Post on 16-Jan-2016
CERN IT Department
CH-1211 Genève 23, Switzerland
www.cern.ch/it
Web application security
Sebastian Lopienski
& Marthe Engebretsen
CERN Computer Security Team
HEPiX Autumn 2009, LBL
See also: http://indico.cern.ch/contributionDisplay.py?contribId=38&sessionId=13&confId=27391
Outline
• Why Web applications
  – Threats
  – Web at CERN
  – Possible solutions
• Tools
  – Requirements
  – How they work
  – Commercial vs. open source
  – Pros and cons of some chosen ones
Web application security - 2
Focus on Web applications?
Web applications are:
• often much more useful than desktop software => popular
• often publicly available
• an easy target for attackers
  – finding vulnerable sites, automating and scaling attacks
• easy to develop
• not so easy to develop well and securely
• often vulnerable, thus making the server, the database, the internal network, data etc. insecure
Threats
• Web defacement
  – loss of reputation (clients, shareholders); fear, uncertainty and doubt
• information disclosure (lost data confidentiality)
  – e.g. business secrets, financial information, client database, medical data, government documents
• data loss (or lost data integrity)
• unauthorized access
  – functionality of the application abused
• denial of service
  – loss of availability or functionality (and revenue)
• "foot in the door" (attacker inside the firewall)
Web landscape at CERN
• many Web sites centrally hosted
  – official (35%), private (55%), test (10%)
  – Windows/IIS (65%), Linux/Apache (30%), SharePoint, J2EE
  – ~10% scriptable
• other hosts with Web ports open on the firewall
September 2008
Approaches
What to do?
• Provide training for Web application developers
• Limit the number of Web applications
• Harden the Web hosting service
• Perform vulnerability scanning
• Detect successful attacks
Tools - top requirements
• Handle automatic scanning of Web sites
• Easily parsable/processable reports
• Low false positive rate
  – preferred over a low false negative rate
Tools – how they work
1. Crawling
2. Scanning
3. Reporting
Scanning - HTTP requests
Probe values the scanners send in their HTTP requests (one per line; Wapiti 2.1.0 and W3AF both identify themselves in some of them):
http://www.google.fr/
/etc/passwd
c:\\boot.ini
../../../../../../../../../../etc/passwd
../../../../../../../../../../boot.ini
a;env
a);env
/e
¿'"(
sleep(4)#
1+and+sleep(4)#
')+and+sleep(4)='
"))+and+sleep(4)="
;waitfor+delay+'0:0:4'--
"));waitfor+delay+'0:0:4'--
benchmark(1000, MD5(1))#
1))+and+benchmark(10000000,MD5(1))#
pg_sleep(4)--
"))+and+pg_sleep(4)--
gt5mgbxkht
http://www.google.fr
Wapiti:+2.1.0+version
<SCrIPT>fake_alert("TbBPE8YaN3gA72vQAlao1")</SCrIPT>
|+ping+-c+4+localhost
run+ping+-n+3+localhost
&&+type+%SYSTEMROOT%\win.ini
;+type+%SYSTEMROOT%\win.ini
`/bin/cat+/etc/passwd`
run+type+%SYSTEMROOT%\win.ini
b"+OR+"81"="81
http://w3af.sourceforge.net/w3af/remoteFileInclude.html
../../../../../../../../../../../../../../../etc/passwd%00.php
C:\boot.ini
%SYSTEMROOT%\win.ini
C:\boot.ini%00.php
%SYSTEMROOT%\win.ini%00.php
d'z"0
<!--#include+file="/etc/passwd"-->
<!--#include+file="C:\boot.ini"-->
echo+'mlYRc'+.+'buwWR';
print+'mlYRc'+++'buwWR'
Response.Write("mlYRc+buwWR")
import+time;time.sleep(4);
Thread.sleep(4000);
hTtp://w3af.sf.net/
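The probe strings above are also what a scanner run looks like from the server side, which is what the "Detect successful attacks" approach needs. The following is an added example, not code from the slides or from Wapiti/W3AF: it parses Common Log Format access-log lines, URL-decodes each query parameter and assigns the value to a payload family using the probe list above as its signature source. The log lines are constructed for the example; the parameter names (index, main) are borrowed from the Wapiti sample later in the deck.

```python
"""Classify Web-scanner probe strings found in a Web server access log.

Added example, not code from the slides or from Wapiti/W3AF. The log lines
below are constructed; the signatures come from the probe list above.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# First match wins. Families whose payloads contain another family's markers
# (an SSI include names /etc/passwd, "&& type %SYSTEMROOT%\win.ini" names
# win.ini, Java's Thread.sleep contains "sleep(") are listed before the
# families they would otherwise be mistaken for.
SIGNATURES = [
    ("ssi_injection",     re.compile(r"<!--#include", re.I)),
    ("command_injection", re.compile(r"(^|[;|&`])\s*(env\b|ping\s+-[cn]\b|type\s+%|cat\s+/)|`/bin/", re.I)),
    ("path_traversal",    re.compile(r"(\.\./){2,}|/etc/passwd|boot\.ini|%SYSTEMROOT%|win\.ini", re.I)),
    ("code_eval",         re.compile(r"time\.sleep\(|Thread\.sleep\(|Response\.Write\(|^(echo|print)\s+'|^import\s+time", re.I)),
    ("sqli_time_based",   re.compile(r"\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(", re.I)),
    ("sqli_boolean",      re.compile(r"""["']\s*or\s*["']?\d+["']?\s*=\s*["']?\d+""", re.I)),
    ("xss",               re.compile(r"<script\b|</?frame>", re.I)),
    ("remote_url_probe",  re.compile(r"^[a-z]+://", re.I)),
]

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign request, then probes copied from the list above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2009:14:03:11 +0200] "GET /app/default2.php?index=1&main=experiments/documents.php HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2009:14:03:12 +0200] "GET /app/default2.php?index=../../../../../../../../../../etc/passwd%00.php HTTP/1.1" 200 410
10.0.0.5 - - [12/Oct/2009:14:03:13 +0200] "GET /app/default2.php?index=1+and+sleep(4)%23 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2009:14:03:14 +0200] "GET /app/default2.php?index=%3CSCrIPT%3Efake_alert(%22x%22)%3C/SCrIPT%3E HTTP/1.1" 200 5200
10.0.0.5 - - [12/Oct/2009:14:03:15 +0200] "GET /app/default2.php?index=a;env HTTP/1.1" 500 120
10.0.0.5 - - [12/Oct/2009:14:03:16 +0200] "GET /app/default2.php?index=%3C!--%23include+file=%22/etc/passwd%22--%3E HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2009:14:03:17 +0200] "GET /app/default2.php?index=http://w3af.sourceforge.net/w3af/remoteFileInclude.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2009:14:03:18 +0200] "GET /app/default2.php?index=Thread.sleep(4000); HTTP/1.1" 200 5120
"""


def classify_payload(value):
    """Return the payload family of one decoded parameter value, or None."""
    for family, pattern in SIGNATURES:
        if pattern.search(value):
            return family
    return None


def query_params(target):
    """(name, decoded value) pairs; split on '&' only, so that ';' inside a
    value such as a;env is not taken for a separator."""
    _, _, query = target.partition("?")
    pairs = []
    for chunk in query.split("&") if query else []:
        name, _, raw = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs


def scan_access_log(text):
    """One finding per parameter value that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m["target"].partition("?")[0]
        for name, value in query_params(m["target"]):
            family = classify_payload(value)
            if family:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "path": path, "param": name, "family": family, "value": value})
    return findings


def summarize(findings):
    """Findings per (client, family): one client hitting many families within
    seconds is the signature of an automated scanner run, not a single attacker."""
    return Counter((f["ip"], f["family"]) for f in findings)


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f'{f["time"]}  {f["ip"]:<10} {f["family"]:<18} {f["param"]}={f["value"]!r}')
    for (ip, family), n in sorted(summarize(results).items()):
        print(f"{ip}: {n} x {family}")
```

The signatures are deliberately narrow (the page's own probes, not a generic WAF ruleset), which is the same trade-off the "low false positive rate preferred" requirement makes: a benign value such as experiments/documents.php produces no finding, at the cost of missing probes that use none of these markers.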
Different tools
• HP WebInspect
• IBM Rational AppScan
• Acunetix WVS
• N-Stalker
• Syhunt Sandcat
• W3AF - Web Application Attack and Audit Framework
• Wapiti

• Cenzic Hailstorm
• Retina Web App Scanner
• NTOSpider
• Burp Suite
• CORE IMPACT Pro
• OWASP WebScarab Project
• MileSCAN
• WebKing

• WebApp360
• Typhon
• Nessus
• Nikto2
• Wikto
• Wfuzz
• Powerfuzzer
• SQLmap
• Cross Site Scripting Backdoor
• Acunetix XSS-Scanner
• Paros Proxy
• ProxyStrike
• Grabber
• Suru
• Burp Proxy
• OWASP Pantera Web Assessment Studio Project

5 commercial and 2 open source tools were tested against one "known-vulnerable" test site and several "unknown" test sites.
Known-vulnerable test site
• Cross-Site Scripting
  – Reflected
  – Permanent
• SQL Injection
  – Blind SQL Injection
• File Inclusions and Execution
  – Local/Directory traversal
  – Remote
• Information leakage
• Improper error handling
Disclaimer
The primary choice of Web application vulnerability assessment tools that we evaluated was arbitrary, and it is possible that a good tool was not tested during this evaluation. We have not followed any formal, scientific methodology when testing these tools. The tests were driven by our requirements, and we focused on some particular aspects and characteristics of tools while ignoring others – so conclusions may not be applicable in different environments.
Commercial tools
+ Scan both the application and the server
+ Allow customization of almost everything
+ Have powerful crawling, scanning and reporting engines
- Designed for GUI runs and reporting within the tool itself
- CLI based on settings from the GUI
- Internal formats or over-verbose XML reports
Open source tools
+ Designed for command line execution
+ Save data in open and parsable formats
+ Find the basic vulnerabilities with a low false positive rate
- Have a lower customization level, and find fewer vulnerabilities than the commercial tools
- Small development teams
- Somewhat unknown future
Acunetix WVS
Pros:
• Powerful tool
• Many possibilities to change settings and checks
• CLI is good and well documented
• Report generation through the CLI
• False positive handling within the tool
Cons:
• Failed to find some blind SQL injections
• Strange false positives
• Reports all variants of one vulnerability
• XML reports huge
Platform: Windows & MS SQL Server or Access
Price: € 2700 + € 800 maintenance
IBM Rational AppScan
Pros:
• Good GUI and reporting within the tool
• "Delta analysis" to compare the results of two scans of a site
• Python API for automatic scanning, and for adding functionality
Cons:
• CLI uses the settings of previous, manually-run scans
• Didn't find some SQL injection bugs
• XML reports messy
Platform: Windows
Price (educational): ~$10k (incl. 1y support)
HP WebInspect
Pros:
• Good GUI, especially reporting
• Crawling and scanning can be done simultaneously
• Lots of settings and custom-made policies
Cons:
• Unstable: crashed during installation and on syntax errors in the CLI
• Missed some SQL injection bugs
• Hard to read generated reports
• XML reports big/messy
Platform: Windows & MS SQL Server
Price: ? (> $10k)
W3AF – open source
Pros:
• Plug-in approach – use what you want, write your own tests
• Many plugins provided
• Active community (mailing list)
• Made for command line execution (but a GUI is available)
Cons:
• Some problems with the blind SQL injection and eval plugins (too many retries...)
• Strange false positives
• XML report badly structured
Requires: Windows/Linux, Python 2.5
Developers: ~10
Since: 2006
Releases: 3
Latest: W3AF 1.0-rc2
Revision: ~3000
Wapiti – open source
Pros:
• Finds fewer vulnerabilities (fewer false positives)
• Made for command line execution
• Very simple to use
• Good at finding SQL injection vulnerabilities
Cons:
• Finds fewer vulnerabilities (more false negatives)
• Very small community
• Returns MemoryError for some scans (looping?)
• Uncertain future?
Requires: Windows/Linux, Python 2.4
Developers: ~2
First release: June 2006
Releases: 13
Latest: Wapiti 2.1.0
Revision: ~100
Wapiti – sample results
<vulnerabilityType name="Cross Site Scripting">
  <vulnerabilityList>
    <vulnerability level="1">
      <url>
        http://xxx.web.cern.ch/xxx/default2.php?index="></frame><script>alert('qf3p4bpva2')</script>&main=experiments/documents.php
      </url>
      <parameter>
        index="></frame><script>alert('qf3p4bpva2')</script>&main=experiments/documents.php
      </parameter>
      <info>
        XSS (index)
      </info>
    </vulnerability>
  </vulnerabilityList>
</vulnerabilityType>
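The three stages of the "Tools – how they work" slide (crawling, scanning, reporting) and the report layout in the Wapiti sample above can be shown end to end in a few dozen lines. The block below is an added example, not code from the slides or from Wapiti: it crawls an in-memory Web site (a dict of path to handler, constructed for the example), injects a canary script into one parameter at a time, flags a parameter only when the payload comes back unescaped, and emits XML in the shape of the Wapiti sample. The host name, pages, parameter names and canary string are assumptions of this example.

```python
"""Crawl, scan, report: a minimal reflected-XSS scanner over a constructed site.

Added example, not code from the slides or from Wapiti. The site, its pages,
the parameter names and the canary are constructed for the example.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

BASE = "http://testsite.example"   # assumed host; nothing is contacted over the network


# --- constructed target site: each handler receives the decoded query parameters
def page_index(q):
    return ('<html><body><a href="/search.php?q=cern">search</a> '
            '<a href="/view.php?id=1&mode=full">view</a></body></html>')

def page_search(q):
    # vulnerable: the parameter is echoed into the HTML without escaping
    return f"<html><body>Results for {q.get('q', '')}</body></html>"

def page_view(q):
    # safe: every reflected value is HTML-escaped first
    return (f"<html><body>Item {html.escape(q.get('id', ''))} "
            f"({html.escape(q.get('mode', ''))})</body></html>")

SITE = {"/": page_index, "/search.php": page_search, "/view.php": page_view}

def fetch(url):
    """Stand-in for an HTTP client: (status, body) for a URL on the fake site."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(dict(parse_qsl(parts.query)))


LINK = re.compile(r'href="([^"]+)"', re.I)

def crawl(start, limit=50):
    """Stage 1: breadth-first crawl restricted to the start host; returns the URLs found."""
    host = urlsplit(start).netloc
    seen, queue, found = set(), [start], []
    while queue and len(found) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        found.append(url)
        for href in LINK.findall(body):
            link = urljoin(url, html.unescape(href))
            if urlsplit(link).netloc == host and link not in seen:
                queue.append(link)
    return found

def xss_payload(canary):
    # Closes the attribute/tag the value may land in, then injects a script
    # that only carries the canary, in the style of the Wapiti probe above.
    return f'"><script>alert(\'{canary}\')</script>'

def scan(urls, canary="qf3p4bpva2"):
    """Stage 2: inject the payload into one parameter at a time and report the
    parameter only when the payload comes back byte-for-byte unescaped."""
    payload, findings = xss_payload(canary), []
    for url in urls:
        parts = urlsplit(url)
        params = parse_qsl(parts.query)
        for i, (name, _) in enumerate(params):
            mutated = params[:i] + [(name, payload)] + params[i + 1:]
            raw_query = "&".join(f"{n}={v}" for n, v in mutated)
            status, body = fetch(urlunsplit(parts._replace(query=urlencode(mutated))))
            if status == 200 and payload in body:
                findings.append({"url": urlunsplit(parts._replace(query=raw_query)),
                                 "parameter": raw_query, "info": f"XSS ({name})"})
    return findings

def report(findings):
    """Stage 3: XML in the layout of the Wapiti sample (one vulnerabilityType)."""
    root = ET.Element("vulnerabilityType", name="Cross Site Scripting")
    vlist = ET.SubElement(root, "vulnerabilityList")
    for f in findings:
        v = ET.SubElement(vlist, "vulnerability", level="1")
        for tag in ("url", "parameter", "info"):
            ET.SubElement(v, tag).text = f[tag]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(report(scan(crawl(BASE + "/"))))
```

Requiring the exact payload back unescaped is what keeps the false positive rate low, which the requirements slide puts ahead of a low false negative rate: view.php escapes its parameters and is correctly left out of the report, while search.php, which echoes raw input, is reported with the parameter name in the info element just as the Wapiti output does.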
Summary/conclusion
• No tool is perfect
  – but they can still help you find basic vulnerabilities
• Commercial tools are made (and are good) for in-depth scanning of a few well-known sites
• Open source tools are less sophisticated, and are made for automatic runs
• Wapiti and W3AF chosen
  – a commercial tool may be used in the future for specific Web applications
Thank you!
Questions?
Sebastian.Lopienski@cern.ch