Web Application Security
Informational website
E-commerce website
Extranet
Search Engine
Transaction Engine
“75% of hacks occur at the Application Layer”
“3 of 4 business websites are vulnerable to attack”
(Gartner)
The Threat is Real
A Firewall is NOT enough
A firewall allows authorized incoming Internet traffic into the network from outside via ports 80 and 443.
HTTP = port 80, HTTPS = port 443
IDS, SSL and data encryption, passwords, or standard scanning will not protect you from application layer attacks.
Three Pieces to the Puzzle
The Web Server: Microsoft IIS, Netscape Commerce, Apache
Front-End Server Code: code that makes up the Web page
Back-End Server Code: access to a database or other application
Three Pieces to the Puzzle
The Web Server: Microsoft IIS, Netscape Commerce, Apache
Owner: System Administrator
Front-End Server Code: code that makes up the Web page
Owner: Web Designer, Programmer
Back-End Server Code: access to a database or other application
Owner: Database admin, Programmer
Application Layer
Browser
User Input HTML/HTTP
Web Server
User Interface Code
Front End Application
Backend Application
Database
Data
Application Weaknesses
System Architecture
System Configuration
Application Design
Implementation Configuration
Operations
Application Risks
Incorrect Calculations
Theft, Integrity issues
Data accessed by unauthorized users
Data theft or loss: proprietary data, integrity, privacy issues
Denial of Service: disruption of business operations
Critiquing the Web Application Level
Architectural Infrastructure & Design
Development Languages
Web and Database Servers
Programming code principles
Development Languages
Sun (Java, JavaBeans, JavaScript, J2EE)
Microsoft (Active Server Pages, Site Server, .NET, and Commerce Server)
Open source community (PHP, HTML, XML)
Others (ColdFusion, Perl, CGI)
Most Common Attack Techniques
• Parameter Manipulation
• Known Vulnerability Checks
• Extension Checking
• Common File Checks
• Data Extension Checking
• Brute Force
• Path Truncation
• Hidden Web Paths
• Web Server Testing
• Application Mapping
• Directory Enumeration
• Backup Checking
• Cookie Manipulation
Parameter Manipulation
• Cross-Site Scripting
• SQL Injection
• Reverse Directory Traversal
• Buffer Overflow
• Hidden Field Manipulation
Involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user.
Cross-Site Scripting
Occurs when dynamically generated web pages display input that is not properly validated.
• Search Engines
• Error Messages
• Forms
• Web Message Boards
Risks:
Compromise confidential information, manipulate or steal cookies, create requests mistaken for valid user, and execute malicious code.
Cross-Site Scripting
1. Lure sent to the user: "Press this link to get to your bank"
   Underlying link: http://www.mybank.com?a=<evil javascript>
2. The JavaScript program collects and sends user names and passwords
3. The user sees a familiar login form ("Enter your login information": Username, Password)
Cross-Site Scripting
Real Site
Fake hacker site: collects usernames and passwords
Redirects the user back to the real site, making it look transparent
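The defence against the reflected-input problem on the two Cross-Site Scripting slides above is output encoding: any user-supplied value that is written back into a page is escaped for the HTML context it lands in. The following is an added example, not code from the original presentation; the function names, the sample query string and the tag-collecting parser are assumptions made for the illustration. It renders the same search term both ways and then parses the results the way a browser would, so the difference is visible as parsed elements rather than as raw text.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a search term carrying markup, as an
# attacker-controlled query parameter would.
SAMPLE_QUERY = '<script>alert("xss")</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the query into the page verbatim: the defect the slide describes."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Escapes <, >, &, " and ' before the value is placed in HTML body text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    """Same escaping for an attribute value; quote=True is what keeps the
    value from breaking out of the surrounding double quotes."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag (and its attributes) the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update({k: v for k, v in attrs if v is not None})


def tags_in(fragment: str) -> list[str]:
    """Parse a fragment and return the element names it actually contains."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def attribute_value(fragment: str, name: str) -> str:
    """Return the parsed (entity-decoded) value of the named attribute."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.attrs.get(name, "")


if __name__ == "__main__":
    for fn in (render_search_vulnerable, render_search_safe, render_attr_safe):
        out = fn(SAMPLE_QUERY)
        print(f"{fn.__name__:25s} tags={tags_in(out)}  html={out}")
```

The vulnerable rendering parses into a `p` element followed by a `script` element; the escaped rendering parses into a single `p` whose text happens to contain angle brackets. The attribute case shows that escaping is context-specific: `quote=True` is required there, and JavaScript or URL contexts need their own encoders, not `html.escape`.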
SQL Injection
Act of passing SQL code not intended by the developer into an application.
Example:
Potentially malicious input, such as a single quote ('), which could close the SQL string.
Risks:
Unintended system and application access
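The slide's point that a single quote can close the SQL string is easiest to see with a query built by string concatenation next to the same query with bound parameters. This is an added example, not code from the presentation; the in-memory SQLite table, the user names and the function names are constructed for the illustration. A legitimate name containing an apostrophe is enough to show the defect: the concatenated query breaks (and, with other input, could be made to do something else), while the parameterised query treats the value as data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: a quote in the input ends the SQL literal early,
    so the rest of the input is parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value; it is never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    ]


def demo() -> dict:
    """Run both lookups against the same data and collect what happens."""
    conn = build_db()
    results = {
        "safe_plain": lookup_safe(conn, "alice"),
        "safe_quote": lookup_safe(conn, "o'brien"),
    }
    try:
        results["vuln_quote"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.Error as exc:  # the quote closed the string: SQL no longer parses
        results["vuln_quote"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

The error raised by the concatenated version is the same symptom an attacker probes for; the fix is not to filter quotes but to stop building SQL from strings at all. The same `?` placeholder style (or the driver's named-parameter form) applies to every database API listed on the Development Languages slide.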
Reverse Directory Traversal
Sending malformed URL strings to access non-public portions of the web server's content.
Example:
Adding ../ sequences to existing URLs and adjusting the number of directories to traverse (www.server.com/../../../password).
Risks:
Gain access to a system
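A server-side check for the traversal technique just described maps the requested URL path onto the document root and refuses anything that would leave it. The following is an added example, not code from the presentation; the document root value, the function name and the strict policy of rejecting any `..` segment are assumptions. It uses `posixpath` so the logic is lexical and runs without a real filesystem.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example.
WEBROOT = "/var/www/html"


def resolve_request_path(webroot: str, request_path: str) -> Optional[str]:
    """Return the filesystem path for a URL path, or None if it must be refused.

    1. Drop the query string and percent-decode once, so "%2e%2e" is seen as "..".
    2. Reject NUL bytes (they truncate paths in C-based servers).
    3. Reject any ".." segment outright: legitimate links never need one, and
       its presence is itself a signal worth logging.
    4. Defence in depth: require the normalised result to remain under webroot.
    """
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path:
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, *segments))
    if posixpath.commonpath([webroot, candidate]) != webroot:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: ordinary pages plus the slide's traversal form.
    for req in ("/index.html", "/customers/id/993/details.html?x=1",
                "/../../../password", "/docs/%2e%2e/%2e%2e/password", "/a/./b"):
        print(f"{req:40s} -> {resolve_request_path(WEBROOT, req)}")
```

Decoding exactly once matters: decoding twice would turn a literal `%252e` into `.`, while not decoding at all would let an encoded `..` through the segment check. A real server should also open the resolved file with the same check applied after symlink resolution (`os.path.realpath`), since the lexical check cannot see links on disk.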
Buffer Overflow
Input larger than the fixed-size buffer meant to hold it: something very large being placed in a box far too small for it to fit in.
Risks:
Gain complete control of a system.
Example:
Executing malicious code in the context of the local system's security.
Hidden Field Manipulation
Modifying hidden parameters in the HTML, and then submitting the altered values to the remote server.
Risk(s):
Loss of revenue
Example:
Change pricing data on a site.
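The countermeasure to hidden field manipulation is to treat every value the browser posts as untrusted and to recompute anything that matters from server-side data. This is an added example, not code from the presentation; the catalogue, the order form and the function names are constructed for the illustration. It shows a total computed from posted prices next to one computed from the server's own catalogue, plus a check that reports which fields were altered.

```python
from decimal import Decimal

# Constructed catalogue: prices live here, on the server, never in the form.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("5.00")}

# Constructed order form as the browser posted it. A hidden 'price' field on
# the first line has been changed from 49.99 to 0.01 before submission.
SAMPLE_FORM = {
    "items": [
        {"sku": "SKU-100", "qty": "2", "price": "0.01"},
        {"sku": "SKU-200", "qty": "1", "price": "5.00"},
    ]
}


def total_vulnerable(form: dict) -> Decimal:
    """Trusts the hidden 'price' fields posted by the browser."""
    return sum(Decimal(item["price"]) * int(item["qty"]) for item in form["items"])


def total_safe(form: dict) -> Decimal:
    """Looks every price up server-side; the posted price is ignored and the
    quantity is range-checked so it cannot be negative or absurd."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if not 1 <= qty <= 100:
            raise ValueError(f"quantity out of range for {sku}")
        total += CATALOG[sku] * qty
    return total


def tampered_fields(form: dict) -> list:
    """Detection aid: SKUs whose posted price differs from the catalogue price.
    A non-empty result is worth logging even though the safe total ignores it."""
    return [
        item["sku"]
        for item in form["items"]
        if "price" in item and Decimal(item["price"]) != CATALOG.get(item["sku"])
    ]


if __name__ == "__main__":
    print("posted total :", total_vulnerable(SAMPLE_FORM))
    print("server total :", total_safe(SAMPLE_FORM))
    print("tampered     :", tampered_fields(SAMPLE_FORM))
```

Once the price is no longer read from the form, the hidden field can be dropped from the page altogether; if it must stay (for display, say), the comparison in `tampered_fields` turns a silent loss of revenue into a logged event.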
Known Vulnerability Checks
All exploitable holes and bugs in operating systems, web servers, applications, and other third-party components that have been published, posted, or otherwise communicated.
Risk(s):
Exploit systems where patches have not been installed in a timely fashion.
Extension Checking
Backup files and scripts on the web server.
Risk(s):
Retrieving a script's source code
Example:
An attacker who finds hi.asp might search for hi.old and hi.back
Common File Checks
Commonly existing duplicate, uploaded, and hidden files that should be removed from the web server.
Risk(s):
Detailed information that attackers can use to compromise a site.
Example:
Admin.htm, test.htm, and deploy.exe
Data Extension Checking
Finding old renamed files left on the server.
Risk(s):
Retrieving a script's source code
Example:
An attacker might find hi.asp and then search for hi.asp.back or hi.asp.old
Forceful Browsing
Checks for all variations of commonly existing files.
Risk(s):
Gain access to system
Example:
A password file search would encompass files including psswd.txt, password.htm, password.dat, and all other variations.
Path Truncation
Truncating the URL path one directory at a time and looking for directory listings or unusual errors at each level.
Risk(s):
Gain access to system
Example:
Given a link /customers/id/993/details.html, each truncation is checked for vulnerabilities:
/customers/id/993
/customers/id/
/customers/
Hidden Web Paths
Finding hidden or commented out references to paths on your server.
Risk(s):
Gain access to developers' code or other non-public files.
Example:
<!-- my old path /webroot/ol/bleh.asp -->
Application Mapping
Exposes and follows all known (and unknown) links located on your site.
Risk(s):
Attackers gain information for vulnerability checking and application testing.
Directory Enumeration
Finds all directory paths and possibilities on the application server.
Risk(s):
Gain sensitive information and an accurate map of the targeted site.
Backup Checking
Checks for common folders where backup source code files are kept.
Risk(s):
Receiving all the source code for a site due to improper permissions.
Example:
Administrators leave backup copies of their site stored somewhere on their server.
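Extension Checking, Common File Checks, Data Extension Checking, Hidden Web Paths and Backup Checking all exploit things an administrator or developer left on the server. The cheapest defence is to look for them first: a periodic audit of the document root for backup suffixes, well-known leftover names, backup folders and HTML comments that reference server paths. The following is an added example, not a tool from the presentation; the suffix list, name patterns, folder names and the sample site tree are assumptions constructed for the illustration, and the sample tree is written to a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Suffixes and names that commonly mark backups, editor copies, renamed-away
# scripts or deployment leftovers. Extend the lists for your own stack.
SUSPECT_SUFFIXES = (".old", ".bak", ".back", ".orig", ".save", ".swp", ".tmp", "~")
SUSPECT_NAMES = re.compile(r"^(admin|test|deploy|backup|copy of)", re.IGNORECASE)
BACKUP_DIR_NAMES = {"backup", "backups", "bak", "old", "_old"}
SCANNED_PAGE_SUFFIXES = (".htm", ".html", ".asp", ".php")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
PATH_LIKE = re.compile(r"/[\w./-]+\.(?:asp|php|jsp|cgi|pl)\b", re.IGNORECASE)


def audit_webroot(webroot: str) -> list:
    """Walk the document root and return sorted (category, detail) findings."""
    findings = []
    for dirpath, dirs, files in os.walk(webroot):
        for d in dirs:
            if d.lower() in BACKUP_DIR_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, d), webroot).replace(os.sep, "/")
                findings.append(("backup-dir", rel))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(SUSPECT_SUFFIXES):
                findings.append(("leftover-file", rel))
            elif SUSPECT_NAMES.match(lower):
                findings.append(("common-file", rel))
            if lower.endswith(SCANNED_PAGE_SUFFIXES):
                # Comments are sent to every browser: a path mentioned in one is public.
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for comment in HTML_COMMENT.findall(fh.read()):
                        for m in PATH_LIKE.finditer(comment):
                            findings.append(("commented-path", f"{rel} -> {m.group(0)}"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample site tree mirroring the slides' examples."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    files = {
        "index.html": "<html><!-- my old path /webroot/ol/bleh.asp --><body>hi</body></html>",
        "hi.asp": '<% Response.Write("hi") %>',
        "hi.asp.old": "old source",
        "hi.back": "old source",
        "admin.htm": "<html>admin</html>",
        "img/logo.gif": "GIF89a",
        "old/site.zip": "not really a zip",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for category, detail in audit_webroot(build_sample_webroot()):
        print(f"{category:15s} {detail}")
```

Running the audit from a deployment pipeline, and failing the deployment when it reports anything, removes the material before the Extension, Common File and Backup checks on the earlier slides have anything to find.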
Cookie Manipulation
Cookies are not securely encoded, allowing a hacker to modify them.
Risk(s):
Bypassing authentication; gaining access to other users' accounts and information.
Example:
"Poisoning" the cookies (user IDs and timestamps)
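The cookie slide's risk exists because the server accepts back whatever user ID and timestamp it handed out without checking that they are unchanged. Attaching a keyed MAC to the cookie lets the server detect any modification. This is an added example, not code from the presentation; the secret key, the cookie layout (`user_id|issued_at|mac`) and the function names are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Assumed server-side secret for this example; a real deployment loads it from
# configuration or a secret store and never sends it to the client.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 3600


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url-encoded without padding."""
    digest = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def issue_cookie(user_id: int, issued_at: int) -> str:
    """Build 'user_id|issued_at|mac'. The fields stay readable (signing is not
    encryption), but any change to either of them invalidates the MAC."""
    payload = f"{user_id}|{issued_at}".encode("ascii")
    return f"{payload.decode('ascii')}|{_mac(payload)}"


def verify_cookie(cookie: str, now: int, max_age: int = MAX_AGE_SECONDS):
    """Return the user id for a valid, unexpired cookie, otherwise None."""
    try:
        user_field, ts_field, mac = cookie.split("|")
        # Re-derive the exact bytes that were signed from the parsed values.
        payload = f"{int(user_field)}|{int(ts_field)}".encode("ascii")
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(_mac(payload), mac):
        return None  # tampered or forged (constant-time comparison)
    if now - int(ts_field) > max_age:
        return None  # stale: the timestamp is bound by the MAC, so it cannot be refreshed by the client
    return int(user_field)


if __name__ == "__main__":
    cookie = issue_cookie(42, 1_000_000)
    print("issued  :", cookie)
    print("valid   :", verify_cookie(cookie, 1_000_100))
    print("edited  :", verify_cookie("7" + cookie[2:], 1_000_100))
    print("expired :", verify_cookie(cookie, 1_000_000 + 3601))
```

Changing the user ID, the timestamp or the MAC itself makes verification fail, which closes the "poisoning" path on the slide. If the contents must also be hidden from the user, add encryption (an authenticated mode such as AES-GCM) rather than replacing the MAC with obfuscation.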
Layer 7 - Security Recommendations
• Implement Application Firewall(s)
• Password Strength
• System and Web Server Logging
• Input Sanitization
• Two-factor Authentication
• Update Patches
• Remove Banners
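The "System and Web Server Logging" recommendation only pays off if someone reads the logs for the attack techniques catalogued earlier in the deck. The following is an added example, not a tool from the presentation; the indicator patterns, the log format (Apache-style common log format) and the sample log lines are constructed for the illustration, with RFC 5737 documentation addresses as the client IPs. It tags each request with the technique it resembles and lists clients that trip more than one indicator.

```python
import re
from urllib.parse import unquote

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# (name, pattern, applies-to-path-only) indicators matching the deck's techniques.
INDICATORS = [
    ("traversal", re.compile(r"(^|/)\.\.(/|$)"), True),
    ("backup-probe", re.compile(r"\.(old|bak|back|orig)$", re.IGNORECASE), True),
    ("script-tag", re.compile(r"<script", re.IGNORECASE), False),
    ("sql-quote", re.compile(r"'"), False),
]

# Constructed sample log: two ordinary requests, then four probes from one client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2002:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2002:13:55:40 -0700] "GET /customers/id/993/details.html HTTP/1.0" 200 812
198.51.100.9 - - [10/Oct/2002:13:56:01 -0700] "GET /../../../password HTTP/1.0" 403 0
198.51.100.9 - - [10/Oct/2002:13:56:05 -0700] "GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 1200
198.51.100.9 - - [10/Oct/2002:13:56:09 -0700] "GET /login.asp?user=bob%27 HTTP/1.0" 500 0
198.51.100.9 - - [10/Oct/2002:13:56:12 -0700] "GET /hi.asp.old HTTP/1.0" 404 0
"""


def analyze(log_text: str) -> list:
    """Return (ip, raw_path, [indicator names]) for every request that matches."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw_path = m["path"]
        decoded = unquote(raw_path)          # decode once, like the server does
        path_only = decoded.split("?", 1)[0]
        hits = [
            name for name, pattern, path_scope in INDICATORS
            if pattern.search(path_only if path_scope else decoded)
        ]
        if hits:
            alerts.append((m["ip"], raw_path, hits))
    return alerts


def offenders(alerts: list, threshold: int = 2) -> list:
    """Clients with at least `threshold` flagged requests, sorted."""
    counts: dict = {}
    for ip, _, _ in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, path, hits in found:
        print(f"{ip:14s} {','.join(hits):14s} {path}")
    print("repeat offenders:", offenders(found))
```

Decoding the path once before matching is what catches the percent-encoded script tag and quote; matching the raw line would miss both. The same indicator table can feed a log-shipping pipeline or an IDS rule set, and the status codes in the sample (403, 500, 404) show why failed requests deserve as much attention as successful ones.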
Architectural Infrastructure & Design
• Web server / Web application / Database server demilitarized zones (DMZ)
• End to end encryption (SSL)
• Two-factor authentication
• Application Traffic Management
• Firewall Access Control
• Load-balancing/High Availability
• Web application firewalls
Manual Vulnerability Mitigation
• Knowledge of application interfaces
• Inspection of all client scripts and pages
• Consideration of 3rd party code
• Ability to obtain and understand current vulnerabilities
Manual Vulnerability Mitigation
• Multiple points of failure
• Vulnerabilities / Bugs discovered weekly
• Site complexity
• Application development time demands
• Creative vs. productive vs. paranoid
Offensive Tools - Commercial
Network & Known Vulnerability Scanners
– ISS / Internet Scanner
– NAI / CyberCop
– eEye / Retina
– SPI Dynamics / WebInspect
Network & Known Vulnerability Scanning Services
– Qualys
– FoundStone
Application Scanners
– Sanctum / AppScan
Offensive Tools – Public Domain
Known Vulnerability Scanners
– Whisker
– Nessus
Proxy Scanners
– Achilles
– HTTPush
– RFProxy
Defensive Measures
Content Integrity
– TripWire
– Gilian
Network Separation
– Whale
– SpearHead
Access Control
– Netegrity
– Securant
Defensive Measures
Protected OS
– Argus
– HP
Known Attack Detection
– Entercept
– eEye
Application Protection
– Sanctum
Summary
Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI)
$18 billion in lost sales forecasted due to security concerns in 2002 (according to the Federal Trade Commission)
75% of attacks are at the application level (Gartner Group): network firewalls and network scanning are mandatory but NOT enough
Performing application level audits and/or application level prevention and detection is crucial.
Automatic tools exist that can assist in securing the application.
FishNet Security - Contacts
Paul Klahn, Director of Assessment Services
FishNet Security, 888-732-9406