Best practices of web app security (Samvel Gevorgyan)
- 3. STATISTICS OF RISK LEVELS. Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
- 4. TOP 10 HIGH LEVEL VULNERABILITIES
  01. Cross-Site Scripting (XSS) [Symantec - 2007]
  02. Information leakage
  03. SQL Injection [~2005]
  04. Cross-Site Request Forgery (CSRF) [1990s]
  05. ClickJacking [J. Grossman and R. Hansen - 2008]
  06. Phishing [1987, 1996]
  07. Path Traversal or Local/Remote File Inclusion
  08. Shell injection
  09. Session Hijacking [early 2000s]
  10. File uploads
- 8. CROSS-SITE SCRIPTING. 2. Persistent: the attacker stores an executable script in the vulnerable website's database, and it is executed every time a webpage displays that data. Common targets are: comments
- 53. Safe HTML Checker, etc. BEST SOLUTION: OWASP HTML Purifier. SAFE: HTML Purifier defeats XSS with an audited whitelist. CLEAN: HTML Purifier ensures standards-compliant output. OPEN: HTML Purifier is open-source and highly customizable.
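The following is an added example, not code from the slides, showing the three ways a stored comment can be rendered: echoed verbatim (persistent XSS, slide 8), HTML-encoded for a plain-text comment, or passed through HTML Purifier's whitelist when some markup must be allowed. It assumes the HTML Purifier library is installed with its HTMLPurifier.auto.php autoloader on the include path; the sample comment is constructed.

```php
<?php
// Constructed sample of a comment as it might sit in the database after a
// persistent XSS attempt. Whether it executes depends only on how it is rendered.
$storedComment = 'Nice post! <script>alert("xss")</script>';

// Unsafe: the stored value is echoed verbatim, so the script runs in the browser
// of every visitor who views the comment (the persistent XSS case on slide 8).
function renderCommentUnsafe(string $comment): string {
    return '<p class="comment">' . $comment . '</p>';
}

// Safe for plain-text comments: encode for the HTML body context so the
// stored markup is displayed as text instead of being parsed.
function renderCommentEscaped(string $comment): string {
    return '<p class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// When comments may legitimately contain some markup, filter them through
// HTML Purifier with an explicit whitelist rather than trying to blacklist tags.
// Assumes HTML Purifier is installed (its autoloader path is an assumption).
function renderCommentPurified(string $comment): string {
    require_once 'HTMLPurifier.auto.php';
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements and attributes survive; <script> and event handlers are dropped.
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    // Restrict link targets to web URLs so javascript: and data: links are removed.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return '<div class="comment">' . $purifier->purify($comment) . '</div>';
}

echo renderCommentEscaped($storedComment), PHP_EOL;
echo renderCommentPurified($storedComment), PHP_EOL;
```

The escaped version prints the script tag as visible text; the purified version drops it entirely while keeping allowed markup such as bold text and links.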
- 56. INFORMATION LEAKAGE. DESCRIPTION: Information Leakage is an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. EXAMPLE: Warning: include(pages/../../../../../../etc/passwd1) [function.include]: failed to open stream: No such file or directory in /usr/www/users/kint/view.php on line 20
- 57. INFORMATION LEAKAGE. CAUSES: directory listing misconfiguration, improper error handling, improper filetype handling, sensitive HTML comments, etc. 1. Directory listing misconfiguration: leaving directory listing enabled allows the attacker to read the list of all files in a directory.
- 59. INFORMATION LEAKAGE. 2. Improper error handling: because of improper error handling, every unexpected request generates an error message that is visible to the attacker. EXAMPLE: Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81
- 66. INFORMATION LEAKAGE. 4. Sensitive HTML comments: notes left by web developers may contain important information and cause information leakage. EXAMPLE: <form enctype="multipart/form-data" action="upload.php" method="POST"> <!--check for filetypes php, cgi, pl, bat, exe, dll, reg--> <input name="upload_file" type="file" /> …
- 67. BEST SOLUTION. Directory listing misconfiguration: put a blank file named index.html in that directory, or put a file named .htaccess in that directory consisting of only this line: Options -Indexes. NOTE: all sub-directories of that directory will also get their directory listings turned off.
- 71. BEST SOLUTION. Improper error handling: create an .htaccess file in the public_html directory with the following lines:
  php_flag display_errors off
  php_flag log_errors on
  php_value error_log path/PHP_errors.log
  <Files path/PHP_errors.log>
  Order allow,deny
  Deny from all
  Satisfy All
  </Files>
  error_log = path/PHP_errors.log: any file in which the web server has write privileges.
- 72. BEST SOLUTION. Improper filetype handling: don't keep important files with the following extensions in your public web directory if you don't link to them from the website: compressed files (*.zip, *.rar, *.tar.gz, etc.)
- 74. Unknown files (*.inc, *.copy, *.bkp, etc.). BEST SOLUTION. Sensitive HTML comments: no sensitive HTML comment must be used in a website, as every user is able to view the webpage source code.
- 75. SQL INJECTION. DESCRIPTION: this is a type of vulnerability where the attacker injects a custom SQL query into the request to get sensitive data from the database, or to read or write a file. EXAMPLE: http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--
- 77. SQL INJECTION. Normal SQL Injection. EXAMPLE: http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(), 5,version(),7+--
- 78. SQL INJECTION. 2. Blind: this type of injection is identical to normal SQL Injection except that the SQL query returns only a positive or negative response. EXAMPLE: http://site.com/view.php?page=10+ and+substring(@@version,1,1)=5+--
- 86. Assign minimum privileges to MySQL users. BEST SOLUTION: GreenSQL open source database firewall: activity monitoring and audit, user rights management, real-time database protection, intrusion prevention (IPS), database caching, encrypted communication over SSL, virtual patching, reporting.
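As an added example (not from the slides), here is the product.php lookup from slides 75 and 77 written the way that makes the UNION payload work, beside a hardened version that validates the type and binds the value as a parameter. The DSN, the `products` table, the `shop_ro` account and its password are placeholders; the minimum-privilege grant from slide 86 is shown in a comment.

```php
<?php
// Least-privilege account for this page (slide 86); the GRANT below is what the
// DBA would run, shown here as a comment (placeholder names):
//   GRANT SELECT ON shop.products TO 'shop_ro'@'localhost';
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Vulnerable pattern: the request parameter is pasted into the query text, so
// "4 AND 1=2 UNION SELECT ..." changes the structure of the statement itself.
function productUnsafe(PDO $pdo, string $id): ?array {
    $row = $pdo->query("SELECT id, name, price FROM products WHERE id = $id")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: validate the expected type first, then bind the value so the
// database never parses it as SQL. The UNION payload fails the digit check and
// a blind "AND substring(...)" payload (slide 78) fails it too.
function productSafe(PDO $pdo, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;   // reject before the value reaches the database
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$product = productSafe($pdo, $_GET['id'] ?? '');
if ($product === null) {
    // Generic response only: no SQL error text reaches the client (slide 59).
    http_response_code(404);
    exit;
}
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```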
- 88. CROSS-SITE REQUEST FORGERY. DESCRIPTION: this vulnerability of a web application allows the attacker's website to trigger its actions using an authorized user's session. EXAMPLE: <img src="http://site.com/share.php?url=http://bad.com" style="display:none" />
- 89. CROSS-SITE REQUEST FORGERY. EXAMPLE:
  <div style="display:none">
  <iframe name="hidden"></iframe>
  <form name="Form" action="http://site.com/post.php" target="hidden" method="POST">
  <input type="text" name="message" value="I like www.bad.com" />
  <input type="submit" />
  </form>
  <script>document.Form.submit();</script>
  </div>
- 90. CROSS-SITE REQUEST FORGERY. USELESS DEFENCES: Only accepting POST: stops simple link-based attacks (IMG, frames, etc.), but hidden POST requests can be created with frames, scripts, etc. Referer checking: some users suppress referers, so you can't simply require referer headers, and techniques to selectively create HTTP requests without referers exist. Requiring multi-step transactions: a CSRF attack can perform each step in order.
- 91. CROSS-SITE REQUEST FORGERY. SOLUTIONS: CAPTCHAs: a type of challenge-response test used in computing to ensure that the response is not generated by a computer. One-time tokens: unlike the CAPTCHA system, this is a unique number stored both in a form field and in the session, and the two are compared after the form is submitted.
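An added example, not from the slides, of the one-time token solution for the post.php form targeted on slide 89: the token is generated from the CSPRNG, stored in the session and in a hidden field, compared in constant time on submit, and discarded after one use. Function names and the `csrf` field name are my own.

```php
<?php
session_start();

// Issue a fresh token for the form being rendered. Tokens are keyed per form so
// that several forms on one page do not share a value.
function csrfToken(string $formName): string {
    $token = bin2hex(random_bytes(32));           // 256 bits of CSPRNG output
    $_SESSION['csrf'][$formName] = $token;
    return $token;
}

// Validate and consume the token. hash_equals() compares in constant time;
// unset() makes the token single-use, so a replayed or forged request fails.
function csrfCheck(string $formName, ?string $submitted): bool {
    $expected = $_SESSION['csrf'][$formName] ?? null;
    unset($_SESSION['csrf'][$formName]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck('post', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
    // ... store the message here ...
    exit('posted');
}

// Render the form. The hidden form on the attacker's page (slide 89) runs on
// another origin and cannot read this value out of the victim's session, so
// the forged POST it submits carries no valid token and is rejected above.
$token = htmlspecialchars(csrfToken('post'), ENT_QUOTES, 'UTF-8');
echo '<form action="post.php" method="POST">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . '<input type="text" name="message">'
   . '<input type="submit">'
   . '</form>';
```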
- 100. CLICK-JACKING. DESCRIPTION: this is an advanced version of Cross-Site Request Forgery. It uses all the flexibility of front-end languages to bypass protected forms and send a request using the victim's active session. EXAMPLE: <div style="position:fixed; width:100%; height:100%; z-index:999;" onclick="alert('ClickJacked');"></div>
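The overlay on slide 100 only works if the target page can be loaded inside the attacker's frame. As an added example (not from the slides), this helper sends the response headers that refuse framing; the function name and the allowed-origin list are my own.

```php
<?php
// Must be called before any output, since it sets HTTP response headers.
// With no arguments the page refuses to be framed by anyone, which is the right
// default for any page that carries a form or a session-bound action.
function sendAntiFramingHeaders(array $allowedOrigins = []): void {
    if ($allowedOrigins === []) {
        header('X-Frame-Options: DENY');                             // older browsers
        header("Content-Security-Policy: frame-ancestors 'none'");   // modern browsers
        return;
    }
    // Framing permitted only from the listed origins. X-Frame-Options cannot
    // express a list, so SAMEORIGIN is the closest fallback for older browsers;
    // the CSP directive carries the precise policy.
    header('X-Frame-Options: SAMEORIGIN');
    header('Content-Security-Policy: frame-ancestors ' . implode(' ', $allowedOrigins));
}

sendAntiFramingHeaders();                                  // never embeddable
// sendAntiFramingHeaders(["'self'", 'https://www.example.com']);  // placeholder origin
echo '<form action="post.php" method="POST"><input type="submit"></form>';
```

A browser that honours either header will not render this page inside the attacker's iframe, so there is nothing underneath the transparent div for the victim's click to reach.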
Editor's Notes
- "A clever person solves a problem. A wise person avoids it." (Albert Einstein)