Web Application Security

Secure Developing

Mahdi Dolati

mahdidolati@ut.ac.ir

بسم اهلل الرحمن الرحیم

An example to see why

Top Ten Attacks

• Open Web Application Security Project

• Injection

• Broken Authentication and Session Management

• Cross-Site Scripting (XSS)

• Insecure Direct Object References

• Security Misconfiguration

owasp.org/index.php/Top_10_2013-T10

SQL Injection

http://www-935.ibm.com/services/us/iss/xforce/trendreports/

SQL Injection

• Fill in the blanks!

• SELECT OrderIdFROM SalesWHERE CustomerId = ‘ ’

• SELECT OrderIdFROM SalesWHERE CustomerId = ‘’UNIONSELECT Table_NameFROM INFORMATION_SCHEMA.Table; -- ’

SQL Injection

SELECT OrderIDFROM SalesWHERE CustomerID = ‘ ’

Giving Information to the Attacker

‘‘

Giving Information to the Attacker

Hide the Error

•

• try {resultSet = READ FROM DATABASE;

} catch(error) {redirect(“home.html”);

}if(resultSet.RowCount > 0)

redirect(“history.html”);else

redirect(“home.html”);

Read From DB

Error?

Is Result

> 0

Go to “home”

Go to “history”

Yes

Yes

No

No

CustomerID = ‘

CustomerID = ‘ ;delay 1 min. ;--

Wait 1 min.Go to “home”

Go to “home”

Blind SQL Injection

Is the first letter of the name of the first table an

‘A’ No, it’s notgo to “home”

Is the first letter of the name of the first table an

‘B’ Yes, it isgo to “history”

SELECT OrderID FROM Sales WHERE CustomerID = ‘’ ORMID(

(SELECT table_name FROM INFORMATIN_SCHEMA.tables LIMIT 1), 1, 1) = ‘A’

Blind SQL Injection

Solutions

• Validate Input

• No SQL syntax

• No single quote

• What about Mr. John O’Malley?

• No single quote attack

• URL encoding

• Prevent OR 1 = 1

• Regex

• Encode or escape

Solutions

• Validate Input

• No SQL syntax

• No single quote

• Prevent OR 1 = 1

• Regex

• Encode or escape

Solutions

• Validate Input

• No SQL syntax

• No single quote

• Prevent OR 1 = 1

• Regex

• Encode or escape

Regexlib.comSearch for: person’s nameAllows apostrophesSQL injection: X’ OR A IS NOT NULL

Solutions

• Validate Input

• No SQL syntax

• Escape input

• Insert backslash

• Parameterized queries

• Stored Procedures

Bake Security In

Cost

• “Economic Impacts of Inadequate Infrastructure for Software Testing”

Nist.gov/director/planning/upload/report02-3.pdf

0

5

10

15

20

25

30

35

Req. / Design Coding / Unit Testing Integration Testing Customer BetaTesting

Release

Relative Cost to Fix Software Defects

Time

Find vulnerabilities

Hold release to

fix

Fix

Schedule a pentest

Pentest

HOWto bake security in?

Training

Threat Modeling

• Ultimate pessimist’s game

• Many Approaches

• Asset-centric

• Attacker-centric

• Software-centric

• Mitigation

• E.g. encrypt database

SDL Threat Modeling Tool

• A Data Flow Graph

• STRID

• Spoofing

• Tampering

• Information disclosure

• Denial of service

• Elevation of privilege

Add item into cart

View cart

contents

User database

Product Catalog

Cart Database

User

Secure Coding Libraries

• Don't reinvent the wheel

• Code review

• Correctness or Disuse

• OWASP AntiSamy or Microsoft Anti-XSS

• OpenSSL

Secure Coding Libraries

Bryan Sullivan and Vincent Liu, Web Application Security, McGraw Hill, 2011

Code Review

Static Analysis Tools

• White-Box Testing

• Integrate them

• Build process

• Code repository server

• False positive reports

Automated Analysis Tools

Tool Lang / Framework Free / Commercial

FindBugs™ Java Free (LGPL)

OWASP LAPSE+ Java Free (GPL)

FxCop .NET Free (Ms-PL)

PHP SecurotyScanner

PHP Free (GPL)

JSLint JavaScript Free (LGPL)

HP Fortify Source Code Analyser

C/C++, .NET, Java, PHP, others

Commercial

Security Testing

• Functional test approach

• Black-Box Testing

• Just like a Hacker

• Active

• Passive

Black-Box Testing Tools

IBM Rational AppScan

• Active

• Commercial

OWASP WebScarab

• Reactive

• Free

Back-Box vs. White-Box

GoF# Scala Admin.php

System Boundary

Security Incident Response planning

Industry Standard Secure Development Methodologies

Trustworthy Computing Memo

training• Core

Security Training

Req.• Establish

Security Requirements

• Create Quality Gates/Bug Bars

• Security & Privacy Risk Assessment

Design• Establish

Security Requirements

• Analyze Attack Surface

• Threat Modeling

Impl.• Use

Approved Tools

• Deprecate Unsafe Functions

• Static Analysis

Verif.• Dynamic

Analysis

• Fuzz Testing

• Attack Surface Review

Release• Incident

Response Plan

• Final Security Review

• Release Archive

Resp.• Execute

Incident Response Plan

Security Development Lifecycle (SDL)

Microsoft.com/sdl

SDL-Agile

OWASPComprehensive Lightweight Application Security Process (CLASP)

Project manager

Security Auditor

Test Analyst

Implementer

Architect

Requirements Specifier

Designer

`