4.1 Web Application Vulnerabilities - OWASP - ZSS

The document discusses web application security and vulnerabilities. It provides background on HTTP and outlines common vulnerabilities like platform issues, administrative oversights, and flaws in application programming. Web applications are complex with many potential points of failure across platforms, servers, and code that can be exploited if not properly secured.

Uploaded by Dhairya Thakkar

Web Application Security

OWASP
Overview
• Background
• Web app vulnerabilities
• Securing web apps
HTTP
 Hypertext Transfer Protocol
• “Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer of information on intranets and the World Wide Web. Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet.”
• http://en.wikipedia.org/wiki/HTTP

[Diagram: Client PC (10.1.0.123) sends a Request to the Server www.mybank.com (64.58.76.230) on Port: 80 and receives a Response]
HTTP Request - GET
 Form data encoded in the URL
 Most common HTTP method used on the web
 Should be used to retrieve information, not for actions that have side-effects
HTTP Request - GET

GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

(The request line above uses the absolute-URI form a browser sends through a proxy; sent directly to the origin server the line is GET /kgsearch/search.php?catid=1 HTTP/1.1 and the Host header identifies the site.)
HTTP Requests - POST
 Data is included in the body of the request.
 Should be used for any action that has side-effects
• Storing/updating data, ordering a product, etc…
HTTP Requests - POST

POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

catid=1

(A real browser also sends Content-Type: application/x-www-form-urlencoded and Content-Length: 7 with this body; the slide leaves them out.)
GET v. POST Security
 The information contained in parameters can tell a user a lot about how your application works
 GET parameters are easily visible in the address bar (and are also recorded in browser history, bookmarks, proxy and server logs, and Referer headers)
 POST parameters are hidden from the average user, but not from anyone who looks:
• Users can still view source code
• Users can still view the packets
• Users can still intercept & modify web requests
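The last point is easiest to see by doing it. Below is an added example, not code from the OWASP slides: a minimal HTTP/1.1 request parser and rewriter of the kind an intercepting proxy applies between the browser and the server. It shows that a parameter sent in a POST body is exactly as readable and as modifiable as one sent in a GET query string. The two requests are constructed to mirror the slide examples (host, path and parameter name taken from them, most headers trimmed); the replacement value catid=2 is hypothetical.

```python
"""Added example (not from the OWASP slides): parse and rewrite HTTP requests
the way an intercepting proxy does, for both GET and POST parameters."""
from urllib.parse import urlsplit, parse_qsl, urlencode

FORM = "application/x-www-form-urlencoded"

# Constructed requests modelled on the slides, in origin-form as a browser
# sends them straight to the server.
GET_REQUEST = (
    "GET /kgsearch/search.php?catid=1 HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /kgsearch/search.php HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
    "catid=1"
)


def parse_request(raw):
    """Split a raw request into (method, path, headers, params).

    headers is keyed by lower-cased header name; params merges query-string
    parameters with form-encoded body parameters, so the reader of the
    request sees the same thing whichever way the browser sent them.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").split(";")[0].strip() == FORM:
        length = int(headers.get("content-length", len(body)))
        params.update(parse_qsl(body[:length], keep_blank_values=True))
    return method, parts.path, headers, params


def serialize_request(method, path, headers, params):
    """Rebuild a request: GET carries params in the URL, anything else in the body."""
    encoded = urlencode(params)
    headers = dict(headers)
    body = ""
    target = path
    if method == "GET":
        target = f"{path}?{encoded}" if encoded else path
    else:
        body = encoded
        headers["content-type"] = FORM
        headers["content-length"] = str(len(body.encode()))  # keep it consistent
    lines = [f"{method} {target} HTTP/1.1"]
    for name, value in headers.items():
        pretty = "-".join(part.capitalize() for part in name.split("-"))
        lines.append(f"{pretty}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def tamper(raw, **changes):
    """What an intercepting proxy does: parse, edit parameters, re-serialize."""
    method, path, headers, params = parse_request(raw)
    params.update(changes)
    return serialize_request(method, path, headers, params)


if __name__ == "__main__":
    for label, raw in (("GET", GET_REQUEST), ("POST", POST_REQUEST)):
        print(label, "parameters seen on the wire:", parse_request(raw)[3])
        print(tamper(raw, catid="2"))
```

Whatever the application does with catid, it must validate it on arrival; the method that delivered it says nothing about whether the user typed it.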
Web Sites
No applications
Static pages
Hard coded links

[Diagram: Browser <-> Web Server]

Web Applications
Very complex architectures, multiple platforms, multiple protocols

[Diagram: Browser -> Web Servers (reached over HTTP, Web Services, Network, Wireless) -> Application Server (Presentation Layer, Business Logic, Content Services, Access Controls, Media Store, Transaction Information, Customer Identification) -> Database Server (Core Business Data)]
Web Applications Breach the Perimeter

[Diagram: Internet | DMZ | Trusted Inside]
Internet: Browser, talking HTTP(S)
DMZ: web/application servers (IIS, SunOne, WebSphere, Apache) running ASP, .NET, Java
Trusted Inside: database servers (SQL, Oracle, DB2)
Corporate Firewall: only allows HTTP port 80 and HTTPS port 443; allows applications on the web server to talk to the application server.
Inside Firewall: only allows the application server to talk to the database server.

Both firewalls are doing exactly what they are configured to do; an attack carried inside an allowed HTTP request passes through them, reaches the application, and through the application reaches the database.
Why Web Application Vulnerabilities Occur
The Web Application Security Gap
Security Professionals Don’t Know The Applications:
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Application Developers and QA Professionals Don’t Know Security:
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
Web Application Vulnerabilities
• Technical Vulnerabilities
– Result of insecure programming techniques
– Mitigation requires code changes
– Detectable by scanners
– http://example/order.asp?item=<script>alert(‘p0wned’)</script>&price=300.00
• Logical Vulnerabilities
– Result of insecure program logic
– Most often due to poor decisions regarding trust
– Mitigation often requires design/architecture changes
– Detection often requires humans to understand the context
– http://example/order.asp?item=toaster&price=30.00 (nothing is malformed; the flaw is that the server trusts a price supplied by the client)
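The two URLs above are worth seeing against a handler. The following is an added example, not code from the OWASP slides: a small order handler in the two forms the slide contrasts. vulnerable_order() has the technical flaw (the item name is written into HTML without encoding, so the <script> payload runs in the buyer’s browser) and the logical flaw (the price is whatever the client put in the URL). hardened_order() fixes the first by output encoding, a local code change a scanner can confirm, and the second by looking the price up server-side, which is a decision about whom to trust. The catalog contents, the error page and the tampering flag are constructed for this example.

```python
"""Added example (not from the OWASP slides): one handler with a technical
and a logical flaw, beside its hardened form."""
import html
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side price list: the real price of the toaster is 300.00.
CATALOG = {"toaster": Decimal("300.00")}


def _params(query):
    """First value of each query-string parameter (assumed single-valued)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def vulnerable_order(query):
    p = _params(query)
    item = p.get("item", "")
    price = Decimal(p.get("price", "0"))              # logical flaw: client sets the price
    page = f"<p>You ordered {item} for ${price}</p>"  # technical flaw: no output encoding
    return {"html": page, "charged": price}


def hardened_order(query):
    p = _params(query)
    item = p.get("item", "")
    if item not in CATALOG:
        # Still reflects user input, so it is encoded before it goes into HTML.
        return {"html": f"<p>No such item: {html.escape(item)}</p>",
                "charged": None, "tampered": False}
    price = CATALOG[item]                             # the client gets no vote on the price
    # A price parameter that disagrees with the catalog is evidence of tampering;
    # it is ignored for the charge but worth logging as a detection signal.
    tampered = "price" in p and p["price"] != str(price)
    page = f"<p>You ordered {html.escape(item)} for ${price}</p>"
    return {"html": page, "charged": price, "tampered": tampered}


if __name__ == "__main__":
    for q in ("item=<script>alert('p0wned')</script>&price=300.00",
              "item=toaster&price=30.00"):
        print("vulnerable:", vulnerable_order(q))
        print("hardened:  ", hardened_order(q))
```

A scanner finds the first flaw because the payload comes back in the response; nothing in the second response looks wrong unless a human knows that a toaster does not cost 30.00.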
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
Platform: Known Vulnerabilities
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
Web Application Vulnerabilities
Platform (Known Vulnerabilities):
– Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
– Most easily defendable of all web vulnerabilities
– MUST have streamlined patching procedures
Web Application Vulnerabilities
Administration (Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing):
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings (a copy such as search.php.bak is not mapped to the script handler, so the server returns its contents as plain text instead of executing it)
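One way to catch these before they are published is to scan the document root as part of deployment. The following is an added example, not code from the OWASP slides: a pre-deployment check that walks a web document root and reports the remnant and backup files the slide warns about (editor and backup copies of scripts, include-file copies that usually hold the connection string, archives, version-control metadata, diagnostic scripts). The name patterns are this example’s own choices, not an OWASP list, and the tree it scans is constructed in a temporary directory.

```python
"""Added example (not from the OWASP slides): find remnant and backup files
under a web document root before they are exposed."""
import os
import re
import tempfile

# Patterns that usually mark a leftover rather than deliberate content
# (chosen for this example, not an exhaustive list).
SUSPECT_PATTERNS = [
    (re.compile(r".*\.(bak|old|orig|save|swp|tmp|\d+)$", re.I), "backup/editor copy"),
    (re.compile(r".*~$"), "editor backup"),
    (re.compile(r".*\.(zip|tar|tar\.gz|tgz|rar|7z)$", re.I), "archive"),
    (re.compile(r".*\.(sql|dump|log)$", re.I), "data/log dump"),
    (re.compile(r"^(phpinfo|test|info)\.php$", re.I), "diagnostic script"),
    (re.compile(r"^\.env$"), "config file"),
]
SUSPECT_DIRS = {".git", ".svn", ".hg", "backup", "backups", "old", "_notes"}


def scan_docroot(root):
    """Return sorted (path relative to root, reason) pairs for suspicious entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.lower() in SUSPECT_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append((rel + "/", "remnant directory"))
                dirnames.remove(d)  # the whole tree is the finding; do not descend
        for f in filenames:
            for pattern, reason in SUSPECT_PATTERNS:
                if pattern.match(f):
                    rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
                    findings.append((rel, reason))
                    break
    return sorted(findings)


# Constructed document root contents for the demonstration.
SAMPLE_FILES = [
    "index.html",
    "kgsearch/search.php",
    "kgsearch/search.php.bak",   # source of the live script, served as text
    "kgsearch/search.php~",      # editor backup of the same
    "includes/db.inc.old",       # typically holds the connection string
    "site-2008-03.zip",          # whole-site archive
    "phpinfo.php",               # reveals platform and versions
    ".git/config",               # repository metadata, may hold remote URLs
    "images/logo.png",
]


def build_sample_docroot(base):
    """Create the constructed tree under base and return base."""
    for rel in SAMPLE_FILES:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_docroot(build_sample_docroot(tmp))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:20} {path}")
```

Run against a real docroot the same function takes the directory path; anything it lists should either be deleted before deployment or, where the file is legitimate, be explicitly denied by the web server configuration.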
Web Application Vulnerabilities
Application Programming (Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting):
Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into a page for replay against later visitors (stored cross-site scripting)
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser (SQL injection)
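The last two bullets are one code path. The following is an added example, not code from the OWASP slides: the product search from the earlier request examples written the way the slide warns against, beside its corrected form, against an in-memory SQLite database constructed here. search_vulnerable() splices the search term into SQL, so an attacker can piggyback their own query (a UNION that pulls customer records out through the search results page), and it hands raw database error text back to the browser, which confirms or denies table names. search_safe() binds the term as a parameter and returns a generic error. Table, column and parameter names are invented for the example.

```python
"""Added example (not from the OWASP slides): SQL built by concatenation,
beside the parameterized form, against constructed sample data."""
import sqlite3


def build_db():
    """Constructed sample data: a product table and a table an attacker wants."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products  (id INTEGER, name TEXT, catid INTEGER);
        CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT);
        INSERT INTO products  VALUES (1, 'toaster', 1), (2, 'kettle', 1), (3, 'lamp', 2);
        INSERT INTO customers VALUES (1, 'alice@example.com', '4242'),
                                     (2, 'bob@example.com',   '1234');
    """)
    return db


def search_vulnerable(db, name):
    # The browser-supplied value becomes part of the SQL text.
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # The unhandled error goes straight to the page and names what exists.
        return ["Database error: " + str(exc)]


def search_safe(db, name):
    # The value is bound by the driver; it cannot change the query's structure.
    try:
        rows = db.execute("SELECT name FROM products WHERE name = ?", (name,))
        return [row[0] for row in rows]
    except sqlite3.Error:
        # Log the detail server-side; tell the user nothing about the schema.
        return ["Search is temporarily unavailable"]


# Payloads an attacker would put in the search parameter (constructed).
# Note: sqlite3's execute() refuses a second ';'-separated statement, so the
# piggyback here rides a UNION; drivers that allow stacked statements also
# expose '; DROP TABLE ...' style payloads through the same code.
PIGGYBACK = "' UNION SELECT email || ':' || card_last4 FROM customers --"
PROBE = "' UNION SELECT 1 FROM orders --"

if __name__ == "__main__":
    db = build_db()
    print("normal:     ", search_vulnerable(db, "toaster"))
    print("piggybacked:", search_vulnerable(db, PIGGYBACK))
    print("probe:      ", search_vulnerable(db, PROBE))
    print("safe:       ", search_safe(db, PIGGYBACK), search_safe(db, PROBE))
```

The probe payload is how the error-message bullet becomes an attack in practice: "no such table: orders" tells the attacker that guess was wrong, and a silent empty result on the next guess tells them it was right.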
How to Secure Web Applications
• Incorporate security into the lifecycle
– Apply information security principles to all software development efforts
• Educate
– Issue awareness, Training, etc…
How to Secure Web Applications
• Incorporating security into the lifecycle
– Integrate security into application requirements
– Include information security professionals in software architecture/design review
– Use security APIs & libraries (e.g. ESAPI, Validator, etc.) when possible
– Threat modeling
– Web application vulnerability assessment tools
How to Secure Web Applications
 Educate
– Developers – Software security best practices
– Testers – Methods for identifying vulnerabilities
– Security Professionals – Software development, software coding best practices
– Executives, System Owners, etc. – Understanding the risk and why they should be concerned
