Web Application Security

Size: px

Start display at page:

Download "Web Application Security"

Alexina Lester
8 years ago
Views:

1 Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

2 Contents ACKNOWLEDGMENTS INTRODUCTION xiii xv PART I Primer 1 Welcome to the Wide World of Web Application Security 3 Misplaced Priorities and the Need for a New Focus 4 Network Security versus Application Security: The Parable of the Wizard and the Magic Fruit Trees 6 Real-World Parallels 7 Thinking like a Defender 9 The OWASP Top Ten List 11 #1, Injection 13 #2. Cross-Site Scripting (XSS) 13 #3. Broken Authentication and Session Management 14 #4. Insecure Direct Object References 15 #5. Cross-Site Request Forgery 15 vii

Fruit Trees 6 Real-World Parallels 7 Thinking like a Defender 9 The OWASP Top Ten List 11 #1, Injection 13 #2.

3 Viii Web Application Security: A Beginner's Guide #6. Security Misconfiguration 16 #7. Insecure Cryptographic Storage 16 #8. Failure to Restrict URL Access 17 #9. Insufficient Transport Layer Protection 18 #10. Unvalidated Redirects and Forwards 19 Wrapping Up the OWASP Top Ten 19 Secure Features, Not Just Security Features 20 Final Thoughts 21 2 Security Fundamentals 23 Input Validation 24 Blacklist Validation 25 Whitelist Validation 27 More Validation Practices 30 The Defense-in-Depth Approach 31 Attack Surface Reduction 32 Attack Surface Reduction Rules ofthumb 34 Classifying and Prioritizing Threats 35 STRIDE 36 IMF 38 CIA 39 Common Weakness Enumeration (CWE) 41 DREAD 42 Common Vulnerability Scoring System (CVSS) 44 PART II Web Application Security Principles 3 Authentication Access Control Overview Authentication Fundamentals 56 Proving Your Identity 57 Two-Factor and Three-Factor Authentication 60 Web Application Authentication 61 Password-Based Authentication Systems 61 Built-in HTTP Authentication 61 Single Sign-On Authentication 64 Custom Authentication Systems 67 Validating Credentials 69 Securing Password-Based Authentication 70 Attacks Against Passwords 70 The Importance ofpassword Complexity 74 Password Best Practices

Unvalidated Redirects and Forwards 19 Wrapping Up the OWASP Top Ten 19 Secure Features, Not Just Security Features 20 Final Thoughts 21 2 Security Fundamentals 23 Input Validation 24 Blacklist

4 Contents ix Secure Authentication Best Practices 80 When and Where to Perform Authentication 80 Securing Web Authentication Mechanisms 84 4 Authorization 91 Access Control Continued 92 Authorization 93 Session Management 93 Authorization Fundamentals 94 Authorization Goals 96 Detailed Authorization Check Process 96 Types of Permissions 102 Authorization Layers 103 Controls by Layer 108 Custom Authorization Mechanisms 116 Client-Side Attack 120 TOCTTOU Exploit 121 Web Authorization Best Practices 123 Attacks Against Authorization 127 Session Management Fundamentals 130 What's a Session? 130 How to Manage Session State? 133 Why Do We Need Session Management? 134 Attacks Against Sessions 135 SSL and HTTPS 136 Jetty: Session Predictability in the Real World 138 Attacks Against Session State 140 Securing Web Application Session Management 140 Session Management Best Practices Browser Security Principles: The Same-Origin Policy 149 Defining the Same-Origin Policy 150 An Important Distinction: Client-Side vs. Server-Side 152 AWorld Without the Same-Origin Policy 154 Exceptions to the Same-Origin Policy 155 HTML <script> Element 155 JSONandJSONP 156 iframes and JavaScript document.domain 158 Adobe Flash Player Cross-Domain Policy File 161 Microsoft Silverlight 164 XMLHttpRequest (Ajax) and Cross-Origin Resource Sharing 164 XDomainRequest 166 Final Thoughts on the Same-Origin Policy 166

Authorization Mechanisms 116 Client-Side Attack 120 TOCTTOU Exploit 121 Web Authorization Best Practices 123 Attacks Against Authorization 127 Session Management Fundamentals 130 What's a Session?

