Web Engineering
Web Application Security Issues
Dec 14 2009, Katharina Siorpaes
© Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at
• It is NOT Network Security
• It is securing:
  – "Custom Code" that drives a web application
  – Libraries
  – Backend Systems
  – Web and Application servers

[Diagram: an application attack passes through the firewall, hardened OS, web server and app server into the custom code, and from there reaches the backend: databases, legacy systems, web services, directories, human resources, billing and the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce). An insider sits behind the network layer.]
Application Layer: Attacker sends attacks inside valid HTTP requests. Your custom code is tricked into doing something it should not. Security requires software development expertise, not signatures.
Network Layer: Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests. Security relies on signature databases.
How likely is a successful web application attack?
Consequences?
Web Application Security is just as
Need for Securing Web Sites/Applications
• Defaced Sites Reported on the Internet
• Defacement reasons
  – Application Vulnerability
  – Site owner authored (accidental/intentional)
  – Web Server Misconfiguration
Web Engineering 12/7/2007
Corporate Security
[Diagram: Internet to a corporate server, with security at the network and transport layer; ports 21, 23, 80/8080 and 139 exposed]
• Securing traditionally was not enough
• Network Controls – legitimate traffic
• Above 70% of attacks are at the application level
Web Application
• A web application is generally comprised of a collection of scripts that reside on a web server and interact with a database and other sources of dynamic content.
• Runs generally at port 80/8080
Attacks Undetected
• Data sent as part of legitimate traffic on port 80/8080 goes undetected.
• Conventional network devices and firewalls cannot distinguish bad data from genuine data.
Web Application Security
• Refers to the combination of People, Processes and Technology
• Identify, Measure and Manage the risks
• Presented by Open source and custom web applications
Risks identified in applications
• A malicious user can log in without a valid account.
• An unauthorised user can view, add, update, delete data.
• An authenticated user can add/update data as another user.
• A malicious user can upload malicious contents.
• A malicious user can steal user credentials.
People, Processes, Technology
People:
• Awareness
• Training
• Guidelines
Processes:
• Secure Development
• Secure code Review
• Security Testing
• Secure Configuration
Technology:
• Application Firewalls
• Automated Application Scanners
Web Application Security Standards
• OWASP (Open Web Application Security Project)
• WASC (Web Application Security Consortium)
OWASP
The Open Web Application Security Project is a project dedicated to sharing knowledge and developing open source software that promotes understanding of web application security.
For more info see http://www.owasp.org
• OWASP Top 10
WASC
Is an international group of experts, practitioners and organizational representatives who produce open source and widely agreed upon best practice security standards for the world wide web.
http://www.webappsec.org
• Web Hacking Incidents Database
• Web Security Threat classification
OWASP Top Ten Project
• It provides a minimum standard for web application security.
• The OWASP Top Ten represents a broad consensus about what the most critical web application vulnerabilities are.
• Adopters
  – US Federal Trade Commission, US DOD, VISA
  – Other companies including Sprint, IBM etc.
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A1 - Unvalidated Input
Information from Web requests is not validated
before being used by a Web application. Attackers
can use these flaws to attack backend components
through a Web application.
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A2 - Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
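The following is an added example (not code from the slides) of the restriction A2 is about: an object lookup that never checks who is asking, beside one that enforces ownership on every request. The invoice table, user ids and roles are constructed for the demo.

```python
# Added example (not from the slides): enforcing object-level access control.
# Constructed sample data; user ids, invoice ids and roles are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # "customer" or "admin"

# Constructed backend table: invoice_id -> (owner_user_id, amount)
INVOICES = {
    101: (1, 250.00),
    102: (2, 99.90),
}

def get_invoice_vulnerable(invoice_id):
    # Restriction missing: the caller's identity is never consulted, so a
    # user authenticated as user 1 can fetch invoice 102 owned by user 2
    # simply by changing the id in the request.
    return INVOICES[invoice_id]

def get_invoice(current_user, invoice_id):
    # Enforce the restriction server-side on every request: load the object,
    # then compare its owner against the authenticated identity.
    record = INVOICES.get(invoice_id)
    if record is None:
        # Same error for "missing" and "not yours": do not reveal existence.
        raise PermissionError("invoice not available")
    owner_id, _amount = record
    if current_user.role != "admin" and current_user.user_id != owner_id:
        raise PermissionError("invoice not available")
    return record

def can_access(current_user, invoice_id):
    """True/False wrapper around get_invoice for callers that do not raise."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except PermissionError:
        return False
```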
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A3 - Broken Authentication and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
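An added example (not from the slides) of protecting the session tokens A3 refers to: the token is drawn from the OS random source, only its hash is stored on the server, each session expires, and logout destroys it server-side. The in-memory store, the 15-minute lifetime and the user ids are constructed for the demo.

```python
# Added example (not from the slides): issuing and checking session tokens.
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60          # constructed policy for the demo

# sha256(token) -> {"user_id": ..., "expires": ...}. A dump of this store
# does not yield tokens that could be replayed against the application.
_SESSIONS = {}

def _fingerprint(token):
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(user_id, now=None):
    """Issue a fresh random token after the user has authenticated."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 random bits, unguessable
    _SESSIONS[_fingerprint(token)] = {"user_id": user_id,
                                      "expires": now + SESSION_TTL_SECONDS}
    return token

def resolve_session(token, now=None):
    """Return the user id bound to a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token:
        return None
    key = _fingerprint(token)
    data = _SESSIONS.get(key)
    if data is None:
        return None
    if data["expires"] <= now:
        del _SESSIONS[key]                       # expired: drop it on access
        return None
    return data["user_id"]

def logout(token):
    """Invalidate server-side; deleting the browser cookie alone is not enough."""
    _SESSIONS.pop(_fingerprint(token), None)
```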
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A4 - Cross Site Scripting (XSS) Flaws
The Web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
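An added example (not from the slides) of the transport mechanism A4 describes and its fix: a page fragment built from a request value with no encoding, beside one that encodes the value for each HTML context it lands in. The template, the /users/ URL layout and the sample inputs are constructed for the demo.

```python
# Added example (not from the slides): output encoding against XSS.
import html
from urllib.parse import quote

def render_greeting_vulnerable(display_name):
    # The request value is concatenated straight into the page, so a name
    # that contains markup becomes part of the page every viewer loads.
    return "<h1>Hello, " + display_name + "</h1>"

def render_greeting(display_name, profile_path):
    # Encode for the context the value lands in:
    #  - text and attribute content: html.escape with quote=True, which also
    #    converts " and ' so the value cannot terminate the attribute;
    #  - a URL path segment inside href: percent-encoding via quote(), with
    #    safe="" so "/" is encoded too and the segment cannot climb paths.
    safe_name = html.escape(display_name, quote=True)
    safe_path = quote(profile_path, safe="")
    return ("<h1>Hello, " + safe_name + "</h1>"
            '<a href="/users/' + safe_path + '" title="' + safe_name + '">'
            "profile</a>")
```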
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A5 - Buffer Overflow
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A6 - Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
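An added example (not from the slides) covering both A1 and A6: a login lookup that embeds request parameters in the SQL text it sends to the database, beside the parameterised form and an allow-list validator applied before the value reaches any backend. It uses an in-memory SQLite database with constructed rows; the plaintext passwords exist only to keep the demo short.

```python
# Added example (not from the slides): SQL injection and its fix.
import sqlite3

def _db():
    # Constructed sample table; real credentials must be stored hashed (A8).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, name, password):
    # The request parameters become part of the SQL text, so a quote in the
    # input changes the statement the database executes.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login(con, name, password):
    # Placeholders keep code and data separate: the driver passes the values
    # to the engine as parameters, so they can never alter the statement.
    row = con.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] if row else None

def validate_username(name):
    """A1: allow-list the shape of the input before any backend sees it."""
    return (isinstance(name, str) and 1 <= len(name) <= 32
            and name.isascii() and name.isalnum())
```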
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A7 - Improper Error Handling
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A8 - Insecure Storage
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
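An added example (not from the slides) of getting the credential-protection part of A8 right: passwords stored as a salted, iterated PBKDF2 hash in a self-describing record, verified with a constant-time comparison, plus a check that tells the application when an old record should be upgraded. The record format, iteration count and sample password are constructed for the demo.

```python
# Added example (not from the slides): salted, iterated password storage.
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000     # constructed policy; tune to the server, raise over time

def hash_password(password, iterations=ITERATIONS):
    """Return a record of the form pbkdf2_sha256$iterations$salt$hash."""
    salt = secrets.token_bytes(16)               # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode())

def verify_password(password, record):
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError, AttributeError):
        return False                             # malformed record: reject
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is below current policy and should be
    re-hashed at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```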
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A9 - Denial of Service
Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
OWASP Top Ten Most Critical Web Application
Vulnerabilities
• A10 - Insecure Configuration Management
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
• Developers must:
  – Work with solution architects and systems administrators to ensure application security
  – Contribute to security by:
    • Adopting good application security development practices
    • Knowing where security vulnerabilities occur and how to avoid them
    • Using secure programming techniques
• Security must be considered at:
  – All stages of a project
    • Design
    • Development
    • Deployment
  – All layers
    • Network
    • Host
    • Application
“Security is only as good as the weakest link”
OWASP Top Ten Project: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
UA Web Applications Best Practices: http://confluence.ltc.arizona.edu/confluence/display/WEBPRACTICES/Web+Application+Best+Practices
Web Application Security Consortium: http://www.webappsec.org/
Microsoft Corporation: http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=84B3AA98-A1E5-4A74-A56B-7ADDBDED79CC&displaylang=en
UA Info Sec Office Webpage for Application Developer
Questions?