Web Application Security
Introduction to common classes of security flaws and testing methodologies

Cade Cairns, cade@thoughtworks.com
Feb 2014
Presented to: ThoughtWorks Quito, Noche Geek

Slide 2: Outline

Intent:
- Discuss common classes of web security flaws
- Demonstrate tools that developers and testers can use to harden web applications
- Describe other ways to mitigate risks
- Show what a professional tester (or attacker) might do
Slide 3: About me

ThoughtWorks Canada: Software Developer
REcon Security Conference (http://recon.cx/): Conference Organizer
Past:
- SecurityFocus: threat analyst, software developer
- BGSN: security analyst for gaming companies
- Subgraph: software developer for Vega
- (and various others)
Slide 4: Threat evolution

As the web continues to evolve, so do the threats
Attack surface keeps increasing
Developers want features to enhance their web application functionality, but that comes at a cost
Many more massive online services
Exploit markets now exist; value of vulnerabilities increasing
Result: much higher motivation to break security
Slide 5: Agenda

Testing methodology with overviews of common security flaws
Attacks against servers
Attacks against clients
Slide 6: Testing plan

Information gathering:
- Map application content
- Identify hidden content
- Identify hints for attack vectors
- Look for accidental leakage
- Enumerate other resources

Analysis:
- Target analysis
- Research

Automated scanning
Test authentication mechanisms
Verify access controls
Test input validation
Look for XSS, CSRF
Slide 7: Toolkit

Types of tools:
- Intercepting proxy (supporting SSL MITM)
- Web application spider (passive, active)
- Content discovery
- Data analysis
- Fuzzing
- Automated vulnerability scanning (passive, active)
- Automated attacks
- Network scanners
- Resource scanner

Tools lists: http://sectools.org/
More reading: http://sectooladdict.blogspot.com/
Slide 8: Burp Suite

Popular choice for use by security testers
Integrates a lot of tools:
- Intercepting proxy
- Spider (active and passive)
- Scanner (active and passive)
- Fuzzer
- Discovery and test attack automation
- HTTP request tester (repeater)
- Data analysis and comparison
- Content encoders/decoders

Supports third-party plug-ins
Multi-platform: written in Java
Free version with crippled features; $299 USD/year
Slide 9: OWASP Zed Attack Proxy (ZAP)

Highly-rated security tool [1]
Provides many useful functions:
- Intercepting proxy
- Spider (active and passive; supports Ajax)
- Scanner (active and passive)
- Fuzzer
- File/directory brute forcer

Supports third-party add-ons; online marketplace
Multi-platform: Swing Java
Open source; Apache License 2.0

[1] http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/
Slide 10: Subgraph Vega

Software attempting to integrate more features than Burp, for free
Has several useful features:
- Intercepting proxy
- Spider (active and passive)
- Scanner (active and passive)
- Well-designed probes for security flaws
- Scanner modules are written in Javascript; easily extensible

Multi-platform: Eclipse RCP
Open source; Eclipse Public License 1.0
Slide 11: skipfish

Web application security reconnaissance tool
Features:
- Scanner (active)
- Well-designed probes for security flaws
- Attempts to do non-disruptive checks
- Brute force resource identification using a dictionary: combinations of ${keyword}.${extension}

Multi-platform: Linux, FreeBSD, Mac OS X, Windows
Open source; Apache License 2.0
Slide 12: sqlmap

Simplifies detecting and exploiting SQL injection flaws
Features:
- Detecting, exploiting SQL injection flaws
- Full support for many DBMSs
- Supports multiple SQL injection techniques
- Database fingerprinting
- Fetching data from database
- Executing arbitrary OS commands

Multi-platform: Python 2.6.x and 2.7.x
Open source; GPLv2
Slide 13: Nikto

Tool to identify dangerous applications, files, and configurations
Features:
- Large database of dangerous files/web apps
- Common web server misconfigurations
- Fingerprinting web servers

Multi-platform: Perl
Open source; GPL
Slide 14: Kali Linux

Linux penetration testing distribution
Formerly known as BackTrack Linux
Contains most of the tools used in this presentation and many more
Open source; various licenses
Slide 15: More tools

Some more helpful tools:
- nmap
- DNSenum
- netcat
- stunnel
Slide 16: Test target: OWASP BWA

OWASP BWA (Broken Web Applications)
Linux virtual machine running applications with known vulnerabilities
Useful for learning about web application security testing and testing tools
For this presentation, focus on testing WackoPicko, which was used for the paper "Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners"
Slide 17: Step 1: mapping the application [Information gathering]

Purpose:
- Get a thorough view of the target
- Identify common misconfigurations
- Can reuse information later as you discover problems

Methodology:
- Passive spidering: explore visible content using a security proxy tool
- Map the application using multiple users (privileged, non-privileged) if applicable
- Check against public resources e.g. Google
- Active spidering (if desired)

Tools:
- Burp Proxy or ZAP Proxy
Slide 18: Demo: Mapping the application
Slide 19: Step 2: identify hidden content [Information gathering]

Purpose:
- Find content that wasn't linked to publicly
- Find default content

Methodology:
- Scan the web site using tools

Tools:
- Nikto

Slide 20: Demo: Identifying hidden content
Slide 21: Step 3: target analysis [Analysis]

Purpose:
- Figure out what you're up against
- Gain insight to better tune later attacks

Methodology:
- Identify the technologies used
- Identify functionality
- Determine how core functionality works, URL style, etc.
- Enumerate inputs
- Identify redirects
- Understand security model
- Review use of cookies

OWASP A10-Unvalidated redirects and forwards

Slide 22: Step 4: identify hints for attack vectors [Analysis]

Purpose:
- Look for anything that unintentionally identifies weak functionality

Methodology:
- Review robots.txt
- Look for commented out code, links
- Review cross-domain files: Flash, Silverlight

Slide 23: Example robots.txt

User-agent: *
Disallow: /admin/
Disallow: /site-old/
Disallow: /api/ # new API
Disallow: /partner/ # partner API

Slide 24: Step 5: look for accidental leakage [Analysis]

Purpose:
- Look for content that should not be accessible

Methodology:
- Identify error handling with information leakage
- Search for copies of edited script files, i.e. where the extension was changed (file.php~, .file.php.swp)
- Look for the .DS_Store file or other files that index a directory
- Guess filenames: AnnualReport2014.pdf when AnnualReport2013.pdf exists

Slide 25: Avoiding leakage

How much does your site need to reveal? Do any components actually need to know your web server version or version of Rails?
Principle of least privilege: every module must be able to access only the information and resources that are necessary for its legitimate purpose
Protect sensitive information; use access controls where it must be disclosed
Use generic error messages

Slide 26: Step 6: enumerate other resources [Information gathering]

Purpose:
- Look for other network resources: web sites, etc.

Methodology:
- Enumerate DNS hostnames, network blocks of other systems
- Identify other systems related to the target

Tools:
- nmap
- DNSenum

Slide 27: Step 7: scan the target for security flaws [Automated scanning]

Warning: do not run an automated scanner in a production environment!

Purpose:
- Identify possible security flaws in the target web application

Caveats:
- Scanners lack intuition and understanding of requirements
- Scanners cannot improvise
- False positives and false negatives are common

Tools:
- Vega
- skipfish

Slide 28: Demo: Automated scanning

Slide 29: Authentication

OWASP A2-Broken Authentication and Session Management
Authentication is the main defense against unauthorized access and typically core to security
Easy to make mistakes
Common types:
- Form-based authentication
- HTTP authentication (basic, digest, Windows)
- Multifactor authentication
- SSL certificates
- Authentication services
Slide 30: Step 8: test authentication mechanisms [Authentication]

Methodology:
- Test password quality
- Attempt to enumerate usernames
- Attempt to brute force passwords
- Test account recovery function for enumerated users
- Examine cookies if a 'remember me' option exists
- Verify credentials are submitted securely
- If multi-phase authentication is used, test for logic flaws

Tools:
- Web browser
- Burp
Slide 31: Authentication

Most common passwords of 2013 [1]
1. 123456 (up 1)
2. password (down 1)
3. 12345678 (unchanged)
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)

[1] http://splashdata.com/press/worstpasswords2013.htm
Slide 32: Authentication

Basic guidelines for safer authentication:
- Passwords should be of a minimum length and contain a combination of alphabetic, numeric, uppercase, lowercase characters
- Don't limit the characters that can be used
- Avoid verbose authentication failure messages: use a single, generic error message
- Consider requiring periodic password changes
- Prevent brute force: lockout, CAPTCHAs
- Don't use unsafe questions for forgotten password
- Don't generate predictable usernames or passwords
- Transmit credentials using HTTPS
Slide 33: Session Management

Guidelines to prevent sessions of legitimate users from being hijacked:
- Generate strong random tokens: do not use predictable values or elements
- Transmit session tokens using HTTPS; use the 'Secure' attribute when setting the cookie
- Do not permit concurrent logins for the same user; invalidate older sessions
- Enforce inactivity timeouts
- Do not expose session identifiers in URLs
- Invalidate session identifiers during logout
- Verify information e.g. user-agent is valid throughout session
Slide 34: Session Fixation

Attack where one person attempts to set another person's session identifier
Example:
- An airline includes session tokens in its URLs. An authenticated user shares a URL with his friend, allowing the friend to book a trip using his credit card.

More guidelines:
- Do not accept session identifiers from GET or POST query data
- Assign a new session identifier when a user logs in
Slide 35: Access control

OWASP A4-Insecure Direct Object References
Applications often expose references to:
- Database keys
- Files
- Directories

Avoid exposing resources directly. When these resources are exposed, it is important that checks exist to ensure a user is authorized to access them.
Example:
- Enumerating customers of a system by changing the customer ID on an account details page
- Request parameter used in a filesystem path
Slide 36: Demo: Site map comparison
Slide 37: Example simple filesystem traversal

Example:
http://somesite.com/get_image.php?file=welcome.png

Some possible attacks:
?file=../../../etc/passwd
?file=/etc/passwd
?file=/etc/passwd%00
?file=../get_image.php
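The defender's side of the traversal slide, as an added example that is not the demo application's code: a resolver for the untrusted ?file= value that rejects each of the four attack shapes listed above (NUL byte, absolute path, '..' climbing, reaching the script itself) before any file is opened. IMAGE_ROOT and the allowed extensions are assumptions for the example.

```python
import os
from pathlib import Path

# Directory the endpoint may serve from (assumed location for this example).
IMAGE_ROOT = Path("/var/www/images")
ALLOWED_SUFFIXES = {".png", ".jpg", ".gif"}


class UnsafePath(ValueError):
    """Raised when a requested name would escape IMAGE_ROOT."""


def resolve_image(requested, root=IMAGE_ROOT):
    """Map the untrusted ?file= value onto a path inside `root`.

    Each check targets one of the attacks on the slide: the NUL byte (%00)
    that truncates C-string paths, absolute paths, and '..' components that
    climb out of the image directory or reach the script itself.
    """
    if "\x00" in requested:
        raise UnsafePath("NUL byte in file name")
    # The parameter must be a bare file name: no directory components at all.
    if requested in ("", ".", "..") or requested != os.path.basename(requested):
        raise UnsafePath("directory components are not allowed")
    # Only the kinds of file this endpoint exists to serve.
    if Path(requested).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePath("unexpected extension")
    candidate = (root / requested).resolve(strict=False)
    # Defence in depth: after canonicalisation the path must still be under root.
    if root.resolve(strict=False) not in candidate.parents:
        raise UnsafePath("path escapes image root")
    return candidate


def is_safe(requested):
    """True if resolve_image would serve the request, False if it rejects it."""
    try:
        resolve_image(requested)
        return True
    except UnsafePath:
        return False
```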
Slide 38: Access control

Cookie scope:
Specify the domain when setting a cookie. A cookie set via attacker.example.com will otherwise be sent to any example.com host
Restrict the cookie path when possible
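The session guidelines (slides 33 and 34) and the cookie-scope advice above, worked through as an added example rather than code from the demo target: a server-side session store that issues CSPRNG identifiers, reads the identifier only from the cookie, re-issues it on login, invalidates older sessions of the same user, enforces an inactivity timeout, and emits a Set-Cookie value with explicit Domain, Path, Secure and HttpOnly. The timeout value and the class design are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """Server-side session store following the slides' guidelines. The id is
    read from the cookie only, never from GET or POST data, so a URL carrying
    someone else's identifier cannot select that session."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so timeouts can be tested
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}

    def create(self):
        # Strong random token from the OS CSPRNG, not a counter or a hash of the user name
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def get(self, cookies):
        """Session id if the cookie names a live session, else None."""
        sid = cookies.get("sid")
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # inactivity timeout
            return None
        sess["last_seen"] = self._now()
        return sid

    def login(self, old_sid, user):
        """Fresh id on authentication (defeats fixation) and no concurrent
        logins: any older session of the same user is invalidated."""
        self._sessions.pop(old_sid, None)
        for sid in [s for s, v in self._sessions.items() if v["user"] == user]:
            del self._sessions[sid]
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def session_cookie(sid, domain, path="/"):
    """Set-Cookie value with explicit Domain and Path scope, Secure and HttpOnly."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["domain"] = domain
    c["sid"]["path"] = path
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    return c["sid"].OutputString()
```

Logout is the same operation as the timeout branch: drop the server-side record so the identifier is dead even if the cookie lingers in the browser.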
Slide 39: Step 9: verify access controls [Access control]

Purpose:
- Verify access controls are properly applied to sensitive functionality

Methodology:
- Map the site using a different user
Slide 40: Data exposure

OWASP A6-Sensitive Data Exposure
Protect user data in transit:
- Use HTTPS
- https://www.ssllabs.com/ssltest/

Hardening data:
- Encrypt sensitive data (ex. passwords, credit cards)
- Use strong encryption and rotate keys where applicable
- PBKDF2 for salted passwords

Backups:
- Make sure backups are protected
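The authentication guidelines of slides 30 and 32 (password quality, no username enumeration, one generic failure message) together with the PBKDF2 advice above, as an added example that is not the demo application's code. The iteration count, the minimum length and the user table are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000     # PBKDF2 work factor (assumed value; tune per deployment)
MIN_LENGTH = 8           # assumed minimum; the slide gives no specific number
GENERIC_ERROR = "Invalid username or password"


def password_meets_policy(password):
    """Minimum length plus a mix of lowercase, uppercase and digits. Any other
    character is allowed: the policy never restricts which characters may be used."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table for the example: username -> (salt, digest)
USERS = {"alice": hash_password("Tr0ub4dor&3xample")}
# Dummy record so unknown usernames cost the same PBKDF2 work as real ones.
_DUMMY = hash_password(os.urandom(8).hex())


def authenticate(username, password):
    """Returns (ok, message). The message and the amount of work are identical
    for a wrong password and for a non-existent user, so the login form
    cannot be used to enumerate usernames."""
    salt, expected = USERS.get(username, _DUMMY)
    _, actual = hash_password(password, salt)
    ok = hmac.compare_digest(actual, expected) and username in USERS
    return ok, ("OK" if ok else GENERIC_ERROR)
```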
Slide 41: Verifying client input

Assume all input from a client is malicious. Even if the client is trusted, it may be under control of an attacker
Do not use the client to relay sensitive parameters, ex. price of an item in a shopping cart.
- Users can see hidden input
- Requests can be intercepted
- Obfuscation isn't sufficient (e.g. ViewState)
- Browser extensions can be decompiled or debugged

Verify input on both the client side and server side for usability, reliability
Attacks can come from surprising sources
Slide 42: Demo: Request manipulation
Slide 43: Attack from an unexpected source

http://www.infoworld.com/t/security/googles-dangerous-bots-put-the-whole-web-edge-230475
Slide 44: Injection

OWASP A1-Injection
There are many types of injection:
- SQL injection
- NoSQL injection
- XPath injection
- LDAP injection
- SOAP injection
- OS command injection
- SMTP injection
- Back-end request injection

Attackers can use these attacks to steal data, execute arbitrary commands, or even to be destructive
Mitigation:
- Separate untrusted data from commands or queries
Slide 45: SQL Injection (SQLi)

The most prevalent injection attack
Typically trivial to exploit:
Applying escape characters to parameters before using them works, but it is easy to let a parameter fall through the cracks
Mitigation:
- Use parameterized queries
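The two approaches on this slide side by side, as an added example (not the WackoPicko code used in the demo): a login query where escaping was applied to one parameter but the other fell through the cracks, next to the parameterized version in which the SQL text is fixed. The in-memory SQLite table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed users table for the example.
    Passwords are stored in clear only to keep the query comparison short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, name, password):
    """The pattern the slide warns about: input is spliced into the SQL text.
    The name is escaped, but the password parameter fell through the cracks,
    so a quote in it changes the structure of the query."""
    safe_name = name.replace("'", "''")
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{safe_name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """The mitigation: the SQL text is constant and both values travel as
    bound parameters, so no input can alter the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(conn, name, password):
    """Run both versions on the same input; returns (vulnerable, parameterized)."""
    return (login_vulnerable(conn, name, password),
            login_parameterized(conn, name, password))
```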
Slide 46: Demo: SQL injection
Slide 47: XSS

OWASP A3-Cross-site Scripting (XSS)
An attacker can execute scripts in a user's web browser, performing any action the user can
Two main types of XSS:
- Reflected: script is reflected off the web server
- Stored: scripts are permanently stored, displayed when a resource is loaded

Same-origin policy: prevents an app from accessing the DOM on another site
- Same origin: protocol, host, port
- Policy applies to XMLHttpRequest
- Cross-origin resource sharing (CORS) permits access across domain boundaries
- <script> tag can load data from another site; executes in context of loading site (ex. JSONP)
Slide 48: XSS

Same-origin policy with CORS:
- For many requests, a "preflight request" is sent to verify the cross-origin request can be made
- For "simple" GET, HEAD, and POST the request is sent, but script cannot access the response
- Credentials (ex. cookies) are included in requests (except preflight)
- XMLHttpRequest can be used for blind injection as a result

Mitigation:
- Perform validation and escaping on the server side against any untrusted data that gets output in HTML
- OWASP XSS Prevention Cheat Sheet
Slide 49: Demo: Cross-site scripting
Slide 50: CSRF

OWASP A8-Cross-Site Request Forgery (CSRF)
An attacker causes a user's browser to submit a request to a website the user is authenticated with. Exploits the website's trust in the user.
Example:
- Cause the user's browser to submit a request to send a malicious message to another user

General mitigation:
- Include an unpredictable token as a parameter of any request that performs sensitive actions
- Do not expose the token in the URL
- Password-protect exceptionally sensitive actions (ex. changing account details)
- Reject all requests that do not contain the token
Slide 51: Example CSRF

Attacker gets user to open a link containing a malicious <img> tag:
Slide 52: CSRF Mitigation

Including a token bound to the session in the form:
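The session-bound token from this slide and the mitigation list on slide 50, as an added example rather than the original slide's code: the token is an HMAC of the session identifier under a server-side key, it is embedded as a hidden field of a POST form (so it never appears in the URL), and any state-changing request whose token is missing or was minted for a different session is rejected. The key, the form action and the message endpoint are assumptions.

```python
import hashlib
import hmac
import secrets
from html import escape

# Server-side secret for deriving tokens (constructed here; load it from
# configuration in a real deployment and rotate it with the session secret).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id, key=SERVER_KEY):
    """Token bound to the session: HMAC-SHA256(key, session id). Unpredictable
    without the server key, and useless inside any other user's session."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id, action="/send_message"):
    """Embed the token as a hidden field; the form POSTs, keeping it out of the URL."""
    token = csrf_token(session_id)
    return (f'<form method="POST" action="{escape(action, quote=True)}">\n'
            f'  <input type="hidden" name="csrf_token" value="{token}">\n'
            '  <input type="text" name="message">\n'
            '  <input type="submit" value="Send">\n'
            '</form>')


def verify_request(session_id, form, key=SERVER_KEY):
    """Reject any sensitive request whose token is absent or does not match
    the token derived for the session making the request."""
    supplied = form.get("csrf_token")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, csrf_token(session_id, key))
```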
Slide 53: Web Resources

OWASP: https://www.owasp.org/
MITRE CWE: https://cwe.mitre.org/
SSL Server Test: https://www.ssllabs.com/ssltest/
Securityheaders: https://securityheaders.com/
Reddit netsec: http://reddit.com/r/netsec
Slide 54: Books

Web Application Hacker's Handbook, edition 2: Dafydd Stuttard, Marcus Pinto
Tangled Web: Michal Zalewski
Slide 55: Questions?