The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA



Similar documents
Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

What is Web Security? Motivation

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Magento Security and Vulnerabilities. Roman Stepanov

Columbia University Web Security Standards and Practices. Objective and Scope

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Engineering Web Application Security Issues

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web Application Vulnerabilities and Avoiding Application Exposure

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Testing Web Applications for SQL Injection Sam Shober

Where every interaction matters.

Web Application Security

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Information Technology Policy

Web application security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web App Security Audit Services

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Table of Contents. Page 2/13

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Barracuda Web Site Firewall Ensures PCI DSS Compliance

How To Protect A Web Application From Attack From A Trusted Environment

Secure Web Applications. The front line defense

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

How to Build a Trusted Application. John Dickson, CISSP

Passing PCI Compliance How to Address the Application Security Mandates

Rational AppScan & Ounce Products

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web Application Report

Criteria for web application security check. Version

Lecture 15 - Web Security

Application Security Testing. Generic Test Strategy

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

OWASP AND APPLICATION SECURITY

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

The Top Web Application Attacks: Are you vulnerable?

Last update: February 23, 2004

elearning for Secure Application Development

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Penetration Test Report

Network Security Audit. Vulnerability Assessment (VA)

Making Database Security an IT Security Priority

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

WEB APPLICATION SECURITY

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Columbia University Web Application Security Standards and Practices. Objective and Scope

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

OWASP Top Ten Tools and Tactics

The Web AppSec How-to: The Defenders Toolbox

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

External Supplier Control Requirements

Web Application Security 101

Data Breaches and Web Servers: The Giant Sucking Sound

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

A Survey on Security and Vulnerabilities of Web Application

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Security Management. Keeping the IT Security Administrator Busy

05.0 Application Development

Web Applications The Hacker s New Target

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Check list for web developers

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Penetration Testing Report Client: Business Solutions June 15 th 2015

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web attacks and security: SQL injection and cross-site scripting (XSS)

THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.

Secure Software Programming and Vulnerability Analysis

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Högskoleexamen. Web application Security. Sektionen för informationsvetenskap, data- och elektroteknik. Rapport för Högskoleexamen, January 2013

Essential IT Security Testing

Protect Your Business and Customers from Online Fraud

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Managing IT Security with Penetration Testing

The Roles of Software Testing & QA in Security Testing

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Transcription:

The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007

Contents Executive Summary...3 Introduction...4 Target Audience...4 Background...4 Common Web Application Attacks...5 Defacement...5 Worms...5 Buffer Overruns...5 URL Parameter Tampering...5 Banner-grabbing...6 Hidden Field Manipulation...6 Cookie Tampering...6 SQL Injection...7 Stealth Commanding...7 Cross-site Scripting...7 Forceful Browsing...7 Inadvertently Helping the Attacker...8 What You Can Do...9 Conclusions/Recommendations...10 Contacts...11 Appendix 1: References...12 Open Web Application Security Project...12 Web Application Security Consortium...12 January 25, 2007 Page 2 webscurity inc.

Section 1 Executive Summary Insecure Web applications provide an attacker a way through even the most robust perimeter defenses. This paper describes Web application vulnerabilities, their respective impact on overall security, and techniques to mitigate them. The door is open to customers and attackers alike For a long time, the prevailing wisdom has been that firewalls = security. But as networks have become more and more secure, attackers are seeking out easier targets. They are increasingly discovering that manipulating applications can be much more productive. After all, they can get in through the same door in the perimeter defenses deliberately left open for legitimate users such as customers, suppliers, and trading partners. Since 2001, webscurity has helped organizations of all sizes address Web application security. Industries from financial services to healthcare - food services to distribution - have benefited from our experience and understanding of Web application security. January 25, 2007 Page 3 webscurity inc.

