Learning security through insecurity



Similar documents
Getting started with OWASP WebGoat 4.0 and SOAPUI.

Basic computer security

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Web attacks and security: SQL injection and cross-site scripting (XSS)

Security Products Development. Leon Juranic

Web Application Security: Exercise Development Approaches

Client logo placeholder XXX REPORT. Page 1 of 37

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

elearning for Secure Application Development

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

THE HACKERS NEXT TARGET

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Security Testing & Load Testing for Online Document Management system

WEB APPLICATION VULNERABILITY STATISTICS (2013)

Vulnerability scanning

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Source Code Review Using Static Analysis Tools

Introduction to Web Security

SAST, DAST and Vulnerability Assessments, = 4

Adobe Systems Incorporated

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Vulnerability scanning

Web Applications The Hacker s New Target

Interactive Application Security Testing (IAST)

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Columbia University Web Security Standards and Practices. Objective and Scope

Copyright Watchfire Corporation. All Rights Reserved.

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Web Application Security

Web Application Security

Your Web and Applications

Common Security Vulnerabilities in Online Payment Systems

Penetration Testing: Lessons from the Field

Interactivity in Legal Web Courses through Direct Response Systems

STABLE & SECURE BANK lab writeup. Page 1 of 21

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Using Nessus In Web Application Vulnerability Assessments

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Penetration Testing Lessons Learned. Security Research

Attack Vector Detail Report Atlassian

Security Tools - Hands On

Secure Web Development Teaching Modules 1. Threat Assessment

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Magento Security and Vulnerabilities. Roman Stepanov

Detailed Description about course module wise:

Columbia University Web Application Security Standards and Practices. Objective and Scope

Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

Web Application Security

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

Passing PCI Compliance How to Address the Application Security Mandates

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Web Application Report

Software security specification and verification

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

HackMiami Web Application Scanner 2013 PwnOff

SYWorks Vulnerable Web Applications Compilation For Penetration Testing Installation Guide

Criteria for web application security check. Version

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Performing a Web Application Security Assessment

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

THE OPEN UNIVERSITY OF TANZANIA

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

TEAM Academy Catalog. 187 Ballardvale Street, Wilmington, MA

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Protect, License and Sell Xojo Apps

Vulnerability analysis

OWASP Top Ten Tools and Tactics

Introduction. Secure Software Development 9/03/2015. Matias starts. Daan takes over. Matias takes over. Who are we? Round of introductions

Updating KP Learner Manager Enterprise X On Your Server

Lecture 15 - Web Security

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

Application Code Development Standards

Web Application Security

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

An Introduction To The Web File Manager

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Testing the OWASP Top 10 Security Issues

Penetration Testing with Kali Linux

White Paper Converting Lotus Notes Applications to the Cloud Using the CIMtrek converter Product

Web Engineering Web Application Security Issues

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

A Network Administrator s Guide to Web App Security

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Android (in)security. Having fun with Android. Sarantis Makoudis

Thomas Röthlisberger IT Security Analyst

CRYPTUS DIPLOMA IN IT SECURITY

Web application security: automated scanning versus manual penetration testing.

Put a Firewall in Your JVM Securing Java Applications!

JobScheduler Installation by Copying

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Magento Search Extension TECHNICAL DOCUMENTATION

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Smartphone Pentest Framework v0.1. User Guide

Transcription:

Learning security through insecurity Michael Sonntag Institute for Information processing and microprocessor technology (FIM) Johannes Kepler University Linz, Austria michael.sonntag@jku.at 1

Web application security 86% of all websites have at least one serious vulnerability (Ø: 56 vuln.)* Web applications are ubiquitous: Almost everything on the web is not a static webpage, but generated dynamically; most are based on a database But see also the trend for mobile devices: HTML5 instead of Apps (which are similar anyway regarding security, but not the topic here) Practically all web applications are insecure E.g. XSSed.com: Web site with XSS vulnerabilities. These included (and regularly occur again!): Google, Microsoft, Facebook, NYTimes, Ebay, McAfee, PayPal Therefore: Education in website security is sorely needed! Also: 57% provide some security training 40% fewer vulnerabilities, solved 59% faster; but 12% lower remediation rate* *: WhiteHat Website Security Statistics Report 5/2013, https://www.whitehatsec.com/assets/wpstatsreport_052013.pdf 2

Part of the solution: more security education Security education is urgently needed for all kinds of SW, but specifically for web applications because of their public attack surface Potential approaches: Paper, book, lectures: Security problems and their solutions are described Nice, but depends on attention & retention; lacks training in applying them Penetration testing: Good for testers, but will help implementers little Proposed solution: Interactive system where security problems are shown, can be tested, and remedies are also explained and can be tested too 3

