Chapter 10 Review - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Chapter 10 Review

Description:

description Outputs the current date /description name simpleDate /name ... OWASP Web Scarab. http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 29
Provided by: brian171
Category:
Tags: chapter | review | scarab

less

Transcript and Presenter's Notes

Title: Chapter 10 Review


1
Chapter 10 Review
  • Tag Files
  • .tag file in WEB-INF/tags
  • lt_at_ taglib prefix"tags" tagdir"/WEB-INF/tags"
    gt
  • Tag Library
  • Tag Handler extends SimpleTagSupport
  • Override doTag() method
  • Tag Library Descriptor
  • lttaggt
  • ltdescriptiongtOutputs the current
    datelt/descriptiongt
  • ltnamegtsimpleDatelt/namegt
  • lttag-classgtaacc.tags.SimpleDateTaglt/tag-classgt
  • ltbody-contentgtemptylt/body-contentgt
  • ltattributegt
  • ltnamegtformatlt/namegt
  • ltrequiredgtfalselt/requiredgt
  • ltrtexprvaluegttruelt/rtexprvaluegt
  • lt/attributegt
  • lt/taggt
  • JSP File

2
Chapter 11
  • Cleanup chapter
  • Still worth reading
  • Especially if you are taking the certification
    exam
  • WAR files and JSP location are the only two
    things we will discuss in class

3
WAR
  • Web Archive
  • Zip the web app directory
  • Give it a .war extension
  • Deploy into webapps directory
  • Name of the file is the name of the web app
  • Adds a META-INF for declaring external
    dependencies

4
Directly Accessible JSPs
  • Any JSP not in WEB-INF can be accessed directly
  • Can be good or bad
  • Protect JSPs in WEB-INF
  • Can still .forward() to them inside the WEB-INF
    directory

5
Web Security
  • 95 of all web applications have at least one
    vulnerability
  • Attackers look for
  • open ports
  • what apps are running (e.g. versions)
  • force errors to look at messages
  • find any info left behind (source code, comments,
    hidden fields).

6
Scanning Tools
  • nmap will scan a target site (network level)
  • http//www.insecure.org/nmap/
  • nikto will throw http requests at a service to
    try and determine what web apps are available
  • http//www.cirt.net/code/nikto.shtml
  • nessus will scan from the inside as well as the
    outside
  • http//www.nessus.org/
  • brutus will test password strength
  • http//www.hoobie.net/brutus/

7
Development Tools
  • Web application scanners
  • Used to detect flaws during development
  • Examples
  • Watchfire AppScan
  • http//www.watchfire.com/securityzone/default.aspx
  • SPI Dynamics WebInspect
  • http//www.spidynamics.com/products/webinspect/ind
    ex.html
  • OWASP Web Scarab
  • http//www.owasp.org/index.php/CategoryOWASP_WebS
    carab_Project
  • Cenzic Hailstorm
  • http//www.cenzic.com/products_services/cenzic_hai
    lstorm.php
  • WebGoat
  • A web application designed to teach web security
  • http//www.owasp.org/index.php/CategoryOWASP_WebG
    oat_Project

8
What to do?
  • Separate services
  • web server, db server, app server
  • Limit privileges
  • file system, db privs, running user privs (e.g.
    tomcat, apache, oracle).
  • Hide secrets
  • db passwords, encryption keys
  • Use standard, vetted libraries
  • dont use your buddys xml parser
  • Log everything and watch the logs.
  • Load-test-tune accordingly
  • be ready for DoS attacks
  • Dont trust anything from the user
  • Find logic holes (empty catch blocks!).

9
Top 10 Vulnerabilities
  • Unvalidated Input
  • Validate ALL client input
  • Includes the url, cookies, form fields, hidden
    fields, and headers.
  • Scan 2 ways
  • Against regular expressions or enumerated values
  • Application level checks

10
Top 10 Vulnerabilities
  • Broken Access Control
  • After login each page MUST enforce access control
  • Do not rely solely on the data stream (e.g.
    client data)
  • Incorporate application level checks
  • Encrypt traffic to block replay attempts
  • Session hijacking
  • Reauthenticate users before critical tasks
  • Mainly occurs when not using container
    authentication and authorization

11
Top 10 Vulnerabilities
  • Broken Authentication and Session Management
  • If a hacker can get the users session ID they
    can get around the entire system
  • Do not use your own session key generation code!
  • Occurs when user authentication is password only
  • Easily guessable usernames (e.g. admin for a
    linksys router)
  • Poorly implemented single sign-on
  • a cookie with open data is used.encrypt the data
    stored in the cookie

12
Top 10 Vulnerabilities
  • Cross-Site Scripting (XSS)
  • Attacker inserts code in your application to
    trick a user in to executing it in their browser
  • Example, take an ID from the URL and just display
    it out. The user can inject javascript into the
    url, try to trick the user with executing it and
    the goal is to get the JSESSIONID.
  • To stop cross-site scripting all input must be
    validated and scrubbed and try not to display
    back user input
  • Parse input to turn angle brackets (lt) into
    HTTP escape sequences
  • Prevents scripting code from being uploaded and
    executed by the server
  • Need to handle Unicode characters
  • Used to get around these checks

13
Top 10 Vulnerabilities
  • Buffer Overflows
  • Only a risk for server side C and C programs
    which dont have buffer overflow protection
  • Dont use CGI!
  • Third-party components need to be kept patched
  • Injection Flaws
  • Occurs when unfiltered user input is passed
    directly to operating system programs or SQL
    databases
  • Command injection will be associated with
    Runtime.exec
  • SQL injection will occur with dynamically
    generated SQL
  • Use PreparedStatements!!!
  • Limit permissions on web user logins and database
    logins

