- Data: original data (text, images, files)
- Database: Access, SQL Server, MySQL, Oracle
- Code: Perl, PHP, servlets, JSP, ASP
- Web server: Apache, IIS, WebSphere, WebLogic, Netscape Enterprise
- User interface code: HTML, forms, JavaScript, ColdFusion
- Browser
- Input
Top 10 reasons:
– Unvalidated input
– Broken access control
– Broken authentication and session management
– Cross-site scripting
– Buffer overflows
– Injection flaws
– Improper error handling
– Insecure storage
– Denial of service
– Insecure configuration management
– Never trust input from a user
– A malicious user can tamper with anything and try to:
- Cause errors that give up information
- Overflow a buffer
- Modify parameters
- Modify the URL
- Inject SQL
- Inject script (cross-site scripting)
- Hijack a session by modifying cookies
Types of attacks:
– Insecure IDs (guessable IDs)
– Forced browsing past access control checks
- “/client” is checked for access control
- “/client/client1/data” is not
- If someone guesses the full URL…
– File permissions (OS permissions + web server permissions)
– Client-side caching
Authentication and session management
– Two main issues: credential management and session hijacking
– Flawed credential management functions:
- Password changes (expiry, etc.)
- Forgot-my-password
Web applications need to keep track of users
HTTP does not offer session management
The web application must take care of this itself, with session IDs stored in one of:
– Cookies
– Embedded in the URL
– Embedded in the dynamic web page
How is your session ID being generated?
– Time-based?
– Sequential?
How do you protect it?
– Integrity with a hash?
– Encryption?
– Encoded with an easily reversible scheme?
– Timeouts on the session ID's lifetime?
Buffer overflows
– Corrupt the execution stack of the web application
– Cause the application to execute arbitrary code
– Very common problem
– Keep your apps and OS patched!
Improper error handling
– Debug messages that help an attacker gain information that can be leveraged into a compromise
– Turn your debug output off!
– Customize error messages to ensure no information is given away
Insecure configuration management
– 90%* of break-ins can be stopped by properly configuring your web server!
– Don’t do default installations!
Insecure configuration management: default directories
Dot-dot sequence (../../) directory traversal:
– /../../winnt/system32/cmd.exe?/c+dir
Unicode directory traversal:
– /..%5c..%5cwinnt/system32/cmd.exe?/c+dir
– /cgi-bin/..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir
Unicode %5c..%5c = \..\
Unicode %c1%1c..%c1%1c = \..\
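As an added example (not part of the original slides), the check below decodes a request path the way a permissive server would, including the overlong two-byte UTF-8 trick behind %c1%1c, treats backslashes as separators and rejects any path that climbs above the web root. The sample paths are constructed from the probes listed above; the 0xC0/0xC1 folding rule is an assumption modelling that permissive decoding.

```python
"""Added example: canonicalise request paths and flag directory traversal."""
from urllib.parse import unquote_to_bytes

# Constructed sample request paths, modelled on the probes listed above.
SAMPLES = [
    "/client/client1/data",                                       # benign
    "/images/../../etc/passwd",                                   # plain dot-dot
    "/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",                   # %5c is a backslash
    "/cgi-bin/..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir",  # overlong UTF-8
    "/images/%2e%2e/%2e%2e/etc/passwd",                           # encoded dots
]

def lenient_decode(raw: str) -> str:
    """Percent-decode, then fold overlong two-byte UTF-8 like a permissive decoder.

    A lead byte 0xC0/0xC1 plus the next byte becomes ((lead & 0x1F) << 6) | (next & 0x3F),
    which is how %c0%af became '/' and %c1%1c became '\\' in the vulnerable servers.
    """
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1")

def escapes_root(request_path: str) -> bool:
    """True if the decoded path ever climbs above the web root."""
    path = lenient_decode(request_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # more '..' than real directories: traversal
                return True
        else:
            depth += 1
    return False

def flagged_samples() -> list:
    """Return the constructed samples that the check rejects."""
    return [p for p in SAMPLES if escapes_root(p)]
```

Running the check before any access-control decision means the comparison is made on the path the file system would actually see, not on the encoded form the attacker sent.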
How to stop web application attacks
– Error message customization
– Restricted access to sensitive information
– Patch web servers
– Remove sensitive pages from Google's index
– Regularly perform application tests
– Deploy a web application firewall
– Deploy an IPS that analyzes traffic at the application level