MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong
Transcript of MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong
Lap Around Web Application Vulnerabilities
Walter Wong
MVP – Visual Developer (Security)
[email protected]
http://spaces.live.com/walterwws
Top 10 Web Application Vulnerabilities in 2007
1. Cross-site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Source: http://www.owasp.org/index.php/top_10_2007
Agenda
The foundation of attack
Advanced attack techniques
Obfuscation
Automated Testing
Foundation of attack
Application attacks are also known as "layer 7 attacks".
A program is just a set of instructions.
The developer is the key protector.
All input is evil (Writing Secure Code by Michael Howard and David LeBlanc).
3 basic techniques
Path Traversal
Cross-site Scripting
SQL Injection
SQL Injection
Building SQL statements with string concatenation lets an attacker change the semantics of the SQL query.
Developers prefer string concatenation because it is easy; they also know the safer method, but it requires more thought.
Scenario #1
The attacker submits specially crafted input when performing a search.
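The two ways of building the search query side by side, as an added example that is not code from the presentation. It assumes a hypothetical Products table with Name and Price columns and a placeholder connection string; the point is that the parameterised version keeps the SQL text fixed so the search term is only ever data.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical search page for Scenario #1. The Products table, its columns and
// the connection string are assumptions, not details from the presentation.
public static class ProductSearch
{
    // Vulnerable form: the user's term is pasted into the SQL text. Any single
    // quote in the term (a legitimate name such as O'Brien will do) ends the
    // string literal early, so whatever follows is parsed as SQL rather than as
    // a search term. That is the semantic change the slide describes.
    public static string BuildUnsafeQuery(string term)
    {
        return "SELECT Name, Price FROM Products WHERE Name LIKE '%" + term + "%'";
    }

    // Safe form: the SQL text never changes. The term travels as a typed value in
    // the command's Parameters collection, so the database never parses it as SQL.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string term)
    {
        var command = new SqlCommand(
            "SELECT Name, Price FROM Products WHERE Name LIKE @pattern", connection);

        // Parameters stop injection, but LIKE wildcards inside the term would still
        // let a user widen the match, so escape them using SQL Server's [] syntax.
        string escaped = term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        command.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
        return command;
    }

    public static void Main()
    {
        // Constructed input: a legitimate name that already breaks the concatenated query.
        string term = "O'Brien";
        Console.WriteLine(BuildUnsafeQuery(term));

        // Placeholder connection string; the command is built but not executed here.
        using (var connection = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true"))
        using (var command = BuildSafeCommand(connection, term))
        {
            Console.WriteLine(command.CommandText);
            Console.WriteLine(command.Parameters["@pattern"].Value);
        }
    }
}
```

Printing the unsafe query shows the quote inside O'Brien splitting the string literal; printing the safe command shows the SQL text unchanged and the whole term, quote included, sitting in the parameter value. The same pattern applies to every value taken from a request, not only search terms.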
SQL Injection
Date : 12 June 2008
http://www.lowyat.net
3 basic techniques
Path Traversal
Cross-site Scripting
SQL Injection
Cross-site Scripting (XSS)
How does it work?
1. Take input from the user
2. Fail to validate the input
3. Echo the input directly to the web page
4. Done!
Scenario #2
When a developer uses
<%# DataBinder.Eval(Container.DataItem, "Column1") %>
to bind data in a DataList.
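An added example for this scenario, not code from the presentation, showing the "Validate Input, Validate Output" (VIVO) pair in code-behind form. The raw DataBinder.Eval binding writes whatever is stored in Column1 straight into the page; the helper below encodes it on the way out, and a second helper restricts what is accepted on the way in. Column1 is the column name from the slide; the class name, the regular expression and the display-name rules are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helpers for Scenario #2. Only the column name Column1 comes from
// the slide; everything else here is assumed.
public static class SafeBinding
{
    // Output side of VIVO: encode the value at the point it is written into HTML,
    // so a stored value that contains markup is rendered as text, not interpreted.
    // In the DataList template this replaces the raw binding from the slide:
    //   <%# SafeBinding.HtmlCell(DataBinder.Eval(Container.DataItem, "Column1")) %>
    public static string HtmlCell(object value)
    {
        // Convert.ToString maps both null and DBNull.Value to an empty string,
        // so the cell never renders the word "null" or throws on a missing value.
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }

    // Input side of VIVO: accept only the characters the field is meant to hold
    // and reject everything else, rather than trying to strip "bad" characters.
    // Letters, digits, space, dot, apostrophe and hyphen, up to 64 characters.
    private static readonly Regex DisplayName = new Regex(@"^[\p{L}\p{N} .'-]{1,64}\z");

    public static bool IsValidDisplayName(string input)
    {
        return input != null && DisplayName.IsMatch(input);
    }

    public static void Main()
    {
        // Constructed stored value containing markup, as a poisoned Column1 might.
        Console.WriteLine(HtmlCell("<b>hello</b>"));
        Console.WriteLine(IsValidDisplayName("Walter Wong"));
        Console.WriteLine(IsValidDisplayName("<b>hello</b>"));
    }
}
```

HtmlEncode turns `<`, `>`, `&` and `"` into their entity forms, which is what makes the browser display the markup instead of running it. Validation alone is not enough because data reaches Column1 from more places than this one form; encoding at output covers every path into the page.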
Cross-Site Scripting (XSS)
3 basic techniques
Path Traversal
Cross-site Scripting
SQL Injection
Path Traversal
Access files that the application never intended to expose.
Can read any file on the system.
Uses "dot-dot-slash" sequences to backtrack out of the folder.
Example: http://app.com/GetImage.aspx?file=..\..\windows\repair\sam
Scenario #3
To avoid "Resource cannot be found" errors, the developer creates a page that checks whether the picture file exists. If it does not exist, the page shows a generic image.
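The existence check from this scenario, written out as an added example that is not the presentation's own code, first in the form that is vulnerable and then hardened. The images folder, the bare-file-name rule, the allowed extensions and the generic.png fallback are all assumptions.

```csharp
using System;
using System.IO;

// Hypothetical image lookup for Scenario #3. The images folder, the file-name
// rules and the generic.png fallback are assumptions, not from the presentation.
public static class ImageResolver
{
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".gif" };

    // Vulnerable form: File.Exists confirms any path the request names, so a
    // "..\..\" sequence walks out of the images folder and the page serves
    // whatever file the walk reaches. The check only hides missing files.
    public static string ResolveUnsafe(string imagesRoot, string requestedFile)
    {
        string candidate = Path.Combine(imagesRoot, requestedFile);
        return File.Exists(candidate) ? candidate : Path.Combine(imagesRoot, "generic.png");
    }

    // Hardened form: the request may name only a bare file with an image
    // extension, and its canonical path must still lie inside the images folder.
    public static string ResolveSafe(string imagesRoot, string requestedFile)
    {
        string generic = Path.Combine(imagesRoot, "generic.png");
        try
        {
            if (string.IsNullOrEmpty(requestedFile)) return generic;

            // Bare file name only: no directory separators, no drive, no absolute path.
            if (requestedFile != Path.GetFileName(requestedFile)) return generic;
            if (Path.IsPathRooted(requestedFile)) return generic;

            string ext = Path.GetExtension(requestedFile).ToLowerInvariant();
            if (Array.IndexOf(AllowedExtensions, ext) < 0) return generic;

            // Canonicalise both sides and compare with a trailing separator so that
            // a sibling folder such as "images2" is not mistaken for a child of "images".
            string root = Path.GetFullPath(imagesRoot)
                .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, requestedFile));
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return generic;

            return File.Exists(full) ? full : generic;
        }
        catch (ArgumentException)      // invalid characters in the requested name
        {
            return generic;
        }
        catch (NotSupportedException)  // e.g. a colon in the name on .NET Framework
        {
            return generic;
        }
    }

    public static void Main()
    {
        // Constructed folder and request values; nothing is read from disk beyond File.Exists.
        string root = @"C:\inetpub\site\images";
        Console.WriteLine(ResolveSafe(root, "logo.png"));
        Console.WriteLine(ResolveSafe(root, @"..\..\windows\repair\sam"));
        Console.WriteLine(ResolveSafe(root, "logo.png.config"));
    }
}
```

The second and third requests both fall through to generic.png: the first because it carries directory separators, the second because the extension is not an image type. Keeping the folder comparison as a final check, even after the name-only rule, means a future change to the name rule does not silently reopen the traversal.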
Path Traversal
Advanced Techniques
Utilize the basic attack techniques.
Able to unveil a lot of private information about servers.
Examples:
WMI Attack
Host File Hijacking
WMI Attack
WMI = Windows Management Instrumentation.
WMI is an essential tool for IT administrators to manage servers and workstations.
Damages:
Retrieve the server's information
Remotely uninstall applications
Scenario #4
The attacker retrieves the list of software installed on the web server and uninstalls it.
WMI Attack
![Page 22: MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong](https://reader036.fdocuments.in/reader036/viewer/2022062513/5554bed9b4c90503388b4d52/html5/thumbnails/22.jpg)
Host File Hijacking
Windows relies on DNS and the hosts file to resolve the target IP address.
Hosts file location: %windir%\system32\drivers\etc\hosts
Damages:
Corrupt the hosts file so that it redirects data to a malicious server.
Scenario #5
The attacker redirects the traffic for www.abc.com to a different IP address. Imagine an antivirus application being sent to the wrong IP address to download its latest signature file.
Host File Hijacking
![Page 25: MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong](https://reader036.fdocuments.in/reader036/viewer/2022062513/5554bed9b4c90503388b4d52/html5/thumbnails/25.jpg)
Obfuscation
The default .NET assembly format allows a developer to disassemble and decompile it.
Obfuscation is a process that rebuilds the .NET assembly into a new format that is impossible to disassemble or decompile and difficult to understand.
It prevents competitors and hackers from getting your source code.
Scenario #6
The attacker downloads the .NET assembly through a path traversal attack, successfully disassembles and decompiles it, and can now view all the logic behind the source code.
Obfuscator
![Page 28: MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong](https://reader036.fdocuments.in/reader036/viewer/2022062513/5554bed9b4c90503388b4d52/html5/thumbnails/28.jpg)
Automated Testing
Develop your own testing tools.
Automate your testing process.
Visual Studio Tester Edition has the capability to do automated testing.
The Dark Side……
Brute force attacks use the same technique.
It is a common attack to "try out" passwords.
To prevent such attacks, identify the source:
MAC address
IP address
Login username
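One way to act on "identify the source", as an added example that is not code from the presentation: a small login throttle keyed on the username being tried and the client IP address, which are the two identifiers from the list that a web application can actually observe in a request. The thresholds (five failures within fifteen minutes), the key format and the class name are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical throttle for the defence described on this slide. The limits and
// the username+IP key are assumptions, not taken from the presentation.
public sealed class LoginThrottle
{
    private readonly int maxFailures;
    private readonly TimeSpan window;
    private readonly object gate = new object();
    private readonly Dictionary<string, Queue<DateTime>> failures =
        new Dictionary<string, Queue<DateTime>>(StringComparer.Ordinal);

    public LoginThrottle(int maxFailures, TimeSpan window)
    {
        this.maxFailures = maxFailures;
        this.window = window;
    }

    // The account under attack and the address the attempts come from together
    // identify the source; normalising the username stops "Admin" and "admin"
    // from being counted as two different targets.
    private static string Key(string username, string clientIp)
    {
        return (username ?? string.Empty).Trim().ToLowerInvariant() + "|" + (clientIp ?? string.Empty);
    }

    // Call before the password is checked; true means refuse the attempt.
    public bool IsBlocked(string username, string clientIp, DateTime now)
    {
        lock (gate)
        {
            Queue<DateTime> hits;
            if (!failures.TryGetValue(Key(username, clientIp), out hits)) return false;
            Prune(hits, now);
            return hits.Count >= maxFailures;
        }
    }

    // Call after a wrong password; only failures inside the window are kept.
    public void RecordFailure(string username, string clientIp, DateTime now)
    {
        lock (gate)
        {
            string key = Key(username, clientIp);
            Queue<DateTime> hits;
            if (!failures.TryGetValue(key, out hits))
            {
                hits = new Queue<DateTime>();
                failures[key] = hits;
            }
            hits.Enqueue(now);
            Prune(hits, now);
        }
    }

    // A successful login clears the counter for that source.
    public void RecordSuccess(string username, string clientIp)
    {
        lock (gate) { failures.Remove(Key(username, clientIp)); }
    }

    private void Prune(Queue<DateTime> hits, DateTime now)
    {
        while (hits.Count > 0 && now - hits.Peek() > window) hits.Dequeue();
    }

    public static void Main()
    {
        var throttle = new LoginThrottle(5, TimeSpan.FromMinutes(15));
        DateTime start = new DateTime(2008, 6, 12, 9, 0, 0);   // constructed timestamp
        string ip = "192.0.2.10";                              // constructed documentation address

        for (int i = 0; i < 5; i++) throttle.RecordFailure("admin", ip, start.AddSeconds(i));
        Console.WriteLine(throttle.IsBlocked("admin", ip, start.AddSeconds(5)));   // five failures inside the window
        Console.WriteLine(throttle.IsBlocked("admin", ip, start.AddMinutes(16)));  // same source after the window
        Console.WriteLine(throttle.IsBlocked("admin", "198.51.100.7", start));     // different source, untouched
    }
}
```

Two practical notes. A web server only sees a MAC address for clients on its own network segment, so for an internet-facing login page the IP address and username are the usable identifiers from the slide's list. And a throttle keyed on username alone lets an attacker lock legitimate users out on purpose, which is why the key above includes the client address as well; pairing the throttle with logging of every refused attempt gives the operations team the signal to investigate the source.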
Scenario #7
Develop a simple application to automate a brute force attack on a wireless router.
Automate the task
Steps to Defense Against Attackers
Validate input on both the client side and the server side.
Duplicate the validation functions on the client side and the server side.
NO SQL Injection – use the Parameter class in .NET.
NO XSS – Validate Input, Validate Output (VIVO).
Obfuscate your code TODAY!
Be innovative and creative in testing.
Resources
Visit my blog at http://spaces.live.com/walterwws
Resources
Visit my Pagecast at http://www.pageflakes.com/walterw
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.