
Web Application Security

Jan 03, 2016


riley-bullock

Web Application Security - PowerPoint PPT Presentation. Overview: increase in deployment of web applications; issues with secure web application development; impact of application attacks; top web application threats; conclusions.
Transcript
Page 1: Web Application Security

Web Application Security

Page 2: Web Application Security

Web Application Security

• Overview
  – Increase in deployment of web applications
  – Issues with secure web application development
  – Impact of Application Attacks
  – Top Web Application Threats
  – Conclusions

Page 3: Web Application Security

Web Application Security

• Many in-house applications are being migrated to web applications
  – Ease of accessibility
  – Ease of client deployment
  – Employee intranets
  – PeopleSoft and SAP recently converted to web applications
  – Customer portals
  – Support applications
  – Endless possibilities…

Page 4: Web Application Security

Web Application Security

• Traditional security protections do not address the complexity of web applications
  – Stateful inspection firewalls
  – Many IDS/IDP systems
  – Vulnerability Assessments

• Because of this, new security products and services need to be developed to address the security problems inherent in web applications
  – Web application firewalls
  – Web application vulnerability assessments
  – Web application code review
  – Training and awareness

Page 5: Web Application Security

Web Application Security

• Issues with secure web application development
  – Protecting applications against threats
  – Ensuring access for authorized users
  – Ensuring availability and application performance
  – Applications need to be coded securely, but that is most often not the case
  – A Web application vulnerability assessment can uncover weaknesses in applications before malicious attackers do

Page 6: Web Application Security

Web Application Security

• Implications of Web Application attacks
  – Identity theft
  – Credit card theft
  – Website defacement
  – Unauthorized access
  – Password theft
  – Unauthorized modification of data
  – Data and information theft
  – Denial of service
  – Unauthorized access to back-end systems

Page 7: Web Application Security

Types of Attacks

• SQL Injection
  – Attack description
    • Allows execution of commands against the database
    • Results in unauthorized disclosure and/or modification of SQL data
    • Occurs when SQL statements are constructed with user-supplied data, either through the URL, headers, or form variables
    • In some extreme cases, commands can be executed in the OS (with the xp_cmdshell stored procedure in MSSQL)
  – Countermeasures
    • Validate all input, looking for SQL commands in input
    • Deploy a web application firewall that provides protection against SQL Injection
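As an added example (not part of the slides), the vulnerable construction this slide describes beside its parameterized form, using Python's sqlite3 with a constructed in-memory users table; the function and table names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def lookup_unsafe(conn, name):
    """VULNERABLE: the user-supplied value is spliced into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """HARDENED: the statement text is fixed and the driver binds the value as
    data, so nothing in the input can be parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def looks_like_sql(value):
    """The slide's countermeasure, input inspection: flag characters and
    keywords that commonly alter SQL structure. Useful as a WAF-style signal
    and for logging (note it also flags names like o'brien), but filters can
    be evaded; parameterization is what actually removes the flaw."""
    suspicious = ("'", '"', ";", "--", " or ", " union ")
    lowered = value.lower()
    return any(token in lowered for token in suspicious)
```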

Page 8: Web Application Security

Types of Attacks

• Command Injection
  – Attack description
    • Allows execution of commands in the web server OS
    • Results in unauthorized access to the OS, including disclosure and modification of data. Also results in privilege escalation
    • Occurs when command statements are constructed with user-supplied data, either through the URL, headers, or form variables
  – Countermeasures
    • Validate all input, looking for OS commands in input
    • Deploy a web application firewall that provides protection against Command Injection

Page 9: Web Application Security

Types of Attacks

• Parameter & Form Tampering
  – Attack description
    • User manipulates parameters by setting them in the URL, editing HTML code, or modifying the POST with a proxy such as Achilles
    • Can result in bypassing authentication mechanisms, privilege escalation, unauthorized disclosure and/or modification of data
  – Countermeasures
    • Validate all information returned from the client
    • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.

Page 10: Web Application Security

Types of Attacks

• Directory Traversal & Forceful Browsing
  – Attack description
    • Attacker uses unchecked URL input parameters, cookies, and HTTP request headers to access files outside of allowed paths and directories
    • Attacker may also try to guess or brute-force special paths and paths/scripts known to be vulnerable
    • Results in unauthorized disclosure of and modification to the file system of the web server
  – Countermeasures
    • Validate all user input. Specifically look for “../”
    • Deploy a web application firewall that knows the valid forms, paths and URLs for the particular web application that you are trying to protect

Page 11: Web Application Security

Types of Attacks

• Cross Site Scripting
  – Attack description
    • Attacker uses malicious script on a vulnerable target site to send the attack to the client browser
    • Results in theft of client data, may lead to identity theft and financial fraud
  – Countermeasures
    • Validate all input. Specifically, look for <SCRIPT> tags
    • Deploy a web application firewall that parses out <SCRIPT> tags in user-supplied input

Page 12: Web Application Security

Types of Attacks

• Session Hijacking
  – Attack description
    • Each user logged into a web application receives a unique session id from the web application. Allows the web app to keep state for the client
    • Attacker manipulates the web application to determine predictable session ids
    • Attacker then sets a session id either through parameters, cookies, or HTML code (depending on how the web app stores session ids)
    • Attacker now has a session id from another user’s valid session
    • Results in authentication bypass, unauthorized disclosure and modification, and privilege escalation

Page 13: Web Application Security

Types of Attacks

• Session Hijacking (continued)
  – Countermeasures
    • Use random session ids. Use MD5 (or similar) to generate session ids
    • Deploy a web application firewall that protects session id data (cookies and/or form parameters). Some of these products digitally encrypt, sign and time-stamp cookies, protecting their data

• Cookie poisoning
  – Attack description
    • Attacker modifies cookie to escalate privileges or assume another user’s identity. See “Session Hijacking”
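Added example, not from the slides: an unpredictable session id plus the signed, time-stamped cookie the countermeasures describe, so a cookie altered as in the cookie poisoning attack above fails verification. It draws the id from the OS random source rather than an MD5 hash; the key, the field layout and the 30-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key-replace-in-production"  # server-only secret
MAX_AGE = 1800   # assumed policy: a cookie is honoured for 30 minutes

def new_session_id():
    """An unguessable session id: 256 bits from the OS random source. A counter
    or a timestamp-derived value is the predictable case Page 12 describes."""
    return secrets.token_urlsafe(32)

def _mac(payload, issued_at, key):
    msg = f"{payload}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_cookie(payload, issued_at, key=SECRET_KEY):
    """Produce 'payload|issued_at|mac'. The MAC covers both the payload and the
    timestamp, so neither can be changed without the server's key."""
    return f"{payload}|{issued_at}|{_mac(payload, issued_at, key)}"

def verify_cookie(cookie, now, key=SECRET_KEY, max_age=MAX_AGE):
    """Return the payload if the cookie is authentic and fresh, else None."""
    try:
        payload, issued_s, mac = cookie.rsplit("|", 2)
        issued_at = int(issued_s)
    except ValueError:
        return None                               # malformed
    if not hmac.compare_digest(mac, _mac(payload, issued_at, key)):
        return None                               # modified or forged
    if now < issued_at or now - issued_at > max_age:
        return None                               # expired or future-dated
    return payload
```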

Page 14: Web Application Security

Types of Attacks

• HTTP Header Manipulation
  – Attack description
    • Attacker alters HTTP request headers to include meta-characters (see “SQL Injection” and “Command Injection”) or steal cookies
  – Countermeasures
    • Validate all HTTP request headers
    • Deploy a web application firewall that examines HTTP request headers for malicious input

Page 15: Web Application Security

Types of Attacks

• Hidden Form Field Tampering
  – Attack description
    • Applications may use hidden form fields for tracking state (session ids), authentication, price of item, etc.
    • Attacker can modify the HTML or modify the parameter value with a proxy such as Achilles
    • Results in privilege escalation, unauthorized disclosure and modification, possible session hijacking. Can also result in monetary loss (in the case of a field such as “price”)
  – Countermeasures
    • Try not to use hidden form fields, as they don’t provide any security.
    • If hidden fields are necessary, validate all information returned from the client
    • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.
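Added example (not from the slides) of the server-side check that both Page 9 and this slide call for: every parameter is validated against its declared type, length and range, unexpected fields are rejected, and the price is taken from the server's catalog rather than from the form. The schema, catalog and field names are constructed.

```python
import re

# Constructed schema: every parameter the order form may send, with its type,
# length limits and value range. Anything not listed is rejected outright.
ORDER_SCHEMA = {
    "sku":      {"type": "str", "pattern": r"[A-Z0-9-]{3,16}"},
    "quantity": {"type": "int", "min": 1, "max": 99},
    "coupon":   {"type": "str", "pattern": r"[A-Z0-9]{4,12}", "optional": True},
}

# Constructed catalog: the server's own price list, the only price that counts.
CATALOG = {"BOOK-001": 1999, "PEN-042": 250}   # cents

def validate(params, schema):
    """Return (clean_values, None) on success or (None, reason) on failure.
    params holds the raw strings exactly as the client sent them."""
    unknown = sorted(set(params) - set(schema))
    if unknown:
        return None, f"unexpected parameter(s): {unknown}"   # e.g. a 'price'
    clean = {}
    for name, rule in schema.items():
        raw = params.get(name)
        if raw is None:
            if rule.get("optional"):
                continue
            return None, f"missing parameter: {name}"
        if rule["type"] == "int":
            if not re.fullmatch(r"-?\d{1,9}", raw):      # bounds the length too
                return None, f"{name}: not an integer"
            value = int(raw)
            if not rule["min"] <= value <= rule["max"]:
                return None, f"{name}: out of range"
        else:
            if not re.fullmatch(rule["pattern"], raw):
                return None, f"{name}: bad format"
            value = raw
        clean[name] = value
    return clean, None

def price_order(params):
    """Total in cents, or None if the request fails validation or names an
    unknown item. The price comes from CATALOG, never from a form field."""
    order, reason = validate(params, ORDER_SCHEMA)
    if order is None or order["sku"] not in CATALOG:
        return None
    return CATALOG[order["sku"]] * order["quantity"]
```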

Page 16: Web Application Security

Types of Attacks

• Error Message Interception
  – Attack description
    • Attacker sends input in an attempt to cause a program error
    • Program sends an error message back to the browser (through HTML)
    • Error message may reveal directories, OS and version, database and version, database field names and tables, parameter names
    • Gives attacker information necessary to execute other attacks (SQL Injection, Command Injection)
  – Countermeasures
    • Turn off all error message output in the web server and web application. Turn off all debugging. Enable only for development servers
    • Validate input to prevent errors from occurring
    • Deploy a web application firewall that understands the parameters used for that application, their data types, acceptable lengths, acceptable ranges of values, etc.
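Added example, not from the slides: a request wrapper that keeps the detail of a failure in the server-side log and returns only a reference id to the browser, with the verbose output this slide reserves for development behind an explicit flag. The log store and the handlers are constructed.

```python
import traceback
import uuid

SERVER_LOG = []   # constructed stand-in for the server-side error log

def run_handler(handler, request, debug=False):
    """Call handler(request) and return (status, body). On failure the full
    detail goes to SERVER_LOG under a reference id; what the browser sees
    depends on debug, which should be True only on development servers."""
    try:
        return 200, handler(request)
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]              # id the user can quote to support
        detail = f"[{ref}] {exc!r}\n{traceback.format_exc()}"
        SERVER_LOG.append(detail)
        if debug:
            return 500, detail                   # development: show everything
        return 500, f"An internal error occurred. Reference: {ref}"

def ok_handler(request):
    return "hello"

def leaky_handler(request):
    """Constructed handler that fails the way a database layer might, with a
    message that names a table and column."""
    raise RuntimeError("no such column: users.card_number")
```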

Page 17: Web Application Security

Types of Attacks

• Buffer Overflows
  – Attack description
    • Occurs when user-supplied input is not checked for length
    • Leads to remote command execution
  – Countermeasures
    • Check length of user-supplied input
    • Deploy a web application firewall that knows the acceptable lengths and acceptable ranges of parameters

• Format String Vulnerabilities
  – Attack description
    • Occurs when a format string function, such as printf, is called with a format string built from user-supplied input
    • Leads to remote command execution
  – Countermeasures
    • Validate all input. Specifically, look for “%s” and “%x” in input
    • Deploy a web application firewall that checks for format string attacks

Page 18: Web Application Security

Types of Attacks

• Unicode and URL Encoding
  – Attack description
    • Attacker uses URL-encoded input to disguise malicious code in URL strings
    • Bypasses security mechanisms
    • Can lead to any number of attacks
  – Countermeasures
    • Deploy a web application firewall that decodes all URLs before inspection
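Added example (not from the slides) serving both Page 10 and this slide: the literal “../” check on its own beside a check that percent-decodes the request until it is stable (so double encoding is covered) and then resolves it against the document root. The web root and sample paths are constructed.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed document root

def naive_check(requested):
    """Page 10's check taken in isolation: looks for a literal '../' in the
    raw request text, so an encoded traversal is not seen."""
    return "../" not in requested

def full_decode(value, rounds=3):
    """Percent-decode until the value stops changing (double encoding), up to
    a fixed number of rounds so a hostile input cannot keep us looping."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def safe_resolve(requested, web_root=WEB_ROOT):
    """Return the absolute file path for a request, or None if it would fall
    outside web_root. Inspects the decoded, normalized path, not the raw text."""
    path = full_decode(requested)
    if "\x00" in path or "\\" in path:
        return None                      # NUL or Windows-separator tricks
    full = os.path.normpath(os.path.join(web_root, path.lstrip("/")))
    if os.path.commonpath([web_root, full]) != web_root:
        return None                      # escaped the document root
    return full
```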

Page 19: Web Application Security

Types of Attacks

• Web Services Attacks
  – Web services – SOAP, UDDI, WSDL
  – New breed of web application
  – Components interacting with one another
  – Require authentication, authorization, encryption, integrity
  – Peer relationships (not client to server). Peers are web services components who must authenticate to one another, encrypt communications between one another, and check permissions for allowed access

Page 20: Web Application Security

Types of Attacks

• Denial of Service
• SSL Hacking
• Attacks against Web Servers (IIS, Apache)
• Operating System Attacks (Windows, UNIX, Linux, etc.)

Page 21: Web Application Security

Web Application Security

• OWASP Top Ten
  – Unvalidated Input - Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
  – Broken Access Control - Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.

Page 22: Web Application Security

Web Application Security

• OWASP Top Ten
  – Broken Authentication and Session Management - Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
  – Cross Site Scripting (XSS) Flaws - The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

Page 23: Web Application Security

Web Application Security

• OWASP Top Ten
  – Buffer Overflows - Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
  – Injection Flaws - Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.

Page 24: Web Application Security

Web Application Security

• OWASP Top Ten
  • SQL Injection - Attacker creates or alters existing SQL commands. A serious threat for database-driven sites.
  • Direct OS/system command injection - Attacker injects system commands into HTML forms, cookies, or URL parameters. Attacker can execute system-level functions.
  • Meta character injection - Attacker inserts meta characters into URL-encoded parameters in query strings to exploit known security holes. Certain characters (such as ~ or =) have special meanings in certain scripts and applications. The risk varies with OS and application.

Page 25: Web Application Security

Web Application Security

• OWASP Top Ten
  – Improper Error Handling - Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
  – Insecure Storage - Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

Page 26: Web Application Security

Web Application Security

• OWASP Top Ten
  – Denial of Service - Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
  – Insecure Configuration Management - Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

Page 27: Web Application Security

Web Application Security

• Traditional Network Security and Web Applications
  – Firewalls – usually only inspect up to the transport layer
  – IDS/IPS – will not prevent/detect application-specific attacks
  – AntiVirus – same problem as IDS and IPS
  – OS Patches

Page 28: Web Application Security

Web Application Security

• New solutions are needed
  – Web application firewalls – they focus on the web application layer and learn what input is valid for a specific application. Rules are generated based on valid inputs
  – Web Application Scanners – test web applications for vulnerabilities
  – Web Application Security Assessments – go further than a network-layer penetration test and examine the specific web application. Highly customized service
  – Web application security training & awareness
  – Secure programming practices

Page 29: Web Application Security

Web Application Security

• Tools
  – WebScarab http://www.owasp.org/development/webscarab
  – WebGoat http://www.owasp.org/development/webgoat
  – Lilith http://angelo.scanit.biz/
  – Nikto http://www.cirt.net/code/nikto.shtml
  – Achilles http://packetstormsecurity.org/web/achilles-0-27.zip

Page 30: Web Application Security

Web Application Security

• Conclusions
  – Web application vulnerability assessments and web application scanners will check for all of these types of attacks
  – Web application firewalls prevent these attacks before the attack gets to the web server
  – Web application developers need to be trained in secure programming practices
  – IT personnel responsible for the security of web servers need to understand the risks
  – Training & awareness

Page 31: Web Application Security

Web Application Security

• Links
  – OWASP http://www.owasp.org
  – CGI Security http://www.cgisecurity.com/
  – Improving Web Application Security: Threats and Countermeasures (ASP.NET) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/threatcounter.asp
  – Web Application Security mailing list http://www.securityfocus.com/archive/107


Page 33: Web Application Security

Contact Information

James Kist

Network Security Corp.

405 North French Road, Suite 100

Amherst, NY 14228

Phone: (716) 692-8183

Fax: (716) 692-8301

www.nsec.net

[email protected]