8/2/2019 Web Sec DEEPTI
http://slidepdf.com/reader/full/web-sec-deepti 1/21
Web Security: Vulnerability and Threats
Presented by
Deepti Patole
A Brief History of the World
Web Application Security
Securing the "custom code" that drives a web application
Securing libraries
Securing backend systems
Securing web and application servers
Network security mostly ignores the contents of application layer traffic such as HTTP traffic.
Why do we need security?
Protect vital information while still allowing access to those who need it
Provide authentication and access control for resources
Guarantee availability of resources
Vulnerability
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.
Vulnerabilities that affect the current systems
Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
Who is vulnerable?
Financial institutions and banks
Internet service providers
Pharmaceutical companies
Government and defense agencies
Contractors to various government agencies
Multinational corporations
ANYONE ON THE NETWORK
Vulnerability Lifecycle
Vulnerability Lifecycle (Cont..)
Bug:
The bug is the precursor to a vulnerability.
Vulnerability:
If the bug can be reproduced reliably (e.g. for bypassing authentication, to cause a memory stack overflow, to allow access to 'restricted' content, etc.) it will subsequently be classified as a security vulnerability.
Vulnerability Lifecycle (Cont..)
Proof-of-concept: realization of a certain method or idea(s) to demonstrate its feasibility.
Exploit: An exploit is code that takes advantage of a software vulnerability or security hole.
Once exploit code is generally available, the threat escalates.
Malware and Tool Integration:
Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term used to refer to both viruses and Trojans, which respectively include replicating and non-replicating malicious code.
Rapid integration of the bug into malware or security assessment and penetration tools sees the threat reach maximum potential.
Since vulnerabilities are almost always associated with a particular software flaw, they are usually remediated via a software patch (or update).
Phases of the vulnerability lifecycle: Disclosed, Existing, Fixed, Eradicated
Web Threat:
A web threat is any threat that uses the internet to facilitate cybercrime.
Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email, or malware attachments or on servers that access the Web.
They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.
Threat classification: STRIDE
Spoofing of user identity
Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.
Tampering
Deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.
Repudiation
A threat action whereby an entity deceives another by falsely denying responsibility for an act.
Information disclosure (privacy breach or data leak)
Denial of Service (D.o.S.)
Killing of user threads, filling up disk or memory, etc.
Elevation of privilege
A lower privilege user or application accesses functions or content reserved for higher privilege users or applications.
DREAD
DREAD is a classification scheme used by Microsoft for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat.
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.
DREAD (Cont..)
Damage Potential - If a threat exploit occurs, how much damage will be caused?
0 = Nothing; 5 = Individual user data is compromised or affected; 10 = Complete system or data destruction
Reproducibility - How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.
Exploitability - What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available tools.
10 = Just a web browser
Affected Users - How many users will be affected?
0 = None; 5 = Some users, but not all; 10 = All users
Discoverability - How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.
Threat Graph
Attacker may be able to read other users' information
User may not have logged off on a shared computer
Data validation may fail, allowing SQL injection
  Mitigation: Implement data validation
Authorization may fail, allowing unauthorized access
  Mitigation: Implement authorization checks
Browser cache may contain contents of message
  Mitigation: Implement anti-caching HTTP headers
  Mitigation: If risk is high, use SSL
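The following is an added example, not part of the original slides: it applies the DREAD formula and rubric from the DREAD slides to the three leaf threats of the threat graph above and ranks them against their listed mitigations. The component ratings and the High/Medium/Low bands are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The five DREAD components from the slides, each rated 0..10 by the rubric.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    mitigation: str
    ratings: dict  # category -> 0..10 rating per the slide rubric

    def dread_score(self) -> float:
        """Risk_DREAD = (D + R + E + A + D) / 5, as given on the slide."""
        for c in CATEGORIES:
            if c not in self.ratings:
                raise ValueError(f"missing DREAD rating: {c}")
            if not 0 <= self.ratings[c] <= 10:
                raise ValueError(f"{c} rating {self.ratings[c]} outside 0..10")
        return sum(self.ratings[c] for c in CATEGORIES) / 5

def risk_band(score: float) -> str:
    # Bands are an assumption for this example; the slides only say
    # "the higher the number, the more serious the risk".
    if score >= 7:
        return "High"
    return "Medium" if score >= 4 else "Low"

def rank_threats(threats):
    """Return (name, score, band, mitigation) rows, most serious first."""
    rows = []
    for t in threats:
        s = t.dread_score()
        rows.append((t.name, s, risk_band(s), t.mitigation))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed ratings for the three leaf threats of the slide's threat graph.
THREAT_GRAPH = [
    Threat("Data validation fails, allowing SQL injection", "Implement data validation",
           dict(damage=10, reproducibility=10, exploitability=10, affected_users=10, discoverability=9)),
    Threat("Authorization fails, allowing unauthorized access", "Implement authorization checks",
           dict(damage=5, reproducibility=5, exploitability=10, affected_users=5, discoverability=10)),
    Threat("Browser cache holds message contents on a shared computer",
           "Implement anti-caching HTTP headers; use SSL if risk is high",
           dict(damage=5, reproducibility=5, exploitability=10, affected_users=5, discoverability=5)),
]

if __name__ == "__main__":
    for name, score, band, fix in rank_threats(THREAT_GRAPH):
        print(f"{score:4.1f} {band:6} {name} -> {fix}")
```

Ratings outside 0..10, or a missing component, raise an error rather than silently skewing the score, which is the check a reviewer wants before trusting the ranking.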
Malware Threat Lifecycle
Worms, the most insidious form of malware, are self-propagating and network-centric, and typically evolve through four sequential phases, as observed in the following graph.
Examples of Web Threats
In September 2008, malicious hackers broke into several sections of BusinessWeek.com to redirect visitors to malware-hosting websites. Hundreds of pages were compromised with malicious JavaScript pointing to third-party servers.
In August 2008, popular social networking sites were hit by a worm using social engineering techniques to get users to install a piece of malware. The worm installs comments on the sites with links to a fake site. If users follow the link, they are told they need to update their Flash Player. The installer then installs malware rather than the Flash Player. The malware then downloads a rogue anti-spyware application, AntiSpy Spider.
Conclusion
Organizations need to be aware that old threats never actually retire from the digital landscape. Rather, they tend to become background noise on the Internet, ready to burst into life with each new software update, host recovery, device deployment or embedded system release.
At the same time, developers and users must be educated in the context of security against continuously upcoming threats.
Thank you