
Web Application Hacking Workshop

How Web Applications Get Hacked


Step-by-Step Live Workshop
Agenda

INTRODUCTIONS
PART 1: The Evolution of Web Applications and Why They Need to Be Secured
PART 2: Web Application Vulnerabilities in Depth and Hacking Demonstration
PART 3: Business Drivers Behind Web Application Security and Current Regulations
PART 4: Managing and Detecting Web Application Vulnerabilities Throughout the Application Lifecycle
PART 5: About WebInspect, About Our Partner, Closing and Q&A
SPI Dynamics
The Expert in Web Application Security Assessment

SPI Dynamics delivers security products and services that protect enterprises at the web application layer. These products are backed by the industry’s leading security experts, SPI Labs.

WebInspect is our industry-leading web application security assessment product line and is licensed to enterprises, consultants, and other institutions, both directly and via global partners.

SPI Dynamics believes that security must be implemented across the application lifecycle. The earlier a security defect is detected, the less it will ultimately cost an organization.

SPI Dynamics is dedicated to maintaining a leadership position in vulnerability assessment and we truly measure our success through the success of our customers.
PART 1
The Evolution of Web Applications and Why They Need to Be Secured

Web Sites Evolve to Web Applications
Open on Port 80, Open for Business, Open to Attack
Hack Examples

Web Sites
Simple, single-server solutions
[Diagram: Browser -> Web Server (HTML, CGI)]

Web Applications
Very complex architectures, multiple platforms, multiple protocols
[Diagram: clients (Browser, Wireless, Media services) -> Web Servers (Presentation Layer, Web Services) -> Application Server (Business Logic, Customer Identification, Content Access Controls) -> Database Server (Transaction Information, Core Business Data)]

Common Web Applications
Web Applications Invite Public Access

“Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the Network or System layer.”
- Gartner Group
Web Applications Breach the Perimeter

[Diagram: INTERNET -> DMZ (web server) -> TRUSTED INSIDE (application server) -> CORPORATE INSIDE (database server); of FTP, TELNET, IMAP, SSH, POP3 and HTTP(S), only HTTP(S) passes the outer firewall]

Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the DMZ web server. Rule: Any – Web Server: 80
Web server platforms: ASP, .NET, IIS, WebSphere, SunOne, Java, Apache

Firewall only allows applications on the web server to talk to the application server.

Firewall only allows the application server to talk to the database server (SQL, Oracle, DB2).

Web Application Risk

“Web application incidents cost companies more than $320,000,000 in 2001.”

Forty-four percent (223 respondents) to the 2002 Computer Crime and Security Survey were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.

Source: “2002 Computer Crime and Security Survey”, Computer Security Institute & San Francisco FBI Computer Intrusion Squad
Web Application Hack Example

Recording Industry Association of America (RIAA), January 3, 2003
RIAA was hacked 6 times in 6 months. The 6th time the RIAA site was hacked, downloadable, pirated music was posted. This time, a URL allowing access to the RIAA's system for posting press releases was made publicly accessible, allowing people to post messages that then appeared on the RIAA's official press release page.
Web Application Hack Example

Victoria’s Secret, November 27, 2002
A vulnerability at the Victoria’s Secret web site allowed customers who purchased items there to view other customers’ orders. By simply changing the data in the URL address line, the web application was manipulated.
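The Victoria’s Secret case above is a parameter manipulation: the order number carried in the URL is trusted as proof that the caller may see that order. The following is an added example, not code from this deck or from SPI Dynamics: a minimal Python/sqlite3 order lookup in its vulnerable form and in a form that validates the URL parameter and ties the lookup to the customer recorded in the server-side session. The orders table, its two rows and the example URLs are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def build_db():
    """Constructed sample data: two customers with one order each (not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, 1, "robe"), (1002, 2, "gift card")],
    )
    return conn


def order_id_from_url(url):
    """Pull the order number out of the query string and reject anything that is
    not a plain ASCII integer, so the value is tested before it reaches the database."""
    params = parse_qs(urlparse(url).query)
    value = params.get("order", [""])[0]
    if not (value.isascii() and value.isdigit()):
        return None
    return int(value)


def view_order_insecure(conn, session_customer_id, url):
    """Trusts the order number in the URL: any logged-in customer can read any order
    simply by editing the address line, which is the defect described above."""
    order_id = order_id_from_url(url)
    if order_id is None:
        return None
    row = conn.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row[0] if row else None


def view_order_secure(conn, session_customer_id, url):
    """Ownership comes from the server-side session, never from the URL, and is
    enforced inside the query itself rather than in a separate check."""
    order_id = order_id_from_url(url)
    if order_id is None:
        return None
    row = conn.execute(
        "SELECT item FROM orders WHERE id = ? AND customer_id = ?",
        (order_id, session_customer_id),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    url = "https://shop.example/order?order=1002"  # constructed URL; order 1002 belongs to customer 2
    print("customer 1, insecure:", view_order_insecure(db, 1, url))  # another customer's order
    print("customer 1, secure:  ", view_order_secure(db, 1, url))    # None
    print("customer 2, secure:  ", view_order_secure(db, 2, url))    # gift card
```

The ownership condition lives in the SQL so that there is no window between "fetch the row" and "check the owner"; the same pattern applies to any identifier a browser can edit (order, invoice, account, message id).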
Recent Web Application Hack Example

Ziff Davis, Hacked August 2002
Ziff Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year.
The agreement between Ziff Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after web surfers discovered an unprotected data file on Ziff Davis' site in November.
The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.
Other Hacked Websites

FTD.com – February 14, 2003 – sequential cookies
  Source: CNET News, “FTD Hole Leaks Personal Information”
Travelocity – January 22, 2001 – open directory
  Source: CNET News, “Travelocity Exposes Customer Information”
Creditcards.com – December 12, 2000 – SQL Injection
  Source: CNET News, “Company says extortion try exposes thousands of card numbers”
CD Universe – January 9, 2000 – SQL Injection
  Source: Internetnews.com, “Failed Blackmail Attempt Leads to Credit Card Theft”
Visa and MasterCard – February 17, 2003 – Partner Liability
Tower Records – December 5, 2002 – Access permissions
PART 2
Web Application Vulnerabilities in Depth and Hacking Demonstration

Why Web Application Vulnerabilities Occur
Web Application Attack Methodologies
Live Web Application Hacking
Why Web Application Risks Occur

The Web Application Security Gap

Security Professionals Don’t Know The Applications
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”

Application Developers and QA Professionals Don’t Know Security
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to build security into my web applications.”
Why Web Application Risks Occur

Developers Are Not Security Professionals
• Application development stresses functionality, not security
• Lack of awareness of security issues in development
• Lack of effective testing tools in QA
• Resource-constrained development teams

Security Professionals Are Not Developers
• Lack of awareness of application vulnerabilities in security teams
• Lack of effective testing tools
• Certifications and accreditations don’t examine the web application
• Development cycle missing from security procedures and audits
• Security scrutinizes the desktop, the network, and the server. The web application is missing.
Web Application Vulnerabilities

Web application vulnerabilities occur in multiple areas.

Application: Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration

Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Platform: Known Vulnerabilities
Web Application Vulnerabilities

Platform (Known Vulnerabilities):
• Known vulnerabilities can be exploited immediately with a minimum of skill or experience – “script kiddies”
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
• MUST have inventory process
Web Application Vulnerabilities

Administration (Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing):
• Information Disclosures
• Hacking is 99% Information disclosure
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings.
Web Application Vulnerabilities

Application Programming (Parameter Manipulation, Cross-Site Scripting, SQL Injection, Buffer Overflow, Reverse Directory Traversal, JAVA Decompilation, Path Truncation, Hidden Web Paths, Cookie Manipulation, Application Mapping, Backup Checking, Directory Enumeration):
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls can reveal source code and system files
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to our business data through a web browser
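As an added example (not part of the deck and not SPI Dynamics' code), the handler below shows three of the bullets above in working Python/sqlite3: an unchecked database call built by string concatenation beside its parameterised replacement, the unhandled-error defect that echoes the database's own message to the browser, and output encoding of stored values so that markup saved by one visitor is not replayed to the next. The accounts table, its rows, the logger name and the rendering format are all constructed for the demo.

```python
import html
import logging
import sqlite3

log = logging.getLogger("workshop-demo")  # hypothetical logger name for the demo


def build_db():
    """Constructed sample data for the demo (not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 500), (2, "bob", 1200), (3, "<b>carol</b>", 80)],
    )
    return conn


def find_balance_insecure(conn, owner):
    """Input is assumed valid and pasted into the SQL text: the 'unchecked
    database call' of the slide. Anything in `owner` becomes part of the statement."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def find_balance_secure(conn, owner):
    """Bound parameter: the value travels separately from the statement and
    can never change its structure, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def render(conn, owner, lookup, reveal_errors):
    """Request handler: run `lookup`, then render the rows as HTML table cells.

    reveal_errors=True reproduces the 'unhandled error message' defect; the
    safe setting keeps the detail in the server log and returns a generic message.
    """
    try:
        rows = lookup(conn, owner)
    except sqlite3.Error as exc:
        log.warning("database error for input %r: %s", owner, exc)
        if reveal_errors:
            # Leaks statement and schema detail to the browser.
            return "Database error: %s" % exc
        return "Request could not be processed."
    # Output encoding stops stored markup from replaying against later visitors.
    return "".join(
        "<tr><td>%s</td><td>%d</td></tr>" % (html.escape(o), b) for o, b in rows
    )


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # constructed input that the concatenated query treats as SQL
    print("concatenated:", find_balance_insecure(db, probe))   # every row
    print("parameterised:", find_balance_secure(db, probe))    # no row has that literal name
    print(render(db, "'", find_balance_insecure, True))         # database message on the page
    print(render(db, "'", find_balance_insecure, False))        # generic message, detail logged
    print(render(db, "<b>carol</b>", find_balance_secure, False))  # markup rendered inert
```

Three defences are separated on purpose so each can be checked independently: the query shape is fixed by parameter binding, the error path never forwards driver text to the client, and encoding is applied at the output boundary rather than trusting what was stored.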
Live Web Application Hacking Demo

Lab 1: Insecurity, Inc.
- Parameter Manipulation
- Directory Traversal
- Source Code Disclosure
- Remote Administration

Lab 2: FreeBank
- Cross Site Scripting
- SQL Injection
- Cookie Manipulation
- Session Hijacking
PART 3
Business Drivers Behind Web Application Security and Current Regulations

Current Regulations – Who Do They Affect?
Web Application Security and HIPAA, GLBA, Sarbanes-Oxley and SB 1386
Regulations and Accountability

Current Regulations – Who Do They Affect?

Some regulations are industry specific while others apply cross-industry.
Regulations are relevant to all organizations conducting business with web-enabled applications.
Web App Security Assessment & HIPAA

What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
US Public Law 104-191
Regulatory requirements for use of healthcare information

How does this affect my company?
Organizations working in the healthcare industry must take action to secure their web applications in order to protect the confidential healthcare information that they store, transmit and receive.

How can web application security assessment products like WebInspect help you comply with HIPAA?
WebInspect can be used to determine if your web applications are vulnerable to a loss of confidential customer information, ascertain the security of your authentication mechanisms, validate access control procedures, and conduct ongoing auditing of your web applications to test for newly discovered vulnerabilities.
Web App Security Assessment & GLBA

What is GLBA?
Gramm-Leach-Bliley Act of 1999
U.S. Public Law 106-102 (113 Stat. 1338)
Regulatory requirements for Financial Institutions

How does this affect my company?
GLBA requires all federally insured financial institutions to institute a continuous security program that covers the entire organization. Risks must be identified and managed, risk management practices must be tested, and information security risks must be monitored at all times. Those institutions found to be in noncompliance with GLBA are subject to regulatory enforcement measures including fines, corrective actions, and other penalties.

How can web application security assessment products like WebInspect help you comply with GLBA?
WebInspect can be used in a GLBA security risk assessment and for ongoing GLBA compliance.
Web App Security Assessment & Sarbanes-Oxley

What is Sarbanes-Oxley?
Sarbanes-Oxley Act of 2002 (also known as SOX)
U.S. Public Law 107-204
Regulatory requirements for Public Company Accounting Practices
IT organizations must pay particular attention to Section 404: Management Assessment Of Internal Controls

How does this affect my company?
Companies must enact security policies that ensure confidentiality of data, and then follow those policies.

How can web application security assessment products like WebInspect help you comply with Sarbanes-Oxley?
WebInspect policies can be configured via a wizard to match your company's security policy. You can then utilize WebInspect to test that policy.
Web App Security Assessment & S.B. 1386

What is SB 1386?
In effect since July 1st, 2003, SB 1386 is a far-reaching law that states any breach of computer security which results in the loss of personal data of any California resident, or which MIGHT have resulted in the loss of personal data of any California resident, must be publicly disclosed.

How does this affect my company?
Companies that fail to disclose breaches of computer security are liable for civil damages and open themselves to a bevy of potential class action lawsuits.

How can web application security assessment products like WebInspect help you comply with SB 1386?
The custom WebInspect Policy Wizard can be used to generate a security policy which you can utilize to ensure the security of your confidential customer information.
Regulations and Accountability

New regulations are requiring companies to prove due diligence to an increasing set of compliance standards.

Information Security “Due Diligence” requires:
• Compliance with applicable regulatory considerations
• Adherence to documented “best practices” for control measure implementation
• Maintaining information security at an appropriate level, as defined by company policy
• Implementation of a proper control environment
• Ensuring tamper-proof logs of key transactions
• Regular audit and validation of plans against results
• Being able to prove your security!
PART 4
Managing and Detecting Web Application Vulnerabilities

Bringing Security to the Application Lifecycle
Web Application ROI
Managing and Addressing Web Application Security Throughout the Enterprise
Application Lifecycle Phases

[Diagram: four phases in a cycle, each with the people who own it]
Design: Auditors, Dev, and Business Subject Matter Experts (SME)
Development: Developers
Testing: QA and Developers
Production: Security Operations and Auditors
Web Application ROI

“Gartner estimates that if 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, enterprise configuration management costs and incident response costs would be reduced by 75 percent each.”

John Pescatore, VP Gartner Group
Research Note “Require Vulnerability Testing During Software Development”, 10 September 2003
Web Application ROI

“Bottom Line: Global 2000 organizations need to institute security reviews of applications - not just at the architecture level, but also for errors and vulnerabilities during the QA process.”

Chris King, META Group
Return On Intelligence: Assessing Application Vulnerability, Global Networking Strategies / Security & Risk Strategies, Client Advisor 2034, 12 August 2003
Web Application ROI

"The appropriate time to address security for applications is during the development phase, when there is still an opportunity to effect change without impacting users. Products like WebInspect help enterprises in the application development phase, but also throughout the application lifecycle, providing the opportunity for IT administrators to ensure that newly developed hacks do not cripple or exploit existing applications."

Eric Hemmendinger, Research director for security and privacy, Aberdeen Group
Web Application ROI

“If security is not an integral part of your company’s development process for custom Web-based applications, your Web interfaces may be vulnerable. Ideally, security concerns should be addressed during development, but with limited internal resources, it’s difficult to cover all the bases and account for every single possible exploit.”

“Because it automates many of the auditing tasks, WebInspect can greatly expedite the process of conducting a security assessment.”

Ray Geroski, "WebInspect Learns as it Automates Web App Security Assessment", TechRepublic, Jan 7, 2003
Managing Web Application Vulnerabilities

Bring security to web development …
• Create and enforce secure coding practices created during the definition phase
• Test code during development
• Implement security tests within the QA cycle
• Consider security during Change Control proceedings and test for it following all changes

… and the application to security!
• Create internal awareness campaigns
• Develop and publish best practices
• Create procedures to work with Development to remediate vulnerabilities
• Perform frequent routine audits of production systems
• Baseline and trend application vulnerabilities
• Add web application to Certification and Accreditation programs
Enterprise-Wide Web Application Security

[Diagram: four constituencies around Web Application Security, labelled A, D, S and Q]
Security Auditors (A): Must find all the vulnerabilities in the enterprise and evaluate risks.
Application Developers (D): Must unit test for code-related security issues during the development cycle.
Security Operations (S): Must have confidence that their systems don’t have an exploitable weak point.
Quality Assurance (Q): Must address security defects as well as functional and technical defects.
Enterprise-Wide Web Application Security

Security Auditors and Risk and Compliance Officers (A)
• Help define regulatory requirements during the Definition phase of the Application Lifecycle
• Assess applications once they are in the Production phase to validate compliance
• Must act as resource for what is and is not acceptable
Enterprise-Wide Web Application Security

Application Developers (D)
• Must have clear-cut security requirements to follow during Development and QA phases
• Need to run automated tests on code during Development phase
• Must utilize secure code for re-use
• Require automated testing products that integrate into current environment
Enterprise-Wide Web Application Security

Quality Assurance Professionals (Q)
• Must test applications not only for functionality but also for security
• Must test environments for potential flaws and insecurities
• Must provide detailed security flaw reports to development
• Require automated testing products that integrate into current environment
Enterprise-Wide Web Application Security

Security Operations (S)
• Must continually test application in a real world environment to assess impact of ongoing code changes
• Must look for all levels of web vulnerabilities
  • Platform
  • Informational
  • Application
Enterprise-Wide Web Application Security

Web Application Security testing must be applied in all phases of the Application Lifecycle and by all constituencies throughout the enterprise – Auditors (A), Application Developers (D), QA (Q) and Security Operations (S).
PART 5
Closing and Q&A

About WebInspect
About Our Partner
Q&A
WebInspect Product Line

Automated
Works with all web applications and web services
(WebSphere, ColdFusion, Oracle Application
Server, .NET, Weblogic and others)
Used across application lifecycle (development,
QA, security operations/production, auditing)
Extensible, Flexible, Accurate, Comprehensive
Used by major organizations in all industries
WebInspect Product Line

WebInspect Features
Adaptive-Agents™ Technology
RCA (Recursive Crawl and Attack) Technology
Custom Scripting
Securebase™
SPI Tools
Smart Update™
Enterprise Framework
Survey-based policy generation
AVDL support (emerging interoperability standard being
proposed by leading application security vendors as part
of the OASIS standards process)
WebInspect Product Line

For a free WebInspect 15-day trial product download visit:
www.spidynamics.com
About Our Partner

SPI Dynamics is committed to developing and maintaining strategic partner programs with technology and industry leaders focused on delivering security products and services to our customers.
Q&A

Questions?
PART 5 – WebInspect Live Demo

After the 5 minute break!

For a free WebInspect 15-day trial download visit:
www.spidynamics.com

SPI Dynamics, Inc.


115 Perimeter Center Place
Suite 270
Atlanta, GA 30346
