Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant



Similar documents
How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Criteria for web application security check. Version

(WAPT) Web Application Penetration Testing

Check list for web developers

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Using Foundstone CookieDigger to Analyze Web Session Management

Statistics Whitepaper

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

The Top Web Application Attacks: Are you vulnerable?

Certified Secure Web Application Security Test Checklist

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Where every interaction matters.

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Certified Secure Web Application Secure Development Checklist

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

APPLICATION SECURITY AND ITS IMPORTANCE

elearning for Secure Application Development

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Lecture 11 Web Application Security (part 1)

JVA-122. Secure Java Web Development

Web application security

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Enterprise Application Security Workshop Series

Rational AppScan & Ounce Products

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

OWASP Top Ten Tools and Tactics

What is Web Security? Motivation

Top Web Application Security Issues. Daniel Ramsbrock, CISSP, GSSP

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Application Security Testing. Generic Test Strategy

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Adobe Systems Incorporated

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Magento Security and Vulnerabilities. Roman Stepanov

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Chapter 1 Web Application (In)security 1

Web Application Security

Sichere Software- Entwicklung für Java Entwickler

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Ruby on Rails Secure Coding Recommendations

OWASP TOP 10 ILIA

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Thick Client Application Security

Security and Vulnerability Testing How critical it is?

Hack Proof Your Webapps

Passing PCI Compliance How to Address the Application Security Mandates

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Security Protocols/Standards

Web Application Penetration Testing

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Security Testing with Selenium

Web Application Security

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Cyber Security Challenge Australia 2014

Attack and Penetration Testing 101

Kentico CMS security facts

In partnership with CST. Web Application Security Assessment Report. Acme Inc V November COMMERCIAL IN CONFIDENCE

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

2010: and still bruteforcing

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Essential IT Security Testing

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Overview of the Penetration Test Implementation and Service. Peter Kanters

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Network Security Exercise #8

Sample Report. Security Test Plan. Prepared by Security Innovation

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

QuickBooks Online: Security & Infrastructure

! Resident of Kauai, Hawaii

Intrusion detection for web applications

Testing the OWASP Top 10 Security Issues

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

Guidelines for Web applications protection with dedicated Web Application Firewall

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Transcription:

Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

$whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities with a strong theoretical background (CISSP, CEH) OWASP Slovakia Chapter Leader co-author of the OWASP Testing Guide v3.0 owner of security company Nethemba s.r.o. focused on penetration tests and web application security audits

The goal of this presentation To show security vulnerabilities common in new web applications (Internet banking, e shops, online casinos,..) during the period 2008 2009 Real data from plenty of new web applications developed by Czech/Slovak companies was used To ensure their privacy, the used data was aggregated

SQL injection downtrend, risk of second order injection vulnerabilities Most new applications use prepared statements/parametrized queries Complex architecture with multiple different applications can increase the likelihood of second order injection vulnerabilities New fully automatized SQL injection tools are available (sqlmap, Power SQL injector)

Increased complexity of XSS vulnerabilities, AJAX security Due to a huge number of XSS variations, blacklisting simply does not work Importance of the output validation (inevitable if the stored data is contaminated with injected code) It is still a problem to automatically reveal persistent XSS / AJAX vulnerabilities New XSS demo tools (Browser Rider, Beef)

Vulnerabilities in session management Many new applications use own session management that is almost always bad implemented If it is possible, use language underlying session management instead At this moment, there is no automated way to fully test session management security

Session Fixation Attacks If the attacker can inject an arbitrary value in anonymous session tokens and the application accepts this value and uses it for authenticated login, session fixation attacks are feasible Can be used to hijack user sessions using social engineering, XSS vulnerabilities,.. The application should not accept injected session token, should regenerate it after login, invalidate after logout

Absence of secure and HttpOnly flag for cookies Secure flag prevents the browser to send a cookie through unencrypted connection HttpOnly flag prevents the injected javascript code to steal cookies using the document.cookie parameter HttpOnly is effective only when TRACE/TRACK HTTP methods are disabled on web server

Simultaneous sessions In normal circumstances there is no need for simultaneous sessions for one user in the application User should be informed if another user with the same credentials is logged to the application Bind the user session with its IP address/subnet Session logging is very important

Brute force attack against session management Feasible when session token is shorter than 128 bits or it is easily determinable Almost no application can detect this attack because session token is not associated with an existing user The application should detect increased number of session tokens from one IP address in a short time and blocks it for a defined period

CSRF vulnerabilities GET requests are still used for sensitive operations Many ways how to protect against CSRF: Requiring special non determinable parameters in GET/POST requests (hidden fields) AJAX double submit cookies Using other verification channels (email, SMS,..)

Weak and broken CAPTCHA We successfully break all our tested CAPTCHAs with CAPTCHA killer It is really difficult to create strong CAPTCHA Many CAPTCHA implementations are vulnerable to replay attacks Is still using CAPTCHA a good idea?

Business Logic Security Flaws Still prevailed because of complexity to detect them automatically Common problems: Permanent user's account locking Using negative numbers to gain a lot of money Enumeration of users using forgotten password or registration form

Vulnerable SSL protocol, weak ciphers, hashes and passwords SSLv2 is still massively used Weak (less than 56 bits) SSL ciphers are used MD5 is still massively used DES ECB is still used (in a bank environment!) Applications have password complexity restrictions that drastically decrease all possible combinations Short complicated passwords are still used Hashes are not salted (risk of rainbow table attacks)

Any questions? Thank you for listening Ing. Pavol Lupták, CISSP CEH

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information