Designing and Testing Secure Web Applications
Blue Oasis Technologies, Inc 2005
Background and Material
• Will Bechtel, Blue Oasis - CISSP
• 18 years of experience in Software Development, IT and Security.
• Development of web based applications for Sony, American Express, Cellular One, Federal Express, Sega, US Navy, Wells Fargo.
• Example .Net Web application from www.foundstone.com – Hacme Bank.
• Top ten vulnerabilities from Open Web Application Security Project (OWASP) – www.owasp.org
Overview
• Application vulnerabilities – why should you care?
• Review top ten web application vulnerabilities (www.owasp.org).
• Review simplified common Web Application Architecture.
• Review web application attack architecture.
• Show web application attacks on Foundstone’s Hacme Bank example application.
• Introduction to automated testing tools for scanning web applications.
• Overview of Web application security testing tool – SPI Dynamics’ WebInspect.
• Overview of database server testing tool – Application Security Inc.’s AppDetective.
Application vulnerabilities – why should you care?
• 2004 – Victoria’s Secret fined $50,000 for breach of privacy on website. Parameter alteration.
• 2002 – Tower Records agreement which could pay up to $11,000 for each occurrence (up to 5000). Parameter alteration.
• None of the above mention the lawsuits that are sure to follow … so LIABILITY is the issue.
OWASP Top 10 Web App Vulnerabilities
• Unvalidated Input
• Broken Access Control
• Broken Authentication and Session Management
• Cross Site Scripting (XSS) flaws
• Buffer Overflows
• Injection Problems
• Improper Error Handling
• Insecure Storage
• Denial of Service
• Insecure Configuration Management
Typical Web Application Scenario
Diagram: Client [Web Browser (Internet Explorer)] --HTTP(S)--> Firewall --> DMZ [Web Server (IIS)] --ODBC--> Firewall --> Database (MSSQL)
Web Application Attack Scenario
Diagram: Web Browser --HTTP(S)--> Attack Workstation [Proxy Server] --HTTP(S)--> Firewall --> DMZ [Web Server] --ODBC--> Firewall --> Database
Proxy Server allows changes to requests after leaving the web browser, but before reaching the server – changes to parameters, etc.
Hacme Bank Examples
• SQL Injection
• URL Parameter Manipulation
• FORM Parameter Manipulation
• Cross-Site Scripting
• Cookie Manipulation
Introduction to Automated Web Application Testing Tools
• Tools automate the ‘attack’ on the web server/database server.
• Send protocol specific requests to the server to test for common vulnerabilities.
• Can execute policy based scans for specific purposes.
What automated testing tools excel at:
• Testing for 100s of common vulnerabilities and misconfigurations that are impractical to test for manually.
• Regression testing of servers to ensure they stay secure – especially after activities like patching or new code deployment.
• Ability to schedule automated scanning/testing for off-production hours to avoid conflicts.
What automated testing tools have problems with:
• Detailed exploits that require intelligent feedback and analysis – example: Advanced SQL Injection for Hacme Bank.
• White box testing – Automated tools are most effective at ‘guessing’ and using known signatures to identify issues. Software code reviews may find many more lurking issues that the tools cannot, especially with custom developed software.
Common issues with automated test tools:
• Testing can adversely impact a system being scanned. Performance issues and crashing can happen. It is usually difficult to know what the impact will be before scanning any given web/app or database server.
• The most rigorous testing usually requires special planning and may overload log files, set off IDS sensors and leave ‘junk’ application data.
• Information overload and false positives.
Some techniques for addressing common issues with automated test tools:
• Always run scans on development, then test, then production. This doesn’t eliminate issues because many times these environments are not exactly the same, but it usually reduces the likelihood of adverse effects.
• The first scans for any given system should be run manually and monitored with the system admin so that any issues can be identified and the scan can be stopped if needed.
• If testing data will be injected, back up database/system prior to testing, then restore after test. You probably are better off creating a second test environment for this case.
• Coordinate testing around known process schedules; ensure other security personnel who monitor security sensors or management systems are in the loop.
SPI Dynamics - WebInspect
• Automated tool for scanning web applications and web services.
• Smart update to get latest vulnerability tests.
• Scriptable – can automate login process/etc.
• Has 2 phases
– Crawl
• Read only – does not post any data
• Determines vulnerabilities by interacting with app – uses informed guessing and reads signatures
• Lower impact
– Audit
• Submits data to expose vulnerabilities
• High impact – will put test data into application
SPI Dynamics – WebInspect - Challenges
• False positives and noise.
• Can be difficult to know how best to test an application. Multiple scans with and without credentials provide best coverage but are most complicated.
• Although there are explanations for vulnerabilities and references to how to mitigate the risk, it can be difficult to determine how to prioritize remediation/control analysis.
• Tool can automatically find the issues, but addressing them can be overwhelming.
• Application usage/environment must be factored into risk ratings.
Application Security Inc – AppDetective
• Automated tool for scanning databases.
• Smart update to get latest vulnerability tests.
• Has 2 primary phases
– Pen Test
• Black Box – tests without authentication or access.
• Determines vulnerabilities by interacting with app – uses informed guessing and reads signatures
• Acts as an ‘outsider’ would
– Audit
• Utilizes supplied credentials to read configuration
• Can identify configuration/patching/other problems
Application Security Inc – AppDetective Challenges
• Getting the DBAs to let you test their systems without having a stroke.
• Potential impact on other applications that use a shared DB Server.
• Can be difficult to determine the real level of risk – there is always a trade-off between the risk of the fix breaking something and leaving the opening.
Licensing Issues
• WebInspect licensed by company, not per server. Good for large organizations – prices out smaller companies.
• AppDetective licenses per ‘instance’. More practical for small companies, can get pricey for larger organizations.
OWASP Top Ten Mitigation Techniques
• Unvalidated Input, Cross Site Scripting (XSS), Injection Problems, Buffer overflows
– Mitigation techniques: Code reviews. Do not rely on client-side (javascript) validation. Develop or purchase common input validation routines (validated), then put policies/standards in place that require they be used or, if not, that other routines used pass similar validation.
• Broken Access Control
– Mitigation techniques: Code reviews of custom code. Use trusted components. URL filtering. Avoid client-side caching (for cookies, etc).
• Broken Authentication and Session Management
– Mitigation techniques: Ensure password complexity and secure storage, SSL to protect credentials in transit, avoid client-side caching.
• Cross Site Scripting (XSS) flaws
– Mitigation techniques: Develop or purchase common input validation routines (validate them), then put policies/standards in place that require they be used or, if not, that other routines used pass similar validation.
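A server-side common input validation routine of the kind the slide recommends, as an added example (not code from the slides or from Hacme Bank); the field names and allowlist rules are constructed for a funds-transfer form, and the routine rejects any parameter it has no rule for, so an extra or renamed form field cannot slip past validation:

```python
import re
from decimal import Decimal

# Allowlist rules for a constructed funds-transfer form. Each field has one
# rule; input that does not match is rejected rather than "cleaned up".
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "account_no": re.compile(r"[0-9]{8,12}"),
    "amount": re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?"),
}
MAX_LEN = 256  # cheap length check before any regex runs


class ValidationError(ValueError):
    """Any input that fails its allowlist rule."""


def validate(field, raw):
    """Return the typed value for one field, or raise ValidationError."""
    if not isinstance(raw, str):  # form values always arrive as strings
        raise ValidationError(f"{field}: not a string")
    if len(raw) > MAX_LEN:
        raise ValidationError(f"{field}: too long")
    rule = RULES.get(field)
    if rule is None:
        # Fail closed: a parameter with no rule is never accepted, which
        # keeps extra or renamed form fields from reaching the application.
        raise ValidationError(f"{field}: no validation rule")
    if rule.fullmatch(raw) is None:
        raise ValidationError(f"{field}: rejected")
    # Convert money to a decimal only after the text form has been accepted.
    return Decimal(raw) if field == "amount" else raw


def validate_form(form):
    """Validate every submitted parameter; one bad field rejects the form."""
    return {name: validate(name, value) for name, value in form.items()}
```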
OWASP Top Ten Mitigation Techniques
• Injection Flaws
– Mitigation Techniques: Use prepared statements and stored procedures. Check return codes for proper/expected values.
• Improper Error Handling
– Mitigation Techniques: Fail closed. Do not return unneeded information to the user (log it).
• Insecure Storage
– Mitigation Techniques: Avoid storing sensitive information – if possible require re-entry. Do not ‘roll your own’ encryption – use industry validated components.
• Denial of Service
– Mitigation Techniques: If possible limit resources a single user can utilize. Do not allow unauthenticated users to execute expensive operations.
• Insecure Configuration Management
– Mitigation Techniques: Patch regularly. Utilize vendor and industry supplied hardening guidelines for web/app/database at both the OS and application tier.
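The prepared-statement, return-value check and fail-closed advice above in one place, as an added example (not code from the slides or from Hacme Bank); an in-memory SQLite table constructed here stands in for the MSSQL accounts table, and a string-concatenated lookup is shown beside its parameterised form:

```python
import logging
import sqlite3

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("accounts")


def make_db():
    """Constructed sample data: two account owners, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("O'Brien", 250)])
    return conn


def balance_concat(conn, owner):
    # Vulnerable: the caller's string becomes part of the SQL text, so a quote
    # in the input changes the query's structure instead of being compared
    # as data, and the raw database error propagates to the caller.
    sql = "SELECT balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def balance_prepared(conn, owner):
    # Hardened: the bound parameter keeps the input as data whatever it
    # contains; the result is checked against the expected shape (exactly one
    # row) and any failure is logged and turned into a generic "no result".
    try:
        rows = conn.execute(
            "SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchall()
    except sqlite3.Error as exc:
        log.error("account lookup failed for %r: %s", owner, exc)
        return None  # fail closed: nothing about the error reaches the user
    if len(rows) != 1:
        log.warning("expected one row for %r, got %d", owner, len(rows))
        return None
    return rows[0][0]
```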
Web Application Security References
• Open Web Application Security Project (OWASP) - http://www.owasp.org/
• Web Application Security Consortium - http://www.webappsec.org/
Web Application Testing Tools
• Paros Proxy - http://www.parosproxy.org/download.shtml – Proxy Server
• Foundstone – Hacme Bank and other free tools - http://www.foundstone.com/index.htm?subnav=products/navigation.htm&subcontent=/products/overview.htm
• SPI Dynamics – WebInspect - http://www.spidynamics.com/products/webinspect/index.html – Web app security assessment tool
• Watchfire (purchased Sanctum) – AppScan - http://www.watchfire.com/products/security/default.aspx – Web app security assessment tool
• Application Security Inc – AppDetective - http://www.appsecinc.com/products/appdetective/ – Database security assessment tool