Slide 1

Web Security
Thierry Sans

Slide 2

1991: Sir Tim Berners-Lee

Slide 3

2014: Collaboration, Customer Resources Management, Accounting and Billing, Content Management, E-Learning, E-Health, Publishing, Web Portals, Social Networks

Slide 4

Web security is a major concern

Slide 10

The Big Picture

Slide 11

The web architecture
  Server side: Web Server, Database
  Client side: Web Browser

Slide 12

Securing the web architecture means securing ...
• The network
• The DNS (Domain Name System)
• The web server operating system
• The web server application (Apache for instance)
• The database application (Oracle for instance)
• The web application (our focus here!)

Slide 13

What is a web application?
A program running on the browser + a program running on the server

Slide 14

The State of Web Security

Slide 15

How big is the threat?
Statistics based on data collected by the WhiteHat Security tool that monitors 15,000 websites.
Source: “WhiteHat Website Security Statistics Report 2013”, WhiteHat Security

Slide 16

What are the attacks?
[chart: Overall Vulnerability Population]
Source: “WhiteHat Website Security Statistics Report 2013”, WhiteHat Security

Slide 17

Who is vulnerable?
[chart: Average Number of Vulnerabilities (based on 7,000 websites)]
Source: “WhiteHat Website Security Statistics Report 2012”, WhiteHat Security

Slide 18

Anatomy of a web application

Slide 19

The HTTP protocol
Network protocol for requesting/receiving data on the Web
• Standard TCP protocol on port 80 (by default)
• URI/URL specifies what resource is being accessed
• Different request methods

Slide 20

Let’s look at what a web server does: telnet to a web server and enter HTTP requests by hand.
  > telnet whitehat.local 80
  GET /

Slide 21

Anatomy of a URL
  http://whitehat.local/index.php?filter=hello
  protocol: http
  server: whitehat.local
  path: /
  resource: index.php
  query string: ?filter=hello
  GET parameters: filter=hello
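
The URL anatomy and the hand-typed telnet exchange above, as an added example that is not part of the original slides: it splits a URL into the parts the slide names, builds the request line you would type, and parses the head of the server's reply. `anatomy`, `raw_get_request`, `parse_response_head` and the sample response are all constructed for this illustration.

```python
from typing import Any, Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

def anatomy(url: str) -> Dict[str, Any]:
    """Split an absolute URL into the parts the slide names; 'resource' is the last
    path segment and 'path' the directory in front of it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an absolute http(s) URL")
    directory, _, resource = (parts.path or "/").rpartition("/")
    return {
        "protocol": parts.scheme,
        "server": parts.hostname,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": directory + "/",
        "resource": resource,
        "query_string": parts.query,
        "get_parameters": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }

def raw_get_request(url: str) -> str:
    """The request you would type into the telnet session for this URL (HTTP/1.1 form,
    which additionally requires the Host header)."""
    a = anatomy(url)
    target = a["path"] + a["resource"]
    if a["query_string"]:
        target += "?" + a["query_string"]
    return f"GET {target} HTTP/1.1\r\nHost: {a['server']}\r\nConnection: close\r\n\r\n"

def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers the server sends back; the body follows the
    blank line and is ignored here. Header names are lower-cased (they are case-insensitive)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status[1]), headers

# Constructed response: the kind of text a server echoes back in the telnet session.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
                   b"Set-Cookie: id=scACRSm; Path=/\r\n\r\n<html>hello</html>")
```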

Slide 22

Authentication and Authorization
✓ Authentication: who are the authorized users?
✓ Authorization: who can access what and how?

Slide 23

Slide 23 text

The simple recipe for user authentication 1. Ask the user for a login and password and send it to the server (HTTP/POST request) 2. Verify the login/password based on information stored on the server (usually in the database) 3. Start a session once the user has been authenticated 4. Grant access to resources according to the session

Slide 24

Slide 24 text

The concept of session There is a session id (aka token) 
 between the browser and the web application This session id should be unique and unforgeable 
 (usually a long random number or a hash) ➡ Stored in the cookie The session id is bind to key/value pairs data ➡ Stored on the server

Slide 25

Slide 25 text

The big picture Web Server Web Browser HTTP request HTTP response HTTP request HTTP response Cookie : key/value pairs stored in the requests The user can create, modify, delete the session ID in the cookie Session : key/value pairs stored on the server But cannot access the key/value pairs stored on the server
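
The authentication recipe and the session model of the last three slides, as an added example that is not part of the original slides: the server stores a salted password hash, issues a random session id on successful login, keeps the key/value data on its own side, and answers a forged or altered id with nothing. The user table, the hypothetical `login`/`session_for` functions and the cookie attributes (HttpOnly, Secure, SameSite are not mentioned on the slides) are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the server stores this, never the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

# Constructed user table for the example: login -> (salt, password hash).
_SALT = os.urandom(16)
USERS: Dict[str, tuple] = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Session store: session id -> key/value pairs. Lives only on the server.
SESSIONS: Dict[str, dict] = {}

def login(username: str, password: str) -> Optional[str]:
    """Steps 2 and 3 of the recipe: verify the credentials, then start a session.
    Returns the new session id (to be placed in the cookie) or None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    sid = secrets.token_urlsafe(32)          # 256 random bits: unique, not guessable
    SESSIONS[sid] = {"user": username, "role": "member"}
    return sid

def set_cookie_header(sid: str) -> str:
    """The cookie carries only the id. HttpOnly/Secure/SameSite are attributes not on the
    slides: they keep page scripts away from the id and keep it off plain HTTP."""
    return f"Set-Cookie: id={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def session_for(cookie_id: str) -> Optional[dict]:
    """Step 4: the browser presents the id; the server looks up the data bound to it.
    An id the client invented or altered maps to nothing, so it grants nothing."""
    return SESSIONS.get(cookie_id)

def logout(cookie_id: str) -> None:
    """Dropping the server-side entry invalidates the id even if the cookie is kept."""
    SESSIONS.pop(cookie_id, None)
```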

Slide 26

Slide 26 text

Hacking Authentication

Slide 27

Slide 27 text

How to steal user’s credentials • Brute force the password • Brute force the session ID • Steal the user’s password • Steal the user’s session ID

Slide 28

Slide 28 text

Where to start? password = 123456 password = 123456 password = 123456

Slide 29

Slide 29 text

Do you trust the network? interesting! id=scACRSm... <... ๏ An attacker can eavesdrop messages sent back and forth

Slide 30

Slide 30 text

Do you really trust the network? I am id=scACRSm... <... ๏ An attacker can tamper with messages sent back and forth

Slide 31

Slide 31 text

Confidentiality and Integrity Confidentiality: how do exchange information secretly? ✓ Encryption Integrity: How do we exchange information reliably? ✓ Digital Signature

Slide 32

Slide 32 text

Generic solution - HTTPS ➡ SSL provides • end-to-end secure channel (confidentially) • authentication handshake (integrity) ✓ HTTPS = HTTP + SSL


Slide 33

When to use HTTPS?
We need to protect
• Login and password
• Session ID
✓ HTTPS must be used during the entire session

Slide 34

Limitation of HTTPS
[diagram: password = 123456 at the client, E#%FY7*5EZ$#G on the wire, password = 123456 again at the server]

Slide 35

Stealing passwords from the client
• Social engineering: phishing
• Keyloggers (keystroke logging)
• Data mining (emails, logs)
• Hack the client’s code

Slide 36

Stealing passwords from the server
• Hack the server
• Hack the server-side code

Slide 37

Hacking the Client-Side Code

Slide 38

Client-side attacks
Incomplete Mediation ➡ hijacking the interactions between the client and the server
Content Spoofing ➡ inject arbitrary HTML content into a webpage
CSRF ➡ inject arbitrary URLs into a webpage
XSS ➡ inject arbitrary JavaScript code into a webpage

Slide 39

Incomplete Mediation: the shopping cart attack
[diagram: client trusted domain vs server trusted domain; the request carries order=(#2956,10,9,90); “Thank you for your order!”]
The total is calculated by a script on the client.
The order is generated based on the request.
* Notice that Amazon is not vulnerable to this attack *

Slide 41

Slide 41 text

GET View/?profileid=53 GET Delete/?profileid=53 ??? ...... GET setProfile/?url=Delete/?profileid=53 GET View/?profileid=86

Slide 42

Slide 42 text

comment = “ ... * Notice that Youtube is not vulnerable to this attack login=Alice&password=123456 GET /?videoid=527 <html ... GET /?videoid=527 <html ... The script contained in the comments modifies the page to look like the login page! XSS attack
 injecting arbitrary javascript into a webpage

Slide 43

Scope of XSS attacks
๏ Inject illegitimate content in the page (same as content spoofing)
๏ Perform illegitimate HTTP requests through Ajax (same as a CSRF attack)
๏ Steal the session ID from the cookie
๏ Steal the user’s login/password by modifying the page to forge a perfect scam

Slide 44

It gets worse: XSS worms
Spread on social networks
• Samy targeting MySpace (2005)
• JTV.worm targeting Justin.tv (2008)
• Twitter worm targeting Twitter (2010)

Slide 45

Hacking the Server-Side Code

Slide 46

Server-side attacks
SQL injection ➡ inject arbitrary SQL code executed on the server’s database
File inclusion ➡ inject arbitrary code executed on the server

Slide 47

SQL Injection Attack: inject arbitrary SQL code executed on the server’s database
[diagram: loginPage.html submits name=Alice&pwd=123456 to checkPassword.php: Access Denied!
 Submitting 123456' OR '1'='1 as the password instead: Access Granted!]

Slide 48

Scope of SQL injection attacks
๏ retrieves, adds, modifies, deletes arbitrary information
๏ bypasses authentication
๏ installs a reverse shell
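
The checkPassword.php bypass of the previous two slides, as an added example that is not part of the original slides: an in-memory SQLite table stands in for the server’s database, the vulnerable check builds the SQL text by string concatenation (so the slide’s password value turns the WHERE clause into a tautology), and the hardened check passes the same input as a bound parameter. The table contents and function names are constructed for this illustration; Python and sqlite3 stand in for the PHP code on the slide.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table. The slide's scheme compares the password itself;
    a real application stores and compares a salted hash instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES ('Alice', 's3cret')")
    db.commit()
    return db

def check_password_vulnerable(db: sqlite3.Connection, name: str, pwd: str) -> bool:
    """VULNERABLE checkPassword: the request values are pasted into the SQL text.
    With pwd = 123456' OR '1'='1 the statement becomes
      ... WHERE name='Alice' AND pwd='123456' OR '1'='1'
    and AND binds tighter than OR, so the row matches regardless of the password."""
    sql = f"SELECT 1 FROM users WHERE name='{name}' AND pwd='{pwd}'"
    return db.execute(sql).fetchone() is not None

def check_password_safe(db: sqlite3.Connection, name: str, pwd: str) -> bool:
    """HARDENED: the SQL text is fixed and the values travel as bound parameters, so
    quotes and keywords in the input are only ever compared, never parsed."""
    sql = "SELECT 1 FROM users WHERE name=? AND pwd=?"
    return db.execute(sql, (name, pwd)).fetchone() is not None
```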

Slide 49

File Inclusion Attack: inject arbitrary code executed on the server

Slide 50

Slide 50 text

Web Penetration Testing

Slide 51

Slide 51 text

Web application security tools • Proxy mapper • Vulnerability scanner • Replay HTTP requests • (Exploit tool) Nikto Burp Suite W3af Acunetix AppScan Vega Commercial Open Source … among others

Slide 52

Slide 52 text

Conclusion Server Side Client Side Web Server Database Web Browser You have absolutely no control on the client

Slide 53

Slide 53 text

References • Mozilla Secure Coding Guideline
 https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines • Ruby on Rails Security Page
 http://guides.rubyonrails.org/security.html • Django Security Page
 https://docs.djangoproject.com/en/dev/topics/security/ • PHP Security Pages
 http://php.net/manual/en/security.php
 http://phpsec.org/projects/guide/