
Top 5 Web Hacks

Adrian Owens, Certified Client Technical Professional, Southeast

2011 IBM Corporation

IBM Security Solutions

The Bad Guys Want In


Black Hat Hacker: wants to steal your important data, especially financial information, which they can sell for a gain.
Hacktivist: takes your website down. Could be motivated by politics or religion, may wish to expose wrongdoing, or exact revenge.
Script Kiddie: may deface your website to make a name for themselves.


How: Right Through Your Front Door


Resource Access: Address Bar
XSS: Search Field
SQL Injection: Web Form


OWASP and the OWASP Top 10 list

The Open Web Application Security Project (OWASP) is an open organization dedicated to fighting insecure software. The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are. www.owasp.org


OWASP Top 10 Vulnerabilities

TechWorks

1. Injection Flaws (SQL Injection)


What is it?
User-supplied data is sent to an interpreter as part of a command, query or data.

What are the implications?


SQL Injection: access/modify data in the DB
SSI Injection: execute commands on the server and access sensitive data
LDAP Injection: bypass authentication

6 2008 IBM Corporation Discovering the Value of Web Application Security Testing with IBM Rational AppScan


SQL Injection

User input inserted into SQL command:

Get product details by id: Select * from products where id=$REQUEST[id];
Hack: send param id with value or 1=1
Resulting executed SQL: Select * from products where id= or 1=1
All products returned


SQL Injection Example I

Select user from tvalidateuser where username=


SQL Injection Example II


SQL Injection Example - Exploit

Input: or 1=1--
Resulting SQL: Select user from tvalidateuser where username=or 1=1--
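The two slides above show the login query concatenating the username straight into the statement. The following added example (not from the IBM deck) rebuilds that shape in Python against a constructed in-memory SQLite table named tvalidateuser with two sample rows, and places the concatenated query beside the parameterised one so the tautology payload's effect on each can be compared. The table contents and the log-triage heuristic are assumptions for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table shaped like the slide's tvalidateuser query;
    # the two rows are sample data, not the page's data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tvalidateuser (user TEXT, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tvalidateuser VALUES (?, ?, ?)",
        [("alice", "alice", "s3cret"), ("bob", "bob", "hunter2")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # The slide's pattern: the request value is concatenated into the statement,
    # so a value such as  ' or 1=1--  rewrites the WHERE clause and comments out
    # the closing quote. Every row then matches.
    sql = "SELECT user FROM tvalidateuser WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # Parameterised query: the driver binds the value as data; it is never
    # parsed as SQL, so the same payload matches no row.
    sql = "SELECT user FROM tvalidateuser WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def looks_like_injection_probe(value):
    # Log-triage heuristic only (assumed, not a defence): flags a tautology
    # ("or X=Y") or a trailing SQL comment in a submitted parameter so the
    # request can be logged and investigated. The fix remains parameterisation.
    return bool(re.search(r"(?i)\bor\s+\S+\s*=\s*\S+|--\s*$", value))


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("concatenated:", lookup_user_vulnerable(db, payload))
    print("parameterised:", lookup_user_safe(db, payload))
    print("probe flagged:", looks_like_injection_probe(payload))
```

Running the block prints both user names for the concatenated query and an empty list for the parameterised one; the heuristic is only for spotting such inputs in request logs.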


SQL Injection Example - Outcome


2. Cross-Site Scripting (XSS)

What is it?
Malicious script is echoed back into HTML returned from a trusted site and runs in that site's trusted context.

What are the implications?


Session tokens stolen
Complete page content compromised
Future pages in browser compromised


XSS Example I

<H1>aSdF</h1>


XSS Example II

HTML code:


Cross Site Scripting: The Exploit Process


Actors: Evil.org (attacker), User, bank.com (trusted site)

1) Link to bank.com sent to user via e-mail or HTTP (from Evil.org)
2) User sends script embedded as data (to bank.com)
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
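The XSS slides use the probe string <H1>aSdF</h1> in a search field to see whether the site reflects it as live markup. The added Python example below is not from the IBM deck: it shows a search page that echoes the term unencoded next to one that applies contextual HTML encoding (html.escape from the standard library), plus a reflection check of the kind a scanner performs with that probe. The page templates and the attribute-context search box are assumptions.

```python
import html

# The slide's probe string: submitted in the search field and checked for
# surviving as live markup in the response.
PROBE = "<H1>aSdF</h1>"


def render_search_vulnerable(term):
    # Echoes the search term straight into the page body; any tags in it
    # are interpreted by the browser in the trusted site's context.
    return "<p>Results for: " + term + "</p>"


def render_search_safe(term):
    # Output encoding for the HTML text context: < > & " ' become entities,
    # so the browser displays the probe as text instead of parsing it.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def render_search_box_safe(term):
    # Attribute context (assumed template): the same encoding closes the door
    # on input that tries to break out of the value="..." attribute.
    return '<input type="text" name="q" value="' + html.escape(term, quote=True) + '">'


def probe_is_reflected(render, probe=PROBE):
    # Scanner-style check: True when the probe comes back byte-for-byte,
    # i.e. the page reflects user-supplied markup unencoded.
    return probe in render(probe)


if __name__ == "__main__":
    for name, page in (("vulnerable", render_search_vulnerable), ("safe", render_search_safe)):
        print(name, "reflects markup:", probe_is_reflected(page))
    print(render_search_safe(PROBE))
```

Encoding is chosen per output context; the text-node and quoted-attribute cases above are the two the search-field example touches, and a term placed in a URL or script context would need the encoding for that context instead.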


3. Broken Authentication & Session Management


What is it?
Session tokens aren't guarded and invalidated properly.

What are the implications?


Session tokens can be planted by hackers in an XSS/XSRF attack, hence leaked
Session tokens more easily available (valid longer, less protection) to be stolen in different ways


Broken Authentication and Session Management - Examples


Unprotected session tokens
- Session ID kept in a persistent cookie
- Not using the HttpOnly flag for cookies

Sessions valid for too long
- Session not invalidated after logout
- Session timeout too long

Session fixation possible
- Session ID not replaced after login
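Each item on the slide above maps to one server-side decision. The added example below (not from the IBM deck) is a small session store written with the Python standard library that replaces the session ID at login, invalidates it at logout, enforces an idle timeout, and emits a non-persistent cookie carrying the HttpOnly, Secure and SameSite attributes. The cookie name, the 15-minute timeout and the injectable clock are assumptions for the demonstration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 15 * 60  # idle timeout in seconds (assumed policy value)


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the timeout can be exercised
        self._sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def create(self):
        # 256 bits from the OS CSPRNG: not guessable, not derived from the user.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, sid, user):
        # Session fixation defence: discard the pre-login id and issue a new one,
        # so an id planted in the browser before authentication never becomes
        # an authenticated session.
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        # Invalidate on the server; clearing the browser cookie alone leaves a
        # copied token usable until it expires.
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        # Resolve a presented token; expire it if idle for longer than the policy.
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TIMEOUT:
            self._sessions.pop(sid)
            return None
        s["last_seen"] = self._now()
        return s["user"]


def session_cookie_header(sid):
    # Set-Cookie value for the token. HttpOnly keeps script (XSS) from reading it,
    # Secure keeps it off plaintext HTTP, SameSite limits cross-site sends, and
    # the absence of Expires/Max-Age makes it a session cookie rather than a
    # persistent one.
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["samesite"] = "Strict"
    c["SESSIONID"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice")
    print("id rotated at login:", sid != anon)
    print(session_cookie_header(sid))
```

The timeout here is an idle timeout; an absolute lifetime cap is a separate policy that the same user_for check can enforce by also recording the creation time.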


4. Insecure Direct Object Reference


What is it?
Part or all of a resource name (file, table, etc.) is controlled by user input.

What are the implications?


Access to sensitive resources
Information leakage, which aids future hacks


Insecure Direct Object Reference - Example

Attacker may attempt to manipulate the parameter: change Content to point at the Boot.ini system file.


Insecure Direct Object Reference Example Cont.

Poison Null Byte: use a NULL character in place of the .htm extension, so the extension the application appends is cut off after the NULL.


Insecure Direct Object Reference Example Cont.

Bingo! Sensitive file information at our fingertips.
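The three slides above walk one Content parameter from a normal page name to a system file, with the null byte defeating the appended extension. The added example below is not from the IBM deck: it contrasts the slide's path-building pattern with a resolver that treats the parameter as an indirect name, rejects null bytes and path separators outright, and still checks that the final path stays under the content root. The content root and allowed-name pattern are assumptions.

```python
import os
import re

CONTENT_ROOT = os.path.abspath("/var/www/content")  # assumed location of the page files
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")        # assumed: plain page names only


def resolve_content_vulnerable(content):
    # The slide's pattern: the parameter is glued into a path and ".htm" appended.
    # "../" walks out of the root, and a NULL byte lets a C-string file API drop
    # the appended extension, so the name resolves to an arbitrary system file.
    return CONTENT_ROOT + "/" + content + ".htm"


def resolve_content_safe(content):
    # Layer 1: refuse a NULL byte outright; a path containing one is never legitimate.
    if "\x00" in content:
        return None
    # Layer 2: allow-list the shape of a page name (no slashes, dots or drive letters),
    # so the parameter selects a page rather than describing a path.
    if not NAME_RE.match(content):
        return None
    # Layer 3: containment check after normalisation, in case the allow-list is
    # ever loosened; the resolved file must still be under CONTENT_ROOT.
    path = os.path.normpath(os.path.join(CONTENT_ROOT, content + ".htm"))
    if os.path.commonpath([CONTENT_ROOT, path]) != CONTENT_ROOT:
        return None
    return path


if __name__ == "__main__":
    for value in ("about", "../../../boot.ini", "../../../boot.ini\x00"):
        print(repr(value), "->", resolve_content_safe(value))
```

The allow-list does the real work; the containment check is defence in depth, and the null-byte test is kept explicit because the slide's trick is exactly that one character.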


5. Cross Site Request Forgery (CSRF/XSRF)


What is it?
Tricking a victim into sending an unwitting (often blind) request to another site, using the user's session and/or network access.

What are the implications?


Internal network compromised
User's web-based accounts exploited


XSRF Exploit Illustration


Actors: Evil.org (attacker), Victim, and the sites the victim's browser can reach: Bank.com, WebMail, Wireless Router

1) User browses page with malicious content (on Evil.org)
2) Script (or link) is downloaded and executed in browser
3) Forged requests ride the victim's session or network access:
   - Bank.com: money transferred
   - WebMail: all mails forwarded to hacker
   - Wireless Router: router opened for outside access
4) Outcome:
   - Bank.com: money withdrawn
   - WebMail: private mails accessed, possibly containing passwords
   - Wireless Router: firewalls bypassed, internal computers hacked
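The forged requests in the illustration succeed because Bank.com, WebMail and the router accept any request that carries the victim's cookie or arrives from the victim's network. The added Python example below (not from the IBM deck) shows the server-side check that breaks that assumption: a per-session synchronizer token that the cross-site page cannot read, combined with an Origin/Referer check. The origin name, header and form dictionaries are assumptions standing in for a real request object.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://bank.example"}  # assumed: the site's own origin(s)


def issue_csrf_token(session):
    # Random token stored in the server-side session and embedded in the site's
    # own forms. A page on Evil.org can make the browser send the cookie, but it
    # cannot read this value out of Bank.com's pages, so it cannot include it.
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def origin_of(headers):
    # Origin is sent on cross-site POSTs; fall back to the Referer's origin.
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def is_valid_state_change(session, headers, form):
    # Gate for every state-changing request (transfer, forward rule, router
    # config). Reject when the request originates from another site, when the
    # session holds no token, or when the submitted token does not match.
    if origin_of(headers) not in ALLOWED_ORIGINS:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    own_form = {"csrf_token": token, "to": "acct-9", "amount": "500"}
    forged_form = {"to": "acct-9", "amount": "500"}  # constructed: what a cross-site page can send
    print("own site:", is_valid_state_change(session, {"Origin": "https://bank.example"}, own_form))
    print("evil.org:", is_valid_state_change(session, {"Origin": "https://evil.org"}, forged_form))
```

A request with neither Origin nor Referer is rejected here; a deployment that must tolerate privacy proxies stripping both can relax that branch and rely on the token alone, which is the stronger of the two checks in any case.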



Security Testing Technologies: Combination of the Two Delivers a Comprehensive Solution

Static Code Analysis = Whitebox: scanning source code for security issues
Dynamic Analysis = Blackbox: security analysis of a compiled application

(Diagram: of the total potential security issues, complete coverage is reached only where Static Analysis and Dynamic Analysis overlap.)


Automated Security Testing

AppScan Standard Edition (black-box, dynamic): desktop version, connects to Enterprise Reporting
AppScan Enterprise Edition (black-box, dynamic): web-based version, connects to Enterprise Reporting
AppScan Source Edition (white-box, static): IDE, desktop and web-based, connects to Enterprise Reporting
AppScan Source for Automation (build component): part of the build engine, Build Forge enabled
AppScan Policy Tester (quality, privacy, accessibility): web-based version, connects to Enterprise Reporting


AppScan: who uses what (BB = black-box, WB = white-box)

Compliance Officers
- Tasks: review compliance reports
- Products: ASE Web Based Views (BB & WB)

Management
- Tasks: review most common security issues, view trends, assess risk
- Products: AppScan Enterprise (ASE) Web Based Views (BB & WB)

Developers / Build automation
- Tasks: source code analysis (WB), part of build verification, publish findings for remediation/trending, view assessment results, remediate issues, assign issue status
- Products: Headless Source Edition app integration with Build Forge, Ant, Maven, Make; ASE Quick Scans (BB); Visual Studio .NET (WB); Eclipse Java (WB); Source Edition Core
- Languages: PHP, Perl, ColdFusion, client-side JavaScript, C/C++, Java/JSP, .NET (C#, ASP.NET, VB.NET), Classic ASP (VB6), VBScript, server-side JavaScript

Also shown: ASE Scan Agents (BB); QC, CQ publish security defects through AppScan Enterprise Integration; Rational AppScan Enterprise portal (AppScan Enterprise, Policy Tester Enterprise, Source Edition for Core)

QA & Accessibility
- Tasks: conduct quality / privacy / accessibility tests, publish findings for remediation/trending
- Products: AppScan Enterprise Web Based Views (BB); Policy Tester Module in ASE (BB); AppScan Tester Edition for RQM (BB)

Security specialists
- Tasks: conduct security assessments, publish findings for remediation/trending
- Products: AppScan Standard Edition Desktop (BB); AppScan Enterprise Web Based Views (WB & BB); Source Edition Desktop (WB) for assessments


Security testing within the application life cycle

(Chart: % of issues found by stage of the SDLC, compared against the desired profile.)


Questions & Thank You!
