Web Application Security
ISACA Bangalore Chapter Aug 2007
Runa Dwibedi
In a recent application security audit
An adversary could:
View bank statements of any user
Siphon off funds easily
Login without a password
Deny access to all users
Hijack active sessions
Steal encryption keys
This morning…
The HTTP Protocol
Attacks on Input Validation
Insecurities in Session Management
Threats at the browser
Authentication Weaknesses
Threat Modeling
Attacks on Input Validation
Client-side validation
Breach business rules
SQL Injection
XPATH Injection
Input Validation - Audit Checklist
Is input validated at server?
Are inputs checked with business rules?
Is the filter a white list?
Are SQL queries pre-compiled?
Are XPATH queries pre-compiled?
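The checklist above asks whether input is validated at the server, whether the filter is a white list, and whether SQL queries are pre-compiled. The Python example below is added here and is not part of the original talk; it puts the three side by side against a constructed in-memory SQLite table: a query assembled by string concatenation that a crafted value rewrites, the same lookup as a parameterised (pre-compiled) query, and a white-list check that runs before any query does. The accounts table, its rows and the four-digit account-number rule are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a bank's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 750)],
    )
    return conn


def statement_unsafe(conn, acct_no):
    """Query assembled by string concatenation: whatever the client sends is
    parsed as SQL, so a crafted value changes the WHERE clause."""
    sql = ("SELECT owner, balance FROM accounts WHERE acct_no = '"
           + acct_no + "' ORDER BY acct_no")
    return conn.execute(sql).fetchall()


def statement_safe(conn, acct_no):
    """Pre-compiled (parameterised) query: the driver compiles the statement
    first and binds the value as data, so the value can never alter the query."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE acct_no = ? ORDER BY acct_no",
        (acct_no,),
    ).fetchall()


# White list for this constructed schema: an account number is exactly four digits.
ACCT_NO = re.compile(r"[0-9]{4}")


def is_valid_acct_no(acct_no):
    """Server-side white-list check: accept only what the business rule allows,
    instead of trying to black-list characters that look dangerous."""
    return isinstance(acct_no, str) and ACCT_NO.fullmatch(acct_no) is not None


def statement_checked(conn, acct_no):
    """What the server should do: validate against the white list first, then
    run only a parameterised query."""
    if not is_valid_acct_no(acct_no):
        raise ValueError("rejected: account number fails white-list check")
    return statement_safe(conn, acct_no)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"                # constructed input that is not an account number
    print(statement_unsafe(db, hostile))   # every row in the table
    print(statement_safe(db, hostile))     # nothing: no account has that number
    print(is_valid_acct_no(hostile))       # False: rejected before any query runs
```

The same pattern applies to XPath: bind the user's value through the XPath engine's variable mechanism rather than splicing it into the expression text, and validate it against a white list first.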
References – SSL & Encryption
• SSL Basics, RSA Security, http://www.rsasecurity.com/standards/ssl/basics.html
• The pros and cons of securing Web services with SSL, Jack Loftus, http://searchwebservices.techtarget.com/qna/0,289202,sid26_gci995388,00.html
• Understanding SSL, Shalini Gupta, http://palisade.paladion.net/issues/2005Sep/understanding-ssl/
• Encrypting data in Databases, Priyali Vibhute, http://palisade.paladion.net/issues/2005Jun/database-encryption/
References - SQL Injection
• SQL Injection Walkthrough, Securiteam, http://www.securiteam.com/securityreviews/5DP0N1P76E.html
• Introduction to SQL Injection Attacks, Integrigy, http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf
• Best Practices in Input Validation, Roshen Chandran, http://palisade.paladion.net/issues/2004Dec/input-validation/
References - XML Injection
• XML Tutorial, W3Schools, http://www.w3schools.com/xml/
• XPATH Tutorial, W3Schools, http://www.w3schools.com/xpath/
• Mitigating XPath Injection Attacks in .NET, Oleg Tkachenko, http://www.tkachenko.com/blog/archives/000385.html
• XPath injection in XML databases, Runa Dwibedi, http://palisade.paladion.net/issues/2005Jul/xpath-injection/
• Blind XPath Injection, Amit Klein, http://www.watchfire.com/resources/blind-xpath-injection.pdf
Insecurities in Managing Sessions
Predictable session tokens
Transmitting tokens
On Logout
Session timeout
On Login
Cross Site Scripting
Session Management - Audit Checklist
Are session tokens random?
Do session tokens use cookies?
Are session tokens sent over SSL?
Are sessions invalidated on logout?
Is session timeout duration acceptable?
Are session tokens changed on login?
Are special characters escaped?
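The session checklist above asks for random tokens, tokens sent only over SSL, invalidation on logout, an acceptable timeout, a token change on login, and escaping of special characters. The Python example below is added here and is not code from the talk; it is a minimal server-side session table that does each of those, with a clock that can be injected so the timeout can be exercised without waiting. The 15-minute idle timeout, the cookie name and the comment text are assumptions made for the example.

```python
import html
import secrets
import time

# Assumed policy values for this example, not figures from the talk.
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session is dead
TOKEN_BYTES = 32            # 256 bits of randomness per token


class SessionStore:
    """Server-side session table keyed by an unguessable token.  Constructed
    example; `clock` is injectable so expiry can be tested deterministically."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}      # token -> {"user": ..., "last_seen": ...}

    def _new_token(self):
        # OS CSPRNG output: not sequential and not derived from time or user id,
        # so one user's token reveals nothing about another's.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self):
        """Anonymous session handed out before login."""
        token = self._new_token()
        self.sessions[token] = {"user": None, "last_seen": self.clock()}
        return token

    def lookup(self, token):
        """Return the session for a token, or None if unknown or idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]        # expired: same as logged out
            return None
        sess["last_seen"] = self.clock()
        return sess

    def login(self, token, user):
        """Change the token on login: the pre-login token is retired and a fresh
        one is bound to the authenticated user.  Returns the new token."""
        self.sessions.pop(token, None)
        new_token = self._new_token()
        self.sessions[new_token] = {"user": user, "last_seen": self.clock()}
        return new_token

    def logout(self, token):
        """Invalidate the server-side entry; clearing the cookie alone is not enough."""
        return self.sessions.pop(token, None) is not None


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps script from reading the token and Secure
    keeps it off plain HTTP, so it travels only over SSL."""
    return f"sid={token}; Path=/; Secure; HttpOnly"


def render_comment(text):
    """Escape special characters before echoing user input into a page, so a
    stored comment cannot carry script that reads another visitor's token."""
    return html.escape(text, quote=True)
```

The token carries no meaning by itself; everything about the session lives in the server-side table, which is what makes invalidation on logout and expiry on timeout enforceable.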
References - Session Management
• Web-based Session Management, Gunter Ollmann, http://www.technicalinfo.net/papers/WebBasedSessionManagement.html
• Securing your session with Page Tokens, Sangita Pakala, http://palisade.paladion.net/issues/2005Aug/page-tokens/
• Transmitting Session IDs, Salil Aroskar, http://palisade.paladion.net/issues/2005Jul/quiz/
References - Cross Site Scripting
• The Cross Site Scripting FAQ, CGISecurity, http://www.cgisecurity.net/articles/xss-faq.shtml
• HTML Code Injection and Cross-site scripting, Gunter Ollmann, http://www.technicalinfo.net/papers/index.html#Paper6
• Cross Site Scripting, Are your web applications vulnerable?, Kevin Spett, http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
Threats at the Browser
The browser cache
History
Browser memory
The Refresh button
Threats at the Browser - Audit Checklist
Has cache-control: no-store been set?
Are the links in History safe?
Are passwords stored as hashes?
Are passwords sent as salted hashes?
Is redirection used during login?
References - Cache
• Caching Tutorial for Web Authors and Webmasters, Mark Nottingham, http://www.mnot.net/cache_docs/
• HTTP/1.1: Caching in HTTP, http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
References - Passwords in memory
• Discovering passwords in the memory, Abhishek Kumar, http://paladion.net/papers/Discovering_Passwords_In_Memory.pdf
• Passwords - In Memory Still Green, Sangita Pakala, http://palisade.paladion.net/issues/2004Aug/passwords-in-memory/
• WinHex, http://www.x-ways.net/winhex/index-m.html
References - Browser Refresh
• Stealing Passwords via Browser Refresh, Karmendra Kohli, http://paladion.net/papers/Stealing_passwords_via_browser_refresh.pdf
Insecurities in Authentication
Authentication - Forgot Password
Best Practice
1. Ask a hint/custom question
2. Display a CAPTCHA
3. Send a short-lived link to the user’s registered email ID
4. Allow the user to reset the password over SSL
5. Invalidate the link after one use
Authentication - Audit Checklist
Is “Forgot Password” question non-trivial?
Is the “Reset link” short-lived?
Is the new password exchanged over SSL?
References – Forgot Password
• Using Secret Questions, Mark Burnett, http://www.owasp.org/columns/mburnett/questions.html
The Attack of the Bots
Bots
Bots flood the server with fake requests on public pages
Comments page
Registration at Free e-mail sites
Support query page
How can we stop them?
Pose a question that is easy for humans to answer but difficult for computers
Enter Captchas!
“Completely Automated Public Turing Test to Tell Computers and Humans Apart”
Types of CAPTCHAs
Image
Display a distorted text image
Knowledge
Pose a question “What is the color of the sky?”
Arithmetic
Pose a question “What is 34 + 15?”
How to implement a CAPTCHA
Use readily available classes
Jcaptcha for Java
http://jcaptcha.sourceforge.net/main.html
BotDetect for .Net
http://www.lanapsoft.com/products.html
Authen-Captcha for Perl
http://search.cpan.org/dist/Authen-Captcha/
Build your own classes
Common Mistakes
Small set of images
Image file names always map to the same word
All the mappings can be discovered by an attacker
Small set of images, dynamic file names
Attacker can brute force until the correct word is submitted
Best Practices
1. Dynamically generate an image
2. Send it to client with random token
3. Accept user input along with token
4. Compare user input with the correct word for that token
5. Invalidate the token after one use
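The "Forgot Password" best practice (short-lived link, reset over SSL, link invalidated after one use) and the CAPTCHA best practice (dynamically generated word, random token, compare against the word for that token, token invalidated after one use) rest on the same building block: a random token that carries one payload, expires, and can be redeemed exactly once. The Python example below is added here and is not code from the talk or from the libraries it lists; one store serves both flows. The lifetimes, the reset URL, the six-character CAPTCHA alphabet and the user names are assumptions made for the example, and rendering the CAPTCHA word as a distorted image is assumed to happen in a separate step.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed lifetimes for this example, not figures from the talk.
RESET_LINK_TTL = 15 * 60    # seconds a "forgot password" link stays valid
CAPTCHA_TTL = 5 * 60        # seconds a CAPTCHA challenge stays valid
CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits


class SingleUseTokenStore:
    """Random tokens that each carry one payload, expire, and can be redeemed once.
    Constructed example; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # sha256(token) -> (payload, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored: a copy of this table yields
        # neither usable reset links nor CAPTCHA answers.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, payload, ttl):
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (payload, self.clock() + ttl)
        return token

    def redeem(self, token):
        """Return the payload for a live token and delete it, so a second use
        (or a second guess against the same token) always fails."""
        entry = self.pending.pop(self._key(token), None)
        if entry is None:
            return None
        payload, expires_at = entry
        if self.clock() > expires_at:
            return None
        return payload


# --- Forgot password: steps 3 to 5 of the best practice --------------------

def issue_reset_link(store, user_id, base_url="https://bank.example/reset"):
    """Step 3: short-lived link mailed to the registered address (URL assumed)."""
    return f"{base_url}?token={store.issue(user_id, RESET_LINK_TTL)}"


def reset_password(store, token, new_password_hash):
    """Steps 4 and 5: the link works once, then is gone.  The new credential is
    accepted over SSL and stored as a hash; returns the user whose password
    changed, or None if the link is unknown, expired or already used."""
    user_id = store.redeem(token)
    if user_id is None:
        return None
    return {"user": user_id, "password_hash": new_password_hash}


# --- CAPTCHA: steps 1 to 5 of the best practice ----------------------------

def issue_captcha(store, length=6):
    """Steps 1 and 2: a fresh word each time (drawn as a distorted image
    elsewhere), returned with the random token the client must echo back.
    No file name ever maps to a fixed word."""
    word = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
    return store.issue(word, CAPTCHA_TTL), word


def verify_captcha(store, token, answer):
    """Steps 3 to 5: look up the expected word by token, compare in constant
    time, and discard the token whether or not the answer was right, so one
    challenge cannot be brute forced."""
    expected = store.redeem(token)
    if expected is None:
        return False
    return hmac.compare_digest(expected.upper(), answer.strip().upper())
```

The reset link and the CAPTCHA answer differ only in what the payload is; the expiry and the single redemption are what give both flows their security properties, which is why a wrong CAPTCHA answer consumes the token instead of allowing another try.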
Do public forms have CAPTCHAs?
References - CAPTCHA
• PWntcha, http://sam.zoy.org/pwntcha/
• LanAp BotDetect,
http://www.lanapsoft.com/products.html
Audit Logs
Audit logs
An audit trail of activities enables us to trace back fraud
Application layer activities are not logged by system and web server logs
So the application should maintain its own audit trail
Access to logs should be controlled
The activities to be logged
Login and logout of users
Critical transactions (e.g. fund transfer across accounts)
Failed login attempts
Account lockouts
Violation of policies
Are audit logs detailed?
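The slides above list what the application's own audit trail should capture: logins and logouts, critical transactions, failed logins, lockouts and policy violations, with access to the logs controlled. The Python example below is added here and is not code from the talk; it records those events as JSON lines with the fields an investigator needs (who, when, from where, what, outcome), writes them to a file readable only by the application account, and runs two of the checks the trail makes possible, lockout after repeated failed logins and a search for large transfers. The lockout threshold, the user names, addresses and amounts are constructed for the example.

```python
import json
import os
from collections import Counter
from datetime import datetime, timezone

# Assumed policy value: failed logins before the account is locked.
LOCKOUT_THRESHOLD = 5


class AuditLog:
    """Append-only application audit trail as JSON lines.  Constructed example."""

    def __init__(self):
        self.lines = []

    def record(self, event, user, src_ip, outcome, **details):
        """Every entry carries who, when, from where, what and whether it worked."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "user": user,
            "src_ip": src_ip,
            "outcome": outcome,
            "details": details,
        }
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry

    def write(self, path):
        """Append to a file created with mode 0600: the trail is evidence, so
        only the application account can read it."""
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a") as fh:
            for line in self.lines:
                fh.write(line + "\n")


def events(lines):
    """Event names in the order they were recorded."""
    return [json.loads(line)["event"] for line in lines]


def failed_logins(lines):
    """Count failed login attempts per user from JSON-line entries."""
    counts = Counter()
    for line in lines:
        entry = json.loads(line)
        if entry["event"] == "login" and entry["outcome"] == "failure":
            counts[entry["user"]] += 1
    return counts


def accounts_to_lock(lines, threshold=LOCKOUT_THRESHOLD):
    """Users whose failed attempts reached the lockout threshold; the lockout
    itself is then logged as its own event."""
    return sorted(u for u, n in failed_logins(lines).items() if n >= threshold)


def large_transfers(lines, limit):
    """Critical transactions above `limit`, the kind a fraud investigation traces back."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        if entry["event"] == "fund_transfer" and entry["details"].get("amount", 0) > limit:
            hits.append(entry)
    return hits


def sample_log():
    """Constructed activity covering each category the talk says to log."""
    log = AuditLog()
    log.record("login", "alice", "10.0.0.5", "success")
    for _ in range(LOCKOUT_THRESHOLD):
        log.record("login", "bob", "10.0.0.9", "failure", reason="bad password")
    for user in accounts_to_lock(log.lines):
        log.record("account_lockout", user, "10.0.0.9", "success")
    log.record("fund_transfer", "alice", "10.0.0.5", "success",
               from_acct="1001", to_acct="1002", amount=2500)
    log.record("policy_violation", "alice", "10.0.0.5", "denied",
               rule="daily transfer limit")
    log.record("logout", "alice", "10.0.0.5", "success")
    return log
```

Because every entry has the same shape, the same trail answers both "who tried to get into bob's account" and "which transfers did alice make that afternoon" without any parsing of free text.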
References – Logging and Audit Trails
• Application Logs - Security Best Practices, Dipesh Rawal, http://palisade.paladion.net/issues/2004Oct/security-logging/
Threat Modeling
A structured technique to identify threats and the security controls required to counter them
Across the SDLC
[Figure: threat modeling spans the SDLC phases SRS, Design, Development, Testing and Deployment; each phase is evaluated against the threat model]
Phase 1: Threat Profile
A list of all the possible threats to the application
For example, for an online banking application, some of the threats would be:
- An adversary steals the passwords of other users
- An adversary transfers funds from another user's account to his own account
Phase 2: Threat Trees
Identify security controls for each threat in the threat profile
The three ways of compromising a user's password would be:
- Access the password
- Steal the password from the database
- Guess the password
References - General
• Application Security FAQ, OWASP, http://www.owasp.org/documentation/appsec_faq.html
• HTTP/1.1: Header Field Definitions from RFC 2616, http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
References - Books
• Writing Secure Code, Michael Howard, David LeBlanc, Microsoft Press
• Secure Coding: Principles & Practices, Mark G. Graff, Kenneth R. van Wyk, O’Reilly
• How to Break Software Security, James A. Whittaker, Herbert H. Thompson, Addison Wesley
• Code Complete, Steve McConnell, Microsoft Press
• HTTP Developer's Handbook, Chris Shiflett, Sams Publishing
• Threat Modeling, Frank Swiderski and Window Snyder, Microsoft Press
References – Mailing List
• Security Focus Web Application Security - http://www.securityfocus.com/archive/107
• Web Application Security Consortium Mailing List - http://www.webappsec.org/lists/websecurity/archive
• Secure Coding Mailing List - http://www.securecoding.org/list/
• Secure Programming Mailing List - http://www.securityfocus.com/archive/98
Thank You