Section 2 Introduction Target Audience Background One of the most important elements of a secure e-commerce environment is the applications. Web applications written and deployed without security as a prime consideration can inadvertently: Expose sensitive or confidential information Facilitate Web site defacement Provide access to private networks Perpetrate Denial of Service (DoS) attacks Facilitate unhindered access to back-end databases Application attacks cannot be prevented by network firewalls, intrusiondetection, or even encryption. These attacks work by exploiting the Web server and the applications it runs, meaning the attackers enter through the same open door in the perimeter defenses that customers use to access the Web site. Malicious activity cannot be distinguished from normal, everyday Web traffic. This paper is targeted toward security specialists, system administrators, developers, and other individuals interested in learning the importance of Web application security. The stateless nature of HTTP doesn t help Many of the most serious and difficult to detect - Web application attacks take advantage of the stateless nature of the Hypertext Transfer Protocol (HTTP) and the special programming required to develop useful applications for the Web. There are two types of attacks: Indiscriminate - the attacker has no interest in who your organization is or what it does, but simply the fact that you have a Web server Targeted (discriminate) - the attacker has selected a Web site for very specific reasons which might include financial gain, publicity, business disruption, etc. Worms are examples of indiscriminate attacks, while the various forms of parameter manipulation (such as cookie tampering discussed below) are typically targeted attacks. January 25, 2007 Page 4 webscurity inc.

Section 3 Common Web Application Attacks Defacement Web site defacement can largely be prevented through detailed server hardening by an experienced system administrator. However, operating systems, Web servers (HTTP servers like Apache, IIS, etc.), and other server software packages are typically shipped in an insecure configuration. It is up to a seasoned administrator to ensure all components are configured securely. It is widely reported that the vast majority (perhaps as high as 90%) of all attacks exploit improperly configured systems. Worms Possibly the most common type of indiscriminate attack, worms like Code Red, Nimda, and Slapper spread at an incredible pace. Often, they can infect hundreds of thousands of servers in a matter of minutes. Worms exploit vulnerabilities in widely-used server software. While fixes for the vulnerabilities are generally released quickly, it is little consolation to the hundreds of thousands of organizations that suffer countless damages due to downtime, lost productivity, and general business disruption. Buffer Overruns URL Parameter Tampering One of the most common attacks exploits a common programming mistake known as buffer overruns (also referred to as buffer overflows ). Virtually every mainstream software product commercial or open-source has had a buffer overrun issue of one sort or another. While some buffer overrun conditions can be relatively harmless, others can be as serious as allowing the attacker administrator access to the server and/or network. Web applications that use the URL query string to pass information from page-to-page (a widely-used way of maintaining state) are susceptible to January 25, 2007 Page 5 webscurity inc.

parameter tampering. This attack is literally as simple as altering the query string parameter values in the browser s address bar! For example, consider the following URL: http://www.website.com/show_account.asp?loggedin=true&acct=123456789 What happens if the acct parameter s value is changed to 223456789 and sent back to the server (as shown below)? http://www.website.com/show_account.asp?loggedin=true&acct=223456789 Banner-grabbing Hidden Field Manipulation Cookie Tampering The first step in any attack is selecting the appropriate toolbox. Two pieces of information that determine the attacker s toolbox choice are: Operating system Web server type A simple process known as banner-grabbing provides the attacker with both these pieces of information. Using a telnet utility, the attacker can quickly determine what operating system a given server is running, as well as the type of Web server (Apache, IIS, etc.) it is using. Knowing this, the attacker can construct attacks appropriate for the environment. Closely related to URL parameter tampering (see above), hidden field manipulation involves altering parameter values, except these are hidden from the user. Hidden fields are an HTML input type (<input type= hidden >) that are NOT rendered by the browser and shown to the user they are hidden. However, because most browsers provide a View/Source option, it is easy for anyone to see and alter hidden field values. The acct parameter from the example above could have been implemented as a hidden field. This would have made it less obvious and slightly increased the difficulty of altering its value, but it doesn t offer much protection against even a novice attacker! Like URL query string parameters and hidden fields, cookies are a popular way to maintain state information. While they are slightly more difficult to locate and alter, their relative level of obscurity compared to the other two methods is not sufficient to prevent malicious activity. Freely available tools help automate the process of cookie tampering. January 25, 2007 Page 6 webscurity inc.

