Andrew Useckas Csa presentation hacking custom webapps 4 3
www.cloudsecurityalliance.org | Copyright © 2011 Cloud Security Alliance | Copyright © 2015 Cloud Security Alliance
Introduction
• Securing custom web applications is more challenging than
most people realize:
- Security is often overlooked during design and development
- As long as the site is indexed by at least one search engine, it is
exposed to hacks, attacks, and full-blown assaults from anywhere
in the world
- There’s big money in hacking, and web applications are seen as an
easy target with the potential to serve as a springboard into the
internal network or private customer cloud
- No “security patch” for custom WebApps (vs. infrastructure)
• It’s simply not as difficult to compromise a web application as
most people think
- You don’t have to be a hacking wizard to exploit most badly written
apps – there are plenty of tools out there to help you do it
About Me
• CTO at Threat X working on a new approach to Web
Application security.
• Over 15 years of experience in penetration testing / ethical
hacking.
• Author and architect of multiple security sensors.
• Consulted for multiple enterprises in technical and compliance
aspects of security.
Agenda
• Basic overview of the hacker’s mindset.
• Overview of the most popular current security measures.
• Web Application Attacks
• Authentication
• Session Management
• Access Controls
• Client Side checks
• Server Side checks
Who is the target?
• According to the Verizon 2016 DBIR:
• 40% of confirmed breaches were Web App Attacks.
• 95% of confirmed WebApp breaches were financially motivated.
• Top industries attacked: Finance, Information, Retail.
• Higher percentage of confirmed data disclosure, as security
measures are lacking.
• Botnets. Is my company too small to be attacked?
• My perimeter is secure – we run quarterly scans.
The wild west of WebApps
• Security is often an afterthought. Time to market is more
important than security.
• Developer education on safe coding techniques is lacking.
• A traditional Layer 3 firewall does nothing for WebApp security.
• IDS / IPS systems do very little, as their focus is on the network
rather than the application.
• New cipher suites use ephemeral keys, making it harder to decrypt
and examine the flows at the edge (passive sensors can no longer
decrypt the traffic).
• Piping all the logs to a SIEM tool may overwhelm the
administrators.
• Most of these tools are useless in a cloud deployment model.
Tools
• Browser – Firefox
• Intercepting Proxy – Burpsuite
• SQLMap
• Target apps – Bodgeit from Google
Authentication
• Login forms are often the first thing a hacker will try to break.
• Common issues:
• Weak or default passwords
• Default pages
• Guessable protected URIs
• Navigation tree leaks in JS
• Lack of proper server side sanitization
Session Management
• Sessions are used to track users
• First line of defense
• Common attacks
• Session hijacking
• Missing idle session timeouts
• Session riding (CSRF)
• Cookie manipulation
Access Controls
• Defective access controls are often exploited after the initial
foothold has been gained.
• Hidden information in HTML
• Information leaks through JS
• Horizontal privilege escalation
• Vertical privilege escalation
Client Side Checks
• Validation of input fields before they are passed to the server
• Usually based on JS
• Can be easily bypassed by editing requests in an intercepting proxy
Server Side Checks
• The server side is usually talking to a database engine such as
MySQL.
• User input can be passed to the backend scripts without
proper validation, resulting in backend attacks such as
SQL injection (SQLi).
• SQLi can be used to
• Bypass authentication controls
• Bypass access controls
• Execute full database dumps
• Write script files to the remote file system. Scripts can then
be executed from the browser giving an attacker shell
access to the remote system
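The point of the Client Side Checks and Server Side Checks slides, as an added example that is not part of the original deck: a client-side check can be edited out in a proxy, so the login query below is tried in its string-concatenated form and in a parameterized form with a server-side allow-list. The users table is constructed in an in-memory SQLite database standing in for the MySQL backend on the slides; the table layout and the stored values are assumptions.

```python
import re
import sqlite3

# Assumed schema standing in for the MySQL backend; credentials are constructed
# sample data (a real app stores password hashes, not the values themselves).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
                 " password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text, so the engine cannot tell
    # where the data ends and the query begins (the "lack of proper server side
    # sanitization" from the Authentication slide).
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()

# Server-side allow-list for the username field; the client-side JS check can
# be removed in a proxy, so this check must live on the server.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def login_hardened(conn, username, password):
    # Reject input that fails the allow-list, then bind values as parameters
    # so the driver never interprets them as SQL.
    if not validate_username(username):
        return None
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def demo():
    conn = make_db()
    # Tautology payload from the auth-bypass case on the slide: in the
    # concatenated query the WHERE clause becomes true for every row, so the
    # first row (admin) is returned without any valid credential.
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "legit_hardened": login_hardened(conn, "alice", "hunter2"),
        "inject_vulnerable": login_vulnerable(conn, payload, payload),
        "inject_hardened": login_hardened(conn, payload, payload),
    }

if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The same parameterized form is what removes the UNION / INTO OUTFILE path on the Further Exploits slide, since the bound value can never add a second statement or clause to the query.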
Further Exploits
• It is possible to upload server side scripts via backends such
as MySQL.
• Scripts can then be executed from the browser giving shell
access.
• Sample injection:
UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
Parting Recommendations
• Secure development and QA
• Next-generation Web Application Firewall
• Pen testing
References
• Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/