Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security

ECE 4112

ECE 4112 - Internetwork Security

What is a Web Application?

• An application generally comprised of a collection of scripts that reside on a Web Server

• Interacts with databases or other sources of dynamic content

• Examples include: search engines, webmail, shopping carts and portal systems


Web Applications Breach the Perimeter


Web Application Vulnerabilities

• Generally stem from improper handling of client requests and/or lack of input validation checking

• Web applications are publicly accessible

• Process data elements from within HTTP requests

• Fail to identify how data elements were captured – difficult to know what kind of validation and sanity checking to use


The Root of the Issue: Input Validation

• Can be difficult to locate in a large code base

• Penetration testing used to expose problems

• Web applications subject to traditional forms of attack


SQL Injection Vulnerabilities

• Stems from failure of developers to strip user input of potentially “nasty” characters prior to input use

• Can lead to varying levels of data/system access for attacker

• May allow read in or write out to files, execution of shell commands on underlying OS


Locating SQL Injection Vulnerabilities

• Studying application inputs and inserting special characters

• Most popular database backends give informative error messages, yielding clues about SQL syntax

http://www.abc.com/app.asp?user=jason&password=’ OR ‘1’=’1

http://www.abc.com/app.asp?user=jason&password=’


Testing For SQL Injection


JSP Code Example:

String username = request.getParameter(“user”);

String password = request.getParameter(“password”);

String SQLQuery = “SELECT Username FROM Users WHERE Username = ‘” +

username + “’ AND Password = ‘” + password + “’”;

Statement stmt = dbConnection.createStatement();

ResultSet resultSet = stmt.executeuery(SQLQuery);

String checkAuth = resultSet.getString(1);

boolean authenticated = false;

if(checkAuth == null)

authenticated = false;

else

authenticated = true;


Web Form Example:

Login:‘ OR ‘1’=’1Password:‘ OR ‘1’=’1

Now the SQL Query becomes:SELECT Username FROM Users WHERE

Username = ‘’ OR ‘1’=’1’ AND

Password = ‘’ OR ‘1’=’1’


OS Commanding

• If a hacker can access your cmd.exe or a copy of it, he can use it to execute arbitrary commands on your web browser.

• In conjunction with tftp, a hacker could use this to download his own tools to the machine and compromise the machine further.


Cross Site Scripting

• Also known as XSS• Embed Javascript into page that

executes on view• Commonly used to display and

redirect user cookie data• Particularly vulnerable are message

boards and web forms


Cross Site Scripting Examples

<script>alert(document.cookie)</script>

Can display user’s cookie which can contain session and authentication information

• Gmail XSS Vulnerability - Fixed zx variable used in authentication can

contain exploitable scripts

• Often the script text is converted to hex characters to hide its intent


Phishing Attacks

• Attacker creates replica login page that forwards information to them

• Usually attack financial institutions• Spread by email that persuades

users to access the fake page and login

• October 2004, 1142 phishing sites up from 542 in September.


Phishing Examples

• Citibank recent target www.citibank.com/domain/email_scam.htm

• Newer sophisticated attacks being used by organized crime groups to collect credit card and social security numbers

• Email links can contain IP address instead of DNS name in email link


Achilles Web Proxy

• Achilles acts as a HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly.

• By modifying parameters, a user can potentially alter the contents of hidden fields or gain access to additional resources.

• Can also be used to change cookie values.


What you will do in this lab:

• Information Gathering using nmap and netcat

• SQL Injection• OS Commanding• Cross Site Scripting• Phishing Attacks• Achilles Web Proxy


Resources

• Lecture Slides excerpted from: http://www.securityfocus.com/infocus/1709 http://www.securityfocus.com/infocus/1722 http://www.securityfocus.com/infocus/1704 “Phishing spreads the net wider.” Computer Weekly. November 2004. http://www.securitytracker.com/alerts/2004/Nov/1012289.html “Cross-Site Scripting.” SPIDynamics. “Top Web App Attack Methods and How to Combat Them.” SPIDynamics. http://www.mavensecurity.com/achilles

Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Documents