Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi

An audit of a web application found several serious security vulnerabilities, including the ability to view any user's bank statements, siphon off funds, log in without a password, and deny access to all users. The presentation covered common web application attacks like SQL injection, session hijacking, cross-site scripting and weaknesses in authentication. It provided checklists to audit applications for these issues and summarized best practices for input validation, session management, password security and threat modeling. References were given for further reading on specific topics.


Web Application Security

ISACA Bangalore Chapter, Aug 2007

Runa Dwibedi
In a recent application security audit

An adversary could:
• View bank statements of any user
• Siphon off funds easily
• Login without a password
• Deny access to all users
• Hijack active sessions
• Steal encryption keys
This morning…
• The HTTP Protocol
• Attacks on Input Validation
• Insecurities in Session Management
• Threats at the browser
• Authentication Weaknesses
• Threat Modeling
Attacks on Input Validation
• Client-side validation
• Breach business rules
• SQL Injection
• XPATH Injection

Input Validation - Audit Checklist
• Is input validated at server?
• Are inputs checked with business rules?
• Is the filter a white list?
• Are SQL queries pre-compiled?
• Are XPATH queries pre-compiled?
References – SSL & Encryption
• SSL Basics, RSA Security, http://www.rsasecurity.com/standards/ssl/basics.html
• The pros and cons of securing Web services with SSL, Jack Loftus, http://searchwebservices.techtarget.com/qna/0,289202,sid26_gci995388,00.html
• Understanding SSL, Shalini Gupta, http://palisade.paladion.net/issues/2005Sep/understanding-ssl/
• Encrypting data in Databases, Priyali Vibhute, http://palisade.paladion.net/issues/2005Jun/database-encryption/

References - SQL Injection
• SQL Injection Walkthrough, Securiteam, http://www.securiteam.com/securityreviews/5DP0N1P76E.html
• Introduction to SQL Injection Attacks, Integrigy, http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf
• Best Practices in Input Validation, Roshen Chandran, http://palisade.paladion.net/issues/2004Dec/input-validation/

References - XML Injection
• XML Tutorial, W3Schools, http://www.w3schools.com/xml/
• XPATH Tutorial, W3Schools, http://www.w3schools.com/xpath/
• Mitigating XPath Injection Attacks in .NET, Oleg Tkachenko, http://www.tkachenko.com/blog/archives/000385.html
• XPath injection in XML databases, Runa Dwibedi, http://palisade.paladion.net/issues/2005Jul/xpath-injection/
• Blind XPath Injection, Amit Klein, http://www.watchfire.com/resources/blind-xpath-injection.pdf
Insecurities in Managing Sessions
• Predictable session tokens
• Transmitting tokens
• On Logout
• Session timeout
• On Login
• Cross Site Scripting

Session Management - Audit Checklist
• Are session tokens random?
• Do session tokens use cookies?
• Are session tokens sent over SSL?
• Are sessions invalidated on logout?
• Is session timeout duration acceptable?
• Are session tokens changed on login?
• Are special characters escaped?
References - Session Management
• Web-based Session Management, Gunter Ollmann, http://www.technicalinfo.net/papers/WebBasedSessionManagement.html
• Securing your session with Page Tokens, Sangita Pakala, http://palisade.paladion.net/issues/2005Aug/page-tokens/
• Transmitting Session IDs, Salil Aroskar, http://palisade.paladion.net/issues/2005Jul/quiz/

References - Cross Site Scripting
• The Cross Site Scripting FAQ, CGISecurity, http://www.cgisecurity.net/articles/xss-faq.shtml
• HTML Code Injection and Cross-site scripting, Gunter Ollmann, http://www.technicalinfo.net/papers/index.html#Paper6
• Cross Site Scripting, Are your web applications vulnerable?, Kevin Spett, http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
Threats at the Browser
• The browser cache
• History
• Browser memory
• The Refresh button

Threats at the Browser - Audit Checklist
• Has cache-control: no-store been set?
• Are the links in History safe?
• Are passwords stored as hashes?
• Are passwords sent as salted hashes?
• Is redirection used during login?
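The first checklist question, whether `Cache-Control: no-store` has been set, can be answered mechanically from a captured response. The following is an added example, not code from the presentation: it parses the header block of a raw HTTP/1.x response, splits the `Cache-Control` value into directives, and reports what is missing for a page that shows sensitive data. The two sample responses are constructed; the expectation that `Pragma: no-cache` accompanies `Cache-Control` for HTTP/1.0 caches is the auditor's assumption about the deployment.

```python
# Added example, not the presentation's code. Sample responses are constructed.

def parse_headers(raw_response):
    """Return {lowercase header name: value} from a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_control_directives(headers):
    """'no-store, max-age=0' -> {'no-store', 'max-age'} (names only, lower-cased)."""
    value = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}

def audit_cache_headers(raw_response):
    """Findings for a response that carries sensitive data (a bank statement, say)."""
    headers = parse_headers(raw_response)
    directives = cache_control_directives(headers)
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: the page may be written to the browser cache")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: a cached copy may be reused without revalidation")
    pragma = headers.get("pragma", "").lower()
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches do not understand Cache-Control")
    return findings

# Constructed sample responses: one with only "private", one with the full set.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Cache-Control: private\r\n\r\n<html>statement</html>")
SAFE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Cache-Control: no-store, no-cache, must-revalidate\r\n"
                 "Pragma: no-cache\r\nExpires: 0\r\n\r\n<html>statement</html>")

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(name, audit_cache_headers(resp) or "no findings")
```

Header names are matched case-insensitively because HTTP allows any capitalisation; a check that looks only for the literal `Cache-Control` string would miss `cache-control` emitted by some servers.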
References - Cache
• Caching Tutorial for Web Authors and Webmasters, Mark Nottingham, http://www.mnot.net/cache_docs/
• HTTP/1.1: Caching in HTTP, www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

References - Passwords in memory
• Discovering passwords in the memory, Abhishek Kumar, http://paladion.net/papers/Discovering_Passwords_In_Memory.pdf
• Passwords - In Memory Still Green, Sangita Pakala, http://palisade.paladion.net/issues/2004Aug/passwords-in-memory/
• WinHex – http://www.x-ways.net/winhex/index-m.html

References - Browser Refresh
• Stealing Passwords via Browser Refresh, Karmendra Kohli, http://paladion.net/papers/Stealing_passwords_via_browser_refresh.pdf
Insecurities in Authentication

Authentication - Forgot Password
Best Practice
1. Ask a hint/custom question
2. Display a CAPTCHA
3. Send a short lived link to the user’s registered email ID
4. Allow the user to reset the password over SSL
5. Invalidate the link after one use

Authentication - Audit Checklist
• Is “Forgot Password” question non-trivial?
• Is the “Reset link” short-lived?
• Is the new password exchanged over SSL?
References – Forgot Password
• Using Secret Questions, Mark Burnett, http://www.owasp.org/columns/mburnett/questions.html
The Attack of the Bots

Bots
• Bots flood the server with fake requests in public pages
  - Comments page
  - Registration at free e-mail sites
  - Support query page

How can we stop them?
• Pose a question that is easy for humans to answer but difficult for computers
• Enter CAPTCHAs! “Completely Automated Public Turing Test to Tell Computers and Humans Apart”

Types of CAPTCHAs
• Image: display a distorted text image
• Knowledge: pose a question, “What is the color of the sky?”
• Arithmetic: pose a question, “What is 34 + 15?”

How to implement a CAPTCHA
• Use readily available classes
  - Jcaptcha for Java, http://jcaptcha.sourceforge.net/main.html
  - BotDetect for .Net, http://www.lanapsoft.com/products.html
  - Authen-Captcha for Perl, http://search.cpan.org/dist/Authen-Captcha/
• Build your own classes

Common Mistakes
• Small set of images
  - Image file-names always map to the same word
  - All the mappings can be discovered by an attacker
• Small set of images, dynamic filenames
  - An attacker can brute force until the correct word is submitted

Best Practices
1. Dynamically generate an image
2. Send it to the client with a random token
3. Accept user input along with the token
4. Compare user input with the correct word for that token
5. Invalidate the token after one use

Audit Checklist: Do public forms have CAPTCHAs?
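The CAPTCHA best practices above and the "Forgot Password" best practice earlier both rely on the same mechanism: a random token bound to a server-side value, which expires and is destroyed on its first use. The following is an added example, not code from the presentation, that implements that token store once and uses it for both; the lifetimes, the CAPTCHA alphabet and word length, and the reset URL are assumptions, and rendering the word into a distorted image is left out since it needs an imaging library. Because the token is removed on the first attempt, a wrong CAPTCHA guess cannot be retried against the same token, which closes the brute-force mistake listed above.

```python
import secrets
import string
import time

# Added example, not the presentation's code. Policy values below are assumptions.
CAPTCHA_ALPHABET = string.ascii_lowercase + string.digits
CAPTCHA_TTL = 5 * 60        # seconds a user has to answer a CAPTCHA
RESET_LINK_TTL = 15 * 60    # lifetime of a "short lived" password reset link
RESET_URL = "https://bank.example/reset?token="   # hypothetical endpoint

class OneTimeTokens:
    """Random tokens, each bound to a server-side value, that expire and are
    destroyed on first use whether or not that use succeeds."""

    def __init__(self, ttl, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._store = {}    # token -> (bound value, expiry time)

    def issue(self, value):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._store[token] = (value, self._clock() + self._ttl)
        return token

    def claim(self, token):
        # pop() removes the token on the first attempt: no replay, no retries.
        entry = self._store.pop(token, None)
        if entry is None:
            return None
        value, expires = entry
        if self._clock() > expires:
            return None
        return value

def make_captcha_word(length=6):
    # Best practice 1: a freshly generated word per request (the image is rendered from it).
    return "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))

def captcha_answer_ok(tokens, token, typed):
    # Best practices 3 to 5: look up the word for the submitted token, compare in
    # constant time, and the token is gone either way.
    expected = tokens.claim(token)
    if expected is None:
        return False
    return secrets.compare_digest(expected.encode(), typed.strip().lower().encode())

def make_reset_link(tokens, username):
    # Forgot-password step 3: the link carries only the random token, not the username.
    return RESET_URL + tokens.issue(username)

def user_for_reset_link(tokens, link):
    # Steps 4 and 5: a valid, unexpired, unused token identifies the account whose
    # password may now be reset (over SSL); the link is dead from this point on.
    token = link.split("token=", 1)[1]
    return tokens.claim(token)

if __name__ == "__main__":
    captchas = OneTimeTokens(ttl=CAPTCHA_TTL)
    word = make_captcha_word()
    token = captchas.issue(word)            # token travels with the image; word stays server-side
    print(captcha_answer_ok(captchas, token, word))     # True
    print(captcha_answer_ok(captchas, token, word))     # False: token already used
    resets = OneTimeTokens(ttl=RESET_LINK_TTL)
    link = make_reset_link(resets, "alice")
    print(user_for_reset_link(resets, link), user_for_reset_link(resets, link))   # alice None
```

Both the CAPTCHA word and the username are kept server-side and only the token crosses the wire, so nothing in the client's request reveals the answer or which account a reset link belongs to.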
References - CAPTCHA
• PWntcha, http://sam.zoy.org/pwntcha/
• LanAp BotDetect, http://www.lanapsoft.com/products.html
Audit Logs
• An audit trail of activities enables us to trace back fraud
• Application layer activities are not logged by system and web server logs
• So, the application should maintain its own audit trail
• Access to logs should be controlled

The activities to be logged
• Login and logout of users
• Critical transactions (e.g. fund transfer across accounts)
• Failed login attempts
• Account lockouts
• Violation of policies

Audit Checklist: Are audit logs detailed?
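An application-level audit trail that records the activities listed above might look like the following. This is an added example, not code from the presentation: the lockout threshold, the event names and the JSON-lines format are assumptions, and the sample activity in the usage section is constructed. Each event is one append-only line carrying the timestamp, the actor and enough detail (source address, accounts and amount for a transfer) to reconstruct what happened; consecutive failed logins are counted so that the lockout itself is recorded as its own event.

```python
import json
import time
from collections import defaultdict

# Added example, not the presentation's code. Policy values are assumptions.
LOCKOUT_THRESHOLD = 5   # consecutive failed logins before the account is locked

class AuditTrail:
    """Application audit trail: one append-only JSON line per event."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self.lines = []                      # in production: a file only the application may append to
        self._failures = defaultdict(int)    # consecutive failed logins per user

    def _record(self, event, user, **details):
        entry = {"ts": self._clock(), "event": event, "user": user}
        entry.update(details)
        self.lines.append(json.dumps(entry, sort_keys=True))

    def login_attempt(self, user, ok, source_ip):
        """Log a login or a failed attempt; returns 'ok', 'failed' or 'locked'."""
        if ok:
            self._failures[user] = 0
            self._record("login", user, ip=source_ip)
            return "ok"
        self._failures[user] += 1
        self._record("login_failed", user, ip=source_ip,
                     consecutive_failures=self._failures[user])
        if self._failures[user] == LOCKOUT_THRESHOLD:
            self._record("account_locked", user, ip=source_ip)
            return "locked"
        return "failed"

    def logout(self, user):
        self._record("logout", user)

    def transaction(self, user, kind, amount, from_account, to_account):
        # Critical transactions carry enough detail to trace where funds moved.
        self._record("transaction", user, kind=kind, amount=amount,
                     from_account=from_account, to_account=to_account)

    def policy_violation(self, user, rule, detail):
        self._record("policy_violation", user, rule=rule, detail=detail)

    def events(self, event):
        """All recorded entries of one event type, parsed back from their lines."""
        return [e for e in map(json.loads, self.lines) if e["event"] == event]

    def last_event(self):
        return json.loads(self.lines[-1])["event"] if self.lines else None

if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed sample activity: five bad guesses at one account, then a
    # legitimate session that moves money between two accounts.
    for _ in range(LOCKOUT_THRESHOLD):
        trail.login_attempt("bob", False, "203.0.113.7")
    trail.login_attempt("alice", True, "198.51.100.2")
    trail.transaction("alice", "fund_transfer", 500, "ACC-1001", "ACC-2002")
    trail.policy_violation("alice", "daily_transfer_limit", "second transfer over limit")
    trail.logout("alice")
    print("\n".join(trail.lines))
```

Writing each entry as a complete JSON object makes the trail easy to search by user, event or account when a fraud investigation works backwards from a disputed transaction.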
References – Logging and Audit Trails
• Application Logs - Security Best Practices, Dipesh Rawal, http://palisade.paladion.net/issues/2004Oct/security-logging/
Threat Modeling
• A structured technique to identify threats and the security controls required to counter them

Across the SDLC
[Diagram: “Threat Modeling” shown across the phases SRS, Design, Development, Testing and Deployment, with the label “Evaluate against threat model”]

Phase 1: Threat Profile
• A list of all the possible threats to the application
• For example, for an online banking application, some of the threats would be:
  - An adversary steals the passwords of other users
  - An adversary transfers funds from another user’s account to his own account

Phase 2: Threat Trees
• Identify security controls for each threat in the threat profile
• The three ways of compromising a user’s password would be:
  - Access password
  - Steal password from database
  - Guess password
References - General
• Application Security FAQ, OWASP, http://www.owasp.org/documentation/appsec_faq.html
• HTTP/1.1: Header Field Definitions from RFC 2616, http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

References - Books
• Writing Secure Code, Michael Howard, David LeBlanc, Microsoft Press
• Secure Coding: Principles & Practices, Mark G. Graff, Kenneth R. van Wyk, O’Reilly
• How to Break Software Security, James A. Whittaker, Herbert H. Thompson, Addison Wesley
• Code Complete, Steve McConnell, Microsoft Press
• HTTP Developer's Handbook, Chris Shiflett, Sams Publishing
• Threat Modeling, Frank Swiderski and Window Snyder, Microsoft Press

References – Mailing Lists
• Security Focus Web Application Security, http://www.securityfocus.com/archive/107
• Web Application Security Consortium Mailing List, http://www.webappsec.org/lists/websecurity/archive
• Secure Coding Mailing List, http://www.securecoding.org/list/
• Secure Programming Mailing List, http://www.securityfocus.com/archive/98
Thank You