14
Top 10 Vulnerabilities
  • Improper Error Handling
  • Never show default error messages to web users
  • Intercept errors and display generic messages
  • Leaks information
  • Why say invalid password when a username is
    correct.
  • Why say file not found and access denied.
  • Use error tracking software to watch your site
    being probed for weaknesses

15
Top 10 Vulnerabilities
  • Insecure Storage
  • Begins with bad cryptography (dont write your
    own!).
  • Encrypt in your database only if the law says you
    must or if you dont trust your DBAs.
  • Every language has strong cryptography now
  • Use a proven algorithm (AES)
  • Dont store the key in the source code
  • Source code disclosure is a common bug in app
    servers
  • Denial of Service
  • It is going to happen, you have to test to make
    sure your site handles it.

16
Top 10 Vulnerabilities
telnet webserver Trying 10.1.1.2 Connected to
webserver (10.1.1.2) Escape character is
. Red Hat Linux release 6.0 (Hedwig) Kernel
2.2.16 on an i686 login
  • Insecure Configuration Management
  • Keep servers patched!
  • Remove unnecessary extensions
  • Dont open extra ports (DNS, NIS)
  • Remove default accounts and passwords
  • Log and Audit thoroughly
  • Change publicly available messages
  • Send the hacker on a wild goose chase by
    returning fake messages
  • Turn off remote administration tools
  • If they are needed use a VPN

17
Usability
  • Tradeoffs
  • To make a system usable security takes a back
    seat
  • Credit card information a good example
  • Most sites should take the information and then
    forget about it
  • Do they?
  • Users hate that because they dont want to have
    to enter their information each time they
    purchase something
  • The most secure approach is not one-click
    shopping

18
Credit Cards
  • Dont show the number
  • Not even to the customer who owns the card
  • Showing a partial number is a common solution
  • XXXX-XXXX-XXXX-1234
  • Why is this bad?
  • Some sites show the first 12 and not the last 4
    while others show the last 4 and not the first 12
  • Only show the bank name

19
Credit Cards
  • Encrypt numbers on the server side
  • Keep the key on a different machine
  • If the database is compromised the hacker will
    have to compromise another machine to get the key
  • Most numbers are compromised on the server, not
    on the wire!!!

20
Network Security
  • Secure Socket Layer (SSL)
  • Secures the network connections (https//) using
    encryption
  • SSL Certificate
  • An electronic file that uniquely identifies
    individuals and Web sites and enables encrypted
    communications.
  • Usually 40 bit or 128 bit
  • Serves as a kind of digital passport or
    credential.
  • Typically, the "signer" of a certificate is a
    "Certificate Authority" (CA), such as VeriSign
    (www.verisign.com)
  • The next diagram illustrates the process that
    guarantees protected communications between a Web
    server and a client.
  • All exchanges of SSL Certificates occur within
    seconds, and require no action by the consumer.

21
(No Transcript)
22
Network Security
  • Use a firewall
  • Can screen content for viruses
  • Protects against address spoofing
  • Can restrict access based on source address,
    application service, and user
  • Block all unnecessary ports

23
Tools to Help
  • Web application firewalls
  • Examines and parses HTTP requests dynamically and
    only allows legitimate requests to pass
    (emerging)
  • Examples
  • F5 TrafficShield
  • http//www.f5.com/products/TrafficShield/
  • Citrix Application Firewall
  • http//www.citrix.com/English/ps2/products/product
    .asp?contentID25636

24
Tomcat Realms
  • A list of users and associated roles
  • roles are like groups
  • A user can have multiple roles
  • Tomcat comes with 4 realms
  • DataSource
  • JDBC
  • JNDI
  • Memory
  • Demo the easy one, MemoryRealm

25
Memory Realm
  • Loads users and roles from a XML config file
  • TOMCAT_HOME/conf/tomcat-users.xml
  • Define the realm in TOMCAT_HOME/conf/server.xml
  • Inside an ltEnginegt element
  • Shared across ALL web applications on ALL virtual
    hosts, UNLESS it is overridden by a Realm element
    nested inside a subordinate ltHostgt or ltContextgt
    element.
  • Inside a ltHostgt element
  • Shared across ALL web applications for THIS
    virtual host, UNLESS it is overridden by a Realm
    element nested inside a subordinate ltContextgt
    element.
  • Inside a ltContextgt element
  • Used ONLY for THIS web application.

26
Memory Realm
  • On startup users are loaded
  • User file is not monitoredmust restart when
    changed
  • On the first access Tomcat will call the
    authenticate() method of the Realm.
  • Once authenticated the users roles are cached
    within Tomcat for the duration of the user's
    login
  • FORM-based authentication, that means until the
    session times out or is invalidated
  • BASIC authentication, that means until the user
    closes their browser
  • Form-Based Example
  • http//localhost8080/jsp-examples/security/protec
    ted

27
Tomcat SSL
  • So easylook at Tomcat docs
  • Trick is putting the .keystore file in the right
    directory
  • For me it was C\windows\system32\config\systempro
    file
  • https//localhost8443

28
User Certificates
  • Client Side
  • Generate a client certificate signed by a CA
  • Import the certificate into the browser
  • Import the server certificate into the browser as
    a trusted certificate
  • Server Side
  • Set clientAuthtrue in server.xml
  • Add the CA certificate to .keystore
Write a Comment
User Comments (0)
About PowerShow.com