Security Statements
Q&A
© Virtual Forge 2004, SAP TechEd, SDN101, Writing Secure Web Applications / Andreas Wiegenstein
>> Security Statements
The challenge:
In order to secure an IT system, all of its components, functions and threats must be understood
In order to break an IT system, only one flaw in any of its components/functions has to be found
The problem:
Each new technology brings with it new vulnerabilities
Firewalls, Intrusion Detection Systems and Encryption don't make a secure IT system
>> Know Your Enemy - How Hackers "Work"
Types of attackers:
Hackers
Script Kiddies
Social Engineers
(Disgruntled) Employees
>> Know Your Enemy - How Hackers "Work"
Stages of an attack
Reconnaissance
Data analysis
Attack preparation
Attack
Clean up
>> Know Your Enemy - How Hackers "Work"
Be very careful
which piece of data makes it into productive code
to remove old code/pages
what questions you ask in forums
to exhaustively test your applications
>> Web Application Characteristics
Web application
processes client data
requests server data (through API calls)
>> Web Application Characteristics
Threats:
JavaScript may not work on the client, hence client-side input validation might not be possible
client might change "unchangeable" data
hidden fields
select box values
Cookies
user agent
Referrer
...
client might ignore length restrictions
client might add or remove data
>> Web Application Characteristics
Threats:
data might be read or changed en route
someone else might assume the identity of the server
HTTPS
provides Confidentiality, Integrity, Authenticity (CIA)
! Caveat:
The quality of encryption can vary
Client authentication is not guaranteed
HTTPS might slip malicious code past a Firewall or IDS
HTTPS protects the data transfer between client and server - nothing else
>> Web Application Characteristics
Threats:
system might not be configured securely
system might run unnecessary (dangerous) services/examples
system might be buggy
! Advice:
have an expert configure the systems for your needs
have an expert harden the systems
first test, then install patches
have an independent team run a penetration test
constantly repeat those steps
>> Web Application Characteristics
Web application
Threats:
unexpected user input
manipulated data from the database/configuration file
manipulated text from a text repository
! Advice:
don't trust any input
use positive filters: only allow what's valid
validate all input for its destined context
>> Web Application Characteristics
Summary
all client attacks against a web app must be carried out through the HTTP(S) protocol
validating all input is the key to web application security
data transfer in an intranet/internet must be protected
keeping an IT system secure is an ongoing process, not a single action
>> Attack & Defense - Threats and Best Practices
In-Band Signaling
Cross-Site Scripting
SQL injection
OS command injection
Forceful Browsing
Session Hijacking
Fault Induction
Directory Traversal
Cookie Poisoning
>> Attack & Defense - Threats and Best Practices
In-Band Signaling
Threat:
an application fails to separate metadata and control instructions from the data, resulting in Unwanted Command Execution.
Risk:
arbitrary command execution on the server
Best practices:
metadata and control instructions must be escaped.
>> Attack & Defense - Threats and Best Practices
Cross-Site Scripting
Threat:
an attacker manages to place HTML content into a page someone else will open at a later time, possibly in a different security context.
Risk:
Tampering with Data
execution of ActiveX commands
Information Disclosure
Stolen Cookie (SSO2 ticket)
Stolen data (Redirected forms)
>> Attack & Defense - Threats and Best Practices
Supposed output:
<br>Applicant:<u>Smith</u>
>> Attack & Defense - Threats and Best Practices
Visible output:
Applicant: Smith
>> Attack & Defense - Threats and Best Practices
SAP System
WAS/ABAP: cl_http_utility->escape_html
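Added example (not from the slides or from SAP): the "Applicant:" line from the previous slides rendered with and without HTML escaping, in the spirit of cl_http_utility->escape_html. The function and sample names are assumed.

```javascript
// Escape the five characters that carry HTML metadata so that any markup
// contained in the input is displayed literally instead of being rendered.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;") // first, or the entities below get re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Rendering as on the slide: the applicant name is concatenated into the
// page as-is (kept only for comparison with the hardened version).
function renderApplicantUnsafe(name) {
  return "<br>Applicant:<u>" + name + "</u>";
}

// Hardened rendering: every dynamic value passes through escapeHtml on
// its way into the HTML body context.
function renderApplicant(name) {
  return "<br>Applicant:<u>" + escapeHtml(name) + "</u>";
}

// Constructed sample inputs: the expected case and a name carrying markup.
const SAMPLES = ["Smith", "<b>Smith</b>"];
for (const s of SAMPLES) {
  console.log("unsafe:", renderApplicantUnsafe(s));
  console.log("safe:  ", renderApplicant(s));
}
```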
>> Attack & Defense - Threats and Best Practices
SQL injection
Threat:
An attacker manages to place SQL commands into an input string that is used as a parameter in a database query.
Risk:
Tampering with Data
data can be changed/deleted without authorization
Information Disclosure
data can be read without authorization
Denial of Service
data can be deleted without authorization
Elevation of Privilege
depending on the database, system commands can be executed
>> Attack & Defense - Threats and Best Practices
Best practices:
validate input
remove/escape the character ' in strings
>> Attack & Defense - Threats and Best Practices
// Vulnerable query construction as shown on the slide (JScript/ASP):
// cUser comes straight from the "user" request parameter, unvalidated
Conn = Server.CreateObject("ADODB.Connection");
Conn.Open(pDBName);
inSQL = "SELECT * FROM User WHERE UID='" + cUser + "'";   // plain string concatenation
exSQL = sql_Exec(Conn, inSQL);
>> Attack & Defense - Threats and Best Practices
(valid credentials)
URL http://www.example.com/hack.asp?user=smith23
SQL SELECT * FROM User WHERE UID='smith23'
> Welcome back, Mr. Smith!
(invalid credentials)
URL http://www.example.com/hack.asp?user=bad_guy
SQL SELECT * FROM User WHERE UID='bad_guy'
> Please provide the correct credentials.
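Added example (not from the slides): the hack.asp query builder beside a hardened version that applies the two best practices above, a positive filter for the UID and escaping of the quote character, and that also illustrates "validate all input for its destined context" from the Web Application Characteristics section. sql_Exec and the ADODB connection are left out; the functions return the SQL text so the difference is visible. The UID format is an assumption.

```javascript
// Builder as shown on the slide: the UID is concatenated as-is.
function buildUserQueryUnsafe(cUser) {
  return "SELECT * FROM User WHERE UID='" + cUser + "'";
}

// Positive filter (assumed format): a UID is 1..20 lower-case letters,
// digits or underscores. Everything else, the quote character included,
// is rejected before any SQL is assembled.
const UID_PATTERN = /^[a-z0-9_]{1,20}$/;

function isValidUid(cUser) {
  return typeof cUser === "string" && UID_PATTERN.test(cUser);
}

// Second line of defence: double any single quote so it cannot terminate
// the string literal (the escaping rule from the best-practices slide).
function escapeSqlString(s) {
  return s.replace(/'/g, "''");
}

// Hardened builder: validate for the SQL context first, escape second.
// Returns null for rejected input so the caller can answer with the generic
// "Please provide the correct credentials." without running a query.
function buildUserQuery(cUser) {
  if (!isValidUid(cUser)) return null;
  return "SELECT * FROM User WHERE UID='" + escapeSqlString(cUser) + "'";
}

console.log(buildUserQuery("smith23"));
console.log(buildUserQuery("bad'guy")); // null: rejected by the positive filter
```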
>> Attack & Defense - Threats and Best Practices
OS command injection
Threat:
An attacker manages to place OS commands into an input string that is used as part of a system command issued by the web app.
Risk:
complete system compromise
Best practices:
Don't execute system commands from a web app.
If you must execute commands, don't base them on user input.
>> Attack & Defense - Threats and Best Practices
Forceful Browsing
Threat:
A resource that is not reachable through normal application logic is accessed by directly navigating to its URL.
Risk:
(resource is a document)
Information Disclosure
(resource is a page)
Information Disclosure
Elevation of Privilege
Best practices:
All sensitive resources must be protected by strict access control.
>> Attack & Defense - Threats and Best Practices
Application URLs
A) http://www.example.com/page1.html
B) http://www.example.com/2003/report.pdf
C) http://www.example.com/2003/report.pdf
Deductions
A) http://www.example.com/page2.html
B) http://www.example.com/2004/report.pdf
C) http://www.example.com/2003/
>> Attack & Defense - Threats and Best Practices
Session Hijacking
Threat:
An attacker might deduce another user's session ID from his own.
Risk:
Spoofing
Tampering With Data
Information Disclosure
Elevation of privilege
Best practices:
Use proven industry standards that have been reviewed by experts.
If you must create your own session management, consult a cryptographic expert.
>> Attack & Defense - Threats and Best Practices
Result
"Welcome Mr. Smith, you have no new messages"
Manipulated ID
"sid=u0000124"
Result
"Welcome Mr. Anderson, you have 5 new messages"
>> Attack & Defense - Threats and Best Practices
Fault Induction
Threat:
Error conditions are forced by manipulated input in order to deduce information.
Risk:
Information Disclosure
Best practices:
Use proper input validation.
Display only general messages like "Invalid input" or "An error has occurred."
>> Attack & Defense - Threats and Best Practices
Application URL:
http://www.example.com/main.asp?disp=start.html
Manipulated URL:
http://www.example.com/main.asp?disp=#%;xy?
Application output:
An Error has occurred:
The file "c:\app\html\#%;xy?" could not be found.
>> Attack & Defense - Threats and Best Practices
Directory Traversal
Threat:
Input that is used to look up files is modified in order to access another file.
Risk:
Information Disclosure
Denial of Service
Best practices:
Use a positive filter to define all allowed resources.
>> Attack & Defense - Threats and Best Practices
Application URL
http://www.example.com/main.asp?disp=start.html
Exploit
http://www.example.com/main.asp?disp=..\..\winnt\win.ini
>> Attack & Defense - Threats and Best Practices
Cookie Poisoning
Threat:
Application data stored in a cookie might be manipulated.
Risk:
Tampering with Data
Information Disclosure
Best practices:
Don't rely on data stored in cookies (they are input) unless this data is protected by cryptography (SSO2 ticket)
>> Attack & Defense - Threats and Best Practices
(Manipulated cookie)
item1_ID=12369&item1_pr=0,95&item2_ID=10334&item2_pr=1,95
> Total Amount: $2,90
>> Attack & Defense - Threats and Best Practices
Summary
all attacks shown have one thing in common: unexpected input
the best way to protect against unexpected input is by using positive filters: only allow what's valid
! Advice
validate all input
only rely on server side data validation
reduce your input to its simplest form: canonicalization
>> General Best Practices
Management:
>> General Best Practices
Software Development:
>> References and Further Reading
Application security:
Social engineering:
>> Q&A