Top 5 Web Hacks
Adrian Owens, Certified Client Technical Professional, Southeast
© 2011 IBM Corporation
IBM Security Solutions
The Bad Guys Want In
• Black Hat Hacker: Wants to steal your important data, especially financial information, which they can sell for a gain.
• Hacktivist: Take your website down. Could be motivated by politics, religion, may wish to expose wrongdoing, or exact revenge.
• Script Kiddie: May deface your website to make a name for themselves.
How: Right Through the Front Door
• Resource Access - Address Bar
• XSS - Search Field
• SQL Injection - Web Form
OWASP and the OWASP Top 10 list
Open Web Application Security Project
• an open organization dedicated to fight insecure software
The OWASP Top Ten
• “…document represents a broad consensus about what the most critical web application security flaws are”
• www.owasp.org
OWASP Top 10 Vulnerabilities
1. Injection Flaws (SQL Injection)
What is it?
• User-supplied data is sent to an interpreter as part of a command, query or data.
What are the implications?
• SQL Injection - Access/modify data in DB
• SSI Injection - Execute commands on server and access sensitive data
• LDAP Injection – Bypass authentication
© 2008 IBM Corporation
Discovering the Value of Web Application Security Testing with IBM Rational AppScan
SQL Injection
User input inserted into SQL Command:
• Get product details by id: Select * from products where id='$REQUEST["id"]';
• Hack: send param id with value ' or '1'='1
• Resulting executed SQL: Select * from products where id='' or '1'='1'
• All products returned
SQL Injection Example I
• Input: '
• Query: Select user from tvalidateuser where username=''
SQL Injection Example II
SQL Injection Example - Exploit
• Input: ' or 1=1--
• Resulting executed SQL: Select user from tvalidateuser where username='' or 1=1--
SQL Injection Example - Outcome
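The two queries from the preceding slides (the products lookup and the tvalidateuser login), run against a tiny in-memory SQLite database once with string concatenation and once parameterised. This is an added example, not code from the deck; the table contents are constructed for it.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the deck's "products" and
    # "tvalidateuser" tables; the rows are invented for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget'), (3, 'gizmo');
        CREATE TABLE tvalidateuser (user TEXT, username TEXT);
        INSERT INTO tvalidateuser VALUES ('alice', 'alice'), ('bob', 'bob');
    """)
    return db


def product_vulnerable(db, product_id):
    # As on the slide: the request parameter is pasted into the SQL text,
    # so  ' or '1'='1  turns the WHERE clause into  id='' or '1'='1'.
    sql = "SELECT * FROM products WHERE id='%s'" % product_id
    return db.execute(sql).fetchall()


def product_safe(db, product_id):
    # Parameterised query: the value travels separately from the SQL text,
    # so quotes, OR clauses and -- comments in the input stay plain data.
    return db.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()


def login_vulnerable(db, username):
    # The deck's login query; input  ' or 1=1--  comments out the closing quote.
    sql = "SELECT user FROM tvalidateuser WHERE username='%s'" % username
    return db.execute(sql).fetchall()


def login_safe(db, username):
    return db.execute("SELECT user FROM tvalidateuser WHERE username=?", (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(product_vulnerable(db, "' or '1'='1"))   # all three products
    print(product_safe(db, "' or '1'='1"))         # []
    print(login_vulnerable(db, "' or 1=1--"))      # both users
    print(login_safe(db, "' or 1=1--"))            # []
```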
2. Cross-Site Scripting (XSS)
What is it?
• Malicious script echoed back into HTML returned from a trusted site, and runs under trusted context
What are the implications?
• Session Tokens stolen
• Complete page content compromised
• Future pages in browser compromised
XSS Example I
• Input: aSdF
XSS Example II
HTML code:
Cross Site Scripting – The Exploit Process
Parties: Evil.org, User, bank.com
1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
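The "echoed back into HTML" step above, shown on a minimal search-results page with and without output encoding; an added example, not the deck's demo application. The probe string and the page templates are constructed for it.

```python
from html import escape

# Constructed probe standing in for the script the slide describes.
CONSTRUCTED_PROBE = '<script>alert(1)</script>'


def results_page_vulnerable(query):
    # Echoes the search term straight back into the HTML: the browser parses
    # the reflected <script> as markup and runs it in bank.com's context.
    return "<p>Results for: %s</p>" % query


def results_page_safe(query):
    # HTML-body context: encode < > & so markup in the input is shown as text.
    return "<p>Results for: %s</p>" % escape(query)


def search_box_safe(query):
    # Quoted-attribute context: quote=True also encodes " and ', so the
    # input cannot close the value="" and append an event handler.
    return '<input name="q" value="%s">' % escape(query, quote=True)


def is_script_injected(html):
    # Crude check for the demo: did an executable <script> element survive?
    return "<script" in html.lower()


if __name__ == "__main__":
    print(results_page_vulnerable(CONSTRUCTED_PROBE))   # script survives
    print(results_page_safe(CONSTRUCTED_PROBE))         # rendered as text
    print(search_box_safe('" onmouseover="x'))          # quotes encoded
```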
3. Broken Authentication & Session Management
What is it?
• Session tokens aren’t guarded and invalidated properly
What are the implications?
• Session tokens can be planted by hackers in XSS/XSRF attack, hence leaked
• Session tokens more easily available (valid longer, less protection) to be stolen in different ways
Broken Authentication and Session Management - Examples
Unprotected Session Tokens
• Session ID kept in Persistent Cookie
• Not using http-only value for cookies
Sessions valid for too long
• Session not invalidated after logout
• Session timeout too long
Session fixation possible
• Session ID not replaced after login
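A minimal session store and cookie header that address each item on the slide: non-persistent HttpOnly cookie, server-side invalidation on logout, an idle timeout, and a new session ID at login. Added example, not the deck's code; the cookie name, the 15-minute timeout and the injectable clock are assumptions made for it.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60       # constructed value: 15-minute idle timeout


class SessionStore:
    """In-memory session store showing the three fixes the slide calls for."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so the timeout is testable
        self.sessions = {}       # token -> {"user": ..., "last": ...}

    def create(self, user=None):
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        self.sessions[token] = {"user": user, "last": self.now()}
        return token

    def login(self, old_token, user):
        # Session fixation fix: discard the pre-login ID and issue a fresh one.
        self.sessions.pop(old_token, None)
        return self.create(user)

    def logout(self, token):
        # Invalidate server-side; just clearing the cookie leaves it usable.
        self.sessions.pop(token, None)

    def lookup(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        if self.now() - entry["last"] > IDLE_TIMEOUT:
            self.sessions.pop(token)               # expired: invalidate
            return None
        entry["last"] = self.now()
        return entry["user"]


def session_cookie_header(token):
    # Non-persistent (no Expires/Max-Age, so it dies with the browser),
    # HttpOnly (script cannot read it), Secure (TLS only); SameSite=Lax also
    # blunts cross-site request forgery.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = token
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```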
4. Insecure Direct Object Reference
What is it?
• Part or all of a resource (file, table, etc.) name controlled by user input.
What are the implications?
• Access to sensitive resources
• Information Leakage, aids future hacks
Insecure Direct Object Reference - Example
• Attacker may attempt to manipulate parameter “Content”
• Change to Boot.ini system file
Insecure Direct Object Reference – Example Cont.
• Poison Null Byte
• Use NULL Character rather than .htm
Insecure Direct Object Reference – Example Cont.
• Bingo – Sensitive File Information at our fingertips!
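Two ways to resolve the “Content” parameter from the three slides above so that neither a traversal to a system file nor the poison null byte works: an indirect reference map (the real fix) and, where a path fragment must be accepted, canonicalisation plus an explicit NUL check. Added example, not the deck's code; the document root and the map entries are constructed.

```python
import posixpath

DOC_ROOT = "/srv/www/content"       # constructed document root
# Indirect references: clients only ever see these keys, never file names.
CONTENT_MAP = {"intro": "intro.htm", "pricing": "pricing.htm"}   # constructed


def resolve_by_map(content_id):
    # Preferred fix: look the identifier up; anything not listed is refused,
    # so a system file name or "../x" simply has no entry.
    name = CONTENT_MAP.get(content_id)
    return None if name is None else posixpath.join(DOC_ROOT, name)


def resolve_by_path(param):
    # Defence in depth when the parameter must stay a path fragment.
    if "\x00" in param or "\\" in param:
        # Poison null byte: a C-level open() would stop at the NUL and drop
        # the ".htm" the application appends below. Reject outright.
        return None
    rel = posixpath.normpath(param + ".htm")   # collapse "docs/../x"
    if rel.startswith("/") or rel.startswith("../"):
        return None                            # absolute path or escapes root
    return posixpath.join(DOC_ROOT, rel)


if __name__ == "__main__":
    print(resolve_by_map("intro"))                  # served
    print(resolve_by_map("../../Boot.ini"))         # None
    print(resolve_by_path("../../../Boot.ini"))     # None (traversal)
    print(resolve_by_path("../../../Boot.ini\x00")) # None (null byte)
```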
5. Cross Site Request Forgery (CSRF/XSRF)
What is it?
• Tricking a victim into sending an unwitting (often blind) request to another site, using the user’s session and/or network access.
What are the implications?
• Internal network compromised
• User’s web-based accounts exploited
XSRF Exploit Illustration
Parties: Victim, Evil.org, Bank.com, WebMail, Wireless Router
1) User browses page with malicious content
2) Script (or link) is downloaded and executed in browser
3) Bank.com: Money Transferred; WebMail: All mails forwarded to hacker; Wireless Router: Router opened for outside access
4) Bank.com: Money Withdrawn; WebMail: Private mails accessed, possibly containing passwords; Wireless Router: Firewalls surpassed, internal computers hacked
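The Bank.com transfer step from the illustration as a handler that requires a session-bound anti-forgery token: the victim's browser will attach the session cookie to Evil.org's forged request, but the cross-site page cannot read the token, so the request is rejected. Added example, not the deck's code; the server key, session ID and form fields are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; a real app loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Token derived from the victim's own session ID and embedded in the
    # legitimate form. Evil.org's page can make the browser *send* the
    # session cookie but cannot *read* it, so it cannot compute this value.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_money(session_id, form):
    """Simulated state-changing handler for the illustration's bank transfer."""
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time compare; rejects a missing, stale or other-session token.
    if not hmac.compare_digest(submitted, expected):
        return "rejected: missing or wrong CSRF token"
    return "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    sid = "victim-session-id"                       # constructed
    # Legitimate form rendered by Bank.com: carries the token.
    print(transfer_money(sid, {"csrf_token": issue_csrf_token(sid),
                               "amount": "10", "to": "bob"}))
    # Forged form from Evil.org: cookie rides along, token does not.
    print(transfer_money(sid, {"amount": "10", "to": "mallory"}))
```

A SameSite cookie attribute on the session cookie complements the token check but does not replace it.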
Security Testing Technologies... Combination of the Two Delivers Comprehensive Solution
Static Code Analysis = Whitebox
• Scanning source code for security issues
Dynamic Analysis = Blackbox
• Security analysis of a compiled application
Diagram: Static Analysis and Dynamic Analysis each cover part of the Total Potential Security Issues; together they give Complete Coverage.
Automated Security Testing
• AppScan Standard Edition – Black-box, dynamic
  • Desktop Version – connects to Enterprise Reporting
• AppScan Enterprise Edition – Black-box, dynamic
  • Web-based Version – connects to Enterprise Reporting
• AppScan Source Edition – White-Box, Static
  • IDE, Desktop, Web Based – connects to Enterprise Reporting
• AppScan Source For Automation – Build Component
  • Part of Build Engine – Build Forge Enabled
• AppScan Policy Tester – Quality, Privacy, Accessibility
  • Web-based Version – connects to Enterprise Reporting
AppScan (BB = black-box, WB = white-box)
Management
• Review most common security issues, View trends, Assess risk
• Tooling: AppScan Enterprise (ASE) Web Based Views (BB & WB)
Compliance Officers
• Review compliance reports
• Tooling: ASE Web Based Views (BB & WB)
Developers
• Build automation, Source code analysis (WB), Part of build verification, Publish findings for remediation/trending
• Tooling: Headless Source Edition App integration with Build Forge, Ant, Maven, Make
• QC, CQ: Publish Security Defects – AppScan Enterprise Integration
• View assessment results, Remediate issues, Assign issue status
• Tooling: ASE Quick Scans (BB), Visual Studio .Net (WB), Eclipse Java (WB)
• Languages: PHP, Perl, ColdFusion, Client-Side JavaScript, C/C++, Java/JSP, .NET (C#, ASP.NET, VB.NET), Classic ASP (VB6), VBScript, Server-Side JavaScript
Rational AppScan Enterprise portal
• AppScan Enterprise, Policy Tester Enterprise, Source Edition for Core
• Source Edition Core, ASE Scan Agents (BB)
QA & Accessibility
• Conduct Quality / Privacy / Accessibility Tests, Publish findings for remediation/trending
• Tooling: AppScan Enterprise Web Based Views (BB), Policy Tester Module in ASE (BB), AppScan Tester Edition for RQM (BB)
Security specialists
• Conduct security assessments, Publish findings for remediation/trending
• Tooling: AppScan Standard Edition Desktop (BB), AppScan Enterprise Web Based Views (WB & BB), Source Edition Desktop (WB) for Assessments
Security testing within the application life cycle
Chart: % of Issues Found by Stage of SDLC, with the Desired Profile marked.
Questions & Thank You!