Reducing Web Application Vulnerabilities using OWASP€¦ · 2. Cross Site Scripting 3. Broken...

CONTENTS

• Contents

• Disclaimer

• Introduction

• Common uses for Web Applications

• Common Web Application Infrastructure and Users

• The Importance of Web Application Security

• Why OWASP

• About OWASP

• Top Ten

• Summary.

• Mapping to Verizon Data Breach Report (Hacking Methods)

• In Detail (with Examples and Case Studies)

• 2013 Release Candidate Update

• Recommendations

• Prize

• Q & A

DISCLAIMER

Informational Purposes and ownership of views.

The content of this publication is for information purposes only, individuals and

organisations should assess the suitability of this information for their own

purposes. The information is provided for the purpose of understanding software

vulnerabilities and how to prevent their exploitation.

The views are not necessarily those of OWASP, however their will be similarities.

Chatham House Rule

This presentation is provided under the Chatham House Rule for the purpose of

facilitating free and open discussion.

“Chatham House Rule: Participants are free to use the information received, but

neither the identity nor the affiliation of the speaker(s), nor that of any

participant, may be revealed”.

COMMON USES FOR “WEB APPLICATIONS”

Internet Banking

Online Shopping

Online Bill Payments

Online Gambling

Online Forums

Software as a Service

Remote Access

Device Management (ICT Infrastructure)

COMMON WEB APPLICATION INFRASTRUCTURE &

USERS

THE IMPORTANCE OF WEB APP SECURITY

Competitive Advantage

Increased Consumer / Customer Confidence

Lower Costs from managing Theft / Fraud / Misuse / Recovery

Continuity of Business

Services are less susceptible to data corruption and/or data

accessibility problems resulting from unauthorised access

Compliance with requirements to protect information

WHY OWASP

Widely Recognised :

31 Different ICT Security Related Organisations have cited OWASP https://www.owasp.org/index.php/Industry:Citations#National_.26_International_Legislation.2C_Standards.2C_Guidelines.2C_Committees_and_In

dustry_Codes_of_Practice

Compliance with Security Standards

PCI DSS: Requirement 6.5 Develop Secure Applications (v2). “… as industry best practices for vulnerability management are updated (for example, the OWASP Guide,” Approved Scanning Vendor Program Guide Reference 1.0/PCI DSS Version 1.2: “Perform a Scan without Interference from IDS/IPS”

Australian Government ISM: “Control 0971: Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications …”

ABOUT OWASP

Open Web Application Security Project

“OWASP is an open community dedicated to enabling

organizations to conceive, develop, acquire, operate,

and maintain applications that can be trusted”

Publications

Top 10

Full Development Guide (293 Pages)

Tutorials

Detail advice on Specific Topics

OWASP’S TOP TEN (1-5)

OWASP’S TOP TEN (6-10)

ALIGNMENT TO VERIZON DATA BREACH REPORT (2012)

H A C K I N G M E T H O D S

( A L L % / E N T E R P R I S E % )

• SQL Injection (3/14)

• Brute force and dictionary attacks (29/14)

• Exploitation of default or guessable credentials (55/9)

• Exploitation of insufficient authentication (6/3)

• Use of stolen login credentials (40/51)

• Exploitation of backdoor or command and control

channel (25/29)

• Remote File Inclusion (1/6)

• Abuse of Functionality (1/3)

• Unknown (4/31)

O W A S P T O P 1 0

1. Injection

2. Cross Site Scripting

3. Broken Authentication and Session

Management

4. Insecure Direct Object Access

5. Cross Site Request Forgery

6. Security Misconfiguration

7. Insecure Cryptographic Storage

8. Failure to Restrict URL Access

9. Insufficient Transport Layer Protection

10. Unvalidated Redirects and Forwards.

INJECTION - OVERVIEW

OWASP Rating

Prevention:

Parameterized Queries, Escaping and Whitelisting.

INJECTION – CASE STUDY

Case Study: Membership Website

Root Cause:

Unchecked Numeric Field due to lack of security awareness.

Log Entries show the attack.