SQL Injection Stealth Commanding Cross-site Scripting Forceful Browsing Data-entry fields can unknowingly provide a convenient way for an attacker to access an SQL-compliant back-end database and execute their own SQL statements. Any user input (including hidden fields, URL query string parameters and cookie values) used by the Web application to construct SQL statements (usually part of the where clause) could result in the unintended execution of SQL statements injected by an attacker. SQL injection can be used to bypass authentication, gain unrestricted access to data, and in extreme cases, allow an attacker to execute destructive SQL statements like DROP TABLE users;! Similar to SQL injection, stealth commanding allows an attacker to execute operating system commands on the server without proper authorization. Any user input (including hidden fields, URL query string parameters, and cookie values) used by the Web application to construct operating system calls (shell scripts, commands, etc.) could allow an attacker to execute commands of their choice. Because most Web servers (Apache, IIS, etc.) run as a privileged group/user, the commands executed by the Web application (on behalf of the attacker) are also privileged. This is only one example of how stealth commanding can be accomplished. Cross-site scripting is the act of injecting malicious HTML tags or clientside scripting code into HTML form fields. The contents of these fields are saved to a database where they are later retrieved and automatically executed by an innocent user. Essentially, it is a way to affect another user s experience. Forceful browsing is the act of directly accessing pages (URL s) without consideration for its context within an application. Bypassing intended application flow can lead to unauthorized access to resources which could mean a press release getting out before expected to circumventing authentication altogether. January 25, 2007 Page 7 webscurity inc.

Section 4 Inadvertently Helping the Attacker Information that would be insignificant to a normal user is deadly in the hands of skilled attacker. Something as simple as disclosing the Web server platform (see banner grabbing discussion above) helps an attacker form the basis of their attack. Error messages are a great source of intelligence for attackers An attacker can also gather valuable information from error messages reported by the application. The common practice of reporting detailed error messages can aid the support process in controlled environments. However, when your audience is literally anyone in the world with an Internet connection, a different approach is needed. For example, database error messages from a failed query frequently contain details of the environment better left undisclosed, such as the database platform, vendor, and version. They may also include details of the database s table structure and layout. Don t give them any hints Letting a would-be attacker know they have entered an incorrect user id or password, specifically, gives them an unnecessary advantage. Generic messages such as Log in failed are much safer. January 25, 2007 Page 8 webscurity inc.

Section 5 What You Can Do Proper server hardening and upto-date patches Developer training, coding standards, code reviews Give away as little as possible Web application firewall Indiscriminate attacks can often be prevented through extensive server hardening and keeping patches up-to-date. However, even the latest patches only provide protection against known attacks. These measures are important, but unfortunately, are reactive rather than proactive. Build security into the development cycle by training programmers to write secure Web applications and conducting 3 rd -party source code assessments. Clear standards and regular internal assessments will also help ensure secure applications. Disabling Web server identification and avoiding detailed error messages will slow down an attacker tremendously. Install a Web application firewall to ensure all traffic that reaches the Web server and its applications will be exactly what is expected. January 25, 2007 Page 9 webscurity inc.

Section 6 Conclusions/Recommendations The degree to which insecure Web applications can undermine perimeter defenses cannot be over-emphasized. The most robust security measures will not protect back-end systems if holes exist in the applications. Focused attention to the environment behind the firewall is recommended to ensure on-going security. In addition to proper server hardening, secure coding practices, and frequent assessments, a Web application firewall is the perfect compliment to existing perimeter defenses. January 25, 2007 Page 10 webscurity inc.

Section 7 Contacts For more information, please contact info@webscurity.com. webscurity Inc. 9298 Central Ave NE Suite 402 Minneapolis, Minnesota USA 55434 Toll Free 866.SCURITY (728.7489) International/Twin Cities Metro - 1.763.786.2009 Fax 1.763.786.3680 info@webscurity.com www.webscurity.com January 25, 2007 Page 11 webscurity inc.

Appendix 1: References Open Web Application Security Project The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything here is free and open source. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all. http://www.owasp.org Web Application Security Consortium The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. http://www.webappsec.org January 25, 2007 Page 12 webscurity inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information