A presentation on OWASP top 5 web based attacks and Slow DOS methodologies which are difficult to detect and stop.

1. Presentation on Web Attacks
By : Vivek Sinha Anurag

2. Agenda
• Owasp Top-5 Attacks
▫ Injection Attacks (SQLi, Xpath Injection, Command Injection)
▫ XSS
▫ Broken Authentication & Authorization (Session Management Flaws)
▫ CSRF
▫ Sensitve Data Exposure (PII, PCI, SSL)
▫ Slow Attacks:
▫ Slow Read
▫ Slow Get
▫ Slow POST

3. Injection Attacks
• SQLi
• Xpath Injection
• Command Injection

4. SQL Injection
• It is a code drive technique used to attack data driven apps
in which malicious SQL statements are inserted into entry
field for execution
use of ‘ or ‘1’=‘1
select * from Users where (username = 'submittedUser' and password = 'submittedPassword');
• Prevention
▫ Sanitizing Inputs
▫ Using Escape Characters
▫ Using Parameterized query
▫ Using Stored Procedures

5. XPath Injection
• Similar to SQLi, this is also a technique where attacker
manipulates the input data to extract the desired
information from XML doc where the data is stored.
Malformed data is provided in input
 Eg: ‘ or ‘1’=‘1 in USER/PASS
• Prevention
▫ Using parameterized Xpath interface
▫ Escaping the input characters
▫ Using precompiled xpath query

6. Command Injection
• It is a technique to inject and execute OS
commands specified by an attacker in the
vulnerable app.
• In most of the cases it is possible due to lack of
input data validation which can be manipulated by
the attacker
• Prevention:
▫ Always validate the input data
▫ Run the app with minimum permissions possible

7. XSS Attacks
• Persistent
▫ It occurs when the data provided by the attacker is
saved by the server, and then permanently displayed
on "normal" pages returned to other users in the
course of regular browsing, without proper HTML
escaping.
• Non-Persistent
▫ When the data provided by a web client, most
commonly in HTTP query parameters or in HTML
form submissions, is used immediately by server-side
scripts to parse and display a page of results for and
to that user, without properly sanitizing the request
• DOM based
▫ Attack payload is executed as a result of modifying the
DOM environment in the victim browser used by the
original client side script

8. XSS Attacks
• Prevention
▫ Escaping/Encoding of string input
▫ Safely validating untrusted HTML input
▫ Whitelist/Blacklist based HTML tags
▫ Disabling Scripts
▫ Implementation of Cookie with additional
parameters, like IP

9. Broken Auth
OWASP Definition:
Account credentials and session tokens are often not properly protected.
Attackers compromise passwords, keys, or authentication tokens to
assume other users’ identities
• Broken Authentication
• Broken Authorization
• Session Management Flaws

10. Broken Auth
• Protection:
▫ Password Change Controls
▫ Password Strength
▫ Password Expiration
▫ Password Storage
▫ Protection In Transit
▫ Avoid Cookieless Session
▫ Avoid homegrown authentication schema
▫ Look into IP/Location/Browser/OS combination
▫ Always have unique session ID bound with IP
▫ Double-check password on certain activity
▫ Expire sessions early
▫ Don’t forget logout button [which should destroy the server/client session]

11. CSRF (Cross Site request Forgery)
OWASP Definition:
A CSRF attack forces a logged-on victim’s browser to
send a pre-authenticated request to a vulnerable web
application, which then forces the victim’s browser to
perform a hostile action to the benefit of the attacker.
CSRF can be as powerful as the web application that it
attacks

12. CSRF
Someblog.net
https://bank.com/fn?param=1
JSESSIONID=AC934234…
Somebank.net

13. CSRF Prevention
• Captcha
• Re-Authentication
▫ Password Based
▫ One-Time Token
• Unique Request Tokens

14. Sensitive Data Exposure
• PII (Personal Identifiable Information)
▫ Sensitive and Non Sensitive PII
• PCI Compliance
▫ Its assures that the CC data is secured
• SSL
▫ Always use strong ciphers
and disable renegotiation
▫ Make sure that the private key
is always secured.

15. PCI
• Requirements
▫ Build and maintain a Secured Network
 Firewalls, Don’t use default passwords
▫ Protect Cardholder Data
 Protect the stored data, Encrypt the data while transmitting it
▫ Maintain a Vulnerability Management Program
 Updated Antivirus, develop/maintain secure systems in apps
▫ Implement Strong Access Control Measures
 Restricted access, unique ids to people have access, restrict physical
access
▫ Regularly Monitor and Test Networks
 Track and monitor all access, regularly test security systems
▫ Maintain an Information Security Policy
 Maintain policy to address information security

16. Slow Attacks
• Slow Read
• Slow GET
• Slow POST
Difficult to detect
Can be used from single computer
Can bypass traditional WAF

17. Slow Read
• Attacker creates multiple connections to the server
• Advertise that receiving window size is very small
• Keeps the connection open for very long time
• Uses all the connections causing DOS
• Tools used: SlowHttpTest

18. Slow Get
• Attacker creates multiple connections to the server
• Sends GET requests at very slow rate
• Server keeps waiting for completion of headers
• Uses all the connections causing DOS
• Tools Used: AlowHttpTest, Slowloris

19. Slow POST
• Attacker creates multiple connections to the server
• Sends header and advertise fixed content length
• Sends POST body at very slow rate
• Server keeps waiting for completion of POST body
• Uses all the connections causing DOS
• Tools Used: AlowHttpTest, RUDY

20. Slow Attacks - Protection
• Drop Connections which HTTP method not supported by URL
• Limit the header and message body to a minimal reasonable length
• Set an absolute connection timeout, if possible.
• Try to maximize server max no of connections
• Define minimum incoming data rate
• Define max no of concurrent connections from same IP
• Blacklist the known attack user-agents [Slowloris uses *MSIE*MSOffice 12*]

21. Questions?

22. Thanks