This presentation by Mike Shema of Qualys covers the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.
Web Application Scanning 101
1. Web Security 101
An overview of some common application exploits
Mike Shema
Security Research Engineer, Qualys Inc.
2. Web Security
Web application (in)security continues to grow
Web-related vulnerabilities pop up on Bugtraq daily.
(http://www.securityfocus.com/bid/)
Web-related attacks are large and expensive to investigate,
react to, and resolve.
Web security became a requirement of PCI in 2008.
XSS remains a significant problem
Original CERT advisory February 2000
(http://www.cert.org/advisories/CA-2000-02.html)
USENET references to “malicious html” and
“malicious javascript” as far back as 1996
comp.security.unix post on March 1996: http://tinyurl.com/2s593m
Entertaining discussion of JavaScript: http://tinyurl.com/2g2476
3. Web Security
Reported web server vulnerabilities have decreased
IIS 6.0 released April 2003
MS06-034 (specially-crafted ASP file could cause buffer overflow)
No resurgence of Code Red or Nimda style vulnerabilities
Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008)
40 security bugs according to changelog
24 specific to core or mod_ssl
Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008)
13 security bugs according to changelog
2 specific to core or mod_ssl
And the number of servers continues to grow significantly
[Chart: Active Sites According to Netcraft, Apache vs. IIS, May-03 to Apr-08, 0 to 35,000,000 sites]
4. Leave the Buffer Overflows at Home
Exploiting most web vulnerabilities has a very
low barrier to entry.
Low sophistication attacks can still lead to high
impact exploits
More codified lists defined in the OWASP TOP
10 and the WASC Threat Classification
5. Threats Evolve
Financial motivation
Infect rather than deface
Increased potential for targeted attacks
Exploit the trust between the server and
browser
6. Attacks Adapt
Bring the exploit to victim rather than bring the victim to
the exploit.
“Web 2.0”: More business logic and capabilities moved to
the web browser.
Social networking as an enabler for non-technical attacks.
Insert malicious content into a web page
Target the web browser
7. Persistent Browser Problems
Assumption of trust in HTML and
JavaScript (no “signed” content)
No separation of UI generation and data
manipulation
Few restrictions on pulling together inter-domain content, no “trusted peers” for a domain.
8. What do these attacks look like?
Review some examples to see where
vulnerabilities exist and how they are
exploited.
9. The Usual Suspects
SQL Injection
One of the easiest vulnerabilities to prevent.
Occurs when user input can alter the structure of the query itself.
For example, SQL queries built with string concatenation,
or even raw SQL passed in a URL parameter.
10. Recent Examples
Hacking & Happiness
One password to rule them all
Poor separation of duties
Lack of rate limiting
http://tinyurl.com/9f7ata
12. Recent Examples
Victim receives an e-mail with a link to the real trading site that carries
an attacker-chosen session ID: https://site/login.cgi?sid=655321
Session ID = 655321
x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
Unauthenticated
Redirect to /login.cgi <-- server
x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
Unauthenticated
Redirect to /login.cgi <-- server
x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
Unauthenticated
Redirect to /login.cgi <-- server
a.b.101.92 --> /login.cgi?sid=655321
Authenticated
Redirect to /welcome.cgi?sid=655321 <-- server
x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
Authenticated
Trade executed <-- server
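The request log on this slide, replayed as an added Python example (not code from the original deck or from Qualys). The in-memory `TradingSite` class is a constructed stand-in for the site: with `regenerate_on_login=False` it behaves as the slide shows, promoting whatever sid the login request carries to an authenticated session; with `regenerate_on_login=True` it issues a fresh identifier after authentication, so the sid the attacker planted (655321) never becomes valid. The credential check and the IP labels are constructed.

```python
import secrets


class TradingSite:
    """Constructed in-memory stand-in for the trading site on the slide (example code)."""

    def __init__(self, regenerate_on_login):
        # regenerate_on_login=False reproduces the vulnerable behaviour on the slide:
        # whatever sid the login request carries becomes the authenticated session.
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> authenticated username

    def login(self, sid, username, password):
        # Constructed credential check; a real site would verify a salted hash.
        if password != "correct horse":
            return None
        if self.regenerate_on_login:
            # Defence against session fixation: never promote a client-chosen
            # identifier; issue a fresh, unguessable one after authentication.
            sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid  # the value the server would set in the cookie / redirect URL

    def trade(self, sid, shares, stock):
        user = self.sessions.get(sid)
        if user is None:
            return "Redirect to /login.cgi"
        return f"Trade executed for {user}: {shares} {stock}"


def replay_slide_sequence(regenerate_on_login):
    """Replay the slide's request log; returns (attacker responses, victim's post-login sid)."""
    site = TradingSite(regenerate_on_login)
    fixed_sid = "655321"  # sid the attacker planted in the e-mailed link
    responses = []
    # x.y.72.13 (attacker) polls /trade.cgi before the victim has logged in
    responses.append(site.trade(fixed_sid, 1000, "FOO"))
    # a.b.101.92 (victim) follows the link and authenticates with the planted sid
    victim_sid = site.login(fixed_sid, "victim", "correct horse")
    # attacker polls again with the same planted sid
    responses.append(site.trade(fixed_sid, 1000, "FOO"))
    return responses, victim_sid


if __name__ == "__main__":
    for regen in (False, True):
        print("regenerate_on_login =", regen, replay_slide_sequence(regen))
```

Running it with `regenerate_on_login=False` reproduces the slide: the attacker's first poll is redirected to the login page, and the poll after the victim authenticates executes the trade. With `regenerate_on_login=True` both polls are redirected, because the server only honours identifiers it generated itself after authentication. A production fix should also bind the session to the cookie rather than a URL parameter and reject sids the server never issued.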
15. Wildly Different Vulnerabilities
Programming errors
Session fixation
Cross-site request forgery
Lack of input validation
Insecure environment
16. Where Are The Worms?
Attacks like Nimda, Code Red or SQL
Slammer haven’t been repeated in a while
Exploit preferences seem to fall to the
lowest common denominator
17. Manual & Automated Testing
Complementary approaches
What matters most for your environment?
Cost
Scalability
Repeatability
Comprehensiveness
Accuracy
What to expect from each approach?
18. Automated Testing
Ideal for large-scale or repetitive scans
Primarily focuses on syntax problems,
misconfigurations, and known issues
Several challenges to determining a good
scanner
Crawling & site coverage
Authentication & session management
Comprehensiveness & accuracy
19. Manual Testing
Ideal for in-depth security review
Biggest advantage over automated testing
is the ability to understand the
application’s business logic
Typically relies on some form of
automated testing
20. Proactive Countermeasures
Prevent the initial compromise in order to
minimize the potential for the application to be
used as a distribution point for malicious content
Web application hardening
Prevent unexpected HTML injection
Identify areas where user-generated content is
permitted
Pre-inspect content
Quarantine content
Continuous site monitoring
21. Development Quick Reference
Don’t store raw passwords.
Store the salted hash
Don’t use string concatenation when building SQL
queries.
Use parameterized queries
HTML encode user-supplied content that is written to a
web page
Normalize input
Work with an expected character set & encoding.
Decode multi-level URL encoding
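The four rules in this quick reference, together with the SQL injection point from slide 9 and the HTML injection point from slide 20, as one added Python example (example code, not from the original deck or from Qualys). It uses only the standard library: PBKDF2 with a random salt for password storage, a vulnerable string-concatenated query beside its parameterized form against a constructed in-memory SQLite table, `html.escape` for user content written to a page, and a decoder that strips layered URL encoding until the value is stable. The table contents, the `PBKDF2_ROUNDS` value and the `max_rounds` limit are assumptions.

```python
import hashlib
import hmac
import html
import os
import sqlite3
from urllib.parse import unquote

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def store_password(password, salt=None):
    """Return (salt, digest) for storage; the raw password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def setup_db():
    """Constructed sample table so the queries below run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "trader"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as data and cannot change the query."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_comment(text):
    """HTML-encode user content before writing it into a page (prevents HTML injection)."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def normalize_param(value, max_rounds=3):
    """Decode layered URL encoding until the value is stable, rejecting absurd nesting."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still URL-encoded after %d rounds" % max_rounds)


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every user leaks
    print("safe:      ", lookup_safe(db, payload))        # no such user
    print(render_comment("<script>alert(1)</script>"))
    print(normalize_param("%252e%252e%2f"))               # '../' after two decode rounds
```

The tautology payload returns every row from the concatenated query and nothing from the parameterized one, because the bound value is compared as a literal string. `normalize_param` is where the directory traversal case from the introduction lands: `%252e%252e%2f` only becomes `../` after a second decode, so a filter that decodes once and then checks for `..` is bypassed; decode to a fixed point first, then validate, and reject inputs that are still encoded after a small number of rounds.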
22. Summary
The web browser continues to bear more and
more functionality that used to be relegated to
desktop applications -- but the browser security
model hasn’t kept pace.
Attackers are placing more focus on compromising
trusted sites rather than luring victims to fake sites.
Social networking, Web 2.0, and similar concepts
place more and more personal data only a
browser request away.
Most reported compromises seem due to lack of
input validation (XSS and SQL injection).