Web Application Hacking Workshop
Step-by-Step Live Workshop
How Web Applications Get Hacked
Agenda
INTRODUCTIONS
PART 1: The Evolution of Web Applications and Why They Need to Be Secured
PART 2: Web Application Vulnerabilities in Depth and Hacking Demonstration
PART 3: Business Drivers Behind Web Application Security and Current Regulations
PART 4: Managing and Detecting Web Application Vulnerabilities Throughout the Application Lifecycle
PART 5: About WebInspect, About Our Partner, Closing and Q&A
SPI Dynamics
The Expert in Web Application Security Assessment
SPI Dynamics delivers security products and services that protect enterprises at the web application layer. These products are backed by the industry’s leading security experts, SPI Labs.
WebInspect is our industry leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.
SPI Dynamics
The Expert in Web Application Security Assessment
SPI Dynamics believes that security must be implemented across the application lifecycle. The earlier a security defect is detected the less it will ultimately cost an organization.
SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers.
PART 1
The Evolution of Web Applications and Why They Need to Be Secured
Web Sites Evolve to Web Applications
Open on Port 80, Open for Business, Open to Attack
Hack Examples
Web Sites
Simple, single server solutions
Web Server (HTML, CGI)
Browser
Web Applications
Very complex architectures, multiple platforms, multiple protocols
Web Services
Database Server
Customer Identification
Access Controls
Transaction Information
Core Business Data
Application Server
Business Logic
Content services
Web Servers
Presentation Layer
Media Store
Wireless
Browser
Common Web Applications
Web Applications Invite Public Access
“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”
- Gartner Group
Web Applications Breach the Perimeter
Diagram (recovered labels): HTTP(S) traffic flows from the INTERNET, through the DMZ, into the TRUSTED INSIDE and CORPORATE INSIDE zones. The other services shown at the perimeter (FTP, TELNET, IMAP, SSH, POP3) are not allowed through.
Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server.
Any – Web Server: 80
Firewall only allows applications on the web server to talk to application server.
Web Server – Application Server
Firewall only allows application server to talk to database server.
Application Server – Database
Web servers: IIS, SunONE, Apache (ASP.NET)
Application servers: WebSphere, Java
Database servers: SQL, Oracle, DB2
Web Application Risk
“Web application incidents cost companies more than $320,000,000 in 2001.”
Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
“2002 Computer Crime and Security Survey”
Computer Security Institute & San Francisco FBI Computer Intrusion Squad
Web Application Hack Example
January 3, 2003
RIAA was hacked 6 times in 6 months. The 6th time the RIAA site was hacked, downloadable, pirated music was posted. This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page.
Recording Industry Association of America
Web Application Hack Example
Victoria’s Secret, November 27, 2002
A vulnerability at the Victoria’s Secret web site allowed customers who purchased items there to view other customers’ orders. By simply changing the data in the URL address line, the web application was manipulated.
Victoria’s Secret
Recent Web Application Hack Example
Ziff Davis, hacked August 2002
Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year. The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November. The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.
Other Hacked Websites
FTD.com – February 14, 2003 – sequential cookies
Source: CNET News “FTD Hole Leaks Personal Information”
Travelocity – January 22, 2001 – open directory
Source: CNET News “Travelocity Exposes Customer Information”
Creditcards.com – December 12, 2000 – SQL Injection
Source: CNET News “Company says extortion try exposes thousands of card numbers”
CD Universe – January 9, 2000 – SQL Injection
Source: Internetnews.com “Failed Blackmail Attempt Leads to Credit Card Theft”
Visa and MasterCard – February 17, 2003 – Partner Liability
Tower Records – December 5, 2002 – Access permissions
PART 2
Web Application Vulnerabilities in Depth and Hacking Demonstration
Why Web Application Vulnerabilities Occur
Web Application Attack Methodologies
Live Web Application Hacking
Why Web Application Risks Occur
Security Professionals Don’t Know The Applications
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to build security into my web applications.”
The Web Application Security Gap
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Application Developers and QA Professionals Don’t Know Security
Why Web Application Risks Occur
Developers Are Not Security Professionals
• Application development stresses functionality, not security
• Lack of awareness of security issues in development
• Lack of effective testing tools in QA
• Resource constrained development teams
Security Professionals Are Not Developers
• Lack of awareness of application vulnerabilities in security teams
• Lack of effective testing tools
• Certification and accreditations don’t examine the web application
• Development cycle missing from security procedures and audits
• Security scrutinizes the desktop, the network, and the server. The web application is missing.
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
Application:
Parameter Manipulation
Cross-Site Scripting
SQL Injection
Buffer Overflow
Reverse Directory Traversal
JAVA Decompilation
Path Truncation
Hidden Web Paths
Cookie Manipulation
Application Mapping
Backup Checking
Directory Enumeration
Administration:
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Platform:
Known Vulnerabilities
Web Application Vulnerabilities
Platform:
• Known vulnerabilities can be exploited immediately with a minimum of skill or experience – “script kiddies”
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process
Web Application Vulnerabilities
Administration:
• Information Disclosures
• Hacking is 99% information disclosure
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings.
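The remnant-file problem described above can be checked for on the server side, before an attacker finds the files by forceful browsing. The following is an added illustration written for this page, not code from SPI Dynamics or WebInspect: it walks a web root, flags backup copies, editor remnants, archives, include files and source files saved under an extra extension, and notes which flagged files contain connection-string keywords. The file names and contents in build_sample_root are constructed for the demonstration, and the suffix lists are an assumed starting set rather than a complete one.

```python
import re
import tempfile
from pathlib import Path

# Suffixes that mark backup or editor remnants left in a web root (assumed starting set).
REMNANT_SUFFIXES = {".bak", ".old", ".orig", ".save", ".swp", ".tmp"}
# Archives and dumps that hand out a whole source tree or data set in one request.
ARCHIVE_SUFFIXES = {".zip", ".tar", ".gz", ".rar", ".sql"}
# Server-side source extensions; a copy with a second extension is usually
# served as plain text instead of being executed.
SOURCE_EXTS = {".asp", ".aspx", ".asa", ".php", ".jsp", ".cfm", ".pl"}
# Keywords typical of database connection strings.
CRED_RE = re.compile(r"(password|pwd|user id|uid|connectionstring)\s*=", re.IGNORECASE)


def classify(path):
    """Return why a file looks like a remnant that should not be web-reachable, or None."""
    name = Path(path).name.lower()
    suffixes = Path(name).suffixes          # "login.asp.bak" -> [".asp", ".bak"]
    if name.endswith("~"):
        return "editor backup copy"
    if suffixes and suffixes[-1] in REMNANT_SUFFIXES:
        return "backup/remnant copy"
    if suffixes and suffixes[-1] in ARCHIVE_SUFFIXES:
        return "archive or database dump"
    if suffixes and suffixes[-1] == ".inc":
        return "include file, typically served as text"
    if len(suffixes) >= 2 and suffixes[-2] in SOURCE_EXTS:
        return "source file with an extra extension, served as text"
    return None


def mentions_credentials(path):
    """True if the file's text contains connection-string style keywords."""
    try:
        return bool(CRED_RE.search(Path(path).read_text(errors="ignore")))
    except OSError:
        return False


def audit(root):
    """Walk a web root and return sorted (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reason = classify(path)
        if reason is None:
            continue
        if mentions_credentials(path):
            reason += "; contains connection-string keywords"
        findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_root():
    """Constructed sample web root (hypothetical file names, created in a temp dir)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.html": "<html>constructed</html>\n",
        "login.asp": "<% ' live page %>\n",
        "login.asp.bak": "<% ' older copy of the page %>\n",
        "include/db.inc": "strConn = \"Provider=SQLOLEDB;User ID=sa;Password=constructed\"\n",
        "old/site.zip": "constructed archive placeholder\n",
        "notes.txt~": "editor remnant\n",
        "admin/config.asp.txt": "<% ' source saved as text %>\n",
        "images/logo.gif": "GIF89a placeholder\n",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


if __name__ == "__main__":
    for rel_path, why in audit(build_sample_root()):
        print("%-24s %s" % (rel_path, why))
```

Run against a real document root, the output is a list to remove from the served tree (or to move outside it), with the connection-string hits handled first since they expose credentials, not just code.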
Web Application Vulnerabilities
Application Programming:
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls can reveal source code and system files
• Unexamined input from a browser can inject scripts into page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to our business data through a web browser
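The last four bullets describe one request handler done badly: an untested parameter concatenated into a query, a raw database error returned to the browser, stored content echoed into a page unescaped, and no check that the record belongs to the requesting customer. The following is an added illustration written for this page, not code from SPI Dynamics, WebInspect or either lab: an order-lookup handler in its "before" form beside a hardened version that validates the parameter, binds it as a query parameter, checks ownership (the Victoria's Secret case from Part 1), escapes output, and keeps error detail in a server-side log. The table, the customer names and the script-bearing item name are constructed sample data, and the function names are assumptions.

```python
import html
import sqlite3

# Constructed sample data: an in-memory "orders" table standing in for the
# business database behind the web application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [
            (1, "alice", "gloves"),
            # Constructed hostile content: an item name carrying a script tag,
            # as stored content from an unexamined form field would.
            (2, "bob", "scarf <script>alert(1)</script>"),
        ],
    )
    return conn


# ---- "Before": the patterns the slide warns about ------------------------

def lookup_order_unchecked(conn, order_id):
    """Builds SQL from the raw request parameter: the input is assumed valid,
    never tested, and the statement can be piggybacked with the caller's own SQL."""
    sql = "SELECT id, customer, item FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def error_message_unchecked(conn, order_id):
    """Returns the raw database error text, as an unhandled exception would
    when it reaches the browser; it names columns and tables."""
    try:
        lookup_order_unchecked(conn, order_id)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


# ---- "After": validate, parameterise, authorise, escape, handle errors ----

ERROR_LOG = []  # server-side log; detail goes here, never into the response


def lookup_order(conn, customer, order_id):
    # 1. Input is tested, not assumed: an order id must be a decimal integer.
    if not order_id.isdigit():
        raise ValueError("order id is not numeric: %r" % order_id)
    # 2. Parameterised query: the value is bound as data and is never parsed
    #    as SQL, so nothing can be piggybacked onto the statement.
    row = conn.execute(
        "SELECT id, customer, item FROM orders WHERE id = ?", (int(order_id),)
    ).fetchone()
    # 3. Access control on the parameter: the order must belong to the
    #    authenticated customer, so editing the id in the URL shows nothing.
    if row is None or row[1] != customer:
        return None
    return {"id": row[0], "item": row[2]}


def render_order(order):
    # 4. Output is HTML-escaped, so stored content cannot inject script into
    #    the page served to later visitors.
    return "<p>Order %d: %s</p>" % (order["id"], html.escape(order["item"]))


def handle_request(conn, customer, order_id):
    """Returns (status, body). Failures are logged in full on the server while
    the response stays generic: no column names, no query text, and no
    distinction between 'does not exist' and 'not yours'."""
    try:
        order = lookup_order(conn, customer, order_id)
    except (ValueError, sqlite3.Error) as exc:
        ERROR_LOG.append(repr(exc))
        return (400, "<p>Invalid request.</p>")
    if order is None:
        return (404, "<p>Order not found.</p>")
    return (200, render_order(order))


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "alice", "1"))
    print(handle_request(db, "alice", "2"))          # bob's order: not shown
    print(handle_request(db, "alice", "1 OR 1=1"))   # rejected before it reaches SQL
```

The hardened handler answers 404 for both a missing order and another customer's order, so the response itself does not confirm which ids exist; the detail an administrator needs to investigate goes to ERROR_LOG instead of the page.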
Live Web Application Hacking Demo
Lab 1: Insecurity, Inc.
- Parameter Manipulation
- Directory Traversal
- Source Code Disclosure
- Remote Administration
Lab 2: FreeBank
- Cross Site Scripting
- SQL Injection
- Cookie Manipulation
- Session Hijacking
PART 3
Business Drivers Behind Web Application Security and Current Regulations
Current Regulations – Who Do They Affect?
Web Application Security and HIPAA, GLBA, Sarbanes-Oxley and SB 1386
Regulations and Accountability
Current Regulations – Who Do They Affect?
Some regulations are industry specific while others apply cross-industry.
Regulations are relevant to all organizations conducting business with web-enabled applications.
Web App Security Assessment & HIPAA
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
US Public Law 104-191
Regulatory requirements for use of healthcare information
How does this affect my company?
Organizations working in the healthcare industry must take action to secure their web applications in order to protect the confidential healthcare information that they store, transmit and receive.
How can web application security assessment products like WebInspect help you comply with HIPAA?
WebInspect can be used to determine if your web applications are vulnerable to a loss of confidential customer information, ascertain the security of your authentication mechanisms, validate access control procedures, and conduct ongoing auditing of your web applications to test for newly discovered vulnerabilities.
Web App Security Assessment & GLBA
What is GLBA?
Gramm-Leach-Bliley Act of 1999
U.S. Public Law 106-102 (113 Stat. 1338)
Regulatory requirements for Financial Institutions
How does this affect my company?
GLBA requires all federally insured financial institutions to institute a continuous security program that covers the entire organization. Risks must be identified and managed, risk management practices must be tested, and information security risks must be monitored at all times. Those institutions found to be in noncompliance with GLBA are subject to regulatory enforcement measures including fines, corrective actions, and other penalties.
How can web application security assessment products like WebInspect help you comply with GLBA?
WebInspect can be used in a GLBA security risk assessment and for ongoing GLBA compliance.
Web App Security Assessment & Sarbanes-Oxley
What is Sarbanes-Oxley?
Sarbanes-Oxley Act of 2002 (also known as SOX)
U.S. Public Law 107-204
Regulatory requirements for Public Company Accounting Practices
IT organizations must pay particular attention to Section 404: Management Assessment Of Internal Controls
How does this affect my company?
Companies must enact security policies that ensure confidentiality of data, and then follow those policies.
How can web application security assessment products like WebInspect help you comply with Sarbanes-Oxley?
WebInspect policies can be configured via a wizard to match your company's security policy. You can then utilize WebInspect to test that policy.
Web App Security Assessment & S.B. 1386
What is SB 1386?
In effect since July 1st, 2003, SB 1386 is a far reaching law that states any breach of computer security which results in the loss of personal data of any California resident, or which MIGHT have resulted in the loss of personal data of any California resident, must be publicly disclosed.
How does this affect my company?
Companies that fail to disclose breaches of computer security are liable for civil damages and open themselves to a bevy of potential class action lawsuits.
How can web application security assessment products like WebInspect help you comply with SB 1386?
The custom WebInspect Policy Wizard can be used to generate a security policy which you can utilize to ensure the security of your confidential customer information.
Regulations and Accountability
New regulations are requiring companies to prove due diligence to an increasing set of compliance standards.
Regulations and Accountability
Information Security “Due Diligence” requires:
• Compliance with applicable regulatory considerations
• Adherence to documented “best practices” for control measure implementation
• Maintaining information security at an appropriate level, as defined by company policy
• Implementation of a proper control environment
• Ensuring tamper-proof logs of key transactions
• Regular Audit and Validation of plans against results
• Being able to prove your security!
PART 4
Managing and Detecting Web Application Vulnerabilities
Bringing Security to the Application Lifecycle
Web Application ROI
Managing and Addressing Web Application Security Throughout the Enterprise
Application Lifecycle Phases
Phases: Design, Development, Testing, Production
Developers
QA and Developers
Auditors, Dev, and Business Subject Matter Experts (SME)
Security Operations and Auditors
Web Application ROI
“Gartner estimates that if 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, enterprise configuration management costs and incident response costs would be reduced by 75 percent each.”
John Pescatore, VP, Gartner Group
Research Note “Require Vulnerability Testing During Software Development”, 10 September 2003
Web Application ROI
“Bottom Line: Global 2000 organizations need to institute security reviews of applications - not just at the architecture level, but also for errors and vulnerabilities during the QA process.”
Chris King, META Group
Return On Intelligence: Assessing Application Vulnerability
Global Networking Strategies, Security & Risk Strategies
Client Advisor 2034, 12 August 2003
Web Application ROI
"The appropriate time to address security for applications is during the development phase, when there is still an opportunity to effect change without impacting users. Products like WebInspect help enterprises in the application development phase, but also throughout the application lifecycle, providing the opportunity for IT administrators to ensure that newly developed hacks do not cripple or exploit existing applications."
Eric Hemmendinger, Research director for security and privacy, Aberdeen Group
Web Application ROI
“If security is not an integral part of your company’s development process for custom Web-based applications, your Web interfaces may be vulnerable. Ideally, security concerns should be addressed during development, but with limited internal resources, it’s difficult to cover all the bases and account for every single possible exploit.”
“Because it automates many of the auditing tasks, WebInspect can greatly expedite the process of conducting a security assessment.”
Ray Geroski, “WebInspect Learns as it Automates Web App Security Assessment”, TechRepublic, Jan 7, 2003
Managing Web Application Vulnerabilities
Bring security to web development …
Create and enforce secure coding practices created during the definition phase
Test code during development
Implement security tests within the QA cycle
Consider security during Change Control proceedings and test for it following all changes
Managing Web Application Vulnerabilities
… and the application to security!
Create internal awareness campaigns
Develop and publish best practices
Create procedures to work with Development to remediate vulnerabilities
Perform frequent routine audits of production systems
Baseline and trend application vulnerabilities
Add web application to Certification and Accreditation programs
Enterprise-Wide Web Application Security
Security Auditors
Must find all the vulnerabilities in the enterprise and evaluate risks.
Quality Assurance
Must address security defects as well as functional and technical defects.
Security Operations
Must have confidence that their systems don’t have an exploitable weak point.
Application Developers
Must unit test for code related security issues during the development cycle.
Enterprise-Wide Web Application Security
• Help define regulatory requirements during the Definition phase of the Application Lifecycle
• Assess applications once they are in the Production phase to validate compliance
• Must act as resource for what is and is not acceptable
Security Auditors and Risk and Compliance Officers
Enterprise-Wide Web Application Security
• Must have clear cut security requirement to follow during Development and QA phases
• Need to run automated tests on code during Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate into current environment
Application Developers
Enterprise-Wide Web Application Security
Quality Assurance Professionals
• Must test applications not only for functionality but also for security
• Must test environments for potential flaws and insecurities
• Must provide detailed security flaw reports to development
• Require automated testing products that integrate into current environment
Enterprise-Wide Web Application Security
Security Operations
• Must continually test application in a real world environment to assess impact of ongoing code changes
• Must look for all levels of web vulnerabilities:
  • Platform
  • Informational
  • Application
Enterprise-Wide Web Application Security
Web Application Security testing must be applied in all phases of the Application Lifecycle and by all constituencies throughout the enterprise – Auditors, Application Developers, QA and Security Operations.
PART 5
Closing and Q&A
About WebInspect
About Our Partner
Q & A
WebInspect Product Line
Automated
Works with all web applications and web services (WebSphere, ColdFusion, Oracle Application Server, .NET, Weblogic and others)
Used across application lifecycle (development, QA, security operations/production, auditing)
Extensible, Flexible, Accurate, Comprehensive
Used by major organizations in all industries
WebInspect Product Line
WebInspect Features
Adaptive-Agents™ Technology
RCA (Recursive Crawl and Attack) Technology
Custom Scripting
Securebase™
SPI Tools
Smart Update™
Enterprise Framework
Survey-based policy generation
AVDL support (emerging interoperability standard being proposed by leading application security vendors as part of the OASIS standards process)
WebInspect Product Line
For a free WebInspect 15-day trial product download visit:
www.spidynamics.com
About Our Partner
SPI Dynamics is committed to developing and maintaining strategic partner programs with technology and industry leaders focused on delivering security products and services to our customers.
Q & A
Questions?
PART 5 – WebInspect Live Demo
SPI Dynamics, Inc.
115 Perimeter Center Place, Suite 270
Atlanta, GA 30346
After the 5 minute break!
For a free WebInspect™ 15-day trial download visit:
www.spidynamics.com