Web Application Security


White Paper
Web Application Security
Managing Cross-Site Scripting, The Number One Item on OWASP's Top Ten List

Introduction: What is OWASP?

The Open Web Application Security Project (OWASP) is, by its own definition, "a worldwide free and open community focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about application security risks." [1] The global OWASP community includes corporations, educational institutions, and individuals. The project is not affiliated with any technology company, although it supports the informed use of security technology. Anyone may participate, and all materials are available under a free and open software license.

The OWASP Top Ten List

One of OWASP's key projects is its Top Ten List, compiled by security experts from around the world. The list, currently available in English, French, Japanese, Korean, and Turkish, catalogs what this group views as the Top Ten Most Critical Web Application Vulnerabilities. OWASP describes it as "a powerful awareness document for web application security that represents a broad consensus about what the most critical web application security flaws are." [2] OWASP's goal is to urge all companies to adopt this list and begin the process of ensuring that their web applications do not contain these vulnerabilities.

The top item on the OWASP list is Cross-Site Scripting, or XSS. Cross-Site Scripting is a class of web application vulnerability in which input supplied by an attacker is placed into a page without proper encoding, so that the attacker's HTML or script is delivered to, and executed in the browsers of, other users. Any page that echoes user-controlled data into HTML or into client-side script can be affected.

The Danger of XSS

XSS works in the following way. The attacker gets HTML or script into a page that the vulnerable site serves, thereby altering what that page does in the victim's browser. This can happen to any page that accepts any type of information or input from the user; the payload can even arrive through script code embedded in a URL delivered by an email or a blog posting in a place unrelated to the vulnerable site. This means, of course, that there are many potential avenues for an XSS attack, and a key concern in the security community is that XSS is becoming increasingly prevalent as trends in website design move toward greater interactivity for the user. As of 2007, XSS flaws, which can be used to bypass the browser's access controls such as the same-origin policy, constituted about 80 percent of all documented security vulnerabilities. During such attacks, the end user, who typically notices nothing unusual, may be subject to unauthorized access to their account, theft of sensitive data, and/or financial loss.

Symantec Corporation, whose anti-spam and antivirus products offer security for inbound and outbound computer messaging, issues periodic Internet Security Threat Reports to help organizations implement effective security measures so as to better protect and manage their information. One recent Threat Report noted that there were 11,253 XSS vulnerabilities during the second half of 2007, as opposed to only 2,134 non-XSS vulnerabilities. The vast majority of these XSS vulnerabilities were site-specific: they existed in the custom code of a particular website rather than in a widely deployed software product, so no vendor patch could fix them.

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. The CVE Initiative's May 2007 report on vulnerability type distributions listed XSS as Number One overall, a finding that OWASP endorsed in its Top Ten 2007 list.

1. OWASP website
2. Ibid.

Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

Some very large websites that have been hit by XSS include Google, Yahoo, MySpace, Facebook, PayPal, SourceForge, and Microsoft. In his December 20, 2008 article in The Register, reporter Dan Goodin described two recent XSS attacks against financial giant American Express. "The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials," he wrote. "The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged." Goodin continued, "It turns out that's not the case. The XSS error that makes it trivial for attackers to steal www.americanexpress.com users' authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works." [3]

Joshua Abraham, Rapid7 Security Consultant, commented on Amex's attempted fix. "They did not address the problem," he said. "They addressed an instance of the problem. You want to look at the whole application and say, 'Where could similar issues exist?'" [4]

The XSS threat has become so widespread that there is now a website, www.xssed.com, dedicated to providing the latest information on XSS vulnerabilities. It includes news articles and tutorials, as well as an archive of known XSS-vulnerable websites.

Reflective and Persistent Cross-Site Scripting Attacks

There are three main types of XSS: Reflective (also called reflected or non-persistent), Persistent (also called stored), and DOM-based. The primary difference between the first two is whether the injected payload is stored by the application and served to other users, or is only echoed back in the response to the very request that carried it.

If the injection is made through a login screen or a search box, the server reflects the payload straight back in its response, so the altered page is visible only to whoever sent that request. To complete the attack, the hacker must therefore trick other people into issuing the crafted request, typically by getting them to follow a link that carries the payload. This is Reflective XSS.

Persistent XSS is similar in its effect on the victim, but far more pervasive in reach: the payload is saved by the application (in a database record, a profile field, a comment) and then served to everyone who views the affected page, with no further effort on the hacker's part. A common example of Persistent XSS is a bulletin board system or a forum where many people can chat and/or post messages. If the forum software does not properly encode message content when it renders the page, then a hacker can easily slip an XSS tag into a message. Anyone who subsequently views the posted message executes the injected script; a payload that also re-posts itself into the victim's own messages behaves like a worm and propagates to anyone who views the infected content.

Another type of Persistent XSS attack is accomplished through SQL injection. In these cases, the hacker builds an automated tool that sweeps large parts of the Internet for injectable parameters and inserts script tags into the data held in the victim sites' databases. When that stored data is later rendered, anyone accessing the affected page runs the script, which in turn tries to exploit a browser vulnerability on the client. There are three stages in this type of attack: (1) the initial SQL injection attack against the server and the database, (2) the XSS that results from the first attack having stored the script tags in a table whose contents are rendered unencoded, and (3) the attack against the unsuspecting user who visits the site to do something such as Internet shopping.

With both Reflective and Persistent XSS, the attacker's script runs in the victim's browser with the privileges of the vulnerable site's origin, so its reach is generally limited to that browser session. Even so, that is enough for the hacker to steal cookies and session IDs, read and modify account information, and perform actions as the victim.

3. "American Express bitten by XSS bugs (again)," by Dan Goodin, The Register, 20 December 2008.
4. Ibid.

DOM-Based Cross-Site Scripting Attacks

DOM-based XSS arises in the client-side script of a page rather than in the server's response. The Document Object Model (DOM) is the browser's in-memory representation of the page, which JavaScript can read and rewrite at will. Many websites include not only HTML code and images but also a great deal of JavaScript; in fact, the functionality in many Web 2.0 sites is driven by thousands or even tens of thousands of lines of highly architected JavaScript. Netflix is a good example. On this website, there are many thumbnails that enable the user to zoom in and out, to hover, or to give a film a star rating. This is all possible through JavaScript, which writes directly into the contents of the web page.

If that script takes data the attacker controls (for example the URL fragment after "#", the query string, or the referrer) and writes it into the page through a method that interprets HTML, such as innerHTML or document.write, the attacker's markup is parsed and executed in the victim's browser, with many of the same effects as the other types. The difference is that the payload may never reach the server at all, so server-side filters and server log review do not see it, and this type of attack is much harder to detect. To find it, one must model the JavaScript and the flow of data through that code, from the places where untrusted data enters (the sources) to the calls that interpret it as HTML or script (the sinks), in order to understand how everything ties together. This method is called Static Code Analysis.

The Difficulty of Preventing XSS

As has been mentioned, the vast majority of XSS vulnerabilities are specific to particular sites and particular pages, unlike the attacks of earlier viruses and worms that were designed once and then released to hit any possible target. Because there are so many ways for XSS to enter an application (every parameter, header, and stored field that ends up in a page), it is very hard to anticipate every instance and thereby prevent them all. Even Google, with one of the world's best teams of web engineers, has caught multiple XSS vulnerabilities only after the affected sites were in production. In these cases, Google's white-hat hackers, along with their own QA teams, identified the vulnerabilities, fixed them, and then announced the already-patched hole.

Because of the difficulty of preventing XSS attacks, OWASP has issued a series of Best Practice recommendations. Their overarching suggestion is that organizations adopt an architectural approach to coding that is predicated on a secure development life cycle. This approach demands extensive forethought and planning before any actual coding is done on a particular page: deciding where untrusted data enters and encoding it for the context (HTML body, attribute, JavaScript, URL) into which it is written.

Rapid7 Nexpose: The Only Product That Addresses ALL Types of Cross-Site Scripting Attacks

Rapid7 Nexpose software utilizes the synergy between two of its proprietary technologies in order to locate XSS vulnerabilities in both pre- and post-production web applications. With its Browser Emulation Scanning Technology (BEST), Rapid7 Nexpose runs the application's code in an emulated browser. In this way, all tests are taken from the perspective of the hacker and, in XSS cases, the target. By attempting to exploit found vulnerabilities, the Rapid7 Nexpose Expert System, licensed from Sandia National Laboratories, uses rules-based procedures to integrate a large amount of information about a particular web application. The Expert System essentially reverse engineers the application, determines how it was constructed, how it communicates with a database, and how it sits on top of its stack (the web server, the operating system, and the database server), and uses all that information to determine how a hacker might try to penetrate the application. The Rapid7 Nexpose vulnerability library is the industry leader, and the Rapid7 vulnerability development team maintains it on a weekly basis to keep it current regarding newly discovered vulnerabilities. This continual monitoring goes a long way toward addressing the huge volume of new and different XSS vulnerabilities.
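To make the DOM-based case from the section above concrete, here is an added example (not code from the white paper, from Rapid7, or from Nexpose): a toy source-to-sink taint check of the kind the static analysis described there performs, written in Node.js. It is line-oriented and deliberately simple, not a real JavaScript parser. The source and sink lists, the assumed escapeHtml() helper that it trusts as a correct HTML encoder, and the four snippets it is run over are all constructed for this example.

```javascript
// Added example (not from the Rapid7 white paper): a minimal source-to-sink
// data-flow check for DOM-based XSS, the kind of analysis the text calls
// static code analysis. Teaching sketch over line-oriented JavaScript, not a
// real parser. Runs under Node.js; the snippets scanned are constructed.

const SOURCES = ['location.hash', 'location.search', 'location.href',
                 'document.URL', 'document.referrer', 'window.name'];
const SINKS = [
  { name: 'innerHTML',          re: /\.innerHTML\s*=(?!=)/ },
  { name: 'outerHTML',          re: /\.outerHTML\s*=(?!=)/ },
  { name: 'document.write',     re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'eval',               re: /\beval\s*\(/ },
];
const SANITIZER = /\bescapeHtml\s*\(/;   // assumed: a correct HTML-entity encoder
const DECL = /^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)/;

// Returns the attacker-controlled source a statement's data derives from,
// either directly (location.hash) or through an identifier tainted earlier.
function originOf(stmt, tainted) {
  const src = SOURCES.find(s => stmt.includes(s));
  if (src) return src;
  for (const [id, from] of tainted) {
    if (new RegExp('\\b' + id + '\\b').test(stmt)) return from;
  }
  return null;
}

// Tracks taint through simple assignments and reports any HTML/script sink
// fed by tainted data. Re-assigning an identifier from clean data clears it.
function findDomXss(code) {
  const tainted = new Map();
  const findings = [];
  code.split('\n').forEach((raw, i) => {
    const stmt = raw.trim();
    if (!stmt || stmt.startsWith('//')) return;
    const sanitized = SANITIZER.test(stmt);
    const decl = stmt.match(DECL);
    // For a declaration, inspect only the right-hand side so that the
    // variable being assigned is not mistaken for its own origin.
    const rhs = decl ? stmt.slice(stmt.indexOf('=') + 1) : stmt;
    const origin = originOf(rhs, tainted);
    if (decl) {
      if (origin && !sanitized) tainted.set(decl[1], origin);
      else tainted.delete(decl[1]);
    }
    const sink = SINKS.find(s => s.re.test(stmt));
    if (sink && origin && !sanitized) {
      findings.push({ line: i + 1, source: origin, sink: sink.name });
    }
  });
  return findings;
}

// Baseline for comparison: a grep that only flags a source and a sink on the
// same line. It misses flows that pass through intermediate variables.
function grepSameLine(code) {
  return code.split('\n').filter(l =>
    SOURCES.some(s => l.includes(s)) && SINKS.some(k => k.re.test(l))).length;
}

// Constructed snippets, as a scanner might see them in a page's scripts.
const VULN_DIRECT = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "var el = document.getElementById('greeting');",
  "el.innerHTML = 'Welcome back, ' + name;",
].join('\n');

const VULN_INDIRECT = [
  "var q = location.search;",
  "var parts = q.split('=');",
  "var term = parts[1];",
  "document.write('<b>' + term + '</b>');",
].join('\n');

const SAFE_TEXTCONTENT = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greeting').textContent = 'Welcome back, ' + name;",
].join('\n');

const SAFE_ESCAPED = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greeting').innerHTML = escapeHtml(name);",
].join('\n');
```

findDomXss(VULN_INDIRECT) reports the document.write on line 4 as fed by location.search even though no single line mentions both, which is exactly what grepSameLine() misses; the textContent version produces no finding because textContent does not interpret HTML, and the escapeHtml version is cleared because the encoder sits between the source and the sink.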

Next Steps

As the owner or manager of a website, you need to determine whether or not that site is currently vulnerable to XSS attacks. Rapid7 allows potential customers to download the trial version of Rapid7 Nexpose from www.rapid7.com and try the product for 20 days at no cost. A Rapid7 product specialist will even help to configure the software so that you can identify any potential vulnerabilities in your web applications. There are also many security shops, including Rapid7's Professional Services Organization (PSO), that offer manual penetration testing and web application auditing to help find the other OWASP Top Ten vulnerabilities. Of course, the most important next step is to employ secure, OWASP-recommended development practices for all future web applications.

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and its mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7's simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company's free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a Top Place to Work by the Boston Globe. Its products are top rated by Gartner, Forrester and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.
