Top 10 WEB Application - PowerPoint PPT Presentation

Slides: 29
Provided by: docsAthena
1
Top 10 WEB Application
Vulnerabilities
Presented by Hai Phung (CISSP, CEH, CCNP, MCSD, MCSE),
CEO, VietShield Security Consulting, phunghai_at_vietshield.com
2
Introduction
  • Many organizations rely on web applications to
    do business with customers and partners.
  • When an organization puts up a web application,
    it invites the world to send it HTTP requests.
  • Attacks buried in these requests go
    undetected by firewalls, network filters,
    platform hardening, and intrusion detection
    systems.
  • Your web application code is part of your
    security perimeter.

4
Scope of my presentation
  • To illustrate the top 10 web application
    vulnerabilities, selected and ranked by OWASP
    (the Open Web Application Security Project)
  • A brief demonstration of how each works and its
    consequences
  • High-level recommendations on a course of action

5
No 1. Unvalidated Input.
6
A1. Unvalidated Input
  • Vulnerability
      • Input from the HTTP request is not validated.
      • Use of only client-side validation mechanisms
  • Consequences
      • Command insertion
      • Cross site scripting
      • Buffer overflow
      • SQL injection
      • Hidden field manipulation
      • Format string attack

7
No 2. Broken Access Control
8
A2. Broken Access Control
  • Access control is related to resource
    authorization, a function in the web application to
    control Who is allowed to access What.
  • Improper access control implementation leads to:
      • An unauthenticated user could access protected
        resources.
      • An authenticated user could access resources
        which he/she should not have access to.

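The slide's "Who is allowed to access What" rule, as an added example that is not part of the original deck: a request handler that enforces ownership and role on the server for every call, and treats an unauthenticated caller as never authorized. The `User`/`Invoice` types, the `auditor` role and the sample rows are assumptions made up for the illustration.

```python
# Added example (not from the slides): server-side authorization that decides
# "who is allowed to access what" for every request to a protected resource.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data: invoice 100 belongs to user 1, invoice 101 to user 2.
INVOICES: Dict[int, Invoice] = {
    100: Invoice(invoice_id=100, owner_id=1, total=42.0),
    101: Invoice(invoice_id=101, owner_id=2, total=99.5),
}


class AccessDenied(Exception):
    """Raised when the caller is not permitted to see the resource."""


def can_view_invoice(user: Optional[User], invoice: Invoice) -> bool:
    """Authorization rule: the owner may view, and so may the 'auditor' role.
    An unauthenticated caller (user is None) is never allowed."""
    if user is None:
        return False
    if "auditor" in user.roles:
        return True
    return user.user_id == invoice.owner_id


def get_invoice(user: Optional[User], invoice_id: int) -> Invoice:
    """Request handler. The check happens here, on the server, for each call;
    it does not rely on the link or hidden field having been shown only to
    authorized users. A missing invoice and a forbidden one get the same
    error so the response does not confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_view_invoice(user, invoice):
        raise AccessDenied(f"invoice {invoice_id} is not accessible")
    return invoice


def access_allowed(user: Optional[User], invoice_id: int) -> bool:
    """True when get_invoice would succeed; handy for tests and access audits."""
    try:
        get_invoice(user, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print(access_allowed(User(1), 100))                          # owner: True
    print(access_allowed(User(1), 101))                          # someone else's: False
    print(access_allowed(None, 100))                             # not logged in: False
    print(access_allowed(User(9, frozenset({"auditor"})), 101))  # auditor role: True
```

The point of the structure is that the decision is made once, centrally, from the server's own record of who owns what; the URL, a hidden form field or the presence of a link in the UI never substitutes for that check.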
9
No 3. Broken Authentication and Session Management
10
A3. Broken Authentication and Session Management
  • Authentication and session management includes
    all aspects of handling user authentication and
    managing active sessions.
  • A wide array of account and session management
    flaws can result in the compromise of user or
    system administration accounts.
  • Solid authentication mechanisms can be undermined
    by flawed credential management functions,
    including password change, forgot my password,
    remember my password, account update, and other
    related functions.

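As an added example (not from the deck) of the session-management controls this slide alludes to, the following minimal server-side session store issues unguessable identifiers, expires idle sessions, rotates the identifier at login, and revokes every session of a user after a credential change (password change or reset). The 30-minute idle limit and the store's API are assumptions for the illustration.

```python
# Added example (not from the slides): a minimal server-side session store with
# random identifiers, idle expiry, rotation at login and revocation on
# password change.
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 30 * 60   # idle sessions end after 30 minutes (assumed policy)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock            # injectable so expiry can be tested offline
        self._sessions: Dict[str, dict] = {}

    def _issue(self, user_id: int) -> str:
        # 32 random bytes from the OS CSPRNG; never derived from user id or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id,
                                 "expires": self._clock() + SESSION_TTL_SECONDS}
        return token

    def login(self, user_id: int, presented_token: Optional[str] = None) -> str:
        """Rotate the identifier at authentication: whatever token the browser
        held before login is discarded and a fresh one is issued."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        return self._issue(user_id)

    def user_for(self, token: str) -> Optional[int]:
        """Resolve a token to a user id, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["expires"] <= self._clock():
            del self._sessions[token]
            return None
        return session["user_id"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all(self, user_id: int) -> int:
        """Invalidate every session of a user, e.g. after a password change or
        reset, so an existing session does not outlive the credential change."""
        stale = [t for t, s in self._sessions.items() if s["user_id"] == user_id]
        for token in stale:
            del self._sessions[token]
        return len(stale)


def demo_lifecycle() -> dict:
    """Walk the lifecycle with a fake clock and report what each step observed."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    pre_login = store.login(user_id=7)                      # a session that existed before
    token = store.login(user_id=7, presented_token=pre_login)  # ...is replaced at login
    result = {
        "rotated": token != pre_login,
        "old_token_dead": store.user_for(pre_login) is None,
        "resolves": store.user_for(token),
    }
    now[0] += SESSION_TTL_SECONDS + 1                       # let it idle past the TTL
    result["expired"] = store.user_for(token) is None
    fresh = store.login(user_id=7)
    result["revoked"] = store.revoke_all(7)                 # e.g. password was changed
    result["after_revoke"] = store.user_for(fresh)
    return result


if __name__ == "__main__":
    print(demo_lifecycle())
```

The same store would also be the place to invalidate sessions from the "forgot my password" and "account update" flows the slide names, since those are the functions through which an otherwise solid login can be undermined.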
11
No 4. Cross Site Scripting
12
A4. Cross Site Scripting
  • Cross-site scripting (sometimes referred to as
    XSS) vulnerabilities occur when an attacker uses
    a web application to send malicious code,
    generally in the form of a script, to a different
    end user.
  • These flaws are quite widespread and occur
    anywhere a web application uses input from a user
    in the output it generates without validating it.
  • The likelihood that a site contains XSS
    vulnerabilities is extremely high.

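An added example serving both A1 (unvalidated input) and A4 (cross site scripting); it is not code from the deck. It validates a form on the server against an allow-list whether or not the browser checked anything, ignores a privileged attribute that a manipulated hidden field might carry, and encodes user text for the HTML body context before it is reflected. The field names, limits and page layout are assumptions.

```python
# Added example (not from the slides): server-side allow-list validation of a
# form plus HTML output encoding of user-controlled text.
import html
import re
from typing import Dict, List

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # assumed username policy
MAX_BIO_LEN = 500                                  # assumed length limit


def form_errors(params: Dict[str, str]) -> List[str]:
    """Return the names of fields that fail allow-list validation. This runs
    on the server for every request; client-side checks are a convenience
    for the user, not a security control."""
    errors: List[str] = []
    if not USERNAME_RE.fullmatch(params.get("username", "")):
        errors.append("username")
    try:
        age = int(params.get("age", ""))
        if not 0 <= age <= 150:
            raise ValueError
    except ValueError:
        errors.append("age")
    if len(params.get("bio", "")) > MAX_BIO_LEN:
        errors.append("bio")
    return errors


def validate_profile_form(params: Dict[str, str]) -> Dict[str, object]:
    """Build the profile from validated fields only. The privileged 'role'
    attribute is never read from the request, so a tampered hidden field
    cannot change it."""
    errors = form_errors(params)
    if errors:
        raise ValueError("invalid fields: " + ", ".join(errors))
    return {"username": params["username"], "age": int(params["age"]),
            "bio": params.get("bio", ""), "role": "member"}


def render_profile(profile: Dict[str, object]) -> str:
    """Encode every user-controlled value for the HTML body context so it is
    displayed as text rather than interpreted as markup or script."""
    return "<h1>{u}</h1>\n<p>Age: {a}</p>\n<p>{b}</p>".format(
        u=html.escape(str(profile["username"])),
        a=int(profile["age"]),
        b=html.escape(str(profile["bio"])))


if __name__ == "__main__":
    submitted = {"username": "alice_1", "age": "30",
                 "bio": "I <3 Python & <b>bold</b>", "role": "admin"}
    profile = validate_profile_form(submitted)
    print(profile["role"])          # member, regardless of the submitted value
    print(render_profile(profile))  # angle brackets and ampersand are escaped
```

`html.escape` is correct only for text placed in the HTML body; a value placed inside a JavaScript string, a URL or a CSS property needs the encoder for that context, which is why templating engines that escape by default are the practical way to apply this everywhere.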
13
No 5. Buffer Overflow
14
A5. Buffer Overflow
  • Attackers use buffer overflows to corrupt the
    execution stack of a web application.
  • By sending carefully crafted input to a web
    application, an attacker can cause the web
    application to execute arbitrary code.
  • Buffer overflow flaws can be present in the
    web server or application server products that
    serve the static and dynamic parts of the site,
    or in the web application itself.

15
No 6. Injection Flaw
16
A6. Injection Flaw
  • Injection flaws allow attackers to relay
    malicious code through a web application to
    another system.
  • These attacks include calls to the operating
    system via system calls, the use of external
    programs via shell commands, as well as calls to
    backend databases via SQL (i.e., SQL injection).
  • SQL injection is a particularly widespread and
    dangerous form of injection.

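The slide's SQL injection case, as an added example that is not part of the deck: the same lookup written the vulnerable way (request data spliced into the SQL text) and the hardened way (a parameterised query). A legitimate name containing an apostrophe is enough to show that the concatenated version hands user data to the SQL parser as syntax, while the parameterised version only ever compares it as data. The table, columns and rows are constructed for the illustration.

```python
# Added example (not from the slides): query-text concatenation beside a
# parameterised query, on an in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; one name legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("o'brien", "obrien@example.com")])
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable: the request value becomes part of the SQL text, so any
    quote in it changes the statement's structure instead of its data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn: sqlite3.Connection, name: str):
    """Hardened: the statement is fixed; the driver sends the value separately
    and it is only ever compared as data."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def unsafe_query_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated statement cannot even be parsed for this
    input: the symptom that the input reached the SQL parser as syntax."""
    try:
        lookup_email_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_email_safe(db, "o'brien"))        # obrien@example.com
    print(unsafe_query_breaks_on(db, "o'brien"))   # True: the quote broke the statement
```

The same principle covers the slide's other two channels: pass arguments to an external program as a list (`subprocess.run([prog, arg])`) rather than building a shell command string, and call into the operating system through an API that takes the value as a parameter rather than as text to be interpreted.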
17
No 7. Improper Error Handling
18
A7. Improper Error Handling
  • Detailed internal error messages such as stack
    traces, database dumps, and error codes are
    displayed to the user (hacker).
  • These messages reveal implementation details that
    should never be revealed.
  • Such details can provide hackers important clues
    on potential flaws in the site and such messages
    are also disturbing to normal users.

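An added example (not from the deck) of the error-handling pattern that avoids this slide's problem: an error boundary that records the full stack trace server-side under a random incident reference and returns only a generic message plus that reference to the user, so support can correlate the report with the log entry without the response revealing implementation details. The in-memory log sink and the failing view are constructed for the illustration.

```python
# Added example (not from the slides): log the details, return a generic
# message and an incident reference.
import io
import logging
import secrets
import traceback
from typing import Callable, Tuple

# Constructed in-memory log sink so the example runs offline; a deployment
# would write to a file or a log service instead.
LOG_STREAM = io.StringIO()
_logger = logging.getLogger("app.errors")
_logger.setLevel(logging.ERROR)
_logger.addHandler(logging.StreamHandler(LOG_STREAM))
_logger.propagate = False


def handle(view: Callable[[], str]) -> Tuple[int, str]:
    """Run a view function and map any failure to a safe (status, body)."""
    try:
        return 200, view()
    except Exception:
        incident = secrets.token_hex(8)   # reference the user can quote to support
        _logger.error("incident %s\n%s", incident, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {incident}"


def log_contents() -> str:
    """What the server-side log received (for inspection and tests)."""
    return LOG_STREAM.getvalue()


def failing_view() -> str:
    # Constructed failure whose message carries internal details (host, port).
    raise ConnectionError("connection to db-host:5432 refused")


def healthy_view() -> str:
    return "<p>ok</p>"


if __name__ == "__main__":
    print(handle(healthy_view))
    print(handle(failing_view))   # generic message with a reference, no trace
    print(log_contents())         # the full trace, server-side only
```

The generic message should also be what the framework returns for errors raised outside your own handlers (404s, template errors, unhandled exceptions), since those default pages are the usual source of stack traces reaching users.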
19
No 8. Insecure Storage
20
A8. Insecure Storage
  • Failure to encrypt critical data
  • Insecure storage of keys, certificates, and
    passwords
  • Improper storage of secrets in memory
  • Poor sources of randomness
  • Poor choice of algorithm
  • Attempting to invent a new encryption algorithm
  • Failure to include support for encryption key
    changes and other required maintenance procedures

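An added example (not from the deck) that addresses several of these bullets for stored passwords: a salted, deliberately slow key-derivation function from the standard library rather than an invented scheme, randomness from the OS CSPRNG, constant-time comparison, and a self-describing record format so the work factor can be raised later without breaking existing users (the "support for encryption key changes and other required maintenance" bullet). The record format and the iteration count are choices made for this illustration.

```python
# Added example (not from the slides): password verifiers with PBKDF2-HMAC-SHA256,
# random salt, constant-time compare and an upgradeable record format.
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # chosen work factor; stored per record so it can be raised


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a record 'algorithm$iterations$salt$digest' for storage."""
    salt = secrets.token_bytes(16)                        # fresh, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:            # malformed record; base64 errors are ValueErrors too
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)       # no early exit on mismatch


def needs_rehash(stored: str) -> bool:
    """True when the record uses an older algorithm or a lower work factor than
    current policy. Call after a successful login and re-hash with the
    plaintext just verified; old records keep working until then."""
    algorithm, iterations_text = stored.split("$")[:2]
    return algorithm != ALGORITHM or int(iterations_text) < CURRENT_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong", record))                    # False
    old = hash_password("correct horse battery", iterations=100_000)
    print(needs_rehash(old), needs_rehash(record))             # True False
```

Passwords are the one case where a one-way function is the right "encryption"; for data that must be read back (keys, tokens, card numbers) the same slide's advice applies with a vetted authenticated-encryption library and keys held outside the application's own storage.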
21
No 9. Denial of Service
22
A9. Denial of Service
  • Attacks target web site resources such as:
      • Bandwidth
      • Database connections
      • Disk usage
      • CPU, memory
      • Threads
      • Application-specific resources

23
No 10. Insecure Configuration Management
24
A10. Insecure Configuration Management
  • Unpatched security flaws in the server software
  • Server software flaws or misconfigurations that
    permit directory listing and directory traversal
    attacks
  • Unnecessary default, backup, or sample files,
    including scripts, applications, configuration
    files, and web pages
  • Improper file and directory permissions
  • Unnecessary services enabled, including content
    management and remote administration
  • Default accounts with their default passwords

25
A10. Insecure Configuration Management
  • Administrative or debugging functions that are
    enabled or accessible
  • Overly informative error messages (more details
    in the error handling section)
  • Misconfigured SSL certificates and encryption
    settings
  • Use of self-signed certificates to achieve
    authentication and man-in-the-middle protection
  • Use of default certificates
  • Improper authentication with external systems

26
Recommended Action Points
27
Recommended Action Points
  • Regular vulnerability scanning from both internal
    and external perspectives.
  • Applying secure coding practices.
  • Complete code review by a third party.
  • Monitoring the latest published security
    vulnerabilities.
  • Applying the latest security patches.
  • Use of an application-level firewall.

28
Questions?
For more information, please email
phunghai_at_vietshield.com