Web Application Security - D C. Epler

2y ago
27 Views
2 Downloads
3.70 MB
32 Pages
Last View : Today
Last Download : 2m ago
Upload by : Randy Pettway
Transcription

Web Application SecurityDavid EplerSr. Software Developerdepler@aboutweb.com

About Me Application DeveloperWeb Application Security EnthusiastOWASP Individual MemberCreated Unofficial Updater 2 to patchAdobe ColdFusion 8.0.1 & 9.0.1

About the Demos Virtual Machines, not real servers OWASP Broken Web Apps Samurai Web Testing Framework DO NOT perform any activities shownon any network/system or on a networkconnected device without properpermission!

OWASP Top Ten (2010)A1: InjectionA2: Cross-SiteScripting (XSS)A3: BrokenAuthenticationand SessionManagementA4: InsecureDirect ObjectReferencesA5: Cross SiteRequest Forgery(CSRF)A6: SecurityMisconfigurationA7: InsecureCryptographicStorageA8: Failure toRestrict URLAccessA9: InsufficientTransport LayerProtectionA10: UnvalidatedRedirects andForwards

OWASP Top Ten (2010)A1: InjectionA2: Cross-SiteScripting (XSS)A3: BrokenAuthenticationand SessionManagementA4: InsecureDirect ObjectReferencesA5: Cross SiteRequest Forgery(CSRF)A6: SecurityMisconfigurationA7: InsecureCryptographicStorageA8: Failure toRestrict URLAccessA9: InsufficientTransport LayerProtectionA10: UnvalidatedRedirects andForwards

In the News March 27 - FTC fines RockYou 250,000 for storing user data in plain text June 6 - 6.46 million LinkedIn passwords leaked online n-passwords-leaked-online/79290June 7 - eHarmony admits to leaking 1.5 million passwords tmlJuly 12 - Hackers expose 453,000 credentials allegedly taken from Yahoo service ice-hacked/July 23 - Eight Million Email Addresses And Passwords Spilled From Gaming SiteGamigo Months After Hacker Breach -gamigo-months-after-breach/Along with Last.fm, Phandroid, Billabong, Formspring, and Nvidia

A1 - Injection Tricking an application into includingunintended commands in the data sent toan interpreter SQL, LDAP, XPath, OS Shell Impact Usually severe, entire database canusually be read or modified May also allow full database schema, oraccount access, or even OS level access

A1 - Injection (SQLi) Stacked Queries http://www.victim.com/products.asp?id 1;exec master.xp cmdshell 'dir' Tautology http://www.victim.com/logon.aspx?username admin' or 1 1;- UNION Statements http://www.victim.com/products.asp?id 12 UNION SELECT userid,first name,second name,password FROM customers

A1 - Injection Avoid the interpreter completely (if possible) Use an interface that supports bind variables Prepared Statements, Stored Procedures Encode all user input before passing it to the interpreter Always perform “white list” input validation on all usersupplied input Minimize database privileges to reduce the impact of a flaw https://www.owasp.org/index.php/SQL Injection Prevention Cheat Sheet https://www.owasp.org/index.php/Query Parameterization Cheat Sheet

A7 - Insecure CryptographicStorage Not encrypting data that deserves encryption Use of weak or unsalted hashes to protectpasswords Unsafe key generation and storage, notrotating keys, and weak algorithm usage Impact Failure frequently compromises all datathat should have been encrypted. Typicallythis information includes sensitive data

A7 - Insecure CryptographicStorage Considering the threats you plan to protect this data from, make sureyou encrypt all such data at rest in a manner that defends against thesethreats Ensure all keys and passwords are protected from unauthorized access Ensure offsite backups are encrypted, but the keys are managed andbacked up separately Ensure appropriate strong standard algorithms and strong keys areused, and key management is in place Ensure passwords are hashed with a strong standard algorithm and anappropriate salt is used https://www.owasp.org/index.php/Cryptographic Storage Cheat Sheet https://www.owasp.org/index.php/Password Storage Cheat Sheet

OWASP Top Ten (2010)A1: InjectionA2: Cross-SiteScripting (XSS)A3: BrokenAuthenticationand SessionManagementA4: InsecureDirect ObjectReferencesA5: Cross SiteRequest Forgery(CSRF)A6: SecurityMisconfigurationA7: InsecureCryptographicStorageA8: Failure toRestrict URLAccessA9: InsufficientTransport LayerProtectionA10: UnvalidatedRedirects andForwards

