"The Web Is Broken" by Bipin Upadhyay

Post on 01-Sep-2014


Can be used as an introductory presentation to web security basics. Covers everything from attacks to prevention tips, organized neatly. http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/

Transcript of "The Web Is Broken" by Bipin Upadhyay

The Web Is Broken

Why every feature is, in fact, a loophole!

Bipin Upadhyay http://projectbee.org

“The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”

RoadMap

• Introduction

• Attacks

• The Arsenal

• Breaking the Web

• Preventing the Breakage


Who Am I?

• I am SpiderMan

• Apart from that, I:

– am a part of ADMS

– work on WebAppSec

– am co-author of a yet to be released book

• I can be pinged @:

– http://blog.projectbee.org

– Om-[AT]-PROJectBee-[DOT]-org

Web 1.0 versus Web 2.0


Technologies Involved


Fundamentals

Fundamentals, more or less, are still the same.

Fundamentals…

[Diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database]

Network Sec. versus Web Sec.

[Diagram: Attacker → Firewall/IDS/IPS → Web Server. Of ports 0–65535, the firewall leaves only 80 and 443 reachable.]

Network Sec. versus Web Sec…

[Diagram: Malicious or compromised Web Server → Firewall / NATed IP → Victim. The victim's browser connects out, so all ports 0–65535 on the server side are reachable from inside.]

How serious is the matter!

• 90% of web applications have serious vulnerabilities –Gartner Group

• 78% of attacks are at the web application level –Symantec

• XSS and SQLI replacing buffer overflows as the favourite hacker initiative –Mitre

• 8 to 9 of every 10 sites are vulnerable to XSS –WASC


What’s @ Stake

• Money

• Data

• Reputation

• Faith/Trust

• and…


What’s @ Stake…

• …


It’s a Mythical World out there…

• Myths often prevail over rationality.

• Myths are often the cause of devastation.

Myth Buster

• Myth: My developers have implemented security.

• Reality: Security ain’t no feature dude! It’s a metric.

Myth Buster…

• Myth: Security is a non-functional requirement.

• Reality: By definition, Yes!

Myth Buster…

• Myth: We use blah-blah framework. We’re safe.

• Reality: Frameworks are encouraged. Human brain isn’t.

Myth Buster…

• Myth: Java is secure by design.

• Reality: Maybe! But the web isn’t… nor is the human brain.

Myth Buster…

• Myth: SSL is secure from sniffing.

• Reality: Far from it. It’s difficult for sure, though.

Myth Buster…

• Myth: Stored procedures mean no SQL Injection.

• Reality: Not always.

Myth Buster…

• Myth: I use a firewall. I am safe.

• Reality: So what? Your browser ports are open.

Myth Buster…

• Myth: I use the latest antivirus and my system is patched.

• Reality: Big Deal!!!

Myth Buster…

• Myth: I browse the net from inside a LAN.

• Reality: Urghhh! Browser dude, browser!

Myth Buster…

• Myth: Human stupidity is infinite.

• Reality: There you go! ☺


Injection Attacks

• A form of attack where the user input manipulates the underlying platform in an undesired way.

• Several variants:

– SQL Injection

– Command Injection

– LDAP Injection

– XPATH Injection

– XML Injection

– JSON Injection


SQL Injections


XSS

• OWASP Top 10 2007 #1

• Any type of user input that is reflected back to the user without being sanitized or encoded.

• Input can be HTML, CSS, or JavaScript

• Two kinds: Persistent & Non-Persistent XSS

XSS…

• XSS attacks include, but are not limited to:

– Cookie Theft & Session Hijacking

– Site Defacement & Phishing

– Key logging

– History Theft

– Port Scanning

– CSRF & Web Worms

– DoS-ing

– … limited only by imagination


CSRF

• Also called Unauthorized Requests.

• The server is punished/exploited for trusting the user.

• CSRF is, arguably, more dangerous than XSS.

• Doesn’t necessarily require JavaScript.

• OWASP Top 10 2007 #5 (also called the Sleeping Giant)

Cookie Poisoning

• Cookies sometimes store confidential data

• This information can be manipulated for fun and profit, e.g., the price of a product on an ecommerce site.
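The price-in-a-cookie case above can at least be made tamper-evident. This is an added example (not from the slides): the server keeps a secret key and stores each cookie value with an HMAC tag bound to the cookie name, so an edited price fails verification. The secret key and the `price` cookie are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

def sign_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return "value.tag", tag = HMAC-SHA256 over "name=value".
    Including the name stops a signed value from being replayed under another cookie."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(name: str, raw: str, key: bytes = SERVER_KEY):
    """Return the cookie value if its tag verifies, else None (tampering detected).
    The tag is hex and never contains '.', so rpartition splits it off cleanly."""
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return value if hmac.compare_digest(tag, expected) else None

def demo():
    """Issue a signed price cookie, then check a copy whose price was edited."""
    cookie = sign_cookie("price", "499.00")
    tampered = "1.00." + cookie.rpartition(".")[2]   # edited price, original tag
    return verify_cookie("price", cookie), verify_cookie("price", tampered)
```

Signing only detects changes; the slide's better advice still stands: keep the price server-side and put nothing sensitive in the cookie at all.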

HTTP Response Splitting

• The attacker splits one HTTP response into two.

• Watch out for redirection scripts that place user input in response headers

• CR-LF (0x0d & 0x0a) is the key to response splitting

• Web/browser cache poisoning, XSS etc. attacks become possible
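Added example, not from the slides: a redirect handler that decodes the user-supplied target and refuses any CR, LF, or other control character before the value reaches the `Location` header, plus a status-line count that a test suite or WAF rule can use to confirm only one response was produced. The parameter name and redirect format are assumptions.

```python
import re
from urllib.parse import unquote

# A CR or LF inside a header value ends the header line early; CR-LF twice ends the
# header block, which is what lets a second, attacker-shaped response follow.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def safe_header_value(value: str) -> str:
    """Return value unchanged, or raise ValueError if it could break header structure."""
    if _CONTROL.search(value):
        raise ValueError("control character in header value")
    return value

def build_redirect(target_param: str) -> bytes:
    """Redirect-script sink. The parameter arrives URL-encoded, so decode it first
    and validate the decoded form; checking before decoding would miss %0d%0a."""
    location = safe_header_value(unquote(target_param))
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()

def count_status_lines(raw: bytes) -> int:
    """A single well-formed response contains exactly one status line."""
    return len(re.findall(rb"^HTTP/1\.[01] \d{3}", raw, re.M))

def is_splitting_attempt(target_param: str) -> bool:
    """True if the decoded parameter would be rejected; worth logging as an attack signal."""
    try:
        safe_header_value(unquote(target_param))
        return False
    except ValueError:
        return True
```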

Google Hacking

• Search engines index all permissible documents inside the web tree

• This data can be recovered using special queries:

– site:<sitename>

– inurl:<string>

– intitle:<string>

– filetype:<string>

Scary Cracks

• Credit Cards & Google

• Google.com UTF-7 XSS Vulnerability

• Yamanner

• “Samy is my Hero” OR Samy Worm

• Bank Of India Hack

• GMail CSRF Vulnerability


The Arsenal

• A Web browser

• Textbox/Textarea

• Iframe

• TamperData/TamperIE

• WebScarab

• Fuzzer (Crowbar)

• Google


Google Hacking

• Search engines index anything and everything

• Demo


Exploiting Mistakes

• Client side validation isn’t enough

• Demo

• “Clues in Codes/Comments”

• Demo

• Insecure implementation of “Forgot Password” feature

• Demo


Exploiting Mistakes…

• Too verbose error messages

• Demo

• Cookie Isn’t for sensitive data

• Demo

• Brute forcing Session id

• Demo


Exploiting Zero Days

• URI Vulnerabilities

• Demo


Injection Attacks

• SQL Injections

• Demo

• Command Injection

• Demo

• XPATH Injection

• Demo


XSS Family

• XSS (Cross Site Scripting)

• Demo

• XSS and encoding mistakes

• Demo

• CSRF, the sleeping Giant

• Demo


HTTP Response Splitting

• Why is the user evil?

• Demo


SDLC

• Integrate security into SDLC

Design → Coding → Testing → Deployment

Design Phase

• Stick to standards

• Encourage usage of well-proven frameworks

• Prefer Whitelisting over Blacklisting

• Prefer Onion Model over Garlic Model


Coding Phase

• Do NOT trust the user.

• Do NOT rely on Client side validation.

• Prefer HttpOnly Cookie to avoid cookie theft

• Use nonces to prevent CSRF

• Don’t just hash passwords, salt them too

• Avoid too verbose/meaningful error messages
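Three of the bullets above (HttpOnly cookies, CSRF nonces, salted password hashes) in working form. This is an added example, not code from the talk; the session is modelled as a plain dict and the `SID` cookie name is an assumption.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as "rounds$salt$digest" so the parameters
    travel with the record and rounds can be raised later without breaking old hashes."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def new_csrf_token(session: dict) -> str:
    """Per-session nonce: the form embeds it, and the state-changing handler
    must receive the same value back (a cross-site page cannot read it)."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token

def check_csrf(session: dict, submitted: Optional[str]) -> bool:
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id: HttpOnly keeps it out of document.cookie
    (so a script injection cannot read it), Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: SID={session_id}; HttpOnly; Secure; Path=/"
```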


Coding Phase…

• Proper encoding can avoid most problems

• Input Encoding

– prefer UTF-8 and ISO-8859-1

– refer to http://ha.ckers.org/charsets.html

• Output Encoding

– avoid rich HTML input from the user

– decimal encode input before displaying

– refer to the OWASP Encoding Project
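The “decimal encode input before displaying” rule, as an added example (not from the slides): every character outside ASCII letters and digits becomes a `&#NN;` entity, so nothing the user typed can open a tag or attribute, while the browser still renders the original text. The minimal five-character escape is shown beside it for comparison.

```python
import html

def decimal_encode(text: str) -> str:
    """Encode everything but ASCII alphanumerics as a decimal HTML entity.
    Aggressive but context-independent: safe in element text and quoted attributes alike."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#{ord(c)};" for c in text)

def escape_minimal(text: str) -> str:
    """The narrower alternative: escape only & < > " ' (fine for element text)."""
    return html.escape(text, quote=True)

def render_comment(user_text: str) -> str:
    """Page fragment built from untrusted input; the input is encoded, never parsed as HTML."""
    return f'<p class="comment">{decimal_encode(user_text)}</p>'

def decodes_back(text: str) -> bool:
    """The browser's view: decoding the entities gives the user's text back unchanged."""
    return html.unescape(decimal_encode(text)) == text
```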

Coding Phase…

• Sanitize anything that comes from the user.


Coding Phase…

• Filter Metacharacters:

– <   %3c

– >   %3e

– |   %7c

– `   %60

– &   %26

– (   %28

– CR  %0d

– LF  %0a

– ..

– /   %2f

– \   %5c

• RegExes are your friends

• Use Stored Procedures

• Prefer usage of bind variables in SQL statements
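Bind variables plus a whitelist regex, as an added example (not from the talk): the allowlist rejects anything that is not a plain username before a query is built, and the bound parameter keeps quote metacharacters as data even when the allowlist is absent. The in-memory SQLite table and its two rows are constructed for the demo.

```python
import re
import sqlite3

# Whitelist first (Design Phase slide): a username is ASCII letters, digits, dot or
# underscore, 3 to 32 characters. Everything else is rejected, not "cleaned".
USERNAME_RE = re.compile(r"^[A-Za-z0-9._]{3,32}$")

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user(db: sqlite3.Connection, name: str):
    """Allowlist check, then a bound parameter: the driver passes name as a value,
    so it is never interpreted as SQL text."""
    if not USERNAME_RE.match(name):
        return None                     # rejected before any SQL is built
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchone()

def count_rows_for(db: sqlite3.Connection, name: str) -> int:
    """No allowlist here on purpose: binding alone still treats quotes as literal
    characters, so a value containing the slide's metacharacters matches nothing."""
    return db.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]
```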

Testing Phase

• Code Auditing:

– OWASP LAPSE plugin (Java)

– SPI Dynamics’ DevInspect (Java & .NET), etc.

• Web Application Scanners:

– w3af

– Watchfire AppScan

– SPI Dynamics’ WebInspect, etc.

• No substitute for an experienced human eye

Deployment Phase

• Keep out of the Web Tree; use robots.txt

• Set minimal permissions

• Keep the system patched & patched

• Use a Web Application Firewall:

– urlScan

– ModSecurity

– SecureIIS, etc.

…but, most importantly

Education

Educate your developers.


Final Words

• www was designed for information exchange

• Today, too much is at stake

• Ignorance is no longer bliss

• Take responsibility and…

Final Words…

…be prepared.

“Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…”

–Ronald van den Heetkamp

…and Finally,

String.fromCharCode(84,104,97,110,107,32,89,111,117,33)

i.e., Thank You! ☺


Acknowledgements

• Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)

• http://flickr.com

• http://flickr.com/photos/jeanetteb1/1400824517

• http://flickr.com/photos/jbhalper/334521840

• http://flickr.com/photos/hondawang/566041603

• http://flickr.com/photos/14018070@N08/1438910620

• http://flickr.com/photos/44368636@N00/76684587

• http://www.cyberpunkreview.com/images/matrixreloaded63.jpg

• www.flickr.com/photos/johnengler/211482969

• http://www.flickr.com/photos/lamkevin/458083458

• http://www.flickr.com/photos/beavis/459281241

• http://flickr.com/photos/briansolis/326278887

• http://www.flickr.com/photos/focus2capture/297232107

• http://flickr.com/photos/complexify/97303317

• http://flickr.com/photos/amyking/142161588

• http://xkcd.com/327/

References

• http://search.yahoo.com (To be safer)

• http://0x000000.com

• http://ha.ckers.org

• http://sla.ckers.org

• http://gnucitizen.com

• XSS Attacks (Syngress Publications)

• PenTesting for Web Applications (Wrox)

• Hacking Exposed (Tata McGraw Hill)

• 19 Deadly Sins of Software Security (Tata McGraw Hill)

• OWASP & WASC

• David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and a lot many more

Got Questions???

Shoot them