
AppSec3

Web application

Software accessible using a web browser
Multi-tiered (e.g. a web server tier and a database server tier)
First generation = CGI

HTTP

Set of rules for exchanging messages between a browser (client) and a web server
Stateless: each request is handled independently of the previous ones
HTTP Request + HTTP Response
o Header fields: Server, Host, Content-Length, etc.
o Response codes: 200, 403, 404, etc.
o Request

Format
Method URI Protocol/Version
GET http://library.nyp.edu.sg HTTP/1.1
Request Header
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Paros/3.2.13
Host: library.nyp.edu.sg
Proxy-Connection: Keep-Alive
Content-length: 0
Entity Body
Methods: GET, POST, HEAD, etc.
HEAD
o Returns the response headers only
o No message body, just the status line and headers
o Lets a client check the characteristics of a resource without actually downloading it
GET
o Data sent as name/value pairs appended to the URL
o Query length is limited
o Data visible in the address bar
http://myhost.com/register.jsp?name=Mike&country=SG

POST
o Data sent as part of the HTTP request entity body
o Can send large amounts of data
o Data sent as an input stream
o Data not shown in the address bar (still visible on the wire and in an intercepting proxy)

Response

Format
Protocol status code Description
HTTP/1.1 200 OK
Response Header
Server: Netscape-Enterprise/6.0
Date: Tue, 31 Aug 2010 09:16:29 GMT
Content-length: 406
Content-type: text/html
Etag: "49ff3a46-12-0-196"
Last-modified: Fri, 29 Sep 2006 12:03:23 GMT
Accept-ranges: bytes
Entity Body
<HTML>
<HEAD><TITLE>New Document</TITLE></HEAD>
<BODY>Hello !!</BODY>
</HTML>
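Added example (not part of these notes): a small Python parser for the request and response formats shown above. It splits a message into start line, header fields and entity body, parses the GET name/value pairs, and refuses ambiguous framing (duplicate header fields, a non-numeric or unsatisfied Content-length). The sample messages are constructed from the headers in the notes, with the User-Agent shortened; the response's Content-length is computed from the short body used here rather than the 406 of the original page.

```python
"""Parse HTTP/1.1 requests and responses into start line, headers and entity
body (added example; sample messages constructed from the notes above)."""
from urllib.parse import parse_qs, urlsplit

# Constructed request: the absolute-URI form a browser sends through a proxy (Paros).
RAW_REQUEST = (
    b"GET http://library.nyp.edu.sg HTTP/1.1\r\n"
    b"Accept-Language: en-us\r\n"
    b"UA-CPU: x86\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Paros/3.2.13\r\n"
    b"Host: library.nyp.edu.sg\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Content-length: 0\r\n"
    b"\r\n"
)

# Constructed GET carrying name/value pairs in the query string (from the notes).
RAW_GET_FORM = (
    b"GET /register.jsp?name=Mike&country=SG HTTP/1.1\r\n"
    b"Host: myhost.com\r\n"
    b"\r\n"
)

# Constructed response; Content-length is computed from this short body.
RESPONSE_BODY = (
    b"<HTML>\r\n"
    b"<HEAD><TITLE>New Document</TITLE></HEAD>\r\n"
    b"<BODY>Hello !!</BODY>\r\n"
    b"</HTML>"
)
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Date: Tue, 31 Aug 2010 09:16:29 GMT\r\n"
    b"Content-type: text/html\r\n"
    b"Content-length: %d\r\n" % len(RESPONSE_BODY)
    + b"\r\n"
    + RESPONSE_BODY
)


def parse_message(raw: bytes) -> dict:
    """Split one HTTP message into its start line, header fields and entity body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        name = name.strip().lower()            # field names are case-insensitive
        if name in headers:
            raise ValueError(f"duplicate header field: {name}")  # ambiguous framing
        headers[name] = value.strip()
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            raise ValueError("Content-length is not a decimal number")
        length = int(declared)
        if len(body) < length:
            raise ValueError("entity body shorter than Content-length")
        body = body[:length]                   # bytes beyond belong to the next message
    return {"start_line": start_line, "headers": headers, "body": body}


def parse_request(raw: bytes) -> dict:
    """Request = Method URI Protocol/Version, then headers, then entity body."""
    msg = parse_message(raw)
    parts = msg["start_line"].split(" ")
    if len(parts) != 3:
        raise ValueError(f"bad request line: {msg['start_line']!r}")
    method, uri, version = parts
    msg.update(method=method, uri=uri, version=version,
               query=parse_qs(urlsplit(uri).query))   # GET name/value pairs
    return msg


def parse_response(raw: bytes) -> dict:
    """Response = Protocol status-code Description, then headers, then entity body."""
    msg = parse_message(raw)
    parts = msg["start_line"].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {msg['start_line']!r}")
    msg.update(version=parts[0], status=int(parts[1]),
               reason=parts[2] if len(parts) == 3 else "")
    return msg


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["uri"], req["headers"]["host"])
    print(parse_request(RAW_GET_FORM)["query"])
    resp = parse_response(RAW_RESPONSE)
    print(resp["status"], resp["reason"], resp["headers"]["content-type"], resp["body"])
```

The body is cut at exactly Content-length bytes and a message with two Content-length fields is rejected outright: a parser that silently picks one interpretation of the message boundary is what lets two hops disagree about where a request ends.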

Session Management

Client-side identification (session ID) plus server-side storage to maintain state
Used in network communications (often over HTTP) to identify a session
Forms of session ID
o Embedded in the URL
Can be used even when cookies are disabled
Disadvantages:
Others can retrieve it from the browsing history
It is logged by intermediary systems
Attacks are possible just by modifying the URL and the session ID
When the user surfs to a new site, the URL containing the session ID can be sent to that site in the HTTP Referer header field
o Stored in form fields and submitted to the application
Can be used even when cookies are disabled
Not as obvious as in the URL
Tools are needed to manipulate the values, but they are commonly available
o Cookies
o cookies

Can be used to preserve knowledge of the client browser across many pages and over a period of time
Persistent = stored on the hard disk (text files)
Non-persistent = stored in RAM only
Cannot be used if the browser has cookies disabled

Session Management

Session ID
o Random and unpredictable
o Sufficient length so that brute-force guessing is not feasible
Secure transmission
o Use encryption when sending session information
Length of session validity
o Client cancellation, session time-out and server-side revocation
Session verification
o Ensure the session ID has the correct length and carries no unexpected information
Re-authenticate all significant system actions and re-issue new tokens
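Added example (not from these notes) putting the session ID forms and the practices above into one server-side session store in Python: IDs are drawn from the OS random source (256 bits, so not brute-forceable), an ID is checked for the expected length and alphabet before anything is looked up, sessions expire on idle time-out and on an absolute lifetime, logout and server-side revocation drop the entry, a significant action gets a freshly issued token after re-authentication, and the cookie form is sent with Secure (encrypted transmission only) and HttpOnly. The cookie name, the time-out values and the injectable clock are choices made for this example.

```python
"""Server-side session store implementing the session practices in the notes
(added example; cookie name, time-outs and the injectable clock are my choices)."""
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_BYTES = 32               # 256 bits from the OS CSPRNG: unpredictable, not guessable
TOKEN_LENGTH = 43              # token_urlsafe(32) is always 43 base64url characters
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9_-]{%d}" % TOKEN_LENGTH)
IDLE_TIMEOUT = 15 * 60         # session time-out: seconds allowed between requests
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap on a session's age, however active it is
COOKIE_NAME = "SESSIONID"      # constructed cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so time-outs can be tested
        self._sessions = {}        # all session state lives server side: id -> Session

    def create(self, user: str) -> str:
        """Issue a fresh, random session ID and record it server side."""
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        """Cookie form of the ID: Secure keeps it off cleartext HTTP, HttpOnly keeps
        it away from page scripts, SameSite limits cross-site sending."""
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def verify(self, sid) -> Optional[str]:
        """Session verification: check the ID's shape first, then its validity."""
        if not isinstance(sid, str) or not TOKEN_SHAPE.fullmatch(sid):
            return None                 # wrong length or unexpected characters
        session = self._sessions.get(sid)
        if session is None:
            return None                 # unknown, revoked or never issued
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT
                or now - session.created > ABSOLUTE_LIFETIME):
            self.revoke(sid)            # expired: drop it server side
            return None
        session.last_seen = now
        return session.user

    def revoke(self, sid: str) -> None:
        """Client cancellation (logout) or administrative server-side revocation."""
        self._sessions.pop(sid, None)

    def reissue(self, sid: str) -> Optional[str]:
        """After re-authenticating for a significant action: same user, new token,
        and the old token stops working immediately."""
        user = self.verify(sid)
        if user is None:
            return None
        self.revoke(sid)
        return self.create(user)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("mike")
    print(store.set_cookie_header(sid))
    print("verify:", store.verify(sid), "| tampered:", store.verify(sid[:-1] + "!"))
    new = store.reissue(sid)
    print("old token after re-issue:", store.verify(sid), "| new token:", store.verify(new))
```

Verification looks at the shape of the ID before touching the store, so an ID of the wrong length or with characters outside the base64url alphabet never reaches a lookup; expiry is enforced on the server's clock, not on anything the client sends.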

Entry Point

Entry points are the places through which one can talk to an application
o Query string
o Forms
o Java applet
o Object
o Web services
Each of them can be attacked
Impact
o Each entry point has its own impact on the application
o Input may reach the internal database or the application logic
o How an entry point is handled defines its security
o Entry point not well guarded = vulnerable

URL

Tampering with a specific area of the URL has effects at a different layer
o HTTP = protocol
o 10.0.0.1 = IP address
o Catalogue = virtual directory mapping
o Display.asp = application component
o Pg=1 = application parameter
Modification has effects on the application logic
o Product=7 = SQL application parameter
Modification has effects at the database layer
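Added example (not from these notes) for the entry-point and URL sections above: the URL is assembled from the components listed and parsed into its layers with Python's urllib, and the two application parameters are guarded at the entry point with an allow-list (integers only, within a range, no unknown or repeated names) before product reaches the database as a bound query parameter rather than as URL text. The in-memory sqlite3 catalogue table and the parameter ranges are constructed for the example.

```python
"""URL layers and entry-point guarding for Display.asp (added example; the URL
is assembled from the components in the notes, the catalogue table and the
parameter ranges are constructed)."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL = "http://10.0.0.1/Catalogue/Display.asp?pg=1&product=7"


def describe_layers(url: str) -> dict:
    """Map each area of the URL to the layer a change to it would affect."""
    u = urlsplit(url)
    directory, _, component = u.path.rpartition("/")
    return {
        "protocol": u.scheme,                       # HTTP
        "ip_address": u.hostname,                   # 10.0.0.1
        "virtual_directory": directory.strip("/"),  # Catalogue (web server mapping)
        "component": component,                     # Display.asp (application)
        "parameters": parse_qs(u.query, keep_blank_values=True),  # pg, product
    }


# Allow-list for Display.asp: every accepted parameter and its integer range.
# Anything else at this entry point is rejected before it reaches the
# application logic (pg) or the database (product).
PARAM_RANGES = {
    "pg": (1, 1000),        # application parameter
    "product": (1, 10**9),  # SQL application parameter
}


def validate_params(raw: dict) -> dict:
    """raw is the parse_qs() dict; returns {name: int} or raises ValueError."""
    unknown = set(raw) - set(PARAM_RANGES)
    if unknown:
        raise ValueError(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    for name, (low, high) in PARAM_RANGES.items():
        values = raw.get(name)
        if values is None:
            raise ValueError(f"missing parameter: {name}")
        if len(values) != 1:
            raise ValueError(f"parameter supplied more than once: {name}")
        text = values[0]
        if not (text.isascii() and text.isdigit()):   # rejects '', '-1', '7abc', '1_0'
            raise ValueError(f"{name} must be a positive integer")
        value = int(text)
        if not low <= value <= high:
            raise ValueError(f"{name} out of range")
        clean[name] = value
    return clean


def build_catalogue() -> sqlite3.Connection:
    """Constructed in-memory catalogue standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", [(7, "Widget"), (8, "Gadget")])
    return conn


def lookup_product(conn: sqlite3.Connection, product_id: int):
    """The database layer only ever sees a bound integer, never URL text."""
    row = conn.execute("SELECT name FROM product WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None


def handle(url: str, conn: sqlite3.Connection) -> dict:
    """Display.asp stand-in: parse, guard the entry point, then hit the database."""
    params = validate_params(describe_layers(url)["parameters"])
    return {"page": params["pg"], "product": lookup_product(conn, params["product"])}


if __name__ == "__main__":
    conn = build_catalogue()
    print(describe_layers(SAMPLE_URL))
    print(handle(SAMPLE_URL, conn))
    for bad in ("pg=1&product=7abc", "pg=1&product=7&product=8", "pg=1&debug=1"):
        try:
            handle("http://10.0.0.1/Catalogue/Display.asp?" + bad, conn)
        except ValueError as e:
            print("rejected:", bad, "->", e)
```

The guard is an allow-list, not a deny-list: the entry point accepts exactly the two names the component expects, each once, each a plain decimal in range, and everything else is refused before the application logic or the database layer ever sees it.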

Web Application threats (grouped by category)
Input validation
o Buffer overflow
o Cross-site scripting
o SQL injection
o Canonicalization
Authentication
o Network eavesdropping
o Brute force attacks
o Dictionary attacks
o Cookie replay
o Credential theft
Authorization
o Elevation of privilege
o Disclosure of confidential data
o Data tampering
o Luring attacks
Configuration management
o Unauthorized access to administration interfaces
o Unauthorized access to configuration stores
o Retrieval of clear text configuration data
o Lack of individual accountability
o Over-privileged process and service accounts
Sensitive data
o Access sensitive data in storage
o Network eavesdropping
o Data tampering
Session management
o Session hijacking
o Session replay
o Man in the middle
Cryptography
o Poor key generation or key management
o Weak or custom encryption
Parameter manipulation
o Query string manipulation
o Form field manipulation
o Cookie manipulation
o HTTP header manipulation
Auditing and logging
o User denies performing an operation
o Attacker exploits an application without trace
o Attacker covers his tracks
Exception management
o Information disclosure
o Denial of service

Network firewalls do not stop attacks carried inside allowed HTTP traffic

Analyzing traffic

Need to know HTTP
Things to look out for (methods, cookies, query string, etc.)
Look at everything (even the response)

Tools

Sniffing
o Wireshark
o ngrep
Browser plugins
o Firefox
LiveHttpHeaders
Lets users view the HTTP request and response headers of a page while browsing
Can edit request headers and replay a URL
Tamperdata
Shows all headers of the traffic
Can tamper with data and values
Firebug
Good for assessment and web development
Edit and inspect HTML, debug JavaScript
o IE
Fiddler
HTTP debugging proxy written in C#
Inspect and modify traffic
Logs all HTTP traffic between the computer and the Internet
