Top web apps security vulnerabilities
Top Web Apps Security Vulnerabilities
Aleksandar Bozinovski, Technical Lead, Seavus

Agenda
Importance of Web Security
HTTP, Sessions, Cookies
Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Direct Object References
Famous Quote
"Every program has at least two purposes: the one for which it was written, and another for which it wasn't." - Alan J. Perlis

Alan Jay Perlis was a computer scientist known for his pioneering work in programming languages and the first recipient of the Turing Award (the Nobel prize of computing).

A big part of web application security testing involves attempts to force an application to function in a way it was not intended to.
string query = "INSERT INTO Students VALUES ('" + txtName.Text + "','" + txtSSN.Text + "')";

// Attack: the name field receives  Robert'); DROP TABLE Students;--
// (the leading quote closes the string literal the code opened)
// Resulting statement sent to the database:
INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--','12345')
Website Security Statistics
HTTP
Hypertext Transfer Protocol: the language of the Web, the protocol used for communication between web browsers and web servers.
Standard: RFC 1945, 1996
URL: Uniform Resource Locator (a form of URI, Uniform Resource Identifier)
Methods: GET, POST, PUT, HEAD, OPTIONS

Statelessness, Cookies
HTTP is by nature a stateless protocol: from one web page to the next there is nothing in the protocol that allows a web program to maintain program state (the way a desktop program does). State can still be maintained by witchery or trickery if it is needed.
Cookie: a piece of data sent from a website and stored in the user's web browser while the user is browsing that website. The server sets the cookie in a response; the client includes the cookie in the HTTP headers of subsequent requests to the server.
Example cookie: ASP.NET_SessionId=haay355s5g0vm5zotvlncqpr
Session Cookie Hijacking
OWASP Top 10
Enter OWASP, the Open Web Application Security Project, a non-profit charitable organisation established with the express purpose of promoting secure web application design.
OWASP was started on September 9, 2001 by Mark Curphey and Dennis Groves. From late 2003 until September 2011 Jeff Williams served as the volunteer Chair of OWASP. The current chair is Michael Coates, and the vice chair is Eoin Keary. The OWASP Foundation, a 501(c)(3) organization (in the USA), was established in 2004 and supports the OWASP infrastructure and projects.
Injection
OWASP Definition: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

SQL Injection
Happens when we build a query but fail to validate and sanitize untrusted input data. Queries constructed by concatenating strings are vulnerable to SQL Injection.
SQL Queries
var categoryId = Request.QueryString["CategoryId"];
var sql = "SELECT * FROM Products WHERE CategoryID=" + categoryId;

// If we enter "7 OR 1=1" in the query string we end up with:
SELECT * FROM Products WHERE CategoryID=7 OR 1=1

// An attacker can use ; to terminate the current command and run their own commands:
SELECT * FROM Products WHERE CategoryID=7; DROP TABLE Products
Prevent SQL Injection
Validate untrusted data. If the input is supposed to be a number, convert it to a number or check it with a regex.
Use parameterized SQL queries instead of string soup.
Using stored procedures is also a good idea, but keep in mind that stored procedures are just as vulnerable if they concatenate strings on their own.
Use ORMs (like Entity Framework) that are inherently resistant to SQL Injection.
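The first two defences (validate the type, then parameterize) applied to the CategoryId query from the earlier slide, as an added example that is not part of the original slides; the connection string and the Products column names are assumptions:

```csharp
// Added example (not from the original slides): the CategoryId lookup
// rewritten so user input never becomes part of the SQL text.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductRepository
{
    // Assumed connection string; replace with your own.
    private const string ConnectionString =
        "Server=.;Database=Northwind;Integrated Security=true";

    // The vulnerable shape from the slides, kept only for contrast: the raw
    // value is pasted into the command text, so "7 OR 1=1" changes the query.
    public static string BuildVulnerableSql(string categoryId)
    {
        return "SELECT * FROM Products WHERE CategoryID=" + categoryId;
    }

    // Hardened version: validate the type first, then bind a parameter.
    public static DataTable GetProductsByCategory(string rawCategoryId)
    {
        // 1. Validate: the id must be an integer. "7 OR 1=1" and
        //    "7; DROP TABLE Products" are rejected right here.
        int categoryId;
        if (!int.TryParse(rawCategoryId, out categoryId))
            throw new ArgumentException("CategoryId must be an integer.");

        var result = new DataTable();
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(
            "SELECT ProductID, ProductName, UnitPrice FROM Products WHERE CategoryID = @categoryId",
            connection))
        {
            // 2. Parameterize: the value travels to SQL Server separately from
            //    the statement text, so it can never be parsed as SQL.
            command.Parameters.Add("@categoryId", SqlDbType.Int).Value = categoryId;

            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```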
Other Injection Attacks
LDAP Injection
string ldapSearch = "(cn=" + txtSearchTerm.Text + ")";
Dynamic LINQ Injection
string where = "Table.Contains(\"" + search + "\")";
XPath Injection
string loginExpression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
Cross-Site Scripting (XSS)
OWASP Definition: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Types of XSS Attacks
Stored XSS: the injected code is permanently stored on the target servers. Users should not be able to create message content that causes another user to load an undesirable page or undesirable content when that message is retrieved.
Reflected XSS: the injected code is reflected off the web server, for example in an error message or a search result. Reflected attacks are delivered to victims via another route, such as an e-mail message or some other web server.
Built-in protection
Modern browsers and servers employ many first-line defenses against XSS by default:
ASP.NET Request Validation, present since version 2.0. In ASP.NET 4.0 it is enabled for all types of requests, not just pages. To turn it off we must revert to the older mode with requestValidationMode="2.0".
Output encoding. The MVC Razor view engine encodes everything by default; XSS is possible only if we use @Html.Raw().
The AntiXSS library is included by default in ASP.NET Web Forms 4.5 and can be retrofitted on older web apps.
Google Chrome has built-in anti-XSS protection.
Cross-Site Request Forgery
OWASP Definition: A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

How CSRF works
Authenticated sessions are persisted via cookies; the cookie is sent with every request to the domain.
The attacking site recreates a legitimately formed request to the target site, although the request carries a malicious payload (query string parameters or post data).
The victim's browser is tricked into issuing the request; for all intents and purposes, the target website views it as a legitimate request.
To mitigate this risk, we can add randomness via a CSRF token.
A token is a random string known both to the legitimate page where the form is and to the browser via a cookie; a forged request from another site can send the cookie but cannot supply the matching form value.
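The token mechanism just described, as ASP.NET MVC 5 implements it with its built-in anti-forgery support; this is an added example, not code from the original slides, and the AccountController, its view and the in-memory store are assumptions:

```csharp
// Added example (not from the original slides): a state-changing action
// protected with the synchronizer token pattern. The Razor view that posts
// here must render @Html.AntiForgeryToken(), which emits the hidden
// __RequestVerificationToken field and the matching cookie in one go.
using System.Collections.Concurrent;
using System.Web.Mvc;

public class AccountController : Controller
{
    // Stand-in for the real user store (assumed).
    private static readonly ConcurrentDictionary<string, string> Emails =
        new ConcurrentDictionary<string, string>();

    // GET /Account/ChangeEmail renders the form. The view is assumed to contain:
    //   @using (Html.BeginForm()) {
    //       @Html.AntiForgeryToken()
    //       <input name="newEmail" />
    //       <button type="submit">Save</button>
    //   }
    [HttpGet]
    [Authorize]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // POST /Account/ChangeEmail. ValidateAntiForgeryToken compares the hidden
    // form field with the __RequestVerificationToken cookie (and, in MVC 4+,
    // checks that both were issued for the logged-on user name). A request
    // forged from another site carries the cookie, because the browser
    // attaches it automatically, but cannot read or reproduce the form field,
    // so the filter throws HttpAntiForgeryException before this body runs.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // Only reached for a genuine submission from our own rendered form.
        Emails[User.Identity.Name] = newEmail;
        return RedirectToAction("Index", "Home");
    }
}
```

Without [ValidateAntiForgeryToken] the POST action accepts any request that arrives with a valid session cookie, which is exactly the condition a CSRF attack satisfies.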
Security Misconfiguration
OWASP Definition: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

Keep up to date
Your servers: Windows Server 2012 is arguably more secure than Windows Server 2003.
Client browsers (if applicable): modern browsers include built-in defenses against the most prevalent attacks.
Keep your frameworks up to date.
Set Custom Errors, hide the YSOD (Yellow Screen of Death)

Turn Off Tracing
Keep in mind that Trace.axd usually is not protected by authentication. Search on Google for: inurl:trace.axd

Also don't forget to turn off
ELMAH: cases with unprotected ELMAH handlers are notorious. Google dork: inurl:elmah.axd
DEBUG: it carries performance penalties and, although not a direct security risk on its own, beware of #if DEBUG statements that can disclose information.
Also don't forget to turn off
Script execution on folders where it is not needed: usually the folders where documents or uploaded files are kept, unless you use the App_Data folder.
HTTP access to logs: log files can disclose many sensitive details about your web app. It's best to keep them outside the web app root; if that is not possible, at least keep them in App_Data.
Insecure Direct Object References
OWASP Definition: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Direct Object References
A direct object reference is an observable key used to identify an individual record in the database:
http://northwind.com/Products?catId=1
http://northwind.com/Products?catId=3
http://northwind.com/Products?catId=8

Another example:
http://webapp.com/Download?f=DSC01031.JPG
http://webapp.com/Download?f=DSC01032.JPG
http://webapp.com/Download?f=DSC01033.JPG

Prevention
Implement proper access control.
Validate user data.
Implement security checks before using an object reference.
Access via undiscoverable surrogate keys.
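The Download endpoint above rebuilt around the four prevention points (a random surrogate key in the URL, validation of that key, an ownership check before the reference is used, and a path built from the stored name rather than the request), as an added example that is not from the original slides; IFileStore and FileRecord are assumed types standing in for the app's data layer:

```csharp
// Added example (not from the original slides): /Download?key=<guid> instead
// of /Download?f=DSC01031.JPG, so neighbouring records cannot be enumerated.
using System;
using System.IO;
using System.Web.Mvc;

public class DownloadController : Controller
{
    private readonly IFileStore _files;   // assumed data-access abstraction

    public DownloadController(IFileStore files) { _files = files; }

    [Authorize]
    public ActionResult Index(string key)
    {
        // 1. Validate the shape of the reference before using it. Keys are
        //    Guids we generated at upload time, so anything else is rejected.
        Guid token;
        if (!Guid.TryParse(key, out token))
            return new HttpStatusCodeResult(400);

        // 2. Resolve the surrogate key server-side. The client never names a
        //    file, so "../web.config" or a neighbour's DSC01032.JPG cannot be
        //    requested directly.
        FileRecord record = _files.FindByToken(token);
        if (record == null)
            return HttpNotFound();

        // 3. Access control: the record must belong to the logged-on user.
        //    Answer 404 rather than 403 so the existence of other users'
        //    files is not confirmed.
        if (!string.Equals(record.OwnerUserName, User.Identity.Name, StringComparison.Ordinal))
            return HttpNotFound();

        // 4. Build the path from our own root plus the stored (server-chosen)
        //    file name; the original name is used only as the download name.
        string path = Path.Combine(_files.RootDirectory, record.StoredFileName);
        return File(path, "application/octet-stream", record.OriginalFileName);
    }
}

public interface IFileStore
{
    string RootDirectory { get; }
    FileRecord FindByToken(Guid token);   // null when no such token exists
}

public class FileRecord
{
    public string OwnerUserName { get; set; }
    public string StoredFileName { get; set; }    // e.g. the token as file name
    public string OriginalFileName { get; set; }  // e.g. DSC01031.JPG
}
```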