Presentation on Web Attacks

Page 1: Presentation on Web Attacks

Presentation on Web Attacks
By: Vivek Sinha Anurag

Page 2: Presentation on Web Attacks

Agenda

• OWASP Top-5 Attacks
▫ Injection Attacks (SQLi, XPath Injection, Command Injection)
▫ XSS
▫ Broken Authentication & Authorization (Session Management Flaws)
▫ CSRF
▫ Sensitive Data Exposure (PII, PCI, SSL)
• Slow Attacks:
▫ Slow Read
▫ Slow GET
▫ Slow POST

Page 3: Presentation on Web Attacks

Injection Attacks

• SQLi
• XPath Injection
• Command Injection

Page 4: Presentation on Web Attacks

SQL Injection

• It is a code injection technique used to attack data-driven apps, in which malicious SQL statements are inserted into an entry field for execution.
▫ Example input: ' or '1'='1
▫ Query built from the entry fields: select * from Users where (username = 'submittedUser' and password = 'submittedPassword');

• Prevention
▫ Sanitizing inputs
▫ Using escape characters
▫ Using parameterized queries
▫ Using stored procedures
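The slide's login query, first built by string concatenation and then with a parameterized query, as an added example that is not part of the presentation. It assumes an in-memory SQLite table constructed here (plaintext password column kept only to mirror the slide's query).

```python
import sqlite3

# Constructed in-memory Users table for the demo; the schema matches the slide's query.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")

def login_vulnerable(submitted_user, submitted_password):
    """The slide's query built by string concatenation: the input becomes part of the SQL."""
    sql = ("select * from Users where (username = '" + submitted_user +
           "' and password = '" + submitted_password + "')")
    return conn.execute(sql).fetchall()

def login_parameterized(submitted_user, submitted_password):
    """Same query with placeholders: the driver passes the values separately, as data."""
    sql = "select * from Users where (username = ? and password = ?)"
    return conn.execute(sql, (submitted_user, submitted_password)).fetchall()

if __name__ == "__main__":
    payload = "' or '1'='1"                        # the input shown on the slide
    print(login_vulnerable(payload, payload))      # every row comes back: login bypassed
    print(login_parameterized(payload, payload))   # []: no user has that literal name
```

With the payload in both fields the concatenated WHERE clause becomes `username = '' or '1'='1' and password = '' or '1'='1'`, which is true for every row; the parameterized form compares the literal string and matches nothing.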

Page 5: Presentation on Web Attacks

XPath Injection

• Similar to SQLi, this is a technique where the attacker manipulates the input data to extract the desired information from the XML document in which the data is stored. Malformed data is provided in the input.
▫ Eg: ' or '1'='1 in USER/PASS

• Prevention
▫ Using a parameterized XPath interface
▫ Escaping the input characters
▫ Using precompiled XPath queries

Page 6: Presentation on Web Attacks

Command Injection

• It is a technique to inject and execute OS commands specified by an attacker in the vulnerable app.

• In most cases it is possible due to a lack of input data validation, which lets the attacker manipulate the command.

• Prevention:
▫ Always validate the input data
▫ Run the app with the minimum permissions possible
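The two prevention points applied to a typical "ping a host" feature, as an added example that is not part of the presentation: the input is validated against an assumed hostname grammar and then passed as an argument vector rather than a shell string.

```python
import re
import subprocess

# Hostname grammar assumed for this example: DNS labels only, so no shell
# metacharacters (; | & $ ` etc.) and no leading '-' that could be read as an option.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(r"%s(?:\.%s)*" % (LABEL, LABEL))

def is_valid_host(host):
    """Allow-list validation: accept only what a hostname may look like."""
    return isinstance(host, str) and len(host) <= 253 and HOST_RE.fullmatch(host) is not None

def vulnerable_command(host):
    """The shape the slide describes: user input pasted into a shell command line.
    Handed to os.system() or shell=True, the shell would interpret every metacharacter."""
    return "ping -c 1 " + host

def build_ping_argv(host):
    """Hardened form: validated input placed in an argument vector, never in a shell string."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]

def ping(host):
    """shell=False (the default) with a list never spawns /bin/sh, so the
    argument reaches ping as a single string whatever characters it holds."""
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True).returncode
```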

Page 7: Presentation on Web Attacks

XSS Attacks

• Persistent
▫ Occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

• Non-Persistent
▫ Occurs when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.

• DOM based
▫ The attack payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script.

Page 8: Presentation on Web Attacks

XSS Attacks

• Prevention
▫ Escaping/Encoding of string input
▫ Safely validating untrusted HTML input
▫ Whitelist/Blacklist based HTML tags
▫ Disabling Scripts
▫ Implementation of Cookie with additional parameters, like IP

Page 9: Presentation on Web Attacks

Broken Auth

OWASP Definition:
Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

• Broken Authentication
• Broken Authorization
• Session Management Flaws

Page 10: Presentation on Web Attacks

Broken Auth

• Protection:
▫ Password Change Controls
▫ Password Strength
▫ Password Expiration
▫ Password Storage
▫ Protection In Transit
▫ Avoid Cookieless Sessions
▫ Avoid homegrown authentication schemes
▫ Look into the IP/Location/Browser/OS combination
▫ Always have a unique session ID bound with the IP
▫ Double-check the password on certain activity
▫ Expire sessions early
▫ Don't forget the logout button [which should destroy the server/client session]
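Three of the protections above (password storage, expiring sessions early, a logout that destroys the server-side session) in one small session layer, as an added example that is not part of the presentation. The PBKDF2 iteration count and the idle window are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import time

# Parameters assumed for this example; the presentation names the controls, not the values.
PBKDF2_ROUNDS = 100_000
SESSION_IDLE_SECONDS = 15 * 60
USERS = {}       # username -> (salt, pbkdf2 digest); constructed store
SESSIONS = {}    # session id -> {"user": ..., "last_seen": ...}; constructed store

def store_password(username, password):
    """Password storage: per-user salt plus PBKDF2-HMAC-SHA256, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)

def check_password(username, password):
    # Unknown users still cost a full PBKDF2 run, so timing does not reveal who exists.
    salt, digest = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return username in USERS and hmac.compare_digest(candidate, digest)

def login(username, password, now=None):
    """Returns a fresh, unguessable session id, or None on bad credentials."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "last_seen": time.time() if now is None else now}
    return sid

def current_user(sid, now=None):
    """Expire sessions early: an idle session is destroyed on its first use after the window."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_IDLE_SECONDS:
        SESSIONS.pop(sid, None)
        return None
    sess["last_seen"] = now
    return sess["user"]

def logout(sid):
    """Logout destroys the server-side session, not just the browser's cookie."""
    SESSIONS.pop(sid, None)
```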

Page 11: Presentation on Web Attacks

CSRF (Cross Site Request Forgery)

OWASP Definition:
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

Page 12: Presentation on Web Attacks

CSRF

[Diagram] Someblog.net → victim's browser → https://bank.com/fn?param=1 (sent with the bank session cookie JSESSIONID=AC934234…) → Somebank.net

Page 13: Presentation on Web Attacks

CSRF Prevention

• Captcha
• Re-Authentication
▫ Password Based
▫ One-Time Token
• Unique Request Tokens
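The "unique request tokens" defence for the bank endpoint in the diagram, as an added example that is not part of the presentation: a per-session token is embedded in each state-changing form and checked on submission, so a request that carries only the session cookie is refused. The session store and status codes are assumptions for the demo.

```python
import hmac
import secrets

# Server-side session store constructed for this example (session id -> state).
SESSIONS = {}

def new_session():
    """Each login gets a random session id and its own random CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Value the server embeds as a hidden field in every state-changing form it renders."""
    return SESSIONS[sid]["csrf"]

def verify_csrf(sid, submitted):
    """True only when the submitted token is the one bound to this session."""
    expected = SESSIONS.get(sid, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison

def handle_transfer(cookie_sid, form):
    """Models the bank endpoint in the diagram: the session cookie alone must not authorise the action."""
    if cookie_sid not in SESSIONS:
        return 401                      # not logged in
    if not verify_csrf(cookie_sid, form.get("csrf_token")):
        return 403                      # cookie present but token missing or wrong: treat as forged
    # ... perform the state change here ...
    return 200
```

A page on Someblog.net can make the browser send the cookie, but it cannot read the token out of the bank's form, so its request arrives without it and is rejected.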

Page 14: Presentation on Web Attacks

Sensitive Data Exposure

• PII (Personally Identifiable Information)
▫ Sensitive and Non-Sensitive PII

• PCI Compliance
▫ It assures that the CC (credit card) data is secured

• SSL
▫ Always use strong ciphers and disable renegotiation
▫ Make sure that the private key is always secured.

Page 15: Presentation on Web Attacks

PCI

• Requirements
▫ Build and Maintain a Secure Network: firewalls, don't use default passwords
▫ Protect Cardholder Data: protect the stored data, encrypt the data while transmitting it
▫ Maintain a Vulnerability Management Program: updated antivirus, develop/maintain secure systems and apps
▫ Implement Strong Access Control Measures: restricted access, unique IDs for the people who have access, restrict physical access
▫ Regularly Monitor and Test Networks: track and monitor all access, regularly test security systems
▫ Maintain an Information Security Policy: maintain a policy that addresses information security

Page 16: Presentation on Web Attacks

Slow Attacks

• Slow Read
• Slow GET
• Slow POST

Difficult to detect
Can be used from a single computer
Can bypass a traditional WAF

Page 17: Presentation on Web Attacks

Slow Read

• Attacker creates multiple connections to the server
• Advertises that the receiving window size is very small
• Keeps the connection open for a very long time
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest

Page 18: Presentation on Web Attacks

Slow GET

• Attacker creates multiple connections to the server
• Sends GET requests at a very slow rate
• Server keeps waiting for completion of the headers
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest, Slowloris

Page 19: Presentation on Web Attacks

Slow POST

• Attacker creates multiple connections to the server
• Sends headers and advertises a fixed content length
• Sends the POST body at a very slow rate
• Server keeps waiting for completion of the POST body
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest, RUDY

Page 20: Presentation on Web Attacks

Slow Attacks - Protection

• Drop connections whose HTTP method is not supported by the URL
• Limit the header and message body to a minimal reasonable length
• Set an absolute connection timeout, if possible
• Try to maximize the server's maximum number of connections
• Define a minimum incoming data rate
• Define the maximum number of concurrent connections from the same IP
• Blacklist the known attack user-agents [Slowloris uses *MSIE*MSOffice 12*]
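Three of the protections above (absolute connection timeout, minimum incoming data rate, per-IP connection cap) as a triage routine run over a constructed snapshot of open connections, as an added example that is not part of the presentation. The thresholds, the grace period and the sample data are assumptions; the rate check models slow GET and slow POST, where bytes from the client trickle in.

```python
from collections import namedtuple

# Thresholds assumed for this example; the presentation names the controls, not the values.
MIN_RATE_BPS = 50.0        # minimum incoming data rate (bytes per second)
GRACE_SECONDS = 5.0        # a connection younger than this is not rate-judged yet
ABSOLUTE_TIMEOUT = 30.0    # absolute connection timeout (seconds)
MAX_PER_IP = 3             # maximum concurrent connections from the same IP

# One snapshot of an open connection: when it opened, the time now, bytes received so far.
Sample = namedtuple("Sample", "conn_id src_ip t_open t_now bytes_received")

def verdict(s):
    """'drop' or 'keep' for a single connection, independent of the others."""
    age = s.t_now - s.t_open
    if age >= ABSOLUTE_TIMEOUT:
        return "drop"                       # held open too long, whatever it is doing
    if age >= GRACE_SECONDS and s.bytes_received / age < MIN_RATE_BPS:
        return "drop"                       # headers/body trickling in: slow GET / slow POST
    return "keep"

def triage(samples):
    """Applies verdict() to every connection, then the per-IP cap to the survivors."""
    decisions = {s.conn_id: verdict(s) for s in samples}
    kept_by_ip = {}
    for s in sorted(samples, key=lambda x: x.t_open):   # oldest connections first
        if decisions[s.conn_id] == "keep":
            kept_by_ip.setdefault(s.src_ip, []).append(s.conn_id)
    for conns in kept_by_ip.values():
        for conn_id in conns[MAX_PER_IP:]:               # newest beyond the cap are dropped
            decisions[conn_id] = "drop"
    return decisions

# Constructed snapshot (RFC 5737 documentation addresses), all taken at t = 1000.
NOW = 1000.0
SAMPLES = [
    Sample("c1", "198.51.100.7", NOW - 3, NOW, 40),     # too young to judge: keep
    Sample("c2", "198.51.100.7", NOW - 20, NOW, 200),   # 10 B/s for 20 s: drop
    Sample("c3", "203.0.113.5", NOW - 10, NOW, 4000),   # healthy upload: keep
    Sample("c4", "203.0.113.5", NOW - 45, NOW, 9000),   # past the absolute timeout: drop
    Sample("c5", "192.0.2.9", NOW - 4, NOW, 100),       # four young connections from
    Sample("c6", "192.0.2.9", NOW - 3, NOW, 100),       # one IP: the newest one (c8)
    Sample("c7", "192.0.2.9", NOW - 2, NOW, 100),       # exceeds MAX_PER_IP
    Sample("c8", "192.0.2.9", NOW - 1, NOW, 100),
]

if __name__ == "__main__":
    for conn_id, decision in sorted(triage(SAMPLES).items()):
        print(conn_id, decision)
```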

Page 21: Presentation on Web Attacks

Questions?

Page 22: Presentation on Web Attacks

Thanks