Web Application Threats and Remediation
Terry Labach, IST Security Team
WatITis | Strengthening Collaboration | December 8, 2009 | Web Application Threats and Remediation
IST Security Team
The problem
While we use firewalls and other means to prevent attackers from access to our networks, we encourage access to our web sites, literally inviting miscreants to attack us
Complex web application systems contain flaws that attackers can use for a variety of nefarious purposes
Risks
Loss of confidential data
Vandalism of web sites
Financial theft
Denial of service
Spread of spam or viruses
Damaged reputation
OWASP Top Ten for 2010
A1 Injection
A2 Cross Site Scripting (XSS)
A3 Broken Authentication and Session Management
A4 Insecure Direct Object References
A5 Cross Site Request Forgery (CSRF)
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects and Forwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport Layer Protection
SANS Institute
PHP Remote File Include
SQL Injection
Cross-Site Scripting (XSS)
Cross-site request forgeries (CSRF)
General principles
Specify what is allowed, not what is forbidden
Use software engineering best practices (no cowboy coders)
Test applications fully
Test environments must duplicate production environments
Test bad input, not just good input
Trust no one
Example attacks
Failure to restrict URL access
OWASP A6
Includes elements of data leakage
Attackers can access documents through URLs that should be protected
Preventing data leakage
Permissions, server settings, .htaccess can help, but best to prevent unneeded files from being present at all
Limit development to dedicated machines, publish only final files to production server
Cross-site scripting (XSS)
OWASP A2
Crafted URLs can allow scripts to be run by the client's browser
This can result in victims:
Having authentication credentials stolen
Being redirected to malicious web sites
Preventing cross-site scripting
Sanitize all user input
Remove meta-characters, e.g. "'`<>
Characters may be encoded, so it is best to remove anything not obviously harmless (e.g. a-zA-Z0-9)
Foreign language support allows a pathway to inject meta-characters
Validation must be done on the server end; validation done in the browser (e.g. through Javascript) can be bypassed
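The slide's allowlist advice worked through in Python, as an added example that is not part of the original presentation. It contrasts a blocklist of the named meta-characters, which literal-only matching lets percent-encoded and fullwidth (foreign-language) variants slip past, with a server-side allowlist of a-zA-Z0-9 applied after decoding, plus HTML-escaping on output; all inputs are constructed.

```python
import html
import re
import unicodedata
import urllib.parse
from typing import Optional

# Allowlist from the slide: only a-zA-Z0-9 counts as "obviously harmless".
ALLOWED = re.compile(r"[a-zA-Z0-9]+")

# Blocklist of the meta-characters named on the slide, shown only for comparison.
BLOCKED = set('"\'`<>')


def blocklist_passes(value: str) -> bool:
    """Naive check: rejects only literal meta-characters, so encoded forms pass."""
    return not any(ch in BLOCKED for ch in value)


def canonicalise(raw: str) -> str:
    """Decode the way the server would before checking: percent-decoding, then
    NFKC normalisation, which maps e.g. fullwidth U+FF1C to ASCII '<'."""
    return unicodedata.normalize("NFKC", urllib.parse.unquote(raw))


def allowlist_passes(value: str) -> bool:
    """Allowlist check: the whole string must be a-zA-Z0-9."""
    return ALLOWED.fullmatch(value) is not None


def validate_username(raw: str) -> Optional[str]:
    """Server-side validation: canonicalise first, then allowlist; None = reject."""
    decoded = canonicalise(raw)
    return decoded if allowlist_passes(decoded) else None


def render_greeting(name: str) -> str:
    """Output encoding as a second layer: escape HTML meta-characters on output."""
    return "<p>Hello, {}</p>".format(html.escape(name, quote=True))


if __name__ == "__main__":
    # Constructed inputs: a plain name, a percent-encoded '<', and a fullwidth '<'.
    for sample in ("alice42", "al%3Cice", "al\uff1cice"):
        print(repr(sample), "blocklist:", blocklist_passes(sample),
              "allowlist:", validate_username(sample) is not None)
```

The blocklist passes the encoded inputs because it never sees a literal `<`; the allowlist rejects them regardless of encoding.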
Broken Authentication
OWASP A3
Authentication of users can be faked or credentials stolen to allow access to resources
Preventing authentication theft
Don’t pass authentication information in hidden fields
SQL injection
OWASP A1
SQL commands are entered in user input fields
If allowed as part of a query to the back-end database, this can result in data theft, manipulation or vandalism of data
Preventing injection attacks
Sanitize user input
Use appropriate data types and enumerations instead of text fields
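The two remediation points above worked through against an in-memory SQLite table, as an added example that is not part of the original presentation. The table, names and roles are constructed; it shows the concatenated query the slide warns about beside a parameterised one, and a role enumeration and integer id type replacing free-text fields.

```python
import sqlite3
from enum import Enum
from typing import List, Optional


class Role(Enum):
    # Enumeration instead of a free-text field: only these values reach the query.
    STUDENT = "student"
    STAFF = "staff"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "student"), (2, "bob", "staff"), (3, "carol", "staff")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> List[str]:
    """The pattern the slide describes: user input spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '{}' ORDER BY name".format(name)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised query: the driver passes `name` as data, never as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def users_by_role(conn: sqlite3.Connection, role: str) -> List[str]:
    """Enumeration: anything that is not a known role is rejected before SQL."""
    try:
        r = Role(role)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM users WHERE role = ? ORDER BY name", (r.value,))
    return [row[0] for row in rows]


def user_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Appropriate data type: an id must parse as an integer, not arbitrary text."""
    if not raw_id.isdigit():
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None
```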
Automated Vulnerability Scanning
Hackers can perform vast numbers of typical attacks using automated processes to identify likely targets
The good guys can do the same, and a number of vendors provide such solutions
IBM AppScan selected after a lengthy evaluation process
IST Security Team will provide web application scans as a service
IBM AppScan
Resources
Security information
OWASP www.owasp.org
SANS Institute (SysAdmin, Audit, Network, Security) www.sans.org
Jeremiah Grossman www.whitehatsec.com/home/resource/grossman.html
Resources
Vendors
IBM (AppScan) www.ibm.com/software/awdtools/appscan/
Cenzic (Hailstorm) www.cenzic.com
HP (WebInspect) www.hp.com
WhiteHat www.whitehatsec.com
Questions and Comments