Web Application Security

Razvan Preda WEB APPLICATION SECURITY 1.Introduction 2.API’s - the new
Apps 3.OWASP Top API security 4.Tips & Tricks 5.5G impact on security 6.Latest news

WEB APPLICATION SECURITY Security Model Layers OSI Model Layers

It is the most vulnerable part of any IT security
infrastructure. Most cyber-attacks we see today are a result of some form of human error. Educate and train professionals to be aware of cybersecurity attacks - phishing attacks, good password protocols, recent cyber scams … WEB APPLICATION SECURITY Human Layer

WEB APPLICATION SECURITY OSI - Open System Interconnection

WEB APPLICATION SECURITY The layer closest to the end-users, this
layer interacts directly with the software application, which in turn, will interact with the end-users. Application Layer (Layer 7)

WEB APPLICATION SECURITY

• Improper asset management • Broken object level authorization •
Excessive data exposure • Broken user authentication • Lack of resources & rate limiting • Broken Function Level Authorization • Mass Assignment • Insu ff icient Logging & Monitoring • XXE injection OWASP - API security WEB APPLICATION SECURITY

1. Improper asset management Is a vulnerability caused by lack
of a technical overview of deployed API assets where these assets may be vulnerable to exploits due to stagnation and lack of oversight and ownership.

1. Improper asset management Test the forgotten password functionality by
submitting request to server

Improper asset management HTTP Request POST /api/v2/validate-code HTTP/1.1 Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 76.0.3809.100 Safari/537.36 Referer: www.test.com Connection: close Content-Lenght: 97 { “code”: “2200” } HTTP/1.1 401 Unauthorized Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “message”: “The supplied token is invalid”, “remaining_attempts”: 4 } HTTP Response

Improper asset management HTTP Request POST /api/v1/validate-code HTTP/1.1 HTTP/1.1 401
Unauthorized Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “message”: “The supplied token is invalid” } Could v1 vulnerable to token brute force attack?

Improper asset management APIs tend to expose multiple endpoints over
traditional web applications, making proper and updated documentation highly important. Further, to mitigate against vulnerabilities caused by improper asset management, developers should always make sure that no outdated or legacy API endpoints are available for use in the production environment.

BOLA - It occurs when an attacker can successfully make
a request for a data object that should be restricted. 2.Broken object level authorization

2.Broken object level authorization Order details

Broken object level authorization HTTP Request GET /api/users/3432/orders HTTP/1.1 Host:
www.test.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 76.0.3809.100 Safari/537.36 Referer: www.test.com Connection: close Content-Lenght: 33 { “ fi lter”: “all” } HTTP/1.1 200 OK Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “user”: { “name”: “Bob”, “age”: 92 }, “orders”: [{ “id”: “20038483” “name”: “Test” “cost”: 5.40 “status”: “delivered” }] HTTP Response

Broken object level authorization HTTP Request GET /api/users/{user}/orders HTTP/1.1 -
Server responds with an array of orders, associated with the current user. -Additionally, the response contains personal information about the user. GET /api/users/85848/orders HTTP/1.1

Broken object level authorization HTTP Request GET /api/users/85848/orders HTTP/1.1 HTTP/1.1
200 OK Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “user”: { “name”: “Alice”, “age”: 30 }, “orders”: [{ “id”: “88187” “name”: “Test 2” “cost”: 10.40 “status”: “delivered” }]

Broken object level authorization The vulnerability is known as a
Broken Object Level Authorization attack in which a malicious user gains access to a resource belonging to another user due to the lack of proper authorization checks. This attack can potentially occur in any application feature where untrusted parameter values are passed to the application without performing authentication and authorization checks.

When these API's return all data to the client 3.Excessive
data exposure

3.Excessive data exposure Forgotten password functionality by submitting request to
server

Excessive data exposure HTTP Request POST /api/forgot-password HTTP/1.1 Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 76.0.3809.100 Safari/537.36 Referer: www.test.com Connection: close Content-Lenght: 97 { “email”: “[email protected]” }

Excessive data exposure HTTP Response HTTP/1.1 202 Accepted Content-Type: application/json
Transfer-Encoding chunked Connection: keep-alive { “lastLogin”: “2020-03-18T11:40:23.3”, “resetLink”: “https://test.com/account/reset- password?token=hsd6336y8w76dg2763d”, “email”: “[email protected]", “username”: “test123” } Account Takeover?

