35
  • 36. SQL injection – key inputs The key input types for this are: SQL meta-characters: – Single-quote – Comment characters – Query separators, such as semi-colon (;) Some boolean logic sooner or later Possibly the word ‘union’ or ‘select’ or ‘insert’ or ‘delete’ at an advanced stage Possibly even ‘exec xp_cmdshell’, if attacker determines database as Microsoft SQL Server 36
  • 37. Regex for SQL injection detection [^n]+(%3D)|(=)) (%27)|(')|(--)|(%23) Typical POST data would look like: – username=test&password=1’or’1’=‘1 Watch out for: – One or more non-newline characters – Followed by the = sign, which denotes the occurrence of an input field – Then the single-quote or hex-equivalent – Or double-dash (as comment character) – Or semi-colon – Or /**/ if used for evasion 37
  • 38. Problems Leads to false positives Some of the characters could occur as genuine non-malicious input: – O’Conner?? Need further tweaking But could be kept for later forensics Important: With mod_security, this signature can be added at a more fine-grained level – specific parameter within a specific script to be checked Also, mod_security can scan cookie values as well 38
  • 39. Boolean SQL injection Intention is to manipulate the SQL query into a true value always: Select username, password from user_table where username=‘user_supplied_input1’ and password=‘user_supplied_input2’ If user supplied password as 1’or’1’=‘1 Query becomes Select username, password from user_table where username=‘user_supplied_input1’ and password=‘1’or’1’=‘1’ 39
  • 40. Regex for this Attack signature could be 1’or’1’=‘1 Could also be 1’or’B’>’A Could be any Boolean expression, as long as it is OR’ed and results in a TRUE value /w*((%27)|(’))((%6F)|o|(%4F))((%72)|r|(%52))/ix Explanation w* - zero or more alphanumeric or underscore characters (%27)|’ – the ubiquitous single-quote or its hex equivalent (%6F)|o|(%4F))((%72)|r|(%52) – the word ‘or’ with various combinations of its upper and lower case hex equivalents. Caveat: be careful if your application uses forms such as process.php?id=OR123 40
  • 41. Other keywords to detect EXEC XP_ EXEC SP_ OPENROWSET EXECUTE IMMEDIATE UNION SELECT INSERT UPDATE 41
  • 42. Evasion of these Some common evasion techniques, which need to be taken care of: Different encodings, such as URL encoding, or UTF-8 encoding. Counter: Snort preprocessors decode encoded URL strings before applying signature check White spaces used intermittently by attacker Counter: Use [s]+ to check for one or more whitespaces Use of SQL comments -- or /**/ Counter: write signature for detecting: -- /* 42
  • 43. Other attacks © Network Intelligence India Pvt. Ltd. 43
  • 44. Buffer overflows (A5) Buffer overflows against web applications do not always yield significant results Buffer overflows are typically used to exploit known vulnerabilities However, sometimes interesting information can be revealed For instance, a large input value is entered into an input field, and gets fed into a PHP function producing the following error Note this is also A7 ‘Improper Error Handling’ in OWASP Top Ten 44
  • 45. 45
  • 46. Signature for this? So the regex might look like this: /[w]+=[^=]{500,+}&/ Other alternatives are to use the SecFilterByteRange in mod_security SecFilterByteRange 32 126 Or use the the following directives within Apache – LimitRequestBody – LimitRequestFieldsize 46
  • 47. Command Execution (A7) Used if input may be going into a Perl or PHP system() call or C execve() call Say a URI like “lame.cgi?page=ls%20-al” All the characters could easily occur as part of a genuine URI Snort has multiple signatures for various OS commands Snort signatures can misfire mod_security comes with Perl script to convert most of the Snort rules to its own directives SecureIIS and URLScan can do the same job for IIS 47
  • 48. Null byte poison attack (A1) Used to end an input string, as the null byte is the end-of-string character in C "%00" This is definitely malicious traffic Null byte has no business in genuine URIs Trivial to detect Just watch out for ‘%00’ 48
  • 49. The pipe ‘|’ (A1) Used for piping the output of one command into the input of another Used if input may be going into a Perl or PHP system() call or C execve() call This is also definitely malicious Trivially, identified, and signature can be written 49
  • 50. Where signature-based detection fails © Network Intelligence India Pvt. Ltd. 50
