Title: Web Security
Slide 1: Web Security
- Ryan Gerard
- QA Engineer
- Symantec
Slide 2: Agenda
- Web Security in Context
- Common Web Vulnerabilities
- Defense Mechanisms
- Tools
- Resources
Slide 3: Web Security in Context
- It's all about the walled gardens of data
- Identity Theft and the Underground Economy
Slide 4: Attack Trends
- Microsoft Internet Explorer was targeted by 77% of all attacks specifically targeting Web browsers.
- Symantec observed an average of 63,912 active bot-infected computers per day.
- Home users were the most highly targeted sector, accounting for 93% of all targeted attacks.
Slide 5: Pop Quiz
- Which country accounted for the most malicious activity?
- The United States accounted for 31 percent of all malicious activity during this period, more than any other country.
Slide 6: Vulnerability Trends
- Symantec documented 2,526 vulnerabilities in the second half of 2006.
- 66% of vulnerabilities disclosed during this period affected Web applications.
Slide 7: Vulnerability Trends
- 79% of all vulnerabilities in the 2nd half of 2006 were considered to be easily exploitable.
- 77% of all easily exploitable vulnerabilities affected Web applications (61% of all vulnerabilities).
Slide 8: Vulnerability Trends
- Symantec documented
- 54 vulnerabilities in Microsoft Internet Explorer
- 40 vulnerabilities in the Mozilla browsers
- 4 vulnerabilities in Apple Safari and Opera
Slide 9: Vulnerability Trends
- 25% of exploit code was released less than one day after vulnerability publication. 31% was released one to six days after vulnerability publication.
Slide 10: Data Breaches by Sector
Slide 11: Common Web Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- Session Hijacking
- DNS Cache Poisoning
Slide 12: Cross-Site Scripting (XSS)
- Sites are tricked into running user-supplied code
- Any site that accepts user input is fair game!
Slide 13: XSS: How does it work?
- Sites output exactly what you type in
- Input text is interpreted as HTML, JavaScript, PHP, etc.
- What happens if you input JavaScript?
Slide 14: XSS: How does it work?
- <script>alert('hello')</script>
- Google validates their input, but not everyone does!
Slide 15: SQL Injection
- Sites are tricked into executing user-supplied SQL
- Database is exposed
- Any site that accepts user input is fair game!
Slide 16: SQL Injection: How does it work?
Login.php:
  $email = $_POST['email'];
  $cmd = "select * from users where email='$email'";
  $users = $db->execute($cmd);
Result: User Info (the matching row is returned)
Slide 17: SQL Injection: How does it work?
- What happens if you write SQL code as your email?
Login.php:
  $email = $_POST['email'];
  $cmd = "select * from users where email='$email'";
  $users = $db->execute($cmd);
Resulting query:
  select * from users where email='' AND '1'='1'
- Everything from your table is dumped!
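As an added example (not from the slides), here is the string-built query from Login.php beside a parameterized version, run against a constructed in-memory SQLite "users" table. The rows, the lookup function names and the injected value `' OR '1'='1` are assumptions made for the demo; the tautology form is used so that the whole table visibly comes back.

```python
import sqlite3

# Constructed sample rows standing in for the slide's "users" table.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    db.commit()
    return db


def lookup_vulnerable(db, email):
    """The slide's pattern: the submitted value is pasted into the SQL text,
    so quote characters in the input change the structure of the query."""
    cmd = "SELECT * FROM users WHERE email='" + email + "'"
    return db.execute(cmd).fetchall()


def lookup_parameterized(db, email):
    """Hardened form: the value is bound by the driver and is only ever
    compared as data, never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE email=?", (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"  # constructed input: closes the quote, adds a tautology
    print(lookup_vulnerable(db, "bob@example.com"))  # one row, as intended
    print(lookup_vulnerable(db, injected))           # every row is dumped
    print(lookup_parameterized(db, injected))        # [] : no user has that email
```

The same input-validation defense listed on slide 22 still applies, but binding parameters is what removes the injection channel regardless of what the validator lets through.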
Slide 18: Session Hijacking
- Sessions are used to keep state
- Also used to identify you as a legitimate, authenticated user
- The Problem: Sessions are easy to manipulate
Slide 19: Session Hijacking Example
Victim -> Website: login
Website -> Victim: sessionid=12345
Victim -> Website: GET account.php?sessionid=12345
Attacker -> Website: GET account.php?sessionid=12345
Slide 20: DNS Cache Poisoning
- Send incorrect DNS / IP updates to a local DNS nameserver
- Redirect traffic to wherever you want
- Technique used to host phishing websites
Slide 21: DNS Cache Poisoning Example
Attacker -> DNS Server: bankofamerica.com. IN A 1.1.1.1 (poisoned record)
Victim -> DNS Server: gethostbyname(bankofamerica.com)
DNS Server -> Victim: 1.1.1.1
Slide 22: Defense Mechanisms
- User-Input Validation
- Unpredictable Session ID Scheme
- Configuration Management
Slide 23: Web Security Tools
- mod_security for Apache
- Nessus: Network and Server Scanner
- Nikto: Web Server Scanner
- WebScarab: HTTP/S Analysis and Manipulation
- WebGoat: An insecure web app designed to teach web app security
Slide 24: Resources
- OWASP
- How to Break Web Security
- WHATWG
- Bruce Schneier (http://www.schneier.com/)
- SecurityFocus (http://www.securityfocus.com/)
- Symantec Internet Security Threat Report (http://www.symantec.com/threatreport/)
Slide 25: Questions?
- ryan_gerard_at_symantec.com
- http://searchforquality.blogspot.com
- I'm taking resumes.