1. Web Application Security
Vikas Thange
2. Topics
1 What is Web Security
2 Why Web Security?
3 Proxy Server – Paros Proxy
4 Web Vulnerability
5 Web Vulnerability Types
6 SQL Injection
7 Other Types
3. What is Web Security
1 Web application security is a branch of information security that
deals specifically with security of websites and web applications.
2 At a high level, Web application security draws on the principles of
application security but applies them specifically to Internet and
Web systems.
3 Typically web applications are developed using languages and platforms
such as PHP, Java (Java EE), Python, Ruby, ASP.NET (C# or VB.NET) or
Classic ASP.
4. Why Web Security
1 We value our privacy
2 We value our client’s important data
3 We want to make everyone’s web presence safer and better
4 We must remember that it is users who use the system
5 Users can be good as well as bad
5. Proxy Server
1 A proxy server is a server (a computer system or an application)
that acts as an intermediary for requests from clients seeking
resources from other servers
2 A client connects to the proxy server, requesting some service,
such as a file, web page, or other resource, available from a
different server.
3 The proxy server evaluates the request according to its filtering
rules. If the request passes the filter, the proxy fetches and returns the
resource.
6. Use of Proxy Server
1 To apply access policy to network services or content, e.g. to block undesired sites.
2 To log / audit usage, i.e. to provide company employee Internet usage reporting.
3 To bypass security/ parental controls.
4 To scan transmitted content for malware before delivery.
5 To scan outbound content, e.g., for data leak protection.
6 To circumvent regional restrictions.
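To make the request-evaluation step concrete, here is a minimal filtering forward proxy added for this page (it is not the deck's code and not Paros Proxy). It assumes a constructed host block list (`BLOCKED_HOSTS`); `evaluate_request` is the access-policy check described above, every decision is logged for audit, and the handler forwards allowed GET requests upstream.

```python
"""Minimal filtering HTTP forward proxy (added example, not from the slides).

It applies an access policy (a hostname block list), logs every decision for
audit, and forwards allowed requests upstream.  The block list and the sample
URLs used with it are constructed for illustration.
"""
import http.server
import logging
import urllib.error
import urllib.request
from urllib.parse import urlsplit

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("proxy")

# Access policy: hosts the proxy refuses to fetch for clients (constructed sample).
BLOCKED_HOSTS = {"blocked.example", "ads.example"}


def evaluate_request(url, blocked_hosts=BLOCKED_HOSTS):
    """Decide whether the proxy may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False, "only absolute http:// URLs are proxied"
    host = parts.hostname.lower()
    # Match the host itself and any subdomain of a blocked host.
    for blocked in blocked_hosts:
        if host == blocked or host.endswith("." + blocked):
            return False, f"host {host} is blocked by policy"
    return True, "allowed"


class FilteringProxy(http.server.BaseHTTPRequestHandler):
    """Handles GET requests from a browser configured to use this proxy.

    In a proxy request the request line carries the absolute URL, so
    self.path is the full target URL rather than just a path.
    """

    def do_GET(self):
        allowed, reason = evaluate_request(self.path)
        log.info("%s GET %s -> %s (%s)", self.client_address[0], self.path,
                 "ALLOW" if allowed else "DENY", reason)
        if not allowed:
            self.send_error(403, reason)
            return
        try:
            with urllib.request.urlopen(self.path, timeout=10) as upstream:
                body = upstream.read()
                self.send_response(upstream.status)
                self.send_header("Content-Length", str(len(body)))
                ctype = upstream.headers.get("Content-Type")
                if ctype:
                    self.send_header("Content-Type", ctype)
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.URLError as exc:
            self.send_error(502, f"upstream fetch failed: {exc.reason}")


if __name__ == "__main__":
    # Configure a browser to use 127.0.0.1:8080 as its HTTP proxy to try it.
    http.server.HTTPServer(("127.0.0.1", 8080), FilteringProxy).serve_forever()
```

An intercepting proxy used for testing (Paros Proxy, from the topic list) works on the same principle, but instead of a block list it pauses each request so the tester can edit parameters, including hidden form fields, before they reach the server.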
8. Web Vulnerability
A vulnerability is a weakness which allows an attacker to reduce a
system's information assurance.
In a web context: a weakness in a custom web application's architecture,
design, configuration, or code.
9. Web Vulnerability Types
1 SQL Injection
2 Code Injection
3 XSS or Cross Site Scripting
4 CSRF or Cross Site Request Forgery
5 Session Security
6 Input Validation
10. How Bad is it?
Source: Web Application Security Consortium (WASC) statistics project
http://www.webappsec.org/projects/statistics/
13. SQL Injection
What is SQL Injection?
• It is a trick to inject an SQL query/command as an input, possibly via web pages.
• Many web pages take parameters from the web user and make an SQL query to the database.
• Take for instance a user login: the web page takes the user name and password and makes an SQL query to the database to check if the user has a valid name and password.
• With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
14. SQL Injection
What do you need?
• A little SQL and programming knowledge
• No tool required
• Any web browser
• An SQL injection attack dictionary (a list of known payloads)
15. SQL Injection
What you should look for?
• Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.
• Sometimes HTML pages use the POST method to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between <FORM> and </FORM> is a potential parameter that might be useful (exploit wise).
16. SQL Injection
What if you can't find any page that takes input?
• You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:
http://duck/index.asp?id=10
17. SQL Injection
How do you test if it is vulnerable?
• Start with the single quote trick. Input something like hi' or 1=1-- into the login, the password, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
• If you must do this with a hidden field, just download the source HTML from the site, save it to your hard disk, and modify the URL and hidden field accordingly. Example:
<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>
If luck is on your side, you will get logged in without any login name or password. A database error page after a bare single quote, or a result set that changes with ' or 1=1--, is the sign to look for.
18. SQL Injection
But why ' or 1=1--?
• Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that links you to another page with the following URL:
http://duck/index.asp?category=food
• In the URL, 'category' is the variable name and 'food' is the value assigned to it. To do that, the ASP page might contain the following code:
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
19. SQL Injection
But why ' or 1=1--?
• As we can see, our value is wrapped into v_cat, and thus the SQL statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query returns a resultset containing the rows that match the WHERE condition, in this case 'food'.
• Now assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1-- ", and if we substitute this in the SQL query we get:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The quote we supplied closes the string literal, "or 1=1" makes the WHERE condition true for every row, and "--" starts an SQL comment that discards the dangling trailing quote, so the page returns every product.
Practice targets: http://testasp.vulnweb.com/ and http://www.altoromutual.com
20. SQL Injection
How to avoid SQL Injection?
• Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from URL
- Values from cookies
• For numeric values, convert to an integer before putting them into the SQL statement, or use ISNUMERIC to make sure the value is numeric.
• Character filtering is only a secondary defence: the reliable fix is to pass user data through parameterised queries (prepared statements) so it is never concatenated into the SQL text.
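The walkthrough in the previous slides (the login bypass and the category query) and the advice above, carried through in one runnable example. This is added code, not the deck's ASP, and it uses an in-memory SQLite database with constructed sample users and products; the table and column names mirror the slides where they exist (product, PCategory) and are assumed otherwise. The vulnerable functions concatenate the request value into the SQL text exactly as the ASP snippet does; the safe ones use placeholders and integer conversion.

```python
"""SQL injection reproduced against SQLite (added example, not the slides' ASP code).

Builds the same kind of login and category queries the slides describe by
string concatenation, shows what ' or 1=1-- does to them, then the
parameterised versions that are immune.  Table contents are constructed data.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE product(name TEXT, PCategory TEXT);
        INSERT INTO product VALUES ('apple', 'food'), ('bread', 'food'),
                                   ('laptop', 'electronics');
    """)
    return conn


# --- vulnerable: user data is spliced into the SQL text, as in the ASP snippet ---

def login_vulnerable(conn, username, password):
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def products_vulnerable(conn, category):
    sql = "SELECT name FROM product WHERE PCategory='" + category + "'"
    return [row[0] for row in conn.execute(sql)]


# --- hardened: placeholders keep data out of the statement text ---

def login_safe(conn, username, password):
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def products_safe(conn, category):
    sql = "SELECT name FROM product WHERE PCategory=?"
    return [row[0] for row in conn.execute(sql, (category,))]


def product_by_id_safe(conn, raw_id):
    """Numeric parameter: convert before use and reject anything that is not an int."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute("SELECT name FROM product WHERE rowid=?",
                        (product_id,)).fetchone()


def demo():
    """Run both versions against the slides' payloads and collect the results."""
    conn = make_db()
    payload = "hi' or 1=1--"
    return {
        # WHERE username='hi' or 1=1--' AND password='...'  -> always true
        "vuln_login": login_vulnerable(conn, payload, "whatever"),
        "safe_login": login_safe(conn, payload, "whatever"),
        # WHERE PCategory='food' or 1=1--'  -> every row, not just food
        "vuln_products": products_vulnerable(conn, "food' or 1=1--"),
        "safe_products": products_safe(conn, "food' or 1=1--"),
        # id parameter: "1 or 1=1" never reaches the query
        "bad_id": product_by_id_safe(conn, "1 or 1=1"),
        "good_id": product_by_id_safe(conn, "3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the placeholder versions the payload is compared as a literal string value, so it matches no user and no category; the database never sees a second clause or a comment marker. SQLite, like SQL Server, treats "--" as a line comment, which is why the trailing quote the application appends is harmless to the attacker.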
21. SQL Injection
Where can I get more info?
• http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
• http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
• http://www.owasp.org/asac/input_validation/sql.shtml
• http://www.sensepost.com/misc/SQLinsertion.htm
• http://www.digitaloffense.net/wargames01/IOWargames.ppt
• http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
• http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
22. Code Injection
• Code Injection is the general name for many types of attacks that depend on inserting code which is then interpreted by the application.
• Such an attack may be performed by adding strings of characters to a cookie or to argument values in the URI.
• The attack exploits a lack of accurate input/output data validation, for example of:
1. the class of allowed characters (standard regular expression classes or custom)
2. the data format
3. the amount of expected data
4. for numerical input, its value range
23. Code Injection
When a programmer uses the eval() function on data that an attacker can alter, the application is only one step away from Code Injection.
The example below shows how eval() is used; the request parameter is interpolated unescaped into the string that is evaluated:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$$myvar = $x;");   // evaluates: $varname = <whatever arg contains>;
The code above looks harmless but may be used to perform a Code Injection attack.
Example: passing in the URI /index.php?arg=1; phpinfo()
While exploiting bugs like these, the attacker does not have to limit himself to a Code Injection attack; he may also use a Command Injection technique, for example:
/index.php?arg=1; system('dir')
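The same bug and its fix, as an added example in Python rather than PHP (not the deck's code). `exec` on a string built from request data plays the role of PHP's eval(); the variable name and the payloads are constructed, and the payloads are deliberately harmless, flipping a flag or reading the OS name instead of calling phpinfo() or system().

```python
"""Code injection through exec/eval and the literal-only fix (added example).

set_variable_vulnerable builds a statement from request data the way the PHP
eval("$myvar = $x;") snippet does, so a request like /index.php?arg=1; ...
runs attacker-supplied code.  set_variable_safe keeps the same intent but
never executes input.  The payloads below are constructed and harmless.
"""
import ast


def set_variable_vulnerable(varname, arg):
    """Assign `arg` to the variable `varname` by building source code from it."""
    namespace = {"pwned": False}          # stand-in for application state
    exec(f"{varname} = {arg}", namespace)  # attacker text becomes code
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def set_variable_safe(varname, arg):
    """Same intent without executing input: validate the name, parse a literal."""
    if not varname.isidentifier():
        raise ValueError("invalid variable name")
    try:
        value = ast.literal_eval(arg)   # accepts only literals; any code is rejected
    except (ValueError, SyntaxError):
        raise ValueError("argument must be a plain literal")
    return {"pwned": False, varname: value}


def safe_rejects(arg):
    """True if the hardened version refuses `arg`."""
    try:
        set_variable_safe("count", arg)
    except ValueError:
        return True
    return False


def demo():
    """Mirror the slide's two payloads: extra statement, then library access."""
    return {
        # ?arg=1; pwned = True   (the slide's "1; phpinfo()")
        "vuln_extra_statement": set_variable_vulnerable("count", "1; pwned = True"),
        # ?arg=__import__('platform').system()   (the slide's "system('dir')")
        "vuln_library_call": set_variable_vulnerable(
            "count", "__import__('platform').system()"),
        "safe_plain_value": set_variable_safe("count", "1"),
        "safe_rejects_payload": safe_rejects("1; pwned = True"),
        "safe_rejects_call": safe_rejects("__import__('platform').system()"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version applies the validation the previous slide lists: the name is checked against a positive specification (a Python identifier) and the value must parse as a literal, so the separator (`;`) and any call expression are rejected before anything is evaluated.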
24. Cross Site Scripting Flaw (XSS)
• Cross site scripting (XSS) attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites.
• Cross site scripting flaws are the most prevalent flaw in web applications today.
• Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
• To avoid XSS attacks we recommend validating input against a rigorous positive specification of what is expected, and encoding output for the HTML context it is written into (body text, attribute value) so that user data is never parsed as markup.
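A reflected XSS in a greeting page, beside the two defences, as an added example (not the deck's code). The page template, the name pattern used as the positive specification, and the payload are all constructed for illustration.

```python
"""Reflected XSS and its defences: output encoding and positive validation (added example).

render_vulnerable concatenates a user-supplied display name into HTML, so a
script tag in the name is executed by the victim's browser.  render_encoded
escapes the value for the body and attribute contexts; render_validated first
checks the name against an allow-list pattern.  Payload and template are constructed.
"""
import html
import re

# Positive specification of a display name: letters, digits, spaces, 1-32 chars.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 ]{1,32}$")

# Constructed payload of the kind an attacker would put in a crafted link.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(name):
    """Raw concatenation: the script tag lands in the page as markup."""
    return f"<p>Hello {name}</p><input value={name}>"


def render_encoded(name):
    """html.escape(quote=True) turns < > & \" ' into entities, so the value is
    plain text in the body and an inert string inside the quoted attribute."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input value="{safe}">'


def is_valid_name(name):
    """Allow-list check: reject anything outside the expected character set."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_validated(name):
    """Validate first, then still encode: defence in depth."""
    if not is_valid_name(name):
        raise ValueError("display name contains unexpected characters")
    return render_encoded(name)


def contains_live_script(page):
    """Crude check: does the rendered page still contain an executable <script> tag?"""
    return "<script" in page.lower()
```

Note that encoding only protects an attribute when the attribute is quoted, as in `render_encoded`; with the unquoted `value={name}` of the vulnerable template, a payload that starts with a space and a new attribute (an `onfocus` handler, for instance) needs no angle brackets or quotes at all, which is why the validation step matters as well.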