Securing Web Applications

 tags so that the browser won‟t interpret them

21

SQL Injection
 Erin visits a site and searches for: Architect‟s Checklist

 She gets an error that says: Sorry, an unexpected error has occurred:
Invalid SQL Syntax

22

SQL Injection in Action
 Pointy-haired boss:
Tries the search again Assumes site is broken Realizes that the single quote is often used in SQL statements to surround text Tries searching for: architect checklist Gets results

 Knowledgeable user:

23

SQL Injection in Action
Attacker:
Views the HTML source for the page to look for field names that might match the database columns Imagines the SQL to be something like:
select name, isbn from book where name like ‘%architect’s checklist%’

Gets full list by searching for: foo‟ or name like „ Tries logging in as: foo‟ and gets the error Tries logging in as:
Gets a page that says “Welcome, admin…”
24

Username: foo Password: bar‟ or username=„admin

SQL Injection – Flavors
 Code for advanced searches and other criteria screens constructs query using string concatenation

 Authentication module constructs login query using string concatenation
 Database or driver doesn‟t bind parameters

25

SQL Injection – Fixes
 Use PreparedStatements

 Validate all user info
 Strip out special characters  Never display SQL error messages to user

 Use different field names for user interface and database
 Turn off unused database features

 Limit database user privileges

26

Session hijacking/replay
 What a boring presentation…  Brian pops open his laptop and connects to the hotel‟s wireless network

 Browses his web mail

27

Session hijacking in Action
 Attacker:
Fires up a wireless cracking program like Kismet Watches Brian‟s information go by Notices him making requests to a web-based mail service Reads his email as it goes by…

28

Session hijacking in Action
 Attacker (continued):
Wonders what other mail Brian keeps on the server Grabs Brian‟s session cookie as it goes by Makes her own request to the mail server with that cookie and is automatically logged in Reads through Brian‟s saved messages to find all sorts of usernames and passwords
29

Session hijacking – Flavors
 Network sniffing
To be fair, a lot of the 802.11 problem is on Brian‟s side, since he‟s browsing in the clear over airwaves

 Cookie Theft (e.g. through XSS)  Brute forcing session IDs

Trying over and over until a valid session is found Computing the next session ID by observing the algorithm the server uses to generate them

30

Session hijacking – Fixes
 Run everything over HTTPS
 At least, run all confidential information over HTTPS  Don‟t write your own simple session management

 If you do write something:
match session key to IP address alter session on every request so that you can detect duplicates

31

Error exploitation
 Erin visits a travel site and starts browsing for 8-day Alaskan cruises

 She finds one she likes and sees that there are 40 cabins left
 She starts to book the only remaining deluxe cabin, but her credit card is declined

 She tries to rebook with a different credit card, but the deluxe cabin is taken

32

Error exploitation in Action
 Pointy-haired boss:
Books an Economy cabin

 Knowledgeable user:
Calls to verify that it‟s not still reserved based on her aborted booking attempt Finds out that the cabin was accidentally reserved and is really available

33

Error exploitation in Action
 Attacker:
Books a bunch of cabins
Using fake credit card numbers Through an anonymous web redirector

Waits to see how long it takes for the company to realize they weren‟t really booked Calls at the last minute and gets a great deal since they‟re so undersold

34

Error exploitation – Flavors
 Time-consuming processes  Reliance on cached values of prices or other data (that may have been manipulated)  Broken/misconfigured transactions
Multiple operations may not be correctly grouped into transactions
Transaction rollback may leave the database consistent, but not revert changes to cached data or other application state
35

Error exploitation – Fixes
 Ensure that all modification is transactional  Be careful that cached values are properly flushed when transactions roll back

 Enforce performance goals  Watch logs for unusual error patterns (automate this!)

36

Always remember…
 Don‟t trust or display user input until you‟ve cleaned and validated it

 Don‟t use HTML comments to describe dynamic code  Keep control over your error messages  Don‟t advertise details about your network, servers, databases or code
 Implement row-level security  Log everything (and analyze the logs)

37




						  
						  


	    
	    

					 
            
        
    

	
	
	

		


		




		
		
Related docs



Securing the Enterprise Web Applications and Web Services security Inyoung

Views: 18  |  Downloads: 7




Securing Business by Securing Database Applications Presented by

Views: 13  |  Downloads: 3




Securing Web Applications

Views: 113  |  Downloads: 5




Securing Web Application

Views: 526  |  Downloads: 36




Securing-the-Uncertain

Views: 0  |  Downloads: 0




Securing Third party Web Applications Dr Michael Cohen This talk

Views: 1  |  Downloads: 3




Securing Web Applications Ben Maurer Ted Pham Information Security Office

Views: 2  |  Downloads: 0




September Securing Web Applications via PKI James A Rome Oak

Views: 4  |  Downloads: 0




FHNW Workshop ISM Securing Web Applications Carlo U Nicola September

Views: 7  |  Downloads: 0




Securing Web Services

Views: 0  |  Downloads: 0




Configuring web servers and web applications

Views: 54  |  Downloads: 21




securing-php

Views: 11288  |  Downloads: 47




		
		      
      

      

Business Plan Presentation Template$4.95

Marketing Plan$29.95

Business Plan$25.00

Letter of Intent for Business Transactions$14.95

Employee Handbook for Company$39.95

Sample Business Case$19.95

Sample Project Closeout Report$14.95
            

      

		
Other docs by Local Girl



MEETING PARTICIPANT LIST

Views: 213  |  Downloads: 4




ajij

Views: 122  |  Downloads: 0




Collateral control agreement

Views: 199  |  Downloads: 1




Transcript of Treaty of Guadalupe Hidalgo

Views: 176  |  Downloads: 1




28novleft[1]

Views: 93  |  Downloads: 0




From mortgaged premises

Views: 410  |  Downloads: 0




Executive Order 9066 Resulting in the Relocation of Japanese info

Views: 293  |  Downloads: 0




Right of approval of services to others

Views: 131  |  Downloads: 0




Dealer computer software license agreement

Views: 495  |  Downloads: 27




Transcript of Executive Order 10924 Establishment of the Peace Corps

Views: 150  |  Downloads: 0




communication

Views: 362  |  Downloads: 13




Sales Contract Lump Sum Payment

Views: 315  |  Downloads: 10




Transcript of Joint Address to Congress Leading to a Declaration of War Against Germany

Views: 182  |  Downloads: 0




Test Ban Treaty info

Views: 168  |  Downloads: 0




Assignment of application for registration

Views: 161  |  Downloads: 0




		

    
    
	

			
			
		
		


	
	
		
		

			

				

				

					

							
About:
							
What is Docstoc? | Docstoc Terms of Service | DocStore Terms of Service | Privacy Policy | FAQs
					
					

							
Links:
							
Docstoc Blog | Join Pro | Requests | Docsters | Upload | DMCA Guidelines | DMCA Notification | Docstoc API | RSS Feeds 
					
					

							
Contact:
							
Contact Us | Suggest Features | Join Our Team
					
					

							
Share:
							
Embed Documents | Docstoc OneClick | Docstoc Sync 
					
					
					

					
© Docstoc 2009. All rights reserved.