IBMs Application Hacking


Transcript of IBMs Application Hacking

8/3/2019 IBMs Application Hacking

http://slidepdf.com/reader/full/ibms-application-hacking 1/45

IBM Software Group

Discovering the Value of Verifying Web Application

Ong Khai Wei, Rational IT Specialist

[email protected]

© 2009 IBM Corporation


IBM Software Group | Rational software

Objectives

Understand the web application environment

Understand and differentiate between network and application level vulnerabilities

Understand where the vulnerabilities exist

Understand how to leverage AppScan to perform an automated scan for vulnerabilities


Agenda

Security Landscape

Vulnerability Analysis

Automated Vulnerability Analysis

IBM® Rational® AppScan Overview


Security Landscape


Hacking Stage 6 – Wikipedia, Feb 9 2007 (image slide)


Application Security is a Priority

Web applications are the #1 focus of hackers:
XSS and SQL Injection are the #1 and #2 reported vulnerabilities (Mitre)

Most sites are vulnerable:
90% of sites are vulnerable to application attacks (Watchfire)
78% of easily exploitable vulnerabilities affected Web applications (Symantec)
80% of organizations will experience an application security incident by 2010 (Gartner)

Web applications are high value targets for hackers:
Customer data, credit cards, ID theft, fraud, site defacement, etc.

Compliance requirements:
Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA, …


Security Landscape of the Past

Traditional infrastructure was easier to protect . . .
Concrete entities that were easy to understand
Attack surface and vectors were very well‐defined
Application footprint very static
Perimeter defense was king


Changing Security Landscape of Today

“Webification” has changed everything ...
Infrastructure is more abstract and less defined
Everything needs a web interface
Agents and heavy clients are no longer acceptable
Traditional defenses no longer apply


Top Hack Attacks Today Target Applications (image slide)


High Level Web Application Architecture Review (diagram)

Tiers shown: Client Tier (Browser) – Internet – Firewall – App Server (Presentation, Business Logic) – Database
Annotations: Customer App is deployed here (App Server); Sensitive data is stored here (Database); SSL protects Middle Tier transport


Network Defenses for Web Applications (diagram)

Perimeter Security: Firewall – Intrusion Detection System (IDS) – Intrusion Prevention System (IPS) – Application Firewall (App Firewall) – System Security


“We Have Firewalls and IPS in Place” – Port 80 & 443 are open for the right reasons
“We Audit It Once a Quarter with Pen Testers” – Applications are constantly changing
“We Use Network Vulnerability Scanners” – Neglect the security of the software on the network/web
“We Use SSL Encryption” – Only protects data between site and user, not the web application itself


Reality: Security and Spending Are Not in Balance

75% of All Attacks on Information Security are Directed to the Web Application Layer
75% of All Web Applications are Vulnerable (Gartner)


Why Do Hackers Today Target Applications?

Because they know you have firewalls
So it’s not very convenient to attack the network anymore
But they still want to attack ‘cos they still want to steal data …
Because firewalls do not protect against app attacks!
So the hackers are having a field day!

Because web sites have a large footprint
No need to worry anymore about cumbersome IP addresses

Because they can
It is difficult or impossible to write a comprehensively robust application
Developers are yet to have secure coding as second nature
Developers think differently from hackers
Cheap, Fast, Good – choose two, you can’t have it all
It is also a nightmare to manually QA the application
White‐box static code analyzers don’t test for inter‐app relationships
Many companies today still do not have a software security QA policy or resource


Can Happen (image slide; title partially lost)


Application Security Problems Exist

IT security solutions and professionals are normally from the network/infrastructure/sysadmin side
They usually have little or no experience in application development
And developers typically don’t know or don’t care about security or networking
Most companies today still do not have an application security QA policy or resource
IT security staff are focused on other things and are swarmed
App Sec is their job but they don’t understand it and don’t want to deal with it
Developers think it’s not their job or problem to have security in coding
People who outsource expect the 3rd party to security‐QA for them
It is cultural currently to not associate security with coding
“Buffer Overflow” has been around for years
“Input Validation” is still often overlooked.


Vulnerability Analysis


Security Defects: Those We Manage vs. Those We Own

                            | Infrastructure Vulnerabilities or Common Web Vulnerabilities              | Application Specific Vulnerabilities (ASVs)
Cause of Defect             | Insecure application development by 3rd party SW                          | Insecure application development in‐house
Location within Application | 3rd party technical building blocks or infrastructure (web servers, …)    | Business logic – dynamic data consumed by an application
Type(s) of Exploits         | Known vulnerabilities (patches issued), misconfiguration                  | SQL injection, path tampering, cross site scripting, suspect content & cookie poisoning
Detection                   | Match signatures & check for known misconfigurations                      | Requires application specific knowledge
Business Risk               | Patch latency primary issue                                               | Requires automatic application lifecycle security
Cost Control                | As secure as 3rd party software                                           | Early detection saves $$$


The OWASP Top 10 list

Application Threat | Negative Impact | Example Impact
Cross‐Site Scripting | Identity theft, sensitive information leakage, … | Hackers can impersonate legitimate users, and control their accounts.
Injection Flaws | … / LDAP / other system | …, … it or steal it.
Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one)
Cross‐Site Request Forgery | Attacker can invoke “blind” actions on web applications, impersonating a trusted user | Blind requests to bank account transfer money to hacker
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can “force” session token on victim; session tokens can be stolen after logout
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, credit cards) can be decrypted by malicious users
Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials “sniffed” and used by hacker to impersonate user
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access page past the login page


Cross‐Site Scripting

What is it?
Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context

What are the implications?
Session tokens stolen (browser security circumvented)
Complete page content compromised
Future pages in browser compromised


Where it happens

User data is embedded in HTML response
JS is embedded in page, as if originating from the trusted site
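To make the two lines above concrete, here is an added Python example that is not from the IBM deck: a hypothetical greeting page rendered two ways. The vulnerable renderer embeds the user-supplied name straight into the HTML response, so a script tag in the "name" comes back from the trusted site and runs in its context; the safe renderer HTML-encodes the value first. The page names, the sample inputs and the helper check are all constructed for this illustration.

```python
import html

# Constructed sample inputs for the demonstration (not taken from the slides).
BENIGN_NAME = "Alice"
# A script tag supplied where a name was expected; evil() stands in for any attacker script.
MALICIOUS_NAME = "<script>evil()</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Echoes user data straight into the HTML response.

    This is the flaw on the slide: whatever the user sent becomes markup, so a
    script tag is returned by the trusted site and run by the browser in that
    site's context (cookies, session, DOM).
    """
    return f"<html><body><h1>Hello, {name}!</h1></body></html>"


def render_greeting_safe(name: str) -> str:
    """HTML-encodes user data before embedding it in the response.

    html.escape turns < > & " ' into entities, so the browser shows the text
    literally and never parses it as a tag or attribute.
    """
    return f"<html><body><h1>Hello, {html.escape(name, quote=True)}!</h1></body></html>"


def render_search_box_safe(term: str) -> str:
    """Attribute context: with quote=True the encoded value can never close the attribute
    and start a new one (e.g. an injected event handler)."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def contains_executable_script(page: str) -> bool:
    """Crude check used only for this demo: does a raw <script> tag survive in the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME):
        for renderer in (render_greeting_vulnerable, render_greeting_safe):
            page = renderer(name)
            print(f"{renderer.__name__:28} script present: {contains_executable_script(page)}")
            print("    ", page)
```

The benign name renders identically in both versions; the difference only shows when the input carries markup, which is why a scanner (or a code reviewer) has to test with a marker that contains HTML-significant characters rather than ordinary text.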


Cross Site Scripting – The Exploit Process (diagram; actors: User, Bank.com, Evil.org)

1. Link to bank.com sent to user via E‐mail or HTTP
2. … embedded as data
3. Script returned, executed by browser
4. Script sends user’s cookie and session information without the user’s consent or knowledge
5. Evil.org uses stolen session information to impersonate user


Injection Flaws

What is it?
User‐supplied data is sent to an interpreter as part of a command, query or data.

What are the implications?
SQL Injection – Access/modify/delete data in DB
SSI Injection – Execute commands on server and access sensitive data
LDAP Injection – Bypass authentication
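The SQL case of "user-supplied data sent to an interpreter as part of a query", as an added Python example that is not part of the deck. A hypothetical login check is written twice against an in-memory SQLite table: once by string concatenation, where a quote in the password becomes SQL syntax and the classic tautology bypasses authentication, and once with bound parameters, where the same input is just a string that matches nothing. The table, the user row and the inputs are constructed for the illustration.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Builds an in-memory users table with one constructed row.

    The password is stored in clear only to keep the demo short; a real
    application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: user input becomes part of the SQL itself.

    A password value of  ' OR '1'='1  turns the WHERE clause into
        username = 'alice' AND password = '' OR '1'='1'
    which is always true, so the check passes without the real password.
    """
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sends the SQL and the data separately: the driver binds the values, so
    quotes inside them are ordinary characters, never SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed inputs: the genuine password, a wrong one, and the textbook tautology.
GOOD_PASSWORD = "correct horse battery"
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Runs both login functions against the inputs and returns who got in."""
    conn = make_demo_db()
    return {
        "vulnerable/real password": login_vulnerable(conn, "alice", GOOD_PASSWORD),
        "vulnerable/wrong password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable/tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "parameterized/real password": login_parameterized(conn, "alice", GOOD_PASSWORD),
        "parameterized/tautology": login_parameterized(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} logged in: {outcome}")
```

The same separation of code from data is the fix for the LDAP and SSI cases on the slide: the interpreter must receive user input only as a value, never as part of the statement it parses.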

Injection Example (image slide)

Injection Example (image slide)

Injection Example – Exploit (image slide)

Injection Example – Outcome (image slide)

Automated Vulnerability Analysis

IBM® Rational® AppScan

Collaborative Application Lifecycle Management (diagram)

SDLC Quality Assurance: Quality Dashboard; Create Plan, Build Tests, Manage Test Lab, Report Results
Test Management and Execution; Defect Management; Requirements Management
Open Platform; TEAM SERVER; Best Practice Processes
Functional Testing; Performance Testing; Web Service Quality; Code Quality; Security and Compliance
Open Lifecycle Service Integrations: home grown, Java, System z, i, SAP, .NET

AppScan – Rational Portfolio (diagram; swim lanes: BUSINESS, DEVELOPMENT, OPERATIONS)

Test and Change Management – Requirements: Rational RequisitePro; Test: Rational ClearQuest; Change: Rational ClearQuest; Defects: Rational ClearQuest
Developer Test: Rational PurifyPlus; Rational Test RealTime
Functional Test – Automated: Rational Functional Tester Plus, Rational Robot; Manual: Rational Manual Tester
Performance Test: Rational Performance Tester
Security and Compliance Test: AppScan, Rational PolicyTester
Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports

Rational AppScan

What is it?
AppScan is an automated tool used to perform vulnerability assessments on Web applications
To simplify finding and fixing web application security problems

What does it do?
Scans web applications, finds security issues and reports on them in an actionable fashion

Who uses it?
Security Auditors – main users today
QA engineers – when the auditors become the bottleneck
Developers – to find issues as early as possible (most efficient)


How does AppScan work?

Approaches an application as a black‐box
Traverses a web application and builds the site model
Determines the attack vectors based on the selected Test policy
Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules

(Diagram: HTTP Request – Web Application)
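The four steps above, as an added Python example that is not AppScan's code: a hypothetical in-memory web application (its pages, links and two weaknesses are constructed for the illustration) is reachable only through http_get, so the scanner works black-box; build_site_model traverses the links and records which parameters each page accepts, TEST_POLICY lists the attack vectors together with the validation rule for each, and scan sends the modified requests and applies the rules to the responses.

```python
import html
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

Response = Tuple[int, str]                      # (HTTP status, body)
Handler = Callable[[Dict[str, str]], Response]


# --- Hypothetical target application, constructed for this example -----------------
def home_page(params: Dict[str, str]) -> Response:
    return 200, ("<html><body><a href='/search?q=shoes'>search</a> "
                 "<a href='/product?id=1'>product</a></body></html>")


def search_page(params: Dict[str, str]) -> Response:
    q = params.get("q", "")
    return 200, f"<html><body>Results for: {q}</body></html>"      # echoes q unencoded


def product_page(params: Dict[str, str]) -> Response:
    pid = params.get("id", "1")
    if "'" in pid:   # stands in for a concatenated SQL query that fails on a stray quote
        return 500, "SQLite error: unrecognized token near \"'\""
    return 200, f"<html><body>Product {html.escape(pid)}</body></html>"


SITE: Dict[str, Handler] = {"/": home_page, "/search": search_page, "/product": product_page}


def http_get(url: str) -> Response:
    """Black-box access: the scanner sees only requests and responses, never the handlers."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path)
    if handler is None:
        return 404, "not found"
    return handler(dict(parse_qsl(parts.query)))


# --- Step 1: traverse the application and build the site model ---------------------
def build_site_model(start: str = "/") -> Dict[str, List[str]]:
    """Follows href links breadth-first; records each path and the parameter names it takes."""
    model: Dict[str, List[str]] = {}
    queue, seen = [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = http_get(url)
        if status != 200:
            continue
        parts = urlsplit(url)
        params = model.setdefault(parts.path, [])
        for name, _ in parse_qsl(parts.query):
            if name not in params:
                params.append(name)
        queue.extend(re.findall(r"href='([^']+)'", body))
    return model


# --- Step 2: the test policy: what to send, and the validation rule for the reply ---
PROBE = "zqx<probe>zqx"   # unusual marker; the rule looks for it coming back untouched
TEST_POLICY: List[Tuple[str, str, Callable[[int, str], bool]]] = [
    ("Reflected XSS", PROBE,
     lambda status, body: PROBE in body),                        # marker reflected unencoded
    ("SQL error disclosure", "1'",
     lambda status, body: status >= 500
     and re.search(r"SQL|syntax|unrecognized token", body) is not None),
]


# --- Step 3: send modified requests for every parameter and apply the rules ---------
def scan(model: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Returns (test name, path, parameter) for each validation rule that fires."""
    findings = []
    for path, params in model.items():
        for param in params:
            for test_name, payload, rule in TEST_POLICY:
                status, body = http_get(f"{path}?{param}={payload}")
                if rule(status, body):
                    findings.append((test_name, path, param))
    return findings


if __name__ == "__main__":
    site_model = build_site_model()
    print("site model:", site_model)
    for finding in scan(site_model):
        print("finding:", finding)
```

Note that the product page encodes its output, so the XSS marker does not fire there, while the search page reflects it unchanged; the validation rule is what turns a response into a finding, and a rule that is too loose (matching the marker after encoding, or any 500 status) is where false positives come from.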

 

AppScan Goes Beyond Pointing Out Problems (image slide)

Configuration Wizard (image slide)

Scanning Progress (image slide)

Identify Vulnerabilities (image slide)

Fix Most Important (image slide)

Reports (image slide)

AppScan with Defect Logger for ClearQuest (image slide)

Session summary

Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Hands on exercises to understand types of vulnerabilities
Hands on exercise to leverage automated scan for vulnerabilities