Strategic Information Security. Attacking and Defending Web Services



Similar documents
elearning for Secure Application Development

The Top Web Application Attacks: Are you vulnerable?

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Passing PCI Compliance How to Address the Application Security Mandates

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Adobe Systems Incorporated

DISTRIBUTED SYSTEMS SECURITY

Where every interaction matters.

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

What is Web Security? Motivation

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Rational AppScan & Ounce Products

Reducing Application Vulnerabilities by Security Engineering

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

THE HACKERS NEXT TARGET

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Application Security Testing

How to Build a Trusted Application. John Dickson, CISSP

Thick Client Application Security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web Engineering Web Application Security Issues

Web Application Security

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web Services Security with SOAP Security Proxies

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

(WAPT) Web Application Penetration Testing

Web App Security Audit Services

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Web Application Security

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

WEB APPLICATION SECURITY

8070.S000 Application Security

05.0 Application Development

From the Bottom to the Top: The Evolution of Application Monitoring

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

The monsters under the bed are real World Tour

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Requirement Priority Name Requirement Text Response Comment

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Magento Security and Vulnerabilities. Roman Stepanov

Application Firewall Overview. Published: February 2007 For the latest information, please see

Mobile Application Security Sharing Session May 2013

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Web Services Security Standards Forum. Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Web Application Report

Java Web Application Security

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Web Application Security

Security Testing and Vulnerability Management Process. e-governance

OWASP Top Ten Tools and Tactics

Web Application Vulnerability Testing with Nessus

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Learning objectives for today s session

Pentests more than just using the proper tools

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Web Application Penetration Testing

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Copyright Watchfire Corporation. All Rights Reserved.

Vulnerability Assessment of SAP Web Services By Crosscheck Networks

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

JOHN KNEILING APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Network Test Labs (NTL) Software Testing Services for igaming

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

SERENA SOFTWARE Serena Service Manager Security

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Network Security Audit. Vulnerability Assessment (VA)

Attack Vector Detail Report Atlassian

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Software Development: The Next Security Frontier

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

Application Code Development Standards

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Table of Contents. Page 2/13

IJMIE Volume 2, Issue 9 ISSN:

White Paper Secure Reverse Proxy Server and Web Application Firewall

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Security Testing & Load Testing for Online Document Management system

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Security Goals Services

APIs The Next Hacker Target Or a Business and Security Opportunity?

Transcription:

Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com

Introduction About Security PS Application Security Assessments Network Security Assessments Security Compliance Consulting Security Training and Awareness 2

Introduction Agenda Background for Discussion Attacks and Defenses Information Gathering Denial of Service Message Confidentiality Authentication Access Control Data Validation and Encoding Conclusions 3

Security PS Background for Discussion What is a Web Service? Current Risk Considerations

Background for Discussion What is a Web Service? Definition for Today: Application to application communication over XML Common Uses: B2B communication Middleware Interface to legacy systems AJAX (maps.google.com) APIs to add functionality 5

Background for Discussion What is a Web Service? Web Service Client XML HTML Application Browser 6

Background for Discussion Current Risk Considerations Increased popularity The use of web services has increased dramatically in recent years It s still a web application Web app security principles still apply Emerging technologies Supporting standards are still being developed Closed door solutions are currently common 7

Background for Discussion A Few of the Standards XML WS-Security XAML WSDL X.509 UDDI XACML SOAP ebxml REST XSL SAML XKMS XSD CORBA XrML UBR XKMS XLANG 8

Security PS Attacks and Defenses Information Gathering Denial of Service Message Confidentiality Authentication Access Control Data Validation and Encoding

Attacking and Defending Information Gathering (Exposure) Visibility Network firewalls and common ports Web Application DMZ Web Service Database 10

Attacking and Defending Information Gathering (Exposure) Discovery Google UDDI Business Registry Third Party Registries (xmethods.com) WSDL 11

Attacking and Defending Information Gathering (Exposure) WSDL: A hacker s reference manual http://www.example.com/service.asmx?wsdl 12

Attacking and Defending Avoiding Information Gathering Reduce exposure Privately exchange WSDL Don t assume! 13

Attacking and Defending Denial of Service Attack DTD Interpretation Servers can accept and interpret DTDs provided by clients Complex/large/recursive DTD can overload parser Solution Options Disable support for DTDs, use XSD instead Ideally, don t accept any form of schema definition from the client 14

Attacking and Defending Message Confidentiality Option 1: SSL/TLS Common, widely supported Fine for single hops Point to point encryption SSL Client Web Service 15

Attacking and Defending Message Confidentiality Option 2: XML Encryption End to end encryption Intermediate servers are able to see the request for routing Encrypts only a specific portion of the data SSL SSL XML Encryption Client Proxy Web Service 16

Attacking and Defending Authentication Federated Identity Leverage existing solution Can use SAML to communicate assertions Single-Use Authentication Options available from architecture Custom solutions 17

Attacking and Defending Access Control Forced requests for: Services: by URL Methods: by modifying service method Data: by manipulating parameter values Results Access to web service without authentication Escalation of privileges Crossed permission boundaries 18

