Designing and Testing Secure Web Applications - PowerPoint PPT Presentation

Provided by: wbec
1
Designing and Testing Secure Web Applications
2
Background and Material
  • Will Bechtel, Blue Oasis - CISSP
  • 18 years of experience in Software Development,
    IT and Security.
  • Development of web based applications for Sony,
    American Express, Cellular One, Federal Express,
    Sega, US Navy, Wells Fargo.
  • Example .Net Web application from
    www.foundstone.com: Hacme Bank.
  • Top ten vulnerabilities from the Open Web Application
    Security Project (OWASP), www.owasp.org

3
Overview
  • Application vulnerabilities: why should you
    care?
  • Review top ten web application vulnerabilities
    (www.owasp.org).
  • Review simplified common Web Application
    Architecture.
  • Review web application attack architecture.
  • Show web application attacks on Foundstone's
    Hacme Bank example application.
  • Introduction to automated testing tools for
    scanning web applications.
  • Overview of Web application security testing tool
    SPI Dynamics WebInspect.
  • Overview of database server testing tool
    Application Security Inc.'s AppDetective.

4
Application vulnerabilities: why should you care?
  • 2004: Victoria's Secret fined $50,000 for breach
    of privacy on its website. Parameter alteration.
  • 2002: Tower Records agreement under which it could
    pay up to $11,000 for each occurrence (up to 5,000).
    Parameter alteration.
  • None of the above mention the lawsuits that are
    sure to follow, so LIABILITY is the issue.

5
OWASP Top 10 Web App Vulnerabilities
  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS) flaws
  • Buffer Overflows
  • Injection Problems
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management

6
Typical Web Application Scenario
[Diagram: Client Web Browser (Internet Explorer) on the Internet, HTTP(S) through a Firewall to the Web Server (IIS) in the DMZ, ODBC through a second Firewall to the database server]
7
Web Application Attack Scenario
[Diagram: Attack Workstation running a Web Browser and a Proxy Server on the Internet, HTTP(S) through a Firewall to the Web Server in the DMZ, ODBC through a second Firewall to the database server]
Proxy Server allows changes to requests after
leaving the web browser, but before reaching the
server: changes to parameters, etc.
8
Hacme Bank Examples
  • SQL Injection
  • URL Parameter Manipulation
  • FORM Parameter Manipulation
  • Cross-Site scripting
  • Cookie Manipulation

9
Introduction to Automated Web Application Testing Tools
  • Tools automate the attack on the web
    server/database server.
  • Send protocol-specific requests to the server to
    test for common vulnerabilities.
  • Can execute policy-based scans for specific
    purposes.

10
What automated testing tools excel at
  • Testing for 100s of common vulnerabilities and
    misconfigurations that are impractical to test
    for manually.
  • Regression testing of servers to ensure they stay
    secure especially after activities like
    patching or new code deployment.
  • Ability to schedule automated scanning/testing
    for off-production hours to avoid conflicts.

11
What automated testing tools have problems with
  • Detailed exploits that require intelligent
    feedback and analysis, for example advanced SQL
    injection against Hacme Bank.
  • White box testing. Automated tools are most
    effective at guessing and using known
    signatures to identify issues. Software code
    reviews may find many more lurking issues that
    the tools cannot, especially with custom
    developed software.

12
Common issues with automated test tools
  • Testing can adversely impact a system being
    scanned. Performance issues and crashing can
    happen. It is usually difficult to know what the
    impact will be before scanning any given
    web/app or database server.
  • The most rigorous testing usually requires
    special planning and may overload log files, set
    off IDS sensors and leave junk application
    data.
  • Information overload and false positives.

13
Some techniques for addressing common issues with
automated test tools
  • Always run scans on development, then test, then
    production. This doesn't eliminate issues
    because many times these environments are not
    exactly the same, but it usually reduces the
    likelihood of adverse effects.
  • The first scans for any given system should be
    run manually and monitored with the system admin
    so that any issues can be identified and the scan
    can be stopped if needed.
  • If testing data will be injected, back up
    database/system prior to testing, then restore
    after test. You probably are better off creating
    a second test environment for this case.
  • Coordinate testing around known process
    schedules, ensure other security personnel who
    monitor security sensors or management systems
    are in the loop.

14
SPI Dynamics - WebInspect
  • Automated tool for scanning web applications and
    web services.
  • Smart update to get latest vulnerability tests.
  • Scriptable: can automate the login process, etc.
  • Has 2 phases:
    • Crawl
      • Read only: does not post any data.
      • Determines vulnerabilities by interacting with
        the app; uses informed guessing and reads signatures.
      • Lower impact.
    • Audit
      • Submits data to expose vulnerabilities.
      • High impact: will put test data into the application.

15
SPI Dynamics WebInspect - Challenges
  • False positives and noise.
  • Can be difficult to know how best to test an
    application. Multiple scans with and without
    credentials provide best coverage but are most
    complicated.
  • Although there are explanations for
    vulnerabilities and references to how to mitigate
    the risk, it can be difficult to determine how to
    prioritize remediation/control analysis.
  • Tool can automatically find the issues, but
    addressing them can be overwhelming.
  • Application usage/environment must be factored
    into risk ratings.

16
Application Security Inc AppDetective
  • Automated tool for scanning databases.
  • Smart update to get latest vulnerability tests.
  • Has 2 primary phases:
    • Pen Test
      • Black box: tests without authentication or
        access.
      • Determines vulnerabilities by interacting with
        the app; uses informed guessing and reads signatures.
      • Acts as an outsider would.
    • Audit
      • Utilizes supplied credentials to read
        configuration.
      • Can identify configuration/patching/other
        problems.

17
Application Security Inc AppDetective - Challenges
  • Getting the DBAs to let you test their systems
    without having a stroke?
  • Potential impact on other applications that use a
    shared DB Server.
  • Can be difficult to determine the real level of
    risk; there is always a trade-off between the
    risk of the fix breaking something and leaving
    the opening.

18
Licensing Issues
  • WebInspect is licensed by company, not per server.
    Good for large organizations; prices out smaller
    companies.
  • AppDetective is licensed per instance. More
    practical for small companies; can get pricey for
    larger organizations.

19
OWASP Top Ten Mitigation Techniques
  • Unvalidated Input, Cross Site Scripting (XSS),
    Injection Problems, Buffer Overflows
    • Mitigation techniques: Code reviews. Do not rely
      on client-side (JavaScript) validation. Develop
      or purchase common input validation routines
      (validated), then put policies/standards in place
      that require they be used or, if not, that other
      routines used pass similar validation.
  • Broken Access Control
    • Mitigation techniques: Code reviews of custom
      code. Use trusted components. URL filtering.
      Avoid client-side caching (for cookies, etc.).
  • Broken Authentication and Session Management
    • Mitigation techniques: Ensure password
      complexity and secure storage, SSL to protect
      credentials in transit, avoid client-side
      caching.
  • Cross Site Scripting (XSS) flaws
    • Mitigation techniques: Develop or purchase
      common input validation routines (validate them),
      then put policies/standards in place that require
      they be used or, if not, that other routines used
      pass similar validation.
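
The two mitigations above that the Hacme Bank parameter-manipulation examples exercise, a shared server-side validation routine and a server-side ownership check, as an added example in Python (not Hacme Bank's or the presenter's code). The account table, the session user and the request parameters are constructed stand-ins; the Python stands in for the .Net stack on the slides.

```python
import re
from decimal import Decimal

# Constructed sample data standing in for a bank's account table; it is not
# Hacme Bank's real schema.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": Decimal("500.00")},
    "1002": {"owner": "bob", "balance": Decimal("1200.00")},
}

class ValidationError(ValueError):
    """Raised by the shared validators; handlers never parse raw input themselves."""

def validate_account_id(raw):
    # Allowlist: an account id is exactly four digits, nothing else.
    if not isinstance(raw, str) or not re.fullmatch(r"\d{4}", raw):
        raise ValidationError("account id must be 4 digits")
    return raw

def validate_amount(raw):
    # Allowlist: positive decimal with at most two places and a hard ceiling.
    if not isinstance(raw, str) or not re.fullmatch(r"\d{1,7}(\.\d{1,2})?", raw):
        raise ValidationError("amount must be a positive decimal")
    amount = Decimal(raw)
    if amount <= 0 or amount > Decimal("1000000"):
        raise ValidationError("amount out of range")
    return amount

def transfer(session_user, params, log):
    """Handler for a POST like account=1001&to=1002&amount=25.00.
    Validation runs first; ownership is then checked against the
    server-side session, never against anything the client sent, so a
    parameter edited in an intercepting proxy gains nothing."""
    src = validate_account_id(params.get("account", ""))
    dst = validate_account_id(params.get("to", ""))
    amount = validate_amount(params.get("amount", ""))
    source = ACCOUNTS.get(src)
    if source is None or source["owner"] != session_user:
        # Fail closed: one generic error whether the account is missing or
        # belongs to someone else; the detail goes to the log, not the user.
        log.append(f"denied: {session_user} tried account {src}")
        raise PermissionError("access denied")
    if dst not in ACCOUNTS or source["balance"] < amount:
        raise ValueError("transfer refused")
    source["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    return source["balance"]
```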

20
OWASP Top Ten Mitigation Techniques
  • Injection Flaws
    • Mitigation techniques: Use prepared statements
      and stored procedures. Check return codes for
      proper/expected values.
  • Improper Error Handling
    • Mitigation techniques: Fail closed. Do not
      return unneeded information to the user (log it).
  • Insecure Storage
    • Mitigation techniques: Avoid storing sensitive
      information if possible; require re-entry. Do
      not roll your own encryption; use industry
      validated components.
  • Denial of Service
    • Mitigation techniques: If possible, limit the
      resources a single user can utilize. Do not
      allow unauthenticated users to execute expensive
      operations.
  • Insecure Configuration Management
    • Mitigation techniques: Patch regularly. Utilize
      vendor- and industry-supplied hardening guidelines
      for web/app/database at both the OS and
      application tier.
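
The injection mitigation above, shown as the concatenated login query beside its prepared-statement form, as an added example in Python with sqlite3 (not Hacme Bank's or the presenter's code); the in-memory user table is constructed, and Python/sqlite3 stands in for the .Net/ODBC stack on the slides. The prepared version also checks the result shape, which is the "check return codes for expected values" point.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the bank's users table.
    Passwords are kept in clear text only to keep the example short; a real
    store holds salted hashes (see the Insecure Storage slide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, username, password):
    """Vulnerable form: the query is built by string concatenation, so the
    quoting inside the user's input becomes part of the SQL itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_prepared(conn, username, password):
    """Hardened form: a prepared statement with bound parameters, so the input
    is only ever data. The result is also checked against the expected shape
    (exactly one row) instead of being trusted blindly."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    if len(rows) != 1:
        return None
    return rows[0][0]
```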

21
Web Application Security References
  • Open Web Application Security Project -
    http://www.owasp.org/
  • Web Application Security Consortium -
    http://www.webappsec.org/

22
Web Application Testing Tools
  • Paros Proxy - http://www.parosproxy.org/download.shtml
    - Proxy Server
  • Foundstone Hacme Bank and other free tools -
    http://www.foundstone.com/index.htm?subnavproducts/navigation.htmsubcontent/products/overview.htm
  • SPI Dynamics WebInspect - http://www.spidynamics.com/products/webinspect/index.html
    - Web app security assessment tool
  • Watchfire AppScan (purchased from Sanctum) -
    http://www.watchfire.com/products/security/default.aspx
    - Web app security assessment tool
  • Application Security Inc - AppDetective -
    http://www.appsecinc.com/products/appdetective/ - Database
    security assessment tool.