What is Web Security? Motivation



Similar documents
3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Where every interaction matters.

Magento Security and Vulnerabilities. Roman Stepanov

Web Application Security

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Last update: February 23, 2004

Check list for web developers

Criteria for web application security check. Version

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Data Breaches and Web Servers: The Giant Sucking Sound

Passing PCI Compliance How to Address the Application Security Mandates

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Sitefinity Security and Best Practices

Chapter 1 Web Application (In)security 1

Web application security

Thick Client Application Security

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Barracuda Web Site Firewall Ensures PCI DSS Compliance

The Top Web Application Attacks: Are you vulnerable?

How to Build a Trusted Application. John Dickson, CISSP

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Web Application Penetration Testing

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Web Application Security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Enterprise Application Security Workshop Series

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

CS5008: Internet Computing

(WAPT) Web Application Penetration Testing

OWASP Top Ten Tools and Tactics

Web Application Security Assessment and Vulnerability Mitigation Tests

elearning for Secure Application Development

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Implementation of Web Application Firewall

Web Application Security Considerations

Columbia University Web Security Standards and Practices. Objective and Scope

Web Application Report

Web Application Guidelines

Web Application Vulnerability Testing with Nessus

Web Application Security

Web Application Security

Lecture 11 Web Application Security (part 1)

Rational AppScan & Ounce Products

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Penetration Test Report

Ruby on Rails Secure Coding Recommendations

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Cloud Security:Threats & Mitgations

WEB APPLICATION SECURITY

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Java Program Vulnerabilities

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Adobe Systems Incorporated

Columbia University Web Application Security Standards and Practices. Objective and Scope

Information Technology Policy

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Objectives. Security. Fixing Our JSTL Problem. Web Application Architecture. Web Security. A few lines of code can wreak more havoc than a bomb.

IJMIE Volume 2, Issue 9 ISSN:

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Common Criteria Web Application Security Scoring CCWAPSS

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Basic & Advanced Administration for Citrix NetScaler 9.2

Java Web Application Security

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Secure development and the SDLC. Presented By Jerry

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Web Engineering Web Application Security Issues

Application Security Best Practices. Wally LEE Principal Consultant

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Firewall on SonicWALL SRA

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

OWASP TOP 10 ILIA

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Web App Security Audit Services

Application Security Testing. Generic Test Strategy

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Session Management in Web Applications

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Sichere Software- Entwicklung für Java Entwickler

Transcription:

brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web Security? Over 90% of online apps not secured against common cracking techniques! A research of WebCohort s Application Defense Center revealed the most common vulnerabilities for web applications in 2003: Cross-site scripting (80%). SQL injection (62%). Parameter tampering (60%). Cookie poisoning (37%). Database server (33%). Web server (23%). Bucer overflow (19%). Web security is not as well-defined as e.g. cryptographic security. Practical web and network security depends on details of network standards, implementation details, concrete versions of browsers and servers.... Attacks against privacy, security, and quality of service ( safety ). Web and network security is a moving target. There is no once and forever solution.

Roadmap The End Users View The Server Providers View Client GET/PUT/POST <html> <head> Server HyperText Transfer Protocol (HTTP) is defined in RFC 2068. HTTP is an application level protocol. HTTP transfers hypertext requests and information between server and browsers. HTTP: The Client Side The client initiates all communication: Method Description GET request a web page HEAD request header of a web page PUT store a web page POST append to a web page The user navigates trough URLs, e.g. http://www.infsec.ethz.ch/. HTTP does not support for sessions. HTTP: The Server Side The server delivers data upon request of the client. Arbitrary data can be transfered (client takes care of processing). The data can be computed on demand (web application) or can be static (HTML pages, images,... ). Three tier architecture is widely used: Presentation (First Tier) PC Network Computer Business Logic (Second Tier) Backend (Third Tier) Database Java Web Server Database

Roadmap HTTP Header The End Users View The Server Providers View On each request, the client sends a HTTP header to the server. Normally headers are sent unencrypted. Headers contain information such as requested language, requested character encoding, used browser (and operating system),... HTTPS sends headers encrypted. HTTP Headers: Private Information Cookies HTTP headers can also contain private information, e.g.: FROM: the users email address, critical due to user tracking and address harvesting (spam). AUTHORIZATION: contains authentication information. COOKIE: a piece of data given to the client by the server, and returned by the client to the server in subsequent requests. REFERER: the page from which the client came, including search terms used in search engines. Combining information (e.g. FROM, REFERER, IP address) allows server providers already a reasonable tracking of the users behavior. Remark: in HTTP, authorization means authentication! Cookies were introduced to allow session management. The main idea is quite simple: A server may, in any response, include a cookie. A client sends in every request the cookie back to the server. A cookie can contain any data (up to 4Kb). A cookie has a specified lifetime. Cookies received lots of criticism for privacy reasons.

