Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Table of Contents
INTRODUCTION
THE BASICS
DIRECTORY PATH
WEB APPLICATIONS
QUERY STRING
COOKIES
POST DATA
URL
COOKIE
POST DATA
DEFENSE-IN-DEPTH
ARCHITECTURE SECURITY
back page
Introduction
Over 700 million people worldwide bank, shop, buy airline tickets, and perform research using the World Wide Web.
With each transaction, private information, including names, addresses, phone numbers, credit card numbers, and
passwords, are routinely transferred and stored in a variety of locations. Billions of dollars and millions of personal
identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL),
patching, and privacy policies were enough to protect websites from hackers (see 5 Myths of Website Security1). Today,
with prominent Web attacks taking place seemingly every week, the industry knows better.
The Web Application Security Consortium (WASC) has identified twenty-four classes of Web attacks, including CrossSite Scripting2 (XSS) and SQL Injection3, used to prey upon corporations, their customers, and educational institutions.
These attacks are forcing many organizations to take a hard look at their existing website security posture. In many
cases, web application or website security is a new concept with many facets. This paper will examine the fundamental
components of a website, entry points of Web attacks, attack methodologies, and suggested preventive measures for
effective and complete website vulnerability management.
The Basics
The best way to begin exploring website security is by learning how the Web works. While most IT professionals are
very comfortable with using a Web browser to surf the Web, few of us look behind the application, at the client-server4
structure that powers the Web. This structure governs the way Web browsers (Firefox5, Microsoft Internet Explorer6)
must communicate with Web servers7 (Apache8, Microsoft IIS9) to retrieve Web pages10. To peer deeper into the world
of the Web, well begin by looking at the Web browser location bar (see diagram 1).
All major Web browsers possess a location bar that displays the Web address11 (URL) of the current Web page. URL
manipulation is one of the many ways to launch a Web application attack. And yet, they (location bars) are required to
enable customers, partners, and hackers to view your website. URLs are used to uniquely identify the location of a Web
page or on-line resource. When traveling from one Web page to the next, the displayed URL is updated. URLs, also
referred to as links, are commonly embedded in Web pages to click on to visit other pages. URLs also tell us a lot about
a website. They tell us what type of communication they expect, what type of operating system they run, the type of Web
application code is being used, and more. Well be exploring the anatomy of URLs closely in the following section and
well look at how each section can be vulnerable to attack.
HTTP/1.1 200 OK
Date: Thursday, 01 Dec 2006 23:37:18 GMT
Server: Apache
Set-Cookie: Name=Value; path=/; expires=Thursday, 01-Dec-06 23:12:40 GMT
Content-Type: text/html
HTTP Response
GET http://www.whitehatsec.com HTTP/1.1
Host: www.whitehatsec.com
Cookie: Name=Value
HTTP Request
Post Data
Post Data is another portion of an HTTP request, and is typically populated with data from Web forms. Post Data is most
often used when larger amounts of data need to be sent from the browser to the Web server. Post data is more or less
identical to a query string, except that its located in the lower body of the request.
Web Form
If successful, the hacker would automatically jump into another users session, with the ability to take over the account
and access personal information.
In this case, the solution is to have random Customer Identifiers. FTD should have been using random-unique integers
of at least 10 to 12 characters in length. This would prevent the Customer Identifier from being ascertained, even after
extended attempts.
Post Data
In October 2005, in an incident known as the Samy worm, a hacker (Samy) used a common, Cross-Site Scripting (XSS)
vulnerability to exploit the MySpace social networking website18. Users Web browsers were forced to send Web
requests that they did not expect to make. Approximately one million users unwittingly altered their profile Web page with
malicious JavaScript code when they visited other infected profiles.
Samy altered his MySpace profile Web page to include some crafty JavaScript exploit code. When another MySpace
user visited Samys profile, the JavaScript code would execute its payload in the users browser. At this point, Samy had
complete control over the users browser. The payload forced the user to automatically befriend Samy, and also add him
as a hero (Samy is my hero was appended to each profile page). To propagate site-wide, the exploit code would copy
itself to the users profile and wait to exploit other unsuspecting users.
To halt the infection, MySpace was forced to shutdown its entire website for twenty hours. While the incident was
severe, the payload of the Samy worm was relatively benign. It would have been trivial for Samy to force everyone to
delete their profile and blog data, resulting in a far more damaging situation for users and for MySpace.
