ibms application hacking
TRANSCRIPT
8/3/2019 IBMs Application Hacking
http://slidepdf.com/reader/full/ibms-application-hacking 1/45
IBM Software Group
Discovering the Value of Verifying Web Application
Ong Khai Wei, Rational IT Specialist
© 2009 IBM Corporation
IBM Software Group | Rational software
Objectives
Understand the web application environment
Understand and differentiate between network and application level vulnerabilities
Understand where the vulnerabilities exist
Understand how to leverage AppScan to perform an automated scan for vulnerabilities
Agenda
Security Landscape
Vulnerability Analysis
Automated Vulnerability Analysis
IBM® Rational® AppScan Overview
Security Landscape
Hacking Stage 6— Wikipedia, Feb 9 2007
Why Application Security Is a High Priority
Web applications are the #1 focus of hackers:
  XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
Most sites are vulnerable:
  90% of sites are vulnerable to application attacks (Watchfire)
  78% of easily exploitable vulnerabilities affected Web applications (Symantec)
  80% of organizations will experience an application security incident by 2010 (Gartner)
Web applications are high value targets for hackers:
  Customer data, credit cards, ID theft, fraud, site defacement, etc.
Compliance requirements:
  Payment Card Industry (PCI) Standards, GLBA, HIPAA, FISMA,
The Security Landscape of the Past
Traditional Infrastructure was easier to protect . . .
Concrete entities that were easy to understand
Attack surface and vectors were very well‐defined
Application footprint very static
Perimeter defense was king
Changing Security Landscape of Today
“Webification” has changed everything ...
Infrastructure is more abstract and less defined
Everything needs a web interface
Agents and heavy clients are no longer acceptable
Traditional defenses no longer apply
Top Hack Attacks Today Target Web Applications
High Level Web Application Architecture Review
[Diagram: Client Tier (Browser) | Internet | Firewall | App Server (Presentation, Business Logic) | Database. Call-outs: "Sensitive data is stored here", "Customer App is deployed here", "SSL Protects Transport" (Middle Tier).]
Network Defenses for Web Applications
[Diagram: Perimeter Security – Firewall, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), App Firewall (Application Firewall).]
“We Have Firewalls and IPS in Place” – Port 80 & 443 are open for the right reasons
“We Audit It Once a Quarter with Pen Testers” – Applications are constantly changing
“We Use Network Vulnerability Scanners” – Neglect the security of the software on the network/web
“We Use SSL Encryption” – Only protects data between site and user, not the web application itself
Reality: Security and Spending are Not in Balance
75% of All Attacks on Information Security are Directed to the Web Application Layer
75% of All Web Applications are Vulnerable
** Gartner
Why Do Hackers Today Target Applications?
Because they know you have firewalls
  So it's not very convenient to attack the network anymore
  But they still want to attack ‘cos they still want to steal data …
Because firewalls do not protect against app attacks!
  So the hackers are having a field day!
Because web sites have a large footprint
  No need to worry anymore about cumbersome IP addresses
Because they can
  It is difficult or impossible to write a comprehensively robust application
  Developers are yet to have secure coding as second nature
  Developers think differently from hackers
  Cheap, Fast, Good – choose two, you can’t have it all
  It is also a nightmare to manually QA the application
  White‐box static code analyzers don't test for inter‐app relationships
  Many companies today still do not have a software security QA policy or resource
What Can Happen
Why Do Application Security Problems Exist
IT security solutions and professionals are normally from the network/infrastructure/sysadmin side
  They usually have little or no experience in application development
And developers typically don’t know or don’t care about security or networking
Most companies today still do not have an application security QA policy or resource
  IT security staff are focused on other things and are swamped
  App Sec is their job but they don’t understand it and don’t want to deal with it
  Developers think it's not their job or problem to have security in coding
  People who outsource expect the 3rd party to security‐QA for them
It is cultural currently to not associate security with coding
  “Buffer overflow” has been around for years
  “Input Validation” is still often overlooked.
Vulnerability Analysis
Security Defects: Those I Manage vs. Those I Own

                            | Infrastructure Vulnerabilities or Common Web Vulnerabilities           | Application Specific Vulnerabilities (ASVs)
Cause of Defect             | Insecure application development by 3rd party SW                       | Insecure application development in‐house
Location within Application | 3rd party technical building blocks or infrastructure (web servers,)   | Business logic ‐ dynamic data consumed by an application
Type(s) of Exploits         | Known vulnerabilities (patches issued), misconfiguration               | SQL injection, path tampering, Cross site scripting, Suspect content & cookie poisoning
Detection                   | Match signatures & check for known misconfigurations                   | Requires application specific knowledge
Business Risk               | Patch latency primary issue                                            | Requires automatic application lifecycle security
Cost Control                | As secure as 3rd party software                                        | Early detection saves $$$
The OWASP Top 10 list

Application Threat | Negative Impact | Example Impact
Cross‐Site Scripting | Identity Theft, Sensitive Information Leakage, … | Hackers can impersonate legitimate users, and control their accounts.
Injection Flaws | … / LDAP / Other system [text lost] | … it or steal it. [text lost]
Malicious File Execution | Execute shell commands on server, up to full control | Site modified to transfer all interactions to the hacker.
Insecure Direct Object Reference | Attacker can access sensitive files and resources | Web application returns contents of sensitive file (instead of harmless one)
Cross‐Site Request Forgery | Attacker can invoke “blind” actions on web applications, impersonating as a trusted user | Blind requests to bank account transfer money to hacker
Information Leakage and Improper Error Handling | Attackers can gain detailed system information | Malicious system reconnaissance may assist in developing further attacks
Broken Authentication & Session Management | Session tokens not guarded or invalidated properly | Hacker can “force” session token on victim; session tokens can be stolen after logout
Insecure Cryptographic Storage | Weak encryption techniques may lead to broken encryption | Confidential information (SSN, Credit Cards) can be decrypted by malicious users
Insecure Communications | Sensitive info sent unencrypted over insecure channel | Unencrypted credentials “sniffed” and used by hacker to impersonate user
Failure to Restrict URL Access | Hacker can access unauthorized resources | Hacker can forcefully browse and access a page past the login page
Cross‐Site Scripting
What is it?
  Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
What are the implications?
  Session Tokens stolen (browser security circumvented)
  Complete page content compromised
  Future pages in browser compromised
Why/Where It Happens
  User data is embedded in HTML response
  JS is embedded in page, as if originating from the trusted site
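The two bullets above, as an added example that is not part of the original slides: user data placed into an HTML response unencoded (reflected XSS) beside the entity-encoded fix, plus the cookie flags that limit the "session tokens stolen" impact. The page template, cookie name and probe string are constructed for this demo.

```python
# Added example (not from the original slides): user data embedded into an HTML
# response, first unencoded (reflected XSS) and then HTML-entity encoded.
# The page template, cookie name and probe string are constructed for the demo.
import html

PAGE = "<html><body><h1>Welcome, {name}</h1></body></html>"


def render_unsafe(name: str) -> str:
    """Vulnerable: the request value is pasted into the page as markup, so any
    <script> in it runs in the trusted site's context."""
    return PAGE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened: the value is entity-encoded at the point it enters HTML, so
    the browser displays the characters instead of interpreting them."""
    return PAGE.format(name=html.escape(name, quote=True))


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the 'session tokens stolen' impact: HttpOnly keeps
    the cookie out of reach of document.cookie, Secure keeps it off plain HTTP.
    The cookie name SESSIONID is a constructed placeholder."""
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; Path=/"


# Constructed probe: harmless markup a tester would submit to see whether the
# application echoes it unchanged.
PROBE = '<script>document.title="reflected"</script>'

if __name__ == "__main__":
    print(render_unsafe(PROBE))  # <script> appears verbatim in the page
    print(render_safe(PROBE))    # &lt;script&gt;... is shown as text
    print(session_cookie_header("example-session-id"))
```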
Cross Site Scripting – The Exploit Process
[Diagram, actors: User, Bank.com, Evil.org]
  1. Link to bank.com sent to user via E-mail or HTTP
  2. … embedded as data
  3. Script returned, executed by browser
  4. Script sends user’s cookie and session information without the user’s consent or knowledge
  5. Evil.org uses stolen session information to impersonate user
Injection Flaws
  User‐supplied data is sent to an interpreter as part of a command, query or data.
What are the implications?
  SQL Injection – Access/modify/delete data in DB
  SSI Injection – Execute commands on server and access sensitive data
  LDAP Injection – Bypass authentication
Injection Example
Injection Example ‐ Exploit
Injection Example ‐ Outcome
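The injection example slides survive only as titles, so here is an added example (not the slides' own code) of the flaw the Injection Flaws slide describes: user-supplied data concatenated into a SQL query, beside the parameterised query that keeps it as data. The in-memory SQLite table, the user row and the input string are constructed for this demo.

```python
# Added example (not from the original slides): an injection flaw beside its
# fix, using an in-memory SQLite database constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")  # constructed row
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user-supplied data is spliced into the command text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: a parameterised query hands the values to the driver
    separately from the command, so the query structure cannot change."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed input: a quote that closes the password literal followed by an
# always-true clause, the shape of the classic authentication bypass.
BYPASS = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", BYPASS))      # True: query rewritten
    print(login_safe(conn, "alice", BYPASS))            # False: treated as data
    print(login_safe(conn, "alice", "correct-horse"))   # True: real credentials
```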
Automated Vulnerability Analysis
IBM® Rational® AppScan
Collaborative Application Lifecycle Management
[Diagram – SDLC Quality Assurance: Quality Dashboard; Create Plan, Build Tests, Manage Test Lab, Report Results; Requirements Management, Test Management and Execution, Defect Management; Open Platform / TEAM SERVER; Best Practice Processes; Functional Testing, Performance Testing, Web Service Quality, Code Quality, Security and Compliance; Open Lifecycle Service Integrations: home grown, Java, .NET, System z, i, SAP.]
AppScan in the Rational Portfolio
[Diagram – Business / Development / Operations. Requirements: Rational RequisitePro. Test and Change Management: Rational ClearQuest. Defects: Rational ClearQuest. Developer Test: Rational PurifyPlus, Rational Test RealTime. Functional Test – Automated: Rational Functional Tester Plus, Rational Robot; Manual: Rational Manual Tester. Performance Test: Rational Performance Tester. Security and Compliance Test: AppScan, Rational PolicyTester. Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports.]
Rational AppScan
What is it?
  AppScan is an automated tool used to perform vulnerability assessments on Web Applications
  To simplify finding and fixing web application security problems
What does it do?
  Scans web applications, finds security issues and reports on them in an actionable fashion
  Security Auditors – main users today
  QA engineers – when the auditors become the bottleneck
  Developers – to find issues as early as possible (most efficient)
How Does AppScan Work?
  Approaches an application as a black‐box
  Traverses a web application and builds the site model
  Determines the attack vectors based on the selected Test policy
  Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
[Diagram: AppScan sends HTTP Request to Web Application and examines the response.]
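The four steps above, as an added example that is not AppScan's code: a minimal black-box test loop over a constructed site model and test policy, run against two constructed stand-ins for the web application (one that echoes a parameter raw, one that entity-encodes it), with a validation rule that flags a response only when the test's own inert marker comes back unencoded.

```python
# Added example (not AppScan's code): a minimal black-box test loop of the kind
# described above. Both "applications", the site model, the test policy and
# the marker string are constructed for this demo.
import html
from typing import Callable, Dict, List, Tuple

Request = Tuple[str, Dict[str, str]]   # (path, query parameters)
App = Callable[[Request], str]          # stand-in for an HTTP round trip


def vulnerable_app(req: Request) -> str:
    """Echoes the parameter straight into the page."""
    path, params = req
    return f"<html><body>Results for: {params.get('q', '')}</body></html>"


def hardened_app(req: Request) -> str:
    """Same page, but the parameter is entity-encoded before it enters HTML."""
    path, params = req
    return f"<html><body>Results for: {html.escape(params.get('q', ''))}</body></html>"


# Site model: the pages and parameters a crawl of the application would have found.
SITE_MODEL: List[Request] = [("/search", {"q": "shoes"})]

# Test policy: each test carries an inert, unique marker so the validation rule
# can distinguish a genuine unencoded reflection from coincidental page content.
TEST_POLICY = {
    "reflected-markup": {
        "payload": "<demo-marker-7f3a>",
        "validate": lambda body, payload: payload in body,
    },
}


def scan(app: App, site_model: List[Request]) -> List[Dict[str, str]]:
    """For every page/parameter in the site model and every test in the policy,
    send the modified request and apply that test's validation rule."""
    findings: List[Dict[str, str]] = []
    for path, params in site_model:
        for param in params:
            for test_name, test in TEST_POLICY.items():
                mutated = dict(params, **{param: test["payload"]})
                body = app((path, mutated))
                if test["validate"](body, test["payload"]):
                    findings.append({"test": test_name, "path": path, "param": param})
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app, SITE_MODEL))  # one finding
    print("hardened:", scan(hardened_app, SITE_MODEL))      # []
```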
AppScan Goes Beyond Pointing Out Problems
Configuration Wizard
Scanning in Progress
Identify Vulnerabilities
Fix the Most Important
Reports
AppScan with Defect Logger for ClearQuest
Session Summary
  Understand and differentiate between network and application level vulnerabilities
  Understand where the vulnerabilities exist
  Hands on exercises to understand types of vulnerabilities
  Hands on exercise to leverage automated scan for vulnerabilities