A2 - Cross-Site Scripting(XSS) Raw data from attacker is sent to an innocentuser’s browser Three known types: Stored, Reflected, DOM Based Impact Steal user’s session, steal sensitive data, rewriteweb page, redirect user to phishing or malwaresite Most Severe: Install XSS proxy which allowsattacker to observe and direct all user’s behavioron vulnerable site and force user to other sites

A2 - Cross-Site Scripting(XSS) Stored Attacker’s script is stored on the server(e.g. blog comments, forums) and laterdisplayed in HTML pages, without properfiltering Reflected HTML page reflects user input data back tothe browser, without sanitizing the response DOM Based

A2 - Cross-Site Scripting(XSS) Eliminate Don’t include user supplied input in the output page Defend Output encode all user supplied input with proper encoder Always perform “white list” input validation on all usersupplied input included in the page Use OWASP’s AntiSamy to sanitize user supplied HTML tomake it safe https://www.owasp.org/index.php/XSS Prevention Cheat Sheet https://www.owasp.org/index.php/DOM based XSS Prevention Cheat Sheet

A5 - Cross-Site RequestForgery (CSRF) Attacker creates forged HTTP requestsand tricks a victim into submitting themvia image tags, XSS, or numerous othertechniques Impact Can cause victims to change any datathe victim is allowed to change orperform any function the victim isauthorized to use

A5 - Cross-Site RequestForgery (CSRF) Real World Example: Netflix 2006 img src "http://www.netflix.com/AddToQueue?movieid 70011204" /

A5 - Cross-Site RequestForgery (CSRF) Real World Example: Netflix 2006 img src "http://www.netflix.com/AddToQueue?movieid 70011204" /

A5 - Cross-Site RequestForgery (CSRF) Add a secret, not automatically submitted, token to ALL sensitiverequests This makes it impossible for the attacker to spoof the request unless there’s an XSS hole in your application Tokens should be cryptographically strong or random Store a single token in the session and add it to all forms and links Hidden Field, Single use URL, Form Token Can have a unique token for each function Use a hash of function name, session id, and a secret Can require secondary authentication for sensitive functions https://www.owasp.org/index.php/CSRF Prevention Cheat Sheet

OWASP Top Ten (2010)A1: InjectionA2: Cross-SiteScripting (XSS)A3: BrokenAuthenticationand SessionManagementA4: InsecureDirect ObjectReferencesA5: Cross SiteRequest Forgery(CSRF)A6: SecurityMisconfigurationA7: InsecureCryptographicStorageA8: Failure toRestrict URLAccessA9: InsufficientTransport LayerProtectionA10: UnvalidatedRedirects andForwards

OWASP Top Ten (2010)A1: InjectionA2: Cross-SiteScripting (XSS)A3: BrokenAuthenticationand SessionManagementA4: InsecureDirect ObjectReferencesA5: Cross SiteRequest Forgery(CSRF)A6: SecurityMisconfigurationA7: InsecureCryptographicStorageA8: Failure toRestrict URLAccessA9: InsufficientTransport LayerProtectionA10: UnvalidatedRedirects andForwards

So should you just turneverything off and unplug it?

OWASP Enterprise Security API ESAPI is NOT a framework Collection of security building blocks Designed to help retrofit existingapplications Available for multiple languages Java, .NET, Perl, PHP, ColdFusion Security Frameworks already exist Spring Security ASP.NET Web Application Security

ESAPI baked into CFML Adobe ColdFusion 10 uses ESAPI 2.0.1 Canonicalize, DecodeForHTML, DecodeFromURL, EncodeForCSS,EncodeForHTML, EncodeForHTMLAttribute, EncodeForJavaScript,EncodeForURL, EncodeForXML With APSB11-04 and higher ESAPI installed into ColdFusion ESAPI 1.4.4 for CF 8.0.x ESAPI 2.0 rc10 for CF 9.0.x Railo 4.0 Beta ESAPI* functions CFESAPI project by Damon Miller https://github.com/damonmiller/cfesapi CFBackPort project by David Boyer https://github.com/misterdai/cfbackport

Web Application Firewall Web application firewall (WAF) are used to protect webapplications without the need to modify them Can be an appliance, server plugin, or filter Commercial Trustwave - WebDefend Web Application Firewall Cisco - ACE Web Application Firewall Citrix - NetScaler App Firewall F5 - BIG-IP Application Security Manager Privacyware - ThreatSentry IIS Web Application Firewall Free Trustwave SpiderLabs - ModSecurity Microsoft - URLScan 3.1

