Is the Web at Risk?
Transcript of Is the Web at Risk?
ISCTE-IUL/SoTA/ADETTI-IUL
Instituto Superior de Ciências do Trabalho e da Empresa Instituto Universitário de Lisboa
School of Technology and Architecture ADETTI-IUL
Carlos Serrão [email protected] [email protected]
http://www.carlosserrao.net http://blog.carlosserrao.net http://www.linkedin.com/in/carlosserrao
is the web @ risk? World Internet Project Meeting 2010
Is the Web … … at risk? … a risk? … putting YOU at risk?
WHY? WHEN? HOW?
The Internet…
… and the WWW,
in the beginning.
in the beginning...
Vinton Gray Cerf Robert Elliot Kahn
… a.k.a. the “Internet fathers”
The Internet was created…
… as a ubiquitous
… decentralized
… standardized
… global
… interconnected
… digital
… communications channel.
in the beginning...
… a.k.a. the “WWW father”
(Sir) Tim Berners Lee
The WWW was created!
A system of interlinked hypertext documents accessed via the Internet.
Infinite worldwide knowledge access.
growth
(1) Small data part on a specific web-site (or limited number of web-sites); applications on the desktop; most data is on the desktop; data processing on the desktop.
(2) Large amounts of data on a large number of sites; applications on the desktop and Web (more and more); part of the data still on the desktop (but also mobile); data processing on the desktop, but also on the web.
(3) Data on the Cloud; applications on the Web and Cloud; data almost nonexistent on the desktop (still on mobile); data processing almost nonexistent.
evolving, growing
user
network
security++
what do we have today? anti-virus, anti-malware, anti-spyware, firewalls, intrusion detection systems… are they enough?
security++
YES, but… do they protect the user from the web applications?
can a Web application be compromised to hurt legitimate users?
sure it can.
security++
How? Do you trust your favorite web applications? Google, Gmail
Do you trust your favorite social web applications? Facebook, Twitter
Do you trust your home banking? Do you trust your government websites?
security++
[Diagram: APPLICATION ATTACK. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Developed Application Code in front of Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.]
The security perimeter has huge security holes in the application layer
implications…
security trends
problem types typical problems on web apps
the security risks
http://www.owasp.org/index.php/Top_10
security risks
considering the three most important: A1: Injection, A2: Cross Site Scripting (XSS), A5: Cross Site Request Forgery (CSRF)
A1: Injection
what if?
A1: Injection
what if?
SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be'
A1: Injection
what if?
any input from the web app user can be an attack vector
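The "what if?" above is the classic login query with the username field set to admin';-- : the quote closes the string and the comment marker removes the password check. The following is an added example, not code from the talk, showing the same query built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (table name, columns and the password hash are all made up here; the slide's hash is a SHA-1 value, this one is SHA-256 of a made-up password):

```python
import hashlib
import sqlite3

# Constructed: SHA-256 of a made-up password, standing in for the hash shown on the slide.
ADMIN_HASH = hashlib.sha256(b"constructed-secret").hexdigest()

# The slide's payload: closes the quoted string, then comments out the password check.
INJECTED_USERNAME = "admin';--"
# The attacker does not know the real password hash, so sends garbage.
WRONG_HASH = "0" * 64


def make_db():
    """Constructed in-memory stand-in for the web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    conn.commit()
    return conn


def build_query_vulnerable(username, password_hash):
    # String concatenation: the user's input becomes part of the SQL text,
    # so quotes and comment markers in it change the statement's structure.
    return ("SELECT * FROM users usr WHERE usr.username = '%s' "
            "AND usr.password='%s'" % (username, password_hash))


def login_vulnerable(conn, username, password_hash):
    return conn.execute(build_query_vulnerable(username, password_hash)).fetchone()


def login_parameterized(conn, username, password_hash):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so "admin';--" is compared literally against the username column.
    sql = ("SELECT * FROM users usr WHERE usr.username = ? "
           "AND usr.password = ?")
    return conn.execute(sql, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print(build_query_vulnerable(INJECTED_USERNAME, WRONG_HASH))
    print("vulnerable   :", login_vulnerable(conn, INJECTED_USERNAME, WRONG_HASH))
    print("parameterized:", login_parameterized(conn, INJECTED_USERNAME, WRONG_HASH))
```

Running it prints the same truncated statement the slide shows; the concatenated version returns the admin row without any password, while the parameterized version returns nothing because no user is literally named admin';--.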
A2: Cross Site Scripting (XSS)
injecting a malicious payload into the web app from the end-user side, to be delivered to other users (victims)
A2: Cross Site Scripting (XSS)
Application with stored XSS vulnerability
1. Attacker sets the trap – "update my profile": the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page – sees the attacker's profile.
3. The script silently sends the victim's session cookie to the attacker.
The script runs inside the victim's browser with full access to the DOM and cookies.
[Diagram: Custom Code in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.]
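The trap in the diagram works because the stored profile text is written into the page exactly as the attacker typed it. The following added example (not from the talk; the profile fields, template and cookie name are constructed) renders the same profile page twice, once by plain concatenation and once with output encoding, and shows the HttpOnly cookie attribute that keeps the session identifier out of reach of any script that does run:

```python
import html

# Constructed sample profiles. Mallory's "about" field is the stored trap;
# the payload is a harmless marker rather than the cookie-stealing script
# the slide describes.
PROFILES = {
    "bob": {"name": "Bob", "about": "I like cycling & coffee"},
    "mallory": {"name": "Mallory", "about": "<script>alert('xss')</script>"},
}

TEMPLATE = '<h1>{name}</h1><div class="about">{about}</div>'


def render_profile_vulnerable(profile):
    # Stored data is concatenated into the page unchanged, so a <script>
    # stored by one user executes in every visitor's browser.
    return TEMPLATE.format(name=profile["name"], about=profile["about"])


def render_profile_safe(profile):
    # Output encoding: every user-supplied value is HTML-escaped before it is
    # written into element content, so the browser shows the text instead of
    # parsing it as markup. quote=True also covers attribute contexts.
    return TEMPLATE.format(name=html.escape(profile["name"], quote=True),
                           about=html.escape(profile["about"], quote=True))


def session_cookie_header(value):
    # Defence in depth: HttpOnly keeps the cookie out of document.cookie, so a
    # script that does run cannot read the session identifier; Secure and
    # SameSite restrict where the browser will send it.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax" % value


def contains_active_script(page):
    # Crude marker used only to contrast the two renderers; not an XSS detector.
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, profile in PROFILES.items():
        print(name, "vulnerable:", render_profile_vulnerable(profile))
        print(name, "safe      :", render_profile_safe(profile))
    print(session_cookie_header("constructed-session-id"))
```

Escaping is context-dependent: html.escape is correct for element content and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context.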
A5: Cross Site Request Forgery (CSRF)
an attacker can build their own malicious website and initiate requests from the user's browser
A5: Cross Site Request Forgery (CSRF)
1. Attacker sets the trap on some website on the internet (or simply via an e-mail). A hidden <img> tag contains the attack against the vulnerable site.
2. While logged into the vulnerable site, the victim views the attacker's site. The <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site.
3. The vulnerable site sees a legitimate request from the victim and performs the action requested.
[Diagram: Custom Code in front of Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.]
Application with CSRF vulnerability
A5: Cross Site Request Forgery (CSRF)
Alice transfers 100€ to Bob through bank.com
POST http://bank.com/transfer.do HTTP/1.1 ... ... ... Content-Length: 19;
acct=BOB&amount=100
The pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters: GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
and will try to use Alice to transfer 100.000€ to an account of their own: http://bank.com/transfer.do?acct=MARIA&amount=100000
sends an HTML email to Alice with a URL to click: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
or sends an HTML email to Alice with an image that hides the attack: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
If Alice is authenticated at bank.com with an active session, the transfer is performed.
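The bank.com handler above accepts the transfer because it checks nothing beyond the session cookie the browser attaches automatically. The following added example (not from the talk; the request model, account names, balances and session store are all constructed) simulates transfer.do twice: once as the vulnerable handler, and once hardened to require POST plus a per-session anti-CSRF token, which the attacker's page or e-mail cannot know:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the bank's server sees it."""
    method: str
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)


# Constructed state: Alice's balance is large enough for both transfers.
ACCOUNTS = {"ALICE": 200000, "BOB": 0, "MARIA": 0}
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf": ...}


def login(user):
    # Creates a session and binds a random CSRF token to it; the bank's own
    # transfer form embeds that token as a hidden field.
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def do_transfer(src, dst, amount):
    if ACCOUNTS[src] < amount:
        return "400 insufficient funds"
    ACCOUNTS[src] -= amount
    ACCOUNTS[dst] += amount
    return "200 transferred %d from %s to %s" % (amount, src, dst)


def transfer_vulnerable(req):
    # Accepts GET or POST and trusts the session cookie alone: exactly what the
    # hidden <img> on the slide relies on.
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    return do_transfer(session["user"], req.params["acct"], int(req.params["amount"]))


def transfer_hardened(req):
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"  # no transfers via <img> or links
    if not secrets.compare_digest(req.params.get("csrf", ""), session["csrf"]):
        return "403 missing or wrong CSRF token"  # another origin cannot read it
    return do_transfer(session["user"], req.params["acct"], int(req.params["amount"]))


def forged_img_request(alice_sid):
    # What Alice's browser sends when it loads the hidden <img>: a GET that
    # carries her session cookie but nothing the attacker had to know.
    return Request("GET", "/transfer.do",
                   {"acct": "MARIA", "amount": "100000"}, {"session": alice_sid})


def legitimate_request(alice_sid):
    # Alice's own POST from the bank's form, token included.
    return Request("POST", "/transfer.do",
                   {"acct": "BOB", "amount": "100", "csrf": SESSIONS[alice_sid]["csrf"]},
                   {"session": alice_sid})


if __name__ == "__main__":
    sid = login("ALICE")
    print(transfer_hardened(legitimate_request(sid)))
    print(transfer_hardened(forged_img_request(sid)))
    print(transfer_vulnerable(forged_img_request(sid)))
    print(ACCOUNTS)
```

The token check works because the browser's same-origin policy stops the attacker's page from reading the bank's form; SameSite cookies and an Origin/Referer check are common additional layers, but the synchronizer token alone already defeats both the link and the image variant on the slide.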
consequences
This is serious!!!
And we are just looking at the tip of the iceberg!
[quick] conclusions
Extra care with the web applications you trust your data to
Extra care in the way you handle your email
Always be suspicious of anything "strange" on the web
Web-app developers, take care in what you do – your code is part of the security perimeter