Securing Web Applications - PowerPoint PPT Presentation

1 / 37

About This Presentation

Title:

Securing Web Applications

Description:

Min Song IS/CS698 Application Security Applications are part of your security perimeter. Application Security Attackers won t attack your firewall. – PowerPoint PPT presentation

Number of Views:228

Avg rating:3.0/5.0

Slides: 38

Provided by: webNjitE6

Category:

more less

Transcript and Presenter's Notes

Title: Securing Web Applications

1
Securing Web Applications

Min Song
IS/CS698

2
Application Security

Applications are part of your
security perimeter.

FIREWALL
BUSINESS
INTERNET
3
Application Security

Attackers wont attack your firewall.
Theyll attack your applications.

FIREWALL
BUSINESS
INTERNET
4
Application Security

or theyll walk through the door
(developers, administrators, users)

FIREWALL
BUSINESS
INTERNET
5
Application Security

or maybe just listen at the door (wireless,
newsgroups, job ads)

FIREWALL
BUSINESS
INTERNET
Information Leaks
6
Web Application Exploits

Footprinting
URL Manipulation
Cross-Site Scripting (XSS)
SQL Injection
Session Hijacking
Error Exploitation

7
Footprinting

CNN mentions your website
Instant traffic jam
Database gets overloaded and goes down
Web application cant get a connection
(Developer couldnt do much about it, so the code
lets it bubble up to the server)
The user sees a big, ugly Tomcat error message
with all the gory details

8
Footprinting in Action

Pointy-haired boss
Finds it annoying and unprofessional
Calls you in to interpret technical mumbo-jumbo
Knowledgeable user
Learns which server versions are running
Learns the name of JavaServer Pages (JSPs) and
other code components
Learns details about the database structure and
naming

9
Footprinting in Action

Attacker
Looks up server vulnerabilities
Tries accessing default server config pages
Tries to cause other kinds of errors to collect
more information
Tries SQL injection attack
Uses information to appear in-the-know during
social engineering attack

10
Footprinting Flavors

Errors (default application server behavior
prints out all the ugly details)
HTTP Response Headers
Powered by logos
Distinctive URL patterns
Default stylesheets/skins
Press releases
Job ads
Newsgroup or message board postings

11
Footprinting Fixes

Configure default server-level error pages
Test what happens when
Resources are unavailable
Pages are not found
Bugs cause unhandled exceptions
Dont give details about errors the user cant
fix (where possible, dont even admit that
theyre unexpected)
Dont give out specific product/version
information, either in error messages or
advertisements

12
URL Manipulation

User gets an email notification with an
invitation to visit her online profile at
http//www.acme.com/profile?userid2249
Cuts and pastes the link into the browser
Accidentally leaves off the 9
http//www.acme.com/profile?userid224
Gets a page with somebody elses personal
information

13
URL Manipulation in Action

Pointy-Haired Boss
Gets confused
Starts worrying about his own privacy
Knowledgeable user
Removes her own personal info immediately
Gets curious and looks through the other persons
information
Tries a few more IDs to see what happens

14
URL Manipulation in Action

Attacker
Looks for other URLs on the site that can be
manipulated
Finds admin functionality that shouldnt be
available
Writes a script to scrape confidential
information
Tries to guess other peoples usernames and
passwords based on their personal details
(username, birthday, etc.)
Uses personal info to impersonate others
Calls users and poses as company representative
who is looking at the same profile screen and
needs to confirm username and password
Asks company for ransom
Uses email addresses to launch cross-site
scripting attacks against users

15
URL Manipulation Flavors

Manipulating cookies
Manipulating form data
Both POSTs and GETs
Hidden form fields
ltselectgt values
Fishing for errors (footprinting)
Fishing for directory listings
Fishing for admin pages
Fishing for temp files (index.old, index.html)

16
URL Manipulation Fixes

Never trust client-side information
If you must rely on client-side tokens, sign and
encrypt them
Use programmatic security checks to implement
row-level security
Store authentication details in server-side
session, or re-check every time
Watch out for temp files

17
Cross-Site Scripting (XSS)

John visits an online bookstore
He copies the following book title from an HTML
email message
ltbgtArchitects Checklistlt/bgt
Pastes it into the search box
Website displays search terms in bold along with
results

18
XSS In Action

Knowledgeable user
Plays with search terms to see what else can get
through
Attacker
Tries entering JavaScript and watches it get
executed when the form is submitted
Looks at the name of the search form field and
figures out how to specify it through the URL
Sends an IM to a friend with a link that goes to
that site and displays a funny pop-up saying
Youve been hacked!