5 X Web Application Security: A Beginner's Guide 6 Browser Security Principles: Cross-Site Scripting and Cross-Site Request Forgery 169 Cross-Site Scripting 170 Cross-Site Scripting Explained 171 Reflected XSS 177 POST-Based Reflected XSS 180 Stored XSS 182 Local XSS 184 Another Variation: HTML Injection 186 XSS Defense: Encoding Output 188 XSS Defense: Sanitizing Input 191 XSS Defense: Using a Reduced Markup Language 193 XSS Defense-in-Depth: HttpOnly 194 XSS Defense-in-Depth: Content Security Policy (CSP) 196 Final Thoughts on Cross-Site Scripting 197 Cross-Site Request Forgery 197 Cross-Site Request Forgery Explained 199 HTTP GET and the Concept of Safe Methods 201 Ineffective CSRF Defense: Relying on POST 202 Ineffective CSRF Defense: Checking the Referer Header 202 Ineffective CSRF Defense: URL Rewriting 204 Better CSRF Defense: Shared Secrets 205 Better CSRF Defense: Double-Submitted Cookies 206 Prevent XSS 207 Reauthentication 208 What Being "Logged In" Means 208 Final Thoughts on Cross-Site Request Forgery Database Security Principles 213 Structured Query Language (SQL) Injection 215 SQL Injection Effects and Confidentiality-Integrity-Availability 217 The Dangers of Detailed Errors 223 Blind SQL Injection: No Errors Required 227 Solving the Problem: Validating Input 230 Regular Expressions 232 Solving the Problem: Escaping Input 233 Setting Database Permissions 238 Single Account Security 238 Separate Accounts for Separate Roles 240 Stored Procedure Security 242 The Stored-Procedures-Only Approach: Reducing Permissions Even Further SQL Injection in Stored Procedures 244

a Reduced Markup Language 193 XSS Defense-in-Depth: HttpOnly 194 XSS Defense-in-Depth: Content Security Policy (CSP) 196 Final Thoughts on Cross-Site Scripting 197 Cross-Site Request Forgery 197

6 Contents XI Insecure Direct Object References 246 No Technical Knowledge Required 246 Insecure Direct Object References and... Confidentiality-Integrity-Availability 248 Solving the Problem: Pre- or Post-Request Authorization Checks 249 Final Thoughts on Insecure Direct Object References File Security Principles 253 Keeping Your Source Code Secret 254 Static Content and Dynamic Content 256 Revealing Source Code 258 Interpreted versus Compiled Code 259 Backup File Leaks 260 Include-File Leaks 264 Keep Secrets Out of Static Files 265 Exposing Sensitive Functionality 268 Security Through Obscurity 271 Forceful Browsing 271 Forceful Browsing and Insecure Direct Object References 272 Directory Enumeration 273 Redirect Workflow Manipulation 276 Directory Traversal 278 etc/passwd 279 More Directory Traversal Vulnerabilities 280 Canonicalization 282 PART III Secure Development and Deployment 9 Secure Development Methodologies 287 Baking Security In 288 The Earlier, the Better 288 The Penetrate-and-Patch Approach 291 The Holistic Approach to Application Security 293 Training 294 Threat Modeling 296 Secure Coding Libraries 301 Code Review 303 Security Testing 306 Security Incident Response Planning 309 Industry Standard Secure Development Methodologies and Maturity Models 311 The Microsoft Security Development Lifecycle (SDL) 311 OWASP Comprehensive Lightweight Application Security Process (CLASP) The Software Assurance Maturity Model (SAMM) 314

Keeping Your Source Code Secret 254 Static Content and Dynamic Content 256 Revealing Source Code 258 Interpreted versus Compiled Code 259 Backup File Leaks 260 Include-File Leaks 264 Keep Secrets Out

7 Xli Web Application Security: A Beginner's Guide The Building Security In Maturity Model (BSIMM) 315 Conclusions on Secure Development Methodologies and Maturity Models Epilogue The Wizard, the Giant, and the Magic Fruit Tfees: A Happy Ending 319 Index 321

Development Methodologies and Maturity Models.

Adobe Systems Incorporated

Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...