Web Application Security

ISACA Bangalore Chapter Aug 2007

Runa Dwibedi
In a recent application security audit

An adversary could:

 View bank statements of any user

 Siphon off funds easily
 Login without a password
 Deny access to all users
 Hijack active sessions
 Steal encryption keys
This morning…

The HTTP Protocol

Attacks on Input Validation

Insecurities in Session Management

Threats at the browser

Authentication Weaknesses

Threat Modeling
Attacks on Input Validation
Attacks on Input Validation

Client-side validation

Breach business rules

SQL Injection

XPATH Injection
Input Validation - Audit Checklist

Is input validated at server?

Are inputs checked with business rules?

Is the filter a white list?

Are SQL queries pre-compiled?

Are XPATH queries pre-compiled?
References – SSL & Encryption
• SSL Basics, RSA Security,
http://www.rsasecurity.com/standards/ssl/basics.html
• The pros and cons of securing Web services with
SSL, Jack Loftus,
http://searchwebservices.techtarget.com/qna/0,289202,
sid26_gci995388,00.html
• Understanding SSL, Shalini Gupta,
http://palisade.paladion.net/issues/2005Sep/understandi
ng-ssl/
• Encrypting data in Databases, Priyali Vibhute,
http://palisade.paladion.net/issues/2005Jun/database-
encryption/
References - SQL Injection
• SQL Injection Walkthrough, Securiteam,
http://www.securiteam.com/securityreviews/5DP0N1P76
E.html
• Introduction to SQL Injection Attacks,
Integrigy,
http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectio
nAttacks.pdf
• Best Practices in Input Validation, Roshen
Chandran,
http://palisade.paladion.net/issues/2004Dec/input-
validation/
References - XML Injection
• XML Tutorial, W3Schools,
http://www.w3schools.com/xml/
• XPATH Tutorial, W3Schools,
http://www.w3schools.com/xpath/
• Mitigating XPath Injection Attacks in .NET,
Oleg Tkachenko,
http://www.tkachenko.com/blog/archives/00038
5.html
References - XML Injection

• XPath injection in XML databases, Runa

Dwibedi,
http://palisade.paladion.net/issues/2005Jul/xpath
-injection/
• Blind XPath Injection, Amit Klein,
http://www.watchfire.com/resources/blind-xpath-
injection.pdf
Insecurities in Managing
Sessions
Insecurities in Managing Sessions

Predictable session tokens

Transmitting tokens

On Logout

Session timeout

On Login

Cross Site Scripting
Session Management - Audit Checklist

Are session tokens random?

Do session tokens use cookies?

Are session tokens sent over SSL?

Are sessions invalidated on logout?

Is session timeout duration acceptable?

Are session tokens changed on login?

Are special characters escaped?
References - Session Management

• Web-based Session Management, Gunter Ollmann,

http://www.technicalinfo.net/papers/WebBasedSessi
onManagement.html
• Securing your session with Page Tokens, Sangita
Pakala,
http://palisade.paladion.net/issues/2005Aug/page-
tokens/
• Transmitting Session IDs, Salil Aroskar,
http://palisade.paladion.net/issues/2005Jul/quiz/
References - Cross Site Scripting
• The Cross Site Scripting FAQ, CGISecurity,
http://www.cgisecurity.net/articles/xss-faq.shtml
• HTML Code Injection and Cross-site scripting,
Gunter Ollmann,
http://www.technicalinfo.net/papers/index.html#Pap
er6
• Cross Site Scripting, Are your web applications
vulnerable?, Kevin Spett,
http://www.spidynamics.com/whitepapers/SPIcross-
sitescripting.pdf
Threats at the Browser
Threats at the Browser

The browser cache

History

Browser memory

The Refresh button
Threats at the Browser - Audit
Checklist

Has cache-control: no-store been set?

Are the links in History safe?

Are passwords stored as hashes?

Are passwords sent as salted hashes?

