Web Application Security - PowerPoint PPT Presentation

Provided by: personalP9
Slides: 22
Transcript and Presenter's Notes

1
Web Application Security
2
Introduction
  • Security is a process of authenticating users and
    controlling what a user can see or do

3
3-tier architecture
  [Diagram; only the "Web Browser" tier label survived extraction]
4
Some Internet Security Protocols
  • Application Layer Security
    • Electronic mail security
      • PGP (Pretty Good Privacy)
      • S/MIME (Secure Multi-Purpose Internet Mail Extensions)
  • Transport Layer Security
    • SSL/TLS (Secure Sockets Layer/Transport Layer Security)
    • SSH (Secure Shell)
  • Network Layer Security
    • IP Security (IPsec)
  • Infrastructure protection
    • DNSSEC (DNS Security Extensions)
    • SNMPv3 security (Simple Network Management Protocol Version 3)

5
How do you measure security?
  • Does 128-bit encryption make you feel safer?

6
The client
  • Common web browser
  • Communicates with the server over HTTP (PUT, POST, GET)
  • HTML markup language for the layout of pages
  • Scripting languages built into the client to control
    client-side content and communication with the
    server dynamically
  • Cookies to store state

7
The server
  • Analyses HTTP requests from the client and responds
    accordingly:
    • either sends a plain HTML page, or
    • processes the query data and sends back a dynamically
      produced page to the client.

8
The web server
  • Common examples: Apache, IIS.
  • These servers and their hosts have their own
    security problems
  • Server-side programming
    • Perl, ASP (JScript/VBScript), PHP, C

9
The DBMS
  • SQL
  • DBMS
    • Microsoft SQL Server
    • Oracle
    • MySQL
    • DB2
  • These DBMS also have their own security problems

10
Attacks
  • On the server
    • Using out-of-the-box security holes to gain
      escalated privileges, or execute commands on the
      server.
    • Make the server do something it is not supposed
      to do.
  • Examples
    • ColdFusion, Showcode.asp, FrontPage, etc.

11
Attacks
  • Through holes found using a common security
    scanner
  • Scanners simply request a fixed file name to see
    whether the file exists or not
  • Assumes the exploitable files/server have not
    been patched, so can produce false positives
  • Old techniques, but effective.
  • EASY to protect against.
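Because a scanner of the kind described on this slide just requests a fixed list of file names, its footprint in the web server's access log is distinctive: one client, many requests in a few seconds, almost all answered with 404. The following is an added example (not part of the slides) that parses constructed Combined Log Format lines and flags clients matching that pattern; the sample addresses, paths other than `/showcode.asp`, and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Combined Log Format), not taken from the slides.
# 198.51.100.9 sweeps a list of fixed file names within a few seconds and gets 404s;
# the other two clients are ordinary users (one follows a stale link and gets one 404).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /showcode.asp HTTP/1.0" 404 312 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /probe-1.asp HTTP/1.0" 404 312 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /probe-2.cgi HTTP/1.0" 404 312 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /probe-3.pl HTTP/1.0" 404 312 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /probe-4.php HTTP/1.0" 404 312 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /probe-5.htm HTTP/1.0" 404 312 "-" "-"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /products.asp HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:05 +0000] "GET /old-link.asp HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:09 +0000] "GET /contact.asp HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probing_clients(lines, min_not_found=5, min_ratio=0.8, window_seconds=60):
    """Flag clients whose traffic looks like a fixed-file-name sweep.

    A client is flagged when its 404 responses number at least `min_not_found`,
    fall within `window_seconds` of each other, and make up at least `min_ratio`
    of everything it requested. The thresholds are assumptions to tune per site.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        not_found = [r for r in recs if r["status"] == 404]
        if len(not_found) < min_not_found:
            continue
        span = (not_found[-1]["ts"] - not_found[0]["ts"]).total_seconds()
        ratio = len(not_found) / len(recs)
        if span <= window_seconds and ratio >= min_ratio:
            flagged[ip] = {
                "requests": len(recs),
                "not_found": len(not_found),
                "span_seconds": span,
                "paths": sorted({r["path"] for r in not_found}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The single 404 from the ordinary user is not enough to trip the rule, which is the point of requiring both a count and a ratio: a site with many broken links will otherwise generate noise. The flagged path list is what an administrator checks against the patch list, which is the "easy to protect against" part of the slide.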

12
Attacks
  • On out-of-the-box applications
  • Attacker can set up and audit the application in
    their own environment
  • If one goes down, they all do
  • Targets of common scanners

13
Attacks
  • On custom applications
  • More difficult to audit
  • Black box auditing techniques
  • Looks for common stupid mistakes

14
Case one
  • IIS security hole used to view ASP source
  • Database settings extracted from it
  • SQL server exposed live to the internet
  • Information from the server-side scripts used to
    connect to the server

15
Case two
  • ASP not filtering input
  • Able to directly manipulate the SQL query
  • Manipulating the SQL query extracts a valid
    cookie and creates the password

16
The problems?
  • Unfiltered user input
  • User data is not checked and can be crafted to
    manipulate processing on the server, to reveal
    file contents or to bypass checks and gain access
  • Backdoor straight to the Crown Jewels
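Case two and this slide describe the same defect: input reaches the SQL text unchanged, so the query the developer wrote is not the query the database runs. The following is an added example (not the deck's code, and not ASP) that puts the weak login check beside the corrected one against an in-memory SQLite table. The deck frames the fix as filtering input; the example uses bound parameters instead, which fixes the query shape so input can only ever be data. The table, the account and the crafted test value are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account.

    Passwords are stored in plaintext only to keep the demo short; real code
    stores a salted hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_unfiltered(conn, username, password):
    """The mistake from the slides: user input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The fix: the statement is fixed and the values are bound by the driver."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both checks on the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "unfiltered": login_unfiltered(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "correct-horse"))
    print("wrong password:   ", compare("alice", "wrong"))
    # Constructed crafted username: the quote closes the literal and "--" turns
    # the rest of the WHERE clause into a comment in the unfiltered version.
    print("crafted username: ", compare("alice' --", "wrong"))
```

With the crafted username the unfiltered version reports a successful login although the password is wrong, because the password comparison was commented out of the statement; the parameterized version looks for a user literally named `alice' --`, finds none, and refuses. Input validation on top of this is still worthwhile, but it is the bound parameter, not the filter, that removes the "backdoor".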

17
The enablers
  • Reliance on cryptography for security
  • Security through obscurity
  • Poor development
  • Poor experience
  • Limited resources
  • Awareness
  • Monitoring and plan

18
The solution(s)
  • Good initial setup
  • Programming practices
  • Internal Audits
  • Awareness
  • Updates, patches and hotfixes

19
The solution(s)
  • Intrusion detection
  • Network design
  • System architecture

20
Security Analogy
21
Internet Security
  [Diagram; labels: Internet, Internal Firewall, DMZ, Internal Network,
   Mission Critical Systems, Crown Jewels]