Title: Designing and Testing Secure Web Applications
1. Designing and Testing Secure Web Applications
2. Background and Material
- Will Bechtel, Blue Oasis - CISSP
- 18 years of experience in Software Development, IT and Security.
- Development of web based applications for Sony, American Express, Cellular One, Federal Express, Sega, US Navy, Wells Fargo.
- Example .Net Web application from www.foundstone.com: Hacme Bank.
- Top ten vulnerabilities from the Open Web Application Security Project (OWASP), www.owasp.org
3. Overview
- Application vulnerabilities: why should you care?
- Review the top ten web application vulnerabilities (www.owasp.org).
- Review a simplified common Web Application Architecture.
- Review the web application attack architecture.
- Show web application attacks on Foundstone's Hacme Bank example application.
- Introduction to automated testing tools for scanning web applications.
- Overview of the web application security testing tool SPI Dynamics WebInspect.
- Overview of the database server testing tool Application Security Inc.'s AppDetective.
4. Application vulnerabilities: why should you care?
- 2004: Victoria's Secret fined $50,000 for breach of privacy on its website. Cause: parameter alteration.
- 2002: Tower Records agreement under which it could pay up to $11,000 for each occurrence (up to 5000). Cause: parameter alteration.
- None of the above mentions the lawsuits that are sure to follow, so LIABILITY is the issue.
5. OWASP Top 10 Web App Vulnerabilities (2004 edition)
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting (XSS) flaws
- Buffer Overflows
- Injection Problems
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management
6. Typical Web Application Scenario
Diagram: Client Web Browser (Internet Explorer) on the Internet -> Firewall -> Web Server (IIS) in the DMZ, over HTTP(S); Web Server -> Firewall -> back-end database, over ODBC.
7. Web Application Attack Scenario
Diagram: as slide 6, but the Web Browser runs on an Attack Workstation on the Internet and sends its HTTP(S) through a local Proxy Server before the request crosses the Firewall to the Web Server in the DMZ (ODBC to the database behind the second Firewall).
- The Proxy Server allows changes to requests after they leave the web browser but before they reach the server: changes to parameters, hidden form fields, cookies, etc. Any check done only in the browser is therefore bypassed.
8. Hacme Bank Examples
- SQL Injection
- URL Parameter Manipulation
- FORM Parameter Manipulation
- Cross-Site scripting
- Cookie Manipulation
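What the proxy in the slide 7 diagram lets a tester do, and what the URL-, form- and cookie-manipulation examples on slide 8 amount to, is shown below as an added example (not code from the slides, from Hacme Bank, or from Paros/WebInspect): a browser-formed POST is parsed and selected values are rewritten before it would be forwarded. The request, the Transfer.aspx target, the parameter names (accountId, toAccount, amount) and the UserId cookie are constructed for this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def _set_params(qs: str, changes: dict) -> str:
    """Merge `changes` into a urlencoded parameter string, keeping other fields."""
    params = dict(parse_qsl(qs, keep_blank_values=True))
    params.update(changes)
    return urlencode(params)


def tamper(raw: bytes, url_params=None, form_params=None, cookies=None) -> bytes:
    """Return a copy of `raw` with selected URL, form and cookie values replaced.

    Content-Length is recomputed so the server accepts the altered body; this is
    exactly what an intercepting proxy does for the tester after the browser's
    JavaScript validation has already run and passed.
    """
    method, target, version, headers, body = parse_request(raw)

    if url_params:
        parts = urlsplit(target)
        target = urlunsplit(parts._replace(query=_set_params(parts.query, url_params)))

    if form_params:
        body = _set_params(body.decode("iso-8859-1"), form_params).encode("iso-8859-1")

    new_headers = []
    for name, value in headers:
        lname = name.lower()
        if lname == "content-length":
            value = str(len(body))  # body may have changed size
        elif lname == "cookie" and cookies:
            jar = dict(part.strip().split("=", 1) for part in value.split(";"))
            jar.update(cookies)
            value = "; ".join(f"{k}={v}" for k, v in jar.items())
        new_headers.append((name, value))

    head = "\r\n".join([f"{method} {target} {version}"]
                       + [f"{n}: {v}" for n, v in new_headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample: what the browser sends after the user submits a transfer form.
ORIGINAL_REQUEST = (
    b"POST /Transfer.aspx?accountId=5204320422040001 HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Cookie: ASP.NET_SessionId=abc123; UserId=1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"toAccount=5204320422040002&amount=10"
)

# The three manipulations from slide 8 applied at once, as the proxy would let you do.
TAMPERED_REQUEST = tamper(
    ORIGINAL_REQUEST,
    url_params={"accountId": "5204320422040003"},  # URL parameter: someone else's account
    form_params={"amount": "-1000"},               # FORM parameter: negative transfer
    cookies={"UserId": "2"},                       # cookie: claim another user's identity
)

if __name__ == "__main__":
    print(TAMPERED_REQUEST.decode("iso-8859-1"))
```

Whether any of these three changes actually works against a given application depends entirely on what the server re-checks; that is the point of the mitigation slides later in the deck.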
9. Introduction to Automated Web Application Testing Tools
- Tools automate the attack on the web server/database server.
- Send protocol-specific requests to the server to test for common vulnerabilities.
- Can execute policy-based scans for specific purposes.
10. What automated testing tools excel at
- Testing for hundreds of common vulnerabilities and misconfigurations that are impractical to test for manually.
- Regression testing of servers to ensure they stay secure, especially after activities like patching or new code deployment.
- Ability to schedule automated scanning/testing for off-production hours to avoid conflicts.
11. What automated testing tools have problems with
- Detailed exploits that require intelligent feedback and analysis, for example advanced SQL injection against Hacme Bank.
- White box testing. Automated tools are most effective at guessing and using known signatures to identify issues. Software code reviews may find many more lurking issues that the tools cannot, especially in custom developed software.
12. Common issues with automated test tools
- Testing can adversely impact the system being scanned. Performance issues and crashes can happen. It is usually difficult to know what the impact will be before scanning any given web/app or database server.
- The most rigorous testing usually requires special planning and may overload log files, set off IDS sensors and leave junk application data.
- Information overload and false positives.
13. Some techniques for addressing common issues with automated test tools
- Always run scans on development, then test, then production. This doesn't eliminate issues, because many times these environments are not exactly the same, but it usually reduces the likelihood of adverse effects.
- The first scans for any given system should be run manually and monitored with the system admin, so that any issues can be identified and the scan stopped if needed.
- If test data will be injected, back up the database/system prior to testing, then restore after the test. You are probably better off creating a second test environment for this case.
- Coordinate testing around known process schedules; ensure other security personnel who monitor security sensors or management systems are in the loop.
14. SPI Dynamics - WebInspect
- Automated tool for scanning web applications and web services.
- Smart update to get the latest vulnerability tests.
- Scriptable: can automate the login process, etc.
- Has 2 phases:
  - Crawl
    - Read only: does not post any data.
    - Determines vulnerabilities by interacting with the app; uses informed guessing and reads signatures.
    - Lower impact.
  - Audit
    - Submits data to expose vulnerabilities.
    - High impact: will put test data into the application.
15. SPI Dynamics WebInspect - Challenges
- False positives and noise.
- Can be difficult to know how best to test an application. Multiple scans, with and without credentials, provide the best coverage but are the most complicated.
- Although there are explanations for vulnerabilities and references to how to mitigate the risk, it can be difficult to determine how to prioritize remediation/control analysis.
- The tool can automatically find the issues, but addressing them can be overwhelming.
- Application usage/environment must be factored into risk ratings.
16. Application Security Inc AppDetective
- Automated tool for scanning databases.
- Smart update to get the latest vulnerability tests.
- Has 2 primary phases:
  - Pen Test
    - Black box: tests without authentication or access.
    - Determines vulnerabilities by interacting with the database server; uses informed guessing and reads signatures.
    - Acts as an outsider would.
  - Audit
    - Utilizes supplied credentials to read configuration.
    - Can identify configuration/patching/other problems.
17. Application Security Inc AppDetective - Challenges
- Getting the DBAs to let you test their systems without having a stroke.
- Potential impact on other applications that use a shared DB server.
- Can be difficult to determine the real level of risk; there is always a trade-off between the risk of the fix breaking something and the risk of leaving the opening.
18. Licensing Issues
- WebInspect is licensed by company, not per server. Good for large organizations; prices out smaller companies.
- AppDetective is licensed per instance. More practical for small companies; can get pricey for larger organizations.
19. OWASP Top Ten Mitigation Techniques
- Unvalidated Input, Cross Site Scripting (XSS), Injection Problems, Buffer Overflows
  - Mitigation techniques: Code reviews. Do not rely on client-side (JavaScript) validation; anything the browser sends can be altered on its way to the server. Develop or purchase common input validation routines (validated), then put policies/standards in place that require they be used or, if not, that any other routines used pass similar validation.
- Broken Access Control
  - Mitigation techniques: Code reviews of custom code. Use trusted components. URL filtering. Avoid client-side caching (for cookies, etc). Check on every request that the caller is authorized for the object the request names (e.g. the account in a URL or form parameter), not just that the page is reachable.
- Broken Authentication and Session Management
  - Mitigation techniques: Ensure password complexity and secure storage, SSL to protect credentials in transit, avoid client-side caching.
- Cross Site Scripting (XSS) flaws
  - Mitigation techniques: Develop or purchase common input validation routines (validate them), then put policies/standards in place that require they be used or, if not, that any other routines used pass similar validation. Validation alone does not stop XSS; also encode untrusted data for the HTML context it is written into.
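The server-side counterpart to the tampering shown earlier, as an added example that is not code from the slides or from Hacme Bank: every field is validated against a whitelist on the server, the source account's ownership is taken from the session rather than from the request (the Broken Access Control point), amounts are parsed as decimals with bounds, and user-supplied text is HTML-encoded before it is written into a page (the XSS point). The form field names, the account table, the 16-digit account format and the transfer limit are assumptions made for this example.

```python
import html
import re
from decimal import Decimal

ACCOUNT_RE = re.compile(r"^\d{16}$")                   # whitelist: exactly 16 digits (assumed format)
AMOUNT_RE = re.compile(r"^\d{1,7}(\.\d{1,2})?$")       # positive decimal, at most two places
MAX_TRANSFER = Decimal("10000.00")                    # assumed business limit

# Constructed data: which accounts belong to which logged-in user id.
ACCOUNTS = {
    "5204320422040001": {"owner": 1, "balance": Decimal("500.00")},
    "5204320422040002": {"owner": 1, "balance": Decimal("120.00")},
    "5204320422040003": {"owner": 2, "balance": Decimal("9000.00")},
}


class ValidationError(ValueError):
    """Raised for any input the server refuses; the message is safe to show a user."""


def parse_amount(raw: str) -> Decimal:
    """Whitelist the format first, then range-check; 'amount=-1000' never gets this far."""
    if not AMOUNT_RE.match(raw):
        raise ValidationError("amount has invalid format")
    amount = Decimal(raw)
    if amount <= 0 or amount > MAX_TRANSFER:
        raise ValidationError("amount out of range")
    return amount


def validate_transfer(session_user: int, form: dict) -> dict:
    """Validate every field on the server and confirm the caller owns the source account.

    `session_user` comes from server-side session state, never from a cookie
    value or hidden field the browser sent.
    """
    src = form.get("fromAccount", "")
    dst = form.get("toAccount", "")
    if not ACCOUNT_RE.match(src) or not ACCOUNT_RE.match(dst):
        raise ValidationError("account number has invalid format")
    if src == dst:
        raise ValidationError("source and destination are the same")
    # Access control: the fromAccount parameter is attacker-controlled, so it is
    # only accepted if the account really belongs to the authenticated user.
    account = ACCOUNTS.get(src)
    if account is None or account["owner"] != session_user:
        raise ValidationError("not authorised for source account")
    if dst not in ACCOUNTS:
        raise ValidationError("unknown destination account")
    amount = parse_amount(form.get("amount", ""))
    if amount > account["balance"]:
        raise ValidationError("insufficient funds")
    return {"from": src, "to": dst, "amount": amount}


def handle_transfer(session_user: int, form: dict) -> str:
    """Fail closed: 'ok' only when every check passed, otherwise a short reason."""
    try:
        validate_transfer(session_user, form)
        return "ok"
    except ValidationError as exc:
        return f"rejected: {exc}"


def render_confirmation(memo: str) -> str:
    """HTML-encode user text before writing it into a page; validation alone does not stop XSS."""
    return f"<p>Transfer memo: {html.escape(memo, quote=True)}</p>"


if __name__ == "__main__":
    good = {"fromAccount": "5204320422040001", "toAccount": "5204320422040002", "amount": "10"}
    print(handle_transfer(1, good))                                  # ok
    print(handle_transfer(1, {**good, "amount": "-1000"}))           # rejected
    print(handle_transfer(2, good))                                  # rejected: not the owner
    print(render_confirmation("<script>alert(1)</script>"))
```

Note that none of these checks would be reachable from JavaScript in the browser: the rejects come from the server, so the proxy in the attack scenario changes nothing.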
20. OWASP Top Ten Mitigation Techniques (continued)
- Injection Flaws
  - Mitigation techniques: Use prepared statements and stored procedures, with input passed as parameters rather than concatenated into the SQL text. Check return codes for proper/expected values.
- Improper Error Handling
  - Mitigation techniques: Fail closed. Do not return unneeded information to the user (log it).
- Insecure Storage
  - Mitigation techniques: Avoid storing sensitive information if possible; require re-entry. Do not roll your own encryption; use industry validated components.
- Denial of Service
  - Mitigation techniques: If possible, limit the resources a single user can utilize. Do not allow unauthenticated users to execute expensive operations.
- Insecure Configuration Management
  - Mitigation techniques: Patch regularly. Utilize vendor and industry supplied hardening guidelines for web/app/database at both the OS and application tier.
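The Injection Flaws and Improper Error Handling points, as an added example that is not code from the slides or from Hacme Bank: a login query built by string concatenation (the vulnerable form the Hacme Bank SQL injection demo exploits) beside the same query as a prepared statement, run against an in-memory SQLite table so the difference can be seen directly, plus a fail-closed wrapper that logs database errors instead of returning them. The table, column names, user records and injection string are constructed for this example; a real application would also store hashed passwords rather than the plaintext used here to keep the focus on injection.

```python
import logging
import sqlite3

log = logging.getLogger("bank")

# Constructed sample users (names and passwords are made up for this example).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "passw0rd")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the bank's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def broken_db() -> sqlite3.Connection:
    """Connection with no users table, standing in for a database outage or schema change."""
    return sqlite3.connect(":memory:")


def login_vulnerable(conn, username: str, password: str) -> list:
    """The 'before': user input concatenated into the SQL text. Deliberately vulnerable."""
    sql = (
        f"SELECT user_id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    """The fix: a prepared statement. Input is bound as data and never parsed as SQL."""
    sql = "SELECT user_id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed injection string: closes the quoted literal, makes the WHERE clause
# always true, and comments out the rest of the statement (the password check).
PAYLOAD = "' OR 1=1 --"


def authenticate(conn, username: str, password: str):
    """Fail closed: return the user_id only when exactly one row matches, else None.

    Database errors are logged with full detail for the operators and never
    surfaced to the user, who only ever sees 'login failed'.
    """
    try:
        rows = login_safe(conn, username, password)
    except sqlite3.Error as exc:
        log.error("login query failed for user %r: %s", username, exc)
        return None
    if len(rows) != 1:  # check the result is what a single login should produce
        return None
    return rows[0]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "anything"))  # every user_id
    print("safe:      ", login_safe(conn, PAYLOAD, "anything"))        # []
    print("auth:      ", authenticate(conn, "alice", "s3cret"))        # 1
```

With the payload as the username, the concatenated query becomes `SELECT user_id FROM users WHERE username = '' OR 1=1 --' AND password = 'anything'`, which returns every account; the parameterised version looks for a user literally named `' OR 1=1 --` and returns nothing. The `len(rows) != 1` check is the "check return codes for expected values" advice applied to the query result.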
21. Web Application Security References
- Open Web Application Security Project (OWASP) - http://www.owasp.org/
- Web Application Security Consortium - http://www.webappsec.org/
22. Web Application Testing Tools
- Paros Proxy - http://www.parosproxy.org/download.shtml - Proxy server
- Foundstone Hacme Bank and other free tools - http://www.foundstone.com/index.htm?subnav=products/navigation.htm&subcontent=products/overview.htm
- SPI Dynamics WebInspect - http://www.spidynamics.com/products/webinspect/index.html - Web app security assessment tool
- Watchfire (which purchased Sanctum) AppScan - http://www.watchfire.com/products/security/default.aspx - Web app security assessment tool
- Application Security Inc - AppDetective - http://www.appsecinc.com/products/appdetective/ - Database security assessment tool