Existing systems WebGoat: Insecure web application J2EE and ASP.NET environments; Java Runtime + Tomcat + Web application Black-box testing to exploit vulnerabilities No corrected (=secure) version available HackThisSite: Numerous individual small web application Penetration testing: Users must hack them No source code of the applications; no corrected versions Includes also modifying executables, steganography etc. Damn Vulnerable Web Application: Live-CD or existing web server; source code accessible Three security levels available (insecure, programmed-tried-but-failed, secure) Few vulnerabilities, no education (explanations e.g. for secure version lacking) 4

Proposed solution: aims & characteristics (1) Independent vulnerabilities: No real application Easier to understand because code is short and little external elements contained But: Differs significantly from real applications Finding problems is more difficult, not-programming them gets easier! Providing solutions: For education Each vulnerability exists twice: Once vulnerable and once fixed This includes explanations why this is a fix and what other approaches are possible Versatile: Many security problems shall be exemplified No artificial restrictions Problems for server, other servers, and end-users 5

Proposed solution: aims & characteristics (2) Simplicity: Pure vulnerabilities; no pre-knowledge required Avoiding frameworks, template engines, complex stylesheets etc. To focus the attention on the security issues and remove extraneous clutter No hacking: Penetration testing is no goal Testing only to understand problem & test own code; no exploitation (remote shell etc.) Self-contained: No additional software needed Must be trivial to use; download should be small; no public webserver Own webserver implementation: Required for some vulnerabilities Allows running several webservers and reduces complexity One-time bonus: Students implemented the individual vulnerabilities 6

The SecuritySampleServer Implemented in Java, as this is the main teaching language (here) Also widely use for web applications Webserver: Implemented in Java too Uncommon for a webserver, but here acceptable Supports GET/PUT, cookies, and server-side-includes: Simple (and insecure!) Started on port 8080 (80 might already be used), and 8081 Each application embodies a single vulnerability and is called directly Specific path element for each, where individual subpaths are possible No database included in general, individual applications use an in-memory SQL database 7

Anatomy of a lesson (1) Each lesson consists of several webpages and two applications Introductory page General description of the problem Shows a color-coded table of the danger from this vulnerability: Exploitability: How easy it is to exploit the vulnerability Prevalence: How common is this problem Detectability: How easy it is to find out if a problem has such a vulnerability Impact: What can happen when it is exploited Insecure code: The full code of the example application General elements are placed in a base class typ. 50-150 lines of code 8

Anatomy of a lesson (2) Explanation of the vulnerability Includes exploits and directions to try them (if possible direct links) Can be tested manually, also with other parameters/data/ Partially shows code and browser results Database or other state: Reset link to restore the app to the initial version How to secure the application Explanation how to prevent such an attack; what must be changed in the code Links to same exploits as before, just not working any more Own tests can be tried again too, obviously! Secure code: The code of the same application without the vulnerability 9

Restrictions and limitations Only pure vulnerabilities, but none specific to a language or a framework Different languages might be included through a bridge Especially interpreted languages, which learners could change directly No buffer overflows ( Java!): They are just explained Not available online: Too insecure A secure tunnel to a cloned VM would be too complex/expensive Simplistic view because of independent vulnerabilities Investigating code for them is different in reality; so less suited for educating testers No assessment: Learners can try out, but their activities are not logged Formative self-assessment could be built into it 10

Example lesson: OS command injection (1) 11

Example lesson: OS command injection (2) 12

Example lesson: OS command injection (3) 13

Example lesson: OS command injection (4) 14

Conclusions Practical evaluation is planned for next summer term (=next course) Planned extensions: Gathering statistics on usage locally (potentially anonymized upload) Might be extended to scoring: Provide hints based on tries, show completed elements etc. Towards a tutoring system Bridge to PHP, for interpreted languages Differential view on code: Comparing the insecure and the secure code Adding a different educational approach: Secure version is not available initially Students only receive explanations and must correct the code, which is then automatically tested by the system (examples shown + additional ones) 15

Link The server can be downloaded under http://www.fim.uni-linz.ac.at/research/securitysampleserver/securitysampleserver.zip Running it: Download and unpack to a local folder Run Start.bat (or start.sh - depending on OS; requires a JRE!) Open http://127.0.0.1:8080/ in your webbrowser 16

Thank you for your attention! Michael Sonntag Institute for Information processing and microprocessor technology (FIM) Johannes Kepler University Linz, Austria michael.sonntag@jku.at 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information