Defense-in-Depth
All it takes is a single security flaw, or one small oversight, for your company to make headlines. Experience tells us
that no single protective measure is completely impenetrable. Everything has its weakness, and its only a matter of
time before that weakness is found and exploited. With this real-world knowledge, most security experts subscribe to a
philosophy called defense-in-depth to protect their systems. Defense-in-depth promotes a layered security approach, so
that if any single control mechanism fails, other defensive measures are in place to ensure nothing is compromised.
Architecture Security
All secure e-commerce infrastructures must be built on a solid foundation. Without a solid foundation, no amount of
security in Web application code will be enough to defend a website. Below is a top-level checklist to use to assess your
overall security. The Center for Internet Security19 (CIS) has excellent resources for in-depth, system-specific knowledge
of architecture security issues. Also, the Payment Card Industry20 (PCI) Data Security Standard is another resource for
a comprehensive security program.
Networks are properly segmented to separate public, semi-private, and private systems.
Perimeter firewalls are in place between network segments to only allow a limited set of network services to
communicate.
Operating systems are hardened and patches are kept up-to-date.
Web servers are properly patched, configured, and have any additional security add-ons applied.
Secure Software Development Program
Secure software is quality software. Vulnerabilities are nothing more than software bugs. And the best way to squash
these bugs before they become real problems is to tightly integrate security consideration at all points of the software
development life cycle (SDLC), from architecture design, to development releases, to quality assurance phases.
While there are copious amounts of data available covering software security best practices, the primary caution to
developers is DO NOT TRUST CLIENT-SIDE DATA. Lack of proper input validation is the number-one cause of
website security issues. The Web is a hostile environment; therefore its absolutely critical to validate all data you plan to
utilize, whether its from HTTP requests or the database. Here is a checklist for how to perform proper input validation in
any programming language:
Character-set: Ensure the data only contains characters you expect to receive.
Length: Ensure the data falls within a restricted minimum and maximum number of bytes.
Data Format: Ensure the structure of the data is consistent with what is expected. Phone numbers should look like
phone numbers, email addresses should look like email address, etc.
Escape: Before data is passed onto sub-systems, especially database or operating system calls, all characters
should be escaped, meaning no special characters should be allowed into the system unchecked.
Filtering: Sanitize data to not include dangerous characters. Specifically, convert < and > characters into their
equivalent HTML entities to prevent XSS issues.
Notes:
1
5 Security Myths
http://www.varbusiness.com/showArticle.jhtml?articleID=22104030&flatPage=true
2 Cross-site
Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code,
which loads in a users browser. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript,
ActiveX, Java, Flash, or any other browser-supported technology.
http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml
3 SQL
Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml
4A
common form of distributed system in which software is split between server tasks and client tasks. A client sends
requests to a server, according to some protocol, asking for information or action, and the server responds.
http://dictionary.reference.com/search?q=client-server
5A
10
6 Microsofts
general-purpose software application used to handle HTTP requests. A web server may utilize a web application for
dynamic web page content.
http://www.webappsec.org/projects/glossary/#WebServer
8
document on the World Wide Web, consisting of an HTML file and any related files for scripts and graphics, and
often hyperlinked to other documents on the Web.
http://dictionary.reference.com/search?q=web%20page
11 Uniform
industry standard public-key protocol used to create encrypted tunnels between two network-connected devices
http://www.webappsec.org/projects/glossary/#SecureSocketsLayer
14 A
software application, executed by a web server, which responds to dynamic web page requests over HTTP.
http://www.webappsec.org/projects/glossary/#WebApplication
15 Flawed
16
Credential/Session Prediction is a method of hijacking or impersonating a web site user. Deducing or guessing the
unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the
consequences could allow attackers the ability to issue web site requests with the compromised users privileges.
http://www.webappsec.org/projects/threat/classes/credential_session_prediction.shtml
18 Teen
The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk
of business and e-commerce disruptions resulting from inadequate technical security controls.
http://www.cisecurity.com/
20
Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that
store, process or transmit cardholder data.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
21 WhiteHat
Sentinel is the only continuous vulnerability assessment and management service for web applications
http://www.whitehatsec.com/services.shtml
11
WhiteHat Security, Inc. | 3003 Bunker Hill Lane, Suite 220 | Santa Clara, CA 95054 | 408.343.8300 | www.whitehatsec.com
Copyright 2007 WhiteHat Security, Inc. | Product names or brands used in this publication are for identification purposes only
and may be trademarks or brands of their respective companies.
06.14.07