Cookies and Privacy HTTP: Authentication Cookies can be used to track users. Privacy is attacked from many sides: Analyzing server logs. Eavesdropping traec (even encrypted headers are informative). Enforcing proxys (or application level firewalls), e.g. deployed by your ISP or employer. Reveal browser logs (e.g. history) on the client side. Thus, cookies are only part of the game. Anyway, cookies should be considered as confidential information! Cookies with very long lifetimes are suspicious! HTTP supports two authentication modes: Basic authentication: Login/password based. Information is sent unencrypted. Credentials are sent on every request to the same realm. Supported by nearly all server/clients and thus widely used! Digest authentication: Server sends nonce. Client hashes nonce based on login/password. Client sends only cryptographic hash over the net. Seldom used. Use browser features for storing your login/password with care! General Considerations Roadmap Be careful when using public web browsers (e.g. internet cafe). Visited sites are stored in the browsers history, in the browsers cache, can also be revealed by auto-completion features. Use the manage password feature with care. Many threats are caused by malicious active components (JavaScript, ActiveX,... ). Browsing the web is not as harmless as it should be! The End Users View The Server Providers View

The Most Critical Web Application Security Vulnerabilities Software is generally created with functionallity at frist in mind and with security as a distant second or third. What have these threats in common? 1. Unvalidated input. 2. Broken access control. 3. Broken authentication and session management. 4. Cross-site scripting (XSS) flaws. 5. Bucer overflows. 6. Injection flaws. 7. Improper error handling. 8. Insecure storage. 9. Denial of service. 10. Insecure configuration management. They attack neither cryptography nor authorization directly. They all exploit programming or configuration flaws. All of them are relatively easy to exploit. They all can cause serious harm, either by revealing secret data, or by attacking quality of service. They can only be prevented by well-designed systems. Unvalidated Input 1/2 Unvalidated Input 2/2 Note: Web applications use input from HTTP requests. Attackers can tamper any part of a HTTP request. Main idea: send unexpected data (content or amount). Possible attacks include: System command insertion. Cross-site scripting. Exploiting bucer overflows. Format string attacks. SQL injection. Cookies poisoning. Manipulating (hidden) form fields. Many sites rely on client-side input validation (e.g. JavaScript). Ways to protect yourself: validate input against a positive specification. Allowed character sets. Minimum and maximum length. Numeric ranges. Specific patterns. Only server side input validation can prevent these attacks. Applications firewalls can provide only some parameter validation. These kind of attacks are becoming more likely!

Broken Access Control Broken Authentication and Session Management 1/2 Reliable access control mechanisms are diecult to implement. diecult to configure, setup and maintain. Access control policy should be clearly documented. Rethink your requirements and scan your setup for: Insecure IDs: is an attacker able to guess valid IDs? Forced browsing past access control checks: can a user simply access the protected area directly? Path traversal: take care of absolute and relative path names. File permissions. Client side caching. Authentication and session management includes web pages for changing passwords. handling of forgotten passwords. updating (personal) account data. The complexity of such systems is often underestimated. An attacker can hijack a user s session and identity. Broken Authentication and Session Management 2/2 Cross-Site Scripting (XSS) 1/2 To avoid these treats a web application should: Require to enter the login password on every management site. Require strong passwords. Implement a password change control. Store passwords as hash (whenever possible). Protect credentials and session ID in transit. Avoid browser caching. Why not switch to HTTPS (SSL)? The attacker tries to inject malicious code in well-known sites. = Users will trust this code! Assume we access http://www.abcd.com/mypage.asp and get: Sorry http://www.abcd.com/mypage.asp does not exist what happens, if we replace mypage.asp with a malicious script? we get a page from a trusted site (www.abcd.com) with malicious content,e.g: http://www.abcd.com/<script>alert(document.cookie);</script> can be used to steel cookies!

