The project has been funded by the European Commission, Education, Audiovisual and Culture Executive Agency (EACEA), TEMPUS IV programme.
The content of this presentation reflects the opinion of the author.
Content
• Basics and protection methods in the protocol for the Web
• Web attacks and vulnerabilities
- Web system architecture
- Authentication / Authorization
- Client Attacks
- Command Execution
- Logical Attacks
• Development of protected websites
- Methodologies
- OWASP implementation / testing
- Security Audit
Why we study the attacks
Lecture 1
Web Application Security Fundamentals
Agenda
• Web application architecture
• Client-side and server-side functionalities
• Web security organizations
• OWASP top 10
• Certification of the security experts
• Course logistic
• Web app pentester’s toolkit
• Interception tools
Web Application is
How do web applications work?
[Diagram: client side (browser and PC) <-> server-side system (web and application servers) <-> database servers]
COMPONENTS of WEB APP ARCHITECTURE
Client-Side Functionality
Categories of Attacks
• Denial of Service (DoS) - actions that disrupt the intended operation of an
automated information system.
• Hacking - unauthorized use of, or attempts to deceive or circumvent, the
security controls of a computer system or network.
• Cracking - an act of penetration into a computer system or network.
• The term "attack" is usually used to describe the actions of hackers.
Each of the categories of malicious acts "DoS" and "cracking" covers
various types of attacks.
Definition of web application security
A security test is a method of evaluating the security of a computer
system or network by methodically validating and verifying the
effectiveness of application security controls.
A web application security test focuses only on evaluating the security of
a web application. The process involves an active analysis of the
application for any weaknesses, technical flaws, or vulnerabilities. Any
security issues that are found will be presented to the system owner,
together with an assessment of the impact, a proposal for mitigation or a
technical solution.
Threats, Vulnerabilities, Attacks
An Attack (or exploit) - An action taken that uses one or more vulnerabilities
to realize a threat. This could be someone following through on a threat or
exploiting a vulnerability.
Countermeasure - An action, device, procedure, or technique that reduces a
threat, a vulnerability, or an attack by eliminating or preventing it, by
minimizing the harm it can cause, or by discovering and reporting it so that
corrective action can be taken.
IMPLEMENTATION of THREAT
THREAT MODEL STRIDE (Microsoft)
Understanding Threat Categories
• Spoofing.
• Tampering.
• Repudiation.
• Information disclosure.
• Denial of service.
• Elevation of privilege.
STRIDE proper is the six categories above; two web-specific threats usually
discussed alongside them:
• Sniffing or eavesdropping
• Session hijacking
Web Spoofing
How does the attack work?
• Hacker spoofs a Web site (its address or IP address)
• Hacker can transfer information or get information
• Hacker can spoof using a strategy that ensures that all communication
between the Web site and the user is directed to the hacker's computer
• Hacker may also falsely acquire a certificate used by a Web site
What can we do?
❖ Do not reply to or click on a link that will lead you to a webpage asking you
for info.
❖ Look for the presence of a padlock and https://. Both must be present for a
connection to be secure. Note that the padlock only means the connection is
encrypted to the domain shown in the address bar; a phishing site can hold a
valid certificate for its own look-alike domain, so check the domain itself.
Web Parameter Tampering
This attack can be performed by a malicious user who wants to exploit the application for
their own benefit, or by an attacker who wishes to attack a third person using a man-in-the-
middle attack.
In both cases, interception proxies are used (historically WebScarab and Paros proxy;
today Burp Suite or ZAP).
The attack's success depends on errors in integrity and logic validation mechanisms, and its
exploitation can result in other consequences including XSS, SQL injection, file inclusion,
and path disclosure attacks.
Tampering. Examples
Example 1
The parameter modification of form fields can be considered a typical example of Web Parameter Tampering
attack.
For example, consider a user who can select form field values (combo box, check box, etc.) on an application page.
When these values are submitted by the user, they could be acquired and arbitrarily manipulated by an attacker.
Example 2
When a web application uses hidden fields to store status information, a malicious user can tamper with the
values stored on his browser and change the referred information. For example, an e-commerce shopping site
uses hidden fields to refer to its items, as follows:
<input type="hidden" id="1008" name="cost" value="70.00">
An attacker can modify the “value” information of a specific item, thus lowering its cost.
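A server-side view of Example 2, added here as an illustration; it is not code from the lecture or from any real shop. The catalog, item ids, form field names and the signing secret are assumptions. total_vulnerable trusts the "cost" hidden field exactly as the browser returned it; total_hardened accepts only an item id and looks the price up server-side; sign_hidden/verify_hidden show the alternative for state that genuinely has to round-trip through the client: an HMAC bound to the field name, so neither the value nor the field it belongs to can be changed.

```python
# Added example (not from the lecture). Catalog, ids, field names and the
# secret are assumptions; CATALOG stands in for a database price table.
import hashlib
import hmac
from decimal import Decimal

CATALOG = {"1008": Decimal("70.00"), "2041": Decimal("19.99")}  # constructed

# Constructed secret; a real deployment keeps it out of source code.
SECRET = b"assumed-server-side-secret"


def total_vulnerable(form: dict) -> Decimal:
    """Trusts the 'cost' hidden field exactly as the browser sent it back."""
    qty = int(form.get("qty", "1"))
    return Decimal(form["cost"]) * qty


def total_hardened(form: dict) -> Decimal:
    """Takes only an item id from the client; the price is looked up server-side."""
    item_id = form.get("item_id")
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "1"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item_id] * qty


def sign_hidden(name: str, value: str) -> str:
    """Value to emit in a hidden field: the value plus an HMAC over name=value.

    Binding the field name prevents moving a signed 'discount' into 'cost'.
    """
    mac = hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(name: str, signed: str) -> str:
    """Returns the original value, or raises if the field was modified."""
    value, _, mac = signed.rpartition("|")
    expected = hmac.new(SECRET, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"hidden field {name!r} failed integrity check")
    return value


if __name__ == "__main__":
    # Constructed request after the attacker edited value="70.00" to "1.00".
    tampered = {"item_id": "1008", "cost": "1.00", "qty": "1"}
    print("vulnerable total:", total_vulnerable(tampered))
    print("hardened total:  ", total_hardened(tampered))
    signed = sign_hidden("cost", "70.00")
    try:
        verify_hidden("cost", "1.00|" + signed.split("|")[1])
    except ValueError as e:
        print("rejected:", e)
```

The server-side lookup is the preferred fix; the signed field is for cases such as multi-step wizards where the server has no session store to keep the state in. Signing protects integrity only: a signed value is still readable by the client, so it is not a way to hide data.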
Repudiation
Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or
transactions. Without adequate auditing, repudiation attacks are difficult to prove.
Information disclosure
Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a
table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some
examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in
Web pages that contain database connection strings and connection details, and weak exception handling that
can lead to internal system level details being revealed to the client. Any of this information can be very useful to
the attacker.
Denial of service
Denial of service is the process of making a system or application unavailable. For example, a denial of service
attack might be accomplished by bombarding a server with requests to consume all available system resources or
by passing it malformed input data that can crash an application process.
Elevation of privilege
Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain
privileged access to an application. For example, an attacker with limited privileges might elevate his or her
privilege level to compromise and take control of a highly privileged and trusted process or account.
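The "weak exception handling" case of information disclosure above, as an added example that is not part of the original lecture. The connection string, the simulated driver failure and the handler names are constructed. handle_verbose returns the exception text and stack trace to the client, which leaks the DSN (credentials included) and internal host names; handle_safe logs the same detail server-side under an incident id and returns only that id.

```python
# Added example (not from the lecture). The DSN, handler names and the
# simulated database failure are constructed for illustration.
import logging
import traceback
import uuid

log = logging.getLogger("webapp")


class DatabaseError(Exception):
    pass


def open_connection(dsn: str):
    """Constructed stand-in for a database driver: it fails and, like many
    drivers, echoes the connection string (credentials included) in the error."""
    raise DatabaseError(f"could not connect using {dsn}")


def handle_verbose(view, *args):
    """Weak exception handling: exception text and stack trace go to the client."""
    try:
        return 200, view(*args)
    except Exception as exc:
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"


def handle_safe(view, *args):
    """Details stay in the server log under an incident id; the client gets the id only."""
    try:
        return 200, view(*args)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("unhandled error in %s, incident %s", view.__name__, incident)
        return 500, f"Internal error. Please quote incident {incident} to support."


if __name__ == "__main__":
    dsn = "postgresql://app:s3cretPass@db.internal:5432/shop"  # constructed
    for handler in (handle_verbose, handle_safe):
        status, body = handler(open_connection, dsn)
        print(handler.__name__, status)
        print(body)
```

The incident id is what makes the safe version usable in practice: support can find the full trace in the log without the client ever seeing it. The same pattern applies to framework "debug" pages, which must be disabled in production for the same reason.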
THREAT MODEL STRIDE (Microsoft)
DREAD (risk rating: Damage, Reproducibility, Exploitability, Affected users,
Discoverability)
THREATS to WEB APPLICATIONS
Objectives of an attacker who compromises a website:
• Black-hat SEO;
• Distribution of spam;
• Spreading malicious code;
• Theft and corruption of data held on the website;
• Deleting the contents of a site;
• DoS attacks;
• Using the site as a launching pad for attacks on other resources;
• For fun.
Kinds of vulnerabilities in web applications
• Server vulnerabilities
• Client vulnerabilities
They differ in the purpose of the possible attacks:
- Server vulnerabilities allow an attacker to obtain data directly from the
server.
- Client vulnerabilities allow an attacker to obtain the user's data (personal
information from the site, browser data such as cookies, etc.) or to perform
actions on behalf of the user without the user's knowledge.
Server vulnerabilities
Vulnerabilities that allow unauthorized actions to be performed directly on
the server.
Examples:
Execution of arbitrary operating system commands:
• read and write files,
• reboot the system.
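The "execute arbitrary operating system commands" case above, as an added example (not code from the lecture). The function names and the host allowlist are assumptions, and echo stands in for a real network tool such as ping so the script runs offline; it needs a POSIX /bin/sh. run_vulnerable concatenates user input into a shell command line, so a ";" in the input runs a second command on the server; run_hardened validates the input against an allowlist and passes an argv list, so the input reaches the program as one literal argument.

```python
# Added example (not from the lecture). `echo` stands in for a real tool such
# as ping so the script runs offline; names and the allowlist are assumptions.
import re
import subprocess

# Allowlist for a host name or IPv4 literal: letters, digits, dots, hyphens,
# starting and ending with a letter or digit (so "-n" cannot become an option).
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def run_vulnerable(host: str) -> str:
    """String concatenation plus shell=True: whatever the user typed is parsed
    by /bin/sh, so ';', '|', '$(...)' and friends run additional commands."""
    completed = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return completed.stdout


def run_hardened(host: str) -> str:
    """Validate against an allowlist, then pass an argv list (no shell).
    The host reaches the program as a single literal argument."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host {host!r}")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"  # constructed attacker input
    print(run_vulnerable(payload))      # two lines: 8.8.8.8 and INJECTED
    try:
        run_hardened(payload)
    except ValueError as e:
        print(e)
    print(run_hardened("8.8.8.8"))
```

Both halves of the fix matter: the argv list removes the shell, and the allowlist removes argument injection (an input beginning with "-" would otherwise be parsed as an option by the invoked program).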
Client Vulnerability
Web Security organizations
OWASP (The Open Web Application Security Project)
OWASP seeks to educate developers, designers, architects and business
owners about the risks associated with the most common Web application
security vulnerabilities. OWASP, which supports both open source and
commercial security products, has become known as a forum in which
information technology professionals can network and build expertise.
Web Security organizations
Information Systems Security Association (ISSA)
ISSA is a non-profit organization for the information security
profession committed to promoting effective cyber security on a
global basis.
Information Systems Security Certification Consortium, Inc. (ISC)²
(ISC)² is the global, not-for-profit leader in educating and certifying
information security professionals throughout their careers.
SANS Institute
SANS describes itself as the most trusted and by far the largest source for
information security training and security certification in the
world. It also develops, maintains, and makes available at no cost
a large collection of research documents about various aspects
of information security.
Want to know more?
http://cybersecurityventures.com/cybersecurity-associations/
CISSP
Domains Weight
1. Security and Risk Management 16%
2. Asset Security 10%
3. Security Engineering 12%
4. Communication and Network Security 12%
5. Identity and Access Management 13%
6. Security Assessment and Testing 11%
7. Security Operations 16%
8. Software Development Security 10%
Total 100%
The incidence of some common web application vulnerabilities
in applications
OWASP Top Ten (2013 edition, partial list)
• Injection (SQL, OS, and LDAP)
• Broken Authentication and Session Management
• Cross-Site Scripting
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
[Figure: The rate of Web security vulnerabilities]
The OWASP Guides
There are three different OWASP Guides. They are full of useful information about
how to perform application security activities.
• The OWASP Guide to Building Secure Web Applications and Web Services
This OWASP Guide has hundreds of articles about all the major security issues you'll
encounter when designing or building a secure web application or web service.
• The OWASP Testing Guide
This OWASP Guide has articles specifically about performing security penetration
testing on web applications and web services.
• The OWASP Code Review Guide
This OWASP Guide covers all the same vulnerabilities and security mechanisms as
the Testing Guide, but provides guidance on finding the problems in the source
code.
Useful Materials
OWASP Video
https://www.owasp.org/index.php/Category:OWASP_Video
OWASP Cornucopia
https://www.owasp.org/index.php/OWASP_Cornucopia
Ongoing Research Initiatives
• OWASP Research
• OWASP Benchmark
• OWASP Python Security Project
• OWASP IoT Embedded Web Interface (new)
• Securing NodeJS (new)
OWASP Cornucopia - Ecommerce Website Edition
[Screenshot of the Cornucopia card game: players Imogen and Martin, each with
a hand of cards, requirements and rounds counters at zero]
Cornucopia
Let's play - first round
[Screenshot: the first round played; requirements and rounds counters]
Schedule of requirements
[Screenshot: the players' hands, requirements and rounds counters]
Where to start?
Technical Testing of Web Applications
(OWASP Testing Guide v4):
1. Manual inspections and reviews
2. Threat modeling
3. Source code review
4. Penetration testing
1. Manual Inspections & Reviews
Manual Testing
3. Manual checking of source code
What to look for?
- Concurrency problems
- Flawed business logic
- Access control problems
- Cryptographic weaknesses
- Backdoors
- Trojans
- Easter eggs
- Time bombs
- Logic bombs,
- etc.
+ Accuracy
- Needs highly skilled developers
Example of code review:
https://nioguard.blogspot.se/2017/07/comparing-medoc-backdoors-in-176-186.html
Stolen data: The MeCom class contains the code responsible for retrieving
information from your MEDoc environment and sending it to the C&C
server in the form of cookies. In versions 176 and 181, TeleDoor sent only
your Tax Id (edrpou). However, in version 189, your proxy and email settings,
including logins and passwords, were sent as well. See the code of one of the
MeCom constructors.
4. Penetration Testing
(black-box testing, also called ethical hacking)
Different penetration tools:
Nmap, Ping, Traceroute, SuperScan, Netcat, NeoTrace, WinScan, Nessus, Whois,
web application scanners
OTG: Testing categories
• Information gathering (INFO)
• Configuration and deployment management (CONFIG)
• Identity management (IDENT)
• Authentication (AUTHN)
• Authorization (AUTHZ)
• Session management (SESS)
• Input validation (INPVAL)
• Error handling (ERR)
• Cryptography (CRYPST)
• Business logic (BUSLOGIC)
• Client side (CLIENT)
How to write a good report?
Course logistics
• 15 lectures
• 12 labs (6 of them with a report, graded U, G, VG)
• The final lab is very important
• Exam
• Additional point on the exam: attendance at the lectures and a well-written
report (VG) give you +1p
Course logistics (updated)
• 12 lectures
• 9 labs (without report)
• NEW! Only 4 assignments
- 2 assignments are summaries of 3-4 labs
- 3rd assignment: seminar
- 4th assignment: ethical hacking of a web application, with a report
• Exam
• Additional point on the exam: attendance at the lectures and a well-written
report (VG) give you +1p
Web app pentester's toolkit
• Some key considerations are:
✓ Attack platform - WebGoat, SamuraiWTF, Acunetix test websites,
Kali-linux-web, bWAPP, DVWA
✓ Dynamic web app security scanner(s) - VEGA, IBM AppScan,
Burp Pro, ZAP, Acunetix, WhiteHat Sentinel etc.
https://resources.infosecinstitute.com/top-5-web-application-security-scanners-2017/#gref
✓ Browser(s)
✓ Interception proxies - Fiddler, OWASP ZAP, Burp Suite (see the following slides)
Interception tool
• Interception is one of our main goals:
- Can we get between the (client) application and the server?
• Interception tools do more than intercept:
- They can analyze the traffic
- They can inject attacks
[Diagram: penetration tester <-> interception tool <-> web application]
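What an interception proxy does at the moment you edit a request and press "forward", as an added example; this is not code from the lecture, nor from Burp, ZAP or Fiddler. The sample request, the /checkout endpoint and the function names are constructed. parse_request splits a raw HTTP/1.1 request into request line, headers and body; rewrite_form_param changes one urlencoded form field and build_request reassembles the request with a corrected Content-Length, which is the detail a hand-edited request most often gets wrong.

```python
# Added example (not from the lecture, and not code from Burp, ZAP or Fiddler).
# The sample request and the checkout endpoint are constructed.
from urllib.parse import parse_qsl, urlencode


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)] headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def get_header(headers, name: str) -> str:
    """Case-insensitive header lookup; '' if absent."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return ""


def build_request(request_line: str, headers, body: bytes) -> bytes:
    """Reassemble the request, recomputing Content-Length for the edited body."""
    out = [(k, v) for k, v in headers if k.lower() != "content-length"]
    out.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in out])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def rewrite_form_param(raw: bytes, name: str, new_value: str) -> bytes:
    """Change one urlencoded form field in flight; other requests pass untouched."""
    request_line, headers, body = parse_request(raw)
    if "application/x-www-form-urlencoded" not in get_header(headers, "Content-Type"):
        return raw
    params = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    params = [(k, new_value if k == name else v) for k, v in params]
    return build_request(request_line, headers, urlencode(params).encode("iso-8859-1"))


# Constructed request as a browser would send it after submitting the checkout form.
SAMPLE = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"item_id=1008&cost=70.00&qty=1"
)

if __name__ == "__main__":
    # Tampering: lower the price. Injection: put an attack string into item_id.
    print(rewrite_form_param(SAMPLE, "cost", "1.00").decode())
    print(rewrite_form_param(SAMPLE, "item_id", "1008' OR '1'='1").decode())
```

The same edit-and-forward step is what Burp Repeater or ZAP's request editor automate; the value of writing it out is seeing that the proxy must re-encode the body and fix Content-Length, otherwise the server reads a truncated or over-long body and the attack never reaches the application.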
Fiddler
Free debugging proxy
Runs on Microsoft Windows
Supports extensions:
- Watcher
- ViewStateViewer
- x5s
OWASP Zed Attack Proxy (ZAP)
ZAP is a fully featured open source interception proxy
Release 2.7.0
Project:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Manuals:
https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0
Burp Suite
Has 2 versions: free (Community) and Pro
Requires more knowledge of HTTP than similar tools
https://portswigger.net/burp/communitydownload
Burp Suite videos
• https://www.youtube.com/watch?v=G-v581pXerE Sequencer and Scanner
modules (14min)
• https://www.youtube.com/watch?v=9Zh_7s5csCc Repeater module (14min)
• https://www.youtube.com/watch?v=PDTwYFkjQBE Proxy module (25min)
• https://www.youtube.com/watch?v=dCKPZUSOlr8 Target and Spider modules
(13min)
• https://www.youtube.com/watch?v=7OXe8THhmao Intruder and Compare
modules (27min)
What to read