Presentation on Web Attacks

Post on 23-Feb-2017


By: Vivek Sinha Anurag

Agenda

• OWASP Top-5 Attacks
▫ Injection Attacks (SQLi, XPath Injection, Command Injection)
▫ XSS
▫ Broken Authentication & Authorization (Session Management Flaws)
▫ CSRF
▫ Sensitive Data Exposure (PII, PCI, SSL)

• Slow Attacks
▫ Slow Read
▫ Slow GET
▫ Slow POST

Injection Attacks

• SQLi
• XPath Injection
• Command Injection

SQL Injection

• It is a code injection technique used to attack data-driven apps, in which malicious SQL statements are inserted into an entry field for execution.
• Example: submitting ‘ or ‘1’=‘1 as the username or password when the query is built by string concatenation:
  select * from Users where (username = 'submittedUser' and password = 'submittedPassword');

• Prevention
▫ Sanitizing inputs
▫ Using escape characters
▫ Using parameterized queries
▫ Using stored procedures
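The two queries below are an added example (not from the presentation) that puts the slide's concatenated query beside its parameterized form, using an in-memory SQLite table with constructed sample data. The login functions and the `Users` table contents are assumptions made for the demonstration; the payload is the one the slide shows.

```python
import sqlite3


def make_db():
    # Constructed sample table so the example runs offline; one known user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query from the slide, built by string concatenation: quotes supplied by
    # the client become part of the SQL grammar instead of part of a value.
    sql = ("select * from Users where (username = '" + username +
           "' and password = '" + password + "');")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Same query with bound parameters: the driver sends the values separately
    # from the statement, so ' or '1'='1 is compared as a literal string and the
    # WHERE clause keeps the shape the developer wrote.
    sql = "select * from Users where (username = ? and password = ?);"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"   # straight-quote form of the slide's payload
    print("vulnerable:", login_vulnerable(conn, payload, payload))      # True
    print("parameterized:", login_parameterized(conn, payload, payload))  # False
```

With the payload in both fields the concatenated query becomes `username = '' or '1'='1' and password = '' or '1'='1'`, whose trailing `or '1'='1'` is always true, so the first row is returned and the login succeeds; the parameterized version returns no row. Escaping and stored procedures (the slide's other two options) only help if every query path uses them; parameterization is the one that removes the concatenation itself.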

XPath Injection
• Similar to SQLi, this is a technique where the attacker manipulates the input data to extract the desired information from the XML document in which the data is stored. Malformed data is provided in the input.
• Eg: ‘ or ‘1’=‘1 in USER/PASS

• Prevention
▫ Using a parameterized XPath interface
▫ Escaping the input characters
▫ Using precompiled XPath queries

Command Injection
• It is a technique to inject and execute OS commands specified by an attacker in the vulnerable app.
• In most cases it is possible due to a lack of input data validation, which the attacker can exploit.
• Prevention:
▫ Always validate the input data
▫ Run the app with the minimum permissions possible
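As an added example (not part of the presentation), the code below applies the slide's first prevention point to a typical case, a host name that a web app passes to a command-line tool. The hostname allowlist, the function names and the choice of `ping` are assumptions for the demonstration; the point is that validation happens before the value reaches any command, and that the command is built as an argument list rather than a shell string.

```python
import re
import subprocess

# Allowlist for a hostname (RFC 1123 labels, at most 253 characters). \A and \Z
# are used instead of ^ and $ so a trailing newline cannot slip past the check.
HOSTNAME_RE = re.compile(
    r"\A(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)


def is_valid_hostname(value: str) -> bool:
    # Positive validation: accept only what a hostname may contain. Shell
    # metacharacters (; | & $ ` and whitespace) are not in the set, so they are
    # rejected without needing a blocklist.
    return bool(HOSTNAME_RE.match(value))


def build_ping_vulnerable(host: str) -> str:
    # Vulnerable pattern: untrusted input glued into one string that a shell will
    # parse, so a value like "example.com; id" turns into two commands.
    return "ping -c 1 " + host


def build_ping_safe(host: str) -> list:
    # Hardened pattern: validate, then build an argv list. The list is handed to
    # the OS without a shell, so the host is always exactly one argument.
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    # Convenience for callers that want a boolean rather than an exception.
    try:
        build_ping_safe(host)
    except ValueError:
        return True
    return False


def run_ping_safe(host: str) -> int:
    # shell=False is the default: argv goes straight to the process, no shell.
    return subprocess.run(build_ping_safe(host), check=False).returncode


if __name__ == "__main__":
    for candidate in ["example.com", "8.8.8.8", "example.com; id", "$(whoami).com"]:
        print("%-20s valid=%s" % (candidate, is_valid_hostname(candidate)))
```

The slide's second point, running with minimum permissions, is what limits the damage when validation is missed somewhere: a process that runs as an unprivileged service account cannot turn an injected command into a host compromise.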

XSS Attacks
• Persistent
▫ It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
• Non-Persistent
▫ It occurs when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
• DOM based
▫ The attack payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script.

XSS Attacks
• Prevention
▫ Escaping/encoding of string input
▫ Safely validating untrusted HTML input
▫ Whitelist/blacklist based HTML tags
▫ Disabling scripts
▫ Implementation of cookies with additional parameters, like IP
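An added example (not from the presentation) of the first three prevention points: output encoding for plain text, and a whitelist-based sanitizer for the cases where some HTML must be allowed. The allowed-tag set and the sanitizer class are assumptions chosen for the demonstration; it keeps only a handful of formatting tags, drops every attribute (which removes `on*` handlers and `javascript:` URLs), and discards `<script>` and `<style>` contents entirely.

```python
import html
from html.parser import HTMLParser

# Whitelist of tags user-supplied rich text may keep; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}          # tags that take no closing tag
DROP_CONTENT = {"script", "style"}  # tag AND its text content are removed


def escape_for_html(untrusted: str) -> str:
    # Output encoding: the value is rendered as text, never parsed as markup.
    # quote=True also encodes " and ' so the value is safe inside attributes.
    return html.escape(untrusted, quote=True)


class WhitelistSanitizer(HTMLParser):
    """Rebuilds markup from scratch using only whitelisted tags, no attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._drop_depth += 1
        elif tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)   # attributes deliberately discarded
        # any other tag is dropped, but its text content is kept (see handle_data)

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:              # e.g. <br/>
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self._drop_depth:
                self._drop_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped on the way out, so entities decoded by the parser
        # cannot reintroduce markup.
        if self._drop_depth == 0:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(untrusted: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    sample = '<b onmouseover="x">hi</b><script>alert(1)</script>'  # constructed input
    print(escape_for_html(sample))
    print(sanitize_html(sample))   # <b>hi</b>
```

Escaping is the default choice and covers the stored and reflected cases on the slide; the sanitizer is only for fields that genuinely need formatting. This one does not check that tags are balanced, so a maintained library (DOMPurify in the browser, bleach or a similar server-side sanitizer) is the right tool for production; the point here is the whitelist design, which fails closed for any tag or attribute it does not know.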

Broken Auth
OWASP Definition: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
• Broken Authentication
• Broken Authorization
• Session Management Flaws

Broken Auth
• Protection:
▫ Password change controls
▫ Password strength
▫ Password expiration
▫ Password storage
▫ Protection in transit
▫ Avoid cookieless sessions
▫ Avoid homegrown authentication schemes
▫ Look into the IP/location/browser/OS combination
▫ Always have a unique session ID bound to the IP
▫ Double-check the password on certain activity
▫ Expire sessions early
▫ Don’t forget the logout button [which should destroy the server/client session]
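The session store below is an added example (not the presentation's code) that implements four of the points above in one place: a unique random session ID, binding of the session to the client IP, early expiry (idle and absolute), and a logout that destroys the server-side record. The class, its timeouts and the injectable clock are assumptions for the demonstration.

```python
import secrets
import time


class SessionStore:
    """In-memory session table (constructed for this example).

    Every session ID comes from the OS CSPRNG, is tied to the IP that created it,
    expires after an idle timeout and an absolute lifetime, and is removed on
    logout. Any failed check destroys the session rather than leaving it usable.
    """

    def __init__(self, idle_timeout=900, absolute_lifetime=8 * 3600, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout          # seconds without a request
        self.absolute_lifetime = absolute_lifetime  # seconds since login
        self._clock = clock                       # injectable for testing

    def create(self, user, ip):
        # 32 random bytes (256 bits), URL-safe; never a counter or a user-derived value.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "ip": ip, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid, ip):
        """Return the user for a valid session, or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (ip != s["ip"]
                or now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.absolute_lifetime):
            self.logout(sid)   # IP mismatch or expiry: destroy, do not just deny
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        # Server-side destruction; the client cookie alone being cleared is not enough.
        self._sessions.pop(sid, None)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    sid = store.create("alice", "203.0.113.5")     # constructed client IP
    print(store.resolve(sid, "203.0.113.5"))      # alice
    print(store.resolve(sid, "198.51.100.9"))     # None: different IP, session destroyed
```

Binding to the IP is the slide's recommendation; in practice it breaks legitimate users behind mobile carriers or changing proxies, so many deployments instead record the IP/browser/OS combination (another point on the slide) and treat a change as a signal to re-authenticate rather than an automatic failure.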

CSRF (Cross Site Request Forgery)
OWASP Definition: A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

CSRF
[Diagram: a page on Someblog.net triggers the request https://bank.com/fn?param=1, sent with the victim's session cookie JSESSIONID=AC934234…, to Somebank.net]

CSRF Prevention
• Captcha
• Re-Authentication
▫ Password based
▫ One-time token
• Unique Request Tokens
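An added example (not from the presentation) of the last point, unique request tokens, applied to the `/fn` request from the diagram. The token is an HMAC over the session ID and the form it protects, so it is worthless outside that session and cannot be produced by a page on another origin, which only gets the browser to attach the cookie. The server secret, the request dictionary layout and the handler are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed at import for this example; a real deployment loads it from config
# and keeps it out of source control.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, form_action: str, secret: bytes = SERVER_SECRET) -> str:
    # Bound to the session and to the specific form, so a token leaked from one
    # form cannot be replayed against another.
    msg = (session_id + "\0" + form_action).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, form_action: str, presented,
                      secret: bytes = SERVER_SECRET) -> bool:
    if not isinstance(presented, str) or not presented:
        return False
    expected = issue_csrf_token(session_id, form_action, secret)
    # Constant-time comparison; a plain == would leak the token byte by byte.
    return hmac.compare_digest(expected, presented)


def handle_transfer(request: dict, secret: bytes = SERVER_SECRET) -> str:
    """Constructed request shape: {'cookies': {...}, 'form': {...}}.

    Returns an outcome label instead of an HTTP response object.
    """
    sid = request.get("cookies", {}).get("JSESSIONID")
    if not sid:
        return "401 not logged in"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(sid, "/fn", token, secret):
        return "403 csrf check failed"
    return "200 ok"


if __name__ == "__main__":
    sid = "sess-constructed-123"
    token = issue_csrf_token(sid, "/fn")   # embedded in the bank's own form
    legit = {"cookies": {"JSESSIONID": sid}, "form": {"param": "1", "csrf_token": token}}
    # What arrives when Someblog.net triggers the request: cookie yes, token no.
    forged = {"cookies": {"JSESSIONID": sid}, "form": {"param": "1"}}
    print(handle_transfer(legit))   # 200 ok
    print(handle_transfer(forged))  # 403 csrf check failed
```

The token must be carried in the request body or a custom header, never in a cookie alone, because the cookie is exactly what the forged request already has. The captcha and re-authentication options on the slide work on the same principle: they require something the attacker's page cannot supply.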

Sensitive Data Exposure
• PII (Personally Identifiable Information)
▫ Sensitive and non-sensitive PII
• PCI Compliance
▫ It assures that the credit card (CC) data is secured
• SSL
▫ Always use strong ciphers and disable renegotiation
▫ Make sure that the private key is always secured.

PCI
• Requirements
▫ Build and Maintain a Secured Network: firewalls, don’t use default passwords
▫ Protect Cardholder Data: protect the stored data, encrypt the data while transmitting it
▫ Maintain a Vulnerability Management Program: updated antivirus, develop/maintain secure systems and apps
▫ Implement Strong Access Control Measures: restricted access, unique IDs for the people who have access, restrict physical access
▫ Regularly Monitor and Test Networks: track and monitor all access, regularly test security systems
▫ Maintain an Information Security Policy: maintain a policy to address information security

Slow Attacks
• Slow Read
• Slow GET
• Slow POST

Difficult to detect. Can be used from a single computer. Can bypass traditional WAFs.

Slow Read
• Attacker creates multiple connections to the server
• Advertises that the receiving window size is very small
• Keeps the connection open for a very long time
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest

Slow GET
• Attacker creates multiple connections to the server
• Sends GET requests at a very slow rate
• Server keeps waiting for completion of the headers
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest, Slowloris

Slow POST
• Attacker creates multiple connections to the server
• Sends the headers and advertises a fixed content length
• Sends the POST body at a very slow rate
• Server keeps waiting for completion of the POST body
• Uses all the connections, causing DoS
• Tools used: SlowHttpTest, RUDY

Slow Attacks - Protection
• Drop connections whose HTTP method is not supported by the URL
• Limit the header and message body to a minimal reasonable length
• Set an absolute connection timeout, if possible
• Try to maximize the server's max number of connections
• Define a minimum incoming data rate
• Define a max number of concurrent connections from the same IP
• Blacklist the known attack user-agents [Slowloris uses *MSIE*MSOffice 12*]
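As an added example (not part of the presentation), the policy checker below models four of the protections above so their interaction can be seen on constructed connection events: an absolute connection timeout, a minimum incoming data rate, a per-IP concurrency cap, and the user-agent blacklist with the pattern the slide gives for Slowloris. Real servers apply these via their own settings (for example Apache's mod_reqtimeout or nginx's client_header_timeout/client_body_timeout/limit_conn); the class, its thresholds and the injectable clock are assumptions for the demonstration.

```python
import fnmatch
import time

# User-agent patterns to reject outright; the first is the one the slide lists.
BLOCKED_USER_AGENTS = ["*MSIE*MSOffice 12*"]


def is_blocked_user_agent(user_agent: str) -> bool:
    return any(fnmatch.fnmatchcase(user_agent, pat) for pat in BLOCKED_USER_AGENTS)


class SlowConnectionGuard:
    """Tracks open connections and says when one should be dropped.

    on_open() enforces the per-IP concurrency cap, on_data() records bytes
    received, and check() returns a drop reason (or None) based on the absolute
    timeout and the minimum data rate. rate_grace gives a new connection a few
    seconds before the rate is judged, so a legitimate first packet is not
    penalised by a 0-byte average.
    """

    def __init__(self, absolute_timeout=30.0, min_rate_bps=500.0, rate_grace=5.0,
                 max_per_ip=20, clock=time.monotonic):
        self.absolute_timeout = absolute_timeout
        self.min_rate_bps = min_rate_bps
        self.rate_grace = rate_grace
        self.max_per_ip = max_per_ip
        self._clock = clock
        self._conns = {}    # conn_id -> {"ip", "opened", "bytes"}
        self._per_ip = {}   # ip -> number of open connections

    def on_open(self, conn_id, ip):
        """Register a connection; returns a reason string if it must be refused."""
        if self._per_ip.get(ip, 0) >= self.max_per_ip:
            return "too many concurrent connections from %s" % ip
        self._conns[conn_id] = {"ip": ip, "opened": self._clock(), "bytes": 0}
        self._per_ip[ip] = self._per_ip.get(ip, 0) + 1
        return None

    def on_data(self, conn_id, nbytes):
        self._conns[conn_id]["bytes"] += nbytes

    def check(self, conn_id):
        """Return why the connection should be dropped now, or None to keep it."""
        c = self._conns[conn_id]
        age = self._clock() - c["opened"]
        if age > self.absolute_timeout:
            return "absolute connection timeout"
        if age > self.rate_grace and c["bytes"] / age < self.min_rate_bps:
            return "below minimum incoming data rate"
        return None

    def on_close(self, conn_id):
        c = self._conns.pop(conn_id, None)
        if c is not None:
            self._per_ip[c["ip"]] -= 1

    def active(self):
        return len(self._conns)


if __name__ == "__main__":
    now = [0.0]                      # fake clock so the demo is deterministic
    guard = SlowConnectionGuard(clock=lambda: now[0])
    guard.on_open("c1", "203.0.113.7")   # constructed client IP
    guard.on_data("c1", 100)             # 100 bytes of headers, then silence
    now[0] = 10.0
    print(guard.check("c1"))             # below minimum incoming data rate
```

The minimum data rate is the check that catches all three variants on the slide, because a slow GET, a slow POST body and a slow read all look the same from the server's side: a connection that stays open while almost nothing arrives. The absolute timeout is the backstop for the cases the rate check misses, and the per-IP cap limits what a single machine can consume, which is why the slide notes these attacks need only one computer.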

Questions?

Thanks