Chapter 10 Review - PowerPoint PPT Presentation

1 / 28

About This Presentation

Title:

Chapter 10 Review

Description:

description Outputs the current date /description name simpleDate /name ... OWASP Web Scarab. http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project ... – PowerPoint PPT presentation

Number of Views:70

Avg rating:3.0/5.0

Slides: 29

Provided by: brian171

Category:

more less

Transcript and Presenter's Notes

Title: Chapter 10 Review

1
Chapter 10 Review

Tag Files
.tag file in WEB-INF/tags
lt_at_ taglib prefix"tags" tagdir"/WEB-INF/tags"
gt
Tag Library
Tag Handler extends SimpleTagSupport
Override doTag() method
Tag Library Descriptor
lttaggt
ltdescriptiongtOutputs the current
datelt/descriptiongt
ltnamegtsimpleDatelt/namegt
lttag-classgtaacc.tags.SimpleDateTaglt/tag-classgt
ltbody-contentgtemptylt/body-contentgt
ltattributegt
ltnamegtformatlt/namegt
ltrequiredgtfalselt/requiredgt
ltrtexprvaluegttruelt/rtexprvaluegt
lt/attributegt
lt/taggt
JSP File

2
Chapter 11

Cleanup chapter
Still worth reading
Especially if you are taking the certification
exam
WAR files and JSP location are the only two
things we will discuss in class

3
WAR

Web Archive
Zip the web app directory
Give it a .war extension
Deploy into webapps directory
Name of the file is the name of the web app
Adds a META-INF for declaring external
dependencies

4
Directly Accessible JSPs

Any JSP not in WEB-INF can be accessed directly
Can be good or bad
Protect JSPs in WEB-INF
Can still .forward() to them inside the WEB-INF
directory

5
Web Security

95 of all web applications have at least one
vulnerability
Attackers look for
open ports
what apps are running (e.g. versions)
force errors to look at messages
find any info left behind (source code, comments,
hidden fields).

6
Scanning Tools

nmap will scan a target site (network level)
http//www.insecure.org/nmap/
nikto will throw http requests at a service to
try and determine what web apps are available
http//www.cirt.net/code/nikto.shtml
nessus will scan from the inside as well as the
outside
http//www.nessus.org/
brutus will test password strength
http//www.hoobie.net/brutus/

7
Development Tools

Web application scanners
Used to detect flaws during development
Examples
Watchfire AppScan
http//www.watchfire.com/securityzone/default.aspx
SPI Dynamics WebInspect
http//www.spidynamics.com/products/webinspect/ind
ex.html
OWASP Web Scarab
http//www.owasp.org/index.php/CategoryOWASP_WebS
carab_Project
Cenzic Hailstorm
http//www.cenzic.com/products_services/cenzic_hai
lstorm.php
WebGoat
A web application designed to teach web security
http//www.owasp.org/index.php/CategoryOWASP_WebG
oat_Project

8
What to do?

Separate services
web server, db server, app server
Limit privileges
file system, db privs, running user privs (e.g.
tomcat, apache, oracle).
Hide secrets
db passwords, encryption keys
Use standard, vetted libraries
dont use your buddys xml parser
Log everything and watch the logs.
Load-test-tune accordingly
be ready for DoS attacks
Dont trust anything from the user
Find logic holes (empty catch blocks!).

9
Top 10 Vulnerabilities

Unvalidated Input
Validate ALL client input
Includes the url, cookies, form fields, hidden
fields, and headers.
Scan 2 ways
Against regular expressions or enumerated values
Application level checks

10
Top 10 Vulnerabilities

Broken Access Control
After login each page MUST enforce access control
Do not rely solely on the data stream (e.g.
client data)
Incorporate application level checks
Encrypt traffic to block replay attempts
Session hijacking
Reauthenticate users before critical tasks
Mainly occurs when not using container
authentication and authorization

11
Top 10 Vulnerabilities

Broken Authentication and Session Management
If a hacker can get the users session ID they
can get around the entire system
Do not use your own session key generation code!
Occurs when user authentication is password only
Easily guessable usernames (e.g. admin for a
linksys router)
Poorly implemented single sign-on
a cookie with open data is used.encrypt the data
stored in the cookie

12
Top 10 Vulnerabilities

Cross-Site Scripting (XSS)
Attacker inserts code in your application to
trick a user in to executing it in their browser
Example, take an ID from the URL and just display
it out. The user can inject javascript into the
url, try to trick the user with executing it and
the goal is to get the JSESSIONID.
To stop cross-site scripting all input must be
validated and scrubbed and try not to display
back user input
Parse input to turn angle brackets (lt) into
HTTP escape sequences
Prevents scripting code from being uploaded and
executed by the server
Need to handle Unicode characters
Used to get around these checks