Normal Use: GET /<BaseURL>/<Events> <FIELD>=<Number> 443 - <ClientIP>

Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident

/5.0) 200 0 0

Attack:

GET /<BaseURL>/<Events> <FIELD>='+declare+<snip>exec%28%40s%29--

443 - <AttackerIP>

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0


• Initial Query (insecure) sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘“ . $_POST[“membershipid”] . “’”;

Resultant Query from attempted Exploitation $_POST[“membershipid”]=“’; <injected commands>; --”

sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘1000’; <injected commands>; --’”

Using escaping to prevent exploitation, using PHP’s addslashes() function. sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=“ . addslashes($_POST[“membershipid”]);

Resultant Query – exploitation prevented sql_query = “select date,title,status from events, registrations where events.id = registrations.id and events.date > ‘”. date() . “’ and registrations.id=‘1000\’; <injected commands>; --’”

INJECTION – EXAMPLE

Additional Input Validation – Check if membership is a number.

// validate all supplied user input. Set $process = true if all input has been validated.

$process = false; //don’t process by default

$valid_data_count=0; //initialise the counter for valid data elements

$expected_elements=1; // we are expecting to validate 1 element here.

if (is_numeric($_POST[“membershipid”]) { //if membershipid is a number increment valid data counter

$valid_data_count++;

}

if ($valid_data_count == $expected_elements) { //if the valid data count the required number of elements ?

$process = true;

}

if ($process) {

sql_query = “select date,title,status from events, registrations where events.id = registrations.id and

events.date > ‘”. date() . “’ and registrations.id=“ . addslashes($_POST[“membershipid”]);

} else {

// Gracefully handle the invalid membershipid

echo “Invalid data has been received\n”;

// Log input data, source address, date/time into errors database for security operations review.

}


Threat Agent

Grouping: Organised Crime.

Motivation: Spread Malware or Extortion

Based on:

Sophistication:

Use of Multiple Hosting Providers

Use of Multiple DNS Names for malware hosting servers

Targeting:

Attacked Multiple of Businesses

Business Impact

Outage of Online Membership Functions

Reduced Services to members.

Increased costs to provide member services.

Remediation and Incident Response Costs:

Application Remediation to Check User Input by Developers

Lost Productivity of IT Support staff diverted to Incident Response

3rd Party Security Incident Response Assistance

CROSS SITE SCRIPTING - OVERVIEW

OWASP Rating:

Prevention:

Escaping and Whitelisting.

CROSS SITE SCRIPTING – CASE STUDY

Case Study: User Registration

Root Cause: Unchecked form data included in

HTML source.


Analysis of Vulnerability

CROSS SITE SCRIPT – CASE STUDY

Insecure Code <?php

//code to obtain data from database

echo “Customer Name:” . $custname;

echo “Customer Address1:” . $custaddr1;

?>

Fix - Escaping

<?php


echo “Customer Name:” . htmlspecialchars($custname);

echo “Customer Address1:” . htmlspecialchars($custaddr1);

?>

Fix – Output Validation <?php


echo “Customer Name:” . htmlspecialchars($custname);

echo “Customer Address1:” . htmlspecialchars($custaddr1);

if (is_number($custpostcode)) {

// Works for Australian Numeric Post Codes

// accomodation of International Post Codes will require adjustment.

echo “Customer Post Code:” . $custpostcode;

} else {

//error handler

}

?>


Threat Agent

Grouping: N/A

Motivation: N/A

Business Impact

Risk:

Cascaded exploitation by attackers.

Costs:

Application remediation – Developer costs

BROKEN AUTHENTICATION AND SESSION

MANAGEMENT - OVERVIEW

Overview


MANAGEMENT – CASE STUDY

Case Study: Web Application

Root Cause: Insufficient protection of passwords

exposed by inadequate system maintenance.


MANAGEMENT – CASE STUDY

Analysis of Vulnerability


MANAGEMENT

Insecure Code <?php

//code to store a password from a user in a sql database

$query = ‘update passwords set password=“’ . $password . “’ where

username=“’ . $username . “’;

mysql_query($query);

if (mysql_num_rows($query) == 1) {

//As there is a matching username and password,

//we consider the user authenticated

}

?>


MANAGEMENT Using Salt + multiple hashing.

