Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University
Topics
1. Why should we teach web application security?
2. What material do we need to cover?
3. How should we cover that material?
4. Where do we go from here?
Is Web Hacking Really That Easy? Exploits of a Mom, XKCD
Vulnerability Growth (chart: CERT vulnerabilities reported per year, 1995 to 2007; y-axis 0 to 9000 vulnerabilities)
Web Vulnerabilities Dominate
Reasons for Attacking Web Apps
Firewalls Don't Protect Web Apps (diagram: the firewall blocks telnet and ftp but passes HTTP traffic from the web client to the web server on port 80, and from there to the application server and database)
Browser Malware Bypasses Firewall
Goals
1. Identify and explain common vulnerabilities.
2. Explain security implications of client-side technologies like Javascript and ActiveX.
3. Detect security vulnerabilities in web applications using appropriate tools.
4. Design and implement web applications that do not contain common vulnerabilities.
5. Deploy and configure a web application in a secure manner.
Topic Outline
1. Web Application Input
2. Client-side Technologies
3. Input-based Attacks
4. Injection Attacks
5. Cross-site Attacks
6. Authentication
7. Secure Programming
8. Operational Security
Web App Security in IT2005
- IPT5 Software Security
- WS5 Web Security (Web Application Security)
- IAS6 Security Domains
- IAS11 Vulnerabilities
Labs
1. WebGoat exercises on specific vulnerabilities.
2. Using a testing proxy to solve more advanced WebGoat exercises.
3. Assessing an application using a web vulnerability scanner.
4. Assessing a web application using a testing proxy.
5. Reviewing the code of an application using a static analysis tool.
6. Deploying a web application firewall.
7. Participating in the international CTF competition.
WebGoat
Tools
- Web Proxies
- Web Application Firewalls
- Vulnerability Scanners
- Static Analysis
Web Proxies
Altering Form Parameters
Fuzz Testing
Fuzz testing consists of:
- Sending unexpected input.
- Monitoring for exceptions.
Web Application Firewalls
What is a WAF?
- Web monitoring.
- Access control.
- Behind SSL endpoint.
A/K/A
- Deep packet inspection.
- Web IDS/IPS.
- Web App Proxy/Shield.
mod_security
- Open source.
- Embeds in Apache.
- Reverse proxy.
Vulnerability Scanners
1. Spiders site.
2. Identifies inputs.
3. Sends list of malicious inputs to each input.
4. Monitors responses.
Static Analysis
Automated assistance for code auditing
- Speed: review code faster than humans can.
- Accuracy: hundreds of secure coding rules.
Tools: Coverity, FindBugs, Fortify, Klocwork, Ounce Labs
Results
Approaches
1. Students evaluate and fix their own code.
   - Students learn about their own coding mistakes.
   - Scale of project limited to what students can write.
2. Students evaluate and fix your code.
   - Write a web application designed for teaching students.
3. Students evaluate and fix someone else's code.
   1. Use a web application designed for teaching.
   2. Analyze an open source web application with known vulnerabilities reported in NVD or other bug db.
Teaching Applications Hacme Bank, Books, Casino, Travel
Future Directions: AJAX Security
Asynchronous Javascript and XML
- Expanded server side API.
- Server API calls can be issued in any order by attacker; cannot assume calls issued in order by your client.
- Larger amount of client state.
- Client/server communication using data (XML/JSON) rather than presentation (HTML).
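The ordering point above, as an added example that is not from the slides: a naive server that assumes its own JavaScript calls a checkout's steps in sequence, beside a hardened one that records completed steps server-side and refuses any step whose prerequisites are missing. The step names and the in-memory session are hypothetical stand-ins for a real framework's session store.

```python
# Added example (not from the slides). Models a multi-step AJAX checkout whose
# steps the client is *supposed* to call in ORDER; an attacker scripting the
# API directly can call them in any order, so the server must track progress.
ORDER = ["cart", "address", "payment", "confirm"]  # hypothetical step names


class NaiveServer:
    """Trusts the client's JavaScript to call steps in order (vulnerable)."""

    def __init__(self):
        self.session = {}  # stand-in for a server-side session store

    def call(self, step, data=None):
        self.session[step] = data or {}
        if step == "confirm":
            # Completes the order even if "payment" never ran: the missing
            # fields simply come back as defaults instead of an error.
            return {"ok": True,
                    "paid": self.session.get("payment", {}).get("card", "NONE"),
                    "ship_to": self.session.get("address", {}).get("street", "NONE")}
        return {"ok": True}


class HardenedServer:
    """Records completed steps server-side and enforces the sequence."""

    def __init__(self):
        self.session = {"done": []}

    def call(self, step, data=None):
        if step not in ORDER:
            return {"ok": False, "error": "unknown step"}
        # Every earlier step must already be marked complete in *our* state;
        # nothing the client sends can substitute for that record.
        missing = [s for s in ORDER[:ORDER.index(step)] if s not in self.session["done"]]
        if missing:
            return {"ok": False, "error": f"step {step!r} requires {missing}"}
        self.session[step] = data or {}
        if step not in self.session["done"]:
            self.session["done"].append(step)
        if step == "confirm":
            return {"ok": True, "paid": self.session["payment"]["card"],
                    "ship_to": self.session["address"]["street"]}
        return {"ok": True}


def run_out_of_order(server_cls):
    """Constructed attacker-style sequence: skip 'payment', call 'confirm'."""
    s = server_cls()
    s.call("cart", {"items": ["book"]})
    s.call("address", {"street": "1 Example St"})
    return s.call("confirm")


def run_in_order(server_cls):
    """Constructed well-behaved client sequence, all four steps in order."""
    s = server_cls()
    s.call("cart", {"items": ["book"]})
    s.call("address", {"street": "1 Example St"})
    s.call("payment", {"card": "tok_constructed"})
    return s.call("confirm")
```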
Future Directions: Web Sec Class
1. Web Application Input
2. Client-side Technologies
3. Service Oriented Architectures
4. AJAX
5. Input-based Attacks
6. Injection Attacks
7. Race Conditions
8. Cross-site Attacks
9. Authentication
10. Secure Programming
11. Operational Security
Conclusions
1. Defense is shifting from network to application layer.
   - From firewalls, anti-virus, SSL to input validation, WAF.
2. Students need to learn to identify vulnerabilities.
   - Static analysis of source code.
   - Web proxies and scanners for testing.
3. Students need to learn to remediate vulnerabilities.
   1. Web application firewalls for immediate short-term fixes.
   2. Repairing source code for long term fixes.