© 2010 IBM Corporation
IBM Rational Application Security
Web Application Security: What hackers are doing with your bugs
Adi Sharabani
IBM Rational Security Strategist
IBM Master Inventor
© 2009 IBM Corporation
ILSL - IBM Israel Software Lab
About Me
My name is Adi Sharabani
Security Strategist for IBM Rational
Used to manage the Rational Application Security Research
15 years of experience in Security
OWASP IL Committee
Application Security Insider Blog: http://blog.watchfire.com
Also, very proud to be a teacher in Ohel Shem, Ramat Gan
Web App Vulnerabilities Continue to Dominate
55% of all vulnerabilities are Web application vulnerabilities.
Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.
Agenda
Theoretical part:
– Same Origin Policy
– Cross-Site Scripting
Practical part:
– Demonstrating a real attack
Browser Scripting Capabilities
What scripts can do:
– Scripts can perform the same interactions with the site that the user can (follow links, submit forms)
– Scripts can interact with the site seamlessly, without the user noticing
– Scripts can perform any action related to the site, with the user's session and cookies attached
– Scripts can launch ActiveX controls that are signed and marked safe for scripting
Scripting Restrictions – Same Origin Policy
What scripts can not do:
– Scripts can only interact with the origin they were loaded from; an origin is the scheme, host and port, which is stricter than "domain"
– Scripts can send requests to, and read the responses from, their own origin only
– Scripts can access other frames in the browser only when those frames belong to the same origin
– Scripts can issue requests to other origins (for example via forms, images or script tags), but cannot read the corresponding responses
[Diagram: a script from a.com may read responses and frames of a.com; it may send a request to b.com but cannot read b.com's response]
XSS 101
XSS occurs when untrusted user input is returned by the web application as-is, without output encoding, so input that contains JavaScript becomes part of the page:
Simple exploit:
– http://www.thebank.site/action?param=<script>...</script>
Result:
– Injected script is returned by the server and executed by the victim's browser, in the context of thebank.site
XSS breaks the Same-Origin Policy
– The vulnerable domain may now return arbitrary JavaScript, which runs with that domain's cookies and privileges
Vulnerable servlet code (the parameter is echoed without encoding):
String data = request.getParameter("param");
out.println(data);
Cross Site Scripting – The Exploit Process
Parties: Evil.org (attacker), TheBank.site (vulnerable site), User (victim)
1. Link to TheBank.site, carrying the script, sent to user via E-mail or HTTP
2. User sends script embedded as data
3. Script returned, executed by browser
Exploiting XSS
If I can get you to run my JavaScript, I can…
– Steal your cookies for the domain you're browsing (any cookie not flagged HttpOnly)
– Completely modify the content of any page you see on this domain
– Track every action you do in that browser from now on
– Redirect you to a Phishing site
– Exploit browser vulnerabilities to take over your machine
XSS is one of the top Web security risks today (and the most exploited)
Demo
There are solutions for this!
Education:
– Secure coding for developers
– Security testing for QA
Tools:
– Such as Rational AppScan (both black-box and white-box testing)
Development process:
– Integration into the development lifecycle