Web Application Scanning 101
Transcript of Web Application Scanning 101
Web Security 101: An overview of some common application exploits
Mike Shema, Security Research Engineer, Qualys Inc.
Web Security
- Web application (in)security continues to grow
- Web-related vulnerabilities pop up on Bugtraq daily. (http://www.securityfocus.com/bid/)
- Web-related attacks are large and expensive to investigate, react to, and resolve.
- Web security became a requirement of PCI in 2008.
- XSS remains a significant problem
  - Original CERT advisory February 2000 (http://www.cert.org/advisories/CA-2000-02.html)
  - USENET references to "malicious html" and "malicious javascript" as far back as 1996
    - comp.security.unix post on March 1996: http://tinyurl.com/2s593m
    - Entertaining discussion of JavaScript: http://tinyurl.com/2g2476
Web Security
- Reported web server vulnerabilities have decreased
  - IIS 6.0 released April 2003
    - MS06-034 (specially-crafted ASP file could cause buffer overflow)
    - No resurgence of Code Red or Nimda style vulnerabilities
  - Apache 2.0.45 (March 2003) to Apache 2.0.63 (January 2008)
    - 40 security bugs according to changelog
    - 24 specific to core or mod_ssl
  - Apache 2.2.0 (November 2005) to Apache 2.2.8 (January 2008)
    - 13 security bugs according to changelog
    - 2 specific to core or mod_ssl
- And the number of servers continues to grow significantly
[Chart: Active Sites According to Netcraft, Apache vs. IIS, May-03 to Apr-08; y-axis 0 to 35,000,000 sites]
Leave the Buffer Overflows at Home
- Exploiting most web vulnerabilities has a very low barrier to entry.
- Low sophistication attacks can still lead to high impact exploits
- More codified lists defined in the OWASP Top 10 and the WASC Threat Classification
Threats Evolve
- Financial motivation
- Infect rather than deface
- Increased potential for targeted attacks
- Exploit the trust between the server and browser
Attacks Adapt
- Bring the exploit to the victim rather than bring the victim to the exploit.
- "Web 2.0": More business logic and capabilities moved to the web browser.
- Social networking as an enabler for non-technical attacks.
- Insert malicious content into a web page
- Target the web browser
Persistent Browser Problems
- Assumption of trust in HTML and JavaScript (no "signed" content)
- No separation of UI generation and data manipulation
- Few restrictions on pulling together inter-domain content, no "trusted peers" for a domain.
What do these attacks look like?
- Review some examples to see where vulnerabilities exist and how they are exploited.
The Usual Suspects
- SQL Injection
  - One of the easiest vulnerabilities to prevent.
  - Occurs when users can alter the actual query.
  - For example, SQL queries made with string concatenation or even raw SQL queries in a URL parameter.
Recent Examples
- Hacking & Happiness
  - One password to rule them all
  - Poor separation of duties
  - Lack of rate limiting
  - http://tinyurl.com/9f7ata
Recent Examples
- Session Fixation & Stock Inflation
  - Buy stocks using someone else's account.
Recent Examples
Session fixation exchange (Session ID = 655321):
1. Victim receives an e-mail with a legitimate link to the trading site: https://site/login.cgi?sid=65531
2. Unauthenticated:
   x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
   Redirect to /login.cgi <-- server
   (the same request is repeated and redirected again while the session is still unauthenticated)
3. Authenticated:
   a.b.101.92 --> /login.cgi?sid=655321
   Redirect to /welcome.cgi?sid=655321 <-- server
4. x.y.72.13 --> /trade.cgi?sid=655321&shares=1000&stock=FOO
   Trade executed <-- server
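The exchange above in runnable form, as an added example that is not part of the original deck: a toy model of login.cgi and trade.cgi is replayed twice, once adopting the URL-supplied sid unchanged and once issuing a fresh session id at authentication, which is the standard countermeasure to fixation. The password, user name and in-memory session store are constructed for the example.

```python
import secrets


class TradingSite:
    """Toy model of the slide's login.cgi / trade.cgi (constructed, not the real site)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> authenticated user name, or None while anonymous

    def login(self, sid, user, password):
        """login.cgi: an sid supplied in the URL is adopted for the session."""
        if password != "hunter2":  # constructed credential check
            return "Redirect to /login.cgi", sid
        if self.regenerate_on_login:
            # Mitigation: discard any id that existed before authentication and
            # issue a fresh, unguessable one, so a pre-planted sid never becomes valid.
            self.sessions.pop(sid, None)
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return "Redirect to /welcome.cgi", sid

    def trade(self, sid, shares, stock):
        """trade.cgi: only an authenticated session may place an order."""
        user = self.sessions.get(sid)
        if user is None:
            return "Redirect to /login.cgi"
        return f"Trade executed for {user}: {shares} {stock}"


def replay(regenerate_on_login):
    """Replay the slide's exchange against the fixed id 655321.

    Returns (answer before the victim logs in, answer to the fixed id after
    login, answer to the id the victim actually holds after login).
    """
    site = TradingSite(regenerate_on_login)
    fixed = "655321"
    before = site.trade(fixed, 1000, "FOO")
    _, victim_sid = site.login(fixed, "victim", "hunter2")
    after_fixed = site.trade(fixed, 1000, "FOO")
    victim_own = site.trade(victim_sid, 1000, "FOO")
    return before, after_fixed, victim_own


if __name__ == "__main__":
    print("no regeneration:", replay(False))
    print("regenerate on login:", replay(True))
```

Without regeneration the fixed id becomes a valid authenticated session the moment the victim logs in; with regeneration the victim's own session works but the fixed id still redirects to login.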
Recent Examples
- Inspection & Infiltration
  - Abusing server-side scripts
  - http://tinyurl.com/d6ymuc
Recent Examples
../lists/admin/index.php?_SERVER[ConfigFile]=../../php.ini
- Viewing arbitrary files on the web server for sensitive content
- A confluence of programming error, misconfiguration, and lack of host hardening
Wildly Different Vulnerabilities
- Programming errors
- Session fixation
- Cross-site request forgery
- Lack of input validation
- Insecure environment
Where Are The Worms?
- Attacks like Nimda, Code Red or SQL Slammer haven't been repeated in a while
- Exploit preferences seem to fall to the lowest common denominator
Manual & Automated Testing
- Complementary approaches
- What matters most for your environment?
  - Cost
  - Scalability
  - Repeatability
  - Comprehensiveness
  - Accuracy
- What to expect from each approach?
Automated Testing
- Ideal for large-scale or repetitive scans
- Primarily focuses on syntax problems, misconfigurations, and known issues
- Several challenges to determining a good scanner
  - Crawling & site coverage
  - Authentication & session management
  - Comprehensiveness & accuracy
Manual Testing
- Ideal for in-depth security review
- Biggest advantage over automated testing is the ability to understand the application's business logic
- Typically relies on some form of automated testing
Proactive Countermeasures
- Prevent the initial compromise in order to minimize the potential for the application to be used as a distribution point for malicious content
- Web application hardening
- Prevent unexpected HTML injection
- Identify areas where user-generated content is permitted
  - Pre-inspect content
  - Quarantine content
- Continuous site monitoring
Development Quick Reference
- Don't store raw passwords.
  - Store the salted hash
- Don't use string concatenation when building SQL queries.
  - Use parameterized queries
- HTML encode user-supplied content that is written to a web page
- Normalize input
  - Work with an expected character set & encoding.
  - Decode multi-level URL encoding
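The quick-reference items worked through in Python, as an added example that is not from the deck: the concatenated query beside its parameterized form, a salted password hash (PBKDF2-HMAC-SHA256 is the salted-hash construction chosen here), and normalize-then-HTML-encode with multi-level URL decoding against a fixed UTF-8 charset. The `users` table, the iteration count and the five-layer decoding limit are assumptions made for the example.

```python
import hashlib
import hmac
import html
import os
import sqlite3
from urllib.parse import unquote

def find_user_concat(conn, username):
    # The form the slide warns against: the user's string becomes query text.
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn, username):
    # Parameterized query: the driver binds the value, so it cannot alter the query.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (username,))]

def hash_password(password, salt=None):
    # Store salt + salted hash, never the raw password (PBKDF2-HMAC-SHA256 used here).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def normalize_input(value, max_layers=5):
    # Decode multi-level URL encoding until the value is stable, insisting on UTF-8;
    # refuse inputs wrapped in an unreasonable number of layers (assumed limit).
    for _ in range(max_layers):
        decoded = unquote(value, encoding="utf-8", errors="strict")
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many URL-encoding layers")

def render(value):
    # Normalize first, then HTML-encode before writing user content into a page.
    return html.escape(normalize_input(value), quote=True)

def demo_db():
    # Constructed in-memory table for trying the two query styles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn
```

With the concatenated query a value such as `' OR '1'='1` rewrites the WHERE clause and returns every row; the parameterized query treats the same value as a literal name and returns nothing.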
Summary
- The web browser continues to bear more and more functionality that used to be relegated to desktop applications, but the browser security model hasn't kept pace.
- Attackers are placing more focus on compromising trusted sites rather than luring victims to fake sites.
- Social networking, Web 2.0, and similar concepts place more and more personal data only a browser request away.
- Most reported compromises seem due to lack of input validation (XSS and SQL injection).
Thank you!