
Improving Web Application Security

with effective countermeasures

Jan 29, 2008

D P Dube, Information Security Group (ISG), Reliance


Preview

Web Application: Security Implications
Vulnerabilities
Countermeasures
Web 2.0 - Opportunities
Q/A
Web Application - Security Implications
Conventional Security

Network Security
  Firewalls
  Intrusion Detection Systems (IDS)
  Access Controls on network devices
  Vulnerability Scanners
Host Security
  Authentication and Logging Mechanisms
  Host based IDS
  File Integrity Checkers
What about Web Applications?

Conventional Security (contd)

[Diagram: network security controls (a firewall) in front of the web server and database server, with TELNET, NetBIOS, HTTP(S), FTP and RPC traffic arriving at the firewall]
Are Web Applications Vulnerable?

HTTP is a stateless protocol and inherently insecure
  Each HTTP request is discrete
  The application has to keep track of the user session
Trusting browser input is a myth, and so are these:
  The user will only send the required input
  The user cannot manipulate drop-down lists
  The user cannot manipulate hidden fields
  JavaScript will take care of validation
  Using SSL is an airtight solution
Are Web Applications Vulnerable? (contd)

Attractive targets yielding high value results
  Credit card numbers
  Bank account information
  Confidential information
  Personal email
Conventional security solutions (SSL and firewalls) are not adequate
Often developed in house - poor code and frequent updates
Gartner: 75% of the cyber attacks in 2006 were at the application level
Pressures on Application Lifecycle

[Diagram: application lifecycle cycle: Design -> Coding -> Testing/QA -> Deployment]

Time-to-Market/Deploy: bringing new applications to market/deploy quickly
Complexity is Growing: increasing application lifecycle complexity
Increasing Business Demand: more inclination on getting the job done (functionality vs security)
Lack of security awareness
Wearing the White Hat - Our Experiences

Technical Vulnerabilities
  URL Manipulation
  SQL Injection
  Cross Site Scripting
  Weak Session Tracking
  Passwords in Memory
  Buffer Overflows
  Web server configuration
  Hidden Variable Manipulation
  And so on

Business Risks
  Personal information modification
  Pricelist modification
  User impersonation
  Unauthorized funds transfer to accounts
  Privilege escalation of user account
  And so on
Web Application Vulnerabilities
URL Manipulation
URL Manipulation (contd)

A GET request sends important parameters on the URL
  The parameters can be manipulated to give undesired results
  The GET requests are stored in the browser history
  Impact is HIGH
  Variants work on any user input on the web page, hidden values or information stored in cookies.

http://www.mybank.com/example?accountnumber=12345&debitamount=1
URL Manipulation - Solution

The best solution is to avoid sending critical parameters in a query string
Validate with the session token
All sensitive data sent in the query string must be cryptographically protected.
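As an added example (it is not from the slides), the three countermeasures above in Python: the account number from the query string is only acted on after it has been checked against the owner bound to the server-side session, and any value that must travel in a query string is carried with an HMAC signature that is verified on return. The session store, the account table, the signing key and the handler names are constructed placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Constructed server-side session store (hypothetical): session id -> authenticated user.
SESSIONS = {"sess-abc": {"user": "alice"}}
# Constructed account ownership table: account number -> owner.
ACCOUNTS = {"12345": "alice", "67890": "bob"}
# Placeholder signing key; a real deployment keeps this out of source code.
SIGNING_KEY = b"placeholder-server-secret"

ACCOUNT_RE = re.compile(r"[0-9]{1,12}")     # allow-list: digits only, bounded length
AMOUNT_RE = re.compile(r"[1-9][0-9]{0,5}")  # positive integer, at most six digits


def debit(session_id, query):
    """Handle a debit request built from a query string such as
    accountnumber=12345&debitamount=1. The account number is never trusted on
    its own: it must belong to the user bound to the server-side session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "error: no valid session"
    params = parse_qs(query)
    account = params.get("accountnumber", [""])[0]
    amount = params.get("debitamount", [""])[0]
    # Check data type, syntax and length before using either value.
    if ACCOUNT_RE.fullmatch(account) is None:
        return "error: invalid account number"
    if AMOUNT_RE.fullmatch(amount) is None:
        return "error: invalid amount"
    # The ownership check is what defeats tampering with accountnumber.
    if ACCOUNTS.get(account) != session["user"]:
        return "error: account not owned by user"
    return f"debited {amount} from {account}"


def sign_query(fields):
    """Build a query string carrying an HMAC-SHA256 over the canonical
    (sorted) encoding of its fields, so that any change is detectable."""
    canonical = urlencode(sorted(fields.items()))
    mac = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + mac


def verify_query(query):
    """Return the fields of a signed query string, or None if the signature
    is missing or does not match (tampered or forged parameters)."""
    params = parse_qs(query, keep_blank_values=True)
    sig = params.pop("sig", [""])[0]
    fields = {k: v[0] for k, v in params.items()}
    canonical = urlencode(sorted(fields.items()))
    expected = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return fields


if __name__ == "__main__":
    print(debit("sess-abc", "accountnumber=12345&debitamount=1"))
    print(debit("sess-abc", "accountnumber=67890&debitamount=1"))
    signed = sign_query({"accountnumber": "12345", "debitamount": "1"})
    print(verify_query(signed))
    print(verify_query(signed.replace("debitamount=1", "debitamount=1000")))
```

Signing makes modification of the parameters detectable, but a captured link with a valid signature can still be replayed, which is why the session-bound ownership check stays in place even for signed values.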
Web Application Vulnerabilities
Hidden Variable Manipulation
Web Application Vulnerabilities
SQL Injection
SQL Injection - The Problem

Expected:
username: abc
password: test123

When submitted, the SQL query will be built up as:

select * from users where username='abc' and password='test123'

The unexpected:
username: abc'; --
password:

The following is the query sent on to the DB:

select * from users where username='abc'; --' and password=''
SQL Injection - The Problem (contd)

Expected:
Username: doug
Password: p@$$w0rd

SELECT COUNT(*)
FROM Users
WHERE username='doug' and password='p@$$w0rd'

The unexpected:
Username: ' OR 1=1 --
Password:

SELECT COUNT(*)
FROM Users
WHERE username='' OR 1=1 -- and password=''
SQL Injection

[Diagram: expected input from a user and unexpected input from a malicious user, both submitted to the login form at http://target.site/login.jsp on the target site, with the result "Login Successful"]
SQL Injection - Solution

How do attackers know?
  Insider information
  Trial and error
  Error messages often reveal too much
  A malicious user can force an error to discover information about the database
How to prevent?
  Strong validation at the server side for user input
  Data validation strategies:
    Accept Only Known Valid Data
    Reject Known Bad Data
    Sanitize Bad Data
  All the methods must check Data Type, Syntax and Length
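An added example (not part of the original deck) that runs both forms of the login query from the preceding slides against a constructed in-memory SQLite table: the concatenated query is bypassed by the `' OR 1=1 --` input, the parameterized query is not, and an accept-only-known-valid-data check on the username covers data type, syntax and length. The table contents and function names are constructed.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the Users table on the slides.
# The password column is stored in clear only to mirror the slide's query; a
# real system stores password hashes and compares them in application code.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
conn.execute("INSERT INTO Users VALUES ('doug', 'p@$$w0rd')")
conn.commit()


def count_users_vulnerable(username, password):
    """The pattern from the slides: the query is assembled by concatenation, so a
    quote and a '--' in the input become part of the SQL and comment out the
    password check."""
    sql = ("SELECT COUNT(*) FROM Users WHERE username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_users_parameterized(username, password):
    """Same query with bind parameters: the driver keeps data and SQL apart, so
    the input can never change the structure of the statement."""
    sql = "SELECT COUNT(*) FROM Users WHERE username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_is_valid(username):
    """Accept-only-known-valid-data: checks data type, syntax and length."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def login(username, password):
    """Server-side validation first, then a parameterized lookup."""
    if not username_is_valid(username) or not isinstance(password, str):
        return False
    return count_users_parameterized(username, password) == 1


if __name__ == "__main__":
    print(count_users_vulnerable("doug", "p@$$w0rd"))      # the expected login
    print(count_users_vulnerable("' OR 1=1 --", ""))       # the unexpected: count is still 1
    print(count_users_parameterized("' OR 1=1 --", ""))    # 0 with bind parameters
    print(login("' OR 1=1 --", ""))                        # rejected before the query runs
```

The allow-list check rejects the injected input before any query is built, and the bind parameters protect the query even for inputs the allow-list does not anticipate; the two layers are independent, which is why both belong in the server-side code.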
Web Application Vulnerabilities
Error Messages
Error Messages on Web pages

Enumeration of the application and the backend database used by the application
Gives a lot of information about the application.
Is in itself a class of attacks.
Error Messages

Incorrect Login
Invalid Username / Invalid Password
Username not found in database
Server: Error executing Database query: user_id returned empty rows
Error executing Database query
[Macromedia][SQL Server JDBC Driver][SQL Server]: no rows returned for following query:
select * from user_table where user_id=#UserID# and password=#Password#

Error Messages - Enumerate Databases
Error Messages - Damage Potential

Shutdown database
Delete all tables
Execute system commands on database server
Give access to command shell on server
Modify Windows registry
Start or stop system services
Error Messages - The Solution

Error handling through a well thought out scheme
Errors should provide the necessary message to the user, information to developers, and no information to attackers
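As an added example (not from the slides) of such a scheme in Python: every failure path returns one of a fixed set of generic messages to the user, the full exception goes to a developer-facing log, and a short reference id ties the two together. The in-memory log handler, the message texts and the two stand-in authenticators are constructed.

```python
import logging
import uuid

# Developer-facing log captured in memory (constructed, so the example runs offline).
LOG_RECORDS = []


class ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))


logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(ListHandler())

# The only texts a client can ever see. One message covers every login failure,
# so the response does not reveal whether the username exists, and nothing
# about the database, driver or query reaches the page.
USER_MESSAGES = {
    "AUTH_FAILED": "Login failed. Please check your username and password.",
    "INTERNAL": "The service is temporarily unavailable. Please try again later.",
}


def respond(code, exc=None):
    """Build the user-facing response; the full detail goes to the developer
    log, tied to the response by a short reference id."""
    ref = uuid.uuid4().hex[:8]
    if exc is not None:
        logger.error("ref=%s code=%s detail=%r", ref, code, exc)
    return {"message": USER_MESSAGES[code], "reference": ref}


def login_handler(authenticate, username, password):
    """Wrap an authentication function so every failure path yields a generic
    response; `authenticate` is any callable returning True or False."""
    try:
        ok = authenticate(username, password)
    except Exception as exc:  # any backend failure: log it, tell the user nothing specific
        return respond("INTERNAL", exc)
    if not ok:
        return respond("AUTH_FAILED")
    return {"message": "Login successful", "reference": None}


# Constructed authenticators standing in for the real backend.
def authenticate_ok(username, password):
    return username == "doug" and password == "p@$$w0rd"


def authenticate_db_down(username, password):
    # Constructed driver-style error text of the kind shown on the slide.
    raise RuntimeError("[SQL Server JDBC Driver] no rows returned for following query: "
                       "select * from user_table where user_id=#UserID#")


if __name__ == "__main__":
    print(login_handler(authenticate_db_down, "doug", "x"))
    print(login_handler(authenticate_ok, "nobody", "x"))
    print(LOG_RECORDS)
```

Support staff can locate the full record in the developer log from the reference shown on the page, while the client never sees driver or query text; both failure branches return the same shape of response so the page code has nothing to distinguish.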
The Countermeasures
The Thumb Rule

Never trust any information that comes from the client, and never assume anything about it
Anything that can theoretically be manipulated by the user will be manipulated in reality
It is always easier to secure simple logic than complex logic
Security of the web application is not just securing the code or patching the web server: the entire infrastructure needs to be secured
A stitch in time saves nine
The Challenges

Relative cost multiplier for an error of each type (rows) when it is found in each phase (columns):

Type of Error   Design   Coding   Integration   Beta   Deployment
Design          1*       5*       10*           15*    30*
Coding          -        1*       10*           20*    30*
Integration     -        -        1*            10*    20*

Source: IBM Security Management White Paper, Jan 2008


Web Application Layers

[Diagram: valid input (HTML, HTTPS) and invalid input (HTML, HTTPS) passing through the following layers, from the outside in]

Browser
Firewall
Web server
Web host
Application Server
Middleware
Database
Data Center
Internal Network
People
Management
Typical Internet Application Infrastructure

[Diagram: a load-balanced, firewalled Internet-facing architecture made up of the following components]

Internet
Load Balancing device
Network IDS and Load-Balanced Firewalls (two sets, one on the Internet side and one beside the Local LAN)
DMZ1: SSL Accelerator
DMZ2: Web Server with Host based IDS
Content Accelerator
Proxy Server
Customer Middleware Server
PayWay Server
Central Database Server
Transaction Switch
ATM Switch (to ATMs and Branch Offices)
Domain Controller
Reporting Server
Local LAN
Firewall
The Security Implications

[Diagram: Web Server, Application Server and DB Server, annotated with the following security concerns]

Denial of Service
Secure Configuration
Input Validation (shown at two tiers)
Protecting Sensitive Data (shown at two tiers)
Authenticating User
Authorizing Users
Auditing and Logging
Preventing Parameter Manipulation
Securing 3-Tiered Enterprise Web Application: Defence in Depth

[Diagram: Web Server, App Server and DB Server tiers, each an application on a host, with firewalls between the tiers, spanning Threats and Countermeasures]

Securing the Application
  Input Validation
  Session Management
  Authentication
  Cryptography
  Authorization
  Parameter Manipulation
  Configuration Management
  Exception Management
  Sensitive Data
  Auditing and Logging

Securing the Network
  Router
  Firewall
  Switch

Securing the Host
  Patches and Updates
  Accounts
  Ports
  Files and Directories
  Registry
  Services
  Shares
  Auditing and Logging
  Protocols


Web 2.0 - A Challenge
Web 2.0 - Opportunities

Web 2.0 practices are not designed with security in mind; the afterthought may be too costly
More importance on the client side will lead to more vulnerabilities like XSS
Free for all is free for hackers too: the recent worm planted in MySpace affected 1 million users
Hackers and spammers can join MySpace to create their own pages, riddled with malicious code, to infect their social-networking peers
Hackers are beginning to target vulnerabilities in Ajax applications, which help make Web 2.0 web sites so dynamic.
Thank You

D P Dube
Durga.dube@ril.com
