Web Security - PowerPoint PPT Presentation

About This Presentation
Title:

Web Security

Description:

Symantec observed an average of 63,912 active bot-infected computers per day ... Symantec documented 2,526 vulnerabilities in the second half of 2006 ... – PowerPoint PPT presentation

Slides: 26
Provided by: syman3

Transcript and Presenter's Notes

1
Web Security
  • Ryan Gerard
  • QA Engineer
  • Symantec

2
Agenda
  • Web Security in Context
  • Common Web Vulnerabilities
  • Defense Mechanisms
  • Tools
  • Resources

3
Web Security in Context
  • It's all about the walled gardens of data
  • Identity Theft and the Underground Economy

4
Attack Trends
  • Microsoft Internet Explorer was targeted by 77%
    of all attacks specifically targeting Web
    browsers.
  • Symantec observed an average of 63,912 active
    bot-infected computers per day
  • Home users were the most highly targeted sector,
    accounting for 93% of all targeted attacks.

5
Pop Quiz
  • Which country accounted for the most malicious
    activity?
  • The United States accounted for 31 percent of all
    malicious activity during this period, more than
    any other country.

6
Vulnerability Trends
  • Symantec documented 2,526 vulnerabilities in the
    second half of 2006
  • 66% of vulnerabilities disclosed during this
    period affected Web applications

7
Vulnerability Trends
  • 79% of all vulnerabilities in the 2nd half of
    2006 were considered to be easily exploitable
  • 77% of all easily exploitable vulnerabilities
    affected Web applications (61% of all
    vulnerabilities)

8
Vulnerability Trends
  • Symantec documented
  • 54 vulnerabilities in Microsoft Internet Explorer
  • 40 vulnerabilities in the Mozilla browsers
  • 4 vulnerabilities in Apple Safari and Opera

9
Vulnerability Trends
  • 25% of exploit code was released less than one
    day after vulnerability publication. 31% was
    released in one to six days after vulnerability
    publication.

10
Data Breaches by Sector
11
Common Web Vulnerabilities
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Session Hijacking
  • DNS Cache Poisoning

12
Cross-Site Scripting (XSS)
  • Sites are tricked into running user-supplied code
  • Any site that accepts user-input is fair game!

13
XSS: How does it work?
  • Sites output exactly what you type in
  • Input text is interpreted as HTML, Javascript,
    PHP, etc.
  • What happens if you input Javascript?

14
XSS: How does it work?
  • <script>alert('hello')</script>
  • Google validates their input, but not everyone
    does!

15
SQL Injection
  • Sites are tricked into executing user-supplied
    SQL
  • Database is exposed
  • Any site that accepts user-input is fair game!

16
SQL Injection: How does it work?
  • Example

Login.php
  $email = $_POST['email'];
  $cmd = "select * from users where email='$email'";
  $users = $db->execute($cmd);
User Info

17
SQL Injection: How does it work?
  • What happens if you write in SQL code as your
    email?

Login.php
  $email = $_POST['email'];
  $cmd = "select * from users where email='$email'";
  $users = $db->execute($cmd);

  select * from users where email='' AND 1=1
  • Everything from your table is dumped!
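An added example, not from the slides, that rebuilds the Login.php query above in Python with SQLite and sets it beside the two defenses the deck later names: a parameterized query and user-input validation. The user rows are constructed, and the crafted input joins its always-true clause with OR so that the full-table dump the slide describes actually shows up in the returned row count.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's "users" table.
SAMPLE_USERS = [("alice@example.com", "Alice"), ("bob@example.com", "Bob")]

# User-input validation (the slide's first defense): a conservative e-mail
# shape; quotes, spaces and SQL keywords never match it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db

def lookup_vulnerable(db, email):
    """Same shape as the slide's Login.php: the submitted value is spliced
    into the SQL text, so a quote in the input rewrites the query."""
    cmd = "select * from users where email='" + email + "'"
    return db.execute(cmd).fetchall()

def lookup_parameterized(db, email):
    """Hardened form: the value is bound as a parameter, never parsed as SQL,
    so it cannot change the statement's structure whatever it contains."""
    return db.execute("select * from users where email=?", (email,)).fetchall()

def lookup_validated(db, email):
    """Defense in depth: reject malformed input before any query runs and
    return None so the caller can log the rejected request."""
    if not EMAIL_RE.match(email):
        return None
    return lookup_parameterized(db, email)

def demo():
    """Row counts for a normal address and for input shaped like the slide's:
    a quote that closes the string followed by an always-true condition."""
    db = make_db()
    normal, crafted = "alice@example.com", "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(db, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(db, crafted)),  # whole table
        "parameterized_crafted": len(lookup_parameterized(db, crafted)),
        "validated_crafted": lookup_validated(db, crafted),  # rejected: None
        "validated_normal": len(lookup_validated(db, normal)),
    }

if __name__ == "__main__":
    print(demo())
```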

18
Session Hijacking
  • Sessions are used to keep state
  • Also used to identify you as a legitimate,
    authenticated user
  • The Problem: Sessions are easy to manipulate

19
Session Hijacking: Example (diagram)
  Victim -> Website: login
  Website -> Victim: sessionid=12345
  Victim -> Website: GET account.php?sessionid=12345
  Attacker -> Website: GET account.php?sessionid=12345 (the victim's session ID, replayed)

20
DNS Cache Poisoning
  • Send incorrect DNS / IP updates to a local DNS
    nameserver
  • Redirect traffic to wherever you want
  • Technique used to host phishing websites

21
DNS Cache Poisoning: Example (diagram)
  Attacker -> DNS Server: bankofamerica.com. IN A 1.1.1.1 (forged record)
  Victim -> DNS Server: gethostbyname(bankofamerica.com)
  DNS Server -> Victim: 1.1.1.1

22
Defense Mechanisms
  • User-Input Validation
  • Unpredictable Session ID Scheme
  • Configuration Management

23
Web Security Tools
  • mod_security for Apache
  • Nessus: Network and Server Scanner
  • Nikto: Web Server Scanner
  • WebScarab: HTTP/S Analysis and Manipulation
  • WebGoat: An insecure web app designed to teach
    web app security

24
Resources
  • OWASP
  • How to Break Web Security
  • WHATWG
  • Bruce Schneier (http://www.schneier.com/)
  • SecurityFocus (http://www.securityfocus.com/)
  • Symantec Internet Security Threat
    Report (http://www.symantec.com/threatreport/)

25
Questions?
  • ryan_gerard_at_symantec.com
  • http://searchforquality.blogspot.com
  • I'm taking resumes