Is the Web at Risk?


description

A very short presentation held at the WIP2 workshop in Lisbon. This presentation talks about the security trends on the new WWW.

Transcript of Is the Web at Risk?

Page 1: Is the Web at Risk?

ISCTE-IUL/SoTA/ADETTI-IUL

Instituto Superior de Ciências do Trabalho e da Empresa Instituto Universitário de Lisboa

School of Technology and Architecture ADETTI-IUL

Carlos Serrão [email protected] [email protected]

http://www.carlosserrao.net http://blog.carlosserrao.net http://www.linkedin.com/in/carlosserrao

is the web @ risk ? World Internet Project Meeting 2010

Page 2: Is the Web at Risk?

Is the Web … … at risk? … a risk? … putting YOU at risk?

WHY? WHEN? HOW?

Page 3: Is the Web at Risk?

The Internet…

… and the WWW,

in the beginning.

Page 4: Is the Web at Risk?

in the beginning...

Vinton Gray Cerf Robert Elliot Kahn

… a.k.a. the “Internet fathers”

Page 5: Is the Web at Risk?

The Internet was created…

… as a ubiquitous

… decentralized

… standardized

… global

… interconnected

… digital

… communications channel.

Page 6: Is the Web at Risk?

in the beginning...

… a.k.a. the “WWW father”

(Sir) Tim Berners-Lee

Page 7: Is the Web at Risk?

The WWW was created!

A system of interlinked hypertext documents accessed via the Internet.

Infinite worldwide knowledge access.

Page 8: Is the Web at Risk?

growth

Page 9: Is the Web at Risk?

Small data part on a specific web-site (or limited number of web-sites)
Applications on the desktop
Most data is on the desktop
Data processing on the desktop

Large amounts of data on a large number of sites
Applications on the desktop and Web (more and more)
Part of the data still on desktop (but also mobile)
Data processing on the desktop, but also on the web

Data on the Cloud
Applications on the Web and Cloud
Data almost inexistent on the desktop (still on mobile)
Data processing almost inexistent

(figure: the three stages above laid out along two axes, user and network, labelled “evolving, growing”)

Page 12: Is the Web at Risk?

security++

what do we have today?

anti-virus, anti-malware, anti-spyware, firewalls, intrusion detection systems, …

are they enough?

Page 13: Is the Web at Risk?

security++

YES, but… do they protect the user from the web applications?

can a Web application be compromised to hurt legitimate users?

sure it can.

Page 14: Is the Web at Risk?

security++

How? Do you trust your favorite web-applications? Google, Gmail

Do you trust your favorite social-web applications? Facebook, Twitter

Do you trust your homebanking? Do you trust your government web-sites?

Page 15: Is the Web at Risk?

security++

(figure: an APPLICATION ATTACK passing through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer, where the Custom Developed Application Code sits in front of Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing)

The security perimeter has huge security holes in the application layer

Page 16: Is the Web at Risk?

implications…

Page 17: Is the Web at Risk?

security trends

problem types: typical problems on web apps

Page 18: Is the Web at Risk?

the security risks

http://www.owasp.org/index.php/Top_10

Page 19: Is the Web at Risk?

security risks

considering the three most important:

A1: Injection

A2: Cross Site Scripting (XSS)

A5: Cross Site Request Forgery (CSRF)

Page 20: Is the Web at Risk?

A1: Injection

what if?

Page 21: Is the Web at Risk?

A1: Injection

what if?

SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be'

Page 22: Is the Web at Risk?

A1: Injection

what if?

Page 23: Is the Web at Risk?

any input from the web app user can be an attack vector
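The login query from slide 21, built both ways, as an added example that is not code from the presentation: the concatenated form lets the username admin';-- close the WHERE clause and turn the password check into an SQL comment, while the parameterised form treats the same input as plain data. The in-memory SQLite table, the sample password and the function names are constructed for this example.

```python
import hashlib
import sqlite3


# Constructed sample database (not from the presentation): one admin row whose
# password column holds a SHA-1 hex digest, as the slide's query suggests.
# Unsalted SHA-1 mirrors the slide only; real code needs a slow, salted hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha1(b"correct-horse").hexdigest()))
    return conn


def build_query_vulnerable(username, password):
    """Glues user input straight into the SQL text, the pattern slide 21 shows."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    return ("SELECT * FROM users usr WHERE usr.username = '" + username
            + "' AND usr.password='" + pw_hash + "'")


def login_vulnerable(conn, username, password):
    """With the username admin';-- the statement ends right after the username
    test; the rest of the line, password comparison included, is a comment."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so a quote or ;-- inside the username is only a string to compare."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None
```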

Page 24: Is the Web at Risk?

A2: Cross Site Scripting (XSS)

injecting a malicious payload into the web app from the end-user side, so that it is delivered to other users (the victims)

Page 25: Is the Web at Risk?

A2: Cross Site Scripting (XSS)

Application with stored XSS vulnerability

1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server

2. Victim views page – sees attacker profile: the script runs inside the victim’s browser with full access to the DOM and cookies

3. Script silently sends the attacker the victim’s session cookie

(figure: the stored script lives in the Custom Code that fronts the application’s business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions)
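The stored-XSS flow from slide 25 in miniature, as an added example that is not code from the presentation: a profile field is stored verbatim, rendered once unchanged and once HTML-encoded, and the session cookie is issued HttpOnly so that a script which does run cannot read it. The profile store, the user names and the cookie name sid are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed profile store standing in for the "update my profile" feature
# on the slide (example code, not from the presentation).
PROFILES = {}


def update_profile(user, bio):
    """Step 1: the server stores whatever the user submitted, verbatim."""
    PROFILES[user] = bio


def render_profile_vulnerable(user):
    """Step 2, vulnerable form: the stored bio is pasted into the page unchanged,
    so markup in it is parsed and a <script> in it runs in the viewer's browser."""
    return "<div class='bio'>" + PROFILES[user] + "</div>"


def render_profile_safe(user):
    """Same page with output encoding for an HTML text context: '<', '>', '&'
    and quotes become entities at render time, so the browser shows the text
    instead of parsing it. Attribute or JavaScript contexts need their own encoding."""
    return "<div class='bio'>" + html.escape(PROFILES[user], quote=True) + "</div>"


def session_cookie_header(session_id):
    """Defence in depth for step 3: HttpOnly keeps the session cookie out of
    document.cookie, so injected script cannot read it; Secure and SameSite
    limit where the browser will send it."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    return c.output(header="").strip()
```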

Page 26: Is the Web at Risk?

A5: Cross Site Request Forgery (CSRF)

an attacker can build their own malicious website and initiate requests from the user’s browser

Page 27: Is the Web at Risk?

A5: Cross Site Request Forgery (CSRF)

Application with CSRF vulnerability

1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site

2. While logged into the vulnerable site, the victim views the attacker site: the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site

3. The vulnerable site sees a legitimate request from the victim and performs the action requested

(figure: the request lands in the Custom Code that fronts the application’s business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions)

Page 28: Is the Web at Risk?

A5: Cross Site Request Forgery (CSRF)

Alice transfers 100€ to Bob through bank.com:

POST http://bank.com/transfer.do HTTP/1.1
...
Content-Length: 19

acct=BOB&amount=100

The pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters:

GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

He will try to use Alice to transfer 100.000€ to his own account: http://bank.com/transfer.do?acct=MARIA&amount=100000

He sends an HTML email to Alice with a URL to click: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

or he sends an HTML email to Alice with an image that hides the attack: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

If Alice is authenticated at bank.com with an active session, the transfer is performed.
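The bank.com transfer.do endpoint from slide 28, modelled twice as an added example that is not code from the presentation: the vulnerable version executes any request that carries Alice’s session cookie, whether the parameters arrive in a POST body or in the URL of the pirate’s <img> tag; the hardened version only accepts a POST whose body carries a CSRF token bound to Alice’s session, which the pirate’s page cannot know. The session store, the request dictionaries and the cookie name are constructed for this example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session store (example code, not from the presentation):
# session id -> logged-in user plus a per-session CSRF token.
SESSIONS = {}


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _form(encoded):
    """Decode application/x-www-form-urlencoded data into a flat dict."""
    return {k: v[0] for k, v in parse_qs(encoded or "").items()}


def transfer_vulnerable(req):
    """transfer.do as the slide describes it: any request carrying a valid session
    cookie is executed, and parameters are accepted from the URL or the body."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "401 not logged in"
    params = _form(urlsplit(req["url"]).query)
    params.update(_form(req.get("body")))
    return f"transferred {params['amount']} from {sess['user']} to {params['acct']}"


def transfer_safe(req):
    """Hardened transfer.do: state changes only via POST, so an <img> or a link
    cannot trigger one; parameters only from the body; and the body must carry
    the CSRF token bound to the session, which blocks forged POSTs as well."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "401 not logged in"
    if req["method"] != "POST":
        return "405 state change requires POST"
    params = _form(req.get("body"))
    supplied = params.get("csrf", "").encode()
    if not secrets.compare_digest(supplied, sess["csrf"].encode()):
        return "403 missing or invalid CSRF token"
    return f"transferred {params['amount']} from {sess['user']} to {params['acct']}"
```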

Page 29: Is the Web at Risk?

consequences

This is serious!!!

And we are just looking at the tip of the iceberg!

Page 30: Is the Web at Risk?

[quick] conclusions

Extra care with the web applications you trust with your data

Extra care in the way you handle your email

Always be suspicious of anything “strange” on the web

WebApp developers: take care with what you do – your code is part of the security perimeter