Transcript of Securing_web_applications.pdf (slide deck)
Securing Web Applications
Lethal Attacks On The Rise
Shreeraj Shah, Founder & Director, Blueinfy Solutions
SiliconIndia, Mumbai, India
Who Am I?
• Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
• Past experience
– Net Square, Chase, IBM & Foundstone
• Interest
– Web security research
• Published research
– Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories - .Net, Java servers etc.
• Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
http://shreeraj.blogspot.com
http://www.blueinfy.com
Lethal Attacks on the rise
Attacks in 2010
• Web attacks skyrocketed 93% in 2010, while attack toolkits grew to account for two-thirds of all Web-based threats.
• Hacking results in an average of 262,767 identities exposed per data breach incident – hitting the bottom line.
• 50%+ of vulnerabilities are in Web apps – counting & growing.
• Era of Web hacking, Web 2.0 and social networks.
Web App Hacking - Lethal
• Rogue certificates issued for Google, Microsoft etc. – privacy and security ???
• Mass SQL injection – blind injections across the Internet
Mobile App Hacking - Lethal
• Mobile hacking – Android or iPhone
Impact
• In the above two cases
– A rogue certificate lets an attacker sit in the middle of the TLS connection (man in the middle)
– Attacker can spoof and sniff your content
– Mass SQL injection redirects victims to a fake antivirus site that pops up a form asking for credit card details
– Stealing banking information
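The "blind injections across the Internet" and "SQLi – complete compromise" points deserve a concrete illustration. The following is an added example written for this transcript, not code from the slides or from Blueinfy: an in-memory SQLite table with made-up rows, a lookup that concatenates user input into SQL (the bug behind mass SQL injection campaigns), a boolean-based blind extraction that recovers a password using only the yes/no answer the page gives, and the bound-parameter version of the same lookup, which the identical probes cannot get past. The table, rows and function names are constructed for the demo.

```python
"""Added example (not from the slides): boolean-based blind SQL injection against a
string-concatenated query, and the parameterized version that stops it.
Everything here is constructed: an in-memory SQLite table with made-up rows."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                 [("alice", "s3cret!"), ("bob", "hunter2")])


def user_exists_vulnerable(name: str) -> bool:
    """The bug: untrusted input concatenated into SQL. The page only reveals
    True/False (no rows echoed), which is exactly the oracle a blind injection needs."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(name: str) -> bool:
    """The fix: a bound parameter. The input is data, never SQL."""
    sql = "SELECT id FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def blind_extract_password(oracle, victim: str, max_len: int = 32) -> str:
    """Recover the victim's password one character at a time using only the
    True/False answers of `oracle`. Each probe injects a condition on
    substr(password, pos, 1); a True answer means the guess was right."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789!?"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # SQLite substr() is 1-indexed; the trailing '--' comments out the
            # closing quote that the application appends.
            payload = f"{victim}' AND substr(password,{pos},1)='{ch}'--"
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of string
    return recovered


def demo():
    """Run the same attack against both lookups: (leaked, blocked)."""
    leaked = blind_extract_password(user_exists_vulnerable, "alice")
    blocked = blind_extract_password(user_exists_fixed, "alice")
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Each character costs at most one request per alphabet symbol, which is why an attacker can afford to run this across thousands of sites unattended. The parameterized lookup makes the probes harmless: the whole payload is compared as a literal name and no row matches.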
What's going on …
• Attacks over HTTP (port 80/443)
• Firewall blocking – No! (those ports are open by design)
• Web pages and software – Vulnerable? YES!!!
– Impact : Severe
– Exploitability : Easy
– Loss : Business, Intellectual Property, Data etc.
• Attacks are growing in sophistication …
• A game of chess – going on …
Hacks & Exploits
• 90% of sites are vulnerable to one or more vulnerabilities.
• Exploitable? – YES!
• Most popular ones are – SQLi & XSS
• SQLi – complete compromise of the application …
• XSS – control over the browser and exploitation
• Mobile hacks and attacks
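The "XSS – control over the browser" point, and the "Ajax driven XSS" finding in the enterprise case later in the deck, come down to untrusted data being written into a page without encoding for the context it lands in. The following is an added example for this transcript, not code from the slides or from the author: a profile page template rendered with and without context-specific encoding, using a textbook payload constructed for the demo. The template, function names and payload are assumptions made here.

```python
"""Added example (not from the slides): why one generic "escape" is not enough.
Untrusted data lands in different browser contexts (HTML text, quoted attribute,
JavaScript string literal); each needs its own encoder. The template and the
payload are constructed for this demo."""
import html
import json


def encode_for_html(s: str) -> str:
    """Element content (<p>{s}</p>) and quoted attribute values (value="{s}").
    Always quote attributes; unquoted attributes cannot be made safe by escaping."""
    return html.escape(s, quote=True)


def encode_for_js_string(s: str) -> str:
    """Inside a <script> string literal: var x = {s};
    json.dumps escapes quotes and backslashes; "</" is additionally broken so the
    HTML parser can never see a closing </script> inside the literal."""
    return json.dumps(s).replace("</", "<\\/")


def render_profile_vulnerable(display_name: str) -> str:
    # Raw interpolation into both an HTML and a JavaScript context.
    return f"<h1>Hi {display_name}</h1><script>var who = '{display_name}';</script>"


def render_profile_fixed(display_name: str) -> str:
    # Same template, each slot encoded for the context it sits in.
    return (f"<h1>Hi {encode_for_html(display_name)}</h1>"
            f"<script>var who = {encode_for_js_string(display_name)};</script>")


# A classic payload: closes the script block the data sits in and opens its own.
PAYLOAD = "</script><script>alert(1)</script>"


def count_script_closers(page: str) -> int:
    """How many times the HTML parser will see a script block end.
    The template itself contributes exactly one."""
    return page.count("</script>")


if __name__ == "__main__":
    print(count_script_closers(render_profile_vulnerable(PAYLOAD)))  # attacker's tags live
    print(count_script_closers(render_profile_fixed(PAYLOAD)))       # only the template's
```

For Ajax-driven pages the same rule applies on the client: data that arrives in a JSON response must go through the equivalent encoders (or be assigned with textContent rather than innerHTML) before it is written into the DOM.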
Attack Patterns
Attacks and Hacks
• 80% of sites have security issues
• Web application layer vulnerabilities are growing at a higher rate than the rest of the security space
• Client side hacking and vulnerabilities are on the rise – from 5% to 30% (IBM)
• Web browser vulnerabilities are growing at a high rate
• End point exploitation is shifting from the OS to the browser and its plugins
Attacks and Hacks
• Web pages are a medium for eCrime
• Web vulnerabilities are a medium for malware and spyware delivery
• Web based malware embedded in sites is a common means of delivery
• 82% rise in one year in malicious sites that need to be blocked
• Spyware/adware on sites outnumber malware – iframe based attacks
Attacks and Hacks
• Social networking and Web 2.0 sites are carriers for complex worms and malware – rising at a rapid rate
• Top security concerns of 2008: criminals are exploiting vulnerabilities along the entire Web ecosystem to gain control of computers and networks.
• Invisible threats (such as hard-to-detect infections of legitimate websites) are making common sense and many traditional security solutions ineffective.
Attacks and Hacks
• 75 percent of Web sites with malicious code
• 60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity
• 76.5 percent of all emails in circulation contained links to spam sites and/or malicious Web sites.
• 29 percent of malicious Web attacks included a data-stealing snippet
• 46 percent of data-stealing attacks are conducted over the Web. (Websense)
Top Attacks
Top Weaknesses
Impact
Real Life Cases and Analysis
Enterprise Application Case
• Enterprise running on the 2.0 wave - Portal
• Technologies & Components – Dojo, Ajax, XML Services, Blog, Widgets
• Scan with tools/products failed
• Security issues and hacks
– SQL injection over XML
– Ajax driven XSS
– Several XSS with Blog component
– Several information leaks through JSON fuzzing
– CSRF on both XML and JS-Array
» HACKED
» DEFENSE
Real Case Study
• Impact
– Possible to run SQL queries remotely
– Changing price and placing order
– Customer information enumeration
– Stealing customer identities
– Manipulation of JSON/XML streams and much more
– Great financial impact…
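The "CSRF on both XML and JS-Array" finding in this case is the pattern usually called JSON hijacking: an authenticated GET endpoint, protected by the session cookie alone, answers with a bare JavaScript array, so a hostile page can pull it in with a script tag and the victim's browser attaches the cookie. The following is an added example for this transcript, not code from the slides or from the customer's application: a minimal request model (no web framework), the vulnerable handler, and a hardened one that requires a custom header, checks a per-session CSRF token, and never emits a body that parses as JavaScript. The request class, session store, profile data and endpoint name are all constructed for the demo.

```python
"""Added example (not from the slides): JSON hijacking ("CSRF on JS-Array") and
a hardened handler. The Request class, the session store and the /profile data
are constructed for this demo; there is no real web framework behind them."""
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS = {"sid-123": {"user": "alice", "csrf": secrets.token_hex(16)}}
PROFILE = {"alice": ["alice", "alice@example.test", "4111-XXXX-XXXX-1111"]}
GUARD = ")]}',\n"   # unparseable prefix; the legitimate client strips it


def profile_vulnerable(req: Request):
    """Authenticated by cookie alone, answers GET, returns a bare array:
    <script src="/profile"> on an attacker's page carries the cookie, the
    response is valid JavaScript, and old engines let that page read it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "text/plain", "login required"
    return 200, "application/json", json.dumps(PROFILE[sess["user"]])


def profile_fixed(req: Request):
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "text/plain", "login required"
    # 1. Only XHR/fetch from the same origin can set a custom header without a
    #    CORS preflight; <script src> and <form> cannot set it at all.
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "text/plain", "missing XHR header"
    # 2. Per-session CSRF token, compared in constant time.
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), sess["csrf"]):
        return 403, "text/plain", "bad csrf token"
    # 3. Wrap the array in an object and prefix the guard, so the body is
    #    never executable JavaScript even if checks 1 and 2 were bypassed.
    body = GUARD + json.dumps({"profile": PROFILE[sess["user"]]})
    return 200, "application/json", body


def client_parse(body: str):
    """What the legitimate in-page client does: strip the guard, then parse."""
    return json.loads(body[len(GUARD):] if body.startswith(GUARD) else body)


if __name__ == "__main__":
    forged = Request("GET", "/profile", cookies={"sid": "sid-123"})
    print(profile_vulnerable(forged)[0], profile_fixed(forged)[0])  # 200 vs 403
```

The same three controls cover the XML variant of the finding: a cross-site request can carry the cookie but not the custom header or the token, and a response wrapped so it is not a script is useless to a script tag.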
Large Telecom Application
• Large Telecom company
– Source code review was done
– Application is distributed, running in the browser, on PDAs and on mobile phones
– Payment system was involved
– Vulnerable
• Presentation layer (XSS and CSRF)
• SQL
• DoS
• Session issues
Banking Application
• Scanning application for vulnerabilities
• Typical banking application running with middleware
• Vulnerabilities
– Profile manipulation (logical and hidden values)
– XSS
– Strong session management, but URL rewriting (the session id is carried in the URL)
– SQL injection is impossible in this case
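"Strong session management but URL rewriting" is a finding worth being able to confirm from the server's own logs: once the session id rides in the URL it ends up in access logs, proxy logs, browser history and Referer headers, and a token that shows up from a second client address is a hijack in progress. The following is an added example for this transcript, not code from the slides or from the bank: a scan over constructed access-log lines in common log format that flags session tokens embedded in request URLs and reports any token used from more than one client. The log lines, IP addresses, token values and function names are all made up for the demo; the parameter names are the usual container defaults.

```python
"""Added example (not from the slides): detect session identifiers carried in
URLs (URL rewriting) and tokens reused from more than one client. The access
log below is constructed for this demo; the parameter names are common
container defaults (jsessionid, PHPSESSID, ASP.NET_SessionId)."""
import re
from collections import defaultdict

LOG = """\
203.0.113.5 - - [12/Mar/2011:10:01:12 +0530] "GET /bank/accounts;jsessionid=7A1F3C9B2E4D5F6A7B8C9D0E1F2A3B4C HTTP/1.1" 200 5120
203.0.113.5 - - [12/Mar/2011:10:01:40 +0530] "GET /bank/transfer?acct=1001&PHPSESSID=e4a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5 HTTP/1.1" 200 2210
198.51.100.9 - - [12/Mar/2011:10:02:03 +0530] "GET /help/faq HTTP/1.1" 200 910
198.51.100.9 - - [12/Mar/2011:10:02:30 +0530] "GET /bank/accounts;jsessionid=7A1F3C9B2E4D5F6A7B8C9D0E1F2A3B4C HTTP/1.1" 200 5120
"""

# Longest names first so the alternation cannot stop at a shorter prefix.
SESSION_PARAMS = ("asp.net_sessionid", "jsessionid", "phpsessid", "sessionid", "sid")
# A token is only counted when it follows a path (;), query (?) or param (&) delimiter.
TOKEN_RE = re.compile(
    r"[;?&](" + "|".join(map(re.escape, SESSION_PARAMS)) + r")=([A-Za-z0-9._-]{8,})",
    re.IGNORECASE,
)
# Common log format: client ident user [time] "method url proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def find_session_leaks(log_text: str) -> list:
    """One finding per session token seen in a request URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        client, ts, method, url, status = m.groups()
        for tm in TOKEN_RE.finditer(url):
            findings.append({"client": client, "time": ts, "url": url,
                             "param": tm.group(1).lower(), "token": tm.group(2)})
    return findings


def tokens_used_from_multiple_clients(log_text: str) -> dict:
    """Tokens that appear from more than one client address: the URL leaked
    and someone replayed it, or the session was fixed on the victim."""
    clients_by_token = defaultdict(set)
    for f in find_session_leaks(log_text):
        clients_by_token[f["token"]].add(f["client"])
    return {tok: cl for tok, cl in clients_by_token.items() if len(cl) > 1}


if __name__ == "__main__":
    for f in find_session_leaks(LOG):
        print(f["client"], f["param"], f["token"])
    print(tokens_used_from_multiple_clients(LOG))
```

The fix is not a better log scanner but disabling URL rewriting (cookie-only sessions), which is why the finding mattered even though the session ids themselves were strong.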
Postmortem
• Web application firewall was in place
• They scanned their applications
• Manual testing was done
• Source code was never audited
• There was no focus on SDLC and security awareness for developers
• Fixing is going to cost a lot
Vulnerability Analysis
AppSec dynamics (Source - OWASP)
Vulnerability – Why and Where?
Root cause of Vulnerabilities
CSI Security Survey : Vulnerability Distribution
– Programming errors: 64%
– Misconfiguration, other problems: 36%
Source Code Issues
• 1 security defect per 10,000 lines
• Reported
– 30,000+ at CVE
– 6000+ at IBM X-Force
• 70% of developers are working on application coding
• 4 of the top 5 vulnerabilities are on the application layer
• Expensive to fix them.
Vulnerability vs. Bug ...
Diagram: Input (Integer/Number, A-Z Characters, Special Characters) -> Decision (with Exception Handler) -> Expected State, or Vulnerable State -> Potential Exploitation
OWASP’s Risk Picture
Securing – Methodologies & Approach
Application Security Cycle
• Architecture
– Design review
– Technology review
– Threat modeling
• Blackbox
– Assessment
– Audit controls
– Penetration tests
– Deployment tests
• Whitebox
– Architecture review
– Configuration review
– Deployment review
– Code review
– Threat correlation
• Defense
– Secure coding
– Configuration lockdown
– Content filtering
– Threat mitigation
Methodology, Scan and Attacks
• Black (box), against the Assets: Footprinting & Discovery -> Enumeration & Crawling -> Config Scanning -> Attacks and Scanning
• White (box): Code Scanning
• Defense: Web Firewall, Secure Coding, Secure Assets
Microsoft - SDL
WAF in Action
Diagram: Internet (Web Client) -> Corporate Firewall -> DMZ: Web Application Firewall (1) -> IIS Web Server / Web Application, watched by a Web Application IDS (2) -> Trusted (Internal/Corporate): DB, Application Resource..
Securing Your App
• Detection
– Scan and penetration testing (symptoms)
– Code analysis (root cause)
• Securing
– Securing code during the SDLC (long term and permanent fix)
– Web Application Firewall (short term and temporary patch)
• Don't go live without securing!!! The world is hostile ….
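The deck's verdict that a WAF is a "short term and temporary patch" while fixing the code is the permanent fix can be shown in a few lines. The following is an added example for this transcript, not code from the slides, from the author or from any WAF product: a signature filter of the kind a generic rule set ships with, run over constructed request query strings. It stops the obvious payloads and misses equivalent ones; the signatures, the requests and the single URL-decode pass are assumptions made for the demo, and the double-encoding case only matters when the application decodes the value again.

```python
"""Added example (not from the slides): why a signature WAF is a temporary patch.
The signatures and the requests are constructed for this demo. The filter
URL-decodes once before matching, an assumption about the engine, not a
statement about any product."""
import re
from urllib.parse import unquote_plus

SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),   # classic tautology
    re.compile(r"union\s+select", re.IGNORECASE),        # union-based extraction
    re.compile(r"<script\b", re.IGNORECASE),             # script-tag XSS
]


def waf_blocks(raw_query: str) -> bool:
    """True if any signature matches the once-decoded query string."""
    decoded = unquote_plus(raw_query)
    return any(sig.search(decoded) for sig in SIGNATURES)


# Constructed requests and whether the filter above catches them.
REQUESTS = {
    "id=1' or 1=1--":               True,   # caught: textbook payload
    "id=1%27%20OR%201%3D1--":       True,   # caught: same payload, URL-encoded once
    "q=<script>alert(1)</script>":  True,   # caught: literal script tag
    "id=1' or 'a'='a":              False,  # missed: same logic, different literal
    "id=1' or/**/1=1--":            False,  # missed: comment replaces the space
    "id=1'%2520or%25201%253D1--":   False,  # missed: double-encoded; only a problem
                                            #   if the app decodes a second time
    "q=<svg onload=alert(1)>":      False,  # missed: XSS without a <script tag
}


def evaluate() -> dict:
    """Run every constructed request through the filter."""
    return {req: waf_blocks(req) for req in REQUESTS}


def missed() -> list:
    """The requests that reach the application untouched."""
    return [req for req, blocked in evaluate().items() if not blocked]


if __name__ == "__main__":
    for req, blocked in evaluate().items():
        print("BLOCK" if blocked else "PASS ", req)
```

Every "missed" line above is harmless against a parameterized query or a context-encoded template and dangerous against concatenated SQL or raw HTML output; the filter changes which payload works, not whether one exists. That is the sense in which the WAF buys time for the code fix rather than replacing it.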
Thanks!!!
Conclusion – Questions?
http://shreeraj.blogspot.com
http://www.blueinfy.com
Upcoming Events
http://www.infibeam.com/Books/search?q=shreeraj