Cross-Site Scripting (XSS) 2/2 Bucer Overflows For example, we could mail this error page to our victim. Our victim s browser will execute the script (from a trusted site). More easy: copy malicious content into trusted message boards. XSS can be used to steal session IDs of valid users. XSS is a special form of unvalidated input attack. Bucer overflows are caused by sending too much data. Bucer overflows corrupt the execution stack of the application. Bucer overflows can occur in any software worthy exception: languages with runtime checking, e.g. Java. To prevent bucer overflow attacks: watch for bug reports and install patches timely. program your own applications for safety! Overflow attacks are common for operating system attacks Injection Flaws Injection Flaws: SQL Injection A special injection unvalidated input attack. Attacker tries to inject commands to the back-end system. Back-end systems include: the underlying operating system (system commands). the database servers (SQL commands). used scripting languages (e.g. Perl, Python). The attacker tries to execute program code on the server system! Assume a web application with a database back-end using: SELECT * FROM users WHERE user='$usr' AND passwd='$pwd' What happens if we choose the following value for $pwd: We get ' or '1' = '1 SELECT * FROM users WHERE user='$usr' AND passwd='' or '1' = '1' As '1' = '1' is valid, we will be authenticated!

Preventing Injection Flaws Improper Error Handling Filter inputs (using a list of allowed inputs!). Avoid calling external interpreters. Choose safe calls to external systems. For databases: prefer precomputed SQL statements. Check the return codes to detect attacks! Error messages reveal details about your application, especially if they contain stack traces, etc. Do not distinguish between file not found and access denied. Your system should respond with short, clear error messages to the user. Execution failures could be a valuable input to the intrusion detection system. Insecure Storage Preventing Insecure Storage Using insecure storage can have many reasons: Storing critical data unencrypted. Insecure storage of keys, certificates. Improper storage of secretes in memory. Poor choice of cryptographic algorithms. Poor sources of randomness. Attempts to invent new cryptography. No possibility to change keys during lifetime. To prevent insecure storage: Minimize the use of encryption ( it s secure, it s encrypted ). Minimize the amount of stored data (e.g. hash instead of encrypt). Choose well-known, reliable cryptographic implementations. Ensure that keys, certificates and password are stored securely. Split the master secret into pieces and built it only when needed.

Denial of Service Insecure Configuration Management Beside network (e.g. SYN floods) also application level DoS. In principle: send as many HTTP requests you can. Today: tools for DDoS available for everyone. Test your application under high load. Load balancing could help. Restrict number of requests per host/user/session. Maintaining software is a diecult problem and not web application specific. You should never run unpatched software. carefully look for server misconfigurations. remove all default accounts with default passwords. check the default configuration for pitfalls. remove unnecessary (default) files (e.g. default certificates). check for improper file and directory permissions. check for misconfiguration of SSL certificates. Roadmap The End Users View The Server Providers View Many security problems in practice are caused by the complexity of systems built, e.g.: by combining small systems into larger ones. by (slightly) incompatible implementations. complex configuration issues. Remember: systems are only as secure as the weakest link! Today, cryptography is diecult to crack, but (concrete) systems built are vulnerable. Most successful attacks build on programming and configuration errors.

Security Guidelines 1/2 Security Guidelines 2/2 Design: Keep it simple. Security by obscurity won t work. Use least privileges possible. Separate privileges. Implementation: Validate input and output of your system. Don t rely on client-side validation. Fail securely (closed). Use and reuse trusted components. Test your system (e.g. using attack tools). Additional techniques: You should not rely only on a standard firewall (filtering IPs and ports): you have to filter carefully on the application level! Application level firewalls can help, but are not an all-in-one solution. Apply intrusion detection. Security issues are changing every day: keep up-to-date! Review your setup regularly! Appendix Further Reading William Stallings, Cryptography and Network Security, Prentice Hall, 2003 The Open Web Application Security Project, http://www.owasp.org The Ten Most Critical Web Application Security Vulnerabilities, OWASP, 2004, http://www.owasp.org/documentation/topten A Guide to Building Secure Web Applications: The Open Web Application Security Project, OWASP, 2004, http://www.owasp.org/documentation/guide David Scott and Richard Sharp, Developing Secure Web Applications in IEEE Internet Computing. Vol. 6, no. 6. Nov/Dec 2002. http://cambridgeweb.cambridge.intel-research.net/ people/rsharp/publications/framework-secweb.pdf Frequently Asked Questions on Web Application Security,

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information