Srv Www Data Sans Php Rr Papers 2053


7/27/2019 Srv Www Data Sans Php Rr Papers 2053

http://slidepdf.com/reader/full/srv-www-data-sans-php-rr-papers-2053 1/47


SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Web Based Attacks

Copyright SANS Institute

Author Retains Full Rights


Web Based Attacks

GCIA Gold Certification

Author: Justin Crist, jcrist@secureworks.com

Adviser: Jim Purcell


Abstract

Attacks upon information security infrastructures have continued to evolve steadily over time; legacy network based attacks have largely been replaced by more sophisticated web application based attacks. This paper will introduce and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the underlying application attack vectors and methods of mitigation after reading this paper.


Table of Contents

Abstract
Table of Contents
Introduction
What is a web based attack?
Who is at risk from Web Based Attacks
Three Aspects of a Web Based Attack
    Vulnerability Prevention
    Attack
    Attack Detection & Prevention
Prevention/Detection Methods
    Log Monitoring and Correlation Tools
    OSSIM: For detecting attacks
    Proprietary Detection/Prevention Tools
        Watchfire AppScan
    Open Source Prevention Tools
        Nikto
        WebScarab
Secure Coding
OWASP
    Top Ten Highlights
    SQL Injection Attack Example
    Unvalidated Input Example: XSS
Summary


Introduction:

Before discussing web application security or attacks it is vitally important to understand the evolution of web applications, their increasing complexity and the paramount importance that they play in over one billion peoples' lives today (Internet World Stats).

First generation web applications were severely limited in their ability to provide any more information than a brochure you might receive in the mail. Static HTML was provided as a tool to display pictures and inert information. Consequently, as the internet and web access became more and more ubiquitous, so too did the needs of those users who were accessing web applications. As a result web applications evolved to provide user conveniences such as searching, posting, and uploading.

CGI, the Common Gateway Interface protocol, was the first leap forward in this progression. CGI provided a means for users to interact with web pages by submitting data into forms. Upon submission, back end CGI scripts would process the submitted data and return HTML to the end user. Through this interaction with end users, CGI effectively became one of the first web application attack vectors known.

As mentioned earlier, web application development did not stop with CGI scripts; instead newer, more evolved frameworks manifested. PHP, ASP.NET, J2EE, AJAX, Ruby on Rails, and others emerged to incorporate more interactive features which allow users more flexibility and power when managing data and workflow within web applications.

Securing web applications has become incredibly important as the information processed by web applications has become critical to corporations, customers, organizations, and countries. Web applications manage a wide array of information including financial data, medical records, social security numbers, intellectual property and national security data. Web applications must handle this information securely while maintaining efficiency and availability.

What is a web based attack?

Web based attacks are considered by security experts to be the greatest and oftentimes the least understood of all risks related to confidentiality, availability, and integrity. (cite)

The purpose of a web based attack is significantly different from other attacks; in most traditional penetration testing exercises a network or host is the target of attack. Web based attacks focus on an application itself and function on layer 7 of the OSI model. John Pescatore of the Gartner group claims that nearly 70% of all attacks occur at the application layer (Desmond, 2004).

Application vulnerabilities could provide the means for malicious end users to breach a system's protection mechanisms, typically to take advantage of or gain access to private information or system resources. Information gathered can include social security numbers, dates of birth, and maiden names, which are all often used in identity theft. Another popular target for attackers is credit card data which, left unprotected and unencrypted, can be used to cause significant damage to organizations' most valued assets, their customers.

So what makes up an application attack? By definition, all web application attacks are comprised of at least one normal request or a modified request aimed at taking advantage of poor parameter checking or instruction spoofing. There are six fundamental categories of application attacks.

Spoofing:

Spoofing is the act of mimicking another user or process to perform a task or retrieve information that would normally not be allowed. An attacker could use a crafted HTTP request containing the session id information from another user and retrieve the targeted user's account information.
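From the defender's side, the trace a replayed session id leaves behind is the same session identifier being presented from a different client address or user agent shortly after its legitimate use. The following is an added example, not code from the paper, that scans constructed web access log lines for exactly that pattern; the log layout (combined format with a trailing `sid=` field), the field names and the ten-minute window are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log lines. The trailing "sid=" field is an
# assumed addition to the common combined log format.
SAMPLE_LOG = """\
203.0.113.10 - alice [10/Mar/2007:14:01:02 +0000] "GET /account HTTP/1.1" 200 512 "Mozilla/5.0 (Windows)" sid=ab12cd
203.0.113.10 - alice [10/Mar/2007:14:01:30 +0000] "GET /account/statement HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows)" sid=ab12cd
198.51.100.77 - - [10/Mar/2007:14:02:15 +0000] "GET /account/statement HTTP/1.1" 200 2048 "curl/7.15" sid=ab12cd
192.0.2.5 - bob [10/Mar/2007:14:03:00 +0000] "GET /account HTTP/1.1" 200 512 "Mozilla/5.0 (Linux)" sid=ef34gh
192.0.2.5 - bob [10/Mar/2007:15:30:00 +0000] "GET /account HTTP/1.1" 200 512 "Mozilla/5.0 (Linux)" sid=ef34gh
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_session_reuse(log_text, window=timedelta(minutes=10)):
    """Return one alert per request in which a session id is presented from
    a different IP or user agent than the one that first used it, within
    `window` of that first use."""
    first_seen = {}  # sid -> (timestamp, ip, user agent) of first use
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        sid = rec["sid"]
        if sid not in first_seen:
            first_seen[sid] = (rec["ts"], rec["ip"], rec["ua"])
            continue
        ts0, ip0, ua0 = first_seen[sid]
        changed = rec["ip"] != ip0 or rec["ua"] != ua0
        if changed and rec["ts"] - ts0 <= window:
            alerts.append({"sid": sid, "original_ip": ip0, "new_ip": rec["ip"],
                           "original_ua": ua0, "new_ua": rec["ua"],
                           "request": rec["req"]})
    return alerts

if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOG):
        print(f"ALERT session {a['sid']} first used by {a['original_ip']} "
              f"({a['original_ua']}), then by {a['new_ip']} ({a['new_ua']}) "
              f"for {a['request']}")
```

On the constructed input only session `ab12cd` is flagged: the third request presents it from a new address and client within two minutes of the first. Bob's later request keeps the same address and agent and is left alone. This is a heuristic, since legitimate users do change addresses; the preventive control the paper's later sections point toward is binding a session to its authentication event and issuing a fresh identifier on login.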

Repudiation:

In order to tie specific actions to a single user, applications must have reasonable repudiation controls such as web access, authentication, and database transaction logs. Without corroborating logs, online web application users could easily claim that they did not transfer equities from one account to an external account of another. Without proof otherwise, all online brokerages would be required to reimburse the client for lost funds. Aggregating and correlating logs from multiple sources (web application, middleware, and database) can prevent repudiation attacks.

Information Disclosure:

Information disclosure is one of the biggest threats to large organizations who maintain private information about their customer base. When attackers are capable of revealing private information about a user or users of a web site, consumer confidence in that organization can take drastic hits, causing loss in sales, stock price, and overall marketability. To prevent this, applications must require adequate controls which will prevent user ID and session manipulation.

Denial of Service:

Denial of service attacks are likely the most well known of all application attacks, often generated by malicious users, competitors or script kiddies. Motivations for this type of an attack range from personal to political reasons in hopes of stifling an organization's ability to field online business. Famous examples include attacks upon SCO a couple of years ago by individuals upset about lawsuits aimed at Linux.

Elevation of Privileges:

Authorization controls which are both reliable and staunch are requisite for any system or application which guards sensitive information. Escalation of privileges requires a malicious user to either already possess, or gain through unlawful methods, the authorization privileges of a regular user. Once the malicious user is logged into the victim system an attempt will be made to exploit an application through poor parameter checking or instruction spoofing.

Who is at risk from Web Based Attacks

All organizations which maintain a web presence are at risk of being attacked. However, the level of risk is different for each organization. A couple of factors that play into consideration when determining the threat level are intellectual property or personally identifiable information stored by the organization.

Intellectual property:

Intellectual property is a product of the intellect that has commercial value, including copyrighted property such as literary or artistic works, and ideational property, such as patents, appellations of origin, business methods, and industrial processes. Companies where success and reputation are built upon patents, research, and development are especially at risk. Great examples include pharmaceutical companies, chip fabricators and universities.

Personally Identifiable Information:

Nearly all organizations which interface with customers hold to some degree information which is considered to be sensitive. For attackers to perpetrate financial crimes or identity theft they need credit card numbers, phone numbers, addresses, health related information, and bank account numbers (Krebs, 2006). As such this information has become a commodity in underground IRC chat rooms.

Three Aspects of a Web Based Attack

Vulnerability Prevention:

The first step in a comprehensive application security framework starts with developers. Software architecture, just like building physical structures, requires sound planning and oversight, with an adherence to fundamental software development lifecycle methodologies. Many software developers carry the skills to properly proofread and locate vulnerabilities. However, as an insurance policy of sorts, exploitation detection tools are required to provide a standard level of error checking.

Attack:

For individuals interested in conducting an application based attack it is first necessary to understand and identify a target system. This first stage in an attack is commonly referred to as reconnaissance; reconnaissance can be performed using a variety of tools such as port scanners and vulnerability scanners. These scanners are often flexible enough to look for specific listening ports associated with suspected vulnerable applications. Application version detection can be performed by banner grabbing. Banner grabbing is the process of connecting to a host on a specific TCP/UDP port and listening to what the host replies with. Once a connection is established applications will commonly identify or provide version or build information relevant to the application that host is using. By grabbing banners attackers are quickly able to cross reference application versions, patch levels, and build information to online references which list vulnerable applications. In addition to online resources which list vulnerable applications, many freely available tools contain self contained and dynamically updating databases which perform application mapping to current vulnerabilities. A closer, in depth look at several of these will follow in a later section.
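The obvious counter to banner grabbing is to stop publishing version strings in the first place, and an administrator can audit that from the same vantage point an attacker has: the response headers. The block below is an added example, not from the paper, that parses a constructed HTTP response (embedded inline so it runs offline, with no network connection) and reports every product/version pair disclosed in the headers that usually carry banners; the sample header values, the header list and the version regex are assumptions.

```python
import re

# Constructed response headers, modelled on what a default web server
# install of the period might return. Embedded so the audit runs offline.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 10 Mar 2007 14:01:02 GMT\r\n"
    "Server: Apache/2.0.55 (Unix) PHP/4.4.1 mod_ssl/2.0.55\r\n"
    "X-Powered-By: PHP/4.4.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# The same response after banner reduction: product name only, no
# framework header at all.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 10 Mar 2007 14:01:02 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers that commonly carry product and version banners (assumed list).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# product/1.2.3 style tokens
VERSION_RE = re.compile(r"([A-Za-z_\-]+)/(\d+(?:\.\d+)+)")

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def banner_findings(raw):
    """Return (header, product, version) for every version string disclosed
    in a banner-carrying header."""
    _, headers = parse_headers(raw)
    findings = []
    for name in BANNER_HEADERS:
        if name in headers:
            for product, version in VERSION_RE.findall(headers[name]):
                findings.append((name, product, version))
    return findings

def is_hardened(raw):
    """True when no header discloses a product version."""
    return not banner_findings(raw)

if __name__ == "__main__":
    for hdr, product, version in banner_findings(SAMPLE_RESPONSE):
        print(f"{hdr}: discloses {product} {version}")
    print("hardened response leaks versions:", not is_hardened(HARDENED_RESPONSE))
```

The default response yields four findings (three from `Server`, one from `X-Powered-By`), each of which is a key an attacker could cross reference against a vulnerability list; the hardened response yields none. In Apache the reduction is done with `ServerTokens Prod` and `ServerSignature Off`, and PHP stops adding `X-Powered-By` with `expose_php = Off`; a banner audit like this one belongs in the build checklist so that a rebuilt host does not silently revert.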

Attack Detection & Prevention:

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are also used as detective and reactive devices for both network and application targeted attacks. They are commonly deployed within the demilitarized zones (DMZs) of corporate networks and either passively filter or actively block attacks targeted at application layer services. IDSs and IPSs both work at the network layer by listening to network traffic destined to protected systems for attacks against vulnerable services, data manipulation attacks on applications, privilege escalation on hosts, multiple failed unauthorized logins, and even access to sensitive data. Upon successful detection, IDS alerts are usually sent to a central console where action by an analyst can be taken. Intrusion Prevention Systems, upon detection of an attack, can drop the packets, send TCP resets to the offending IP or shun further connections by malicious attackers for a variable period of time. Some Intrusion Detection Systems have the ability to thwart offending attackers by communicating directly with a firewall or router to block the source IP address.

Reverse web proxies are one of many tools that can be used to not only detect, but protect an application server from unauthorized, malicious, or inappropriate calls, posts, or queries to online web applications, services and databases. A reverse web proxy works by intercepting traffic destined to a protected web application or service and then applies filters to detect malicious commands, bad syntax, inappropriate content, and the like. By standing in front of the web applications, this allows the web application to focus on legitimate requests.
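The filters a reverse proxy applies can be written as a positive model: each protected endpoint declares which parameters it accepts and what shape each must have, and anything else is refused before it reaches the application. The block below is an added example, not the paper's code, of such a filter over constructed request targets; the endpoints, parameter rules and sample requests are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive security model for the protected application. Each path lists
# the parameters it accepts and the exact shape of each value. The
# endpoints and rules here are constructed for the example.
POLICY = {
    "/account": {"id": re.compile(r"^\d{1,10}$")},
    "/search":  {"q": re.compile(r"^[\w \-]{1,64}$"),
                 "page": re.compile(r"^\d{1,3}$")},
}

def filter_request(target):
    """Decide for one request target (path plus query string).
    Returns (action, reason) where action is 'pass' or 'block'."""
    parts = urlsplit(target)
    rules = POLICY.get(parts.path)
    if rules is None:
        return "block", f"path {parts.path!r} not in policy"
    # parse_qsl percent-decodes once, which is what the backend will see;
    # the filter must validate the decoded value, not the wire form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = rules.get(name)
        if rule is None:
            return "block", f"unexpected parameter {name!r}"
        if not rule.match(value):
            return "block", f"parameter {name!r} failed validation"
    return "pass", "all parameters conform"

def verdicts(targets):
    """Run the filter over a batch and return {target: action}."""
    return {t: filter_request(t)[0] for t in targets}

# Constructed sample traffic: two legitimate requests, one with an
# ill-formed id, one with an undeclared parameter, one to an unknown path.
SAMPLES = [
    "/account?id=1234",
    "/account?id=12%3Bx",
    "/search?q=web%20attacks&page=2",
    "/search?q=web+attacks&debug=1",
    "/admin?x=1",
]

if __name__ == "__main__":
    for target in SAMPLES:
        action, reason = filter_request(target)
        print(f"{action:5} {target}  ({reason})")
```

Two of the five constructed requests pass and three are blocked, each with a reason the proxy can log. The design point is that the filter validates what the application will actually receive: it decodes the query once, the same way the backend does, so an encoded value cannot be judged in one form and consumed in another. An allow-list like this needs to be maintained alongside the application, which is the operational cost the paper's next paragraphs weigh against less precise, signature-based firewalls.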

Many firewalls sold in the marketplace today are application aware and as such understand many of the ubiquitous protocols and commands. In understanding these protocols and applications they are able to ascertain whether or not traffic destined for an application or network based service is malicious. Common applications include telnet, SSH, HTTP, FTP, SMTP and SIP. When tuned properly these firewalls are capable of thwarting many common attacks waged against vulnerable applications or protocols. Upon inspection of malicious payloads or commands sent to an application, these advanced firewalls will usually offer the ability to drop malicious packets, enact temporary or permanent filters against all traffic from the offending IP, or send an alert to security personnel so that further action can be taken.


Prevention/Detection Methods

Many methodologies exist, and there is never one right solution or architecture for all environments. As previously discussed, there are more passive methods which include Intrusion Detection Systems (IDS). IDS systems simply alert on seemingly offensive traffic which is destined towards a protected asset or application. On the opposite end of the spectrum there are more preventative methods which include application-aware firewalls, reverse proxies, and Intrusion Detection and Prevention (IDP) which not only actively monitor for attacks but attempt to block or change the environment such that further attacks are not successful in reaching the protected application or system.

For environments which contain known off the shelf applications which are using common protocols such as FTP, HTTP, HTTPS, SMTP, and others, IDP can be very effective in protecting assets in a reactive fashion. For those larger environments which contain home grown applications, oddly configured application and service ports, or systems which do not follow RFC standards when communicating, IDS may be a more intelligent solution.

The reason is simple; IDP solutions typically block malicious traffic, or traffic which does not adhere to RFC standards. RFC standards, or Requests for Comments, are rules commissioned by the IETF which dictate proper communication methods and practices for nearly all well known protocols in use on the internet today. Many third party or home grown applications are built with one purpose in mind: to work. The adherence of a particular application or service to an RFC standard is very rarely a priority for application developers. As such, applications, especially legacy applications, are often put together in a hasty fashion with little regard to how they may or may not be affected by a security device such as IDP. It should be understood that IDP has only been around for a couple of years and is still a maturing technology.
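The IDS-versus-IDP decision in the two paragraphs above comes down to what a protocol conformance check does with a request that is sloppy but harmless. The block below is an added example, not from the paper, of a small HTTP request validator run in a detect mode (alert and pass, as an IDS would) and a prevent mode (block, as an IDP would) over three constructed requests: one conformant, one from an assumed home grown client that gets the method case and a header separator wrong, and one with an oversized request target. The token grammar follows the HTTP RFCs; the method list, version set, length cap and sample requests are assumptions.

```python
import re

# RFC token characters (tchar) as used for method names and header names.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE_RE = re.compile(rf"^({TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
HEADER_RE = re.compile(rf"^({TOKEN}):[ \t]*(.*)$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
SUPPORTED_VERSIONS = {("1", "0"), ("1", "1")}
MAX_TARGET_LEN = 2048  # assumed operational cap, not an RFC limit

def validate_request(raw):
    """Return the list of conformance problems found in a raw request
    head (empty when the request is acceptable)."""
    problems = []
    if "\n" in raw.replace("\r\n", ""):
        problems.append("bare LF line ending (RFC requires CRLF)")
    lines = raw.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        problems.append(f"malformed request line: {lines[0]!r}")
        return problems
    method, target, major, minor = m.groups()
    if method not in KNOWN_METHODS:
        problems.append(f"unknown method {method!r} (methods are case-sensitive)")
    if (major, minor) not in SUPPORTED_VERSIONS:
        problems.append(f"unsupported version HTTP/{major}.{minor}")
    if len(target) > MAX_TARGET_LEN:
        problems.append("request-target exceeds length cap")
    for header in lines[1:]:
        if header == "":          # blank line ends the header block
            break
        if not HEADER_RE.match(header):
            problems.append(f"malformed header line: {header!r}")
    return problems

def inspect(raw, mode="detect"):
    """IDS-style 'detect' records problems and passes the request on;
    IDP-style 'prevent' blocks on any problem. Returns (action, problems)."""
    problems = validate_request(raw)
    if problems and mode == "prevent":
        return "block", problems
    return "pass", problems

# Constructed requests.
CONFORMANT = "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
# Assumed legacy in-house client: lowercase method, missing ':' after Host.
HOMEGROWN = "get /status HTTP/1.1\r\nHost app.example\r\n\r\n"
OVERLONG = "GET /" + "A" * 3000 + " HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("conformant", CONFORMANT), ("homegrown", HOMEGROWN),
                      ("overlong", OVERLONG)):
        for mode in ("detect", "prevent"):
            action, problems = inspect(req, mode)
            print(f"{name:10} {mode:7} -> {action:5} {problems}")
```

In detect mode the home grown client's request is passed with two problems recorded for an analyst; in prevent mode the same request is blocked, which is the outage scenario the paper warns about for environments full of non-conformant applications. The oversized request is blocked in prevent mode either way. Running a new IDP in detect mode first, and reviewing what it would have blocked, is the practical way to find those applications before the device is switched to prevent.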

Additionally, log analysis on critical files which are used by both applications and their underlying systems can provide good indications as to when an intrusion or unsuccessful penetration has occurred. There are a variety of both open source and proprietary tools which offer the ability to monitor key configuration files (integrity checkers) and log files (log correlation and monitoring tools). We will discuss examples of each of these in the next section.

Log Monitoring and Correlation Tools:

Gartner has identified SIEMs, or Security Information and Event Managers, as a means to provide "real-time event management and historical analysis of security data from a wide set of heterogeneous sources" (Gartner, 2005).

In larger organizations which often feature a multitude of servers spread across different geographies, log analysis and review becomes increasingly difficult and laborsome. "This stream of events and alerts—Gartner estimates that the systems in companies with more than 1000 users generate over 200 security 'events' per second—is enough to overwhelm any IT department", notes Jason Halloway of ExaProtect (Halloway, ExaProtect).

In this example, if an administrator or security minded engineer wishes to proactively review the logs of his or her managed systems a number of steps must ensue.

1. It would be necessary to remotely login to these systems one at a time.

2. Filter log files for interesting events.

3. Match these 'interesting' events with other similar events on other managed systems.

This process was identified as far too time consuming, tedious, and prone to errors or mistakes. With this problem came the advent of log monitoring and correlation tools which serve to filter and match a log event on one device or application to a complementary or similar event on another system. Being privy to the logs or events which are occurring on different systems can lead to more intelligent decisions about the source of an attack, a misconfiguration of an application or system, or even an internal user who wishes to cause harm.
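The correlation the paragraph above describes is the same thing the Repudiation section asked for earlier: a web access log, an application log and a database transaction log, aggregated and matched so that a single user action is backed by evidence from every tier. The block below is an added example, not from the paper, that automates steps 2 and 3 of the manual process over constructed excerpts from those three sources (step 1, collecting the files, is assumed done). The log layouts and the `txid=` field that ties the tiers together are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed log excerpts from three systems. The shared "txid=" field
# is an assumed correlation key carried through every tier.
WEB_LOG = """\
2007-03-10T14:05:01Z web01 203.0.113.10 user=alice "POST /transfer HTTP/1.1" 302 txid=T1001
2007-03-10T14:06:40Z web01 203.0.113.10 user=alice "GET /account HTTP/1.1" 200 txid=T1002
"""
APP_LOG = """\
2007-03-10T14:05:01Z app01 INFO transfer requested txid=T1001 from=ACC-1 to=ACC-9 amount=2500
2007-03-10T14:09:12Z app01 INFO transfer requested txid=T1003 from=ACC-1 to=ACC-7 amount=900
"""
DB_LOG = """\
2007-03-10T14:05:02Z db01 COMMIT txid=T1001 table=transfers rows=1
2007-03-10T14:09:12Z db01 COMMIT txid=T1003 table=transfers rows=1
2007-03-10T14:11:30Z db01 COMMIT txid=T1004 table=transfers rows=1
"""

TXID_RE = re.compile(r"\btxid=(\S+)")
TS_HOST_RE = re.compile(r"^(\S+) (\S+) ")

def index_by_txid(log_text, source):
    """Step 2: filter one system's log down to the interesting events and
    key them by transaction id. Returns {txid: [event, ...]}."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = TXID_RE.search(line)
        if not m:
            continue
        ts, host = TS_HOST_RE.match(line).groups()
        out[m.group(1)].append({"source": source, "ts": ts, "host": host, "line": line})
    return out

def correlate(*indexed):
    """Step 3: match events across systems. Returns {txid: {source: events}}."""
    chains = defaultdict(dict)
    for idx in indexed:
        for txid, events in idx.items():
            chains[txid][events[0]["source"]] = events
    return chains

def audit(chains, required=("web", "app", "db")):
    """Classify each transaction. A 'complete' chain carries evidence from
    every tier, which is what defeats a repudiation claim; a database write
    with no web tier record is one that no authenticated request explains."""
    verdicts = {}
    for txid, by_source in chains.items():
        missing = [s for s in required if s not in by_source]
        if not missing:
            verdicts[txid] = "complete"
        elif "web" in missing and "db" in by_source:
            verdicts[txid] = "db-write-without-request"
        else:
            verdicts[txid] = "partial:" + ",".join(missing)
    return verdicts

def actor_for(chains, txid):
    """Return the authenticated user recorded at the web tier, if any."""
    for ev in chains.get(txid, {}).get("web", []):
        m = re.search(r"user=(\S+)", ev["line"])
        if m:
            return m.group(1)
    return None

if __name__ == "__main__":
    chains = correlate(index_by_txid(WEB_LOG, "web"),
                       index_by_txid(APP_LOG, "app"),
                       index_by_txid(DB_LOG, "db"))
    for txid, verdict in sorted(audit(chains).items()):
        print(txid, verdict, "actor=" + str(actor_for(chains, txid)))
```

On the constructed input, transfer T1001 is fully corroborated and attributed to alice, which is the evidence a brokerage would need against a claim that the transfer never happened. T1003 and T1004 are commits on the transfers table with no web request behind them; that is either a misconfiguration (an unlogged path into the application) or an insider acting below the web tier, and both are exactly the cases the paragraph above says correlation is meant to surface. The example keys on a transaction id; real deployments without one fall back to matching on time window, host and user, which is noisier and is why a SIEM's normalization layer matters.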

SIEM solutions are prevalent and there are a number of both proprietary and open source alternatives available. ArcSight, netForensics, Sentinel, and Intellitactics are but a few proprietary solutions that are available (Gartner, 2006). Open source solutions are also attractive for smaller businesses that may not have the budget for proprietary solutions, which oftentimes offer better scale and more robust support. OSSIM, or the Open Source Security Information Management tool, is a popular choice amongst the open source community. It offers many of the features of proprietary solutions without the high cost and licensing fees. A few screen shots have been added below.


Here we can see signature matches by source address, destination, etc. These can be sorted by the various columns and can help security analysts determine common denominators in an attack.


This screenshot shows the actual packet broken down into the different layers of the TCP/IP stack. This will be helpful in analyzing IDS signatures of valid attacks and even misconfigurations in applications and systems.

All screenshots were taken from www.ossim.net.

OSSIM: For detecting attacks

The larger a given organization's infrastructure the more difficult it becomes to be proactive about detecting attacks before they can burgeon into wide scale problems. The reasons are numerous but can be narrowed to the following:

Systems are often distributed across disparate networks in different parts of a business unit, country, and even continent. Diverse organizations, teams, and business units with different attitudes manage these disparate networks. As a result patching, build procedures, network security, and general security best practices can take a back seat to other revenue generating activities.

Oftentimes different configuration standards and policies may be the result of regulatory requirements, government restrictions, and government supported export restrictions. It quickly becomes obvious that security analysts are faced with a staggering task. In order to perform the job successfully security analysts are required to understand a network topology that may span a multitude of countries. Achieving this thorough understanding of the lay of the land is often much easier said than done.

To assist, SIM packages coupled with network reconnaissance tools are often used to map out network topologies. OSSIM is an open source Security Information Manager that includes Nessus, a very popular and freely available vulnerability scanner, and Nmap, often considered to be one of the best available network mapping tools. Both Nessus and Nmap possess the ability to map network spaces. Network probing and the different methods of network discovery are beyond the scope of this paper. To comprehend the forthcoming example it is only necessary to understand that Nmap allows a security analyst to scan networks and visually map these networks. These pictures or visualizations allow security analysts to understand the inner workings of their mapped networks. Without these maps, learning curves are significantly steeper, and often breed unnecessary confusion amongst security analysts responsible for the network, network users, and network administrators. A layman can think of a network map as a street map. Street maps encourage common understanding by those that use the roads and those that provide directions.

For this particular example we will be using Nmap and Nessus. First, Nmap is initiated to probe IP address space which is owned by the parent organization of the security analyst. The results of this scan will yield all listening devices with a TCP/IP stack that are responsive to a variety of ICMP, TCP, and UDP sweeps.

Following the successful run of Nmap, a Nessus scan is initiated from within OSSIM against the previously discovered network hosts to look for vulnerabilities. After scanning is completed, a list of known vulnerabilities of the scanned hosts is stored within the OSSIM database.

Nessus sample output for one host has been displayed below.


Because there are nearly always going to be emerging threats and unpatched vulnerabilities, it is necessary to create a risk rating. OSSIM uses the following methodology to quantify risk. This is important for the security analyst to understand. These quantifications of risk allow an analyst to prioritize his or her attention towards the most burning issues.

Risk = (Asset * Priority * Reliability)/10

Where:

Asset (0-5)
Priority (0-5)
Reliability (0-5)

The computed risk rating will always be between 0 and 10.

Asset Value

In determining asset values, the asset owner or data owner is generally responsible for classifying this for the security analyst. This step should not be overlooked as it enables security analysts to have an understanding of criticality amongst the various network hosts. Based upon this feedback an asset can be tagged with a value from 0-5. Customer data, intellectual property and the like might be tagged with a 4 or 5, while the system that stores the lunch menu for the cafeteria may receive a lower score, 0. These numerical values help an organization prioritize their security efforts, DR, and other contingency plans.


Priority/Threat

Priority or threat refers to the significance of a particular attack on a managed asset. In other words, what might be the disruption to my environment in the event that a particular vulnerability is being exposed? OSSIM is able to make decisions regarding priority relative to the environment that is under attack.

A common scenario in which OSSIM is able to help is described below.

A Microsoft Windows targeted virus, Code Red, has infiltrated the corporate network from the internet. Snort, a popular open source Intrusion Detection System, is able to detect that Code Red, an IIS targeted worm, is running rampant on the DMZ. Due to the sheer number of hosts that are found within the DMZ a security analyst can quickly find herself in a tenuous position of not knowing which hosts to protect first. Though no security analyst should condone the spreading of worms in their network, it is safe to say that Windows IIS vulnerabilities will have little to no effect on a UNIX or Linux based server. At the same time as this Code Red attack is taking place against a UNIX server farm it also has the ability to spread to the corporate intranet subnet, which does contain unpatched Windows servers running IIS. Applying higher priorities for this behavior in a Windows environment allows a security analyst to respond more appropriately, often decreasing the time to remediation.

To properly prioritize, OSSIM provides a method to rank threat levels. We will dive deeper into these directives in a subsequent section.


Reliability

Reliability speaks specifically to the likelihood that an alert which is logged by OSSIM is worthy of an alarm. An alert is simply any event that is logged from one of the many devices which log to OSSIM. This could be a log received from a router, firewall, or host on the network. Reliability starts to take into account patterns and characteristics in the events that are being logged. For example, if a Windows workstation connects to an average of 20-30 hosts on TCP 135 during a given hour this might be considered normal based upon the duties of this Windows host. However, if this same system begins to connect to 400-600 hosts in a half hour it is reasonable to suspect the presence of a misconfiguration or even perhaps the presence of a compromised host.

Reliability of an alarm speaks to the likelihood that the alarm is accurately depicting a certain scenario which more times than not needs to be acted upon.

Alarms within OSSIM can be triggered after a certain number of like events have been received. Coupled with their asset values and priorities, a risk rating can be computed.

Power of Correlation

As mentioned before, directives are used within OSSIM. Directives are in essence rules or formulas which are used to calculate the potential classification or meaning of a series of received alerts.

For those familiar with Cisco based ACLs, directives have a somewhat similar nomenclature which uses numbers as identifiers.

- Generic ossim: 1-2999


- Attack correlation: 3000-5999
- Virus & Worms: 6000-8999
- Web attack correlation: 9000-11999
- DoS: 12000-14999
- Portscan/scan: 15000-17999
- Behaviour anomalies: 18000-20999
- Network abuse & error: 21000-23999
- Trojans: 24000-26999
- Miscellaneous: 27000-34999

Directives all start with an initial rule that attempts to match the directive and begin the event correlation. For example, take the example above where a Windows host connects to 400 Windows systems on port 135. We will illustrate this with a detector rule.

<rule type="detector" name="Potentially Suspicious"
      reliability="1" occurrence="500" from="ANY" to="ANY"
      port_to="135,137,139,445" plugin_id="50051" plugin_sid="ANY"
      time_out="360">

For this particular rule we match against anything going to a standard Windows port which exceeds 500 occurrences or connections in a one hour time span.
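The following Python, an example added here and not code from the paper or from the OSSIM project, models the risk formula from the earlier section together with this detector rule: it counts distinct destination hosts per source on the rule's Windows ports inside a sliding window and scores each match with Risk = (Asset * Priority * Reliability)/10. The log line format, addresses and events are constructed, and clamping the score to 10 is an assumption noted in the code.

```python
"""OSSIM-style risk scoring and occurrence-based correlation.

Added example, not code from the paper or from the OSSIM project. It models
the paper's Risk = (Asset * Priority * Reliability) / 10 formula and its
"Potentially Suspicious" detector rule (500 connections to Windows ports
135/137/139/445 from one source inside a time window). The log line format,
addresses and events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the paper's rule: port_to="135,137,139,445"
WINDOWS_PORTS = {135, 137, 139, 445}


def risk_score(asset, priority, reliability):
    """Risk = (Asset * Priority * Reliability) / 10, each input on 0-5.

    The paper states the result lies between 0 and 10, but with all three
    inputs at 5 the raw product is 12.5; clamping to 10 is an assumption of
    this example, not something the paper specifies.
    """
    for name, value in (("asset", asset), ("priority", priority),
                        ("reliability", reliability)):
        if not 0 <= value <= 5:
            raise ValueError(f"{name} must be in 0..5, got {value}")
    return min(10.0, asset * priority * reliability / 10)


def parse_event(line):
    """Constructed line format: '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>'."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def correlate(lines, occurrence=500, window=timedelta(hours=1),
              ports=WINDOWS_PORTS):
    """Detector-rule analogue: fire once per source whose distinct destination
    hosts on the watched ports reach `occurrence` within a sliding `window`
    (the paper's narrative counts hosts; its rule counts occurrences).
    Returns {src_ip: timestamp of the event that completed the match}.
    """
    recent = defaultdict(list)      # src -> [(timestamp, dst_ip)] in window
    matched = {}
    for line in lines:
        ts, src, dst_ip, port = parse_event(line)
        if port not in ports or src in matched:
            continue
        cutoff = ts - window
        events = [(t, d) for t, d in recent[src] if t >= cutoff]
        events.append((ts, dst_ip))
        recent[src] = events
        if len({d for _, d in events}) >= occurrence:
            matched[src] = ts
    return matched


def build_sample(src, n_hosts, start=None, spacing_seconds=5):
    """Constructed events: `src` touches n_hosts distinct 10.0.x.y hosts on
    TCP 135, one every spacing_seconds, starting at `start`."""
    start = start or datetime(2007, 5, 1, 9, 0, 0)
    lines = []
    for i in range(n_hosts):
        ts = start + timedelta(seconds=i * spacing_seconds)
        lines.append(f"{ts.isoformat()} {src} -> 10.0.{i // 250}.{i % 250 + 1}:135")
    return lines


def demo():
    """Baseline workstation (25 hosts in an hour) next to a suspect host
    (600 hosts in 30 minutes); a match is scored with asset 4, priority 4
    and the rule's reliability of 1."""
    start = datetime(2007, 5, 1, 9, 0, 0)
    normal = build_sample("192.168.1.10", 25, start, spacing_seconds=120)
    suspect = build_sample("192.168.1.77", 600, start, spacing_seconds=3)
    alarms = correlate(normal + suspect)
    return {src: risk_score(4, 4, 1) for src in alarms}


if __name__ == "__main__":
    print(demo())   # {'192.168.1.77': 1.6}
```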

Detector rules are rules that are received from agents which are recording to OSSIM. Examples may include Apache, Snort, FW-1, etc. The power of OSSIM and correlation is the ability to receive information from disparate sources to arrive at a deeper conclusion or understanding of what is occurring in a network.

Below we have broken down the major categories within a directive.

Name field simply represents the proper name of the directive.


Reliability is based upon the likelihood that this event is noteworthy. Again the scale of 0 – 5 is used.

Occurrence indicates how many times a particular event will have to occur before the directive is matched.

From indicates the source of the event.

To indicates the destination of the event.

Ports_to indicates the source port of the event. Ports_from is not listed here but can be defined for source port matching.

Events which occur by themselves oftentimes are not particularly noteworthy; however, when multiple sources are recording similar behaviors which differ from the norm, OSSIM is able to alert security analysts to this potentially interesting activity. The power that correlation can offer a security analyst should not be underestimated.

The following screen shot shows the structure visually of a directive that is built within OSSIM.


Below you will find a screen shot taken from OSSIM.net which indicates the likelihood of a Windows worm. Notice the correlation level, risk rating, and alarm.


Similarly the following screens can be used to corroborate any alarms which may be sent. Analysts have the ability to determine through this snapshot which hosts are responsible for sending and receiving the majority of the network traffic. Other screens indicate the timing of network usage. This information by itself may not be particularly telling; however, with the use of the previous screen, certain hypotheses begin to take hold.


The following diagram indicates load at particular times of the day on a network. These diagrams can indicate network abuse, misconfigurations, worms, or even normal use. These data points can be trended over time and compared to previous days/months for patterns.

Proprietary Detection/Prevention Tools:

There are many schools of thought when it comes to deciding between a capable open source tool and a proprietary tool. Regardless of your stance there are many proven tools that offer both commercial support and support from the open source community. Below we will highlight a few of these.

Watchfire AppScan

Whilst the majority of application scanning tools offer the ability to scan for coding vulnerabilities after an application


has been built, Watchfire's AppScan distinguishes itself in that it can be used throughout the software development lifecycle. It is not limited to use after an application has been completely built. The ability to leverage AppScan during the development lifecycle enables security conscious developers to fix security issues earlier in development, thus saving considerable post-fix dollars.

Some of the more common checks that AppScan performs include cross site scripting, privilege escalation, session state monitoring, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, and buffer overflows. What differentiates AppScan from many of the other proprietary and open source tools available is the wide variety of useful reports that are generated. Within the AppScan tool remediation reports, executive dashboards, and compliance reporting are all offered. These features are increasingly valuable for larger, more risk averse organizations which are subject to compliance, privacy, and regulatory standards.

AppScan is provided as a Windows based GUI which has been intuitively laid out. A logical directory structure is laid out from left to right. Issues, Remediation, and Application data adorn the left side and are the featured main categories. From left to right the user may drill down successively.

Figure 1: AppScan

Figure 2: AppScan


WebInspect

WebInspect is another extremely popular web application scanner amongst many security professionals. WebInspect application security assessment tools allow for the identification of known and unknown vulnerabilities. WebInspect can also check to ensure that a web application is secured properly, attempt common web attacks such as parameter substitution/injection, cross site scripting, directory traversal attacks, and much more.

WebInspect features a similar user interface to the one featured in AppScan. However, it does offer the ability to interact with the reporting tools in real time as scans are being performed. Interactive reports are also available which allow for drilling down into particular areas of concern.

Figure 3: WebInspect

Popular and useful pre-bundled tools are favorites with WebInspect. Amongst the offered tools are:


•  A Cookie Cruncher which allows a security practitioner to assess the strength of the cookies used in browsing sessions.

•  An SPI Proxy allows the security assessor to view each and every browser request and server response.

•  WebBrute allows for brute forcing login forms.

•  WebDiscovery allows for scanning of web services and correlates them to specific ports for later investigation.

Both of these tools have been extremely popular amongst both security consulting firms and software development houses which provide web presence software. As for which one to use, both companies offer a free trial.

Open Source Prevention Tools:

Nikto

Nikto is arguably the most popular web server scanner available in the open source community. Comprehensively scanning for over 3250 known dangerous files on as many as 600 servers, Nikto has its name firmly embedded amongst many seasoned security professionals as one of the premier web vulnerability scanners.

Nikto is a command line driven tool which features a wide variety of options including anti-IDS or evasion scanning tactics. These are helpful when testing IDS deployments for attack signatures and IDS responses.

As with the proprietary tools mentioned earlier, Nikto can be used as a preventative tool which can tip off developers to insecure configurations before critical web services are


published to the World Wide Web or even to extranet partners. Nikto signature updates are similar to those featured in many popular antivirus tools; however, they are updated by the open source community.

Figure 4: Nikto

WebScarab

WebScarab is a Java application which has been published by the OWASP project, an open source led community which we will speak about in depth later. The WebScarab framework is often used to dissect applications which communicate over HTTP or HTTPS. Typical uses include locating, identifying, and altering posts and requests made by a web browser before they are sent off to a web server. These options allow a user to slow down the communication between a web client and server so that requests and responses can be analyzed properly. Oftentimes


during this analysis the improper handling of credentials, logins, cookies, etc. is discovered, thus allowing a user to subvert the security controls inherent within the web applications being analyzed. WebScarab is most commonly used by application developers who wish to more completely secure the web applications they are serving.

WebScarab features are plentiful; however, the most commonly used include:

•  Proxy: Able to observe both encrypted (HTTPS) and unencrypted traffic (HTTP). Encrypted traffic is viewed by establishing a second SSL tunnel between the proxy and the application web server.

•  SessionID Analysis: a variety of cookies can be captured and analyzed to visually determine the randomness and unpredictability which should be inherent in all cookie generation.

•  Manual Request: Editing and replay of previous requests to web applications can be viewed and manipulated.

•  Reveal Hidden Fields: WebScarab allows a user to view hidden fields within the web presentation fields for manipulation, deletion, or reconnaissance.

•  Spider: Allows for analysis on the web application which may reveal additional links that are not known initially.

•  Beanshell: This is a feature which allows for the scripting of arbitrary Java code on requests and/or responses received by the web client or server.


Figure 5: WebScarab: Editing of web post

Figure 6: WebScarab: Directory structure view of webpage

Secure Coding

Awareness of the importance of web application security has jumped significantly in just a few years… 93 percent felt that secure application development was more of a priority now than three years ago (Symantec, 2006).


“Security training is at the heart of writing good code”, writes John Heimann of Oracle (Heimann, 2006). For organizations that make internet connected systems available to the public for use, security training is a must have and is often overlooked in many developers' backgrounds. “It’s an unfortunate fact that most developers are not required to learn secure coding practices in school”, noted Heimann. Too often within academia and within the corporate world the focus in educating developers is on creating efficient bug free code. Security checks are optional at best and are rarely considered.

References to secure coding methodologies and practices can be found here:

http://www.microsoft.com/uk/msdn/security/developer_security.mspx

As an example, most programmers would consider the implementation of a specific check on the length of web form input to be unnecessary and wasteful of valuable CPU cycles. Unfortunately for every programmer out there that is unaware of secure coding practices there are hackers out there that are not only aware but capable of searching for and taking advantage of these loopholes left behind by developers.

OWASP

The Open Web Application Security Project, commonly referred to as OWASP, is an open source project dedicated to the discovery and fighting of insecure software (Wikipedia).

The open source OWASP community is made up of corporations, educational entities, and developers and security practitioners located on all seven continents. They are best known for their creation of articles, methodologies, documentation, and tools


which are all freely available for use in the development and testing of secure application code (OWASP, 2007).

Some of the notable tools that OWASP has produced include WebGoat, a web application penetration testing environment, WebScarab, mentioned earlier, and the OWASP .NET tools set. Most famously though, OWASP is responsible for producing the OWASP Top Ten, which is an application security awareness document. In the next section we will highlight the Top Ten, and the vulnerabilities most often found within web applications.

OWASP – Top Ten

The OWASP Top Ten is often considered the de facto standard when looking at many audit controls and security firms responsible for assessing code.

Specifically PCI, or the payment card industry security standard, a standard enforced jointly between American Express, Visa, MasterCard, and JCB, requires organizations which store or process credit card data to implement secure coding procedures within their SDLC.

This requirement ensures that all web applications developed in house are securely coded and reviewed for the following vulnerabilities (PCI and Data Security Compliance, 2007).

Top Ten Highlights

Before getting into a few specific types of attack we will dive into some of the more prominent top ten vulnerabilities from a higher level. It is important to understand the breadth of attacks that are covered by the top ten to truly understand its value amongst the development community.


Unvalidated Input:

Unvalidated input is defined as any information received via web requests which is not validated before being used by a web application.

Commonly attackers target these vulnerabilities to attack backend components through a web application. Usual targets include the web application layer itself, the underlying OS that supports the web application, and backend databases which often contain sensitive customer information, credit cards, social security numbers, and intellectual property.

Examples of unvalidated input include cross site scripting attacks, buffer overflows, and injection flaws.

Buffer overflows are also common areas of concern when writing secure applications. Exploiting buffer overflows simply requires an attacker to identify fields in a vulnerable application which do not perform bounds checking. Writing outside the bounds of a memory block can corrupt data, crash the program, and even crash the entire operating system, subjecting an organization to unnecessary downtime.

Broken Access Control:

Another commonly overlooked vulnerability when creating web applications is broken access control. Access is granted to specific authorized users of web applications to perform a specific function based upon their need and the general role that they serve. Broken access control vulnerabilities provide a means for malicious users to escalate privileges beyond their intended permissions. This flaw may allow for the unauthorized viewing of other users' accounts, the viewing of sensitive configuration files, or escalation to that of a root user.


Broken Authentication and Session Management

In the realm of online banking the sanctity of the user authorization/authentication component is paramount to both the customers' and the bank's well being and reputation. Without a tested and proven safe authentication model customers are unlikely to use online banking, something that saves banks significant amounts of money annually (Lee, 2001).

Authentication and session management relate to the direct processing of user, application, or system authentication and the subsequent need to manage these active sessions. Without reliable authentication, trust is lost and accountability escapes the process.

Authentication methods with web applications nearly always involve a username and password. Because of this it is vitally important to ensure that these credentials are not easily accessible. Features such as password resets and forgotten usernames should all be protected and require authentication via a password hint, mother's middle name, or some other authentication method.

Commonly overlooked areas of weakness within web applications include:

1.  Password Strength – ensure that PAM modules or like enforcement is used within the application. Dictionary word attacks are common amongst web applications, and unless complexity is enforced authentication mechanisms are

2.  Password Use – Too many failed authentication requests in a given period of time should lock or freeze an account for a given period of time.


3.  Password Change Controls – When changing a password users should be required to provide both the old and new password before being able to change a password. Use of email as a confirmation of a password change is another enforcement mechanism which will often alert an unsuspecting user to someone tampering with their login information.

4.  Browser caching – Neither authentication nor session data should be presented in retrieval requests from web servers. In addition, cache options within a web application may allow a browser to store cookies. This can be dangerous for computers which are accessible from internet cafes, libraries, and other publicly accessible terminals. Caching of cookies could allow another unauthorized user to pose as another user through cookie/session id manipulation.
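As an added example, not code from the paper, the following Python implements items 1 through 3 of the list above: complexity enforcement at account creation, a lockout after too many failed logins within a window, and a password change that requires the old password. The thresholds, the in-memory store and the sample accounts are constructed for this example.

```python
"""Password and account-lockout controls (added example).

Not code from the paper; it implements items 1-3 of the paper's list:
complexity enforcement, lockout after too many failed logins inside a
window, and a password change that requires the old password. Thresholds,
the in-memory store and any sample accounts are constructed.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12
MAX_FAILURES = 5            # failed attempts allowed ...
FAILURE_WINDOW = 15 * 60    # ... within this many seconds
LOCKOUT_SECONDS = 30 * 60   # account frozen for this long after the limit


def password_ok(password):
    """Item 1: minimum length plus three of four character classes.
    A dictionary-word check (the paper's stated concern) would sit here too."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so tests can advance time
        self.accounts = {}      # user -> {salt, digest, failures, locked_until}

    def create(self, user, password):
        if not password_ok(password):
            raise ValueError("password does not meet the complexity policy")
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "digest": digest,
                               "failures": [], "locked_until": 0.0}

    def _verify(self, acct, password):
        _, digest = hash_password(password, acct["salt"])
        return hmac.compare_digest(digest, acct["digest"])

    def login(self, user, password):
        """Item 2: returns 'ok', 'locked' or 'bad'. Failures are counted
        inside FAILURE_WINDOW; reaching MAX_FAILURES freezes the account."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None:
            return "bad"        # same answer as a wrong password: no enumeration
        if now < acct["locked_until"]:
            return "locked"     # even a correct password is refused while frozen
        if self._verify(acct, password):
            acct["failures"].clear()
            return "ok"
        acct["failures"] = [t for t in acct["failures"] if now - t < FAILURE_WINDOW]
        acct["failures"].append(now)
        if len(acct["failures"]) >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"].clear()
            return "locked"
        return "bad"

    def change_password(self, user, old, new):
        """Item 3: both the old and the new password are required."""
        acct = self.accounts.get(user)
        if acct is None or not self._verify(acct, old):
            return False
        if not password_ok(new) or old == new:
            return False
        acct["salt"], acct["digest"] = hash_password(new)
        return True
```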

Injection Flaws

Injection flaws are used to subvert the required authentication and authorization process to an operating system, application, or other service. Malicious users can take advantage of weaknesses in applications which fail to filter client based commands and make system calls, use external applications such as netcat and ssh, and even run entire scripts. These weaknesses can be present any time an interpreter is used within a web application; as such, code must be reviewed before pushing out to production systems.

SQL injection flaws are some of the most popular attack vectors for hackers as they can often reveal enormous amounts of sensitive data. Customer information, credit card numbers,


employee information, social security numbers, and other sensitive information.

SQL Injection Attack Example

As previously mentioned, SQL injection attacks can occur when user input on the client side is not filtered properly. Escape characters are maliciously used to break away from the current command and initiate a new listening state on the underlying web application. Once the web application is in a new listening state a new, oftentimes unauthorized, SQL query against a back end database can be performed. Table views, dropping tables, and adding usernames are all very popular methods of gaining unauthorized access to both applications and underlying stored data.

The following example illustrates this:

An attacker who wishes to retrieve the usernames of all active users could do so with an application that uses an SQL backend and one that does not filter SQL requests at the application or middleware layer. For this particular example a user is wishing to learn about the usernames authorized to use an application.

Within the domain mybank.com the following can be used to retrieve usernames provided the table names that are passed are accurate. Many times it is easy to guess the table names that are used to identify parameters such as username, DOB, SOCSEC, password, etc.

Example:

User visits: http://www.mybank.com

When attempting to retrieve the usernames of fellow bankers


http://www.mybank.com/login/login.asp?loginid=bobsmith or d=d

The SQL statement generated because of this passed argument is:

SELECT loginid, FirstName FROM User where loginid = bobsmith or d=d

This condition will always be true because d always equals d. Thus all loginid and FirstName pairs will be returned (Imperva, 2007).

Another clever way to manipulate SQL injection attacks is to DROP tables, which can cause irreparable harm to an underlying database and supported application.

http://www.mybank.com/login/login.asp?loginid=bobsmith; DROP TABLE USERS

This statement will delete the USERS table provided it exists. Deleting this USERS table would likely render the application useless as users would not be able to login to the underlying application (SQLCourse.com, 2006).

SQL injection attacks are only limited to the creativity and resourcefulness of the attacker. Usernames could be added along with passwords, billing amounts could be changed, interest paid and balances changed; all are possible with weak filtering at the application and database layer.

Unvalidated Input Example: XSS

Cross site scripting is an attack targeted towards the hosting web application, underlying OS, and often backend database. An attacker will often attack web applications that do not filter scripts from form fields submitted to web applications. For example, attackers are often able to insert code which gets executed by the user's browser. This code will attempt to steal browser cookies that might include banking session data, passwords, or the like. Session cookies are then used by the attacker to emulate a legitimate user session to a banking site, email account, or the like.

The diagram below illustrates this relationship between attacker, web application, and website using an XSS attack. (Skoudis, 2005)

Getting into the technical jargon behind some of the advanced cross site scripting attacks is beyond the scope of this paper.


A fantastic series of examples of cross site scripting can be found here: http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/1/
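An added Python example, not from the paper, of the two defences that match the attack just described: HTML-encoding a submitted form field on output so the browser treats it as text rather than markup, and marking the session cookie HttpOnly so that even a script which does run in the page cannot read it through document.cookie. The welcome-page template, the SESSIONID cookie name and the alert(document.cookie) payload are constructed for this example; HttpOnly is a mitigation the paper does not mention and is added here.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload: the kind of script an attacker plants in an unfiltered
# form field so that it runs in other users' browsers.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(name):
    """Echoes the submitted form field straight into the page.  A browser
    parses the stored script as markup and executes it."""
    return "<p>Welcome, " + name + "</p>"


def render_escaped(name):
    """Same page with the field HTML-encoded on output: the browser shows the
    payload as literal text instead of running it."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def contains_active_script(rendered):
    """Crude check used here only to show the difference between the two renderings."""
    return "<script" in rendered.lower()


def session_cookie_header(session_id):
    """Set-Cookie value carrying HttpOnly and Secure, built with the standard
    library's SimpleCookie.  The cookie name SESSIONID is an assumption."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True   # not readable from document.cookie
    cookie["SESSIONID"]["secure"] = True     # only sent over HTTPS
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Output encoding is applied where the value is written into HTML, not where it is read from the form, because the same value may be rendered in several places; the cookie flag limits the damage if an encoding is still missed somewhere.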

Summary

Many of these attacks can be prevented and/or detected before they do irreparable harm. Proper defenses require a defense in depth approach. Only a few of the possible approaches have been discussed in this paper, and in time these strategies will likely require tweaking and improvement, as attack vectors invariably evolve.

In summary, a combination of both technologies and user awareness is the only effective way of truly defending against web attacks. Technologies such as application layer firewalls, reverse proxies, and Intrusion Detection and Prevention systems, coupled with a solid security training program for application developers, will yield significant security enhancements. Additionally, the use of code review tools and scanners will provide proactive resources that both developers and in-house security professionals can leverage in discovering application layer weaknesses.

For many businesses which conduct business online, their reputation is at stake. One breach can oftentimes lead to irreparable brand damage. Putting a price on the amount of damage done is oftentimes extremely difficult, though losses to public companies can be in excess of billions when stock valuations are considered.

http://esj.com/Case_Study/article.aspx?EditorialsID=2249


 

REFERENCES

Desmond, Paul (2004, May 17). All-out blitz against Web app Attacks. Retrieved December 30, 2006, from networkworld.com Web site: http://www.networkworld.com/techinsider/2004/0517techinsidermain.html

Heimann, John (2006, May 23). The Importance of Security Training. Retrieved October 31, 2006, from CIO Update website: http://www.cioupdate.com/article.php/3608391

Imperva (2007, February 1). SQL Injection. Retrieved February 10, 2007, from: http://www.imperva.com/application_defense_center/glossary/sql_injection.html

Internet World Stats (2007, January 11). Internet World Stats, Usage and Population Statistics. Retrieved February 01, 2006, from http://www.internetworldstats.com/stats2.htm

Krebs, Brian (2006, September 28). ID Thieves Turn Sights on Smaller E-Businesses. Retrieved December 30, 2006, from WashingtonPost.com Web site: http://www.washingtonpost.com/wp-dyn/content/article/2006/09/28/AR2006092800333.html


Gartner (2006, May 12). Magic Quadrant for Security Information and Event Management. Retrieved February 28, 2007, from Novell.com Web site: http://www.novell.com/products/sentinel/gartner.pdf

Gartner (2005, May 2). Improve IT Security with Vulnerability Management. Retrieved February 27, 2007, from Gartner.com Web site: http://www.gartner.com/DisplayDocument?doc_cd=127481

Halloway, Jason (No Date Provided). Risk and Security Rewards. Retrieved February 27, 2007, from CSOONLINE.COM Web site: http://www.csoonline.com/caveat/012907.html

Lee, Mie-Yun (2001, July 1). Money in the eBank – training customers to trust online banks. Retrieved February 10, 2007, from http://findarticles.com/p/articles/mi_m0DTI/is_7_29/ai_79826907

OWASP (2007, February 10). Welcome to OWASP. Retrieved February 10, 2007, from: http://www.owasp.org/index.php/Main_Page

OWASP (2006, December 21). In Wikipedia, The Free Encyclopedia. Retrieved February 01, 2007, from http://en.wikipedia.org/wiki/OWASP

PCI and Data Security Compliance (2007, January 19). Wordpress website. Retrieved February 15, 2006, from http://datasecurity.wordpress.com/2007/02/05/owasp-top-10-for-2007/


Skoudis, Ed (2005). SANS TRAINING TRACK 4. Retrieved October 31, 2006, from SANS Institute training documents. Not distributed publicly.

SQLCourse.com (2006, May 12). SQLCourse.com website. Retrieved October 31, 2006, from http://sqlcourse.com/drop.html

Symantec News Release (2006, September 19). Symantec.com website. Retrieved October 31, 2006, from http://www.symantec.com/about/news/release/article.jsp?prid=20060919_01


Last Updated: August 20th, 2013
