Clarice Technologies | www.claricetechnologies.com | November 2012

Securing Web Applications: A Complete Solution

As the number of Web sites reaches around 300 million and Internet users reach 2 billion, results from security assessments of various websites have confirmed that over 80% of all websites have serious security vulnerabilities. With the frequency of attacks increasing each day and new attack methods being introduced almost as quickly as existing methods are discovered and defeated, every enterprise needs to develop a comprehensive plan to defeat website threats.

Introduction

In view of the increased adoption of the Internet over the past few years, and more than that, its increased use for activities like e-commerce, financial transactions and social networking, security of web applications has never been more sought after than it is today. As the number of Web sites reaches around 300 million and Internet users reach 2 billion, there is a third community growing at the same pace: hackers, who relentlessly attack at the web application level and seek to break into the secured data and information of enterprises as well as individuals. Results from security assessments of various websites have confirmed that over 80% of all websites have serious security vulnerabilities. With the frequency of attacks increasing each day and new attack methods being introduced almost as quickly as existing methods are discovered and defeated, every enterprise needs to develop a comprehensive plan to defeat website threats.


Terms associated with Security of Web Applications

Before looking at how to optimize the security of web sites and web applications, let us look at some of the terms generally associated with security of web applications.


Security Vulnerability

Security vulnerabilities are flaws in the assets or software of a product, or the absence of security controls, that make it infeasible, even when using the product properly, to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust. If an application has a security vulnerability, it can allow an attacker to access privileged data, delete or steal critical data, or break into the system, operate at the same privilege level as the application and destroy the entire system.

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. It is a technique often used to attack a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is considered one of the top 10 web application vulnerabilities.


Cross-site Scripting (XSS)

Cross-site scripting (XSS) is a security hazard that allows crackers or hackers to interfere with your program's logic by inserting their own logic into your HTML. In an XSS attack, a Web application is sent a script that activates when it is read by an unsuspecting user's browser or by an application that has not protected itself against cross-site scripting. Because dynamic web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests.

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
- Gene Spafford

Cross-site Request Forgery (CSRF)

Cross-site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choice. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Parameter Tampering

Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization. This points the browser to a link, page or site other than the one the user intends (although it may look exactly the same to the casual observer). Parameter tampering can be employed by criminals and identity thieves to surreptitiously obtain personal or business information about the user.


Session Hijacking

Session hijacking, also known as TCP session hijacking, is a method of taking over a web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user's session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on the network.

Abuse of Functionality

Abuse of functionality is an attack technique that uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms. Some functionality of a web site, possibly even security features, may be abused to cause unexpected behavior. When a piece of functionality is open to abuse, an attacker could potentially annoy other users or perhaps defraud the system entirely. The potential and level of abuse will vary from web site to web site and application to application.

Buffer Overflow

Buffer overflow exploits are attacks that alter the flow of an application by overwriting parts of memory. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.


Information Security

Information Security is protection of the availability, privacy, and integrity of data. It has the following key principles:

- Confidentiality: only allow access to data for which the user is permitted
- Integrity: ensure that data is not tampered with or altered by unauthorized users
- Availability: ensure that systems and data are available to authorized users when they need them

Content Spoofing

Content spoofing is a type of exploit used by malicious hackers to present a faked or modified web site to the user, making them believe that certain content appearing on a website is legitimate and not from an external source. The intent is typically to defraud victims (as in phishing), although sometimes the purpose is simply to misrepresent an organization or an individual. Content spoofing often exploits an established trust relationship between a computer user and an organization.

Apart from the above, there are several other terms like Brute Force, Credential/Session Prediction, Denial of Service, Format String attack, Information Leakage, Insufficient anti-automation etc. used to describe various security vulnerabilities that web applications are exposed to.

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."
- Richard Clarke

Security Levels in Web Applications

The principle of security is to provide multiple levels of protection for critical assets. Security at every layer of a web application is equally important, as each level provides resistance to potential threats to the web application. Security could be incorporated at the following levels.


Network Security

Network security could be achieved in the following ways:

- Authenticating the user, commonly with a username and a password (including two-factor or three-factor authentication)
- Putting up a firewall that enforces access policies, such as which services the network users are allowed to access
- Installing anti-virus software or an Intrusion Prevention System that helps detect and prevent the action of malware transmitted over networks

OS Level Security

The choice of Operating System could also determine the level of security a web application provides. Operating Systems like Windows provide security through various security features like:

- Access Tokens: evidence that a user successfully logged in
- Security Descriptors: represent the access rights of a logged-in user
- Object Manager: reads the security descriptors and passes the information on to the Security Reference Monitor (SRM). The SRM determines whether a user's action is legal or illegal
- NTFS: allows system administrators to set global or very specific file access permissions


Server Level Security

Web sites are hosted on web servers. Most web servers could be configured for a high level of security by:

- Setting them up to provide directory and file level security based on usernames and passwords
- Using "Secure Sockets Layer" (SSL) and "Transport Layer Security" (TLS) protocols to authenticate users and to send things over the network or Internet that you want to keep from prying eyes
- Enhancing web application security by signing up for notices about web application updates
- Making sure that you log all admin level accesses with dates, times and usernames, and ensuring that the logs are working properly

Application Security

The highest level of security could be put at the application level itself. From the developer's perspective, this is the most important level of security and hence needs the utmost attention. This level of security could be applied at the design level as well as the development level. Following are some of the ways in which application level security could be attained:

Input Validation

Input validation is applied whenever input is received from outside the current trust boundary. The application design should assume that user input is malicious and hence needs to be constrained, rejected and then sanitized.
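The following is an added example, written for this edit and not taken from the white paper or from Clarice Technologies, of what "constrain, reject, sanitize" looks like on the server side. It applies the four checks the paper names (type, length, format and range) to every field of a request, treats unknown and missing fields as errors, and returns typed values only for input that passed. The form field names, patterns and limits (an order form with username, quantity and ship_date) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, Optional, Tuple

# Added example, not code from the white paper. A server-side validator that
# applies the four checks the paper names for every field: type, length,
# format and range. Field names, patterns and limits are constructed for
# illustration; a real form would carry its own rule table.


@dataclass(frozen=True)
class FieldRule:
    kind: type                                       # type the field must convert to
    max_len: int                                     # length: cap on the raw string
    pattern: str                                     # format: anchored allowlist regex
    convert: Optional[Callable[[str], Any]] = None   # raw string -> typed value
    minimum: Any = None                              # range: inclusive lower bound
    maximum: Any = None                              # range: inclusive upper bound


# Constructed rule table for a hypothetical order form.
FORM_RULES: Dict[str, FieldRule] = {
    "username": FieldRule(str, 32, r"[A-Za-z0-9_]{3,32}"),
    "quantity": FieldRule(int, 4, r"[0-9]{1,4}", int, 1, 100),
    "ship_date": FieldRule(date, 10, r"\d{4}-\d{2}-\d{2}", date.fromisoformat,
                           date(2012, 11, 1), date(2013, 12, 31)),
}


def validate_field(name: str, raw: Any) -> Tuple[bool, Any]:
    """Check one field against its rule; return (True, typed value) or (False, reason)."""
    rule = FORM_RULES[name]
    if not isinstance(raw, str):                     # request parameters arrive as strings
        return False, "type: expected a string"
    if len(raw) > rule.max_len:                      # length, checked before any regex work
        return False, "length: longer than %d" % rule.max_len
    if re.fullmatch(rule.pattern, raw) is None:      # format: allowlist, anchored
        return False, "format: not in the allowed pattern"
    try:
        value = rule.convert(raw) if rule.convert else raw
    except ValueError:                               # e.g. 2012-13-40 passes the regex but is no date
        return False, "type: cannot convert"
    if not isinstance(value, rule.kind):
        return False, "type: wrong type after conversion"
    if rule.minimum is not None and value < rule.minimum:
        return False, "range: below minimum"
    if rule.maximum is not None and value > rule.maximum:
        return False, "range: above maximum"
    return True, value


def validate_form(form: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Validate a whole request: unknown or missing fields are errors, never silently dropped."""
    clean: Dict[str, Any] = {}
    errors: Dict[str, str] = {}
    for name in form:
        if name not in FORM_RULES:
            errors[name] = "unexpected field"
    for name in FORM_RULES:
        if name not in form:
            errors[name] = "missing"
            continue
        ok, result = validate_field(name, form[name])
        if ok:
            clean[name] = result
        else:
            errors[name] = result
    return clean, errors


if __name__ == "__main__":
    # Constructed request bodies: one well formed, one with several defects.
    good = {"username": "alice_01", "quantity": "5", "ship_date": "2012-11-15"}
    bad = {"username": "alice'; --", "quantity": "500", "ship_date": "2012-13-40", "role": "admin"}
    print(validate_form(good))
    print(validate_form(bad))
```

The order of the checks matters: length is tested before the regex so that an oversized string never reaches pattern matching, and conversion happens before the range test so that the comparison is between typed values rather than strings. The same table can be applied on every tier, which is what the paper asks for when it says validation must not live only on the client.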


Data needs to be validated for type, length, format and range. Input validation should not just be applied on the client side; it should be applied across all tiers.

Authentication

In addition to ensuring that only valid users get access to the web application, it is also imperative that your design identifies secured storage for the credentials that are accepted from users. It also needs to ensure that secured mechanisms are used to protect these credentials over the wire. The design needs to drive users to choose the strongest passwords.

Authorization

This feature ensures that role based access is defined for the web application. Access to system level resources needs to be restricted. All identities that are used by the application are identified and the resources accessed by each identity are known.

Sensitive Data Handling

The design should ensure that secrets are not stored unless necessary, and if they need to be stored, they are not stored at the code level. Sensitive information like passwords, keys, database connections etc. should not be stored in plain text, but needs to be encrypted and stored in secured storage. Sensitive data should not be logged or stored in persistent cookies.

Session Management

Application security can be effectively handled at the session level. Session lifetime needs to be limited. Session state needs to be protected from unauthorized access. SSL could be used to protect authentication cookies.

Exception Management

Structured exception handling should be applied across the application. Minimum information should be disclosed in case of an exception. For information security purposes, generic messages should be displayed to end users. Errors also need to be logged to the error logs.

Auditing and Logging

Levels of auditing and logging need to be determined during design. The design should also consider how to flow caller identity across multiple tiers for auditing. In addition, it should identify the storage, security and analysis of the application log files.

"History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."
- Bruce Schneier

"A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect."
- William Malik, Vice President and Research Area Director for Information Security at Gartner
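The following added example, written for this edit rather than taken from the white paper or from Clarice Technologies, shows one login path that applies several of the design points above together: credentials are kept only as salted PBKDF2-HMAC hashes (the paper says "encrypted and stored in secured storage"; a one-way salted hash is the usual choice for passwords specifically, and is this example's choice), the user sees the same generic message whether the name or the password was wrong while the detail goes to the server log under a reference id, and a successful login discards the pre-login session id and issues a fresh random one, which is the "regenerate the session id after login" measure the paper gives later against session fixation. The `SessionStore` and `LoginService` classes, the iteration count and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets
import uuid
from typing import Dict, Optional, Tuple

# Added example, not code from the white paper. One login path that applies
# the design points above: passwords are stored only as salted PBKDF2-HMAC
# hashes (the storage scheme is this example's choice), the user sees a
# single generic message on any failure while the detail goes to the server
# log under a reference id, and a successful login discards the pre-login
# session id and issues a fresh random one so a fixed id cannot be reused.

log = logging.getLogger("auth")
PBKDF2_ROUNDS = 100_000          # constructed; tune to the deployment's hardware
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plain password is never kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


class SessionStore:
    """Server-side session table keyed by a long random id (unguessable, not sequential)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def regenerate(self, old_sid: str, user: str) -> str:
        """Invalidate the pre-login id and hand out a new one bound to the user."""
        self._sessions.pop(old_sid, None)
        return self.create(user)


class LoginService:
    def __init__(self, sessions: SessionStore) -> None:
        self.sessions = sessions
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, current_sid: str) -> Tuple[bool, str, str]:
        """Return (success, message for the user, session id to set in the cookie)."""
        ref = uuid.uuid4().hex                   # lets support correlate a user's report with the log
        record = self.users.get(username)
        if record is None or not verify_password(password, *record):
            # Same message whether the user is unknown or the password is wrong; the
            # distinction is only in the log. (A production service would also run a
            # dummy hash for unknown names so timing does not reveal whether a name exists.)
            log.warning("login failed ref=%s user=%r known=%s", ref, username, record is not None)
            return False, GENERIC_ERROR, current_sid
        new_sid = self.sessions.regenerate(current_sid, username)
        log.info("login ok ref=%s user=%r", ref, username)
        return True, "Welcome, %s." % username, new_sid


if __name__ == "__main__":
    store = SessionStore()
    service = LoginService(store)
    service.register("alice", "correct horse battery")   # constructed credentials
    anonymous_sid = store.create()
    print(service.login("alice", "wrong", anonymous_sid))
    print(service.login("alice", "correct horse battery", anonymous_sid))
```

The returned session id is what the application would place in the authentication cookie; sending that cookie only over SSL/TLS, as the paper advises under Session Management, is a transport setting outside this snippet.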

Preventing and Fixing Security Vulnerabilities

Sr. / Vulnerability / How to prevent or fix the vulnerability

1. Cross-site Scripting (XSS)

In order to prevent cross-site scripting issues, you can add input validation to Web Forms pages by using validation controls: for example, testing for valid dates or values within a range. In addition, validation controls allow you to completely customize how error information is displayed to the user.

2. SQL Injection

SQL injection could be prevented by strict type checking (don't trust what the user enters). If you expect a user name to be entered, then validate that it contains only alphanumeric characters. Also, escape or filter special characters in user inputs. Use prepared statements to execute queries and use stored procedures wherever possible. Don't allow multiple queries to be executed in a single statement. Further, don't leak database information to the end user by displaying "syntax errors", etc. If possible, use a good ORM tool like Hibernate or iBATIS.
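As an added example for the SQL injection row (written for this edit, not code from the white paper or from Clarice Technologies), the same user lookup is shown three ways: built by string concatenation, which is the defect the row describes; as a prepared statement with a bound parameter; and behind the strict alphanumeric check the row recommends for a user name. The in-memory SQLite table, its two rows and the helper names are constructed so the script runs offline.

```python
import re
import sqlite3
from typing import List, Tuple

# Added example, not code from the white paper. The same lookup written the
# unsafe way (string concatenation) and the way the paper recommends
# (prepared statement with a bound parameter, plus strict input checking).
# The table and rows are constructed in memory so the script runs offline.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """DO NOT COPY: the caller's string becomes part of the SQL text, so quoting
    characters inside it change the meaning of the statement."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Prepared statement: the driver passes the value separately, so it is only ever data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Strict type checking as the paper describes: a user name may contain only letters and digits.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def find_user_strict(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Reject bad input before it reaches the database, then still use the bound parameter."""
    if not is_valid_username(name):
        raise ValueError("username must be 1-32 alphanumeric characters")
    return find_user_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"             # the textbook test string, not a valid user name
    print("vulnerable:", find_user_vulnerable(db, hostile))   # returns every row
    print("safe:      ", find_user_safe(db, hostile))         # returns nothing
    try:
        find_user_strict(db, hostile)
    except ValueError as exc:
        print("strict:    ", exc)
```

The two defences are complementary rather than alternatives: the bound parameter is what makes the query safe, and the allowlist check on top of it gives the application a clean, generic rejection path that never surfaces a database error to the user.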


3. Cross-site Request Forgery (CSRF)

In order to prevent CSRF attacks, it is necessary to implement a unique identifier in every request, which is a parameter that an attacker cannot guess. One can take the session id from the session cookie and add it as a parameter. The server must check that this parameter matches the session cookie, and if not, discard the request. The reason an attacker cannot guess this parameter is the "same origin policy" that applies to cookies, so the attacker cannot forge a fake request that will seem real to the server. Any secret that is hard to guess and is not accessible to an attacker can be used instead of the session id.

4. Session Hijacking

Session hijacking can be prevented by encryption of the data traffic passed between the parties; in particular the session key, though ideally all traffic for the entire session, by using SSL/TLS. Use of a long random number or string as the session key can also help. Regenerating the session id after a successful login prevents session fixation.

5. Buffer Overflows

One of the ways to prevent buffer overflows is to avoid using library files included with the compiler. Library files are commonly included with a programming language. If a hacker finds a weakness with a particular library file, any application that includes that particular library file also has the weakness. So if a hacker wants to exploit a home-grown application, he will often start by trying to exploit known weaknesses in commonly used libraries.
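The server-side check the CSRF row describes, as an added example written for this edit (not code from the white paper or from Clarice Technologies): a state-changing request is accepted only when it carries a parameter that matches a value tied to the caller's session. A forged request from another site has the shape of the failing case, because the browser attaches the session cookie automatically but the attacker's page cannot read it to copy it into a parameter. Both token sources the row mentions are implemented: the session id itself, and a separate per-session random secret. The `SESSIONS` dictionary, the cookie and parameter names and the `check_request` helper are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Added example, not code from the white paper. Server-side anti-CSRF check
# in the form the text describes: every state-changing request must carry a
# parameter that matches a value tied to the caller's session, and a request
# without it (the shape a cross-site forgery has, since the attacker's page
# cannot read the cookie) is discarded. Two token sources are shown: the
# session id itself, as in the text, and a separate per-session random secret.

SESSIONS: Dict[str, Dict[str, str]] = {}    # session id -> session data (constructed in-memory store)


def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}   # separate secret, never sent as a cookie
    return sid


def csrf_token_for(sid: str, use_session_id: bool = False) -> str:
    """Value the server embeds in its own forms: the session id (the paper's variant)
    or the per-session secret (the 'any hard-to-guess secret' variant)."""
    return sid if use_session_id else SESSIONS[sid]["csrf"]


def check_request(cookies: Dict[str, str], form: Dict[str, str],
                  use_session_id: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). The browser sends cookies automatically; the form
    parameter has to come from a page the server itself rendered."""
    sid = cookies.get("session", "")
    if sid not in SESSIONS:
        return False, "no valid session"
    expected = csrf_token_for(sid, use_session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; an absent parameter compares as the empty string and fails.
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return False, "anti-CSRF parameter missing or wrong"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    genuine = {"csrf_token": csrf_token_for(sid), "amount": "10"}   # rendered by the server's own form
    forged = {"amount": "10"}                                        # what a cross-site form can produce
    print(check_request({"session": sid}, genuine))
    print(check_request({"session": sid}, forged))
```

Using the session id itself as the parameter works, but it copies the session secret into the page body, where it can be exposed by other weaknesses (for example, a page that leaks its own HTML); a separate per-session secret keeps the two apart, which is why the second variant is the default here.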


Some other techniques to prevent buffer overflows include code auditing (automated or manual), safe functions, periodic scanning of applications, etc.

6. Parameter Tampering

To prevent this, all input parameters must be validated (including form fields, query strings, cookies, and HTTP headers). Always use SSL certificates (https) on authentication pages and in the modules that perform secured transactions. Also, don't use persistent cookies for storing authentication tokens (session ids). Cookies with sensitive data should be encrypted. Do not rely on HTTP header information to make security decisions.
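As an added example for the parameter tampering row (written for this edit, not code from the white paper or from Clarice Technologies): any value the server hands to the client and later reads back, whether a hidden form field, a query string value or a cookie, is given an HMAC tag, so a value altered on the client or in transit is detected when it returns. This gives integrity, which is what defeats tampering; the row's separate advice to encrypt sensitive cookie contents is about confidentiality and is not covered by the tag. The `session_cookie_header` helper shows the non-persistent cookie the row asks for (no Expires or Max-Age) with the Secure and HttpOnly attributes. The server key, the `price` field and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not code from the white paper. Values the server sends to the
# client and reads back later get an HMAC tag so that a change made on the
# client or in transit is detected on return. This is integrity protection;
# encrypting sensitive cookie contents (confidentiality) is a separate step
# not shown here. The key is generated per process for the demo; a real
# service loads it from secured configuration storage.

SERVER_KEY = secrets.token_bytes(32)


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Return value + '.' + urlsafe-base64(HMAC-SHA256(key, value))."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_value(signed: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the original value if its tag checks out, else None."""
    value, dot, _tag = signed.rpartition(".")       # the tag is whatever follows the last dot
    if not dot:
        return None
    expected = sign_value(value, key)
    if not hmac.compare_digest(expected.encode("utf-8"), signed.encode("utf-8")):
        return None
    return value


def session_cookie_header(signed_sid: str) -> str:
    """Set-Cookie line for a session token: no Expires/Max-Age (so it is not persistent),
    Secure (sent only over HTTPS), HttpOnly (not readable by page script)."""
    return "Set-Cookie: session=%s; Path=/; Secure; HttpOnly" % signed_sid


def price_from_request(form: dict) -> Optional[int]:
    """A hidden 'price' field the server itself emitted, signed; a client-edited copy fails."""
    value = verify_value(form.get("price", ""))
    if value is None or not value.isdigit():
        return None
    return int(value)


if __name__ == "__main__":
    issued = sign_value("4999")                    # what the server wrote into its own form
    print(price_from_request({"price": issued}))   # 4999
    edited = "1" + issued[1:]                      # client changed the first digit, kept the tag
    print(price_from_request({"price": edited}))   # None
```

Signing stops the client from changing the value but does not hide it, so a field whose content is itself sensitive still needs encryption as the row says; and a signed parameter is only as strong as the key, which is why the key must live in secured configuration storage rather than in code.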


Guidelines and Best Practices on Security for the Development Community

From the developer's perspective, ensuring that simple principles are followed at the design and code level could lay a strong foundation for a highly secured web application. The section below lists simple guidelines and best practices that could be followed.


- Identify potential security vulnerabilities upfront. Identify what is to be secured and what the most likely security threats are. Also visualize the type of people who are likely to attack your site, the capabilities of these individuals or groups, their motives for attacking and the vulnerabilities they are most likely to target
- Apply security solutions that are compliant with global security standards / regulations like PCI, SOX etc.
- Add secured data storage and data transmission features to the solution (data encryption etc.)
- Provide secured HTTPS based Internet connectivity. Use SSL certificates for your web applications
- Examine the code, before deployment, for risk-prone operations
- Proper configuration management should be designed. Configuration stores should be secured
- Never use any account with admin privileges to connect to your database
- Always use CAPTCHA to verify the users in input forms
- Sensitive data should never be transmitted with the GET method
- Ensure that the application's login does not have permissions to access tables directly

- Always do input validation on the server side even though you have JavaScript validation in place. Remember, JavaScript can be turned off on the client side and the validations can easily be bypassed
- Consider re-authenticating users when doing critical transactions. Or you can have a separate transaction password if required
- Session tokens should be encrypted whether passed as cookies, hidden fields, etc., especially if they contain user identifiable or sensitive information
- Any input that is accepted and processed from a user or other application (in the case of web services) should be validated against a list of known good parameters (white list) rather than by looking for bad or malicious syntax (black list)
- Ensure that session identifiers are not passed in query strings
- Use error messages that are more generic. Never frame an error message that is so specific that it could give a hint to an attacker
- All special characters from incoming data should be escaped in order to remove any additional programmatic meaning
- Runtime exceptions should be caught and never dumped to the user
- Testing: use a combination of black box and white box testing for testing web application security
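Two of the guidelines above, "white list rather than black list" and "escape special characters in incoming data", are illustrated by the following added example, written for this edit and not taken from the white paper or from Clarice Technologies. It runs the same inputs through a blocklist that searches for known bad fragments, through an allowlist that states what a display name may contain, and through an escaping step applied when the value is written back into HTML. The fragment list, the display-name rule and the sample inputs are constructed.

```python
import html
import re
from typing import Dict

# Added example, not code from the white paper. It contrasts the two
# approaches the guideline names: a blocklist that searches input for known
# bad fragments, and an allowlist that states what a field may contain.
# The third function applies the escaping rule: special characters in data
# that is written back into HTML lose their markup meaning. Field rules and
# sample inputs are constructed.

# Blocklist: whatever it names today, the markup it did not anticipate is not on it.
BLOCKED_FRAGMENTS = ("<script", "javascript:")


def blocklist_accepts(value: str) -> bool:
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


# Allowlist: a display name is letters, digits, spaces and a few punctuation marks, 1-64 long.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9 .'-]{1,64}")


def allowlist_accepts(value: str) -> bool:
    return DISPLAY_NAME.fullmatch(value) is not None


def render_greeting(name: str) -> str:
    """Escape on output: <, >, &, and both quote characters become entities,
    so the browser shows them as text instead of interpreting them."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def triage(value: str) -> Dict[str, object]:
    """Run both checks and the escaped rendering for one input."""
    return {
        "blocklist": blocklist_accepts(value),
        "allowlist": allowlist_accepts(value),
        "rendered": render_greeting(value),
    }


# Constructed inputs: an ordinary name, the one case the blocklist knows about,
# and markup the blocklist never listed.
SAMPLES = [
    "Mary O'Brien",
    "<script>1</script>",
    '<iframe src="//example.invalid">',
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), triage(sample))
```

The allowlist rejects the third sample even though no one wrote a rule for it, which is the practical reason the guideline prefers describing good input over enumerating bad input; and because the rendering step escapes regardless of which check was used, the output stays inert even for a value that slipped through the blocklist.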

Conclusion

Building a highly functional web application with minimal security is like building an elaborate fortress but leaving its main gate open and unguarded. It is of paramount importance for designers and developers of web applications to consider security as a primary design goal and to follow secure coding guidelines in order to provide the highest possible degree of assurance to their customers. For organizations, it is important to integrate website security into their overall security planning because what is at stake is not only a direct loss of revenue; they may face a serious loss of reputation as well. In some cases, they may face legal penalties for violating customer privacy or trust. In order to create an effective security plan, information security and software development teams must identify website vulnerabilities during both website development and production, mitigate them quickly and efficiently, share the data within the organization, track the progress of fixing the vulnerabilities, and provide management with updates on the security posture as needed.

Capabilities

We are a one-stop shop for design & development of Web based solutions as well as Mobile applications. The various horizontals that we have experience with allow us to identify various security threats and apply preventive methods for the protection of applications. We use industry best practices while planning the security strategy in both design and development cycles. Our depth of experience in the product world enables us to provide our customers the best UX design as well as the robust development necessary for any application.

User Experience Expertise

- Information Architecture, Interaction & Visual Design
- Enterprise and consumer product user interfaces and RIAs
- Total user experience for target audience

Product Engineering Expertise

- Apps for iOS, Android, and Windows phone platforms
- HTML5/CSS, JavaScript, JQuery, Ext JS
- GWT, Flash/Flex, Silverlight, Template engines, CMS

Clarice Technologies has helped design and engineer a broad range of world class products like:

- Private Cloud infrastructure for Android device sync
- The Tap n Tap UI system for Android Tablets, complete with built-in applications
- Multiple iPhone and iPad applications for the world's top Graphics Software Company
- Consumer and enterprise management solution for a large multinational chip manufacturing company
- HTML5 application interfacing with hardware for controlling key parameters
- Dashboard for CIOs covering Risk Management and Compliance Management for one of the biggest security technology companies
- New UI system for desktop and mobile products for a leading anti-virus and internet security company
- UI redesign partners for a big Indian retail bank
- Corporate website, several major brand websites and internet TV platform for a leading TV channel company
- Mobile social networking apps for a social networking startup (acquired by Google)
- Application for a world leader in lighting solutions that works on Desktop, iPad & Android Tablets
- A time bound app using complex algorithms for swift movement of objects