  • 51. Hidden Field Manipulation Developers assume HTML hidden fields will be input unchanged Parameter manipulation: – Attacker manipulates price from $200 to $2 – Almost impossible to write a working signature for this – Anomaly-based detection would (possibly) work 51
  • 52. 52
  • 53. Invalid input (A1) Entering numeric values in web applications, where alphabets are expected Entering alphabets where numeric values are expected Modifying the case of the file being requested Attempts such as these typically yield information or path disclosure results Not possible to write specific signatures for all the input fields in the web application 53
  • 54. 54
  • 55. Authentication/Authorization Attacks (A3) These attacks typically brute-force the authentication mechanism For example, use of Brutus for dictionary-attack against Basic Authentication or Form-based Authentication Or custom Perl script for brute-forcing session IDs or order IDs, or any such similar attack if these IDs are not truly random enough: http://www.nii.co.in/getorder.php?order_id=200406271 http://www.nii.co.in/getorder.php?order_id=200406272 http://www.nii.co.in/getorder.php?order_id=200406273 http://www.nii.co.in/getorder.php?order_id=200406274 55
  • 56. Detection of these Not possible to write a signature to detect these As individually, each request is perfectly legitimate traffic Static detection techniques using log analysis, might detect it But if POST request is used, then all that will be seen in the logs is repeated requests for: http://www.nii.co.in/getorder.php?order_id And not the actual Order ID being requested 56
  • 57. Possible detection Possible if some sort of rule-based correlation (RBC) can be used An RBC rule could say, – if Snort flags this 10 times within 60 seconds from the same source IP – then raise a stink A Snort rule could be created, if there is an outgoing HTTP 401 Authentication Failed message But, genuine mistakes during authentication would raise too many alarms to investigate 57
  • 58. Another possibility? These attacks are similar in nature to portscans at the network layer Rapid HTTP requests for URLs that change at specific locations: – Either the form fields (for authentication attacks) – Or session IDs (for authorization attacks) Could a Snort preprocessor be possibly written for this? 58
  • 59. Anomaly-based Detection © Network Intelligence India Pvt. Ltd. 59
  • 60. Anomaly-based Based on assumption that normal traffic can be defined Attack patterns will differ from such ‘normal’ traffic Anomaly-based detection system will go through a learning phase to register such ‘normal’ traffic Analysis will be done for individual field attributes as well as for entire query string This difference should be able to be expressed quantitatively 60
  • 61. Anomaly-based Some of the attributes that could be analyzed are: – Input length – Character distribution – Parameter string structure – Parameter absence or presence – Order of parameters Important: Learning must be on actual web traffic, not old web server logs. Logs do not contain all critical data where attack traffic could occur, such as cookies or HTTP headers, POST data, etc. Commercial products dominate this field Choice is influenced by cost-benefit analysis 61
  • 62. A quick overview AppShield from Sanctum Inc. Imperva’s SecureSphere Teros Secure Application Gateway NetContinuum’s Application IDS 62
  • 64. Key points Signature-based IDS is good enough to detect a large majority of initial web app attacks It fails in detecting certain unique attacks, such as price manipulation or forceful browsing or malicious redirection Some signatures may yield large number of false positives Anomaly-based detection is based on training the IDS to learn normal web traffic Products are still maturing Maybe best solution is a combination of signature-based to detect majority of simpler attacks, and anomaly-based to detect sophisticated application-specific attacks Cost-benefit will be the deciding factor 64
  • 65. References Christopher Kruguel and Giovanni Vigna. Anomaly Detection of Web-based Attacks, October 2003 Detection of Web Application Attacks, http://www.securityfocus.com/infocus/1768 SQL Signatures Evasion http://www.imperva.com/application_defense_center/wh Mod_security www.modsecurity.org 65
  • 66. Questions? www.nii.co.in © Network Intelligence India Pvt. Ltd. 66

Notas del editor

  1. Numbers in brackets indicate OWASP Top Ten Reference