
Web Application Security

Sibiu Web Meetup

November 17, 2022


Transcript

  1. Razvan Preda - WEB APPLICATION SECURITY
     1. Introduction
     2. APIs - the new Apps
     3. OWASP Top API security
     4. Tips & Tricks
     5. 5G impact on security
     6. Latest news
  2. WEB APPLICATION SECURITY - Human Layer
     It is the most vulnerable part of any IT security infrastructure. Most cyber-attacks we see today are the result of some form of human error. Educate and train professionals to be aware of cybersecurity attacks: phishing attacks, good password protocols, recent cyber scams ...
  3. WEB APPLICATION SECURITY - Application Layer (Layer 7)
     The layer closest to the end-users; this layer interacts directly with the software application, which in turn interacts with the end-users.
  4. WEB APPLICATION SECURITY - OWASP API security
     • Improper asset management
     • Broken object level authorization
     • Excessive data exposure
     • Broken user authentication
     • Lack of resources & rate limiting
     • Broken function level authorization
     • Mass assignment
     • Insufficient logging & monitoring
     • XXE injection
  5. 1. Improper asset management
     A vulnerability caused by the lack of a technical overview of deployed API assets, where these assets may be vulnerable to exploits due to stagnation and a lack of oversight and ownership.
  6. Improper asset management
     HTTP Request
       POST /api/v2/validate-code HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 97

       { "code": "2200" }
     HTTP Response
       HTTP/1.1 401 Unauthorized
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "message": "The supplied token is invalid", "remaining_attempts": 4 }
  7. Improper asset management
     HTTP Request
       POST /api/v1/validate-code HTTP/1.1
     HTTP Response
       HTTP/1.1 401 Unauthorized
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "message": "The supplied token is invalid" }
     Could v1 be vulnerable to a token brute-force attack?
  8. Improper asset management
     APIs tend to expose more endpoints than traditional web applications, which makes proper and up-to-date documentation highly important. Further, to mitigate vulnerabilities caused by improper asset management, developers should always make sure that no outdated or legacy API endpoints remain available in the production environment.
  9. 2. Broken object level authorization
     BOLA occurs when an attacker can successfully make a request for a data object that should be restricted.
  10. Broken object level authorization
     HTTP Request
       GET /api/users/3432/orders HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 33

       { "filter": "all" }
     HTTP Response
       HTTP/1.1 200 OK
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "user": { "name": "Bob", "age": 92 },
         "orders": [{ "id": "20038483", "name": "Test", "cost": 5.40, "status": "delivered" }] }
  11. Broken object level authorization
     HTTP Request
       GET /api/users/{user}/orders HTTP/1.1
     - The server responds with an array of orders associated with the current user.
     - Additionally, the response contains personal information about the user.
       GET /api/users/85848/orders HTTP/1.1
  12. Broken object level authorization
     HTTP Request
       GET /api/users/85848/orders HTTP/1.1
     HTTP Response
       HTTP/1.1 200 OK
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "user": { "name": "Alice", "age": 30 },
         "orders": [{ "id": "88187", "name": "Test 2", "cost": 10.40, "status": "delivered" }] }
  13. Broken object level authorization
     The vulnerability is known as a Broken Object Level Authorization attack, in which a malicious user gains access to a resource belonging to another user because of missing authorization checks. This attack can occur in any application feature where untrusted parameter values are passed to the application without performing authentication and authorization checks.
  14. Excessive data exposure
     HTTP Request
       POST /api/forgot-password HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 97

       { "email": "[email protected]" }
  15. Excessive data exposure
     HTTP Response
       HTTP/1.1 202 Accepted
       Content-Type: application/json
       Transfer-Encoding: chunked
       Connection: keep-alive

       { "lastLogin": "2020-03-18T11:40:23.3",
         "resetLink": "https://test.com/account/reset-password?token=hsd6336y8w76dg2763d",
         "email": "[email protected]",
         "username": "test123" }
     Account Takeover?
  16. Excessive data exposure
     HTTP Request - Account Takeover!
       Access: https://test.com/account/reset-password?token=hsd6336y8w76dg2763d
     Woah! Having submitted the password reset token URL, the attacker managed to load the password reset page, which allowed them to change the user's account credentials and hijack the account!
  17. Excessive data exposure
     Mitigation: make sure that each API endpoint only responds with the data that is essential for the endpoint's purpose and does not leak any other data.
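The orders endpoint from slides 10-13, written with the two checks slides 13 and 17 ask for: the authorization decision is made against the authenticated session rather than the user id in the URL, and the response is built from an allowlist of fields. This is an added example, not code from the talk; the user ids mirror the slides, while the records, the `internal_margin` field and the `Response` type are constructed for the example.

```python
from dataclasses import dataclass

# Constructed backend records (hypothetical): they hold more than the
# orders endpoint should ever return (age, email, internal margin).
USERS = {
    3432: {"name": "Bob", "age": 92, "email": "bob@example.invalid"},
    85848: {"name": "Alice", "age": 30, "email": "alice@example.invalid"},
}
ORDERS = {
    3432: [{"id": "20038483", "name": "Test", "cost": 5.40,
            "status": "delivered", "internal_margin": 1.10}],
    85848: [{"id": "88187", "name": "Test 2", "cost": 10.40,
             "status": "delivered", "internal_margin": 2.00}],
}

# Allowlist of response fields: a new column on the order model cannot
# leak through this endpoint unless it is added here deliberately.
ORDER_FIELDS = ("id", "name", "cost", "status")


@dataclass
class Response:
    status: int
    body: dict


def get_user_orders(auth_user_id: int, path_user_id: int) -> Response:
    """GET /api/users/{user}/orders.

    path_user_id comes from the URL and is untrusted; auth_user_id comes
    from the verified session. The authorization decision uses the latter.
    """
    # Object-level authorization: callers may read only their own orders.
    # The same 404 is returned for unknown ids and for other users' ids,
    # so the response does not confirm whether a given user id exists.
    if path_user_id not in USERS or auth_user_id != path_user_id:
        return Response(404, {"message": "not found"})
    orders = [{k: o[k] for k in ORDER_FIELDS} for o in ORDERS[path_user_id]]
    # Minimal data: the name is all this page needs; age and email stay out.
    return Response(200, {"user": {"name": USERS[path_user_id]["name"]},
                          "orders": orders})
```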
  18. 4. Broken user authentication
     Broken User Authentication refers to weaknesses in the authentication mechanisms of your application workflow.
  19. Broken user authentication
     HTTP Request
       GET /api/validate-code HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 97

       { "code": "345334" }
  20. Broken user authentication
     HTTP Response
       HTTP/1.1 200 OK
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "valid": false }
     Could v1 be vulnerable to a token brute-force attack?
  21. Broken user authentication
       GET /api/validate-code HTTP/1.1

       { "code": "3453453" }
     Could the endpoint be vulnerable to a token brute-force attack?
  22. Broken user authentication
     • Understand exactly how your authentication mechanisms work; don't just blindly implement something like OAuth 2, a lot of developers implement it incorrectly.
     • Do not implement your own authentication mechanisms; use well-known authentication solutions.
     • All authentication endpoints (including forgot password) should be protected by rate limiting and lockout mechanisms. These mechanisms have to be stricter than on other endpoints.
     • If possible, implement multi-factor authentication such as SMS or authenticator apps.
     • Do not use API keys for user authentication; these should be used for client/app authentication.
  23. 5. Lack of resources & rate limiting
     In such situations, an API can no longer operate and will no longer be able to service requests, or may even be unable to complete those currently in progress.
  24. 5. Lack of resources & rate limiting
     HTTP Request
       GET /api/sign-up HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 97

       { "name": "Bob", "lastName": "Tour", "email": "[email protected]", "mobile": "076584574", "password": "alfa", "city": "Sibiu" }
  25. Lack of resources & rate limiting
     HTTP Response
       HTTP/1.1 409 Conflict
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "error": true, "field": "mobile", "message": "The phone number already exists!" }
     The above message is indicative of a user enumeration vulnerability, since the application returns an error message confirming that the submitted phone number is already registered.
  26. Lack of resources & rate limiting
     Brute-force attack:
       Try: 0683663746 ...
       Try: 0684564746 ...
       Try: 0768956474 registered
       Try: 0684564778 ...
  27. Lack of resources & rate limiting
     Mitigation: implement rate limiting. Additionally, a generic response message should be returned.
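The two mitigations from slide 27 (rate limiting with lockout for the validate-code and sign-up endpoints of slides 6-7, 19-21 and 24-26, and a generic sign-up response that no longer reveals whether a phone number is registered), as an added example that is not code from the talk. The limiter, the registered-number set and the response texts are constructed for this example; the clock is injectable so the lockout window can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """At most `limit` attempts per `window` seconds for a key (client IP,
    account, phone number); exceeding it locks the key out for `lockout`
    seconds. `clock` is injectable so the behaviour can be tested."""

    def __init__(self, limit, window, lockout, clock=time.monotonic):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts
        self._locked_until = {}          # key -> time when the lockout ends

    def allow(self, key: str) -> bool:
        now = self.clock()
        if self._locked_until.get(key, 0) > now:
            return False
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:  # drop expired attempts
            hits.popleft()
        if len(hits) >= self.limit:
            self._locked_until[key] = now + self.lockout
            hits.clear()
            return False
        hits.append(now)
        return True


# Constructed registered numbers (hypothetical); a real service queries its store.
REGISTERED_PHONES = {"0768956474"}
# One generic answer for both the "already exists" and the "created" paths.
GENERIC = {"error": False,
           "message": "If the details are valid, a confirmation SMS will follow."}


def sign_up(client_ip: str, body: dict, limiter: RateLimiter) -> tuple:
    """POST /api/sign-up: same status and body whether or not the phone number
    is registered, so the response no longer enumerates users."""
    if not limiter.allow(client_ip):
        return 429, {"error": True, "message": "Too many requests, try again later."}
    if body.get("mobile") in REGISTERED_PHONES:
        # No duplicate account; the existing owner can be notified out of band.
        return 202, GENERIC
    REGISTERED_PHONES.add(body["mobile"])
    return 202, GENERIC
```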
  28. 6. Broken Function Level Authorization
     Broken Function Level Authorization (BFLA) can be considered a higher-level version of BOLA, because it is focused on general functions rather than individual objects. The consequence of BFLA is that clients can access functionality beyond their intended access level, such as administrative functions.
  29. 6. Broken Function Level Authorization
     HTTP Request
       GET /api/users/647 HTTP/1.1
       Host: www.test.com
       Referer: www.test.com
       Connection: close
       Content-Length: 97
     HTTP Response
       HTTP/1.1 200 OK
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "name": "Test", "email": "[email protected]", "phone": "073535254" }
  30. Broken Function Level Authorization
     HTTP Request
       GET /api/users/600 HTTP/1.1
       Host: www.test.com
       Referer: www.test.com
       Connection: close
       Content-Length: 97
     HTTP Response
       HTTP/1.1 403 Forbidden
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60
       Connection: Close
  31. Broken Function Level Authorization
     HTTP Request
       DELETE /api/users/600 HTTP/1.1
       Host: www.test.com
       Referer: www.test.com
       Connection: close
       Content-Length: 97
     HTTP Response
       HTTP/1.1 200 OK
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60

       { "status": "success", "message": "User [email protected] has been deleted" }
  32. Broken Function Level Authorization
     Mitigation: enforce proper authentication and authorization checks for each API endpoint, even if some of them are "hidden" from the user interface.
  33. 7. Mass Assignment
       https://mail.com/reset-password?token=bc13-dc8a-80ee-be4837fb948e
     A malicious user modifies properties that they are not supposed to on the data objects, gaining unauthorized access or corrupting data as a result.
  34. Mass Assignment
     HTTP Request
       POST /api/reset-password HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 33

       { "password": "password123", "isAdmin": "false" }
  35. Mass Assignment
     HTTP Request
       POST /api/reset-password HTTP/1.1
       Host: www.test.com
       User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
       Referer: www.test.com
       Connection: close
       Content-Length: 33

       { "password": "password123", "isAdmin": "true" }
     HTTP Response
       HTTP/1.1 202 Accepted
       Content-Type: application/json
       Transfer-Encoding: chunked
       Keep-Alive: timeout=60
  36. 8. Insufficient Logging & Monitoring
       curl --header "Private-Token: t_zPRYZ4pMRQXyznF72g" https://www.blog.com/api/v4/projects
  37. 8. Insufficient Logging & Monitoring
     Mitigation
     1. Login failures, access control failures and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and retained long enough to allow analysis (timestamp-method-uri-ip).
     2. Ensure logs are generated in a format that can be easily consumed by centralised log management solutions.
     3. Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
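The reset-password endpoint from slides 33-35, rewritten to bind only the property it is meant to accept and to log the rejected `isAdmin` attempt in the timestamp-method-uri-ip form slide 37 recommends, with the acting user as context. This is an added example and not code from the talk: the token value is the one on slide 33, while the user record, the in-memory token store and the list used as a log sink are constructed.

```python
import hashlib
import os
from datetime import datetime, timezone

# The only property /api/reset-password is allowed to bind from the body.
RESET_ALLOWED_FIELDS = {"password"}

# Constructed state (hypothetical): reset token -> user record. The token
# value is the one shown on the slide; "isAdmin" lives only server-side.
RESET_TOKENS = {
    "bc13-dc8a-80ee-be4837fb948e":
        {"username": "test123", "isAdmin": False, "password_hash": None},
}
AUDIT_LOG = []  # stand-in for a centralised log sink


def audit(method: str, uri: str, ip: str, user: str, event: str) -> str:
    """timestamp-method-uri-ip plus user context, one line per event."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{ts} {method} {uri} {ip} user={user} {event}"
    AUDIT_LOG.append(line)
    return line


def reset_password(ip: str, token: str, body: dict) -> tuple:
    uri = "/api/reset-password"
    user = RESET_TOKENS.get(token)
    if user is None:
        audit("POST", uri, ip, "-", "reset_token_invalid")
        return 401, {"message": "invalid or expired token"}
    # Mass-assignment guard: reject, rather than silently drop, any property
    # outside the allowlist, so an "isAdmin" in the body fails and is logged.
    unexpected = sorted(set(body) - RESET_ALLOWED_FIELDS)
    if unexpected:
        audit("POST", uri, ip, user["username"],
              "mass_assignment_attempt fields=" + ",".join(unexpected))
        return 400, {"message": "unexpected fields", "fields": unexpected}
    password = body.get("password")
    if not isinstance(password, str) or len(password) < 12:
        return 400, {"message": "password must be at least 12 characters"}
    salt = os.urandom(16)  # store a salted slow hash, never the password
    user["password_hash"] = (salt, hashlib.scrypt(password.encode(), salt=salt,
                                                  n=2 ** 14, r=8, p=1))
    RESET_TOKENS.pop(token)  # reset tokens are single-use
    audit("POST", uri, ip, user["username"], "password_reset")
    return 202, {"message": "password updated"}
```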
  38. 9. XXE injection
     XML external entity injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It allows an attacker to view files on the application server and even to interact with any back-end or external systems that the application itself can access.
  39. XXE injection
     Normal request:
       <?xml version="1.0" encoding="UTF-8"?>
       <patients><patientId>381</patientId></patients>
     Request with an external entity:
       <?xml version="1.0" encoding="UTF-8"?>
       <!DOCTYPE foo [ <!ENTITY somefile SYSTEM "file:///etc/passwd"> ]>
       <patients>
         <patientId>381</patientId>
         <loadthis>&somefile;</loadthis>
       </patients>
     Response:
       Invalid product ID: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin
  40. XXE injection
     Mitigation: configure your XML parsers to disable the parsing of XML eXternal Entities (XXE) and Document Type Definitions (DTD) when parsing XML documents. If DTDs cannot be completely disabled, disable the parsing of external general entities and external parameter entities when parsing untrusted XML files.
       PHP: libxml_disable_entity_loader(true) - deprecated as of PHP 8.0
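The "disable DTDs" advice from slide 40 applied to the <patients> document of slide 39, using Python's standard library. This is an added example, not code from the talk: the two documents are copied from the slide, and the parser function, its name and the "never echo raw input into error messages" rule (the slide's "Invalid product ID: root:x:0:0..." leak) are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Refuse any DOCTYPE (and therefore any <!ENTITY ...>) before the parser sees
# the document: this endpoint has no legitimate need for a DTD at all.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when the document declares a DTD."""


def parse_patient_ids(raw: bytes) -> list:
    """Return the patientId values of a <patients> document, or raise."""
    if _DOCTYPE.search(raw):
        raise UnsafeXML("DTD not allowed")
    # The stdlib expat parser does not fetch external entities by default,
    # but refusing the DTD explicitly does not depend on that behaviour.
    root = ET.fromstring(raw)
    if root.tag != "patients":
        raise ValueError("unexpected root element")
    ids = [el.text for el in root.findall("patientId")]
    # Validate the values and report only the rule that failed; echoing the
    # offending input back is how the slide's error message leaked /etc/passwd.
    if not ids or not all(i and i.isdigit() for i in ids):
        raise ValueError("patientId must be numeric")
    return ids


# Both inputs below are copied from the slide (constructed test documents).
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<patients><patientId>381</patientId></patients>')
XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
       b'<!DOCTYPE foo [ <!ENTITY somefile SYSTEM "file:///etc/passwd"> ]>'
       b'<patients><patientId>381</patientId>'
       b'<loadthis>&somefile;</loadthis></patients>')


def is_rejected(raw: bytes) -> bool:
    """True when the document is refused as unsafe, False when it parses."""
    try:
        parse_patient_ids(raw)
        return False
    except UnsafeXML:
        return True
```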
  41. Tips & Tricks
     Build your application with the zero trust strategy in mind - never trust, always verify
     ⁃ filter input and escape output
     ⁃ always use prepared statements when interacting with the database
     ⁃ add rate limiting or a captcha where necessary
     ⁃ always validate data in the backend
     ⁃ use high-level authentication, access control and role management
     ⁃ keep your packages, system and libraries up to date
     ⁃ implement a proper logging mechanism
     ⁃ build proper exception management
     ⁃ encrypt everything - avoid MITM
     ⁃ rotate or clear your log files regularly to avoid database/app hangs
     ⁃ set a max request size, max file upload size and max request timeout
     ⁃ keep in mind that ext3 is limited to 64000 files/folder
     ⁃ block traffic from unwanted geographical regions, data centres and Tor relay nodes
     ⁃ remove revealing headers (X-Powered-By, Server) and add security headers (Strict-Transport-Security, X-Content-Type-Options)
     ⁃ reduce the risk of exposing API definitions, documentation and sensitive data in untrusted tools
  42. Tips & Tricks - Implement a cybersecurity strategy
     Unfortunately, there is not yet a way to make any web technology completely invulnerable to hackers and cybercrime. Cyber attacks continue to evolve every day, resulting in a need to constantly improve and implement new cybersecurity measures. The web security landscape is changing constantly: never stop learning and be proactive.
  43. Latest news
     "The Local Police website, hacked by a teenager with four years of schooling."
     Review webpage content for information leakage.
  44. WEB APPLICATION SECURITY
     Don't be scared by a developer who thinks like a hacker, be scared by a hacker who thinks like a developer!
     Thank you! Razvan Preda