Excessive data exposure HTTP Request Account Takeover! Access: https://test.com/account/reset-password?token=hsd6336y8w76dg2763d Woah!
Submitted password reset token URL, attacker managed to load the password reset page, thereby allowing him to successfully change user account credentials and hijack the account!

Excessive data exposure This can be achieved by making sure
that each API endpoint only responds with the data which is essential for the endpoint's purpose and does not leak any other data.

Broken User Authentication refers to weaknesses in authentication mechanisms in
your application work fl ow 4.Broken user authentication

Broken user authentication Password Dump - website

Broken user authentication

HTTP Request Broken user authentication GET /api/validate-code HTTP/1.1 Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/ 537.36 Referer: www.test.com Connection: close Content-Lenght: 97 { “code”: “345334” }

HTTP Response Broken user authentication HTTP/1.1 200 OK Content-Type: application/json
Transfer-Encoding chunked Keep-Alive: timeout=60 { “valid”: false   } Could v1 vulnerable to token brute force attack?

Broken user authentication GET /api/validate-code HTTP/1.1 { “code”: ‘3453453’  
} Could endpoint be vulnerable to token brute force attack?

• Understand exactly how your authentication mechanisms work, don't just
blindly implement something like oauth 2, a lot of developers implement this incorrectly.  • Do not implement your own authentication mechanisms but use well known authentication solutions  • All authentication endpoints (Including forgot password) should be protected by rate limiting it and implementing lockout mechanisms. These mechanisms have to be stricted than on other endpoints.  • If possible, implement multi-factor authentication such as SMS or authenticators  • Do not use API keys for authentication , these should be used for client/app authentication Broken user authentication

5.Lack of resources & rate limiting In such situations, an
API can no longer operate, and will no longer be able to service requests, or potentially even be unable to complete those currently in progress.

HTTP Request GET /api/sign-up HTTP/1.1 Host: www.test.com User-Agent: Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_13_6) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Referer: www.test.com Connection: close Content-Lenght: 97 { “name”: “Bob”, “lastName”: “Tour”, “email”: “[email protected]” “mobile”: “076584574”, “password”: “alfa”, “city”: “Sibiu” } 5.Lack of resources & rate limiting

HTTP Response Lack of resources & rate limiting HTTP/1.1 409
Con fl ict Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “error”: true, “ fi eld”: “mobile” “message”: “The phone number already exists!”   } The above message is indicative of a User Enumeration vulnerability since the application returns an error message indicating that the submitted phone number is already registered

Lack of resources & rate limiting Brute Force attack: Try:
0683663746 … Try: 0684564746 … Try: 0768956474 registered Try: 0684564778 …

Lack of resources & rate limiting Implement Rate Limiting Additionally,
a generic response message should be displayed

Broken Function Level Authorization (BFLA) can be considered a higher
level version of BOLA. This is because it's focussed on general functions rather than individual objects. The consequence of BFLA is that clients can access functionality beyond their intended access level, such as administrative functions 6.Broken Function Level Authorization

6.Broken Function Level Authorization GET /api/users/647 HTTP/1.1 Host: www.test.com Referer:
www.test.com Connection: close Content-Lenght: 97 HTTP/1.1 200 OK Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “name”:”Test”, “email”: “[email protected], “phone”: “073535254”  }

Broken Function Level Authorization GET /api/users/600 HTTP/1.1 Host: www.test.com Referer:
www.test.com Connection: close Content-Lenght: 97 HTTP/1.1 403 Forbidden Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 Connection: Close

Broken Function Level Authorization GET /api/users/600 HTTP/1.1 DELETE /api/users/600 HTTP/1.1

Broken Function Level Authorization DELETE /api/users/600 HTTP/1.1 Host: www.test.com Referer:
www.test.com Connection: close Content-Lenght: 97 HTTP/1.1 200 OK Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60 { “status”:”success”, “message”: “User [email protected] has been deleted”, }

Mitigation Enforce proper authentication and authorization checks for each API
endpoint, even if some of them are "hidden" from the user interface. Broken Function Level Authorization

7.Mass Assignment https://mail.com/reset-password?token=bc13-dc8a-80ee-be4837fb948e A malicious user modi fi es properties
that they are not supposed to on the data objects, gaining unauthorized access or corrupting data as a result.

