J.R. Wikes CISA, CISSP, CEH, QSA

About This Presentation

Title:

J.R. Wikes CISA, CISSP, CEH, QSA

Description:

J.R. Wikes CISA, CISSP, CEH, QSA. jrwikes13_at_hotmail.com. Employment History ... Security Operations. Chase Card Services Lead Ethical Hacking Team ... – PowerPoint PPT presentation

Number of Views:385

Avg rating:3.0/5.0

Slides: 39

Provided by: nonyabu

Category:

more less

Transcript and Presenter's Notes

Title: J.R. Wikes CISA, CISSP, CEH, QSA

1

J.R. Wikes CISA, CISSP, CEH, QSA
jrwikes13_at_hotmail.com

Employment History
UofD alumni Class of 2000 Accounting MIS
PricewaterhouseCoopers - Global Risk Management
Services
MBNA America - Information Security Operations
Chase Card Services Lead Ethical Hacking Team
Symantec Consulting Services Lead Consultant
Security Certifications
Certified Information Systems Auditor (CISA)
Certified Information Systems Security
Professional (CISSP)
Certified Ethical Hacker (CEH)

2
3
3
4

Web applicationA software program that uses
HTTP for its core communication protocol and
delivers Web-based information to the user in the
HTML language.
http//www.microsoft.com

4
5
5
6

In the first half of 2007, 61 percent of all
vulnerabilities affected web applications.

6
7

According the Web Application Security Consortium
(WASC), web application vulnerabilities are
extremely common

7
8
8
9

Web Browser Mozilla Firefox, Internet
Explorer
Intercepting Proxy Paros, WebScarab, Burp
Proxy
Web Content Scanners Nikto, DirBuster
Fuzzers Spike Proxy, Burp Intruder
Brute Forcing Tools Hydra, Crowbar
Client Side Code Decompilers JAD, Flare
Commercial Tools IBM/Watchfire AppScan, HP/SPI
Dynamics WebInspect

9
10

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

10
11

Web applications that do not utilize SSL are
subject to network sniffing attacks
SSLv2 is vulnerable to Man In The Middle (MITM)
attacks
Weak SSL ciphers (less then 64 bits) can be
easily cracked

11
12
12
13
13
14

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

14
15

Weak passwords can be
Blank passwords
The same password as the username
Common passwords (such as password and
abc123)
Too short (less than eight characters)
Dictionary words
Based on dictionary words
Discovering usernames (for example through a
valid account determination vulnerability) is
half the battle

15
16
16
17

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

17
18

HTTP is a stateless protocol, so session
identifiers are required
Session identifiers should not be predictable
Homegrown session identifiers are suspect
Set-Cookie SESSIONIDa44b0846e788582dfab40511
Set-Cookie SESSIONIDa44b0846e788582dfab41985
Set-Cookie SESSIONIDa44b0846e788582dfab42008
Session identifiers should have the following
cookies set
Secure prevents cleartext transmission
HTTPOnly prevents JavaScript from accessing
cookie data

18
19

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

19
20

The business logic executed by the web
application is defective in some way, usually due
to some invalid assumption
Difficult to automate testing because attacks
vary greatly and there is not a common attack
signature
Examples
Horizontal privilege escalation
Vertical privilege escalation
Setting cheaper prices or negative quantities
within an e-commerce application

20
21
21
22

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

22
23

Results from insufficient input validation when
user input is included within a SQL query
Allows attackers to control the SQL query
executed on the backend database server

23
24

Example SQL query within application code
SELECT FROM users WHERE (username
AND password)
Normal SQL input username msmith
SELECT FROM users WHERE (usernamemsmith AND
passwordabcd123)
SQL injection input username ) OR 11--
SELECT FROM users WHERE (username) OR 11--
AND password)

24
25

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

25
26

Cross-Site Scripting (XSS) results from
insufficient input validation when user input is
echoed within the returned page
Allows attackers to target other application
users
Session identifiers could be compromised,
allowing attackers to access the application as
the target user
Typical test string
cityalert(document.cookie)
Real world attacks would send the session
identifier to the attacker

26
27
27
28
28
29

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

29
30

Cross-Site Request Forgery (CSRF) allows
attackers to trick an application user into
issuing unauthorized requests to other websites
(or to the target application from other
websites)
The application user must already be
authenticated to the target application
Example Cross-Site Request Forgery link
m _account_number111111111to_account_number6666
66666 "

30
31

Communications Security
Weak Passwords
Insecure Session Management
Business Logic Flaws
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Information Leakage

31
32

Verbose error messages can leak sensitive
information, which can help attackers exploit
other vulnerabilities (especially SQL injection
vulnerabilities)
Server headers can leak the exact server type and
version, which can help attackers pinpoint
applicable vulnerabilities