8/6/2019 Web Application Security Made Easy_06212012
http://slidepdf.com/reader/full/web-application-security-made-easy06212012 1/29
Roy Wattanasin
@Boston Security Meetup
July 21, 2011
Disclaimer
You do not hold the presenter liable and accept full responsibility for your actions.
You will use these tools in an ethical, professional and legal manner and RTFM.
You will always get permission before running any of these tools on the network.
The presentation does not endorse or approve and assumes no responsibility for the content, accuracy or completeness of the information presented.
This presentation does not represent the opinions of any of the organizations that I have worked for.
Overview
How Do Breaches Occur?
Attack Patterns are growing
What are the underlying problems?
What is web application security?
OWASP Top 10
Toolz & Recommendations
Resources
Final Words
How Do Breaches Occur?
Source: Verizon 2011 DBIR
Attack Patterns are growing
Source: Verizon 2011 DBIR
What are the underlying problems?
Majority of web applications are insecure
The web (HTTP) was not designed to be secure
Security was “bolted-on” rather than “built-in”
Web Applications are still a problem
Source: Verizon 2011 DBIR
“79% of breached records are web application attacks” as stated in the 2009 Data Breach Investigations Report conducted by the Verizon Business Risk Team.
“30% of the 57 attacks were carried out by SQL injection” from the 2008 Web Hacking Incidents Database Annual Report conducted by Breach Security.
Web Applications are still a problem
Source: Lulz Security
What is web application security?
Securing “anything” that drives the web application
Writing defensive code
Look at our applications from an attacker’s mindset and perspective
What flaws would they be aware of?
Source: OWASP
Source: OWASP
Source: OWASP
What is the risk?
OWASP Top 10
Injection: protect with whitelisting, escaping of special characters, and a safe API
= SQL Injection
Source: OWASP
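Added example (not part of the deck): the three controls from this slide in one place, using Python's sqlite3 module against a constructed in-memory table. The vulnerable function splices input into the query text; the parameterized one uses the driver's binding (the "safe API"); the whitelist rejects anything outside the allowed username shape. The table, the username policy and the sample input are assumptions made for the demonstration.

```python
import re
import sqlite3


# Constructed sample data: an in-memory SQLite table standing in for the app's user store.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: untrusted input is spliced into the SQL text, so the
    # database parser sees the input as part of the query, not as a value.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Safe API: the driver binds the value separately from the statement, so
    # whatever the string contains, it is compared as data.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Whitelist: the only shape a username is allowed to have (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: whitelist validation first, then the parameterized query.
    if not is_valid_username(username):
        raise ValueError("username failed whitelist validation")
    return find_user_parameterized(conn, username)


# Constructed untrusted input: a closing quote followed by a tautology.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY))          # every row comes back
    print("parameterized:", find_user_parameterized(db, TAUTOLOGY))    # no rows: treated as data
```

Run the module directly to see the contrast: the spliced query returns the whole table for the constructed input, the bound query returns nothing, and the whitelisted path refuses the input before it reaches the database at all.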
Cross Site Scripting (XSS): protect by escaping all untrusted data and whitelist input validation
= Session Hijacking
Source: OWASP
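Added example (not from the deck): both controls on this slide, written in Python with the standard library. Input validation keeps a display name to an assumed whitelist alphabet; output escaping with html.escape is applied at render time for the HTML body and for an attribute value, so a name that passes validation (an apostrophe, say) is still neutralised where it is printed. The vulnerable renderer is shown alongside for contrast; the sample inputs are constructed.

```python
import html
import re

# Whitelist for a display name (assumed policy): letters, digits, space, dot, apostrophe, hyphen.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_display_name(name: str) -> str:
    # Input validation: reject anything outside the allowed alphabet.
    if DISPLAY_NAME_RE.fullmatch(name) is None:
        raise ValueError("display name failed whitelist validation")
    return name


def render_greeting_vulnerable(name: str) -> str:
    # Defect on purpose: untrusted data lands in the HTML body unescaped.
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    # Output escaping for the HTML body context: <, >, &, " and ' become entities.
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_search_box_safe(query: str) -> str:
    # Attribute context: the attribute is quoted AND quotes inside it are escaped,
    # so the value cannot close the attribute early.
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


# Constructed inputs: one hostile, one legitimate name the whitelist must still accept.
SCRIPT_INPUT = "<script>alert(1)</script>"
IRISH_NAME = "O'Brien"

if __name__ == "__main__":
    print(render_greeting_vulnerable(SCRIPT_INPUT))  # tag reaches the page as markup
    print(render_greeting_safe(SCRIPT_INPUT))        # tag reaches the page as text
    print(render_greeting_safe(validate_display_name(IRISH_NAME)))
```

Validation and escaping are deliberately separate functions: the whitelist is a business rule about what a name may look like, while escaping is a property of the output context and has to happen wherever the value is written, even for values that were validated earlier.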
Broken Authentication & Session Mgmt.: protect with a single set of strong authentication and session management controls
= You’re 0wned
Source: OWASP
Insecure Direct Object References: protect by using per-user or per-session indirect object references, and check access control for every reference that comes from an untrusted source
= Access any account
Source: OWASP
Cross-Site Request Forgery (CSRF): protect with a token that is at minimum unique per user session, but can also be unique per request
= Change requests and redirect
Source: OWASP
Insecure Cryptographic Storage: protect using encryption, hashed passwords, strong algorithms, physical security of keys, etc.
= Clear data to be shared
Source: OWASP
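Added example (not from the deck) for the "hashed passwords, strong algorithms" part of this slide, in Python with the standard library only. It stores a random per-user salt and an iterated PBKDF2-HMAC-SHA256 digest in one self-describing record, verifies in constant time, and can tell when an old record should be re-hashed after the work factor is raised. An unsalted fast hash is included only to show why equal passwords must not produce equal records. The record format and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as your hardware allows.
ITERATIONS = 100_000


def hash_password_weak(password: str) -> str:
    # What the slide warns against: an unsalted fast hash. Equal passwords give
    # equal hashes, so one precomputed table cracks every user at once.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    # Random per-user salt plus a slow, iterated hash; the salt and parameters
    # are stored beside the digest so verification can recompute it.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    # Lets the app upgrade old records transparently after a successful login
    # once ITERATIONS has been raised or the algorithm changed.
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

The record carries its own algorithm name and parameters, which is what makes needs_rehash possible: a login that verifies against an older, weaker record can immediately be replaced with a current one without forcing a password reset.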
Security Misconfiguration: protect with a hardening process
= Open / unknown access
Source: OWASP
Restrict URL Access: protect with enforced role-based policies
= Access private pages
Source: OWASP
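Added example (not from the deck) covering two slides together: the indirect object references recommended for Insecure Direct Object References, and the enforced role-based policy recommended for Restrict URL Access. Each session mints its own opaque handles for the objects it is allowed to see, so a real database id never appears in a URL and a handle from one session means nothing in another; the URL policy is a deny-by-default table checked on the server for every request. The document store, the roles and the policy table are constructed for the demonstration.

```python
import secrets

# Constructed data store: documents keyed by their real database id, each with an owner.
DOCUMENTS = {
    101: {"owner": "alice", "title": "Q3 plan"},
    102: {"owner": "bob", "title": "Expenses"},
    103: {"owner": "alice", "title": "Notes"},
}

# Assumed role-based URL policy: which roles may reach which path. Deny by default.
URL_POLICY = {
    "/docs": {"user", "admin"},
    "/admin/users": {"admin"},
}


class Session:
    def __init__(self, username: str, role: str):
        self.username = username
        self.role = role
        self._refs = {}  # opaque handle -> real id, private to this session

    def handle_for(self, real_id: int) -> str:
        # Reuse an existing handle so the same object maps to one token per session.
        for handle, rid in self._refs.items():
            if rid == real_id:
                return handle
        handle = secrets.token_urlsafe(9)
        self._refs[handle] = real_id
        return handle

    def resolve(self, handle: str) -> int:
        # A handle minted for another session (or guessed) is simply unknown here.
        if handle not in self._refs:
            raise PermissionError("unknown object reference")
        return self._refs[handle]


def list_documents(session: Session) -> dict:
    # Only the caller's own documents are listed, and only as handles, so the
    # real ids never reach the client.
    return {
        session.handle_for(rid): doc["title"]
        for rid, doc in DOCUMENTS.items()
        if doc["owner"] == session.username
    }


def get_document(session: Session, handle: str) -> dict:
    real_id = session.resolve(handle)
    doc = DOCUMENTS[real_id]
    # Second check, as the slide asks: access control on the object itself.
    if doc["owner"] != session.username:
        raise PermissionError("not the owner")
    return doc


def authorize_url(session: Session, path: str) -> bool:
    # Enforced server-side on every request; hiding a link is not enforcement.
    return session.role in URL_POLICY.get(path, set())


if __name__ == "__main__":
    alice = Session("alice", "admin")
    print(list_documents(alice))                    # opaque handles, not 101/103
    print(authorize_url(Session("bob", "user"), "/admin/users"))  # False
```

The ownership re-check in get_document looks redundant next to the per-session handle map, and that is the point: the handle map stops enumeration of ids, while the ownership check is the access control that must hold even if a handle is somehow obtained.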
Insufficient Transport Layer Protection: protect with SSL and the Secure cookie flag
= Insecure browsing and sniffing
Source: OWASP
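Added example (not from the deck) that serves three slides at once: the "single set of strong session management controls" of Broken Authentication & Session Mgmt., the per-session token of Cross-Site Request Forgery, and the Secure cookie flag of Insufficient Transport Layer Protection. A server-side store issues 256-bit random session ids from the OS CSPRNG, expires them on idle timeout, rotates the id at login, carries one CSRF token per session, and emits the Set-Cookie header with Secure and HttpOnly set. Python standard library only; the timeout value and cookie name are assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Optional

SESSION_TTL_SECONDS = 30 * 60  # assumed idle timeout


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self, username: str) -> str:
        # 256-bit id and CSRF token from the OS CSPRNG. One CSRF token per session
        # is the slide's minimum; a fresh token per request is the stricter option.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": username,
            "csrf": secrets.token_urlsafe(32),
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return session_id

    def lookup(self, session_id: str) -> Optional[dict]:
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._clock() > session["expires"]:
            del self._sessions[session_id]  # idle timeout enforced server-side
            return None
        session["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding expiry
        return session

    def rotate(self, old_id: str) -> Optional[str]:
        # Issue a new id after login or privilege change so an id set before
        # authentication cannot be reused (session fixation).
        session = self._sessions.pop(old_id, None)
        if session is None:
            return None
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = session
        return new_id

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id: str) -> str:
    # Secure: sent only over HTTPS (the slide's "secure flag"); HttpOnly: unreadable
    # from script, which limits XSS session theft; SameSite=Lax: the browser withholds
    # the cookie on cross-site POSTs, a second layer against CSRF.
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token_for(store: SessionStore, session_id: str) -> Optional[str]:
    # Embedded in forms by the server; a cross-site page cannot read it.
    session = store.lookup(session_id)
    return None if session is None else session["csrf"]


def authorize_state_change(store: SessionStore, session_id: str, submitted_token: str) -> bool:
    # Every state-changing request must carry the session's token; compare in constant time.
    session = store.lookup(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf"].encode(), submitted_token.encode())


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(authorize_state_change(store, sid, csrf_token_for(store, sid)))  # True
```

The id in the cookie carries no data of its own; everything about the user lives server-side and dies with the record, which is what lets a single store enforce timeout, rotation, logout and CSRF checking uniformly for every part of the application.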
Unvalidated Redirects & Forwards: protect by avoiding the use of redirects and forwards
= Phishing, bogus and MITM
Source: OWASP
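Added example (not from the deck) showing both ways to follow this slide's advice in Python. The preferred form avoids user-supplied destinations entirely and redirects by a key into a fixed table; where a "next" parameter cannot be avoided, the validator accepts only site-relative paths or absolute URLs on an assumed allowlist of hosts and falls back to a default for everything else, including protocol-relative and userinfo tricks. The hosts, the table and the test inputs are constructed.

```python
from urllib.parse import urlsplit

SITE_HOST = "app.example.com"                    # assumed host of this application
ALLOWED_HOSTS = {SITE_HOST, "docs.example.com"}  # assumed allowlist for off-site targets
DEFAULT_TARGET = "/"

# Preferred: no user-supplied URL at all, just a key into a fixed table.
REDIRECT_TABLE = {
    "dashboard": "/dashboard",
    "settings": "/account/settings",
    "docs": "https://docs.example.com/start",
}


def redirect_by_key(key: str) -> str:
    # Unknown keys go to the default rather than anywhere the caller names.
    return REDIRECT_TABLE.get(key, DEFAULT_TARGET)


def safe_redirect_target(next_param: str) -> str:
    """Validate a user-supplied 'next' value; anything doubtful becomes DEFAULT_TARGET."""
    candidate = (next_param or "").strip()
    if not candidate:
        return DEFAULT_TARGET
    # Protocol-relative and backslash forms resolve off-site in browsers; reject early.
    if candidate.startswith(("//", "/\\", "\\")):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: must start with a single slash.
        return candidate if parts.path.startswith("/") else DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, and any other scheme
    # hostname strips userinfo and port, so "allowed.host@other.host" is judged by other.host.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    for value in ["/account", "//evil.example/x", "https://docs.example.com/guide",
                  "https://app.example.com@evil.example/", "javascript:void(0)"]:
        print(repr(value), "->", safe_redirect_target(value))
```

The allowlist is compared against the parsed hostname rather than by string prefix on purpose: a prefix check on "https://app.example.com" would accept "https://app.example.com.evil.example/" and "https://app.example.com@evil.example/", both of which the parser resolves to the other host.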
Toolz
Burp suite
Nikto
Paros Proxy
WebScarab
Whisker/libwhisker
Wikto
Firesheep
Blacksheep
Recommendations
Establish common security controls and schedules
Code reviews
Testing: white box, black box, automated and penetration testing
Education: educate and train again
Software Development Lifecycle (SDLC)
Resources
About OWASP: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project
https://www.owasp.org/index.php/Main_Page
OWASP WebGoat Project: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Recommended books
Chase, Scott and Thompson, Herbert. The Software Vulnerability Guide. Charles River Media, Inc., 2005.
Dhanjani, Rios and Hardin. Hacking: The Next Generation. O’Reilly, 2009.
McGraw, Gary. Software Security: Building Security In. Addison-Wesley, 2006.
Thompson, Herbert and Whittaker, James. How to Break Software Security. Addison-Wesley, 2003.
Nagappan, Ramesh, Lai, Ray and Steel, Christopher. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice Hall, 2006.
References
Brandeis University Graduate Professional Studies (GPS): http://www.brandeis.edu/gps/
Brandeis University Graduate Health Medical Informatics Program: http://www.brandeis.edu/gps/programscourses/programs/hmi.html
Brandeis University Graduate Information Assurance Program: http://www.brandeis.edu/gps/programscourses/programs/ias.html
OWASP Top 10 Application Security Risks: https://www.owasp.org/index.php/Top_10_2010-Main
Threat Risk Modeling: https://www.owasp.org/index.php/Threat_Risk_Modeling
Verizon 2011 DBIR: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
Final Words
websecr at gmail dot com
twitter: wr0
Thank you!