Web Application Security “The Forgotten Layer” Paul Klahn, CISSP November 21, 2002


Web Application Security

“The Forgotten Layer”

Paul Klahn, CISSP

November 21, 2002

Web Application Security

Informational website

E-commerce website

Extranet

Search Engine

Transaction Engine

“75% of hacks occur at the Application Layer”

“3 of 4 business websites are vulnerable to attack”

(Gartner)

The Threat is Real

But I Have a Firewall!!

Firewall

Intrusion Detection

Authentication

Antivirus

A Firewall is NOT enough

A firewall allows authorized incoming Internet traffic into the network from outside via ports 80 and 443.

HTTP = port 80, HTTPS = port 443

IDS, SSL and data encryption, passwords, or standard scanning will not protect you from application layer attacks.

Three Pieces to the Puzzle

The Web Server: Microsoft IIS, Netscape Commerce, Apache

Front-End Server Code: code that makes up the Web page

Back-End Server Code: access to a database or other application

Three Pieces to the Puzzle

The Web Server: Microsoft IIS, Netscape Commerce, Apache

Owner: System Administrator

Front-End Server Code: code that makes up the Web page

Owner: Web Designer, Programmer

Back-End Server Code: access to a database or other application

Owner: Database admin, Programmer

Application Layer

Browser

User Input HTML/HTTP

Web Server

User Interface Code

Front End Application

Backend Application

Database

Data

Application Weaknesses

System Architecture

System Configuration

Application Design

Implementation Configuration

Operations

Application Risks

Incorrect Calculations

Theft, Integrity issues

Data accessed by unauthorized users

Data theft or loss: proprietary data, integrity, privacy issues

Denial of Service: disruption of business operations

Critiquing the Web Application Level

Architectural Infrastructure & Design

Development Languages

Web and Database Servers

Programming code principles

Development Languages

Sun (Java, JavaBeans, JavaScript, J2EE)

Microsoft (Active Server Pages, Site Server, .NET, and Commerce Server)

Open source community (PHP, HTML, XML)

Others (ColdFusion, Perl, CGI)

Most Common Attack Techniques

• Parameter Manipulation

• Known Vulnerability Checks

• Extension Checking

• Common File Checks

• Data Extension Checking

• Brute Force

• Path Truncation

• Hidden Web Paths

• Web Server Testing

• Application Mapping

• Directory Enumeration

• Backup Checking

• Cookie Manipulation

Parameter Manipulation

• Cross-Site Scripting

• SQL Injection

• Reverse Directory Traversal

• Buffer Overflow

• Hidden Field Manipulation

Involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user.

Cross-Site Scripting

Occurs when dynamically generated web pages display input that is not properly validated.

• Search Engines

• Error Message

• Forms

• Web Message Boards

Risks:

Compromise of confidential information; manipulation or theft of cookies; requests that are mistaken for those of a valid user; execution of malicious code.
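The slide's point is that the page echoes unvalidated input back to the browser. The following added example (written for this page, not code from the presentation) contrasts a search page that echoes the term unmodified with one that encodes it for the HTML context it lands in. All inputs are constructed; html.escape is the standard-library encoder.

```python
import html

# Constructed sample inputs for this example (not taken from the slides).
SAMPLE_INPUTS = {
    "benign": "quarterly report",
    "hostile_text": "<script>alert(document.cookie)</script>",
    "hostile_attr": '" onfocus="alert(1)" autofocus="',
}


def render_results_vulnerable(term: str) -> str:
    """Echo the search term into the page unmodified: the flaw the slide describes."""
    return f"<p>Results for: {term}</p>"


def render_results_safe(term: str) -> str:
    """Encode the term for an HTML text node before echoing it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_input_vulnerable(value: str) -> str:
    """Reflect a value into an attribute unmodified: a quote ends the attribute early."""
    return f'<input type="text" name="q" value="{value}">'


def render_input_safe(value: str) -> str:
    """Encode for an attribute context; quote=True also escapes the quote characters."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def contains_active_markup(page: str) -> bool:
    """Test helper: does a real tag or an attribute break-out survive in the output?"""
    lowered = page.lower()
    return "<script" in lowered or '" onfocus=' in lowered


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        print(label, "text:", render_results_safe(value))
        print(label, "attr:", render_input_safe(value))
```

Encoding is chosen per output context: the same value needs entity encoding in a text node and quote encoding inside an attribute, which is why the safe renderers pass quote=True.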

Cross-Site Scripting

Diagram: (1) The user receives a link reading "Press this link to get to your bank"; the underlying link is http://www.mybank.com?a=<evil javascript>. (2) The injected JavaScript shows an "Enter your login information" form with Username and Password fields. (3) The JavaScript program collects and sends the user names and passwords.

Cross-Site Scripting

Diagram: the user starts at the Real Site, is sent to a Fake Hacker Site that collects usernames and passwords, and is then redirected back to the real site, making the detour look transparent.

SQL Injection

Act of passing SQL code not intended by the developer into an application.

Example:

Potentially malicious input, such as a single quote ('), which closes the SQL string early.

Risks:

Unintended system and application access
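To make the slide's quote example concrete, here is an added example (not from the presentation) using Python's built-in sqlite3 module with a constructed in-memory users table. The vulnerable lookup splices the username into the SQL text, so a lone quote breaks the statement and a crafted value rewrites its logic; the safe lookup binds the value as a parameter, so the same input is only ever compared as data.

```python
import sqlite3

# Constructed sample data for this example.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the caller's text becomes part of the SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the driver keeps the value separate from the statement."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def quote_breaks_query(conn: sqlite3.Connection) -> bool:
    """Show the slide's point: a single quote alone leaves the SQL string unterminated."""
    try:
        lookup_vulnerable(conn, "'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", lookup_vulnerable(db, "bob"))
    print("quote breaks vulnerable query:", quote_breaks_query(db))
    print("tautology against safe lookup:", lookup_safe(db, "x' OR 'a'='a"))
```

The hardened version changes nothing about the query text; it only moves the user's value out of the statement and into the parameter list, which is the fix to apply to every query that takes external input.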


Reverse Directory Traversal

Sending malformed URL strings to access non-public portions of the web server’s content.

Example:

Adding ../ sequences to an existing URL and adjusting the number of directories to traverse (for example, www.server.com/../../../password).

Risks:

Gain access to a system
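The defence the slide implies is that the server must never let a request path climb out of the document root. The added example below (not part of the presentation) maps a request path onto a hypothetical web root /var/www/html using only lexical checks, so it runs without touching a filesystem; it rejects any parent reference, including URL-encoded and double-encoded forms, backslashes, and embedded NUL bytes. A real server would additionally resolve symlinks with os.path.realpath.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # hypothetical document root for this example


def resolve_web_path(request_path: str, webroot: str = WEBROOT, max_decodes: int = 3):
    """Map a request path to a file under webroot, or return None if it would escape."""
    decoded = request_path
    # Decode repeatedly: a single pass misses double-encoded "%252e%252e".
    for _ in range(max_decodes):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        return None  # a NUL byte can truncate the path inside a C-based server
    decoded = decoded.replace("\\", "/")  # Windows servers also accept backslashes
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None  # any parent reference is rejected outright, wherever it sits
    candidate = posixpath.normpath(posixpath.join(webroot, *parts))
    # Final containment check: the result must still lie inside webroot.
    root = webroot.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/docs/index.html", "/../../../password", "/%2e%2e/etc/passwd"):
        print(path, "->", resolve_web_path(path))
```

Rejecting the request outright, rather than silently collapsing the ".." components, is deliberate: a traversal attempt is worth logging as a probe, and normalising it away would hide that signal.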


Buffer Overflow

Something very large being placed in a box far too small for it to fit in.

Risks:

Gain complete control of a system.

Example:

Executing malicious code in the context of the local system's security.


Hidden Field Manipulation

Modifying hidden parameters in the HTML, and then submitting the altered values to the remote server.

Risk(s):

Loss of revenue

Example:

Change pricing data on a site.


Known Vulnerability Checks

All exploitable holes and bugs in operating systems, web servers, applications, and other third-party components that have been published, posted, or otherwise communicated.

Risk(s):

Exploit systems where patches have not been installed in a timely fashion.

Known Vulnerability Checks

/msadc/..à?¯..à?¯..à?¯..à..¯?/winnt/system32/cmd.exe?/c+dir+c:

Extension Checking

Backup files and scripts on the web server.

Risk(s):

Retrieving a script's source code

Example:

An attacker who finds hi.asp might search for hi.old and hi.back

Common File Checks

Commonly existing duplicate, uploaded, and hidden files that should be removed from the web server.

Risk(s):

Detailed information that attackers can use to compromise a site.

Example:

Admin.htm, test.htm, and deploy.exe

Data Extension Checking

Finding old renamed files left on the server.

Risk(s):

Retrieving a script's source code

Example:

An attacker might find hi.asp and then search for hi.asp.back or hi.asp.old
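Extension Checking, Common File Checks and Data Extension Checking all look for the same administrative slip: files left in the web root that the server will happily hand out as plain text. The added example below (written for this page, not a tool from the presentation) is the defender's side of that check, a small audit over a constructed directory listing that flags backup copies of scripts (hi.old beside hi.asp), script files with a trailing backup extension (hi.asp.bak, which the script engine no longer handles), the slide's leftover file names, and files kept in backup-style folders. The suffix and folder lists are assumptions chosen for the example.

```python
import posixpath

# Constructed directory listing of a hypothetical web root (not from the slides).
SAMPLE_LISTING = [
    "index.asp", "hi.asp", "hi.old", "hi.back", "hi.asp.bak",
    "login.asp", "login.asp~", "admin.htm", "test.htm", "deploy.exe",
    "images/logo.gif", "old/hi.asp", "inc/settings.asp",
]

SCRIPT_EXTENSIONS = (".asp", ".php", ".pl", ".cgi", ".jsp")
BACKUP_SUFFIXES = (".old", ".bak", ".back", ".orig", ".save", ".tmp", "~")  # assumed list
LEFTOVER_NAMES = {"admin.htm", "test.htm", "deploy.exe"}  # the slide's own examples
BACKUP_FOLDERS = {"old", "backup", "bak", "archive"}  # assumed list


def strip_backup_suffix(name: str):
    """Return the name without its backup suffix, or None if it has none."""
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return None


def classify(path: str, listing) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    name = posixpath.basename(path).lower()
    directory = posixpath.dirname(path).lower()
    findings = []
    stripped = strip_backup_suffix(name)
    if stripped is not None:
        if stripped.endswith(SCRIPT_EXTENSIONS):
            # hi.asp.bak: the engine ignores .bak, so the source is served verbatim
            findings.append("data extension: script source served as plain text")
        else:
            # hi.old: is there a script with the same stem in the same directory?
            siblings = {posixpath.basename(p).lower() for p in listing
                        if posixpath.dirname(p).lower() == directory}
            if any(stripped + ext in siblings for ext in SCRIPT_EXTENSIONS):
                findings.append("extension check: backup copy of a script")
            else:
                findings.append("backup extension")
    if name in LEFTOVER_NAMES:
        findings.append("common leftover file")
    if directory and posixpath.basename(directory) in BACKUP_FOLDERS:
        findings.append("backup folder")
    return findings


def audit(listing) -> dict:
    """Map each flagged path to its findings."""
    results = {}
    for path in listing:
        findings = classify(path, listing)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_LISTING).items():
        print(f"{path}: {'; '.join(findings)}")
```

Running this against a real document root (os.walk in place of the constructed list) turns the attacker's file-guessing checklist into a routine deployment check, which is cheaper than discovering the leak from the server logs.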

Forceful Browsing

Checks for all variations of commonly existing files.

Risk(s):

Gain access to system

Example:

A password file search would encompass files including psswd.txt, password.htm, password.dat, and all other variations.


Path Truncation

Looking for directory listings or unusual errors within each truncation.

Risk(s):

Gain access to system

Example:

Given a link /customers/id/993/details.html, each truncation is checked for vulnerabilities:

/customers/id/993

/customers/id/

/customers/

Hidden Web Paths

Finding hidden or commented out references to paths on your server.

Risk(s):

Gain access to developers code, or other non-public files.

Example:

<!-- my old path /webroot/ol/bleh.asp -->

Application Mapping

Exposes and follows all known (and unknown) links located on your site.

Risk(s):

Attacker gains information for vulnerability checking and application testing.

Directory Enumeration

Finds all directory paths and possibilities on the application server.

Risk(s):

Gain sensitive information and an accurate map of the targeted site.

Backup Checking

Checks for common folders where backup source code files are kept.

Risk(s):

Receiving all the source code for a site due to improper permissions.

Example:

Administrators leave backup copies of their site stored somewhere on their server.

Cookie Manipulation

Cookies are not securely encoded, allowing a hacker to modify them.

Risk(s):

Bypassing authentication; gaining access to the accounts and information of other users.

Example:

“Poisoning” the cookies (User ID’s and timestamps)
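Hidden Field Manipulation and Cookie Manipulation are the same mistake seen twice: the server trusts state that the client can rewrite. The added example below (not code from the presentation) shows both fixes side by side. For the price, the hardened checkout ignores any price the form sends and looks it up in a server-side catalog; for the session, the hardened handler only accepts a cookie carrying an HMAC computed with a server secret, so a "poisoned" user ID or timestamp fails verification. The secret, catalog, and cookie format are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-secret-for-this-example"  # hypothetical; keep real keys out of source
CATALOG = {"SKU-100": 4999, "SKU-200": 1999}  # constructed prices in cents, held server-side


def sign(payload: dict) -> str:
    """Serialise a payload and append an HMAC-SHA256 tag over it."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str):
    """Return the payload if the tag matches, otherwise None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


# --- Hidden field manipulation -------------------------------------------------

def checkout_vulnerable(form: dict) -> int:
    """Trusts a hidden 'price' field posted back from the browser."""
    return int(form["qty"]) * int(form["price"])


def checkout_safe(form: dict) -> int:
    """The form only names the SKU; the price comes from the server-side catalog."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return int(form["qty"]) * CATALOG[sku]


# --- Cookie manipulation -------------------------------------------------------

def session_user_vulnerable(cookie: str) -> int:
    """Reads 'uid=<n>' straight out of the cookie, so anyone can pick a user ID."""
    fields = dict(kv.strip().split("=", 1) for kv in cookie.split(";"))
    return int(fields["uid"])


def issue_session_cookie(uid: int, ttl: int = 3600) -> str:
    """Cookie value carrying the user ID and an expiry, protected by the HMAC tag."""
    return sign({"uid": uid, "exp": int(time.time()) + ttl})


def session_user_safe(cookie: str):
    """Return the user ID only if the tag verifies and the cookie has not expired."""
    data = verify(cookie)
    if data is None or data.get("exp", 0) < time.time():
        return None
    return data["uid"]


if __name__ == "__main__":
    print("tampered price accepted:", checkout_vulnerable({"qty": "1", "price": "1"}))
    print("catalog price used:", checkout_safe({"qty": "1", "sku": "SKU-100"}))
    cookie = issue_session_cookie(42)
    print("valid cookie ->", session_user_safe(cookie))
    print("forged cookie ->", session_user_safe("uid=1"))
```

Signing stops tampering but not replay: the expiry field limits how long a captured cookie stays useful, and the cookie still needs the Secure flag and SSL on the wire, which is what the deck's "end to end encryption" recommendation covers.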


Layer 7 - Security Recommendations

• Implement Application Firewall(s)

• Password Strength

• System and Web Server Logging

• Input Sanitization

• Two-factor Authentication

• Update Patches

• Remove Banners

Architectural Infrastructure & Design

• Web server / Web application / Database server demilitarized zones (DMZ)

• End to end encryption (SSL)

• Two-factor authentication

• Application Traffic Management

• Firewall Access Control

• Load-balancing/High Availability

• Web application firewalls

Manual Vulnerability Mitigation

• Knowledge of application interfaces

• Inspection of all client scripts and pages

• Consideration of 3rd party code

• Ability to obtain and understand current vulnerabilities

Manual Vulnerability Mitigation

• Multiple points of failure

• Vulnerabilities / Bugs discovered weekly

• Site complexity

• Application development time demands

• Creative vs. productive vs. paranoid

Offensive Tools - Commercial

Network & Known Vulnerability Scanners

– ISS / Internet Scanner

– NAI / CyberCop

– eEye / Retina

– SPI Dynamics / WebInspect

Network & Known Vulnerability Scanning Services

– Qualys

– FoundStone

Application Scanners

– Sanctum / AppScan

Offensive Tools – Public Domain

Known Vulnerability Scanners

– Whisker

– Nessus

Proxy Scanners

– Achilles

– HTTPush

– RFProxy

Defensive Measures

Content Integrity

– TripWire

– Gilian

Network Separation

– Whale

– SpearHead

Access Control

– Netegrity

– Securant

Defensive Measures

Protected OS

– Argus

– HP

Known Attack Detection

– Entercept

– eEye

Application Protection

– Sanctum

Summary

Hackers victimized 90% of large corporations and government agencies within the last 12 months (CSI and FBI)

$18 Billion in lost sales forecasted due to security concerns in 2002 (according to the Federal Trade Commission)

75% of attacks are at the application level (Gartner Group): network firewalls and network scanning are mandatory but NOT enough

Performing application level audits and/or application level prevention and detection is crucial.

Automatic tools exist that can assist in securing the application.

FishNet Security - Contacts

Paul Klahn, Director of Assessment Services

FishNet Security, 888-732-9406

[email protected]