Top 5 Web Hacks - IBM

Top 5 Web Hacks
Adrian Owens, Certified Client Technical Professional, Southeast


© 2011 IBM Corporation

IBM Security Solutions

The Bad Guys Want In

• Black Hat Hacker: Wants to steal your important data, especially financial information, which they can sell for a gain.
• Hacktivist: Wants to take your website down. Could be motivated by politics or religion, may wish to expose wrongdoing, or exact revenge.
• Script Kiddie: May deface your website to make a name for themselves.


How: Right Through the Front Door

• Resource Access - Address Bar
• XSS - Search Field
• SQL Injection - Web Form


OWASP and the OWASP Top 10 list

Open Web Application Security Project
• An open organization dedicated to fighting insecure software

The OWASP Top Ten
• “…document represents a broad consensus about what the most critical web application security flaws are”
• www.owasp.org


OWASP Top 10 Vulnerabilities


TechWorks IBM Security Solutions

1. Injection Flaws (SQL Injection)

What is it?
• User-supplied data is sent to an interpreter as part of a command, query or data.

What are the implications?
• SQL Injection - Access/modify data in DB
• SSI Injection - Execute commands on server and access sensitive data
• LDAP Injection – Bypass authentication

© 2008 IBM Corporation

Discovering the Value of Web Application Security Testing with IBM Rational AppScan


SQL Injection

User input inserted into SQL command:
• Get product details by id: Select * from products where id='$REQUEST["id"]';
• Hack: send param id with value ' or '1'='1
• Resulting executed SQL: Select * from products where id='' or '1'='1'
• All products returned


SQL Injection Example I

Injected value: '
Resulting SQL: Select user from tvalidateuser where username=''


SQL Injection Example II


SQL Injection Example - Exploit

Injected value: ' or 1=1--
Resulting SQL: Select user from tvalidateuser where username='' or 1=1--
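The three inputs the deck walks through (a normal username, the lone quote that makes the database error out, and the `' or 1=1--` exploit) can be run side by side against the slide's own string-built query and against the fix, a parameterized query. This Python example is added here and is not code from the deck or from IBM; the table rows, the `make_db` helper and the use of SQLite are constructed for the demonstration, and the `user`/`username` column names follow the slide's `tvalidateuser` query.

```python
import sqlite3

# Constructed sample rows for the deck's tvalidateuser table (not real data).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db():
    """Create an in-memory database holding the tvalidateuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tvalidateuser (user TEXT, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tvalidateuser VALUES (?, ?, ?)",
        [(u, u, p) for u, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The slide's pattern: the request value is spliced into the SQL text.

    Returns the matching users, or the string "error" when the database
    rejects the query (a lone quote unbalances the string literal, which is
    the symptom a scanner uses to spot the flaw)."""
    sql = "SELECT user FROM tvalidateuser WHERE username='" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "error"


def lookup_parameterized(conn, username):
    """The fix: the SQL text is constant and the value is bound as a
    parameter, so quotes and comment markers inside it stay plain data."""
    sql = "SELECT user FROM tvalidateuser WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(conn, values):
    """Run each value through both lookups; returns {value: (vulnerable, parameterized)}."""
    return {v: (lookup_vulnerable(conn, v), lookup_parameterized(conn, v)) for v in values}


if __name__ == "__main__":
    db = make_db()
    for value, (vuln, safe) in compare(db, ["alice", "'", "' or 1=1--"]).items():
        print(f"{value!r:14} concatenated={vuln!r:28} parameterized={safe!r}")
```

With the concatenated query the lone quote produces a database error and the `' or 1=1--` value returns every row, exactly as the slides show; the bound-parameter version returns `alice` for `alice` and nothing at all for either probe, because the comment marker and quote never reach the SQL parser as syntax.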


SQL Injection Example - Outcome


2. Cross-Site Scripting (XSS)

What is it?
• Malicious script echoed back into HTML returned from a trusted site, and runs under the trusted context

What are the implications?
• Session tokens stolen
• Complete page content compromised
• Future pages in browser compromised


XSS Example I

aSdF




XSS Example II

HTML code:


Cross Site Scripting – The Exploit Process

Parties: User, bank.com, Evil.org

1) Link to bank.com sent to user via E-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user’s cookie and session information without the user’s consent or knowledge
5) Evil.org uses stolen session information to impersonate user
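Steps 2 and 3 of the process, the search field echoing whatever was submitted, come down to one decision in the server code: is the submitted term output-encoded before it is placed in the page? The example below is added here (not from the deck or IBM) and shows the echoing render next to the encoded one, plus the check a dynamic scanner performs on the response. The `RESULTS_TEMPLATE` page fragment is an assumed stand-in for the real results page; `aSdF` is the probe string from the deck's XSS Example I and the script string is a constructed test payload.

```python
import html

# Constructed inputs: the deck's harmless probe string and a script payload of
# the kind a scanner submits to see whether the search field echoes markup.
BENIGN_TERM = "aSdF"
SCRIPT_TERM = "<script>alert(1)</script>"

# Minimal stand-in for the search results page (assumed template, not the deck's).
RESULTS_TEMPLATE = "<p>Results for: {term}</p>"


def render_vulnerable(term):
    """Echoes the search term straight back into the HTML: the flaw."""
    return RESULTS_TEMPLATE.format(term=term)


def render_escaped(term):
    """Output-encodes the term so the browser renders it as text, never as
    markup or script, whatever characters it contains."""
    return RESULTS_TEMPLATE.format(term=html.escape(term, quote=True))


def reflects_markup(page, term):
    """Detection check a dynamic scanner applies to a response: the submitted
    term contained HTML metacharacters and came back byte-for-byte intact."""
    return any(ch in term for ch in "<>\"'") and term in page


if __name__ == "__main__":
    for term in (BENIGN_TERM, SCRIPT_TERM):
        for name, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
            page = render(term)
            print(f"{name:10} reflects_markup={reflects_markup(page, term)!s:5} {page}")
```

The benign probe looks identical in both renders, which is why scanners follow it with a payload containing angle brackets: only the vulnerable render returns that payload unchanged. Encoding at output time, in the template layer, is the mitigation the OWASP entry calls for; the cookie-hardening in the next section limits what such a script can steal even when encoding is missed.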


3. Broken Authentication & Session Management

What is it?
• Session tokens aren’t guarded and invalidated properly

What are the implications?
• Session tokens can be planted by hackers in an XSS/XSRF attack, hence leaked
• Session tokens more easily available (valid longer, less protection) to be stolen in different ways


Broken Authentication and Session Management - Examples

Unprotected Session Tokens
• Session ID kept in a persistent cookie
• Not using the HttpOnly flag for cookies

Sessions valid for too long
• Session not invalidated after logout
• Session timeout too long

Session fixation possible
• Session ID not replaced after login
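Each of the five weaknesses listed above maps to one line or method in a session implementation. The following Python session store and cookie builder are added here as an illustration (not code from the deck or from any IBM product): the cookie carries no Expires/Max-Age so it is not persistent, sets HttpOnly and Secure, the id is re-issued at login against fixation, logout drops the server-side entry, and an idle timeout expires stale sessions. `IDLE_TIMEOUT`, the `SESSIONID` cookie name and the injectable clock are assumptions for the demo; the SameSite attribute is a newer control than the 2011 deck and is included as an extra.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed policy value)


class SessionStore:
    """Server-side session table. `clock` is injectable so timeouts can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh id at login: an id planted before authentication
        (session fixation) never becomes an authenticated session."""
        self.sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie in the browser alone is not enough."""
        self.sessions.pop(sid, None)

    def current_user(self, sid):
        """Resolve a presented id, enforcing the idle timeout."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid)
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]


def session_cookie_header(sid):
    """Build the Set-Cookie value for the session id. No Expires/Max-Age makes it
    a non-persistent cookie; HttpOnly keeps it out of reach of injected script;
    Secure keeps it off plain HTTP; SameSite limits cross-site sends."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    cookie["SESSIONID"]["samesite"] = "Lax"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.new_session()
    signed_in = store.login(anonymous, "alice")
    print("id changed at login:", anonymous != signed_in)
    print("Set-Cookie:", session_cookie_header(signed_in))
    store.logout(signed_in)
    print("user after logout:", store.current_user(signed_in))
```

The pre-login id is deliberately forgotten in `login`, so an attacker who managed to plant it in the victim's browser holds nothing once the victim authenticates; the presented id must also pass the idle check on every request, which is what keeps a stolen token from staying valid indefinitely.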


4. Insecure Direct Object Reference

What is it?
• Part or all of a resource (file, table, etc.) name controlled by user input.

What are the implications?
• Access to sensitive resources
• Information leakage, aids future hacks


Insecure Direct Object Reference - Example

• Attacker may attempt to manipulate parameter “Content”
• Change to Boot.ini system file


Insecure Direct Object Reference – Example Cont.

• Poison Null Byte
• Use NULL character rather than .htm


Insecure Direct Object Reference – Example Cont.

• Bingo – Sensitive File Information at our finger tips!
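The three slides above describe one request handler: it takes the `Content` parameter, appends `.htm`, and opens the file. The Python example below is added here (not from the deck or IBM) and puts that naive resolution next to a hardened one that treats the parameter as an indirect reference into a fixed set of page names, rejects an embedded NUL, and checks that the resolved path stays under the web root. `BASE_DIR` and `ALLOWED_PAGES` are assumed values; POSIX path handling is used so the output is the same on any platform.

```python
import posixpath

# Assumed web root for the page files and a constructed allow-list of page names.
BASE_DIR = "/var/www/content"
ALLOWED_PAGES = {"welcome", "faq", "contact"}


def resolve_naive(content):
    """The slide's pattern: the Content parameter names the file directly and
    the application appends .htm. Nothing stops '..' from walking upward."""
    return posixpath.normpath(posixpath.join(BASE_DIR, content + ".htm"))


def escapes_root(path):
    """True when a resolved path lies outside BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, path]) != BASE_DIR


def resolve_hardened(content):
    """Indirect reference: the parameter selects from a fixed set of names.
    Returns the file path, or None when the request is rejected."""
    if "\x00" in content:
        # Poison null byte: C-level file APIs stop reading the name at NUL, so
        # the '.htm' the application appends would never reach the filesystem.
        return None
    if content not in ALLOWED_PAGES:
        return None
    path = resolve_naive(content)
    if escapes_root(path):  # defence in depth; the allow-list already prevents this
        return None
    return path


if __name__ == "__main__":
    for value in ("welcome", "../../../boot.ini", "welcome\x00"):
        naive = resolve_naive(value)
        print(f"{value!r:22} naive={naive!r:22} outside_root={escapes_root(naive)} "
              f"hardened={resolve_hardened(value)!r}")
```

`escapes_root` is the check a path-based resolver must make after normalization, not before; the allow-list makes it redundant here, which is the point of an indirect reference: the user never supplies a file name at all, only a key.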


5. Cross Site Request Forgery (CSRF/XSRF)

What is it?
• Tricking a victim into sending an unwitting (often blind) request to another site, using the user’s session and/or network access.

What are the implications?
• Internal network compromised
• User’s web-based accounts exploited


XSRF Exploit Illustration

Parties: Victim, Evil.org, Bank.com, WebMail, Wireless Router

1) User browses page with malicious content
2) Script (or link) is downloaded and executed in browser
3) Bank.com: Money transferred; WebMail: All mails forwarded to hacker; Wireless Router: Router opened for outside access
4) Bank.com: Money withdrawn; WebMail: Private mails accessed, possibly containing passwords; Wireless Router: Firewalls bypassed, internal computers hacked
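What makes step 3 possible is that the browser attaches the victim's session cookie to a request the victim never intended, and the bank accepts the request on the cookie alone. The standard mitigation is a per-session anti-forgery token that a page on evil.org cannot read or guess. The Python example below is added here (not from the deck or IBM) and models the Bank.com transfer endpoint with a constructed request dict; `SECRET_KEY`, the `csrf_token` field name and the session id string are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Per-deployment signing key; generated here for the demo, configured in practice.
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Anti-forgery token derived from the session id, so it is only valid for
    the session it was handed to and need not be stored server-side."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    """Constant-time comparison of the presented token with the expected one."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


def handle_transfer(request, session_id):
    """Money-transfer endpoint from the illustration. `request` is a constructed
    dict with "method" and "form" keys standing in for a real HTTP request;
    `session_id` is what the cookie resolved to. Returns "transferred" or "rejected"."""
    if request.get("method") != "POST":
        return "rejected"  # state changes never ride on GET, which any <img> tag can fire
    if not token_valid(session_id, request.get("form", {}).get("csrf_token")):
        return "rejected"  # the browser adds the cookie, but evil.org cannot read the token
    return "transferred"


def demo():
    """Legitimate form submission versus the forged request from step 2 of the illustration."""
    sid = "session-of-victim"  # constructed session id
    legit = {"method": "POST",
             "form": {"to": "bob", "amount": "100", "csrf_token": issue_token(sid)}}
    forged = {"method": "POST", "form": {"to": "attacker", "amount": "100"}}
    return handle_transfer(legit, sid), handle_transfer(forged, sid)


if __name__ == "__main__":
    legit_result, forged_result = demo()
    print("legitimate:", legit_result, " forged:", forged_result)
```

The token is bound to the session by HMAC rather than kept in a table, so a token captured from one user's page cannot be replayed against another's session; `compare_digest` avoids leaking the expected value through timing. The same check defends the WebMail and router examples in the illustration, since each relies on the browser silently supplying credentials.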


Security Testing Technologies... Combination of the Two Delivers a Comprehensive Solution

Static Code Analysis = Whitebox
• Scanning source code for security issues

Dynamic Analysis = Blackbox
• Security analysis of a compiled application

Static analysis and dynamic analysis each find a different subset of the total potential security issues; combined, they give complete coverage.


IBM Software Group | Watchfire Solutions | Rational software

Automated Security Testing

• AppScan Standard Edition – Black-box, dynamic
  • Desktop version – connects to Enterprise Reporting
• AppScan Enterprise Edition – Black-box, dynamic
  • Web-based version – connects to Enterprise Reporting
• AppScan Source Edition – White-box, static
  • IDE, Desktop, Web-based – connects to Enterprise Reporting
• AppScan Source for Automation – Build component
  • Part of build engine – Build Forge enabled
• AppScan Policy Tester – Quality, Privacy, Accessibility
  • Web-based version – connects to Enterprise Reporting


AppScan

Management
• Review most common security issues
• View trends
• Assess risk
• AppScan Enterprise (ASE) web-based views (BB & WB)

Compliance Officers
• Review compliance reports
• ASE web-based views (BB & WB)

Developers
• Build automation: source code analysis (WB), part of build verification, publish findings for remediation/trending
• Headless Source Edition app integration with Build Forge, Ant, Maven, Make
• QC, CQ: publish security defects, AppScan Enterprise integration
• View assessment results, remediate issues, assign issue status
• Languages: PHP, Perl, ColdFusion, client-side JavaScript, C/C++, Java/JSP, .NET (C#, ASP.NET, VB.NET), Classic ASP (VB6), VBScript, server-side JavaScript
• ASE Quick Scans (BB), Visual Studio .NET (WB), Eclipse Java (WB)

QA & Accessibility
• Conduct Quality / Privacy / Accessibility tests
• Publish findings for remediation/trending
• AppScan Enterprise web-based views (BB)
• Policy Tester module in ASE (BB)
• AppScan Tester Edition for RQM (BB)

Security specialists
• Conduct security assessments
• Publish findings for remediation/trending
• AppScan Standard Edition desktop (BB)
• AppScan Enterprise web-based views (WB & BB)
• Source Edition desktop (WB) for assessments

Platform components: Rational AppScan Enterprise portal (AppScan Enterprise, Policy Tester Enterprise, Source Edition for Core), Source Edition Core, ASE Scan Agents (BB)


Security testing within the application life cycle

[Chart: % of issues found by stage of SDLC, against the desired profile]


Questions & Thank You!
