Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Size: px

Start display at page:

Download "Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications"

Nicholas Roy Thornton
8 years ago
Views:

1 Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications Ray Lai, Intuit TS-5358

2 Share experience how to detect and defend security vulnerabilities in Web 2.0 applications using open source security tools 2008 JavaOne SM Conference java.sun.com/javaone 2

3 Agenda Detect Defend Learn 2008 JavaOne SM Conference java.sun.com/javaone 3

4 Which is Easier to Hack? Google finds 2M suspicious sites Web 1.0 App Top 3 Security Vulnerabilities Unvalidated input parameters Broken access control Broken authentication and session management Web 2.0 App Top 3 Security Vulnerabilities Cross-site scripting Injection flaw Malicious file execution Note: Single loss expectancy - $690 per incident, Average annual loss $350,424 (CSI 2007) 2008 JavaOne SM Conference java.sun.com/javaone 4

5 What s New About Web 2.0 Security? OWASP 2007 Top 10 Web 2.0 Examples Cross-site scripting +++ Flash: cross-site flashing Injection flaws ++++ AJAX, mash-up Malicious file execution +++ Insecure direct object reference + JavaScript Object Notation (JSON) Cross-site request forgery +++ Flash Information leakage / improper error handling Broken authentication and session management Insecure cryptographic storage + Insecure communications ++ Failure to restrict URL access AJAX, JSON ++++ Cross-domain, mash-up 2008 JavaOne SM Conference java.sun.com/javaone 5

6 Use Case Scenario Use Open Source / commercial security tools to examine WebGoat (and Roller) from SecuriBench JavaOne SM Conference java.sun.com/javaone 6

7 Example #1: Post-Me Scenarios: newsgroup, forum, blogs, etc. Characteristics Plain data input screen No sensitive personal data High usage, high traffic How can I re-direct readers to my malicious website? 2008 JavaOne SM Conference java.sun.com/javaone 7

8 Example #1: What s the Issue? Cross-site Request Forgery What happens: Hackers post a message with the malicious URL or parameters: <IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" /> Result: when reading the posting, newsgroup readers will invoke a malicious URL without noticing the tiny 1x1 image (cross-site request forgery)! 2008 JavaOne SM Conference java.sun.com/javaone 8

9 Example #2: Online Travel Scenarios: online travel service, mash-up Characteristics AJAX with JSON Financial transactions Mash-up, possibly Can I change the price? 2008 JavaOne SM Conference java.sun.com/javaone 9

10 Example #2: What s the Issue? JSON Poisoning What happens: Hackers intercepts the JSON, tampers it, and posts it. { "From": "Boston", "To": "Seattle", "flights": [ {"stops": "0", "transit" : "N/A", "price": "$0"}, {"stops": "2", "transit" : "Newark,Chicago", "price": "$900"} ] } Result: hackers pay $ JavaOne SM Conference java.sun.com/javaone 10

11 Example #3: Change Password Scenarios: online services, mash-up Characteristics SOAP-based Web services Perhaps mash-up HTTP or HTTPS, depends Can I change somebody s password? 2008 JavaOne SM Conference java.sun.com/javaone 11

> <wsns0:body> <wsns1:changepassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'> bar</password>

12 Example #3: What s the Issue SOAP Injection What happens: Hackers tries changing the password, intercepts the SOAP message, tampers it, and posts it. <?xml version='1.0' encoding='utf-8'?> <wsns0:body> <wsns1:changepassword> <id xsi:type='xsd:int'>101</id> <password xsi:type='xsd:string'> bar</password> </wsns1:changepassword> </wsns0:body> </wsns0:envelope> Result: hackers change someone s password for future access 2008 JavaOne SM Conference java.sun.com/javaone 12

13 What About Flex Application Cross-site Flashing You can detect XSF using SwfIntruder 2008 JavaOne SM Conference java.sun.com/javaone 13

14 What About Phishing attack Ad malware Botnet ActiveX controls Serialization security, e.g. DOJO, JQUERY 2008 JavaOne SM Conference java.sun.com/javaone 14

15 Agenda Detect Defend Learn 2008 JavaOne SM Conference java.sun.com/javaone 15

16 Strategy #1: Security Development Lifecycle Remark: Show demo or examples of these artifacts 2008 JavaOne SM Conference java.sun.com/javaone 16

17 Defensive Coding: Examples Scenarios Cross-site request forgery JSON poisoning SOAP injection Sample Actions Filter specific tags (e.g. <IMG>) Prompt user with security token for important actions or high value transactions Shorter time period for user sessions Client-side and server-side input validation JavaScript output encoding Obfuscate JavaScript Use of nonce WS-Security best practices Turn off WSDL 2008 JavaOne SM Conference java.sun.com/javaone 17

18 Strategy #2: Custom Security Test Category Public / Open Source Commercial Discovery tools NMAP Nessus Web server vulnerabilities Nikto Code quality* OWASP, FindBugs Fortify, Klockwork Application vulnerabilities Paros AppScan, Hailstorm Penetration testing WebScarab, Paros, SwfIntruder Hybrid security testing = white box* + black box testing Remark: Show demo of running different security testing tools on Roller 2008 JavaOne SM Conference java.sun.com/javaone 18

19 Agenda Detect Defend Learn 2008 JavaOne SM Conference java.sun.com/javaone 19

20 Lesson 1: Security Findings by Category 2008 JavaOne SM Conference java.sun.com/javaone 20

21 Lesson 2: What You Can and Can t Do Obvious, e.g. Information leakage Port scan OS fingerprinting Web server vulnerabilities scanner Difficult ones, e.g. Cross-site Scripting Cross-site Request Forgery Denial of Service Hard ones, e.g. New Web 2.0 vulnerabilities 2008 JavaOne SM Conference java.sun.com/javaone 21

22 Lesson 3: Summary Don t practice penetration testing tools on production system! Trust no one Do we know what to detect, or to test Different security testing tools provide different findings 2008 JavaOne SM Conference java.sun.com/javaone 22

23 For More Information Concepts OWASP top 10 vulnerabilities Cannings, Dwivedi and Lackey. Hacking Exposed Web 2.0. McGrawHill, 2008 Andrew Andreu. Professional Pen Testing for Web Applications Shyamsuda and Gould. You Are Hacked. JavaOne SM Conference Security Incident Updates Top 10 Web 2.0 attack vectors CERN Also RSA, Microsoft, Symantec major security vendor websites 2008 JavaOne SM Conference java.sun.com/javaone 23

24 For More Information (cont d) Tutorial Tools JavaOne SM Conference java.sun.com/javaone 24

25 Ray Lai, TS JavaOne SM Conference java.sun.com/javaone 25

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1: