OWASP Education Project - Template - NASA

Document Sample
OWASP Education Project - Template - NASA Powered By Docstoc
Introduction to Web Application Security

Rex Booth, CISSP, PMP
Senior Manager, Grant Thornton LLP
Introduction: Rex Booth

- Senior Manager at Grant Thornton
- 10+ years of IT experience
- Former web application developer
- Leads the cybersecurity group for Grant Thornton's public sector practice
- Experience with information security from a variety of perspectives, including developer, auditor, and ISSO
Agenda

- Why target web applications?
- Web application attack surface overview
- Attack examples
  - Client layer attacks
  - Application layer attacks
  - Data layer attacks
  - 3rd party trust attacks
- Live Demonstration
- Best Practices and Remediation resources
- Questions
Why target web applications?

1. Incentives
   - Valuable targets
     - Financial
     - Competitive advantage (corporate or national)
     - Force multiplier
   - Reputation / Prestige

2. Absence of effective deterrents
   - Soft targets: weak or poorly implemented security
   - Low cost of entry: cheap and easy access
   - "Wild West" mentality regarding the probability of detection, capture and punishment
Web application attack surface

[Diagram (rendering not preserved): three stacked layers, Client layer (HTML, JavaScript, Flash, etc), Application layer (business logic: .Net, Java, etc) and Data layer (access components, RDBMS), with 3rd Party Trusts alongside all three.]

Client layer:
- Code and functionality executed on the client side
- Various vulnerabilities
- Two key points:
  - Never trust client-supplied data
  - Don't introduce vulnerabilities by trying to offload cycles from the server to the client

Application layer:
- Expression and capture of business rules and business policy logic in code
- Workflows based on the ordered tasks of passing documents or data from one participant (a person or a software system) to another
  - Do those expressions introduce vulnerabilities?
- Attacks on specific technology and poor implementation

Data layer:
- Likely the most valuable component of your application to your organization
- Less focused on code and logic, more focused on good implementation and maintenance, and proper technology

3rd Party Trusts:
- Critical to maintain awareness of system interactions
  - Federal Sector C&A Interconnection Agreements
  - Potential to affect all layers of the application
- Repeat the attack surfaces at the client, application and data layers for each 3rd party trust
Injection Attacks

- SQL injection is the most common web attack
  - An attacker inserts commands into input that is used to dynamically construct SQL queries
  - The attacker may be able to view or modify any data in the database
  - Severity can be equivalent to a full database compromise
- Other injections include XML, LDAP, code injection and remote file inclusion
- Any action that takes input from the user and uses it in a query or function is a potential injection point
SQL Injection Scenario

- You wish to edit your credit card number in your account profile on http://www.shoppingsite.com
- To verify your identity, the site asks for the last 4 digits of your credit card
- The application then passes your input to the following query:

    SELECT * FROM credit_cards WHERE digits = 'your_input'

- What if the attacker enters

    1234' OR '1' = '1

- The full query then becomes

    SELECT * FROM credit_cards WHERE digits = '1234' OR '1' = '1';

- The WHERE clause of this query is always true and, therefore, the query will return every card in the database.
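The scenario above, reproduced as an added example (not part of the original slides) in Python against an in-memory SQLite table filled with constructed, fake rows: the slide's concatenated query sits beside a parameterised one, and a plain input check shows the defence in depth a "last 4 digits" field should have had. Table and column names follow the slide; the sample rows and helper names are assumptions for this example.

```python
import re
import sqlite3

# Constructed sample rows (fake owners and fake last-4 values), not real card data.
SAMPLE_CARDS = [
    (1, "alice", "1234"),
    (2, "bob", "5678"),
    (3, "carol", "9012"),
]

# The slide's payload, exactly as shown above.
PAYLOAD = "1234' OR '1' = '1"


def make_db():
    """In-memory SQLite database standing in for the site's credit_cards table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, owner TEXT, digits TEXT)"
    )
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    return conn


def lookup_vulnerable(conn, user_input):
    """The slide's query built by string concatenation: the input becomes SQL."""
    sql = "SELECT * FROM credit_cards WHERE digits = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Parameterised query: the value travels separately from the SQL text, so
    quotes inside the input can never change the statement's structure."""
    return conn.execute(
        "SELECT * FROM credit_cards WHERE digits = ?", (user_input,)
    ).fetchall()


def is_valid_last4(user_input):
    """Defence in depth: a 'last 4 digits' field should only ever hold 4 digits."""
    return re.fullmatch(r"[0-9]{4}", user_input) is not None


def verify_card(conn, user_input):
    """Reject malformed input up front, then query with a bound parameter."""
    if not is_valid_last4(user_input):
        return []
    return lookup_safe(conn, user_input)


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query rows:", len(lookup_vulnerable(conn, PAYLOAD)))  # 3: every card
    print("parameterised query rows:", len(lookup_safe(conn, PAYLOAD)))       # 0
    print("validated + parameterised:", verify_card(conn, "5678"))            # [(2, 'bob', '5678')]
```

The parameterised form is the real fix; the digit check on its own is not, because a field that legitimately accepts free text cannot be validated into safety, but it cheaply shrinks what ever reaches the database.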
Cross Site Scripting (XSS)

- Affects the client web browser.
- Scripting code from a URL or HTML form gets rendered in the page sent by the server.
- 2 types of XSS:
  - Persistent / Stored: attack code gets stored in the application data store and affects all users who visit the page.
  - Non-Persistent / Reflected: attack code does not get stored and can only affect 1 user at a time.
- One of the most prolific and dangerous vulnerabilities on the web.

Cross Site Scripting (XSS) Scenario

[Screenshots of the demonstration page not preserved in this copy.]

- What if we change "shawn" to:

    "><script>alert(document.cookie)</script>
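An added example (not from the original slides) of why the payload above works and what output encoding does to it. It assumes, for illustration, that the demonstration page reflects the supplied username into an input's value attribute and into visible text; the function names are this example's own.

```python
import html

# The slide's payload, as shown above.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(username):
    """Reflects the raw value into an attribute and into text (assumed page
    layout for this example). The payload's leading "> closes the attribute
    and the tag, so the <script> that follows becomes live markup."""
    return f'<input name="user" value="{username}"><p>Hello, {username}!</p>'


def render_safe(username):
    """Encode at the point of output. html.escape(quote=True) turns & < > " and '
    into entities, so the value can neither close the attribute nor start a tag."""
    safe = html.escape(username, quote=True)
    return f'<input name="user" value="{safe}"><p>Hello, {safe}!</p>'


def contains_script_tag(markup):
    """Coarse check used only to show the difference between the two renderers;
    a real test would parse the DOM rather than search for a substring."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(contains_script_tag(render_vulnerable(PAYLOAD)),
          contains_script_tag(render_safe(PAYLOAD)))  # True False
```

Encoding is context-specific: the entity encoding shown here is right for HTML text and quoted attributes, while a value placed inside a JavaScript block or a URL needs the encoding for that context instead.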
Cross Site Request Forgery (CSRF)

- Affects the client browser.
- The vulnerability allows an attacker to force the browser to fraudulently execute application functionality.
- Leverages the user's authenticated session on the target application.
- Not *really* a vulnerability, rather an exploit of expected functionality.
- Can be one of the most serious vulnerabilities in
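An added example (not from the original slides) of the standard defence, the synchronizer token: because the browser attaches the session cookie to any request, including one a third-party page causes, the application must require a second value that only its own pages can carry. The `/transfer` endpoint, the balance field and the handler names are this example's assumptions.

```python
import hmac
import secrets


class Session:
    """Server-side state for one logged-in user (constructed for this example)."""

    def __init__(self, balance):
        self.balance = balance
        # One unpredictable token per session, kept server-side.
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    """The form the application itself serves. The token is embedded in it; a page
    on another origin cannot read this response, so it cannot reproduce the token."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Transfer</button></form>'
    )


def handle_transfer(session, form):
    """POST handler. The session cookie alone proves nothing about where the
    request came from; the transfer goes through only if the token in the form
    body matches the one tied to this session (constant-time comparison)."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    amount = int(form["amount"])
    if amount <= 0 or amount > session.balance:
        return False
    session.balance -= amount
    return True


if __name__ == "__main__":
    session = Session(balance=100)
    forged = {"amount": "50"}                                     # cross-site form: no token
    genuine = {"csrf_token": session.csrf_token, "amount": "50"}  # submitted from the served form
    print(handle_transfer(session, forged), session.balance)      # False 100
    print(handle_transfer(session, genuine), session.balance)     # True 50
```

The token check also depends on the endpoint only accepting POST: a state change reachable by GET can be triggered by an image tag with no form at all. Setting the session cookie's SameSite attribute is a complementary, browser-enforced control.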
Authentication and Authorization

- Lack of authentication / authorization.
- Unauthorized data access.
- Unauthorized system functionality access.
- Predictable session identifiers.
- Session Fixation.
- Session Replay.
- Brute forcing of credentials.
Session Fixation Example

- Session Fixation occurs when a session identifier is not refreshed after successful authentication
- The following sequence describes an application vulnerable to Session Fixation:
  - When a user browses to www.whatever.com, they receive Cookie: my_cookie=abcdefg
  - After logging in, the application elevates my_cookie=abcdefg from unauthenticated to authenticated status
- Why is this a problem?
  - The initial value may have been sent over an unencrypted channel
  - An attacker could use XSS to set a known value in the target browser
  - The application may accept any value prior to authentication, making this even easier for an attacker
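The sequence above, as an added example (not from the original slides) in Python: a small server-side session table with the vulnerable login beside the remediated one, plus the lookup rule that refuses to adopt a cookie value the server never issued. The credential store is constructed and the class and method names are assumptions of this example.

```python
import hmac
import secrets

# Constructed credential store for the example only; a real application stores
# salted password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def check_password(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


class SessionStore:
    """Server-side table mapping session ids (the cookie value) to session state."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-generated id
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_value):
        """Honour only ids this server issued. An unknown value, such as one planted
        via XSS or simply guessed, gets a fresh anonymous session instead of being
        adopted as-is."""
        if cookie_value in self._sessions:
            return cookie_value
        return self.new_session()

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def login_vulnerable(self, sid, username, password):
        """The slide's flaw: the pre-authentication id is elevated in place, so
        anyone who learned it before login now holds an authenticated session."""
        if not check_password(username, password):
            return None
        self._sessions[sid]["user"] = username
        return sid

    def login_fixed(self, sid, username, password):
        """Remediation: discard the pre-authentication id and issue a new one, so
        whoever knew the old value (unencrypted hop, XSS, fixation) holds nothing."""
        if not check_password(username, password):
            return None
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = username
        return new_sid


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.resolve("abcdefg")  # attacker-chosen value is not adopted
    post_login = store.login_fixed(pre_login, "alice", "correct horse battery staple")
    print(pre_login != post_login, store.user_for(pre_login), store.user_for(post_login))
    # True None alice
```

Most web frameworks expose the regeneration step directly (for example a "regenerate" or "cycle key" call on the session object); the point is that it must run at the moment of authentication, and at any later privilege change as well.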
Business Logic Flaws

- Flaws in the design and/or implementation of the application's business rules, for example:
  - Booking a ticket on a web application without paying.
  - Registering an account without completing all required steps.
  - Applying the same coupon/discount multiple times on the same order.
  - Account lockout on auction sites.
  - Setting your own pricing on a product.
- No way to detect this type of vulnerability using automated tools.
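An added example (not from the original slides) covering three of the flaws listed above in one checkout routine: client-chosen prices, a coupon applied repeatedly, and a ticket issued before payment. The catalogue, coupon table and tampered cart are constructed for the example; the function names are its own.

```python
# Constructed catalogue and coupon table; prices are server-side facts (cents).
CATALOG = {"ticket": 5000}
COUPONS = {"SAVE10": 1000}

# Constructed cart as a client might tamper with it: its own price for the
# ticket and the same coupon code sent three times.
TAMPERED_CART = {
    "items": [{"sku": "ticket", "price": 1}],
    "coupons": ["SAVE10", "SAVE10", "SAVE10"],
}


def total_vulnerable(cart):
    """Trusts the client: uses the price it sent and honours every coupon entry."""
    subtotal = sum(item["price"] for item in cart["items"])
    discount = sum(COUPONS.get(code, 0) for code in cart["coupons"])
    return max(subtotal - discount, 0)


def total_safe(cart):
    """Re-derives the total from server-side facts only: catalogue prices, each
    valid coupon counted once per order, unknown SKUs rejected outright."""
    subtotal = 0
    for item in cart["items"]:
        if item["sku"] not in CATALOG:
            raise ValueError("unknown sku: %r" % item["sku"])
        subtotal += CATALOG[item["sku"]]
    discount = sum(COUPONS[code] for code in set(cart["coupons"]) if code in COUPONS)
    return max(subtotal - discount, 0)


def issue_ticket(cart, amount_paid):
    """The booking step completes only when the amount actually paid covers the
    server-computed total: the workflow order is enforced, not assumed."""
    owed = total_safe(cart)
    if amount_paid < owed:
        return None
    return {"items": [item["sku"] for item in cart["items"]], "paid": owed}


if __name__ == "__main__":
    print(total_vulnerable(TAMPERED_CART))        # 0: free ticket
    print(total_safe(TAMPERED_CART))              # 4000
    print(issue_ticket(TAMPERED_CART, 0))         # None
    print(issue_ticket(TAMPERED_CART, 4000))      # {'items': ['ticket'], 'paid': 4000}
```

Both total functions are syntactically sound and free of injection, which is why a scanner sees nothing wrong with either; only someone who knows that prices and coupon limits are the server's decision can tell them apart.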
Host and 3rd Party Code

- Keeping up with patches
  - Patch management
  - 3rd party code dependency updates
- Host security
  - Unused network services
  - Password policy
  - Brute forcing
  - Logging
  - Hidden/old/unreferenced files
- Building a good relationship with SysAdmins
Best Practices Summary

- Input validation and output encoding
- Strong authentication and password management
- Effective access controls
- Safe error handling and meaningful logging
- Protection of data at rest and in motion
- Proper system and database configuration

See the OWASP Secure Coding Practices Quick Reference Guide for more information.
Remediation Resources

- Incorporating security into the SDLC
  - https://buildsecurityin.us-cert.gov
  - http://www.owasp.org
  - http://www.webappsec.org/
- Post-deployment remediation
  - Two basic approaches: fix the underlying problem, or get in between the threat and the asset
  - The latter approach, including web application firewalls, is not a panacea, but can be useful
Questions

Ask now or contact via email: Rex.Booth@us.gt.com
				