<?php

//code to store a password from a user in a sql database

$salt_length = mt_rand(135,270); // 135 – 270 characters in the salt.

$iterations = mt_rand(2000,4000); // 2000-4000 iterations of the hashfunction

$hash_algo = “sha256”;

//Generate the salt

$salt = “”;

for ($saltcounter = 0; $saltcounter++; $saltcounter < $salt_length) {

$salt .= mt_rand(32,255);

}

//Combine the salt with the password and iterate the hash function.

$hashpass = $salt . $password;

for ($hashcounter = 0; $hashcounter++; $hashcounter < $iterations) {

$hashpass = hash($hash_algo, $hashpass);

}

$query = ‘update passwords set hashpass=“’ . $hashpass. “’, salt=‘” . $salt . “’, iterations=‘” . $iterations . “’ where username=“’ . $username . “’;

mysql_query($query);

?>


MANAGEMENT – CASE STUDY Threat Agent

Grouping: Infamy (Skilled – Employed Anti-Forensics)

Motivation: (Limited) Distribution of Copyrighted Material

Business Impact

Disruption:

Services unavailable while servers were rebuilt.

Delays to other projects as staff were resolving issues.

Costs:

Security Incident Response Team

7 FTE Staff for 3 Weeks, plus

External Security Incident Support.

Lost Productivity.

Reputational Damage

Additional Support

Additional Security Awareness Training

1 Year Fixed Term Staff Member to Provide.

Improvement to Policies, Procedures and Processes.

INSECURE DIRECT OBJECT REFERENCES

Overview

Prevention: Check access, use per user/session indirect object references.

INSECURE DIRECT OBJECT REFERENCES – CASE

STUDY

Root Cause: Direct access to objects, common in White Label” Sites.


Code Sample

<?php

include $_GET["header"];

echo "<h1>Payment Gateway</h1>\n";

include $_GET["footer"];

?>

INSECURE DIRECT OBJECT REFERENCES – CASE

STUDY

Analysis of the Vulnerability


A Fix – Map hostname to a numeric client identifier. <?php

clientid = hostclientmap($_SERVER[“http_host”]);

include “/” . $clientid . “/header”;

echo “<h1>Payment Gateway</h1>\n”;

include “/” . $clientid. “/footer”;

function hostclientmap($hostname) {

$result = mysql_query(“select clientid from client-hostname-mapping

where hostname=“’” . addslashes($hostname) . “’”);

if(!result) {

// return clientid=0 which is a warning to update the

clientid <-> hostname mapping.

$clientid=0;

} else {

$row=mysql_row();

$clientid = $row[“clientid”];

}

}

?>

INSECURE DIRECT OBJECT REFERENCES– CASE

STUDY

Threat Agent

Grouping: Discovered during testing.

Motivation: N/A

Business Impact

Vendor rework for compliance.

Damages Vendor’s credibility (hence reputation).

Claims of PCI DSS Compliance where able to be cast into doubt.

CROSS SITE REQUEST FORGERY

Overview

CROSS SITE REQUEST FORGERY - EXAMPLE

Analysis of the forgery

Visiting the “malicious” site may be incidental – e.g compromised ads, forums, etc.

CROSS SITE REQUEST FORGERY - EXAMPLE

Threat Agent

Grouping: Typically Organised Crime

Motivation: Fraud / Theft.

Business Impact

Damages Vendor’s reputation.

Increased losses from Fraud / Theft.

SECURITY MISCONFIGURATION

Overview

Prevention: System Hardening, System Maintenance.

SECURITY MISCONFIGURATION – CASE STUDY

Code Red Worm (July 13 2001).

“.ida” isapi extension left enabled.

“Indexing Service” – Largely unused.

System maintenance not conducted since June 18 2001


Code Red Worm


Threat Agent

Grouping: Self Promotion

Motivation: Infamy

eEye believed that the worm had the same original as the ILOVEYOU worm.

Business Impact

Disruption

Restoration costs to websites

INSECURE CRYPTOGRAPHIC STORAGE

Overview


Transactional Data was stored in a temporary table in clear text.


Threat Agent

Grouping: N/A

Motivation: N/A

Business Impact

Failure to meet contractual obligations

Increased compliance costs due to additional infrastructure falling “into scope”.

