8/2/2019 Web Sec DEEPTI http://slidepdf.com/reader/full/web-sec-deepti 1/21 Web Security : Vulnerability and Threats Presented by Deepti Patole


Page 1: Web Sec DEEPTI


Web Security: Vulnerability and Threats

Presented by Deepti Patole

Page 2: Web Sec DEEPTI


A Brief History of the World

Page 3: Web Sec DEEPTI

Web Application Security

Securing the "custom code" that drives a web application

Securing libraries

Securing backend systems

Securing web and application servers

Network security mostly ignores the contents of application-layer traffic such as HTTP traffic.

Page 4: Web Sec DEEPTI

Why do we need Security

Protect vital information while still allowing access to those who need it

Provide authentication and access control for resources

Guarantee availability of resources

Page 5: Web Sec DEEPTI

Vulnerability

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

Page 6: Web Sec DEEPTI

Vulnerabilities that affect the current systems

Injection

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

Page 7: Web Sec DEEPTI

Who is vulnerable?

Financial institutions and banks

Internet service providers

Pharmaceutical companies

Government and defense agencies

Contractors to various government agencies

Multinational corporations

ANYONE ON THE NETWORK

Page 8: Web Sec DEEPTI


Vulnerability Lifecycle

Page 9: Web Sec DEEPTI

Vulnerability Lifecycle (Cont..)

Bug:

The bug is the precursor to a vulnerability.

Vulnerability:

If the bug can be reproduced reliably (e.g. for bypassing authentication, to cause a memory stack overflow, to allow access to 'restricted' content, etc.) it will subsequently be classified as a security vulnerability.

Page 10: Web Sec DEEPTI

Vulnerability Lifecycle (Cont..)

Proof-of-concept: realization of a certain method or idea(s) to demonstrate its feasibility.

Exploit: An exploit is code that takes advantage of a software vulnerability or security hole. Once exploit code is generally available the threat escalates.

Malware and Tool Integration:

Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term used to refer to both viruses and Trojans, which respectively include replicating and non-replicating malicious code. Rapid integration of the bug into malware or security assessment and penetration tools sees the threat reach maximum potential.

Page 11: Web Sec DEEPTI

Since vulnerabilities are almost always associated with a particular software flaw, they are usually remediated via a software patch (or update).

Phases of the vulnerability lifecycle: Disclosed, Existing, Fixed, Eradicated

Page 12: Web Sec DEEPTI

Web Threat:

A web threat is any threat that uses the internet to facilitate cybercrime.

Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email, or malware attachments or on servers that access the Web.

They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

Page 13: Web Sec DEEPTI

Threat classification: STRIDE

Spoofing of user identity
Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.

Tampering
Deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.

Repudiation
A threat action whereby an entity deceives another by falsely denying responsibility for an act.

Information disclosure (privacy breach or data leak)

Denial of Service (DoS)
Killing of user threads, filling up disk or memory, etc.

Elevation of privilege
A lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications.

Page 14: Web Sec DEEPTI

DREAD

DREAD is a classification scheme used by Microsoft for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat.

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.

Page 15: Web Sec DEEPTI

DREAD (Cont..)

Damage Potential - If a threat exploit occurs, how much damage will be caused?
0 = Nothing; 5 = Individual user data is compromised or affected; 10 = Complete system or data destruction

Reproducibility - How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.

Exploitability - What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available tools.
10 = Just a web browser

Affected Users - How many users will be affected?
0 = None; 5 = Some users, but not all; 10 = All users

Discoverability - How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.
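A worked DREAD calculation, added here as an example and not part of the original slides. It applies the Risk_DREAD formula from the previous slide and the 0/5/10 scale above to a constructed threat list for a hypothetical web-mail application; the threat names and their component scores are assumptions chosen to show the ranking, and the range check rejects scores the scale does not define.

```python
"""DREAD risk scoring: Risk_DREAD = (D + R + E + A + D) / 5.

Added example, not code from the original deck. The threat names and
scores in SAMPLE_THREATS are constructed; only the formula and the
0..10 scale come from the slides.
"""
from dataclasses import dataclass

# The five DREAD factors, each scored 0..10 using the slide's scale.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # A score outside 0..10 is a data-entry error; refuse it rather than
        # silently producing a risk number that merely looks plausible.
        for factor in FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(
                    f"{self.name}: {factor} must be an integer 0..10, got {value!r}")

    def dread(self) -> float:
        # Average of the five factors; always lands in the range 0..10.
        return sum(getattr(self, factor) for factor in FACTORS) / 5


def rank_threats(threats):
    """Return (name, score) pairs ordered from highest to lowest risk."""
    scored = ((t.name, t.dread()) for t in threats)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample threat model for a hypothetical web-mail application.
SAMPLE_THREATS = [
    # Reachable with only a browser, affects everyone, widely documented class.
    Threat("SQL injection in message search",
           damage=10, reproducibility=10, exploitability=10,
           affected_users=10, discoverability=9),
    # Needs physical access to a shared machine; hits the users of that machine.
    Threat("Session left open on shared computer",
           damage=5, reproducibility=5, exploitability=10,
           affected_users=5, discoverability=5),
    # Leaks implementation detail but no user data on its own.
    Threat("Verbose stack trace on error page",
           damage=0, reproducibility=10, exploitability=10,
           affected_users=0, discoverability=9),
]

if __name__ == "__main__":
    for name, score in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {name}")
```

The ranking is only as good as the consistency of the scoring: two reviewers who read "5 = Some users" differently will produce different orders, so the scale definitions on this slide should be quoted next to every score that is recorded.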

Page 16: Web Sec DEEPTI

Threat Graph

Attacker may be able to read other users' information

User may not have logged off on a shared computer

Data validation may fail, allowing SQL injection
Implement data validation

Authorization may fail, allowing unauthorized access
Implement authorization checks

Browser cache may contain contents of message
Implement anti-caching HTTP headers

If risk is high, use SSL
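The three countermeasures in the graph above (data validation, authorization checks, anti-caching HTTP headers) carried through in one added example; this is not code from the original slides. It assumes a small in-memory SQLite table of messages and two user names, alice and bob, all constructed for illustration, and it shows each check rejecting the corresponding failure from the graph: a non-numeric message id, a request for another user's message, and a response that a shared browser would otherwise cache.

```python
"""Countermeasures from the threat graph: validate input, bind SQL
parameters, check ownership, and send anti-caching headers.

Added example, not code from the original deck. The messages table,
the user names and the header values are constructed for illustration.
"""
import re
import sqlite3

# --- Data validation: a message id is 1-10 digits, nothing else. Anything
# that fails this test never reaches the database.
MESSAGE_ID = re.compile(r"^[0-9]{1,10}$")


def validate_message_id(raw: str) -> int:
    if not MESSAGE_ID.match(raw):
        raise ValueError("message id must be 1-10 digits")
    return int(raw)


def fetch_message(conn, raw_id: str, current_user: str):
    """Return (owner, body) for a message the caller owns, or None if absent.

    Raises ValueError on malformed input and PermissionError when the
    message belongs to someone else.
    """
    msg_id = validate_message_id(raw_id)          # data validation
    # The id is passed as a bound parameter, never concatenated into the
    # SQL text, so the database always treats it as data.
    row = conn.execute(
        "SELECT owner, body FROM messages WHERE id = ?", (msg_id,)
    ).fetchone()
    if row is None:
        return None
    owner, body = row
    if owner != current_user:                     # authorization check
        raise PermissionError("caller is not the owner of this message")
    return owner, body


# --- Anti-caching headers so a browser on a shared computer does not keep
# a copy of the message after the user walks away.
def anti_cache_headers() -> dict:
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def build_demo_db():
    """Constructed sample data: two messages owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        (1, "alice", "lunch at noon?"),
        (2, "bob", "quarterly numbers attached"),
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_message(db, "1", "alice"))        # alice reads her own message
    for raw in ("1 OR 1=1", "2"):                 # malformed id; bob's message
        try:
            print(fetch_message(db, raw, "alice"))
        except (ValueError, PermissionError) as err:
            print(f"{raw!r}: rejected ({err})")
    print(anti_cache_headers())
```

The ownership check sits after the query on purpose: a missing message and a forbidden message are both reported to the caller without revealing which of the two it was, and the headers are attached to the response by the web framework in use, which is outside this snippet.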

Page 17: Web Sec DEEPTI

Malware Threat Lifecycle

Worms—the most insidious form of malware—are self-propagating and network-centric, and typically evolve through four sequential phases, as observed in the following graph.

Page 18: Web Sec DEEPTI

Examples of web Threats

In September 2008, malicious hackers broke into several sections of BusinessWeek.com to redirect visitors to malware-hosting websites. Hundreds of pages were compromised with malicious JavaScript pointing to third-party servers.

In August 2008, popular social networking sites were hit by a worm using social engineering techniques to get users to install a piece of malware. The worm installs comments on the sites with links to a fake site. If users follow the link, they are told they need to update their Flash Player. The installer then installs malware rather than the Flash Player. The malware then downloads a rogue anti-spyware application, AntiSpy Spider.

Page 19: Web Sec DEEPTI

Conclusion

Organizations need to be aware that old threats never actually retire from the digital landscape. Rather, they tend to become background noise on the Internet, ready to burst into life with each new software update, host recovery, device deployment or embedded system release.

At the same time, developers and users must be educated about security in the face of continuously emerging threats.


Page 21: Web Sec DEEPTI


Thank you