Scribd Logo
Upload

Welcome to Scribd!

  • 43 views

    Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi

    Uploaded by

    Akki ash
    An audit of a web application found several serious security vulnerabilities, including the ability to view any user's bank statements, siphon off funds, log in without a password, and deny access to all users. The presentation covered common web application vulnerabilities like input validation issues, session management problems, authentication weaknesses, threats from the browser, and discussed tools for threat modeling and logging to improve security. It provided checklists of items to audit and referenced additional learning resources on topics like SQL injection, cross-site scripting, encryption, and CAPTCHAs.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi

    Uploaded by

    Akki ash
    43 views49 pages
    An audit of a web application found several serious security vulnerabilities, including the ability to view any user's bank statements, siphon off funds, log in without a password, and deny access to all users. The presentation covered common web application vulnerabilities like input validation issues, session management problems, authentication weaknesses, threats from the browser, and discussed tools for threat modeling and logging to improve security. It provided checklists of items to audit and referenced additional learning resources on topics like SQL injection, cross-site scripting, encryption, and CAPTCHAs.

    Original Description:

    Web application security

    Original Title

    WebAppSec_ISACA2007

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    An audit of a web application found several serious security vulnerabilities, including the ability to view any user's bank statements, siphon off funds, log in without a password, and deny access to all users. The presentation covered common web application vulnerabilities like input validation issues, session management problems, authentication weaknesses, threats from the browser, and discussed tools for threat modeling and logging to improve security. It provided checklists of items to audit and referenced additional learning resources on topics like SQL injection, cross-site scripting, encryption, and CAPTCHAs.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    43 views49 pages

    Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi

    Uploaded by

    Akki ash
    An audit of a web application found several serious security vulnerabilities, including the ability to view any user's bank statements, siphon off funds, log in without a password, and deny access to all users. The presentation covered common web application vulnerabilities like input validation issues, session management problems, authentication weaknesses, threats from the browser, and discussed tools for threat modeling and logging to improve security. It provided checklists of items to audit and referenced additional learning resources on topics like SQL injection, cross-site scripting, encryption, and CAPTCHAs.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 49

    Web Application Security

    ISACA Bangalore Chapter Aug 2007


    Runa Dwibedi
    In a recent application security audit

     An adversary could:

     View bank statements of any user


     Siphon off funds easily
     Login without a password
     Deny access to all users
     Hijack active sessions
     Steal encryption keys
    This morning…

     The HTTP Protocol


     Attacks on Input Validation
     Insecurities in Session Management
     Threats at the browser
     Authentication Weaknesses
     Threat Modeling
    Attacks on Input Validation
    Attacks on Input Validation

     Client-side validation
     Breach business rules
     SQL Injection
     XPATH Injection
    Input Validation - Audit Checklist

     Is input validated at server?


     Are inputs checked with business rules?
     Is the filter a white list?
     Are SQL queries pre-compiled?
     Are XPATH queries pre-compiled?
    References – SSL & Encryption
    • SSL Basics, RSA Security,
    http://www.rsasecurity.com/standards/ssl/basics.html
    • The pros and cons of securing Web services with
    SSL, Jack Loftus,
    http://searchwebservices.techtarget.com/qna/0,289202,
    sid26_gci995388,00.html
    • Understanding SSL, Shalini Gupta,
    http://palisade.paladion.net/issues/2005Sep/understandi
    ng-ssl/
    • Encrypting data in Databases, Priyali Vibhute,
    http://palisade.paladion.net/issues/2005Jun/database-
    encryption/
    References - SQL Injection
    • SQL Injection Walkthrough, Securiteam,
    http://www.securiteam.com/securityreviews/5DP0N1P76
    E.html
    • Introduction to SQL Injection Attacks,
    Integrigy,
    http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectio
    nAttacks.pdf
    • Best Practices in Input Validation, Roshen
    Chandran,
    http://palisade.paladion.net/issues/2004Dec/input-
    validation/
    References - XML Injection
    • XML Tutorial, W3Schools,
    http://www.w3schools.com/xml/
    • XPATH Tutorial, W3Schools,
    http://www.w3schools.com/xpath/
    • Mitigating XPath Injection Attacks in .NET,
    Oleg Tkachenko,
    http://www.tkachenko.com/blog/archives/00038
    5.html
    References - XML Injection