13
Top 10 Vulnerabilities

Buffer Overflows
Only a risk for server side C and C programs
which dont have buffer overflow protection
Dont use CGI!
Third-party components need to be kept patched
Injection Flaws
Occurs when unfiltered user input is passed
directly to operating system programs or SQL
databases
Command injection will be associated with
Runtime.exec
SQL injection will occur with dynamically
generated SQL
Use PreparedStatements!!!
Limit permissions on web user logins and database
logins

14
Top 10 Vulnerabilities

Improper Error Handling
Never show default error messages to web users
Intercept errors and display generic messages
Leaks information
Why say invalid password when a username is
correct.
Why say file not found and access denied.
Use error tracking software to watch your site
being probed for weaknesses

15
Top 10 Vulnerabilities

Insecure Storage
Begins with bad cryptography (dont write your
own!).
Encrypt in your database only if the law says you
must or if you dont trust your DBAs.
Every language has strong cryptography now
Use a proven algorithm (AES)
Dont store the key in the source code
Source code disclosure is a common bug in app
servers
Denial of Service
It is going to happen, you have to test to make
sure your site handles it.

16
Top 10 Vulnerabilities
telnet webserver Trying 10.1.1.2 Connected to
webserver (10.1.1.2) Escape character is
. Red Hat Linux release 6.0 (Hedwig) Kernel
2.2.16 on an i686 login

Insecure Configuration Management
Keep servers patched!
Remove unnecessary extensions
Dont open extra ports (DNS, NIS)
Remove default accounts and passwords
Log and Audit thoroughly
Change publicly available messages
Send the hacker on a wild goose chase by
returning fake messages
Turn off remote administration tools
If they are needed use a VPN

17
Usability

Tradeoffs
To make a system usable security takes a back
seat
Credit card information a good example
Most sites should take the information and then
forget about it
Do they?
Users hate that because they dont want to have
to enter their information each time they
purchase something
The most secure approach is not one-click
shopping

18
Credit Cards

Dont show the number
Not even to the customer who owns the card
Showing a partial number is a common solution
XXXX-XXXX-XXXX-1234
Why is this bad?
Some sites show the first 12 and not the last 4
while others show the last 4 and not the first 12
Only show the bank name

19
Credit Cards

Encrypt numbers on the server side
Keep the key on a different machine
If the database is compromised the hacker will
have to compromise another machine to get the key
Most numbers are compromised on the server, not
on the wire!!!

20
Network Security

Secure Socket Layer (SSL)
Secures the network connections (https//) using
encryption
SSL Certificate
An electronic file that uniquely identifies
individuals and Web sites and enables encrypted
communications.
Usually 40 bit or 128 bit
Serves as a kind of digital passport or
credential.
Typically, the "signer" of a certificate is a
"Certificate Authority" (CA), such as VeriSign
(www.verisign.com)
The next diagram illustrates the process that
guarantees protected communications between a Web
server and a client.
All exchanges of SSL Certificates occur within
seconds, and require no action by the consumer.

21
(No Transcript)
22
Network Security

Use a firewall
Can screen content for viruses
Protects against address spoofing
Can restrict access based on source address,
application service, and user
Block all unnecessary ports

23
Tools to Help

Web application firewalls
Examines and parses HTTP requests dynamically and
only allows legitimate requests to pass
(emerging)
Examples
F5 TrafficShield
http//www.f5.com/products/TrafficShield/
Citrix Application Firewall
http//www.citrix.com/English/ps2/products/product
.asp?contentID25636

24
Tomcat Realms

A list of users and associated roles
roles are like groups
A user can have multiple roles
Tomcat comes with 4 realms
DataSource
JDBC
JNDI
Memory
Demo the easy one, MemoryRealm

25
Memory Realm

Loads users and roles from a XML config file
TOMCAT_HOME/conf/tomcat-users.xml
Define the realm in TOMCAT_HOME/conf/server.xml
Inside an ltEnginegt element
Shared across ALL web applications on ALL virtual
hosts, UNLESS it is overridden by a Realm element
nested inside a subordinate ltHostgt or ltContextgt
element.
Inside a ltHostgt element
Shared across ALL web applications for THIS
virtual host, UNLESS it is overridden by a Realm
element nested inside a subordinate ltContextgt
element.
Inside a ltContextgt element
Used ONLY for THIS web application.

26
Memory Realm

On startup users are loaded
User file is not monitoredmust restart when
changed
On the first access Tomcat will call the
authenticate() method of the Realm.
Once authenticated the users roles are cached
within Tomcat for the duration of the user's
login
FORM-based authentication, that means until the
session times out or is invalidated
BASIC authentication, that means until the user
closes their browser
Form-Based Example
http//localhost8080/jsp-examples/security/protec
ted