Scribd
Upload
47 views

10 Web Application Security 20110827

The document provides an overview of web application security concepts including: - Basic web technologies like URLs, HTTP requests and responses - Secure Socket Layer (SSL) and how it is used to encrypt communications - Cookies and how they can be used for authentication - The Document Object Model (DOM) interface for manipulating web pages - Examples of common web application attacks like SQL injection, cross-site scripting, and session hijacking

Uploaded by

zinefine
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
47 views

10 Web Application Security 20110827

The document provides an overview of web application security concepts including: - Basic web technologies like URLs, HTTP requests and responses - Secure Socket Layer (SSL) and how it is used to encrypt communications - Cookies and how they can be used for authentication - The Document Object Model (DOM) interface for manipulating web pages - Examples of common web application attacks like SQL injection, cross-site scripting, and session hijacking

Uploaded by

zinefine
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 57

Web Application

Security

Example Web Application


Internet

DMZ

HTTP
request

IIOP
T9
etc.

Cleartext or
SSL
transport

Web
client:
IE,
Mozilla,
etc.
HTTP reply
(HTML,
JavaScript,
VBScript,
etc.)

AJP

Apache
IIS
Netscape
etc.

DB
Web app
Web app

App
server
(optional)

Web
server

Servlet
engine
J2EE
server

ColdFusio
n
Oracle

Internal
network

Protected
network

Web app
Web app

Perl
C++
CGI
Java
ASP
PHP
etc.

DB

ADO
ODB
C

JDB
C
etc.

Oracl
e
SQL
Serv
er

Basic Web
Technology

URLs

Global identifiers of network-retrievable documents


Example:
http://stanford.edu:81/class?name=cs155#homework

Protocol

Hostname

Port

Path

Special characters are encoded as hex:


%0A = newline
%20 = space

Query

Fragment

HTTP Request
Method

File

HTTP version

Headers

GET /index.html HTTP/1.1


Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Connection: Keep-Alive
Host: www.example.com

Blank line
Data none for GET

HTTP Response
HTTP version

Status code

Reason phrase

Headers

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Content-Length: 2543
<HTML> Some data... blah, blah, blah </HTML>

Data

SECURE SOCKET LAYER

SSL

Client & Server Authentication


Data Integrity

SSL Handshake

Mixed Content: HTTP and HTTPS

Page loads over HTTPS, but contains content over HTTP

IE: displays mixed-content dialog to user

Firefox: displays a red slash over lock icon (no dialog)

Flash files over HTTP are loaded with no warning (!)


Note: Flash can script the embedding page

Flash files over HTTP do not trigger the slash

Safari: does not attempt to detect mixed content

Mixed Content: HTTP and HTTPS


silly dialogs

Mixed content and network attacks

after login all content served over HTTPS

Developer error:

Somewhere on bank site write

<script src=http://www.site.com/script.js> </script>

Active network attacker can now hijack any session

Better way to include content:


<script src=www.site.com/script.js> </script>
served over the same protocol as embedding page

Cookies: client state

14

Cookies
Used

to store state on users machine


GET

Browser

Server

HTTP Header:
Set-cookie: NAME=VALUE ;
domain = (who can read) ;
expires = (when expires) ;
If expires=NULL:
this session only
secure = (only over SSL)

Browser

GET
Cookie: NAME = VALUE

Server

HTTP is stateless protocol; cookies add state

Cookie authentication
Browser

Web Server
POST login.cgi
Username & pwd

Set-cookie: auth=val

GET restricted.html
Cookie: auth=val

If YES,
restricted.html

Auth server
Validate user
auth=val
Store val

restricted.html
auth=val
YES/NO

Check val

DOCUMENT OBJECT MODEL

What is the DOM?

The DOM is a platform- and language-neutral interface


that will allow programs and scripts to dynamically acces
s and update the content, structure and style of documen
ts.

The document can be further processed and the results


of that processing can be incorporated back into the pres
ented page.