    • XPath injection in XML databases, Runa


    Dwibedi,
    http://palisade.paladion.net/issues/2005Jul/xpath
    -injection/
    • Blind XPath Injection, Amit Klein,
    http://www.watchfire.com/resources/blind-xpath-
    injection.pdf
    Insecurities in Managing
    Sessions
    Insecurities in Managing Sessions

     Predictable session tokens


     Transmitting tokens
     On Logout
     Session timeout
     On Login
     Cross Site Scripting
    Session Management - Audit Checklist

     Are session tokens random?


     Do session tokens use cookies?
     Are session tokens sent over SSL?
     Are sessions invalidated on logout?
     Is session timeout duration acceptable?
     Are session tokens changed on login?
     Are special characters escaped?
    References - Session Management

    • Web-based Session Management, Gunter Ollmann,


    http://www.technicalinfo.net/papers/WebBasedSessi
    onManagement.html
    • Securing your session with Page Tokens, Sangita
    Pakala,
    http://palisade.paladion.net/issues/2005Aug/page-
    tokens/
    • Transmitting Session IDs, Salil Aroskar,
    http://palisade.paladion.net/issues/2005Jul/quiz/
    References - Cross Site Scripting
    • The Cross Site Scripting FAQ, CGISecurity,
    http://www.cgisecurity.net/articles/xss-faq.shtml
    • HTML Code Injection and Cross-site scripting,
    Gunter Ollmann,
    http://www.technicalinfo.net/papers/index.html#Pap
    er6
    • Cross Site Scripting, Are your web applications
    vulnerable?, Kevin Spett,
    http://www.spidynamics.com/whitepapers/SPIcross-
    sitescripting.pdf
    Threats at the Browser
    Threats at the Browser

     The browser cache


     History
     Browser memory
     The Refresh button
    Threats at the Browser - Audit
    Checklist
     Has cache-control: no-store been set?
     Are the links in History safe?
     Are passwords stored as hashes?
     Are passwords sent as salted hashes?
     Is redirection used during login?
    References - Cache

    • Caching Tutorial for Web Authors and Webmasters,


    Mark Nottingham http://www.mnot.net/cache_docs/
    • HTTP/1.1: Caching in HTTP,
    www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
    References - Passwords in memory

    • Discovering passwords in the memory,


    Abhishek Kumar,
    http://paladion.net/papers/Discovering_Passwor
    ds_In_Memory.pdf
    • Passwords - In Memory Still Green, Sangita
    Pakala,
    http://palisade.paladion.net/issues/2004Aug/pas
    swords-in-memory/
    • WinHex – http://www.x-ways.net/winhex/index-
    m.html
    References - Browser Refresh

    • Stealing Passwords via Browser Refresh,


    Karmendra Kohli,
    http://paladion.net/papers/Stealing_passwords_via_
    browser_refresh.pdf
    Insecurities in Authentication
    Authentication - Forgot
    Password
    Best Practice

    1. Ask a hint/custom question


    2. Display a CAPTCHA
    3. Send a short lived link to the user’s
    registered email ID
    4. Allow the user to reset the password over
    SSL
    5. Invalidate the link after one use
    Authentication - Audit Checklist

     Is “Forgot Password” question non-trivial?


     Is the “Reset link” short-lived?
     Is the new password exchanged over SSL?
    References – Forgot Password

    • Using Secret Questions, Mark Burnett,


    http://www.owasp.org/columns/mburnett/questions
    .html
    The Attack of the Bots
    Bots

     Bots flood the server


     With fake requests in public pages
     Comments page
     Registration at Free e-mail sites
     Support query page
    How can we stop them?

