E-Security Solutions: Web Applications Security and Challenges

Presentation Transcript


  1. E-Security Solutions: Web Applications Security and Challenges Cyber Security Division/NIC

  2. Need for Securing Web Sites/Applications
     • Defaced sites reported on the Internet
     • Defacement reasons
       • Application vulnerability
       • Site owner authored (accidental/intentional)
       • Web server misconfiguration

  3. Network diagram: Internet (the "Wild Wild West") | Firewall | Corporate Security zone: Server (Data), Workstations (Green Segment)

  4. Security at Network and Transport Layer
     Diagram: INTERNET reaching Port 23, Port 139, Port 21, Port 80/8080
     • Securing traditionally (at the network layer) was not enough
     • Network controls pass whatever looks like legitimate traffic
     • Above 70% of attacks are at the application level

  5. Web Application
     • A web application is generally comprised of a collection of scripts that reside on a web server and interact with a database and other sources of dynamic content.
     • Runs generally at port 80/8080
     Attacks Undetected
     • Data sent as part of legitimate traffic on port 80/8080 goes undetected.
     • Conventional network devices and firewalls cannot distinguish bad data from genuine data.

  6. Web Application Security
     • Refers to the combination of People, Processes and Technology
     • Identify, measure and manage the risks
     • Presented by open source and custom web applications

  7. Risks identified in applications
     • A malicious user can log in without a valid account.
     • An unauthorised user can view, add, update or delete data.
     • An authenticated user can add/update data as another user.
     • A malicious user can upload malicious content.
     • A malicious user can steal user credentials.

  8. Diagram: People, Processes, Technology

  9. Web Application Security Standards
     • OWASP (Open Web Application Security Project)
     • WASC (Web Application Security Consortium)

  10. OWASP
      • The Open Web Application Security Project is a project dedicated to sharing knowledge and developing open source software that promotes understanding of web application security.
      • For more info see http://www.owasp.org
      • OWASP Top 10

  11. WASC
      • An international group of experts, practitioners and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
      • http://www.webappsec.org
      • Web Hacking Incidents Database
      • Web Security Threat Classification

  12. OWASP Top Ten Project
      • It provides a minimum standard for web application security.
      • The OWASP Top Ten represents a broad consensus about what the most critical web application vulnerabilities are.
      • Adopters
        • US Federal Trade Commission, US DOD, VISA
        • Other companies including Sprint, IBM etc.

  13. OWASP Top Ten Most Critical Web Application Vulnerabilities
      • A1 - Unvalidated Input
      • A2 - Broken Access Control
      • A3 - Broken Authentication and Session Management
      • A4 - Cross Site Scripting (XSS) Flaws
      • A5 - Buffer Overflow
      • A6 - Injection Flaws
      • A7 - Improper Error Handling

  14. Top Ten contd.
      • A8 - Insecure Storage
      • A9 - Denial of Service
      • A10 - Insecure Configuration Management

  15. Vulnerability Explained - Unvalidated Input
      • Web sites host applications which accept input in URL strings, form fields, hidden form fields etc.
      • Information from web requests is not validated before being used by the web application. Attackers can use these flaws to attack backend components through the web application.

  16. Unvalidated Input Example: Florists
      Screen 1 (catalogue served by the web server): Rose Rs.18, Dahlia Rs.11, Chrysanthemum Rs.6; Quantity field; To Pay
      Screen 2 (shopping cart, prices carried in hidden fields): Rose Rs.18, Dahlia Rs.11, Chrysanthemum Rs.6; Quantity 50; To Pay Rs. 300
      Screen 3 (order, hidden price manipulated): Rose Rs.18, Dahlia Rs.11, Chrysanthemum Rs.1; Quantity 50; To Pay Rs. 50; "Order Accepted. Thank You"

  17. Applications incorporate input validations
      • Implemented on the client side of the application
      • Intercepting tools make client-side checks inadequate
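The florist screens above come down to one server-side decision: whether the unit price is taken from the request or from the server's own catalogue. The following Python is an added illustration, not code from the deck or from NIC; the catalogue, the `MAX_QUANTITY` limit and the two order dictionaries are constructed for the example, using the prices and quantities shown on the slide.

```python
import re

# Constructed server-side catalogue for the florist example (prices in Rs.)
CATALOGUE = {"Rose": 18, "Dahlia": 11, "Chrysanthemum": 6}
MAX_QUANTITY = 1000   # assumed business limit for the example


def total_trusting_client(form):
    """Vulnerable pattern: the unit price is read back from a hidden form
    field, so whoever edits that field (an intercepting proxy makes this
    trivial, as slide 17 notes) sets their own price."""
    return int(form["price"]) * int(form["quantity"])


def total_server_side(form):
    """Hardened pattern: only the item name and quantity come from the
    request, both are checked against known-valid values, and the price is
    looked up on the server. A tampered hidden field changes nothing."""
    item = form.get("item", "")
    if item not in CATALOGUE:                          # allow-list of items
        raise ValueError("unknown item")
    qty_raw = form.get("quantity", "")
    if not re.fullmatch(r"[1-9][0-9]{0,3}", qty_raw):   # syntax and length
        raise ValueError("bad quantity")
    qty = int(qty_raw)                                  # safe to cast now
    if qty > MAX_QUANTITY:
        raise ValueError("quantity too large")
    return CATALOGUE[item] * qty


# Constructed requests: the cart as the page submits it, and the same
# request after the hidden price field was changed from 6 to 1.
HONEST_ORDER = {"item": "Chrysanthemum", "price": "6", "quantity": "50"}
TAMPERED_ORDER = {"item": "Chrysanthemum", "price": "1", "quantity": "50"}

if __name__ == "__main__":
    for label, order in (("honest", HONEST_ORDER), ("tampered", TAMPERED_ORDER)):
        print(f"{label}: trusting client -> Rs.{total_trusting_client(order)}, "
              f"server-side -> Rs.{total_server_side(order)}")
```

With the tampered request the first function bills Rs. 50, the second Rs. 300; the hidden `price` field is simply ignored. Any client-side JavaScript check on the quantity would be bypassed the same way, which is why the quantity is re-validated here on the server.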

  18. Vulnerability - SQL Injection
      • This is a form of attack affecting database-driven sites.
      • Its impact can range from mild damage to complete system compromise.
      • It affects a large number of sites on the Internet and can be completely prevented.
      • It is largely caused by developers who use string-building techniques to execute SQL code.
      Diagram: Client -> Firewall -> Web server (web app) -> SQL query -> SQL Server

  19. Remote Shutdown of DB
      http://abc.xyz.com/Bull_No.asp?number=41213';shutdown--
      • Shutdown command injected
      • DB no longer available to the app

  20. Impacts of SQL Injection
      • Denial of service
        • Database shut down remotely
      • Integrity of data?
        • Gain authentication and privileged access to CUG applications
        • Deleted records in database
        • Inserted junk data in database
        • Modified data
        • Dropped tables
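Slide 18 blames string building, and the URL on slide 19 shows why: the quote in the parameter ends the SQL literal, `;` starts a second statement and `--` comments out whatever the developer appended. The Python below is an added example, not from the deck, using SQLite as a stand-in for the bulletin database behind `Bull_No.asp`; the table, rows and column names are constructed. It contrasts the query text a string-building handler would send with a parameterised lookup for the same input.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the bulletin table behind Bull_No.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bulletins (number TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO bulletins VALUES (?, ?)",
                     [("41213", "Bulletin 41213"), ("41214", "Bulletin 41214")])
    conn.commit()
    return conn


def build_query_unsafe(number):
    """String building: the request parameter is pasted into the SQL text.
    The quote in the parameter closes the literal, ';' starts a second
    statement and '--' comments out the trailing quote, which is exactly
    how the shutdown command on slide 19 reaches the database engine."""
    return "SELECT title FROM bulletins WHERE number = '" + number + "'"


def lookup_safe(conn, number):
    """Parameterised query: the value is bound as data and never parsed as
    SQL, so the same payload is just a string that matches no row."""
    return conn.execute(
        "SELECT title FROM bulletins WHERE number = ?", (number,)).fetchall()


# The request parameter from the slide's URL, after URL decoding
PAYLOAD = "41213';shutdown--"

if __name__ == "__main__":
    conn = make_db()
    print("SQL the string-built handler sends :", build_query_unsafe(PAYLOAD))
    print("Parameterised lookup, normal input  :", lookup_safe(conn, "41213"))
    print("Parameterised lookup, payload       :", lookup_safe(conn, PAYLOAD))
```

The string-built text contains two statements; a database connector that accepts batched statements (as the ASP/SQL Server setup on the slide did) would run both. Python's `sqlite3` module refuses to execute more than one statement per call, so the demonstration stops at showing the text rather than running it. The parameterised version returns the bulletin for `41213` and an empty result for the payload.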

  21. Data Validation
      • Validation strategies
        • Accept only known valid data
        • Reject known bad data
        • Sanitize all data
      • All three methods must check
        • Data type
        • Syntax
        • Length
      • Never rely on client-side validations alone
      • Assess database-level privileges
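Slide 21's three checks (data type, syntax, length) are easiest to enforce when every request parameter has a declared specification and anything outside it is rejected. The following Python is an added example and not part of the deck; the `FIELDS` table (a bulletin number, an order quantity, a catalogue item name) and the two sample requests are constructed, with the injected bulletin number taken from slide 19.

```python
import re

# Field specifications: (type to cast to, syntax pattern, maximum length).
# Constructed for this example; a real application derives them from its
# own data model.
FIELDS = {
    "number":   (int, r"[0-9]+",        6),    # bulletin number
    "quantity": (int, r"[1-9][0-9]*",   4),    # positive integer, no leading 0
    "item":     (str, r"[A-Za-z ]+",   30),    # catalogue item name
}


def validate_field(field, raw):
    """Accept-only-known-valid check: data type, then length, then syntax.
    Returns the typed value or raises ValueError naming the failed check."""
    cast, pattern, max_len = FIELDS[field]
    if not isinstance(raw, str):               # type: one string, not a list
        raise ValueError(f"{field}: wrong data type")
    if len(raw) > max_len:                     # length, before any regex work
        raise ValueError(f"{field}: too long")
    if not re.fullmatch(pattern, raw):         # syntax: whole value must match
        raise ValueError(f"{field}: bad syntax")
    return cast(raw)


def validate_request(params):
    """Validate every known parameter and silently drop unknown ones.
    Returns (clean_values, error_messages); the request is used only when
    error_messages is empty."""
    clean, errors = {}, []
    for field, raw in params.items():
        if field not in FIELDS:                # unexpected parameter: discard
            continue
        try:
            clean[field] = validate_field(field, raw)
        except ValueError as exc:
            errors.append(str(exc))
    return clean, errors


# Constructed requests: a normal one and one carrying the slide-19 payload
GOOD = {"number": "41213", "quantity": "50", "item": "Rose"}
BAD = {"number": "41213';shutdown--", "quantity": "050", "item": "Rose<b>"}

if __name__ == "__main__":
    for req in (GOOD, BAD):
        print(validate_request(req))
```

The length check runs before the regular expression so that oversized input is rejected without any parsing cost, and the cast happens last, only on values that already passed. This validation layer complements parameterised queries rather than replacing them: it limits what reaches the database, while parameter binding guarantees that whatever does reach it is treated as data.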

  22. Vulnerability - Insecure Configuration Management
      Server configuration problems include
      1. Unpatched flaws in the server software
      2. Server software flaws or misconfiguration that allow directory listing or directory traversal
      3. Improper file and directory permissions
      4. Unnecessary services enabled, including remote administration
      5. Default accounts with default passwords

  23. Example: Application-based Upload
      • Application allows file upload
      • Uploaded file could be executed
      • => a file with malicious content can also be uploaded and executed

  24. Solution
      • Assess whether the application really requires a file upload facility.
      • If it does, the directory used as the file repository must not be in the direct path of the web application.
      • The permissions on this folder must grant write privilege only to the account used by the application.
      • Note: A combination of write and execute permissions on web hosting folders is strictly forbidden.
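Slides 23 and 24 describe the upload problem and its fix in terms of directory placement and permissions. The Python below is an added example, not code from the deck or from NIC, showing one way to apply those rules in an upload handler: the file goes to a repository directory outside the web root, under a server-generated name, with no execute bit, and script extensions such as `.asp` are refused. The `ALLOWED_EXTENSIONS` policy and the temporary `htdocs`/`uploads` layout in `demo()` are constructed for the example; the permission bits assume a POSIX file system.

```python
import os
import secrets
import tempfile

# Assumed upload policy for the example: only these extensions are stored
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg"}


def save_upload(repo_dir, client_name, data):
    """Store an upload in the repository directory (outside the web root)
    under a server-chosen name, readable and writable by the application
    account only and never executable. Returns the stored path."""
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed")
    # The client's file name is never used on disk, so '../' in it cannot
    # steer the file into the web root.
    stored = os.path.join(repo_dir, secrets.token_hex(16) + ext)
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


def is_inside(path, directory):
    """True when path resolves to somewhere under directory."""
    directory = os.path.realpath(directory)
    return os.path.commonpath([os.path.realpath(path), directory]) == directory


def is_executable(path):
    return bool(os.stat(path).st_mode & 0o111)


def demo():
    """Constructed layout: htdocs is the served web root, uploads is a
    sibling directory the web server never serves. Returns the checks a
    reviewer would make on the result."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")
    repo = os.path.join(base, "uploads")
    os.mkdir(webroot)
    os.mkdir(repo, 0o700)                 # application account only
    stored = save_upload(repo, "../htdocs/photo.png", b"\x89PNG constructed")
    try:
        save_upload(repo, "page.asp", b"<% constructed %>")
        script_rejected = False
    except ValueError:
        script_rejected = True
    return {
        "stored_in_repo": is_inside(stored, repo),
        "reachable_from_webroot": is_inside(stored, webroot),
        "executable": is_executable(stored),
        "script_upload_rejected": script_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Because the stored file never sits under `htdocs`, the web server cannot be asked to execute it, which is the condition slide 24 forbids; anything the application later serves from the repository is read back by the application itself and sent as a download, not run as a script.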

  25. Tests and Tools
      • Penetration tests
        • Manual
        • Automated
      • Tools
        • Manual, viz. Burp Proxy
        • Automatic scan tools
          • Open source: websphinx, Paros, Nikto
          • Commercial: ScanDo, AppScan

  26. Diagram: User's client machine: Browser <-> Burp Interceptor <-> Web Server (intercepted HTTP request/response)

  27. Application Security Audit Framework
      Stages shown: Awareness, Secure Code Delivery, Audit, Code Hardening, Convincing Developers, Compliance Check

  28. Challenges - People, Processes and Technology
      • Large number of sites with applications.
      • Testing may not be accurate
        • Black-box penetration tests are used; they are limited to known vulnerabilities.
        • Source code auditing is not feasible as many of the sites are legacy and it is a time-consuming process.
        • Limited by the skill set of the tester.
      • Vulnerabilities identified remain unpatched due to developer unavailability

  29. • Tools not readily available: immature technology
      • Large amount of resources required for logistics arrangements
      • Large amount of coordination and communication effort
      • Effective monitoring, detection and response to security incidents
      • Correlation of events
      • Keeping up to date with new attacks and delivery mechanisms

  30. Achievement
      • Lessons learnt in improving security
      • Separation of security boundaries of sites in a multi-hosting environment recommended
      • Security of developed sites has improved
      • Turnaround time in audit is reduced
      • Awareness of developers increased
      • Requirement of security audit has been propagated

  31. Road Ahead
      • Security needs to be built into applications in the SDLC.
      • A policy of asset classification to be adopted and a security rating given to sites/applications.
      • Adaptive framework for People, Processes and Technology for web application security

  32. References
      • Audit reports of web sites audited
      • http://www.Owasp.org
      • http://www.Sans.org
      • http://www.webappsec.org

  33. Thank You. Write to Snigdha Acharya, snigdha.acharya@nic.in
