Web Application Security
Centre for Development of Advanced Computing (C-DAC) Electronics City, Bangalore.
C-DAC, EC, Bangalore
Agenda
- Who are your enemies
- What is a web application
- SD3 Security Framework
- Top 10 vulnerabilities
- How to avoid these
- Demo example
Know Your Enemy
If you know both the enemy and yourself, you will fight a hundred battles without danger of defeat; if you are ignorant of the enemy but only know yourself, your chances of winning and losing are equal; if you know neither the enemy nor yourself, you will certainly be defeated in every battle.
Sun Tzu, The Art of War (the oldest military treatise in the world), Chinese general, 500 B.C.
Who are the enemies?
- Innocent (?) users
- Can be you (!)
- Hackers
What is a web application?
Web application
A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent. Put another way, a web application (webapp) is an application that is accessed via a web browser over a network such as the Internet or an intranet. A computer software application that is
What is web application security?
Web application security is...
Simply put, web application security is the securing of web applications.
Security goes beyond establishing a firewall and implementing SSL. It includes:
- IDS
- Policy
- Standards
- Awareness
- Audit
- Testing
Do not assume someone else is taking care of it.
Is your application really secure?
Firewalls
Firewalls can provide:
- Secure gateway to the Internet for internal clients
- Packet filtering
- Auditing
Firewalls cannot provide:
- Protection against application level attacks over HTTP or HTTPS
Through the firewall without a fire suit
Concepts
Threat: Any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of the system's ability to fully perform its mission.
Vulnerability: A security exposure in a system software or application software component.
The SD3 Security Framework
Secure by Design
- Secure architecture and code
- Threat analysis
- Vulnerability reduction
Secure by Default
- Attack surface area reduced
- Unused features turned off by default
- Minimum privileges used
Secure in Deployment
- Protection: detection, defense, recovery, management
- Process: how-to guides, architecture guides
- People: training
Adopt the SD3 Security Framework
Secure by Design
- Build threat models
- Conduct code reviews, penetration tests
- Run code with minimal privileges
Secure by Default
- Minimize your attack surface
- Enable services securely
Secure in Deployment
- Leverage the security best practices
- Create security guidance
- Build tools to assess application security
Your code is part of your security perimeter
[Diagram: the application layer (Legacy Systems, Human Resources, Billing, Directories, Web Services, Databases, Custom Developed Application Code) sits above the network layer (Firewall, Hardened OS, Web Server, App Server, SSL Protection); an application attack passes straight through the network-layer defences.]
Your security perimeter has huge holes at the application layer.
You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Top 10 Vulnerabilities
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration
95% of web apps have vulnerabilities:
- Cross-site scripting (80 percent)
- SQL injection (62 percent)
- Parameter tampering (60 percent)
- Cookie poisoning (37 percent)
- Database server (33 percent)
- Web server (23 percent)
- Buffer overflow (19 percent)
1. Unvalidated Parameters
An attacker can easily tamper with any part of the HTTP request before submitting it:
- URL
- Cookies
- Form fields
- Hidden fields
- Headers
Common names for common input tampering attacks: forced browsing, command insertion, cross site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation.
Unvalidated Parameters continued..
Do rigorous input data validation
- All parameters should be validated before use
Do server-side validation
- Client side validation can be bypassed by the attacker easily
- Client side validation is to be used mainly for quick user responsiveness
Unvalidated Parameters continued..
Use centralized code for input validation
- Scattered code is hard to maintain
Each parameter should be checked against a strict format that specifies exactly what input will be allowed.
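As an added example (not code from the C-DAC slides), the points above in Python: one centralized validator, a whitelist schema that states exactly what each parameter may look like, a length limit checked first, and rejection of any parameter the form was not expected to send. The schema, field names and both sample requests are constructed for illustration.

```python
import re

# Constructed whitelist schema: (strict pattern, maximum length) per expected
# parameter. Anything not listed here is rejected outright.
PARAM_SCHEMA = {
    "username": (re.compile(r"^[a-z0-9_]{3,16}$"), 16),
    "account_id": (re.compile(r"^[0-9]{1,10}$"), 10),
    "quantity": (re.compile(r"^[1-9][0-9]{0,2}$"), 3),
}


def validate_params(params, schema=PARAM_SCHEMA):
    """Validate every parameter of a request against the schema.

    Returns (ok, errors). ok is True only when every expected field is
    present, every value matches its pattern, and no unexpected field was
    submitted. Cookies, hidden fields and headers go through the same
    function, since the attacker can tamper with any part of the request.
    """
    errors = []
    for name in params:
        if name not in schema:
            errors.append(f"unexpected parameter: {name}")
    for name, (pattern, max_len) in schema.items():
        value = params.get(name)
        if value is None:
            errors.append(f"missing parameter: {name}")
            continue
        if len(value) > max_len:
            # Length is checked before the pattern so oversized input never
            # reaches later processing (the buffer overflow case).
            errors.append(f"{name}: too long ({len(value)} > {max_len})")
            continue
        if not pattern.fullmatch(value):
            errors.append(f"{name}: does not match allowed format")
    return (not errors, errors)


# Constructed sample requests: one well-formed, one where client-side checks
# were bypassed, a SQL fragment was typed into the username and an extra
# hidden "price" field was added by the client.
GOOD_REQUEST = {"username": "alice_01", "account_id": "4711", "quantity": "2"}
TAMPERED_REQUEST = {
    "username": "alice' OR 1=1--",
    "account_id": "4711",
    "quantity": "2",
    "price": "0.01",
}

if __name__ == "__main__":
    print(validate_params(GOOD_REQUEST))
    print(validate_params(TAMPERED_REQUEST))
```

Because the schema is data, adding a new form field means adding one line here rather than a check in every handler, which is the maintainability point the slide makes.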
2. Broken Access Control
Access control is how you keep one user away from other users' information.
The problem is that many environments provide authentication, but don't handle access control well. Many sites have a complex access control policy.
Key Points
- Write down your access control policy
- Don't use any ids that an attacker can
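As an added example (not from the C-DAC slides), an access control policy written down as data and enforced in one place in Python: the user's identity comes from the server-side session, the record id comes from the request and is treated as untrusted, and anything the policy does not grant is denied. Roles, actions, records and users are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed access control policy, written down as data rather than
# scattered through the code: (role, action) -> rule. Anything not listed
# here is denied.
POLICY = {
    ("customer", "view_statement"): {"own_only": True},
    ("customer", "update_profile"): {"own_only": True},
    ("support", "view_statement"): {"own_only": False},
}


@dataclass(frozen=True)
class User:
    user_id: str   # taken from the server-side session, never from the request
    role: str


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str


# Constructed sample data store: record id -> record.
RECORDS = {
    "st-1": Record("st-1", owner_id="u100"),
    "st-2": Record("st-2", owner_id="u200"),
}


def is_allowed(user, action, record):
    """Return True only if the written policy grants this action."""
    rule = POLICY.get((user.role, action))
    if rule is None:
        return False                      # deny by default
    if rule["own_only"] and record.owner_id != user.user_id:
        return False                      # other users' data is off limits
    return True


def view_statement(session_user, requested_id, records=RECORDS):
    """Handle a request for /statement?id=<requested_id> (hypothetical URL).

    Missing and forbidden records get the same answer, so a user who edits
    the id in the URL learns nothing about which other ids exist.
    """
    record = records.get(requested_id)
    if record is None or not is_allowed(session_user, "view_statement", record):
        return None
    return record


ALICE = User("u100", "customer")
BOB = User("u200", "customer")
AGENT = User("s1", "support")

if __name__ == "__main__":
    print(view_statement(ALICE, "st-1"))   # Alice's own statement
    print(view_statement(BOB, "st-1"))     # None: Bob tampered with the id
```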
Broken Access Control continued..
3. Broken Account and Session Management
Includes all aspects of handling user authentication and managing active sessions.
Session hijacking
- If the session cookies are not properly protected, an attacker can hijack an active session and assume the identity of a user.
Account management
- Handling credentials across the client-server gap
- Backend authentication credentials too
Broken Account and Session Management
HTTP is a stateless protocol. Web apps need to keep track of which request came from which user.
Session Management
- Brand sessions with an id using a cookie, hidden field, URL tag, etc.
Key Points
- Keep credentials secret at all times
- Use only the random session id provided by your environment
4. Cross-site Scripting (XSS)
An attacker can use the cross site scripting technique to inject malicious script (into a server), which is then sent to unsuspecting users accessing the same server. Example: a chat server. The attacked user's (victim's) browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the
4. Cross-site Scripting (XSS)
What does it do?
- Disclose the user's session cookie (session hijacking)
- Disclose end user files
- Redirect the user to some other page or site
- Modify presentation of content
How to avoid it?
- Search for all places where input from an HTTP request could possibly make its way into the HTML output
XSS Scenario continued..
The server is a chat server. The chat server displays whatever message is typed in by a particular user to all other users. An attacker (user A) includes JavaScript as part of a message (message A). The chat server saves the message (into the database or whatever storage) without input validation. When an unsuspecting user (user B) reads the
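As an added example (not from the C-DAC slides), the chat scenario above in Python: the vulnerable rendering pastes message A straight into the page user B receives, the fixed rendering encodes request data at the point where it reaches HTML output. The message text and user names are constructed; the script in message A only pops an alert box so the difference between the two renderings is visible without doing any harm.

```python
import html

# Constructed chat messages. Message A carries a script tag; message B is a
# normal line of chat that happens to contain characters HTML treats specially.
USER_A, MESSAGE_A = "mallory", 'hi all <script>alert("xss")</script>'
USER_B, MESSAGE_B = "bob", "is 3 < 5 && 5 > 3? yes"


def render_message_unsafe(user, text):
    """The chat server's mistake: stored input copied verbatim into HTML, so
    the browser of every reader executes whatever user A typed."""
    return f'<div class="msg"><b>{user}</b>: {text}</div>'


def render_message_safe(user, text):
    """Encode every piece of request-derived data for the HTML text context.
    quote=True also encodes quotes, so the same call is safe inside a
    double-quoted attribute value."""
    return (f'<div class="msg"><b>{html.escape(user, quote=True)}</b>: '
            f'{html.escape(text, quote=True)}</div>')


def has_live_script(rendered_html):
    """Crude check used only to compare the two renderings: does a script tag
    survive into the markup the browser will parse?"""
    return "<script" in rendered_html.lower()


def render_chat(messages, renderer):
    """Render the whole chat log with the given renderer."""
    return "\n".join(renderer(user, text) for user, text in messages)


CHAT_LOG = [(USER_A, MESSAGE_A), (USER_B, MESSAGE_B)]

if __name__ == "__main__":
    print(render_chat(CHAT_LOG, render_message_unsafe))
    print(render_chat(CHAT_LOG, render_message_safe))
```

Encoding is context specific: `html.escape` covers HTML text and quoted attribute values; data placed into a JavaScript block, a URL or a CSS value needs the encoder for that context, which is why the slide says to find every place where request input reaches the output.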
5. Buffer Overflow
Many systems put limits on how much data a variable can store or a system can handle. Often, if these limits are exceeded, the data will still be used, but certain security considerations are bypassed. Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code.
Buffer Overflow continued..
Buffer overflow flaws can be present both in the web server or application server products and in the web application itself.
URLs such as: http://www.myweb.com/cgi?param=filename
Replaced with: http://www.myweb.com/cgi?param=<5K_of_Data>
6. SQL Injection
When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into that information. SQL injection is a particularly widespread and dangerous form of injection. To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database.
SQL Injection continued..
- Path traversal: ../ characters as part of a filename request
- Additional commands could be tacked on to the end of a parameter that is passed to a shell script to execute an additional shell command: ; rm -r *
- SQL queries could be modified by adding additional constraints to a where clause: OR 1=1
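As an added example (not code from the C-DAC slides) covering the SQL injection and path traversal points above, in Python with the standard library's sqlite3: a lookup that builds the query text from request data beside the parameterised version, run against the OR 1=1 input from the slide, and a file-name resolver that refuses ../ escapes from its base directory. The table, rows, base directory and inputs are constructed for illustration.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, name):
    """Query text assembled from request data. A quote in the input closes
    the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Placeholder binding: the driver passes the value separately from the
    statement, so it can never change the query's structure."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def safe_join(base_dir, requested):
    """Resolve a user-supplied filename under base_dir.

    Both paths are normalised (so ../ segments and symlinks are resolved)
    and the result must still lie inside base_dir, otherwise the request
    is refused rather than served.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: " + requested)
    return target


# Constructed inputs: the OR 1=1 modifier from the slide and a traversal name.
INJECTED_NAME = "x' OR 1=1 --"
TRAVERSAL_NAME = "../../etc/passwd"
BASE_DIR = "/srv/app/files"      # hypothetical document root

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, INJECTED_NAME))      # every row comes back
    print(lookup_parameterised(conn, INJECTED_NAME))   # no such user: []
    try:
        safe_join(BASE_DIR, TRAVERSAL_NAME)
    except ValueError as err:
        print(err)
```

The same idea as the parameterised query applies to the shell case on the slide: pass arguments to the program as a list (`subprocess.run([...])`) rather than building one command string that a shell parses.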
7. Improper Error Handling
The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker. These messages reveal implementation details that should never be revealed.
Inconsistent errors may reveal internal info:
- File not found vs. Access denied
Improper Error Handling continued..
The errors must be handled according to a well thought out scheme that will:
- provide a meaningful error message to the user
- provide diagnostic information to the site maintainers
- provide no useful information to an attacker
All security mechanisms should deny access until specifically granted, not grant access
Improper Error Handling continued..
A specific policy for how to handle errors should be documented, including:
- The types of errors to be handled
- For each, what information is going to be reported back to the user
- What information is going to be logged
In the implementation, ensure that the site is built to gracefully handle all possible errors. When errors occur, the site should respond with a
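As an added example (not code from the C-DAC slides), an error handler in Python that applies the scheme above: the maintainers get the full detail and a correlation id in the log, the user gets one generic message plus that id, and "not found" and "access denied" produce the same response so probing cannot tell them apart. The generic message, the fake database error and the handler's return shape are constructed for this example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

# Constructed: the single message every unexpected failure shows the user.
GENERIC_MESSAGE = "Something went wrong. Please try again later."


def handle_error(exc, request_path):
    """Apply the error policy to an unexpected exception.

    Returns (status, body, log_record): body is what the user sees, the log
    record is what the maintainers see. The two share only the reference id.
    """
    ref = uuid.uuid4().hex[:12]
    log_record = {
        "ref": ref,
        "path": request_path,
        "type": type(exc).__name__,
        "message": str(exc),
        "trace": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    }
    # Detail goes to the server log only; the user never sees a stack trace,
    # a database message or an internal error code.
    log.error("error %s on %s: %s: %s", ref, request_path,
              log_record["type"], log_record["message"])
    body = {"error": GENERIC_MESSAGE, "reference": ref}
    return 500, body, log_record


def handle_resource_access(exists, user_may_see):
    """Consistent answer for a record that does not exist and a record the
    user may not see: both are 404, so the response leaks neither which ids
    exist nor which ones belong to someone else."""
    if not exists or not user_may_see:
        return 404, {"error": "Not found"}
    return 200, {"ok": True}


class ConstructedDbError(Exception):
    """Stand-in for a database driver error carrying internal detail."""


def simulate_failing_request(path="/account/42"):
    """Drive a request through the handler; constructed failure."""
    try:
        raise ConstructedDbError("login for db user 'app' rejected by db01.internal")
    except ConstructedDbError as exc:
        return handle_error(exc, path)


if __name__ == "__main__":
    status, body, record = simulate_failing_request()
    print(status, body)            # generic message plus reference id
    print(record["message"])       # internal detail stays in the log
```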
8. Insecure Use of Cryptography
Use cryptography to store sensitive information. Algorithms are simple to use; integrating them is hard.
Key Points
- Do not even think about inventing a new algorithm
- Be extremely careful storing keys, certs, and passwords
- Rethink whether you need to store the information
- Don't store user passwords; use a hash like SHA256
9. Remote Administration Flaws
Many sites allow remote administration
- Very powerful, often hidden interfaces
- Difficult to protect
Key Points
- Eliminate all administration over the Internet
- Separate the admin application from the main app
- Limit the scope of remote administration
- Consider strong authentication: smart card or token
10. Web and Application Server Misconfiguration
All web and application servers have many security-relevant configuration options:
- Default accounts and passwords
- Unnecessary default, backup, sample apps, libraries
- Overly informative error messages
- Misconfigured SSL, default certificates, self-signed certs
- Unused administrative services
Key Points:
- Keep up with patches (Code Red, Slammer)
- Use scanning tools (Nikto, Nessus)
Secure your application
Training
- Read the Top Ten paper!
- Get developers trained in web application security
- Try OWASP WebGoat to learn how flaws work
Policy
- Write down the security rules for your application
Reviews
- Get expert code review and penetration test periodically
Keys to secure your application
Customers
- Demand web applications that don't have these ten simple problems
Developers
- Take responsibility for securing your code
Software Development Organizations
- Guarantee that your web applications don't have the top ten flaws
Educators
- Stop teaching insecure coding
Project Managers
- Split your security budget between network and
Tools
- WebScarab: a web application vulnerability assessment suite including proxy tools
- Validation Filters (Stinger for J2EE, filters for PHP): generic security boundary filters that developers can use in their own applications
- CodeSpy: looks for security issues using reflection in J2EE apps
- WebGoat: an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
- WebSphinx: a web crawler looking for security issues in web applications
- OWASP: Java based portal code designed with security as a prime concern
Case Study
Thank You !!