ColdFusion ApplicationFirewall/Filters Fuseguard by Foundeo See Mike Henke’s presentation formore details nd-fuseguardpresentation-tomorrow Portcullis by John Mason http://portcullis.riaforge.org/

ModSecurity Open source, free web application firewall(WAF) Apache module Security Models Negative Security Model Positive Security Model Virtual Patching Extrusion Detection Model Run as Apache module or reverse proxy OWASP ModSecurity Core Rule Set Project

BooksThe Web Application Hacker'sHandbook: Finding andExploiting Security Flaws,Second Editionby Dafydd Stuttard and Marcus PintoJohn Wiley & Sons 2012 (912 pages)ISBN: 9781118026472SQL Injection Attacks andDefenseby Justin ClarkeSyngress Publishing 2009 (494 pages)ISBN: 9781597494243Penetration Tester's OpenSource Toolkit, Third Editionby Jeremy FairclothSyngress Publishing 2011 (465 pages)ISBN: 9781597496278Web Application Obfuscation: '-/WAFs.dEvasion.dFilters//alert (/Obfuscation/)-'by Mario Heiderich, Eduardo Alberto VelaNava, Gareth Heyes and David LindsaySyngress Publishing 2011 (290 pages)ISBN: 9781597496049XSS Attacks: Cross Site ScriptingExploits and Defenseby Jeremiah Grossman, Robert “RSnake”Hansen, Petko “pdp” D. Petkov and AntonRagerSyngress Publishing 2007 (479 pages)ISBN: 9781597491549Seven Deadliest WebApplication Attacksby Mike ShemaSyngress Publishing 2010 (187 pages)ISBN: 9781597495431

References om/files/OWASP Top 10 asp.org/index.php/Category:OWASP AntiSamy Projecthttps://www.owasp.org/index.php/Cheat ugs/2100-1002 3-6126438.html?part rss&tag 6126438&subj rity/index.php?title 7Milan dex.php/Category:OWASP Securing WebGoat using ModSecurity ases/2009/press /https://www.owasp.org/index.php/OWASP Broken Web Applications loitation-for-fun-profit.html

Web application firewall (WAF) are used to protect web applications without the need to modify them Can be an appliance, server plugin, or filter Commercial Trustwave - WebDefend Web Application Firewall Cisco - ACE Web Application Firewall Citrix - NetScale

Related Documents:

Application Security Testing (DAST) Origin Analysis / Software Composition Analysis (SCA) Mobile Application Security Testing (MAST) Application Security Testing as a Service (ASTaaS) Correlation Tools Application Security Testing Orchestration (ASTO) Database Security Scanning Test Coverage Analyzers Interactive Application Security Testing .

security - yet 75% of attacks come through web applications - market is now focusing on spending on web application security Mitre group indicates that application issues (XSS and SQL Injection ) are the top 2 hacks Most websites are vulnerable (Watchfire/Gartner) Cost of Application Security Breach Security Breach

ZscalerTM Web Security Zscaler Web Security, part of the Zscaler Cloud Security Platform, delivers the complete security stack as a cloud service, eliminating the cost and complexity of traditional secure web gateway appliances. By moving security to a globally distributed cloud, Zscaler brings the Internet and web gateway closer to the user .

address Web application security is with an automated solution, where the security policy is driven directly by the Web application itself and the security solution understands the Web application as a whole. Ensuring the integrity of interactions between the user and the application

Hacking and Security. Whether you are a beginner or an experienced ethical hacker, the Web Application Hacking and Security course offers something for all skill levels. You will hack through a variety of challenges from SQL Injection, to Security Misconfigurations, to Cross-Site-Scripting, and more. 3 WEB APPLICATION HACKING & SECURITY

Web Application Penetration Tests: Web application security testing is focused on evaluating the security of a web application. The process involves an active analysis and exploitation of the web application for any weaknesses, technical flaws, or vulnerabilities in accordance with the OWASP Testing Guide 4.1.

HPE Secure IoT Application Lifecycle IoT Endpoints Connectivity Edge Computing Visualization IoT Cloud / Platform HPE Security ArcSight (Security Intelligence)HPE Security Fortify (Application Security)HPE Security -Data Security (Voltage/Atalla) HPE Aruba (Communication Security)HPE ADM (Application Delivery Management)HPE ITOM (IT Operations Management)

Introducing Web Security Gateway Anywhere 4 Websense Web Security Gateway Anywhere To collapse a pane, click the arrows in the up per corner of the pane. To expand it, click the arrows again. You can do this on any page in the TRITON security center. Hybrid Web filtering Web Security Gateway Anywhere supports on-premises appliance as well as hybrid