Mass Assignment HTTP Request POST /api/reset-password HTTP/1.1 Host: www.test.com User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 76.0.3809.100 Safari/537.36 Referer: www.test.com Connection: close Content-Lenght: 33 { “password”: “password123”, “isAdmin”: “false” }

Mass Assignment HTTP Request POST /api/reset-password HTTP/1.1 Host: www.test.com User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/ 537.36 Referer: www.test.com Connection: close Content-Lenght: 33 { “password”: “password123”, “isAdmin”: “true” } HTTP/1.1 202 Accepted Content-Type: application/json Transfer-Encoding chunked Keep-Alive: timeout=60

Types expected in the requests should be explicitly de fi
ned at design time Mass Assignment

8. Insuf f icient Logging & Monitoring curl --header "Private-Token:
t_zPRYZ4pMRQXyznF72g" https://www.blog.com/ api/v4/projects

8. Insuf f icient Logging & Monitoring

8. Insuf f icient Logging & Monitoring Mitigation 1.Login, access
control failures, and server-side input validation failures can be logged with suf fi cient user context to identify suspicious or malicious accounts, and held for suf fi cient time to allow analysis. (timestamp-method-uri-ip) 2.Ensure logs are generated in a format that can be easily consumed by centralised log management solutions. 3.Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.

XML external entity injection is a web security vulnerability that
allows an attacker to interfere with an application's processing of XML data. It allows an attacker to view fi les on the application server even interact with any back-end or external systems that the application itself access. 9.XXE injection

XXE injection

<?xml version="1.0" encoding="UTF-8"?> <patients><patientId>381</patientId></patients> XXE injection <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE
foo [ <!ENTITY somefile SYSTEM "file:///etc/passwd"> ]> <patients> <patientId>381</patientId> <loadthis>&somefile;</loadthis> </patients> Invalid product ID: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin

XXE injection

Mitigation Con fi gure your XML parsers to disable the
parsing of XML eXternal Entities (XXE) and Document Type De fi nitions (DTD) when parsing XML documents. If DTDs cannot be completely disabled, disable the parsing of external general entities and external parameter entities when parsing untrusted XML fi les. libxml_disable_entity_loader(true) - php 8.0 > deprecated XXE injection

Build your application having in mind the zero trust strategy
- never trust, always verify ⁃ fi lter input and escaping output ⁃ always use prepared statements when interact with database ⁃ add rate limiting or captcha where necessary ⁃ always validate data in backend ⁃ use high level authentication, acces control and roles management ⁃ keep your packages, system, libraries up to date ⁃ implement proper logging mechanism ⁃ build a proper exception management ⁃ encript everything - avoid MITM ⁃ log rotation or clear your log fi les regularly to avoid database/app hangs ⁃ max request size max fi le upload max request timeout ⁃ keep in mid ext3 is limited to 64000 fi les/folder ⁃ block tra fi c from unwanted geographical regions, data centres, and Tor relay nodes ⁃ Remove security headers - X-powered-by, Sever, add security headers Strait-Transport- Security, X-Content-Type-Option ⁃ Reduce the risk of API de fi nitions, documentation and sensitive data in untrusted tools Tips & Tricks

Unfortunately, there's not yet a way to make any web
technology completely invulnerable to hackers and cybercrime. Cyber attacks continue to evolve every day, resulting in a need to be constantly improving and implementing new cybersecurity measures. The web security landscape is changing constantly: Never Stop Learning and be proactive Tips & Tricks Implement a cybersecurity strategy

5G impact on security

Latest news Site-ul Poliției Locale, spart de un adolescent cu
patru clase.

Latest news Site-ul Poliției Locale Ploiești, spart de un adolescent
cu patru clase.

Latest news Site-ul Poliției Locale, spart de un adolescent cu
patru clase. Review Webpage Content for Information Leakage

WEB APPLICATION SECURITY Don’t be scared by a developer who
thinks like a hacker, be scared by a hacker who thinks like a developer! Thank you! Razvan Preda

Web Application Security

Web Application Security

More Decks by Sibiu Web Meetup

Other Decks in Programming

Featured

Transcript