Introduction to Web Application Security
![Page 1: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/1.jpg)
REX BOOTH, CISSP, PMP
SENIOR MANAGER, GRANT THORNTON LLP
Introduction to Web Application Security
![Page 2: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/2.jpg)
Introduction: Rex Booth
- Senior Manager at Grant Thornton
- 10+ years of IT experience
- Former web application developer
- Leads cybersecurity group for Grant Thornton's public sector practice
- Experience with information security from a variety of perspectives including developer, auditor, and ISSO
![Page 3: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/3.jpg)
Agenda
- Why target web applications?
- Web application attack surface overview
- Attack examples
  - Client layer attacks
  - Application layer attacks
  - Data layer attacks
  - 3rd party trust attacks
- Live Demonstration
- Best Practices and Remediation resources
- Questions
![Page 4: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/4.jpg)
Why target web applications?
1. Incentives
   - Valuable targets
     - Financial
     - Competitive advantage (corporate or national)
     - Force multiplier
     - Reputation / Prestige
2. Absence of effective deterrents
   - Soft targets: weak or poorly implemented security
   - Low cost of entry: cheap and easy access
   - "Wild West" mentality regarding probability of detection, capture and punishment
![Page 6: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/6.jpg)
Web application attack surface
Client layer:
- Code and functionality executed on the client side
- Various vulnerabilities
- Two key points:
  - Never trust client-supplied data
  - Don't introduce vulnerabilities by trying to offload cycles from the server to the client

Layer diagram:
- Client layer: HTML, JavaScript, Flash, etc.
- Application layer: Business logic (.Net, Java, etc.)
- Data layer: Access components, RDBMS
- 3rd Party Trusts
![Page 7: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/7.jpg)
Web application attack surface
Application layer:
- Expression and capture of business rules and business policy logic in code; workflows based on the ordered tasks of passing documents or data from one participant (a person or a software system) to another
- Do those expressions introduce vulnerabilities?
- Attacks on specific technology and poor implementation
![Page 8: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/8.jpg)
Web application attack surface
Data layer:
- Likely the most valuable component of your application to your organization
- Less focused on code and logic, more focused on good implementation and maintenance, and proper technology
![Page 9: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/9.jpg)
Web application attack surface
3rd Party Trusts:
- Critical to maintain awareness of system interactions
- Federal Sector: C&A, Interconnection Agreements
- Potential to affect all layers of the application
- Repeat the attack surfaces at the client, application and data layers for each 3rd party trust
![Page 11: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/11.jpg)
Injection Attacks
- SQL injection is the most common web attack
- An attacker inserts commands into input that is used to dynamically construct SQL queries
- The attacker may be able to view or modify any data in the database
- Severity can be equivalent to a full database compromise
- Other injections include XML, LDAP, code injection, and remote file inclusion
- Any action that takes input from the user and uses it in a query or function is a potential injection point
![Page 12: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/12.jpg)
SQL Injection Scenario
- You wish to edit your credit card number in your account profile on http://www.shoppingsite.com
- To verify your identity, the site asks for the last 4 digits of your credit card
- The application then passes your input to the following query:

```sql
SELECT * FROM credit_cards WHERE digits = 'your_input'
```
![Page 13: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/13.jpg)
SQL Injection Scenario
What if the attacker enters:

```
1234' OR '1' = '1
```

The full query then becomes:

```sql
SELECT * FROM credit_cards WHERE digits = '1234' OR '1' = '1';
```

The WHERE clause now evaluates to true for every row, so the query returns every card in the database instead of just the one matching the supplied digits.
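The scenario above, reproduced as an added example that is not part of the original slides: the string-built query from the slide is run beside a parameterized version against a constructed in-memory `credit_cards` table, so you can see that the same `1234' OR '1' = '1` input dumps every row from one and matches nothing in the other. Table contents, the `owner` column and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows standing in for the slide's credit_cards table.
SAMPLE_CARDS = [
    ("alice", "1234"),
    ("bob", "5678"),
    ("carol", "9012"),
]

def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credit_cards (owner TEXT, digits TEXT)")
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?)", SAMPLE_CARDS)
    return conn

def lookup_vulnerable(conn, user_input):
    """Mirror the slide: user input is spliced straight into the SQL text.

    Quote characters in user_input become part of the query's structure,
    which is exactly what lets the OR '1' = '1' clause slip in.
    """
    sql = "SELECT owner, digits FROM credit_cards WHERE digits = '%s'" % user_input
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_input):
    """Parameterized form of the same lookup.

    The driver sends the value separately from the statement, so the
    database only ever compares the digits column against the whole
    string the user typed; it cannot reinterpret it as SQL.
    """
    sql = "SELECT owner, digits FROM credit_cards WHERE digits = ?"
    return conn.execute(sql, (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1234' OR '1' = '1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row
    print("safe:      ", lookup_safe(db, payload))        # no rows
```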
![Page 14: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/14.jpg)
Cross Site Scripting (XSS)
- Affects the client web browser.
- Scripting code from a URL or HTML form gets rendered in the page sent by the server.
- 2 types of XSS:
  - Persistent / Stored: attack code gets stored in the application data store and affects all users who visit the page.
  - Non-Persistent / Reflected: attack code does not get stored and can only affect 1 user at a time.
- One of the most prolific and dangerous vulnerabilities on the web.
![Page 15: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/15.jpg)
Cross Site Scripting (XSS) Scenario
What if we change "shawn" to: `"><script>alert(document.cookie)</script>`
![Page 16: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/16.jpg)
Cross Site Scripting (XSS) Scenario
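The name-field scenario from the previous slide, as an added example that is not part of the original deck: a constructed profile form echoes the submitted name inside an HTML attribute, once with raw interpolation and once with output encoding, so the slide's payload can be seen either breaking out of the attribute or staying inert. The form markup and function names are assumptions made for this example.

```python
import html

# Constructed fragment of a profile page: the submitted name is echoed back
# inside an HTML attribute, as on the slide where "shawn" is replaced.
TEMPLATE = '<input type="text" name="name" value="{name}">'

# The payload shown on the slide.
SLIDE_PAYLOAD = '"><script>alert(document.cookie)</script>'

def render_vulnerable(name):
    """Raw interpolation: the input lands in the HTML exactly as typed.

    A leading double quote closes the value attribute, the > closes the
    tag, and everything after it is parsed as new markup.
    """
    return TEMPLATE.format(name=name)

def render_safe(name):
    """Output encoding for the HTML attribute context.

    html.escape turns & < > " and ' into entities, so the browser keeps the
    whole input inside the attribute value and never sees a new element.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))

def contains_script_element(page):
    """Crude check, for this example only: does a <script> tag appear in the
    markup that would be sent to the browser?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_vulnerable(SLIDE_PAYLOAD))  # <script> element now in the page
    print(render_safe(SLIDE_PAYLOAD))        # entities only, attribute intact
```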
![Page 17: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/17.jpg)
Cross Site Request Forgery (CSRF)
- Affects the client browser.
- The vulnerability allows an attacker to force the browser to fraudulently execute application functionality.
- Leverages the user's authenticated session on the target application.
- Not *really* a vulnerability, rather an exploit of expected functionality.
- Can be one of the most serious vulnerabilities in web applications.
![Page 18: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/18.jpg)
Authentication and Authorization
- Lack of authentication / authorization.
- Unauthorized data access.
- Unauthorized system functionality access.
- Predictable session identifiers.
- Session Fixation.
- Session Replay.
- Brute forcing of credentials.
![Page 19: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/19.jpg)
Session Fixation Example
- Session Fixation occurs when a session identifier is not refreshed after successful authentication.
- The following sequence describes an application vulnerable to Session Fixation:
  - When a user browses to www.whatever.com, they receive `Cookie: my_cookie=abcdefg`
  - After logging in, the application elevates `my_cookie=abcdefg` from unauthenticated to authenticated status
- Why is this a problem?
  - The initial value may have been sent over an unencrypted channel
  - Attacker could use XSS to set a known value in the target browser
  - The application may accept any value prior to authentication, making this even easier for an attacker
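The sequence above, as an added example that is not part of the original slides: a constructed in-memory session store implements the vulnerable login (the pre-authentication identifier `abcdefg` is simply promoted, and unknown values are accepted) next to the remediated login, which discards the anonymous session and issues a fresh random identifier only after the user is verified. The class, method names and token length are assumptions made for this example.

```python
import secrets

class SessionStore:
    """Toy in-memory session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self):
        """Issue an anonymous session, as on first visit to the site."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_fixation_prone(self, sid, user):
        """Vulnerable pattern from the slide.

        The identifier the browser arrived with is kept and merely marked
        authenticated. Unknown values are accepted too, the worst case the
        slide describes, so whoever chose the value now shares the session.
        """
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def login_safe(self, sid, user):
        """Remediation: regenerate the identifier on successful login.

        The pre-authentication session is destroyed and a new random id is
        bound to the authenticated user, so a value planted before login
        (over cleartext, via XSS, or by guessing) is now a dead cookie.
        """
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """Return the user bound to a session id, or None if unauthenticated/unknown."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

if __name__ == "__main__":
    store = SessionStore()
    print(store.login_fixation_prone("abcdefg", "victim"))  # still abcdefg
    print(store.login_safe("abcdefg", "victim") != "abcdefg")  # True
```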
![Page 20: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/20.jpg)
Business Logic Flaws
- A flaw in the design and/or implementation of the application's intended business logic. Examples:
  - Booking a ticket on a web application without paying.
  - Registering an account without completing all required steps.
  - Applying the same coupon/discount multiple times on the same order.
  - Account lockout on auction sites.
  - Setting your own pricing on a product.
- No way to detect this type of vulnerability using automated tools.
![Page 21: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/21.jpg)
Host and 3rd Party Code
- Keeping up with patches
  - Patch management
  - 3rd party code dependency updates
- Host security
  - Unused network services
  - Password policy
  - Brute forcing
  - Logging
  - Hidden/old/unreferenced files
- Building a good relationship with SysAdmins
![Page 24: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/24.jpg)
Best Practices Summary
- Input validation and output encoding
- Strong authentication and password management
- Effective access controls
- Safe error handling and meaningful logging
- Protection of data at rest and in motion
- Proper system and database configuration

See the OWASP Secure Coding Practices Quick Reference Guide for more information.
![Page 25: Introduction to Web Application Security](https://reader034.fdocuments.us/reader034/viewer/2022051702/568138e0550346895da09441/html5/thumbnails/25.jpg)
Remediation Resources
- Incorporating security into the SDLC
  - https://buildsecurityin.us-cert.gov
  - http://www.owasp.org
  - http://www.webappsec.org/
- Post-deployment remediation
  - Two basic approaches: fix the underlying problem, or get in between the threat and the asset
  - The latter, including web application firewalls, is not a panacea, but can be useful