Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications


Ray Lai, Intuit
TS-5358

Goal: share experience on how to detect and defend against security vulnerabilities in Web 2.0 applications using open source security tools.

2008 JavaOne(SM) Conference, java.sun.com/javaone

Agenda: Detect, Defend, Learn

Which is Easier to Hack?
Google finds 2M suspicious sites.
Web 1.0 app, top 3 security vulnerabilities:
- Unvalidated input parameters
- Broken access control
- Broken authentication and session management
Web 2.0 app, top 3 security vulnerabilities:
- Cross-site scripting
- Injection flaw
- Malicious file execution
Note: single loss expectancy $690 per incident; average annual loss $350,424 (CSI 2007).

What's New About Web 2.0 Security?
OWASP 2007 Top 10 (http://www.owasp.org/index.php/top_10_2007), with the slide's plus-sign ratings and Web 2.0 examples:
- Cross-site scripting (+++): Flash, cross-site flashing
- Injection flaws (++++): AJAX, mash-up
- Malicious file execution (+++)
- Insecure direct object reference (+): JavaScript Object Notation (JSON)
- Cross-site request forgery (+++): Flash
- Information leakage / improper error handling
- Broken authentication and session management
- Insecure cryptographic storage (+)
- Insecure communications (++)
- Failure to restrict URL access (++)
Additional Web 2.0 examples on the slide: AJAX, JSON (+++++); cross-domain, mash-up (++++).

Use Case Scenario
Use open source / commercial security tools to examine WebGoat (and Roller) from SecuriBench: http://suif.stanford.edu/~livshits/securibench/intro.html

Example #1: Post-Me
Scenarios: newsgroup, forum, blogs, etc.
Characteristics:
- Plain data input screen
- No sensitive personal data
- High usage, high traffic
Question: how can I re-direct readers to my malicious website?

Example #1: What's the Issue? Cross-site Request Forgery
What happens: hackers post a message containing a malicious URL or parameters:

    <IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" />

Result: when readers view the posting, their browsers request the malicious URL (with their own session cookies) without anyone noticing the tiny 1x1 image. That is cross-site request forgery!
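The following is an added example, not code from the talk or from WebGoat: a Python model of how a server-side handler rejects the forged request from the 1x1 image above. The browser that renders the image sends a GET carrying the victim's cookie but no anti-CSRF token, so the handler refuses it, while a real form submission that carries the per-session token (the "nonce" from the defensive-coding slide) succeeds. The session store, the cookie values and the `attack` path are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory session store: cookie value -> session state.
# The per-session token is random and known only to the server and the
# pages it renders, so a third-party posting cannot include it.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def forged_request_from_img(img_src: str) -> dict:
    """Model what a victim's browser sends when it renders the 1x1 <IMG>:
    a GET to the SRC URL with the victim's cookie attached and no token."""
    parts = urlsplit(img_src)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": "GET", "path": parts.path, "params": params,
            "cookie": "sess-alice"}


def legitimate_request(session_id: str, amount: str) -> dict:
    """Model a form submitted from a page the server rendered for this
    session, which therefore carries the session's anti-CSRF token."""
    token = SESSIONS[session_id]["csrf_token"]
    return {"method": "POST", "path": "attack",
            "params": {"transferFunds": amount, "csrf_token": token},
            "cookie": session_id}


def handle_transfer(request: dict) -> tuple[int, str]:
    """Server side of the transferFunds action (hypothetical handler).
    Returns an HTTP-style status code and a short message."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401, "no session"
    # State-changing actions must not be reachable through a GET: an <IMG>
    # (or a link) can only ever produce a GET.
    if request["method"] != "POST":
        return 405, "state change requires POST"
    sent = request["params"].get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    amount = request["params"].get("transferFunds")
    if amount is None or not amount.isdigit():
        return 400, "bad amount"
    return 200, f"transferred {amount} for {session['user']}"


if __name__ == "__main__":
    img = 'attack?screen=7&menu=410&transferFunds=4000'
    print(handle_transfer(forged_request_from_img(img)))      # rejected
    print(handle_transfer(legitimate_request("sess-alice", "4000")))  # accepted
```

The POST-only rule alone is not sufficient (a hidden auto-submitting form can POST cross-site), which is why the token check does the real work; the method check is there to make the IMG vector fail early and show up in logs as a 405.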

Example #2: Online Travel
Scenarios: online travel service, mash-up
Characteristics:
- AJAX with JSON
- Financial transactions
- Mash-up, possibly
Question: can I change the price?

Example #2: What's the Issue? JSON Poisoning
What happens: hackers intercept the JSON, tamper with it, and post it back:

    {
      "From": "Boston",
      "To": "Seattle",
      "flights": [
        {"stops": "0", "transit": "N/A", "price": "$0"},
        {"stops": "2", "transit": "Newark,Chicago", "price": "$900"}
      ]
    }

Result: hackers pay $0.
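The defence the slide implies is that the price in client-supplied JSON is never authoritative. Below is an added Python example (not the talk's code): the server parses the posted itinerary strictly, looks every flight up in its own fare table, and flags a client price that disagrees with the server's price as a tampering signal worth alerting on. The fare table and its prices are constructed for the example; the payload is the slide's JSON.

```python
import json

# Constructed, authoritative server-side fare table:
# (origin, destination, stops) -> price in USD. Only the server knows prices.
FARES = {
    ("Boston", "Seattle", 0): 1200,
    ("Boston", "Seattle", 2): 900,
}

# The tampered message from the slide, exactly as a client might post it back.
TAMPERED_PAYLOAD = (
    '{ "From": "Boston", "To": "Seattle", "flights": ['
    ' {"stops": "0", "transit" : "N/A", "price": "$0"},'
    ' {"stops": "2", "transit" : "Newark,Chicago", "price": "$900"} ] }'
)


class BookingError(ValueError):
    """Raised when the client JSON is malformed or names an unknown itinerary."""


def reprice(payload: str) -> list[dict]:
    """Validate the client's itinerary and recompute every price server side."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise BookingError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise BookingError("top-level value must be an object")
    origin, dest, flights = data.get("From"), data.get("To"), data.get("flights")
    if not (isinstance(origin, str) and isinstance(dest, str)
            and isinstance(flights, list) and flights):
        raise BookingError("From, To and a non-empty flights list are required")
    result = []
    for flight in flights:
        if not isinstance(flight, dict):
            raise BookingError("each flight must be an object")
        stops = flight.get("stops")
        # Schema check: the slide's format carries stops as a decimal string.
        if not (isinstance(stops, str) and stops.isdigit()):
            raise BookingError("stops must be a decimal string")
        key = (origin, dest, int(stops))
        if key not in FARES:
            raise BookingError(f"no fare for {key}")
        server_price = FARES[key]
        # The client's "price" is ignored for billing; a mismatch is logged.
        mismatch = flight.get("price") != f"${server_price}"
        result.append({
            "stops": key[2],
            "transit": flight.get("transit"),
            "price": server_price,
            "client_price_mismatch": mismatch,
        })
    return result


if __name__ == "__main__":
    for row in reprice(TAMPERED_PAYLOAD):
        print(row)  # the "$0" flight comes back at the server's 1200, flagged
```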

Example #3: Change Password
Scenarios: online services, mash-up
Characteristics:
- SOAP-based Web services
- Perhaps mash-up
- HTTP or HTTPS, depends
Question: can I change somebody's password?

Example #3: What's the Issue? SOAP Injection
What happens: hackers try changing their own password, intercept the SOAP message, tamper with it (here, the user id), and post it:

    <?xml version='1.0' encoding='utf-8'?>
    <wsns0:body>
      <wsns1:changepassword>
        <id xsi:type='xsd:int'>101</id>
        <password xsi:type='xsd:string'> bar</password>
      </wsns1:changepassword>
    </wsns0:body>
    </wsns0:envelope>

Result: hackers change someone else's password for future access.
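The root cause is that the service trusts the `id` in the message body. As an added example (not the talk's code, and not a real WS-Security implementation), the Python below builds a well-formed SOAP 1.1 changepassword envelope with the slide's element names and handles it server side: the target user id is compared with the id of the authenticated session, so a body that names another user is refused. The service namespace `urn:example:changepassword`, the credential store and the user ids are constructed for the example.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SVC_NS = "urn:example:changepassword"                   # constructed service namespace


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store() -> dict:
    """Constructed credential store: user id -> (salt, PBKDF2 digest)."""
    store = {}
    for uid, pw in ((42, "alice-original"), (101, "bob-original")):
        salt = secrets.token_bytes(16)
        store[uid] = (salt, _hash(pw, salt))
    return store


def change_password_envelope(user_id: int, new_password: str) -> bytes:
    """The request a client sends: the slide's message, made well-formed."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}changepassword")
    ET.SubElement(op, "id").text = str(user_id)
    ET.SubElement(op, "password").text = new_password
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def handle_change_password(envelope: bytes, session_user_id: int,
                           store: dict) -> tuple[int, str]:
    """Hypothetical service endpoint. session_user_id comes from the
    server-side session established at login, never from the message."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        return 400, f"malformed SOAP: {exc}"
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}changepassword")
    if op is None:
        return 400, "unknown operation"
    id_el, pw_el = op.find("id"), op.find("password")
    id_text = (id_el.text or "").strip() if id_el is not None else ""
    if not id_text.isdigit() or pw_el is None:
        return 400, "missing or malformed id or password"
    requested = int(id_text)
    # Authorization: the body may only name the user who owns the session.
    if requested != session_user_id:
        return 403, (f"user {session_user_id} may not change the password "
                     f"of user {requested}")
    new_pw = pw_el.text or ""
    if len(new_pw.strip()) < 8:
        return 400, "password too short"
    salt = secrets.token_bytes(16)
    store[requested] = (salt, _hash(new_pw, salt))
    return 200, f"password changed for user {requested}"


def verify(store: dict, user_id: int, password: str) -> bool:
    salt, digest = store[user_id]
    return secrets.compare_digest(digest, _hash(password, salt))


if __name__ == "__main__":
    store = new_store()
    # Session belongs to user 42; the body names user 101, as on the slide.
    print(handle_change_password(change_password_envelope(101, " bar"), 42, store))
```

A stricter design drops the `id` element altogether and always acts on the session's user, so there is nothing in the body to tamper with; the check above is the minimum when the element must stay for compatibility.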

What About Flex Applications?
Cross-site flashing (XSF). You can detect XSF using SwfIntruder.

What About...
- Phishing attacks
- Ad malware
- Botnets
- ActiveX controls
- Serialization security, e.g. Dojo, jQuery

Agenda: Detect, Defend, Learn

Strategy #1: Security Development Lifecycle
Remark: show demo or examples of these artifacts.

Defensive Coding: Examples
Scenarios:
- Cross-site request forgery
- JSON poisoning
- SOAP injection
Sample actions:
- Filter specific tags (e.g. <IMG>)
- Prompt user with security token for important actions or high value transactions
- Shorter time period for user sessions
- Client-side and server-side input validation
- JavaScript output encoding
- Obfuscate JavaScript
- Use of nonce
- WS-Security best practices
- Turn off WSDL
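Two of the sample actions above, tag filtering and output encoding, address the same posted-message problem from Example #1 in different ways, and a third, shorter sessions, limits how long a forged request can ride on a live session. The added Python below (not the talk's code) puts a tag-blocklist filter next to HTML output encoding over constructed sample posts, and adds an idle-timeout check. It shows why encoding is the more robust of the two: the blocklist only removes the exact spelling it was written for, while encoding turns any markup into text. The idle limit of ten minutes and the sample posts are constructed.

```python
import html
import re

# Constructed sample posts: the slide's 1x1 image, a lowercase variant of the
# same tag, and an ordinary post that happens to contain < and quotes.
POSTS = [
    'Great article! <IMG SRC="attack?screen=7&menu=410&transferFunds=4000" '
    'width="1" height="1" />',
    'see <img src="attack?transferFunds=4000">',
    'plain text with a < b and "quotes"',
]


def naive_tag_filter(body: str) -> str:
    """Blocklist approach ("filter specific tags, e.g. <IMG>"): removes the
    tag as spelled on the slide and nothing else."""
    return re.sub(r"<IMG\b[^>]*>", "", body)


def render_post(body: str) -> str:
    """Output encoding: the post is always displayed as text, so nothing in
    it can be interpreted as markup by the reader's browser."""
    return html.escape(body, quote=True)


def contains_markup(rendered: str) -> bool:
    """Output-side check a defender can run: did an unescaped tag survive?"""
    return re.search(r"<[a-zA-Z]", rendered) is not None


IDLE_LIMIT_SECONDS = 10 * 60  # constructed value for "shorter user sessions"


def session_is_live(last_activity: float, now: float,
                    idle_limit: int = IDLE_LIMIT_SECONDS) -> bool:
    """Expire a session that has been idle longer than the limit, which
    shrinks the window in which a forged request can succeed."""
    return 0 <= now - last_activity <= idle_limit


if __name__ == "__main__":
    for post in POSTS:
        print("filter :", contains_markup(naive_tag_filter(post)), naive_tag_filter(post))
        print("encode :", contains_markup(render_post(post)), render_post(post))
```

Encoding at output time also keeps the stored post intact, so moderators and search still see what the user actually wrote; the filter silently alters stored content and still has to be maintained as a list.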

Strategy #2: Custom Security Test
Category: public / open source; commercial
- Discovery tools: NMAP, Nessus
- Web server vulnerabilities: Nikto
- Code quality*: OWASP, FindBugs; Fortify, Klocwork
- Application vulnerabilities: Paros; AppScan, Hailstorm
- Penetration testing: WebScarab, Paros, SwfIntruder
Hybrid security testing = white box* + black box testing (the asterisk marks the white box part).
Remark: show demo of running different security testing tools on Roller.

Agenda: Detect, Defend, Learn

Lesson 1: Security Findings by Category

Lesson 2: What You Can and Can't Do
Obvious ones, e.g.:
- Information leakage
- Port scan
- OS fingerprinting
- Web server vulnerability scanner
Difficult ones, e.g.:
- Cross-site scripting
- Cross-site request forgery
- Denial of service
Hard ones, e.g.:
- New Web 2.0 vulnerabilities

Lesson 3: Summary
- Don't practice penetration testing tools on production systems!
- Trust no one.
- Do we know what to detect, or what to test?
- Different security testing tools provide different findings.

For More Information
Concepts:
- OWASP top 10 vulnerabilities: http://www.owasp.org/index.php/category:vulnerability
- Cannings, Dwivedi and Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008
- Andrew Andreu. Professional Pen Testing for Web Applications
- Shyamsuda and Gould. You Are Hacked. JavaOne(SM) Conference 2007, http://developers.sun.com/learning/javaoneonline/2007/pdf/ts-6014.pdf
Security incident updates:
- Top 10 Web 2.0 attack vectors: http://www.net-security.org/article.php?id=949
- http://www.us-cert.gov/current/current_activity.html
- CERN: http://security.web.cern.ch/security/
- Also RSA, Microsoft, Symantec and other major security vendor websites

For More Information (cont'd)
Tutorial:
- http://www.irongeek.com/i.php?page=security/hackingillustrated
Tools:
- http://sectools.org/
- http://www.cotse.com/tools/
- http://www.securityhaven.com/tools.html
- http://framework.metasploit.com/
- http://www.paneuropa.co.uk/penetration_testing.htm
- http://www.owasp.org/index.php/category:owasp_download

Ray Lai, rayymlai@gmail.com
TS-5358