REX BOOTH, CISSP, PMPSENIOR MANAGER, GRANT THORNTON LLP

Introduction to Web Application Security

Introduction: Rex Booth

Senior Manager at Grant Thornton10+ years of IT experienceFormer web application developerLeads cybersecurity group for Grant Thornton's

public sector practiceExperience with information security from a variety

of perspectives including developer, auditor, and ISSO

Agenda

Why target web applications?Web application attack surface overviewAttack examples

Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks

Live DemonstrationBest Practices and Remediation resourcesQuestions

3

Why target web applications?

1. Incentives Valuable targets

FinancialCompetitive advantage (corporate or national)Force multiplier

Reputation / Prestige

2. Absence of effective deterrents Soft targets: Weak or poorly implemented security Low cost of entry: cheap and easy access “Wild West” mentality regarding probability of

detection, capture and punishment4

Agenda

Why target web applications?Web application attack surface overviewAttack examples

Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks

Live DemonstrationBest Practices and Remediation resourcesQuestions

5

Web application attack surface

Client layer: Code and functionality executed on the client-side Various vulnerabilities Two key points:

Never trust client-supplied data Don’t introduce vulnerabilities by trying to offload cycles

from the server to the client6

Client layer: HTML, JavaScript, Flash, etc

Application layer: Business logic (.Net, Java, etc)

Data layer: Access components, RDBMS

3rd Party Trust

s

Web application attack surface

Application layer: Expression and capture of business rules and business policy

logic in code; Workflows based on the ordered tasks of passing documents or

data from one participant (a person or a software system) to another; Do those expressions introduce vulnerabilities?

Attacks on specific technology and poor implementation 7

Client layer: HTML, JavaScript, Flash, etc

Application layer: Business logic (.Net, Java, etc)

Data layer: Access components, RDBMS

3rd Party Trust

s

Web application attack surface

Data layer: Likely the most valuable component of your application to your

organization Less focused on code and logic, more focused on good

implementation and maintenance, proper technology

8

Client layer: HTML, JavaScript, Flash, etc

Application layer: Business logic (.Net, Java, etc)

Data layer: Access components, RDBMS

3rd Party Trust

s

Web application attack surface

3rd Party Trusts: Critical to maintain awareness of system interactions

Federal Sector C&A Interconnection Agreements Potential to affect all layers of the application

Repeat the attack surfaces at the client, application and data layers for each 3rd party trust

9

Client layer: HTML, JavaScript, Flash, etc

Application layer: Business logic (.Net, Java, etc)

Data layer: Access components, RDBMS

3rd Party Trust

s

Agenda

Why target web applications?Web application attack surface overviewAttack examples

Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks

Live DemonstrationBest Practices and Remediation resourcesQuestions

10

Injection Attacks

SQL injection is the most common web attack An attacker inserts commands that are used to

dynamically construct SQL queries Attacker may be able to view or modify any data

in a database Severity can be equivalent to a full database

compromiseOther injections include XML, LDAP, code

injection, remote file inclusionsAny action that takes input from the user and

uses it in a query or function

SQL Injection Scenario

You wish to edit your credit card number in your account profile on

http://www.shoppingsite.comTo verify your identity, the site asks for the

last 4 digits of your credit cardThe application then passes your input to

the following querySELECT * FROM credit_cards WHERE digits

= ‘your_input’

SQL Injection Scenario

What if the attacker enters1234’ OR ‘1’ = ‘1

The full query then becomes

SELECT * FROM credit_cards WHERE digits = ‘1234’ OR ‘1’ = ‘1’;

This query will always return true and, therefore, will return every card in the database.

Cross Site Scripting (XSS)

Affects the client web browser.Scripting code from URL or HTML Form gets

rendered in the page sent by the server.2 types of XSS

Persistent / Stored: attack code gets stored in the application data store and affects all users who visit the page.

Non-Persistent / Reflected: attack code does not get stored and can only affect 1 user at a time.

One of the most prolific and dangerous vulnerabilities on the web.

Cross Site Scripting (XSS) Scenario

What if we change “shawn” to: “><script>alert(document.cookie)</script>

Cross Site Scripting (XSS) Scenario

Cross Site Request Forgery (CSRF)

Affects the client browser.The vulnerability allows an attacker to force

the browser to fraudulently execute application functionality.

Leverages the user’s authenticated session on the target application.

Not *really* a vulnerability, rather an exploit of expected functionality.

Can be one of the most serious vulnerabilities in web applications.

Authentication and Authorization

Lack of authentication / authorization.Unauthorized data access.Unauthorized system functionality access.Predictable session identifiers.Session Fixation. Session Replay.Brute forcing of credentials.

Session Fixation Example

Session Fixation occurs when a session identifier is not refreshed after successful authentication

The following sequence describes an application vulnerable to Session Fixation: When a user browses to www.whatever.com, they receive

Cookie: my_cookie=abcdefg After logging in, the application elevates my_cookie=abcdefg

from unauthenticated to authenticated statusWhy is this a problem?

The initial value may have been sent over an unencrypted channel

Attacker could use XSS to set a known value in the target browser

The application may accept any value prior to authentication, making this even easier for an attacker

Business Logic Flaws

Flaw in the design and/or implementation of the project design. Booking a ticket on a web application without

paying. Registering an account without completing all

required steps. Apply the same coupon/discount multiple times

on the same order. Account lockout on auction sites. Setting your own pricing on a product.

No way to detect this type of vulnerability using automated tools.

Host and 3rd Party Code

Keeping up with patches Patch management 3rd party code dependency updates

Host security Unused network services Password Policy Brute forcing Logging Hidden/Old/Unreferenced files

Building a good relationship with SysAdmins

Agenda

Why target web applications?Web application attack surface overviewAttack examples

Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks

Live DemonstrationBest Practices and Remediation resourcesQuestions

22

Agenda

Why target web applications?Web application attack surface overviewAttack examples

Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks

Live DemonstrationBest Practices and Remediation resourcesQuestions

23

Best Practices Summary

Input validation and output encodingStrong authentication and password

managementEffective access controlsSafe error handling and meaningful loggingProtection of data at rest and in motionProper system and database configuration

See the OWASP Secure Coding Practices Quick Reference Guide for more information

Remediation Resources

Incorporating security into the SDLC https://buildsecurityin.us-cert.gov http://www.owasp.org http://www.webappsec.org/

Post-deployment remediation Two basic approaches: fix the underlying problem or

get in between the threat and the asset The latter, including web application firewalls, are not

a panacea, but can be useful

Questions

Ask now or contact via email: Rex.Booth@us.gt.com