
Web Security

The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV.
The content of this presentation reflects the opinion of the author.

Content
• Basics and protection methods in the protocol for the Web
• Web attacks and vulnerabilities
- Web system architecture
- Authentication / Authorization
- Client Attacks
- Command Execution
- Logical Attacks
• Development of protected websites
- Methodologies
- OWASP implementation / testing
- Security Audit

Why we study the attacks

• Cybersecurity specialists must have the same skills as hackers, especially black hat hackers, in order to protect against attacks.
Lecture 1
Web Application Security Fundamentals

Agenda
• Web application architecture
• Client-side and server-side functionalities
• Web security organizations
• OWASP top 10
• Certification of the security experts
• Course logistic
• Web app pentester’s toolkit
• Interception tools

Web Application is

• a client-server application where the client is the browser and the server is the Web server. The logic of a web application is distributed between client and server, data storage is carried out mainly on the server, and information is exchanged over the network.
How do web applications work?

[Diagram: Client side (browser & PC, the company website visitor) sends HTTP/S requests to the web server and receives responses from it. Server side: web servers, the web application server (HTML, CSS, data, JavaScript, images…), and database servers.]
COMPONENTS of WEB APP ARCHITECTURE
Client-Side Functionality

Client-side functionality: HTML (5), XML, hyperlinks, forms, CSS, JavaScript, Ajax, JSON, Web 2.0

User fills in the form:

    <form action="/secure/login.php?app=quotations" method="post">
    username: <input type="text" name="username"><br>
    password: <input type="password" name="password">
    <input type="hidden" name="redir" value="/secure/home.php">
    <input type="submit" name="submit" value="log in">
    </form>

Browser makes a request like the following:

    POST /secure/login.php?app=quotations HTTP/1.1
    Host: wahh-app.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 62
    Cookie: SESS=GTnrpx2ss2tSWSnhXJGyG0LJ47MXRsjcFM6Bd

    username=daf&password=foo&redir=/secure/home.php&submit=log+in
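The request above is what an interception proxy sees on the wire. The following added example (not from the original slides) parses that request and lists every client-supplied parameter by the channel it travelled on; RAW_REQUEST is constructed from the slide's example with CRLF line endings, and the length check flags a Content-Length that does not match the body.

```python
"""Parse the raw login POST from the slide and list every client-supplied
parameter by the channel it travelled on (query string, cookie, body).
Added example, not from the original slides; RAW_REQUEST is constructed
from the slide's request with CRLF line endings."""
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

RAW_REQUEST = (
    "POST /secure/login.php?app=quotations HTTP/1.1\r\n"
    "Host: wahh-app.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 62\r\n"
    "Cookie: SESS=GTnrpx2ss2tSWSnhXJGyG0LJ47MXRsjcFM6Bd\r\n"
    "\r\n"
    "username=daf&password=foo&redir=/secure/home.php&submit=log+in"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its client-controlled parts.

    'length_ok' records whether Content-Length matches the body that was
    actually received; a proxy or server should check that before trusting
    anything else in the message.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    url = urlsplit(target)
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    is_form = "x-www-form-urlencoded" in headers.get("content-type", "")
    return {
        "method": method,
        "path": url.path,
        "query": dict(parse_qsl(url.query)),
        "headers": headers,
        "cookies": {k: m.value for k, m in cookies.items()},
        "body": dict(parse_qsl(body)) if is_form else {},
        "length_ok": declared == len(body.encode()),
    }


def attack_surface(parsed):
    """Map each parameter name to the channels it arrived on.  Every entry is
    under the client's control, so the server must validate each value on
    receipt rather than trust that the browser sent what the form offered."""
    surface = {}
    for channel in ("query", "cookies", "body"):
        for name in parsed[channel]:
            surface.setdefault(name, []).append(channel)
    return surface
```

Note that the hidden `redir` field and the `SESS` cookie show up in the surface exactly like the visible username and password: from the server's point of view there is no such thing as a field the user cannot edit.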
Server-Side Functionality

Server-side scripting languages: PHP, VBScript, Perl, Java.

Server-side functionality:
• Web application platforms such as ASP.NET and Java
• Web servers such as Apache, IIS, and Netscape Enterprise
• Databases such as MS-SQL, Oracle, and MySQL
• Other back-end components such as file systems, SOAP-based web services
Categories of Attacks
• Denial of Service, DoS - actions that disrupt the intended functioning of an automated information system.
• Hacking - unauthorized use of, or attempts to deceive or circumvent, the security systems of a computer information system or network.
• Cracking - an act of penetration into a computer system or network.
• The term "attack" is usually used to describe the actions of hackers. The categories of malicious acts "DoS" and "cracking" include various types of attacks.
Definition of web application security
A security test is a method of evaluating the security of a computer
system or network by methodically validating and verifying the
effectiveness of application security controls.
A web application security test focuses only on evaluating the security of
a web application. The process involves an active analysis of the
application for any weaknesses, technical flaws, or vulnerabilities. Any
security issues that are found will be presented to the system owner,
together with an assessment of the impact, a proposal for mitigation or a
technical solution.

Threats, Vulnerabilities, Attacks

A threat – A negative effect or undesired event. A potential occurrence, often best described as an effect that might damage or compromise an asset or objective. It may or may not be malicious in nature.

A Vulnerability – A weakness in some aspect or feature of a system that makes an exploit possible. Vulnerabilities can exist at the network, host, or application levels and include operational practices.

An Attack (or exploit) – An action taken that uses one or more vulnerabilities to realize a threat. This could be someone following through on a threat or exploiting a vulnerability.

Countermeasure - An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

IMPLEMENTATION of THREAT
THREAT MODEL STRIDE (Microsoft)
Understanding Threat Categories
• Spoofing.
• Tampering.
• Repudiation.
• Information disclosure.
• Denial of service.
• Elevation of privilege.
• Sniffing or eavesdropping
• Session hijacking

Web Spoofing
How does the attack work?
• Hacker spoofs an IP address through a Web site
• Hacker can transfer information or get information
• Hacker can spoof using a strategy that ensures that all communication between the Web site and the user is directed to the hacker’s computer
• Hacker may also falsely acquire a certificate used by a Web site

What can we do?
❖ Do not reply to or click on a link that will lead you to a webpage asking you for info.
❖ Look for the presence of a padlock and https://. Both must be present for a connection to be secure
❖ Keep up with updates
Tampering
The Web Parameter Tampering attack is based on the manipulation of parameters
exchanged between client and server in order to modify application data, such as user
credentials and permissions, price and quantity of products, etc. Usually, this information
is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase
application functionality and control.

This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or by an attacker who wishes to attack a third party using a Man-in-the-middle attack.

In both cases, tools like WebScarab and Paros proxy are mostly used.
The success of the attack depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.
Tampering. Examples

Example 1
The modification of form-field parameters can be considered a typical example of a Web Parameter Tampering attack.
For example, consider a user who can select form field values (combo box, check box, etc.) on an application page. When these values are submitted by the user, they could be acquired and arbitrarily manipulated by an attacker.

Example 2
When a web application uses hidden fields to store status information, a malicious user can tamper with the values stored in his browser and change the referred information. For example, an e-commerce shopping site uses hidden fields to refer to its items, as follows:

    <input type="hidden" id="1008" name="cost" value="70.00">

An attacker can modify the "value" information of a specific item, thus lowering its cost.
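Example 2 is a server-side trust problem, not a browser problem. The following added example (not from the original slides) shows the vulnerable checkout pattern beside two defences: looking the price up server-side from the item id, and, where a value really must round-trip through the client, binding it with an HMAC. The catalogue, the secret key and the item ids are constructed for illustration.

```python
"""Hidden-field price tampering (Example 2 on the slide) and two server-side
defences.  Added example, not from the original slides; the catalogue, the
secret key and the item ids are constructed for illustration."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed server-side catalogue: item id -> unit price.  Item 1008 is the
# 70.00 item from the slide's hidden field.
CATALOGUE = {"1008": 70.00, "1009": 12.50}
# Constructed key; a real deployment generates it randomly and keeps it server-side.
SECRET_KEY = b"constructed-server-secret"


def vulnerable_total(form_body):
    """The pattern the slide warns about: the server believes the 'cost' hidden
    field the browser sent back, so editing it in the browser lowers the price."""
    form = parse_qs(form_body)
    return float(form["cost"][0]) * int(form["qty"][0])


def hardened_total(form_body):
    """Defence 1: treat the hidden field as an identifier only and look the price
    up server-side.  Returns None for unknown ids or non-positive quantities;
    any 'cost' the client sends is ignored."""
    form = parse_qs(form_body)
    item_id = form.get("id", [""])[0]
    qty = int(form.get("qty", ["0"])[0])
    if item_id not in CATALOGUE or qty <= 0:
        return None
    return CATALOGUE[item_id] * qty


def sign_field(item_id, cost):
    """Defence 2, for state that must round-trip through the client: emit the
    value together with an HMAC so any change to id or cost is detectable."""
    msg = f"{item_id}:{cost:.2f}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verified_cost(form_body):
    """Recompute the MAC over the id and cost the client returned and compare in
    constant time.  Returns the cost if untouched, None if tampered or missing."""
    form = parse_qs(form_body)
    try:
        item_id = form["id"][0]
        cost = float(form["cost"][0])
        sig = form["sig"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sign_field(item_id, cost), sig):
        return None
    return cost
```

The signed-field variant only proves the value is the one the server emitted; it does not stop the client from replaying an old signed price, so a server-side lookup remains the preferred fix wherever the data is already known to the server.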
Repudiation
Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or
transactions. Without adequate auditing, repudiation attacks are difficult to prove.
Information disclosure
Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a
table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some
examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in
Web pages that contain database connection strings and connection details, and weak exception handling that
can lead to internal system level details being revealed to the client. Any of this information can be very useful to
the attacker.
Denial of service
Denial of service is the process of making a system or application unavailable. For example, a denial of service
attack might be accomplished by bombarding a server with requests to consume all available system resources or
by passing it malformed input data that can crash an application process.
Elevation of privilege
Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain
privileged access to an application. For example, an attacker with limited privileges might elevate his or her
privilege level to compromise and take control of a highly privileged and trusted process or account.
THREAT MODEL STRIDE (Microsoft)
DREAD

THREATS to WEB APPLICATIONS
The objectives of an attacker hacking a website:
• Black SEO;
• Distribution of spam;
• The spread of malicious code;
• Theft and corruption of data provided on the website;
• Deleting the contents of a site;
• DoS-attack;
• Use site as a launching pad for attacks on other resources;
• For fun
Kinds of vulnerabilities on WebAPP

• Server vulnerability
• Client vulnerability
They differ in the purpose of possible attacks:
- Server vulnerabilities allow receiving data directly from the server.
- Client vulnerabilities allow receiving the user's data (personal information from the site, browser data (COOKIE), etc.) or performing actions on behalf of the user without his knowledge.
Server vulnerabilities
Vulnerabilities which can directly perform unauthorized actions on the server.

Examples:
Execute arbitrary operating system commands:
• read, write files,
• reboot system.
Client Vulnerability

A vulnerability, the use of which is only possible on the client side (the user's browser).

Using a client vulnerability allows attackers to:
• Introduce malicious HTML code (JavaScript, iframe);
• Act on behalf of users (without their knowledge);
• Redirect user traffic;
• Steal personal information and accounts.
Classification of Web Attacks (Vulnerabilities)

Lack of clarity in terminology

The confusion in concepts: Attack, Vulnerability, Threat, Weakness, Impact.
The confusion in the classification and ratings:
• "Audit classification OWASP Top 10"
• OWASP Top Ten - severity rating of vulnerabilities in web applications
• SANS Top 25 - criticality rating of errors in software
• WASC Threat Classification - an attempt to classify attacks
• CWE Common Weakness Enumeration - inductive classification of shortcomings.
The Foundations of Web Security
Authentication, Authorization, Auditing

Confidentiality, Integrity, Availability

Most web applications handle access using a trio of interrelated security mechanisms:
Strong authentication
Session management
Access control
Web Security organizations
OWASP (The Open Web Application Security Project)
OWASP seeks to educate developers, designers, architects and business
owners about the risks associated with the most common Web application
security vulnerabilities. OWASP, which supports both open source and
commercial security products, has become known as a forum in which
information technology professionals can network and build expertise.

The Web Application Security Consortium (WASC)

WASC is a non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
Web Security organizations
Information Systems Security Association (ISSA)
ISSA is a non-profit organization for the information security
profession committed to promoting effective cyber security on a
global basis.
Information Systems Security Certification Consortium, Inc. (ISC)²®
(ISC)²® is the global, not-for-profit leader in educating and certifying
information security professionals throughout their careers.

SANS is the most trusted and by far the largest source for
information security training and security certification in the
world. It also develops, maintains, and makes available at no cost,
the largest collection of research documents about various aspects
of information security.
Want to know more?
http://cybersecurityventures.com/cybersecurity-associations/

(ISC)² Information Security Certifications


“1) This is not a CCNA exam. You are not required to know what goes on under the hood of protocols.
2) This is not a VMware exam. You are not required to know how to set up the different cloud offerings”

CISSP

Domains Weight
1. Security and Risk Management 16%
2. Asset Security 10%
3. Security Engineering 12%
4. Communication and Network Security 12%
5. Identity and Access Management 13%
6. Security Assessment and Testing 11%
7. Security Operations 16%
8. Software Development Security 10%
Total 100%

The incidence of some common web application vulnerabilities in applications
OWASP Top Ten
1. Injection (SQL, OS, and LDAP)
2. Broken Authentication and Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

[Chart: The rate of Web security vulnerabilities]
The OWASP Guides
There are three different OWASP Guides. They are full of useful information about
how to perform application security activities.
• The OWASP Guide to Building Secure Web Applications and Web Services
This OWASP Guide has hundreds of articles about all the major security issues you'll
encounter when designing or building a secure web application or web service.
• The OWASP Testing Guide
This OWASP Guide has articles specifically about performing security penetration
testing on web applications and web services.
• The OWASP Code Review Guide
This OWASP Guide covers all the same vulnerabilities and security mechanisms as
the Testing Guide, but provides guidance on finding the problems in the source
code.
Useful Materials
OWASP Video
https://www.owasp.org/index.php/Category:OWASP_Video

OWASP Cornucopia
https://www.owasp.org/index.php/OWASP_Cornucopia
Ongoing Research Initiatives
• OWASP Research
• OWASP Benchmark
• OWASP Python Security Project
• OWASP IoT Embedded Web Interface (new)
• Securing NodeJS (new)
OWASP Cornucopia – Ecommerce Website Edition

Let play commence – First round

[Card-game board: players Erik, Ferdinand, Imogen and Martin, each holding a hand of cards with Requirements and Rounds scores; Schedule of requirements.]

● Assume every player except “Imogen” identified a security requirement, thus 1 point each for the others
● “Ferdinand” won the round with the King so he gets an additional 1 point, and leads the play for the next round

Cornucopia
Let play – First round

. Is this a viable attack for the function/system under consideration?
. Document the attack
. Subsequently use the cross-references to help create security requirements:
  . User stories
  . Unit tests
  . Configurations
  . etc
From what to start?
Technical Testing of Web Application:
(OWASP Testing Guide v.4)

1. Manual
2. Threat Modeling
3. Source Code Review
4. Penetration Testing
1. Manual Inspections & Reviews
Manual Testing

Covers: security policies, security processes, security implementation, architecture design.
- Analysis of documentation
- Interview with application designers

Advantages:
• Requires no supporting technology
• Early in the SDLC
Disadvantages:
• Can be time consuming
• Requires significant human thought and skill to be effective
2. Threat Modeling
Step 1. Decomposing the application (how the application works, its assets, functionality, and connectivity).

Step 2. Defining and classifying the assets according to business importance.

Step 3. Exploring potential vulnerabilities (whether technical, operational, or management).

Step 4. Exploring potential threats – develop potential attack vectors from an attacker’s perspective, by using threat scenarios or attack trees.

Step 5. Creating mitigation strategies – develop mitigating controls for each of the threats deemed to be realistic.
3. Manual checking of source code
What to look for?
- Concurrency problems
- Flawed business logic
- Access control problems
- Cryptographic weaknesses
- Backdoors
- Trojans
- Easter eggs
- Time bombs
- Logic bombs,
- etc.

+ Accuracy
- Needs highly skilled developers

Example of code review:
https://nioguard.blogspot.se/2017/07/comparing-medoc-backdoors-in-176-186.html

Stolen data
The MeCom class contains the code responsible for retrieving information from your MEDoc environment and sending it to the C&C server in the form of Cookies. In versions 176 and 181, TeleDoor sent only your Tax Id (edrpou). However, in version 189, your proxy and email settings including logins and passwords were sent as well. See the code of one of the MeCom constructors.
4. Penetration Testing
(Black box testing = Ethical hacking)

Different penetration tools: NMap, Ping, Traceroute, Superscan, Netcat, NeoTrace, Winscan, Nessus, Whois; web application scanners.
OTG: Testing categories
• Information gathering (INFO)
• Configuration and deployment management (CONFIG)
• Identity management (IDENT)
• Authentication (AUTHN)
• Authorization (AUTHZ)
• Session management (SESS)
• Input validation (INVAL)
• Error handling (ERR)
• Cryptography (CRYPST)
• Business logic (BUSLOGIC)
• Client side (CLIENT)
How to make a good report?

• The categorization of each vulnerability by type
• The security threat that the issue is exposed to
• The root cause of security issues (e.g., security bugs, security flaw)
• The testing technique used to find the issue
• The remediation of the vulnerability (e.g., the countermeasure)
• The severity rating of the vulnerability (High, Medium, Low and/or CVSS score)
Course logistic
• 15 lectures
• 12 labs (among them 6 with report U, G, VG)
• Final lab is very important
• Exam
• Additional point on exam: presence on the
lectures, well-written report VG give you +1p

Course logistic
• 12 lectures
• 9 labs (without report)
• NEW! Only 4 assignments
- 2 assignments are summary of 3-4 labs
- 3rd assignment Seminar
- 4th assignment Ethical hacking of web application with reporting
• Exam
• Additional point on exam: attendance on the
lectures, well-written report VG give you +1p
Web app pentester’s toolkit
• Some key considerations are:
✓ Attack platform - WebGoat, SamuraiWTF, Acunetix websites, Kali-linux-web, bWAPP, DVWA
✓ Dynamic web app security scanner(s) – VEGA, IBM AppScan, Burp Pro, ZAP, Acunetix, WhiteHat Sentinel etc.
https://resources.infosecinstitute.com/top-5-web-application-security-scanners-2017/#gref
✓ Browser(s)
✓ Interception proxies
Interception tool
[Diagram: Penetration tester ↔ Interception tool ↔ Web application]
• Interception is one of our main goals:
- Can we get between application and server?
• Interception tools do more than intercept:
- They can analyze the traffic
- They can inject attacks
Fiddler
Free debugging proxy

Runs on Microsoft Windows

Supports extensions:
- Watcher
- ViewStateViewer
- x5s
OWASP Zed Attack Proxy (ZAP)
ZAP is a fully featured open source interception proxy. Release 2.7.0.
Project: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Manuals: https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0
Burp Suite
Has 2 versions: free and pro

Requires more knowledge of HTTP than similar tools

https://portswigger.net/burp/communitydownload
Burp Suite videos
• https://www.youtube.com/watch?v=G-v581pXerE Sequencer and Scanner
modules (14min)
• https://www.youtube.com/watch?v=9Zh_7s5csCc Repeater module (14min)
• https://www.youtube.com/watch?v=PDTwYFkjQBE Proxy module (25min)
• https://www.youtube.com/watch?v=dCKPZUSOlr8 Target and Spider modules
(13min)
• https://www.youtube.com/watch?v=7OXe8THhmao Intruder and Compare
modules (27min)

What to read

1. D. Stuttard, M. Pinto. The Web Application Hacker’s Handbook (2011). Chapter 1.
2. OWASP Testing Guide (OTG-4). Chapter 2.
3. J. Scambray, M. Shema. Hacking Exposed Web Applications. Chapter 1.
4. P. Hope, B. Walther. Web Security Testing Cookbook. Chapter 1.