Remediation Costs

FAILURE TO RESTRICT URL ACCESS

Overview

Prevention:


Threat Agent

Grouping: N/A

Motivation: N/A

Business Impact

Possible Denial of Service, Data Sniffing.

Remediation Costs Options:

Immediate Fix:

2 hours x 200 devices = 4 weeks.

Approximately $40,000 to bring in a resource.

Delayed Fix and Counter Measures.

Action Taken:

Delayed fix with other maintenance.

Changed Passwords on other systems (4 hours).

Risk Acceptance by Management.

INSUFFICIENT TRANSPORT LAYER PROTECTION

Overview

Prevention: Require SSL for Sensitive Pages, Configure SSL to only use approved

algorithms.

INSUFFICIENT TRANSPORT LAYER PROTECTION –

CASE STUDY

Local Australian Bank.

Root Cause: Use of Deprecated Private Key Crypto.

SSL Uses both Public Key and Private Key Cryptography.

INSUFFICIENT TRANSPORT LAYER PROTECTION –

CASE STUDY

Public Key – Ok

2048 Bits

Meets recent key length

upgrade requirements.


Private Key Encryption – Use of Deprecated RC4.

Considered ineffective as early as 2009[1].

Not “approved” by NIST in SP800-131A

Not “approved” by DSD in the 2012 ISM.

PCI-DSS requires strong cryptography.

Apache Config changes are easy.

“SSLProtocol –all +SSLv2”

“SSLCipherSuite SSLv2:+HIGH”


Threat Agent

Grouping: N/A

Motivation: Obtaining of sensitive information.

Business Impact

Reputation

Damage to reputation.

Compliance:

Fails to meet compliance requirements for PCI-DSS (Req 3.4).

Costs:

Reconfigure equipment to use newer algorithms.

Possible upgrade costs to equipment for newer algorithms

UNVALIDATED REDIRECTS AND FORWARDS

Overview

Prevention

Don’t allow users to control redirects.

Very common with Central Authentication Systems.


Common with Central Authentication Systems.


Common with Central Authentication Systems


Threat Agent

Grouping: N/A

Motivation: N/A

Business Impact

Reduced Customer / Staff Confidence.

Remediation Costs

2010 / 2013 RC TOP 10 COMPARISON

2 0 1 0

1. Injection

2. Cross Site Scripting

3. Broken Authentication & Session Management

4. Insecure Direct Object References

5. Cross-Site Request Forgery (CSRF)

6. Security Misconfiguration

7. Insecure Cryptographic Storage

8. Failure to Restrict URL Access

9. Insufficient Transport Layer Protection

10. Unvalidated Redirects and Forwards

2 0 1 3 R E L E A S E C A N D I D A T E

1. Injection (NC)

2. Broken Authentication & Session Management (+1)

3. Cross-Site Scripting (XSS) (-1)

4. Insecure Direct Object References (NC)

5. Security Misconfiguration (+1)

6. Sensitive Data Exposure (+1 – Similar to 7)

7. Missing Function Level Access Control (+1 – Similar to 8)

8. Cross-Site Request Forgery (CSRF) (-3)

9. Using Components with Known Vulnerabilities (New)

10. Unvalidated Redirects and Forwards. (NC)

RECOMMENDATIONS

When Developing Web Applications

Ensure that you have an Application Security Program

Train (new) developers before projects (including updates)

Develop reusable architectures and code libraries

Build-in rather than retrofit

Take unintended / unwanted “users” into consideration

When Purchasing Web Applications Include appropriate security measures in the contract.

Consider remediation clauses.

Consider requiring support for dependant vendor updates.

If both cases: Assessing the level of compliance with these measures to understand the risk to your organisation is

vital.

Assessments should occur at multiple stages during and after development.

PRIZE

In the presentation iconic object from a James Bond film .

a) What is the object ?

b) Which James Bond film is it from ?

Reducing Web Application Vulnerabilities using OWASP€¦ · 2. Cross Site Scripting 3. Broken...

Documents

Transcript of Reducing Web Application Vulnerabilities using OWASP€¦ · 2. Cross Site Scripting 3. Broken...