Web Application Security - PowerPoint PPT Presentation

Slides: 20
Provided by: AllenB59

Transcript and Presenter's Notes

Title: Web Application Security

1
Web Application Security
  • Presented By
  • Allen Brokken GSEC, CSDA

2
Overview
  • Disclaimer
  • Why Should I Care?
  • Open Web Application Security Project
  • OWASP Top Vulnerabilities
  • Conclusion
  • Q&A

3
Disclaimer
  • The information contained in this presentation is
    intended to be used to educate developers about
    security vulnerabilities commonly found in Web
    Applications.
  • This presentation is not intended as training
    material for those with malicious intent against
    information systems.
  • Exploitation of the vulnerabilities listed in
    this presentation on systems or applications not
    owned or developed by the viewer is illegal in
    jurisdictions worldwide.
  • It is a violation of the University of Missouri
    Acceptable Use policy to transmit these exploits
    across the MU network without explicit permission
    of the system or application owner they are
    directed at.
  • The presenter is a trained professional, don't
    try this at home.

4
Why Should I Care?
  • "...all users were able to view individual
    customers' orders for items of intimate apparel
    in which the retailer specializes."
  • 50,000
  • "One clever MySpace user figured out how to
    force others to become his friend. In less than
    24 hours, 'Samy' had amassed over 1 million
    friends."
  • 1,000,000 Profiles
  • "...informed its members that their credit card
    information might have been compromised after a
    Chicago-based hacker cracked the site's code."
  • 5,000 Credit Cards

5
Why Should I Care?
  • Common Misconceptions
  • Aren't I protected by firewalls or something?
  • I thought you just needed to keep things patched?
  • I'm not using Microsoft, so I must be secure.
  • Isn't keeping me secure your job?

6
The Open Web Application Security Project
  • The Open Web Application Security Project (OWASP)
    is dedicated to finding and fighting the causes
    of insecure software.
  • They have chapters world wide and manage multiple
    projects designed to help individuals and
    organizations increase the level of security of
    their applications.
  • http://www.owasp.org

7
OWASP TOP 10
  • 1 Unvalidated Input
  • Information from web requests is not validated
    before being used by a web application. Attackers
    can use these flaws to attack backend components
    through a web application.

8
OWASP TOP 10
  • 2 Broken Access Control
  • Restrictions on what authenticated users are
    allowed to do are not properly enforced.
    Attackers can exploit these flaws to access other
    users' accounts, view sensitive files, or use
    unauthorized functions.
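As an added illustration of this category (example code, not from the presentation), the order lookup below shows the failure behind the "view other customers' orders" headline on slide 4 beside a version that ties the lookup to the authenticated session user; the order table and customer names are constructed.

```python
# Added example, not from the presentation. ORDERS is a constructed stand-in
# for an order database; the customer names and ids are invented.
ORDERS = {
    1001: {"customer": "alice", "items": ["sweater"]},
    1002: {"customer": "bob", "items": ["scarf"]},
}


class AccessDenied(Exception):
    """Raised when the session user may not see the requested order."""


def get_order_broken(order_id):
    """Vulnerable: the only check is that an order with this id exists, so any
    authenticated user who edits the id in the request sees another
    customer's order."""
    return ORDERS.get(order_id)


def order_visible_to(session_user, order_id):
    """Authorization rule: an order is visible only to the customer who placed
    it. Keeping the rule in one function means every handler applies it the
    same way."""
    order = ORDERS.get(order_id)
    return order is not None and order["customer"] == session_user


def get_order(session_user, order_id):
    """Hardened: the user comes from the server-side session, never from the
    request, and the ownership rule runs before anything is returned."""
    if not order_visible_to(session_user, order_id):
        # Same response for "no such order" and "not your order", so probing
        # ids reveals nothing about other customers' orders.
        raise AccessDenied(f"order {order_id} is not available")
    return ORDERS[order_id]
```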

9
OWASP TOP 10
  • 3 Broken Authentication and Session Management
  • Account credentials and session tokens are not
    properly protected. Attackers that can compromise
    passwords, keys, session cookies, or other tokens
    can defeat authentication restrictions and assume
    other users' identities.

10
OWASP TOP 10
  • 4 Cross Site Scripting (XSS) Flaws
  • The web application can be used as a mechanism to
    transport an attack to an end user's browser. A
    successful attack can disclose the end user's
    session token, attack the local machine, or spoof
    content to fool the user.
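As an added example (not code from the presentation), the functions below show a response that echoes user text unencoded beside the encoded version, and the cookie attributes that keep a session token out of reach of injected script; the display name and cookie name are constructed.

```python
import html

# Constructed input: a display name carrying HTML markup. It stands in for any
# field one user can fill in and another user will later view.
UNTRUSTED_NAME = '<script>alert("xss")</script>Samy'


def render_greeting_broken(display_name):
    """Vulnerable: untrusted text is concatenated straight into the response,
    so any markup in it is interpreted by the viewer's browser."""
    return f"<p>Hello, {display_name}!</p>"


def render_greeting(display_name):
    """Hardened: HTML-encode the text before placing it in element content.
    The browser then displays the characters instead of executing them."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def session_cookie_header(token):
    """Limits what a successful XSS can steal: HttpOnly keeps the cookie out
    of reach of page scripts and Secure restricts it to HTTPS. The cookie
    name "session" is an assumption for the example."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; Path=/"


if __name__ == "__main__":
    print(render_greeting_broken(UNTRUSTED_NAME))
    print(render_greeting(UNTRUSTED_NAME))
    print(session_cookie_header("constructed-token-value"))
```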

11
OWASP TOP 10
  • 5 Buffer Overflows
  • Web application components in some languages that
    do not properly validate input can be crashed
    and, in some cases, used to take control of a
    process. These components can include CGI,
    libraries, drivers, and web application server
    components.

12
OWASP TOP 10
  • 5 Buffer Overflows cont.

[Diagram: memory layout for the buffer-overflow slide. A memory manager table
lists program allocations (Your Code 1148-1248, Explorer.exe 1548-5548) next
to a memory map showing Free Memory, Your Code and Explorer.exe.]

13
OWASP TOP 10
  • 6 Injection Flaws
  • Web applications pass parameters when they access
    external systems or the local operating system.
    If an attacker can embed malicious commands in
    these parameters, the external system may execute
    those commands on behalf of the web application.
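The example below is added here (it is not from the presentation) and serves both item 1, Unvalidated Input, and item 6, Injection Flaws: a lookup that splices a request parameter into SQL text beside a parameterized query, with an allow-list check at the request boundary. The users table is constructed in memory and the username pattern is an assumption.

```python
import re
import sqlite3

# Added example, not from the presentation. The allowed username shape is an
# assumption for the demonstration.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Constructed in-memory table so the block runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "customer"), ("bob", "customer"), ("carol", "admin")])
    return conn


def is_valid_username(value):
    """Item 1: accept only what a username may look like. An allow-list
    rejects quote and comment characters without having to enumerate them."""
    return bool(USERNAME_RE.match(value))


def find_user_broken(conn, name):
    """Vulnerable (item 6): the request parameter is spliced into the SQL
    text, so quote characters in it change the command the database runs."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user(conn, name):
    """Hardened: bind the value as a parameter. The database treats it purely
    as data, so the same payload simply matches no user."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def lookup_handler(conn, name):
    """Request boundary: reject malformed input before it reaches any backend
    (item 1), and use the parameterized query for what gets through (item 6)."""
    if not is_valid_username(name):
        return {"error": "invalid username"}
    return {"users": find_user(conn, name)}
```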

14
OWASP TOP 10
  • 7 Improper Error Handling
  • Error conditions that occur during normal
    operation are not handled properly. If an
    attacker can cause errors to occur that the web
    application does not handle, they can gain
    detailed system information, deny service, cause
    security mechanisms to fail, or crash the server.

15
OWASP TOP 10
  • 8 Insecure Storage
  • Web applications frequently use cryptographic
    functions to protect information and credentials.
    These functions and the code to integrate them
    have proven difficult to code properly,
    frequently resulting in weak protection.
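As an added example of the "weak protection" this item describes (not code from the presentation), the block below puts an unsalted fast digest beside salted, stretched password storage with constant-time verification; the iteration count is an assumption chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Added example, not from the presentation. The iteration count is an
# assumption for the demonstration; production values should follow current
# guidance for the hash in use.
ITERATIONS = 200_000


def store_password_broken(password):
    """Weak: an unsalted, fast digest. Equal passwords give equal records, and
    the digest is cheap to brute-force or look up in precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password, salt=None):
    """Hardened: a random per-record salt plus PBKDF2-HMAC-SHA256 stretching.
    The record carries everything verification later needs."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record, candidate):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```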

16
OWASP TOP 10
  • 9 Denial of Service
  • Attackers can consume web application resources
    to a point where other legitimate users can no
    longer access or use the application. Attackers
    can also lock users out of their accounts or even
    cause the entire application to fail.

17
OWASP TOP 10
  • 10 Insecure Configuration Management
  • Having a strong server configuration standard is
    critical to a secure web application. These
    servers have many configuration options that
    affect security and are not secure out of the
    box.

18
Practice Sites
  • Starfleet Academy
  • http://academy.dyndns.org
  • HACK This Site
  • http://www.hulla-balloo.com/hack/level1/
  • Next Generation Security Games
  • http://quiz.ngsec.com/
  • WebGoat
  • http://www.owasp.org/software/webgoat.html
  • Requires a Java Virtual Machine be available on
    the local machine, and runs from the local
    machine.
  • HACME Bank / HACME Books
  • http://www.foundstone.com
  • Note: you will have to install these on a system
    you can run an appropriate web server on.

19
References
  • Victoria's Secret reveals far too much
  • http://cooltech.iafrica.com/technews/280300.htm
  • Cross-Site Scripting Worm Hits MySpace
  • http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
  • Online political warriors savage opposition Web
    sites
  • http://www.statesman.com/metrostate/content/metro/stories/07/14hackers.html