Web Security

Group 5

Adam Swett

Brian Marco

Why Web Security?

Web sites and web applications are constantly growing

Complex business applications are now delivered over the web

Increased “web hacking” activity

Web worms (Samy)

Firewalls?

Difficulties in Traditional Hacking

Modern networks are more secure

Firewalls are used in all network rollouts

OS vendors patch holes quickly

Increased maturity in coding

Firewalls

Lab Sections

SQL Injection
– Basic
– Blind

Cross Site Scripting (XSS)
– Basics
– Cookie Stealing
– JavaScript

Default Pages

CGI Vulnerabilities
– Vulnerable Scripts
– Nikto

SQL Injection

Exploits a security vulnerability present in the database layer of an application
– With errors
– Blind
– Automated
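An added example (not from the slides) that puts the vulnerable pattern beside its fix: the same login check written by splicing input into the SQL text, where a quote in the input rewrites the query (the basic case) and an unbalanced quote surfaces the database's own error text (the with-errors case), and written as a parameterized query, where the input is bound as data. The in-memory table and credentials are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a single user in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Anti-pattern: untrusted input concatenated into the SQL text.

    The database parser cannot tell data from query, so a quote inside the
    input changes the query's logic, and unbalanced quotes make the query
    fail with the database's own error message.
    """
    query = (f"SELECT name FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error as exc:
        # Echoing raw database errors to the client is what error-based
        # injection feeds on; returned here only to make the leak visible.
        return f"DB ERROR: {exc}"


def login_safe(conn, name, password):
    """Fix: a parameterized query. The SQL text is fixed; the driver binds
    the input as values, so quotes in it are never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]
```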
Cross Site Scripting

SecurityFocus has cataloged over 1,400 issues.

WhiteHat Security has identified over 1,500 in custom web applications. 8 in 10 websites have XSS.

Tops the Web Hacking Incident Database (WHID)
Cookie Stealing
– One of the most common uses of XSS
– Allows the attacker to impersonate the victim

Can lead to session hijacking
– HTTP is stateless
– The server only verifies the user at the beginning of the session; afterwards the cookie alone identifies them
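An added example (not from the slides) of the two server-side controls that address cookie stealing through XSS: encoding untrusted input before it is placed in HTML, so injected script is rendered as text, and marking the session cookie HttpOnly (with Secure and SameSite) so that even script that does run cannot read it from document.cookie. The page template, session id and inputs are constructed, the Set-Cookie value is built with Python's standard http.cookies module, and script_visible_cookies is a small model of the browser's HttpOnly rule, not browser code.

```python
import html
from http.cookies import SimpleCookie


def render_vulnerable(name):
    """Anti-pattern: untrusted input copied straight into the page.
    Markup in `name` is parsed by the browser, so an injected <script>
    runs in the visitor's session."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name):
    """Fix: output encoding. <, >, &, and quotes become entities, so the
    browser shows the input as text instead of interpreting it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id):
    """Set-Cookie value for a session cookie hardened against theft.

    HttpOnly: document.cookie does not expose it to script, so an XSS that
              does run cannot read and exfiltrate it.
    Secure:   sent only over HTTPS, so it is not readable on the wire.
    SameSite: not attached to cross-site requests, limiting reuse from
              other origins.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def script_visible_cookies(set_cookie_values):
    """Model of what document.cookie exposes: a cookie whose Set-Cookie
    line carries HttpOnly is withheld from script. Input is a list of
    Set-Cookie header values (without the 'Set-Cookie:' prefix)."""
    visible = []
    for line in set_cookie_values:
        parts = line.split(";")
        attrs = [part.strip().lower() for part in parts[1:]]
        if "httponly" not in attrs:
            visible.append(parts[0].strip())
    return visible
```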
JavaScript
– Can be written by anyone and executed on any computer over the web
– Most people have JavaScript enabled, which makes it very dangerous
JavaScript Examples
– Black hat search engine optimization (SEO)
– Click fraud
– Distributed denial of service
– Forced access to illegal content
– Hacking other websites (IDS sirens)
– Distributed email spam (Outlook Web Access)
– Distributed blog spam
– Vote tampering
– De-anonymizing people
– etc.
Default Pages

Careless hosting

Gives the ability to browse and retrieve a complete directory on the web server

Happens when the default page is missing

Not-so-strict web server configuration
CGI Vulnerabilities

A number of widely distributed CGI scripts contain known security holes

Finding the scripts and exploiting them can be time consuming

Usually well documented on the web

Some can be worth it
nph-test-cgi
– Script included with all old versions of the Apache web server
– Allows a user to view all files on the computer
Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Sources

NetSquare Blackhat Asia Presentation

WhiteHat Security

SPI Dynamics