19
XSS In Action

Attacker
Constructs some JavaScript that reads a cookie
and resubmits it to a different site (under his
control)
Hex encodes it so its not obvious in a URL
http//ebay.com/SendFeedback?feedback223e3c7
363726970743e646f63756d656e2e6e
Emails the link to hundreds of users with a
message asking them to participate in a survey
Expects many of them to click the link
Expects that many of them are configured to
auto-login
Collects cookies as theyre sent to the site
Logs in and uses their accounts

20
XSS Flavors

Code Flaws
Feedback, reviews, message boards, etc.
Error messages that quote user input
Search results (w/terms)
Public user profiles
Trusted partner content
Exploits
Cookie/session theft
Execution of fraudulent transactions
Access to confidential information

21
XSS Fixes

Validate all user input
Never redisplay user input without cleaning out
any HTML and JavaScript
Filter out whatever you can
If you must display it verbatim, escape all of
the characters or display them within ltpregt tags
so that the browser wont interpret them

22
SQL Injection

Erin visits a site and searches for
Architects Checklist
She gets an error that says
Sorry, an unexpected error has occurred
Invalid SQL Syntax

23
SQL Injection in Action

Pointy-haired boss
Tries the search again
Assumes site is broken
Knowledgeable user
Realizes that the single quote is often used in
SQL statements to surround text
Tries searching for architect checklist
Gets results

24
SQL Injection in Action

Attacker
Views the HTML source for the page to look for
field names that might match the database columns
Imagines the SQL to be something like
select name, isbn from book where name like
architects checklist
Gets full list by searching for foo or name
like
Tries logging in as foo and gets the error
Tries logging in as
Username foo
Password bar or usernameadmin
Gets a page that says Welcome, admin

25
SQL Injection Flavors

Code for advanced searches and other criteria
screens constructs query using string
concatenation
Authentication module constructs login query
using string concatenation
Database or driver doesnt bind parameters

26
SQL Injection Fixes

Use PreparedStatements
Validate all user info
Strip out special characters
Never display SQL error messages to user
Use different field names for user interface and
database
Turn off unused database features
Limit database user privileges

27
Session hijacking/replay

What a boring presentation
Brian pops open his laptop and connects to the
hotels wireless network
Browses his web mail

28
Session hijacking in Action

Attacker
Fires up a wireless cracking program like Kismet
Watches Brians information go by
Notices him making requests to a web-based mail
service
Reads his email as it goes by

29
Session hijacking in Action

Attacker (continued)
Wonders what other mail Brian keeps on the server
Grabs Brians session cookie as it goes by
Makes her own request to the mail server with
that cookie and is automatically logged in
Reads through Brians saved messages to find all
sorts of usernames and passwords

30
Session hijacking Flavors

Network sniffing
To be fair, a lot of the 802.11 problem is on
Brians side, since hes browsing in the clear
over airwaves
Cookie Theft (e.g. through XSS)
Brute forcing session IDs
Trying over and over until a valid session is
found
Computing the next session ID by observing the
algorithm the server uses to generate them

31
Session hijacking Fixes

Run everything over HTTPS
At least, run all confidential information over
HTTPS
Dont write your own simple session management
If you do write something
match session key to IP address
alter session on every request so that you can
detect duplicates

32
Error exploitation

Erin visits a travel site and starts browsing for
8-day Alaskan cruises
She finds one she likes and sees that there are
40 cabins left
She starts to book the only remaining deluxe
cabin, but her credit card is declined
She tries to rebook with a different credit card,
but the deluxe cabin is taken

33
Error exploitation in Action

Pointy-haired boss
Books an Economy cabin
Knowledgeable user
Calls to verify that its not still reserved
based on her aborted booking attempt
Finds out that the cabin was accidentally
reserved and is really available

34
Error exploitation in Action

Attacker
Books a bunch of cabins
Using fake credit card numbers
Through an anonymous web redirector
Waits to see how long it takes for the company to
realize they werent really booked
Calls at the last minute and gets a great deal
since theyre so undersold

35
Error exploitation Flavors

Time-consuming processes
Reliance on cached values of prices or other data
(that may have been manipulated)
Broken/misconfigured transactions
Multiple operations may not be correctly grouped
into transactions
Transaction rollback may leave the database
consistent, but not revert changes to cached data
or other application state

36
Error exploitation Fixes