Ref: http://www.w3c.org/

The DOM Interface Hierarchy


NamedNodeMap

DOMImplementation

NodeList

DOMException

Node

Fundamental Interface

Document
CharacterData

Comment

Attr

Text

Element
DocumentType
Notation
Entity
EntityReference
ProcessingInstruction

Extended Interface

CDATASection

The Relation Graph


XML
document

Web Client side program (e.g.: JavaScript)


Web Server side program (e.g.: ASP)
Console program (e.g.: C++, Java)

DOM

Output

Document Object Model (DOM)

Object-oriented interface used to read and write docs

web page in HTML is structured data


DOM provides representation of this hierarchy

Examples

Properties:

document.alinkColor
document.URL
document.forms[ ]
document.links[ ]
document.anchors[ ]

Methods:

document.write(document.referrer)

Document Object Model (DOM)

Also Browser Object Model (BOM)

Window
document
frames[]
History
Location
navigator (type and version of browser)

OWASP project
OWASP

project (http://www.owasp.org)
Open Web Application Security Project
Minimum standards for web application
security
International membership
Interesting project:

Developing and maintaining secure web


applications following the ISO17799 standard
Web application assessment tools

OWASP Top 10
Unvalidated input
Broken access control
Broken authentication and session management
Cross site scripting
Buffer overflows
Injection flaws
Improper error handling
Insecure storage
Denial of service
Insecure configuration management

Hidden Field

(View Source)
Tag HIDDEN

Cookie Poisoning
Cookie

S
ession

cookie



Session ID

Weak authenticators: security risk

Predictable cookie authenticator


Verizon Wireless - counter
user logs in, gets counter, can view sessions of other users

Weak authenticator generation: [Fu et al. 01]

WSJ.com: cookie = {user, MACk(user) }

Weak MAC exposes K from few cookies.

Apache Tomcat: generateSessionID()

MD5(PRNG) but weak PRNG


Predictable SessionIDs

[GM05].

Storing data on browser?


Unreliable:

User can change/clear values


Silly example: Shopping cart software
Set-cookie:shopping-cart-total = 150 ($)
User edits cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15 ($)

Similar to problem with hidden fields


<INPUT TYPE=hidden NAME=price VALUE=150>

29

Application Buffer Overflow


Picture-in-picture attacks

Trained users are more likely to fall victim to this

[JSTB07]

The status Bar

Trivially

spoofable

<a href=http://www.paypal.com/
onclick=this.href = http://www.evil.com/;>
PayPal</a>

Cross Site Script

script

Cookie XSS

Forceful Browsing



/client
/client/client1/data
Path Traversal (../../../)

Google

keyword : index of parent


directory

Hacking Over SSL

NIDS
SSL NIDS

SQL Poisoning & Injections


SQL statement



Database Server

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10;

SQL
v_cat = request("category") #v_cat=10;
sqlstr="SELECT description FROM product WHERE
category='" & v_cat & "'"
set rs=conn.execute(sqlstr)

Database

SELECT description FROM product WHERE category=10;

SQL Injection

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10
UNION SELECT name,pwd FROM admins;--

SQL

v_cat = request("category") # v_cat= 10 UNION SELECT


name, pwd FROMadmins;-sqlstr="SELECT description FROM product WHERE
category='" & v_cat & "'"
set rs=conn.execute(sqlstr)

Database

SELECT description FROM product WHERE category=10


UNION SELECT name, pwd FROM admin;--

Java Script Injection


Javascript


Java Script Injection
Session

Hidden Field Session

Invalid
Java Script Injection
javascript:alert(document.cookie);
javascript:void(document.cookie="authorizatio
n=true");

Error Handling
Error message

Debug

Other Modification Technique


Proxy

HTTP Header
Client Web Server
Paros Porxy
TemperData Plugin
Mozila Firefox HTTP
Header

Network Architecture
Secure Web Application

Vulnerability Scanner
Penetration Testing

Secure Network Architecture


Layer
Firewall

IPS Monitor

Application Proxy Firewall

Secure Web Applications

Secure Coding

Secure Coding
input & output validation
SSL
HTML forms
Cookies
HTTP REFERER Header
POST & GET method
logout (logout
mechanism)
Error Handling

input & output validation


Client Side Script

NEVER TRUST CLIENT SIDE DATA !!!


Sanity Checking






Tag

HTML forms
Hidden element
SSL
Method Get Method Post

Cookies
2 (Persist , Non-Persist)

3

User Authentication
State Management
Saving user preference

Cookie

Cookies Plaintext

Cookies

Cookies
Cookies
Cookies

Token ID

Cookies Timeout Cookies

Authentication

header
User-Agent , Acce

HTTP REFERER Header


script attack

HTTP
REFERER

POST & GET method


GET : Proxy , Firewall , Web
Server Log

Post : Web Server

logout mechanism
Cookies
Cookies
session
session

Error Handling
Error Handling Error
Description


Error Description
Error Desciption

System Scanner and Security


Infrastructure Software

NMAP
NESSUS
OpenVAS
SQLmap

Penetration Testing


Hacker

Black box testing


White box testing

You might also like