Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications
Ray Lai, Intuit
TS-5358
2008 JavaOneSM Conference | java.sun.com/javaone | 2
Goal: share experience of how to detect and defend against security vulnerabilities in Web 2.0 applications using open source security tools.
Agenda
• Detect
• Defend
• Learn
Which is Easier to Hack?
Web 1.0 App, top 3 security vulnerabilities:
• Unvalidated input parameters
• Broken access control
• Broken authentication and session management
Web 2.0 App, top 3 security vulnerabilities:
• Cross-site scripting
• Injection flaw
• Malicious file execution
Google finds 2M suspicious sites
Note: Single loss expectancy - $690 per incident, Average annual loss $350,424 (CSI 2007)
What’s New About Web 2.0 Security?
OWASP 2007 Top 10 (with the slide’s “+” rating), followed by Web 2.0 examples:
• Cross-site scripting (+++): Flash, cross-site flashing
• Injection flaws (++++): AJAX, mash-up
• Malicious file execution (+++)
• Insecure direct object reference (+): JavaScript™ Object Notation (JSON)
• Cross-site request forgery (+++): Flash
• Information leakage / improper error handling (+++++): AJAX, JSON
• Broken authentication and session management (++++): Cross-domain, mash-up
• Insecure cryptographic storage (+)
• Insecure communications (++)
• Failure to restrict URL access (++)
http://www.owasp.org/index.php/Top_10_2007
Use Case Scenario
Use Open Source / commercial security tools to examine WebGoat (and Roller) from SecuriBench
http://suif.stanford.edu/~livshits/securibench/intro.html
Example #1: Post-Me
Characteristics
• Plain data input screen
• No sensitive personal data
• High usage, high traffic
Scenarios: newsgroup, forum, blogs, etc.
How can I re-direct readers to my malicious website?
Example #1: What’s the Issue?
What happens: the attacker posts a message containing a hidden image whose URL carries the parameters of a state-changing request on the target site:
<IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" />
Cross-site Request Forgery
Result: when a logged-in reader opens the posting, the browser fetches the image URL and attaches the reader’s own session cookie to that request, so the transfer executes with the reader’s authority and the reader never notices the 1x1 image (cross-site request forgery). The server cannot tell this forged request from one the reader made deliberately unless the request carries something the attacker could not have known, such as a per-session token.
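The forgery and the check that stops it, as an added Python example (not code from the talk or from WebGoat): an in-memory transfer handler is exercised first in a vulnerable form that honours any request carrying a valid session cookie, then in a hardened form that requires a POST carrying the session’s synchronizer token. The reader’s browser is simulated by a small stand-in that fetches every <img src> in the posting with the reader’s cookie attached. The session store, the balances, the forum text around the image and the handler names are constructed for this demonstration.

```python
import hmac
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed state for the demonstration: one logged-in reader ("alice") and her balance.
SESSIONS = {"victim-cookie": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
BALANCES = {"alice": 5000}

# The posting from the slide, wrapped in some innocuous forum text (constructed).
MALICIOUS_POST = (
    "<p>Great tip, thanks!</p>"
    '<IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" />'
)


def transfer_vulnerable(method, url, cookie, form=None):
    """Before: any request carrying a valid session cookie is honoured, GET included.
    The server cannot tell a click in its own UI from an image fetch triggered by a posting."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    params = parse_qs(urlparse(url).query)
    amount = int(params.get("transferFunds", ["0"])[0])
    BALANCES[session["user"]] -= amount
    return 200


def transfer_hardened(method, url, cookie, form=None):
    """After: a state change needs a POST that carries the session's synchronizer token.
    A forged <img> can only produce a GET, and a page on another origin cannot read the
    token to put it in a hidden form, so the transfer never runs."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    if method != "POST":
        return 405
    form = form or {}
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    amount = int(form.get("transferFunds", "0"))
    if amount <= 0 or amount > BALANCES[session["user"]]:
        return 400
    BALANCES[session["user"]] -= amount
    return 200


class ImgSrcCollector(HTMLParser):
    """Collects every <img src> in a posting (HTMLParser lower-cases tag and attribute names)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def reader_views_post(post_html, handler, cookie="victim-cookie"):
    """Stand-in for the reader's browser: it fetches every image it sees and, like a real
    browser, automatically attaches the reader's session cookie to each request."""
    collector = ImgSrcCollector()
    collector.feed(post_html)
    return [handler("GET", src, cookie) for src in collector.srcs]


def run_demo():
    """Replays the posting against both handlers and returns what an auditor would log."""
    BALANCES["alice"] = 5000
    vuln_status = reader_views_post(MALICIOUS_POST, transfer_vulnerable)
    vuln_balance = BALANCES["alice"]

    BALANCES["alice"] = 5000
    hard_status = reader_views_post(MALICIOUS_POST, transfer_hardened)
    hard_balance = BALANCES["alice"]

    # A genuine transfer from the bank's own page still works: POST plus the session token.
    token = SESSIONS["victim-cookie"]["csrf_token"]
    legit_status = transfer_hardened("POST", "/transfer", "victim-cookie",
                                     {"csrf_token": token, "transferFunds": "100"})
    return {
        "vulnerable": (vuln_status, vuln_balance),        # ([200], 1000): 4000 gone
        "hardened": (hard_status, hard_balance),          # ([405], 5000): forged GET refused
        "legitimate": (legit_status, BALANCES["alice"]),  # (200, 4900)
    }


if __name__ == "__main__":
    print(run_demo())
```

The method check alone is not a sufficient control: an attacker can also auto-submit a hidden POST form from another origin, which is why the token is the part that actually stops the forgery. The token must be unpredictable per session and compared in constant time, as above.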
Example #2: Online Travel
Scenarios: online travel service, mash-up
Characteristics
• AJAX with JSON
• Financial transactions
• Mash-up, possibly
Can I change the price?
Example #2: What’s the Issue?
What happens: the attacker intercepts the JSON that carries the quoted price (for example with a local proxy), tampers with it, and posts the modified document back to the server.
JSON Poisoning
{
  "From": "Boston",
  "To": "Seattle",
  "flights": [
    {"stops": "0", "transit": "N/A", "price": "$0"},
    {"stops": "2", "transit": "Newark,Chicago", "price": "$900"}
  ]
}
Result: the attacker pays $0, because the server bills the price that came back from the client instead of the price it quoted.
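Recomputing the charge on the server side, as an added Python example (not code from the talk): the slide’s JSON carries no identifier the server could use to look its own quote up again, so the example adds a fare_id field; the fare table, the $650 nonstop price and the function names are constructed. The vulnerable path bills the price string found in the submitted JSON; the hardened path uses the JSON only to select a fare and takes the amount from the server-side record, and a separate check flags a submitted price that disagrees with the server’s as tampering worth logging.

```python
import json
from decimal import Decimal

# Constructed server-side fare table: the prices the server itself quoted, keyed by an
# opaque fare id that the server includes in the quote it sends to the browser.
FARES = {
    "BOS-SEA-NONSTOP": Decimal("650"),
    "BOS-SEA-2STOP": Decimal("900"),
}

# The quote as the server sent it: the slide's JSON plus a fare_id per flight and a
# constructed $650 nonstop fare (the slide shows the already-tampered $0).
SERVER_QUOTE = json.dumps({
    "From": "Boston", "To": "Seattle",
    "flights": [
        {"fare_id": "BOS-SEA-NONSTOP", "stops": "0", "transit": "N/A", "price": "$650"},
        {"fare_id": "BOS-SEA-2STOP", "stops": "2", "transit": "Newark,Chicago", "price": "$900"},
    ],
})


def honest_booking(quote_json, flight_index=0):
    """What the real page submits: the chosen flight object, unchanged."""
    quote = json.loads(quote_json)
    return json.dumps({"From": quote["From"], "To": quote["To"],
                       "flight": quote["flights"][flight_index]})


def attacker_tampers(quote_json, flight_index=0, new_price="$0"):
    """What the intercepting proxy does: pick a flight, rewrite its price, submit that."""
    quote = json.loads(quote_json)
    flight = quote["flights"][flight_index]
    flight["price"] = new_price
    return json.dumps({"From": quote["From"], "To": quote["To"], "flight": flight})


def charge_vulnerable(booking_json):
    """Before: the server bills whatever price string came back in the JSON."""
    booking = json.loads(booking_json)
    return Decimal(booking["flight"]["price"].lstrip("$"))


def charge_hardened(booking_json):
    """After: the submitted JSON only selects a fare; the amount comes from the server's
    own record. Type checks reject structurally wrong input before any field is used."""
    booking = json.loads(booking_json)
    flight = booking.get("flight") if isinstance(booking, dict) else None
    if not isinstance(flight, dict):
        raise ValueError("malformed booking: no flight object")
    fare_id = flight.get("fare_id")
    if not isinstance(fare_id, str) or fare_id not in FARES:
        raise ValueError("unknown fare id")
    return FARES[fare_id]


def price_mismatch(booking_json):
    """Detection: a client-supplied price that disagrees with the server fare is evidence
    of tampering worth logging, even though the hardened path never bills that price."""
    booking = json.loads(booking_json)
    flight = booking.get("flight", {})
    submitted = flight.get("price", "")
    server_price = FARES.get(flight.get("fare_id"))
    if server_price is None or not isinstance(submitted, str) or not submitted.startswith("$"):
        return True
    try:
        return Decimal(submitted[1:]) != server_price
    except ArithmeticError:  # decimal.InvalidOperation on garbage such as "$abc"
        return True


if __name__ == "__main__":
    tampered = attacker_tampers(SERVER_QUOTE)
    print("vulnerable bills:", charge_vulnerable(tampered))   # 0
    print("hardened bills:", charge_hardened(tampered))       # 650
    print("tampering detected:", price_mismatch(tampered))    # True
```

Client-side validation and JavaScript obfuscation do not help against this attacker, who edits the message after it has left the browser; only the server-side lookup decides what is billed, and the mismatch check turns each attempt into a log entry that detection can act on.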
Example #3: Change Password
Scenarios: online services, mash-up
Characteristics
• SOAP-based Web services
• Perhaps mash-up
• HTTP or HTTPS, depends
Can I change somebody’s password?
Example #3: What’s the Issue?
SOAP Injection
What happens: the attacker starts a legitimate change-password request, intercepts the SOAP message, tampers with the id (or password) element, and posts the modified message.
Result: the attacker changes someone else’s password and keeps the account for future access. The service acts on the user id carried in the message body rather than on the identity of the authenticated caller.
<?xml version='1.0' encoding='UTF-8'?>
…
<wsns0:Body>
  <wsns1:changePassword>
    <id xsi:type='xsd:int'>101</id>
    <password xsi:type='xsd:string'>bar</password>
  </wsns1:changePassword>
</wsns0:Body>
</wsns0:Envelope>
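Binding the operation to the authenticated caller and rejecting replays, as an added Python example (not code from the talk): the service namespace urn:example:accounts, the nonce element, the user store, the user names and the function names are constructed, since the slide elides the envelope header; the SOAP 1.1 envelope namespace is the standard one. The vulnerable handler changes the password of whatever id the message body names; the hardened handler requires a fresh nonce (the “use of nonce” defence) and refuses any id other than the authenticated session’s.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:accounts"  # assumed service namespace; the slide does not show it

# Constructed user store and the set of nonces already accepted.
USERS = {101: {"name": "alice", "password": "alice-old"},
         102: {"name": "bob", "password": "bob-old"}}
SEEN_NONCES = set()


def build_request(user_id, new_password, nonce):
    """The message the client sends (mirrors the slide, plus a nonce element).
    escape() keeps a password containing < or & from breaking or injecting into the XML."""
    return (
        "<?xml version='1.0' encoding='UTF-8'?>"
        f'<wsns0:Envelope xmlns:wsns0="{SOAP_NS}" xmlns:wsns1="{SVC_NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
        "<wsns0:Body><wsns1:changePassword>"
        f"<id xsi:type='xsd:int'>{int(user_id)}</id>"
        f"<password xsi:type='xsd:string'>{escape(new_password)}</password>"
        f"<nonce xsi:type='xsd:string'>{escape(nonce)}</nonce>"
        "</wsns1:changePassword></wsns0:Body></wsns0:Envelope>"
    )


def attacker_retargets(envelope_xml, victim_id):
    """The intercepting-proxy step: keep the captured message, swap the id for someone else's."""
    root = ET.fromstring(envelope_xml)
    root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}changePassword/id").text = str(victim_id)
    return ET.tostring(root, encoding="unicode")


def parse_change_password(envelope_xml):
    """Pulls the operation's fields out of the envelope with a real XML parser."""
    root = ET.fromstring(envelope_xml)
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}changePassword")
    if op is None:
        raise ValueError("not a changePassword request")
    user_id = op.findtext("id", "")
    if not user_id.isdigit():
        raise ValueError("id must be an integer")
    return {"id": int(user_id), "password": op.findtext("password"),
            "nonce": op.findtext("nonce")}


def change_password_vulnerable(envelope_xml, session_user_id):
    """Before: the id inside the message decides whose password changes; the authenticated
    caller (session_user_id) is never consulted."""
    req = parse_change_password(envelope_xml)
    if req["id"] not in USERS:
        return "unknown user"
    USERS[req["id"]]["password"] = req["password"]
    return "ok"


def change_password_hardened(envelope_xml, session_user_id):
    """After: the nonce must be fresh (a replayed capture fails) and the id in the body must
    equal the authenticated caller (a retargeted message fails)."""
    req = parse_change_password(envelope_xml)
    if not req["nonce"] or req["nonce"] in SEEN_NONCES:
        return "replay"
    SEEN_NONCES.add(req["nonce"])  # production: pair with a timestamp and expire old entries
    if req["id"] != session_user_id:
        return "forbidden"
    if not req["password"]:
        return "bad password"
    USERS[req["id"]]["password"] = req["password"]
    return "ok"


def run_demo():
    """alice (101) is the authenticated caller; the attacker retargets her message at bob (102)."""
    USERS[101]["password"], USERS[102]["password"] = "alice-old", "bob-old"
    SEEN_NONCES.clear()

    forged = attacker_retargets(build_request(101, "alice-new", "n-0001"), 102)
    vuln = change_password_vulnerable(forged, session_user_id=101)
    bob_after_vuln = USERS[102]["password"]
    USERS[102]["password"] = "bob-old"

    hard_forged = change_password_hardened(forged, session_user_id=101)
    hard_own = change_password_hardened(build_request(101, "alice-new", "n-0002"), 101)
    hard_replay = change_password_hardened(build_request(101, "alice-new", "n-0002"), 101)
    return {"vulnerable": (vuln, bob_after_vuln),
            "hardened": (hard_forged, hard_own, hard_replay),
            "alice_password": USERS[101]["password"],
            "bob_password": USERS[102]["password"]}


if __name__ == "__main__":
    print(run_demo())
```

A nonce defends against replaying a captured message, not against editing one in flight; only the id-equals-caller check stops the retargeting, and transport protection (HTTPS rather than “HTTP or HTTPS, depends”) is what keeps a network attacker from capturing the message in the first place. The nonce set above grows without bound; production code stores each nonce with a timestamp and drops entries outside the accepted window.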
What About Flex Application…
Cross-site Flashing (XSF)
You can detect XSF using SwfIntruder.
What About…
• Phishing attack
• Ad malware
• Botnet
• ActiveX controls
• Serialization security, e.g. Dojo, jQuery
Agenda
• Detect
• Defend
• Learn
Strategy #1: Security Development Lifecycle
Remark: Show demo or examples of these artifacts
Defensive Coding: Examples
Scenario: Cross-site request forgery. Sample actions:
• Filter specific tags (e.g. <IMG>)
• Prompt the user with a security token for important actions or high-value transactions
• Shorter time period for user sessions
Scenario: JSON poisoning. Sample actions:
• Client-side and server-side input validation
• JavaScript output encoding
• Obfuscate JavaScript
Scenario: SOAP injection. Sample actions:
• Use of nonce
• WS-Security best practices
• Turn off WSDL
Strategy #2: Custom Security Test
Category | Public / Open Source | Commercial
Discovery tools | NMAP | Nessus
Web server vulnerabilities | Nikto | (none listed)
Code quality* | OWASP, FindBugs | Fortify, Klocwork
Application vulnerabilities | Paros | AppScan, Hailstorm
Penetration testing | WebScarab, Paros, SwfIntruder | (none listed)
* Code quality tools are white box (source-level) analysis. Hybrid security testing = white box* + black box testing.
Remark: Show demo of running different security testing tools on Roller
Agenda
• Detect
• Defend
• Learn
Lesson 1: Security Findings by Category
Lesson 2: What You Can and Can’t Do
Obvious, e.g.
• Information leakage
• Port scan
• OS fingerprinting
• Web server vulnerabilities scanner
Difficult ones, e.g.
• Cross-site Scripting
• Cross-site Request Forgery
• Denial of Service
Hard ones, e.g.
• New Web 2.0 vulnerabilities
Lesson 3: Summary
• Don’t practice penetration testing tools on a production system! “Trust no one”
• Do we know what to detect, or what to test?
• Different security testing tools provide different findings
For More Information
Concepts
• OWASP Top 10 vulnerabilities: http://www.owasp.org/index.php/Category:Vulnerability
• Cannings, Dwivedi and Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008
• Andres Andreu. Professional Pen Testing for Web Applications
• Shyamsuda and Gould. You Are Hacked. JavaOneSM Conference 2007: http://developers.sun.com/learning/javaoneonline/2007/pdf/TS-6014.pdf
Security Incident Updates
• Top 10 Web 2.0 attack vectors: http://www.net-security.org/article.php?id=949
• http://www.us-cert.gov/current/current_activity.html
• CERN: http://security.web.cern.ch/security/
• Also RSA, Microsoft, Symantec and other major security vendor websites
For More Information (cont’d)
Tutorial
• http://www.irongeek.com/i.php?page=security/hackingillustrated
Tools
• http://sectools.org/
• http://www.cotse.com/tools/
• http://www.securityhaven.com/tools.html
• http://framework.metasploit.com/
• http://www.paneuropa.co.uk/penetration_testing.htm
• http://www.owasp.org/index.php/Category:OWASP_Download