     Pose a question that is easy for humans to


    answer but difficult for computers
     Enter Captchas!
     “Completely Automated Public Turing Test to Tell
    Computers and Humans Apart”
    Types of CAPTCHAs

     Image
     Display a distorted text image
     Knowledge
     Pose a question “ What is the color of the sky?”
     Arithmetic
     Pose a question “ What is 34 +15?”
    How to implement a CAPTCHA

     Use readily available classes


     Jcaptcha for Java
     http://jcaptcha.sourceforge.net/main.html
     BotDetect for .Net
     http://www.lanapsoft.com/products.html
     Authen-Captcha for Perl
     http://search.cpan.org/dist/Authen-Captcha/
     Build your own classes
    Common Mistakes

     Small set of images


     Image File-names always map to same word
     All the mappings can be discovered by attacker
     Small set of images, dynamic filenames
     Attacker can brute force till the correct word is
    submitted
    Best Practices

    1. Dynamically generate an image


    2. Send it to client with random token
    3. Accept user input along with token
    4. Compare user input with correct word for
    token
    5. Invalidate the token after one use
     Do public forms have CAPTCHAs?
    References - CAPTCHA

    • PWntcha, http://sam.zoy.org/pwntcha/
    • LanAp BotDetect,
    http://www.lanapsoft.com/products.html
    Audit Logs
    Audit logs

     An audit trail of activities enable us to trace


    back fraud
     Application layer activities are not logged by
    system and web server logs
     So, application should maintain own audit
    trail
     Access to logs should be controlled
    The activities to be logged

     Login and logout of users


     Critical transactions (eg. fund transfer across
    accounts)
     Failed login attempts
     Account lockouts
     Violation of policies
     Are audit logs detailed?
    References – Logging and Audit Trails

    • Application Logs - Security Best Practices, Dipesh


    Rawal,
    http://palisade.paladion.net/issues/2004Oct/security
    -logging/
    Threat Modeling
    Threat Modeling

     A structured technique to identify threats and


    the security controls required to counter them
    Across the SDLC

    Threat
    Modeling

    SRS Design Development Testing Deployment

    Evaluate against
    Threat model
    Phase1:Threat Profile

     Is a list of all the possible threats to the


    application

     For example, for an online banking application,


    some of the threats would be –
    - An adversary steals the password of other users
    - An adversary transfers fund from others account
    to his own account
    Phase2: Threat Trees

     Identify security controls for each threat in the


    threat profile
     The 3 ways of compromising user password
    would be –
    - Access password
    - Steal password from database
    - Guess password
    References - General

    • Application Security FAQ, OWASP,


    http://www.owasp.org/documentation/appsec_faq.
    html
    • HTTP/1.1: Header Field Definitions from RFC
    2616,
    http://www.w3.org/Protocols/rfc2616/rfc2616-
    sec14.html
    References - Books
    • Writing Secure Code, Michael Howard, David
    LeBlanc, Microsoft Press
    • Secure Coding: Principles & Practices, Mark G.
    Graff, Kenneth R. van Wyk, O’Reilly
    • How to Break Software Security, James A.
    Whittaker, Herbert H. Thompson, Addison Wesley
    • Code Complete, Steve McConnell, Microsoft Press
    • HTTP Developer's Handbook, Chris Shiflett, Sam’s
    Publishing
    • Threat Modeling, Frank Swiderski and Window
    Snyder, Microsoft Press
    References – Mailing List

    • Security Focus Web Application Security -


    http://www.securityfocus.com/archive/107
    • Web Application Security Consortium Mailing List -
    http://www.webappsec.org/lists/websecurity/archive
    • Secure Coding Mailing List -
    http://www.securecoding.org/list/
    • Secure Programming Mailing List,
    http://www.securityfocus.com/archive/98
    Thank You

    You might also like