Is redirection used during login?
References - Cache

• Caching Tutorial for Web Authors and Webmasters,

Mark Nottingham http://www.mnot.net/cache_docs/
• HTTP/1.1: Caching in HTTP,
www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
References - Passwords in memory

• Discovering passwords in the memory,

Abhishek Kumar,
http://paladion.net/papers/Discovering_Passwor
ds_In_Memory.pdf
• Passwords - In Memory Still Green, Sangita
Pakala,
http://palisade.paladion.net/issues/2004Aug/pas
swords-in-memory/
• WinHex – http://www.x-ways.net/winhex/index-
m.html
References - Browser Refresh

• Stealing Passwords via Browser Refresh,

Karmendra Kohli,
http://paladion.net/papers/Stealing_passwords_via_
browser_refresh.pdf
Insecurities in Authentication
Authentication - Forgot
Password
Best Practice

1. Ask a hint/custom question

2. Display a CAPTCHA
3. Send a short lived link to the user’s
registered email ID
4. Allow the user to reset the password over
SSL
5. Invalidate the link after one use
Authentication - Audit Checklist

Is “Forgot Password” question non-trivial?

Is the “Reset link” short-lived?

Is the new password exchanged over SSL?
References – Forgot Password

• Using Secret Questions, Mark Burnett,

http://www.owasp.org/columns/mburnett/questions
.html
The Attack of the Bots
Bots

Bots flood the server

 With fake requests in public pages

Comments page

Registration at Free e-mail sites

Support query page
How can we stop them?

Pose a question that is easy for humans to

answer but difficult for computers

Enter Captchas!
 “Completely Automated Public Turing Test to Tell
Computers and Humans Apart”
Types of CAPTCHAs

Image
 Display a distorted text image

Knowledge
 Pose a question “ What is the color of the sky?”

Arithmetic
 Pose a question “ What is 34 +15?”
How to implement a CAPTCHA

Use readily available classes

 Jcaptcha for Java

http://jcaptcha.sourceforge.net/main.html
 BotDetect for .Net

http://www.lanapsoft.com/products.html
 Authen-Captcha for Perl

http://search.cpan.org/dist/Authen-Captcha/

Build your own classes
Common Mistakes

Small set of images

 Image File-names always map to same word
 All the mappings can be discovered by attacker

Small set of images, dynamic filenames
 Attacker can brute force till the correct word is
submitted
Best Practices

1. Dynamically generate an image

2. Send it to client with random token
3. Accept user input along with token
4. Compare user input with correct word for
token
5. Invalidate the token after one use
 Do public forms have CAPTCHAs?
References - CAPTCHA

• PWntcha, http://sam.zoy.org/pwntcha/
• LanAp BotDetect,
http://www.lanapsoft.com/products.html
Audit Logs
Audit logs

An audit trail of activities enable us to trace

back fraud

Application layer activities are not logged by
system and web server logs

So, application should maintain own audit
trail

Access to logs should be controlled
The activities to be logged

Login and logout of users

Critical transactions (eg. fund transfer across
accounts)

Failed login attempts

Account lockouts

Violation of policies
 Are audit logs detailed?
 References – Logging and Audit Trails

• Application Logs - Security Best Practices, Dipesh

Rawal,
http://palisade.paladion.net/issues/2004Oct/security
-logging/
Threat Modeling
Threat Modeling

A structured technique to identify threats and

the security controls required to counter them
Across the SDLC

Threat
Modeling

SRS Design Development Testing Deployment

Evaluate against
Threat model
Phase1:Threat Profile

Is a list of all the possible threats to the

application

 For example, for an online banking application,

some of the threats would be –
- An adversary steals the password of other users
- An adversary transfers fund from others account
to his own account
Phase2: Threat Trees

Identify security controls for each threat in the

threat profile
 The 3 ways of compromising user password
would be –
- Access password
- Steal password from database
- Guess password
References - General

• Application Security FAQ, OWASP,

http://www.owasp.org/documentation/appsec_faq.
html
• HTTP/1.1: Header Field Definitions from RFC
2616,
http://www.w3.org/Protocols/rfc2616/rfc2616-
sec14.html
References - Books
• Writing Secure Code, Michael Howard, David
LeBlanc, Microsoft Press
• Secure Coding: Principles & Practices, Mark G.
Graff, Kenneth R. van Wyk, O’Reilly
• How to Break Software Security, James A.
Whittaker, Herbert H. Thompson, Addison Wesley
• Code Complete, Steve McConnell, Microsoft Press
• HTTP Developer's Handbook, Chris Shiflett, Sam’s
Publishing
• Threat Modeling, Frank Swiderski and Window
Snyder, Microsoft Press
References – Mailing List

• Security Focus Web Application Security -

http://www.securityfocus.com/archive/107
• Web Application Security Consortium Mailing List -
http://www.webappsec.org/lists/websecurity/archive
• Secure Coding Mailing List -
http://www.securecoding.org/list/
• Secure Programming Mailing List,
http://www.securityfocus.com/archive/98
Thank You