Vulnerabilities in Websites (Vulnerabilidades en sitios web)


Aradi Pineda Barranca

Alba Nidya Soto Domínguez

Instituto Tecnológico de Tuxtepec

April 2014


ACKNOWLEDGEMENTS

TO MY PARENTS:

With all my love and affection, to the people who did everything in life so that I could achieve my dreams, for motivating me and extending a hand to me when I felt the road had ended: to you, forever, my heart and my gratitude.

Aradi Pineda Barranca

Carrying out this project in the best possible way required the support of many people, whom I want to thank.

First, God, for giving me life and for the family He gave me.

To my mother, for her unconditional support and for encouraging me to do things in the best way possible, as well as for her support in the realization of this software; to Vicente, who has helped me in my studies and supported me in everything I set out to do.

To my brother, for his love and unconditional support, and for encouraging me to be a better person in life.

Thanks also to my friends for helping me and supporting me unconditionally, and for being part of my life during these 4 years in and out of school. Thank you for the friendship you have offered me.

Alba Nidya Soto Domínguez


ABSTRACT

Because it holds information that must be protected, a web application can become the target of malicious users seeking to access it. Likewise, when implementing the application, analysts, designers and developers can unknowingly leave a security hole. Additionally, the software and hardware used to deploy the application may themselves contain a vulnerability or security hole.

Therefore, one should be aware of the possible risks to web applications, as well as their impact and the actions that can be taken to correct such situations.

OWASP is a group of web application security professionals with several years of experience who help remedy some of the problems that arise in the field of web application development. This group focuses on understanding and improving the security of applications and web services.

OWASP offers free development guides, recommendations for good practice, current information on common vulnerabilities in web applications and a web application security learning tool known as "WebGoat".


KEYWORDS

WPScan

Nmap

TamperData

OWASP


INTRODUCTION

In 1980, Tim Berners-Lee developed ENQUIRE as a personal database of people and software models, but also as a way of interacting with hypertext. By 1990, Berners-Lee had developed all the tools needed to make the web work: HTTP, HTML, the first web server and the first web browser (WorldWideWeb).

Websites have countless vulnerabilities that put them at great risk of attack from several directions. This document is intended to provide the theoretical tools for mastering the topic addressed in each of its sections.

The aim is to encourage organizations that use websites to mature in their understanding and management of application security.


METHODS AND MATERIALS

SECURITY VULNERABILITIES IN A SYSTEM

Because it holds information that must be protected, a web application can be targeted by malicious users seeking to access it. Likewise, when implementing the application, analysts, designers and developers can unknowingly leave a security hole. Additionally, the software and hardware used to deploy the application may have a vulnerability or security hole.

Therefore, one should be aware of the potential risks that affect web applications, as well as their impact and the actions that can be taken to correct such situations.

OWASP keeps track of the most critical attacks and vulnerabilities in web applications. They are reported with examples and details that explain these risks to software developers, administrators and anyone interested in web security.

The aim is to encourage organizations to mature in their understanding and management of application security.


OWASP TOP 10

1. Injection

Involves sending malicious code to the system, whether by a user or by another system; often the code is sent in plain text.

The code may be sent through any input, for example:

• Queries to Active Directory.
• Queries to the database.
• Entries in web forms.
• XPath queries.
• Operating system commands.
• Check functions.

It happens when user-supplied input is not properly validated, trusting whatever enters the system.

CONSEQUENCES

• Loss and/or corruption of data.
• Denial of access.

ACTIONS

• Implement secure code: validate input, even input coming from other systems.
• Use tools to search for injection vulnerabilities.
• It is highly recommended to keep untrusted data separate from commands and queries.
• Use safe APIs that avoid the interpreter entirely.
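The last two actions, keeping untrusted data separate from the query and using an API that binds it as a parameter, are illustrated by the following added example (not code from the paper). It uses a constructed in-memory SQLite table; the vulnerable lookup splices the input into the SQL text, while the hardened one binds it as a parameter:

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (not from the paper).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_unsafe(db, name):
    # Vulnerable: untrusted data is spliced into the command text, so the
    # interpreter cannot tell where the query ends and the data begins.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, name):
    # Hardened: the command text is fixed and the value is bound as a
    # parameter, so the driver never re-parses it as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]


def demo():
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input: a string, not a real name
    return {
        "unsafe": find_user_unsafe(db, crafted),   # every row comes back
        "safe": find_user_safe(db, crafted),       # no user has that name
        "normal": find_user_safe(db, "bob"),
    }
```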

2. Broken authentication and session management

These vulnerabilities relate to failures in authentication and session management. They are critical to the security of applications, and especially of web applications, since they allow an attacker to impersonate a particular user, possibly obtaining an administrative account that lets them subvert the application's authorization and registration checks.

CONSEQUENCES

• Unauthorized access to any information stored on the server.
• Access to services that have been compromised.

ACTIONS

• Implement strong user authentication.
• Protect session data (id, token, password).
• Perform robust session tracking.
• Avoid XSS vulnerabilities, since they can lead to the hijacking of session data.


3. Cross-Site Scripting (XSS)

The insertion of invalid text strings into a web application by a malicious user (who may be in the system as a user or administrator, or elsewhere), in the expectation that they will be executed to obtain information or some benefit.

It is classified into three types:

• Stored. The code is permanently stored on the web application server, for example in the database.
• Reflected. The code is not stored in the database of the attacked web application; it runs at the moment it is entered into any input that does not validate the data provided.
• DOM-based. The code modifies the DOM of the original web application.

CONSEQUENCES

• Hijacking of user sessions.
• Defacement of websites.
• Installation of malicious code in browsers.
• Redirection to malicious sites.

ACTIONS

• Perform code analysis tests.
• Use static and dynamic scanning tools.
• Separate untrusted data from active browser content.
• Validate data entry.


4. Insecure direct object reference

It consists of replacing the value of a parameter that refers to an object with a reference to another object, and access being granted even though it is unauthorized.

CONSEQUENCES

• Access to restricted information.
• Access to all information that is referenced by similar parameters.

ACTIONS

• Perform code analysis and manual tests.
• Perform code-level checks for direct references to restricted resources.
• Use indirect references per user or session.
• Verify the user's access to objects.


5. Security misconfiguration

A failure or error in the security configuration defined and implemented for the application, frameworks, application server, web server, database and platform. All these settings should be defined, implemented and maintained, which includes keeping all software up to date, including the code libraries used by the application.

It can occur in:

• Platforms.
• Web servers.
• Application servers.
• Work environments (frameworks).
• Custom code.

It takes advantage of:

• Default accounts.
• Unused pages.
• Unpatched or outdated software.
• Unprotected files or directories.

CONSEQUENCES

• Unauthorized access to data or system functions.

ACTIONS

• Use automated tools to locate pending updates, faulty settings, active default accounts and unnecessary active services.
• Secure all levels of the application stack.


6. Sensitive data exposure

Consists of not properly protecting sensitive data such as credit cards, identifiers, tax data and database authentication credentials. Attackers may steal or modify such data to commit credit card fraud, identity theft or other crimes; this can happen while the data is stored or while it is being transmitted.

CONSEQUENCES

• Theft of sensitive data such as health records, credentials, personal data, credit cards, etc.

ACTIONS

• Encrypt sensitive data both at rest and in transit.
• Do not store sensitive data unnecessarily.
• Protect stored passwords with an algorithm designed specifically for password protection, such as bcrypt, PBKDF2 or scrypt.
• Disable autocomplete on forms that capture sensitive data and disable caching of pages that contain sensitive data.
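The third action above, using a purpose-built password algorithm, is shown in the following added example (not code from the paper) with PBKDF2 from Python's standard library. The iteration count is an assumed work factor; the `weak_hash` function is included only to contrast a fast, unsalted general-purpose hash with a salted, slow password hash:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    # Derive a key with a password-hashing function and a per-user random
    # salt; store algorithm, work factor, salt and key, never the password.
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), key.hex())


def verify_password(password, stored):
    # Re-derive with the stored salt and work factor, then compare in
    # constant time so timing does not reveal how many bytes matched.
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def weak_hash(password):
    # What NOT to do: a fast, unsalted general-purpose hash. Two users with
    # the same password get the same digest, and guessing it is cheap.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

The same scheme fits scrypt (`hashlib.scrypt`) or bcrypt from a third-party package; only the derivation call and the algorithm label change.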

7. Missing function level access control

The lack of access controls for private functions of web applications. If requests are not verified, attackers will be able to forge requests in order to access features of the application without proper authorization.

CONSEQUENCES

• Access to private functions of the application by ordinary users.
• Access to and modification of system data.

ACTIONS

• Implement authentication and authorization modules for the private functions of the system.
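The following added example (not code from the paper) covers both item 4 and item 7: per-session indirect references with an object-level ownership check, and a function-level role check on a private function. The invoice and user data are constructed sample values:

```python
import secrets

# Constructed sample data (not from the paper): invoices keyed by their
# direct database id, each owned by one user; users have a role.
INVOICES = {101: {"owner": "alice", "total": 40},
            102: {"owner": "bob", "total": 75}}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}


class Session:
    """Per-session state: the logged-in user and an indirect-reference map."""

    def __init__(self, user):
        self.user = user
        self.ref_map = {}          # opaque handle -> direct object id

    def reference_for(self, obj_id):
        # Item 4: give the client an unguessable per-session handle instead
        # of the real id, so it cannot simply count through ids.
        handle = secrets.token_urlsafe(8)
        self.ref_map[handle] = obj_id
        return handle


def get_invoice(session, handle):
    # Resolve the handle only through this session's own map (a handle from
    # another session is unknown), then still verify access to the object.
    obj_id = session.ref_map.get(handle)
    if obj_id is None:
        return None
    inv = INVOICES.get(obj_id)
    if inv is None or (inv["owner"] != session.user and USERS[session.user] != "admin"):
        return None
    return inv


def require_role(role):
    # Item 7: a private function checks the caller's role on every request
    # instead of relying on the link being hidden from ordinary users.
    def wrap(fn):
        def guarded(session, *args):
            if USERS[session.user] != role:
                raise PermissionError("forbidden")
            return fn(session, *args)
        return guarded
    return wrap


@require_role("admin")
def delete_invoice(session, obj_id):
    # Administrative function; reachable only after the role check above.
    return INVOICES.pop(obj_id, None) is not None
```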

8. CSRF (Cross-Site Request Forgery)

An attack that forces a user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via e-mail or chat), an attacker can force users of the web application to execute actions of the attacker's choice. If the targeted user is the administrator account, this can compromise the entire web application.

CONSEQUENCES

• The attacker can access, modify and use any data or function that the victim is authorized to use.

ACTIONS

• Review the source code.
• Perform penetration testing.
• Do not rely on session cookies, source IP addresses or other automatically submitted information as protection.
• Analyze links and forms that invoke state-changing functions.
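Because the session cookie is sent automatically and therefore cannot serve as protection, a state-changing function needs a value the cross-site page cannot obtain. The following added example (not code from the paper) issues and checks a session-bound synchronizer token; `SERVER_KEY` and the `handle_transfer` endpoint are assumptions for illustration:

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret, generated at start


def issue_csrf_token(session_id):
    # Synchronizer token bound to the session: a random nonce plus an HMAC
    # over (session id, nonce). A page on another origin cannot read the
    # victim's token, so a forged cross-site form cannot supply a valid one.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    # Recompute the MAC for this session and compare in constant time.
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request, session_id):
    # State-changing endpoint. The session cookie (session_id) arrives with
    # any cross-site request, so, as the paper notes, it is not a defence on
    # its own: the submitted form must also carry the token.
    if request.get("method") != "POST":
        return "rejected: state changes are accepted only via POST"
    if not verify_csrf_token(session_id, request.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return "ok: transferred " + str(request.get("amount"))
```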


9. Using components with known vulnerabilities

The use of components such as libraries, frameworks and other vulnerable software modules, which almost always run with administrator privileges. If a vulnerable component is exploited, it can facilitate the loss of important data or the takeover of the server.

CONSEQUENCES

• Code injection.
• XSS.
• Bypassed access controls.

ACTIONS

• Keep every deployed component up to date.
• When using components developed in-house, perform security testing on them.

10. Unvalidated redirects and forwards

A redirection or forwarding by a web application to other pages or websites without proper validation. Attackers can redirect victims to phishing or malware sites.

CONSEQUENCES

• Theft of authentication credentials.
• Malware installation.
• Phishing.


ACTIONS

• Conduct a site mapping (spidering) to detect malicious redirects.
• Avoid using redirects and forwards.
• If they are used, do not include user-supplied parameters in the target.
• If target parameters cannot be avoided, ensure that the value provided is valid and authorized for the user.
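The last action, checking that a supplied redirect target is valid, is shown in the following added example (not code from the paper). The application origin and the allowed-host set are assumptions; the check falls back to a fixed local page whenever the value is not a plain http(s) URL on one of those hosts:

```python
from urllib.parse import urljoin, urlsplit

# Assumed application origin and the only hosts a redirect may point to.
APP_ORIGIN = "https://app.example"
ALLOWED_HOSTS = {"app.example", "help.example"}


def safe_redirect_target(next_param, default="/"):
    # Validate a user-supplied "next" value before redirecting to it; on any
    # doubt fall back to a fixed local page instead of the supplied target.
    if not next_param or "\\" in next_param:
        return default            # empty, or backslashes some browsers treat as "/"
    # Resolve against the app origin so a scheme-relative "//host/path" is
    # recognised as an external URL rather than a local path.
    absolute = urljoin(APP_ORIGIN, next_param)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return default            # javascript:, data: and similar schemes
    if parts.username is not None or parts.password is not None:
        return default            # "https://app.example@other.host/" style confusion
    if parts.hostname not in ALLOWED_HOSTS:
        return default            # not one of our sites
    return absolute
```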

PENETRATION TESTING METHODOLOGY

1. Penetration tests (pentest)

A pentest is a test of web applications that attempts to reproduce the actions of malicious users (internal and external to the organization). These actions cover both interaction with the application and the configurations and software used.

It helps find security holes that could allow access to sensitive information, modification of the site's original functionality, and other actions.

Penetration testing should consider aspects such as:

• SQL injection testing.
• Cross-Site Scripting (XSS) testing.
• JavaScript testing.
• Alerts and network port scanning.


ADVANTAGES

• Generates timely reports.
• Improvement in strategy.
• Improvement of the application.

DISADVANTAGES

• Risk of unavailability.
• Risk of loss or alteration of information.

To perform a penetration test it is necessary to follow a methodology, so that the work is carried out in order and the expected results are achieved.

2. Penetration Testing Methodology

Phases of penetration testing:

• Planning.
• Reconnaissance.
• Scanning.
• Exploitation.
• Documentation.

2.1 Planning

Allows the project to be fully defined, setting limits and establishing the elements to assess and, most importantly, obtaining the authorization that backs the pentester throughout their activity, both technically and legally.


Generally, the following items can be listed in this preparation stage:

• Interview with the client.
• Information on the consequences of testing.
• Team integration.
• Permission.
• Confidentiality agreement.
• Contract.

2.2. Reconnaissance

The process of investigating the target organization to gather information from available sources, such as domain registration services and web sites. Some people include techniques such as social engineering and dumpster diving in the information gathering phase.

The pentest specialist should try to get as much information as possible about the target. Reconnaissance can be done using two techniques: passive and active.

A passive technique is the best choice to start with, as it would not normally be detected by an IDS or other forms of protection. It seeks to discover publicly available information on the Internet, in flyers, among other sources.

An active technique is more intrusive; it could involve using an automated tool or carrying out social engineering.


2.3. Scanning

The aim at this stage is to find vulnerable entry points in the evaluated environment, such as wireless access points, available systems, listening ports and vulnerabilities.

Scanning is the process of finding openings in the target organization, such as Internet gateways, wireless access points, available systems, listening ports and lists of vulnerabilities. Some popular tools for this stage are:

• Port scanning: Nmap.
• Vulnerability scanning: Nessus.

2.4. Exploitation

At the end of the scanning phase, potential vulnerabilities have been identified, along with information such as the operating system, which is very useful because it helps build an attack vector and choose the appropriate tools, exploits or techniques to exploit the systems. At this stage the vulnerabilities given a high risk rating by the vulnerability scanner are tested, and they will probably be the target of exploitation during the evaluation.

This phase aims to:

• Reduce or eliminate false positives.
• Understand the real impact of a vulnerability.

At this stage the vulnerabilities found in the previous phase are tested, reviewed and evaluated in detail, because tools can sometimes list false positives; if any of these flaws can be exploited, access to the system or disclosure of sensitive information is confirmed.


2.5. Documentation

The documentation in this phase includes the following:

• Executive summary.
• Introduction.
• Methodology.
• Findings.
• High risk.
• Medium risk.
• Low risk.
• Recommendations.

The objective of this phase is to record the results obtained from the beginning of the reconnaissance phase through the exploitation phase, generating a final report of the findings from the entire testing process.


RESULTS

At the time of writing this article it was expected that the reader would be able to locate the vulnerabilities that exist in websites, and also that a reader who built such sites would stay alert and guard against the various risks that exist.

As expected, there are several books, articles and reports on the topic that describe the risks that exist when a website is developed.

It was possible to study different vulnerabilities in web applications and the mechanisms for reducing these risks.

The knowledge gained enables the reader to perform different tests to detect vulnerabilities and, in this way, to focus on the faults found.


DISCUSSION

We obtained the expected results: the reader was attracted to and motivated in conducting tests to determine whether their website had or has a bug.

With this work, the reader is expected to clear up their doubts and dare to investigate thoroughly the vulnerabilities that exist and to which they are exposed.
