Web Security Group 5 – Adam Swett, Brian Marco
Why Web Security?
Web sites and web applications constantly growing
Complex business applications are now delivered over the web
Increased “web hacking” activity
Web worms (Samy)
Firewalls?
Difficulties In Traditional Hacking
Modern networks more secure
Firewalls being used in all network rollouts
OS vendors patching holes quickly
Increased maturity in coding
Lab Sections
SQL Injection
– Basic
– Blind
Cross Site Scripting (XSS)
– Basics
– Cookie Stealing
– Java Scripting
Default Pages
CGI Vulnerabilities
– Vulnerable Scripts
– Nikto
SQL Injection
Exploits a security vulnerability present in the database layer of an application
– With errors
– Blind
– Automated
Cross Site Scripting
SecurityFocus cataloged over 1,400 issues.
WhiteHat Security has identified over 1,500 in custom web applications. 8 in 10 websites have XSS.
Tops the Web Hacking Incident Database (WHID)
Cross Site Scripting
Cookie Stealing
– One of the most common uses of XSS
– Allows you to impersonate someone
Can Lead To Session Hijacking
– HTTP is stateless
– Only verifies at the beginning of session
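The cookie-stealing risk above is mitigated in two places: the HTML output, where untrusted input must be encoded, and the cookie itself, which should be unreadable from script. As an added example (not from the slides), this Node.js snippet renders the same page unsafely and safely and builds a hardened Set-Cookie header; the function names and the sample input are assumptions.

```javascript
// Encode the five characters that let attacker-controlled text change the
// HTML structure or break out of an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Vulnerable: the request parameter is concatenated straight into the page,
// so a <script> element in it runs in the visitor's browser.
function renderGreetingUnsafe(name) {
  return `<h1>Hello, ${name}</h1>`;
}

// Hardened: the same page with the parameter encoded before it enters HTML.
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Set-Cookie header for a session id. HttpOnly keeps document.cookie from
// exposing it to injected script, Secure keeps it off plaintext HTTP, and
// SameSite=Strict stops the browser attaching it to cross-site requests.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("session id must be an opaque token");
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Crude check used only to show the difference between the two renderings.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input (the textbook XSS probe); never parsed by a
// browser here, it only flows through the two renderers.
function demo() {
  const input = "<script>alert(document.cookie)</script>";
  return {
    unsafe: renderGreetingUnsafe(input),   // raw <script> survives
    safe: renderGreetingSafe(input),       // becomes &lt;script&gt;
    cookie: sessionCookieHeader("s3ss10n-t0k3n"),
  };
}

console.log(demo());
```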
Cross Site Scripting
Java Script
– Can be written by anyone and executed on any computer over the web
– Most people have Java Script enabled, making it very dangerous
Cross Site Scripting
Java Script Examples
– Black hat search engine optimization (SEO)
– Click-fraud
– Distributed Denial of Service
– Force access of illegal content
– Hack other websites (IDS sirens)
– Distributed email spam (Outlook Web Access)
– Distributed blog spam
– Vote tampering
– De-anonymize people
– etc.
Default Pages
Careless hosting
Gives the ability to browse and retrieve a complete directory on the web server
Happens when the default page is missing
Not-so-strict web server configuration
CGI Vulnerabilities
A number of widely distributed CGI scripts contain known security holes
Finding the scripts and exploiting them can be time consuming
Usually well documented on the web
Some can be worth it
CGI Vulnerabilities
nph-test-cgi
– Script included with all old versions of Apache web server
– Allows user to view all files on the computer
Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).