Attacking and Defending Unauthorized Access to a Web Service Network firewalls may not help Access control must be coded into the application or provided by the web server XML Browser Web Application Web Service Database 19

Attacking and Defending Data Validation and Encoding XML Data Injection XML Parser Command Injection SQL Injection Cross Site Scripting 20

XML Data Injection Example: User Account Creation Attacking and Defending <UserRecord> <UserID>983</UserID> <Name>Dave Green</Name> <Email>dgreen@securityps.com</Email> <Phone>913-888-2111</Phone> </UserRecord> XML Browser Web Application Web Service Database 21

XML Data Injection Attack Attacking and Defending <UserRecord> <UserID>859</UserID> <Name>Mr. Evildoer</Name> <Email>evil@3mu.us</Email><UserID>1</UserID><Email>evil@3mu.us</Email> <Phone>913-234-6789</Phone> </UserRecord> XML Browser Web Application Web Service Database 22

Attacking and Defending XML Parser Command Injection <!DOCTYPE theft[ <!ENTITY bob SYSTEM "file:///c:/boot.ini"> ]>... <theft>&bob;</theft> XML Browser Web Application Web Service Database 23

Attacking and Defending SQL Injection <UserRecord> <UserID>983</UserID> <Password>mypass</Password> </UserRecord> XML Browser Web Application Web Service Database select * from Accounts where userid=983 and pass= mypass ; 24

SQL Injection Attack Attacking and Defending <UserRecord> <UserID>983</UserID> <Password>a or a = a</password> </UserRecord> XML Browser Web Application Web Service Database select * from Accounts where userid=983 and pass= a or a = a ; 25

Cross Site Scripting Attacking and Defending <UserRecord> <UserID>983</UserID> <Name>Dave Green</Name> <Email>dgreen@securityps.com</Email> <Phone>913-888-2111</Phone> </UserRecord> XML Browser Web Application Web Service Database Dave Green<br> <a href= mailto:dgreen@securityps.com >Email</a> 26

Cross Site Scripting Attack Attacking and Defending <UserRecord> <UserID>983</UserID> <Name>Dave Green</Name> <Email> onmouseover= alert( xss );</Email> <Phone>913-888-2111</Phone> </UserRecord> XML Browser Web Application Web Service Database Dave Green<br> <a href= mailto: onmouseover= alert( xss ); >Email</a> 27

Attacking and Defending Data Validation and Encoding Solutions Integrity XML Signature Other Cryptography Datatyping XML schema definitions must be detailed Application Logic Input validation: size, type, sanity Output encoding: ensure data stays data 28

Security PS Conclusions Summary of Risks Risk Mitigation Strategy Security Frameworks Web Application Security Products Effective App Security: The SDLC

Conclusions Summary of Risks Information Gathering Denial of Service Message Confidentiality Authentication Access Control Data Validation and Encoding 30

Conclusions Summary of Risks (cont.) No browser, but still need to defend against common web application attacks OWASP Top 10 are still valid Unvalidated Input Broken Authentication and Session Management Buffer Overflows Improper Error Handling Denial of Service Broken Access Control Insecure Configuration Management Injection Flaws Insecure Storage Cross Site Scripting 31

Conclusions Risk Mitigation Strategy 32

Conclusions Security Framework Features Many security frameworks available today provide effective high-level access to important functions such as: User Authentication/Access Controls Auditing Encryption Key Management, Certificate Management General object permission controls 33

Conclusions Additional Security Layers: Products In the wake of a large number web application security problems, many products have been introduced to help limit risk of vulnerable applications. Automated vulnerability scanning tools Incoming filters/proxies (App firewalls) Outgoing filters/validators Back-end filters/proxies Hybrids or multi-purpose systems 34

Conclusions In Perspective These devices: When used correctly, can reduce specific risks. Provide only one line of defense. Do not replace the need for secure application design/development. Should not be the only application security layer 35

Conclusions Effective Application Security Efforts Effectiveness: Results, Cost, Longevity/ROI Consider the entire Software Development Lifecycle (SDLC) Requirements Analysis Design and Engineering Development Testing Implementation Operations and Maintenance 36

Conclusions Tactical Only Approach Design and develop first, secure later General results: Apps deployed with risk Re-writes are costly, significant at this stage Vulnerabilities addressed Root cause rarely addressed Requirements Analysis Design and Architecture Re-Coding Effort Security Assessment Vulnerabilit y Managemen t Development Testing Implementation Operations and Maintenance 37

Conclusions Strategic View of Application Security Security is a process, not a task Early security results in less cost and strong ROI Address the root cause, not the symptom Address the practices first, vulnerabilities last Incorporate proven practices into all phases of the software development lifecycle Security Requirements Threat Modeling Education, tools, secure development practices Assessments, Sec Testing Validate Risk Level Assessment Check-up Requirements Analysis Design and Engineering Development Testing Implementation Operations and Maintenance 38

Conclusions Microsoft s Key Security Activities Mapped to the SDLC 39

Questions Questions & Discussion 40

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information