Web Application Security Introduction
![Page 1: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/1.jpg)
Web Application Security Introduction
V1.0.3 (11.04.2023)
Björn Kimminich
https://twitter.com/bkimminich
https://linkedin.com/in/bkimminich
https://google.com/+BjörnKimminich
http://slideshare.net/BjrnKimminich
![Page 2: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/2.jpg)
Björn Kimminich
2007+ Software Architect & Security Officer at Kuehne+Nagel Corporate Web Development
2011+ Part-time lecturer for Java & Agile Software Development at private UAS Nordakademie
2012+ OWASP Member & QA Developer, OWASP Zed Attack Proxy (ZAP)
![Page 3: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/3.jpg)
Motivation
![Page 4: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/4.jpg)
Phishing
![Page 5: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/5.jpg)
Site Defacement
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
![Page 6: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/6.jpg)
Site Defacement II
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
![Page 7: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/7.jpg)
Site Defacement III
Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html
![Page 8: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/8.jpg)
Worst Case Security Breach
Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111
![Page 9: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/9.jpg)
Why Web Application Security is a High Priority
Web Applications have become the #1 target
75% of Attacks target the Application Layer (Gartner)
Most Web Applications are vulnerable
95% of Web Applications have some sort of vulnerability (Imperva)
78% of easily exploitable weaknesses occur in Web Applications (Symantec)
Web Applications are valuable targets
Customer data, Credit Cards, ID Theft, Fraud, …
Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment
![Page 10: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/10.jpg)
Top 10 Malware Distribution Sites (Symantec, 2013)
Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
„61 percent of malicious sites are actually regular websites that have been compromised and infected with malicious code.“
![Page 11: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/11.jpg)
OWASP Top 10
![Page 12: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/12.jpg)
OWASP
Open Web Application Security Project
Open community
Non-profit organization
Core purpose: Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software
https://www.owasp.org
Source: https://www.owasp.org
![Page 13: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/13.jpg)
OWASP Top Ten 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Action Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
![Page 14: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/14.jpg)
Injection
![Page 15: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/15.jpg)
Some simple authentication query
```sql
SELECT user_id
FROM user_data
WHERE user_name = 'bkimminich'
AND user_password = '680e89[…]75ab';
```

The query is assembled on the server by concatenating request parameters straight into the SQL text:

```java
// …
String query = "SELECT user_id FROM user_data WHERE "
    + "user_name = '" + req.getParameter("user") + "'"
    + " AND user_password = '" + req.getParameter("password") + "'";
// …
```
![Page 16: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/16.jpg)
SQL Injection Example
With `' or 1=1--` supplied as user name, the concatenated text becomes a different query: the `--` comments out the password check and `1=1` is always true.

```sql
SELECT user_id
FROM user_data
WHERE user_name = '' or 1=1--' AND user_password = '1234';
```

```java
// …
String query = "SELECT user_id FROM user_data WHERE "
    + "user_name = '" + req.getParameter("user") + "'"
    + " AND user_password = '" + req.getParameter("password") + "'";
// …
```
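The bypass above and the prepared-statement fix from the Protection slides, shown end to end as an added example that is not part of the original deck. It uses Python with the standard-library `sqlite3` module instead of the slide's Java/JDBC so that it runs stand-alone offline; the `user_data` table, its two rows and the SHA-256 stand-in for the hashed password column are constructed for the example. `login_vulnerable` builds the query exactly like the slide's string concatenation; `login_parameterized` sends the same values through bind variables.

```python
import hashlib
import sqlite3


def hash_password(password):
    # Stand-in for the hashed user_password column ('680e89[...]75ab' on the slide).
    # Plain SHA-256 keeps the example short; production code needs a salted, slow hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed sample table mirroring the slide's user_data schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER PRIMARY KEY, "
        "user_name TEXT NOT NULL, user_password TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO user_data (user_id, user_name, user_password) VALUES (?, ?, ?)",
        [
            (1, "bkimminich", hash_password("correct horse battery staple")),
            (2, "alice", hash_password("hunter2")),
        ],
    )
    return conn


def login_vulnerable(conn, user, password):
    """Same construction as the slide's Java: the user name is pasted into the SQL
    text, so SQL metacharacters in it change the statement. Returns the matched
    user_ids; the login 'succeeds' whenever at least one row comes back."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + user
        + "' AND user_password = '" + hash_password(password) + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, user, password):
    """The fix: bind variables. The SQL text is a constant; the driver hands the
    values to the engine separately, so they are compared as data, never parsed."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    return sorted(row[0] for row in conn.execute(query, (user, hash_password(password))))


if __name__ == "__main__":
    db = make_db()
    print("honest login, concatenated:", login_vulnerable(db, "bkimminich", "correct horse battery staple"))
    print("injected user, concatenated:", login_vulnerable(db, "' or 1=1--", "1234"))
    print("injected user, bound:       ", login_parameterized(db, "' or 1=1--", "1234"))
```

With the injected user name the concatenated query returns every user_id in the table, i.e. the first row is "logged in" without any password, while the parameterized query returns no row because it looks for a user literally named `' or 1=1--`.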
![Page 17: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/17.jpg)
Typical SQL Injection Attack Patterns I
Bypass Authentication
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1
') or ('1'='1
Source: http://ha.ckers.org/sqlinjection
![Page 18: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/18.jpg)
Typical SQL Injection Attack Patterns II
Spy out Data
' UNION SELECT login, password, 'x' FROM user--
1 UNION SELECT 1,1,1 FROM user--
Manipulate Data
'; UPDATE user SET type = 'admin' WHERE id = 23;--
Manipulate the DB Server
' ;GO EXEC cmdshell('format C') --
Cheat Sheet: http://ha.ckers.org/sqlinjection
Source: http://ha.ckers.org/sqlinjection
![Page 19: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/19.jpg)
Vulnerable Java Examples
Plain SQL via JDBC (note that customerName is not even quoted, so a numeric-looking value is spliced directly into the WHERE clause):

```java
String query = "SELECT account_balance FROM user_data WHERE user_name = "
    + request.getParameter("customerName");
try {
    Statement statement = connection.createStatement(…);
    ResultSet results = statement.executeQuery(query);
}
```

HQL via Hibernate (an ORM query language is an interpreter too, and concatenation is just as injectable):

```java
Query unsafeHQLQuery = session.createQuery(
    "from Inventory where productID='" + userSuppliedParameter + "'");
```
![Page 20: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/20.jpg)
Protection
Avoid Interpreters at all if possible
Use an interface that supports bind variables
For SQL: Prepared Statements
Enforce Least Privileges for the application‘s DB user
Perform White List Input Validation on all user supplied input
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
![Page 21: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/21.jpg)
White List vs. Black List Validation
White List = Positive Security Rule
„Block what is not explicitly allowed!“
Example: Allow only [a-z], [A-Z] and [0-9]
Define once, (almost) never worry again
Can be quite laborious to define for a whole application
Black List = Negative Security Rule
„Allow what is not explicitly blocked!“
Example vs. SQL Injection: Block [-#';]
Example vs. HTML Injection: Block [<>";'script]
Can be bypassed by masking attack patterns
Must be updated for new attack patterns
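The two rule types side by side, as an added example that is not part of the original deck (Python rather than the deck's Java, so it runs stand-alone). The per-field whitelist rules and the parameter names are constructed for the example; the blacklist is the slide's `[-#';]`. The contrast it demonstrates: the whitelist rejects every pattern from the "Attack Patterns" slides simply because they are not alphanumerics, and it fails closed for a field nobody wrote a rule for, whereas the blacklist passes a value such as `1 OR 1=1` that contains none of the listed characters but would still change the unquoted `user_name = ` query on the "Vulnerable Java Examples" slide.

```python
import re

# Positive security rules, one per request parameter (constructed for this example).
# Each pattern describes only what is allowed; fullmatch() makes it cover the whole value.
WHITELIST_RULES = {
    "user": re.compile(r"[a-zA-Z0-9]{1,32}"),     # the slide's [a-z], [A-Z] and [0-9]
    "product_id": re.compile(r"[0-9]{1,10}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),
}

# The slide's negative rule against SQL injection: block [-#';]
SQL_BLACKLIST = re.compile(r"[-#';]")


def whitelist_validate(field, value):
    """Accept only a value that fully matches its field's rule.
    A field without a rule is rejected (fail closed) rather than waved through."""
    rule = WHITELIST_RULES.get(field)
    return rule is not None and rule.fullmatch(value) is not None


def blacklist_validate(value):
    """Reject only values containing a listed character; everything else passes,
    including patterns the list's author did not think of."""
    return SQL_BLACKLIST.search(value) is None


def validate_request(params):
    """Whitelist-validate every parameter of a request; returns the rejected names
    so the caller can refuse the request before any of the values reach an interpreter."""
    return sorted(name for name, value in params.items()
                  if not whitelist_validate(name, value))


if __name__ == "__main__":
    for sample in ["bkimminich", "admin' --", "' or 1=1/*", "1 OR 1=1"]:
        print("%-12r whitelist(user)=%-5s blacklist=%s" % (
            sample, whitelist_validate("user", sample), blacklist_validate(sample)))
```

Validation is a second line of defence on top of bind variables, not a replacement for them: a name field whose legitimate values contain an apostrophe (O'Brien) needs a rule that allows `'`, and then only the prepared statement keeps that apostrophe from becoming SQL.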
![Page 22: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/22.jpg)
Fixed Java Examples
Plain SQL via JDBC

```java
String customerName = request.getParameter("customerName");
// White list validation first. Note that Java assertions are disabled unless the JVM
// runs with -ea, so production code should use an explicit check that throws.
assert CustomerValidator.doesExist(customerName);
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, customerName);   // bound as data, never parsed as SQL
ResultSet results = pstmt.executeQuery();
```

HQL via Hibernate

```java
Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");
safeHQLQuery.setParameter("productId", userSuppliedParameter);
```
![Page 23: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/23.jpg)
Cross-Site Scripting (XSS)
![Page 24: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/24.jpg)
Reflected XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
Diagram: Browser ↔ Server (Web Application, Database). The victim's request carries the payload in the URL; the Web Application (Bug!) reflects it unencoded in the HTML of the website server response.
![Page 25: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/25.jpg)
Persistent XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
Diagram: Browser ↔ Server (Web Application, Database). An initial request stores the payload via the Web Application (Bug!) in the Database; every subsequent victim request receives it in the HTML of the website server response.
![Page 26: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/26.jpg)
XSS Attack Patterns I
Simple Patterns
<SCRIPT>javascript:alert('XSS');</SCRIPT>
<IMG SRC=javascript:alert('XSS')>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Masked / Evasive Patterns
<IMG SRC=javascript:alert("XSS")>
'';!--"<XSS>=&{()}
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
Source: http://ha.ckers.org/xss.html
![Page 27: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/27.jpg)
XSS Attack Patterns II
Masked / Evasive Patterns (continued)
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<b onmouseover=alert('Wufff!')>click me!</b>
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
…
Cheat Sheet: http://ha.ckers.org/xss.html
Source: http://ha.ckers.org/xss.html
![Page 28: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/28.jpg)
XSS Vulnerable Java Example
Scriptlet in Java Server Page (JSP): the request parameter is written into the page verbatim, so any markup in it becomes part of the response.

```jsp
<% String searchCriteria = request.getParameter("searchValue"); %>
<%-- Later on the same or subsequent JSP... --%>
Search results for <b><%= searchCriteria %></b>: ...
```
![Page 29: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/29.jpg)
Protection
Eliminate XSS
Don‘t include user supplied input in your output!
Defend against XSS
Output Encode all user supplied input
Perform White List Input Validation on user input
Use an HTML Sanitizer for larger user supplied HTML chunks
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
![Page 30: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/30.jpg)
Fixed Java Example w/ Encoding
Encoding with Struts Bean Taglib (`bean:write` HTML-encodes the value by default):

```jsp
... Search results for <b><bean:write name="searchCriteria"/></b>: ...
```

Encoding with OWASP Enterprise Security API:

```jsp
... <esapi:encodeForHtml><%= searchCriteria %></esapi:encodeForHtml> ...
```
![Page 31: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/31.jpg)
OWASP Java HTML Sanitizer
Using a simple prepackaged policy

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

private String sanitizeHtml(String html) {
    // Combine the library's predefined policies: inline formatting, block elements, links
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);
    return policy.sanitize(html);
}
```

Defining a customized policy

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
    new HtmlPolicyBuilder()
        .allowCommonInlineFormattingElements()
        .allowCommonBlockElements()
        .allowAttributes("face", "color", "size", "style", "align").onElements("font")
        .allowAttributes("style").onElements("div", "span")
        .allowElements("a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()     // http, https, mailto; no javascript: URLs
        .requireRelNofollowOnLinks()
        .toFactory();
```
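The two XSS defences from the Protection slide, output encoding for plain text and an allowlist sanitizer for user-supplied HTML, as one added example that is not part of the original deck and not the OWASP Java HTML Sanitizer itself. It is written in Python with the standard library so it runs stand-alone: `render_search_results` is the encoded counterpart of the JSP scriptlet above, and `AllowlistSanitizer` re-implements the shape of the FORMATTING + BLOCKS + LINKS policy (allowed tags, allowed attributes, standard URL protocols only, `rel="nofollow"` on links) on top of `html.parser`. The allowlists are constructed for the example; the inputs in the `__main__` block are the patterns from the "XSS Attack Patterns" slides.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


# --- Output encoding: untrusted text placed into element content -------------

def render_search_results(search_criteria):
    """Counterpart of the JSP scriptlet: the search string is HTML-encoded, so
    <, >, &, " and ' reach the browser as text and never as markup."""
    return "Search results for <b>%s</b>:" % html.escape(search_criteria, quote=True)


# --- HTML sanitizing: untrusted HTML that is allowed to keep some formatting --
# Allowlist policy, constructed for this example (positive security rule: anything
# not listed here is dropped).
ALLOWED_TAGS = {"b", "i", "em", "strong", "u", "p", "br", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}   # allowStandardUrlProtocols()
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}             # neither the tag nor its text survives


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0   # > 0 while inside a script/style element

    @staticmethod
    def _safe_url(url):
        # Only absolute URLs with a listed scheme; javascript:, data:, vbscript: and
        # anything unparseable fail closed.
        return urlparse(url.strip()).scheme.lower() in ALLOWED_URL_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return   # unknown element is dropped; its text content is still kept
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue   # event handlers such as onmouseover/onerror never pass
            if name == "href" and not self._safe_url(value):
                continue
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        if tag == "a":
            parts.append('rel="nofollow"')   # requireRelNofollowOnLinks()
        self.out.append("<%s>" % " ".join(parts))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Re-serialise the fragment keeping only allowlisted elements and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(render_search_results("<SCRIPT>alert('XSS')</SCRIPT>"))
    for sample in [
        "<b onmouseover=alert('Wufff!')>click me!</b>",
        '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>',
        '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>',
        '<a href="https://owasp.org" title="OWASP">site</a>',
    ]:
        print(repr(sanitize_html(sample)))
```

The two functions answer different questions: encoding is for values that must never be interpreted as HTML (a search term), sanitizing is for content that legitimately is HTML (a forum post) and is therefore parsed and rebuilt from an allowlist rather than pattern-matched against a blacklist of bad strings.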
![Page 32: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/32.jpg)
Cross-Site Request Forgery (CSRF)
![Page 33: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/33.jpg)
CSRF Attack Explained
Diagram: the victim's Browser is logged in to bank.com (WebApp, Bug!) and visits evil.org (WebApp); labels: Login, 1000$.
Request
GET / HTTP/1.1
Host: www.evil.org
Response
HTTP/1.1 200 OK
...
<html>...<img src="http://bank.com/transfer?to=hacker&amount=1000$"/>...</html>
CSRF-Attack (the browser fetches the image URL and attaches the victim's bank.com session cookie)
GET /transfer?to=hacker&amount=1000$ HTTP/1.1
Host: bank.com
![Page 34: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/34.jpg)
CSRF Attack into Intranet
Diagram: the victim's Browser inside the Intranet (behind the Firewall) is logged in to the WebApp at 192.168.0.1 (Bug!) and visits evil.org (WebApp); labels: Login, Remote Access.
Request
GET / HTTP/1.1
Host: www.evil.org
Response
HTTP/1.1 200 OK
...
<html>...<img src="http://192.168.0.1/admin?setAccessMode=remote&resetPassword"/>...</html>
CSRF-Attack (issued by the browser from inside the intranet, where the firewall does not apply)
GET /admin?setAccessMode=remote&resetPassword HTTP/1.1
Host: 192.168.0.1
![Page 35: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/35.jpg)
Protection
Add a secret, not automatically submitted, token to all sensitive requests
This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application)
Tokens should be cryptographically strong or random
Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
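The token mechanism from the Protection slide applied to the bank.com transfer from the diagrams, as an added example that is not part of the original deck (Python, standard library only, so it runs stand-alone). `Session`, the form markup, the `/transfer` handler and the balances are constructed for the example. It shows the property the slide relies on: the session cookie is sent by the browser automatically, even for a request triggered from evil.org, but the hidden-field token is not, and evil.org cannot read it from a bank.com page without an XSS hole there.

```python
import hmac
import html
import secrets


class Session:
    """Stand-in for the server-side session that bank.com's session cookie refers to
    (constructed). The browser attaches that cookie to every request to bank.com,
    including requests that a page on evil.org causes it to send."""

    def __init__(self, balance):
        self.balance = balance
        self.csrf_token = None


def csrf_token_for(session):
    """One unpredictable token per session, generated from the OS CSPRNG."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def transfer_form(session):
    """Form bank.com serves to its logged-in user. The token sits in a hidden field:
    the browser does not add it on its own, and a page on another origin cannot read it."""
    token = html.escape(csrf_token_for(session), quote=True)
    markup = (
        '<form method="post" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input name="to"><input name="amount"><button>Transfer</button>'
        "</form>"
    )
    return markup % token


def handle_transfer(session, form):
    """Server side of POST /transfer: the session comes from the cookie, the token
    must come from the submitted form. Returns (status, message) like an HTTP handler."""
    expected = session.csrf_token
    supplied = form.get("csrf_token", "")
    # compare_digest runs in constant time, so response timing does not leak the token
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "CSRF token missing or invalid"
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return 400, "invalid amount"
    if amount <= 0 or amount > session.balance:
        return 400, "invalid amount"
    session.balance -= amount
    return 200, "transferred %d$ to %s" % (amount, form.get("to", ""))


if __name__ == "__main__":
    victim = Session(balance=1000)
    transfer_form(victim)   # the user opened the real form once; the token now exists
    # Genuine submission from bank.com's own form: cookie + token
    print(handle_transfer(victim, {"csrf_token": victim.csrf_token, "to": "alice", "amount": "100"}))
    # Request caused by evil.org: the cookie is there, the token is not
    print(handle_transfer(victim, {"to": "hacker", "amount": "1000"}))
    print("balance:", victim.balance)
```

The slide's `<img src="http://bank.com/transfer?...">` would never reach the balance change here: the transfer is only accepted on a form submission that carries the token, which the forged request cannot supply. As the slide also notes, the protection stands or falls with the absence of XSS on bank.com, since injected script there could read the token out of the form.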
![Page 36: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/36.jpg)
CSRF + XSS =
What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?
[img]http://forum.com/logout.do[/img]
![Page 37: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/37.jpg)
Securing Web Applications
![Page 38: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/38.jpg)
Network Security = Useless?!
Diagram: Network Security (Firewall, IDS, IPS) in front of the Server's WebApp. Malicious requests pass through the network layer, exploit vulnerabilities and compromise the application.
![Page 39: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/39.jpg)
Security Scanners
Diagram: Network Security (Firewall, IDS, IPS) in front of the Server's WebApp. A Blackbox Scanner / Penetration Test probes the running WebApp from outside; a Whitebox Scanner / Code Analysis examines the Web App Sourcecode; both lead to Fix + Patch Application.
New security holes might be introduced during ongoing development and bugfixing!
![Page 40: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/40.jpg)
Web Application Firewall (WAF)
Diagram: Network Security (Firewall, IDS, IPS) and a WAF in front of the Server's WebApp. The WAF is driven by Guidelines, a Ruleset (Whitelist, Blacklist) and Heuristics.
Defines legal/illegal requests
Rejects illegal requests
Sometimes rejects legitimate requests („False Positives“) or fails to recognize illegal requests („False Negatives“)
![Page 41: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/41.jpg)
Hacking Homework
![Page 42: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/42.jpg)
The Voice of Rea§on™
Do not perform any attacks on servers, networks and applications…
…you do not own and operate yourself… or have the owner’s permission to pentest
![Page 43: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/43.jpg)
The Target: BodgeIT Store
Source: http://code.google.com/p/bodgeit/
![Page 44: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/44.jpg)
Installing BodgeIt
Download latest version: http://code.google.com/p/bodgeit/downloads/list
Unzip bodgeit.war into /webapps of an existing Servlet Engine, e.g. Tomcat, Jetty, …
Launch your Server
Browse to the BodgeIt Store, e.g. http://localhost:8080/bodgeit
Source: http://code.google.com/p/bodgeit/
![Page 45: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/45.jpg)
Let the Hacking begin!
Try to pass as many challenges as possible!
No Scanners! No Cheating! No Decompilers!
Source: http://code.google.com/p/bodgeit/
![Page 46: Web Application Security Introduction](https://reader035.fdocuments.us/reader035/viewer/2022081505/554ba371b4c905b3618b4c6d/html5/thumbnails/46.jpg)
Thank You…
…for your attention!
For more details, exercises and the seven remaining OWASP Top 10
check out my Web Application Security Training Workshop slides:
http://slideshare.net/BjrnKimminich/web-application-security-21684264