Security Testing Mat


Web application Security

Security Testing Precautions:


Thin line between Security Testing & Hacking
--> Do not use tools without proper (written) approval from the owner of the asset.
--> Using tools against a web site you are not authorised to test can be a criminal offence.
--> Use tools only on the specific assets covered under the agreed scope.
--> Keep a log of all activities performed during security testing.

Web application:
Web applications are applications delivered to users by a web server over a network
such as the Internet or an intranet.
Application layers: Presentation Layer --> Business Logic Layer --> Database Layer

Application Framework :
A web server is a central repository, in the form of a computer, that stores web
documents and allows users to access them.
--> A web server provides services to a client (browser).
--> Communication generally takes place over the HTTP or HTTPS protocol.
--> The client sends a request to the server for a specific document or for some processing of data. The
server processes the request and sends a response to the client.

How web application works:-


Definitions:-

Vulnerabilities:
A weakness in a system that may threaten its confidentiality, integrity or availability.

Threat:
A condition or circumstance that could potentially cause harm, damage or compromise to
an IT asset.

Risk:
The probability of a threat becoming real, combined with the corresponding potential damage.

Different vulnerable components:

1. Client side
2. Communication channel side
3. Server side

How to check vulnerabilities:-

White box approach (code review):

-->Complete and thorough check of the source code.
-->Not a simple job; needs good programming knowledge.
-->White box testers use this approach while implementing security testing.

Black box approach:

-->Inject all possible fault-inducing inputs into the web application using tools and look for hints that
something strange has happened (error messages, changed behaviour, unexpected output).
-->Black box testers use tools such as AppScan and Acunetix to detect vulnerabilities.
Code review in security testing life cycle:-
The security testing life cycle follows a threat analysis methodology and first identifies the possible
interactions.
-->Prepare a threat list.
-->Perform code review for the identified threats.
-->Prepare a vulnerabilities list.

Vulnerability scanner in security testing life cycle:-


-->Web application vulnerability scanners are tools designed to automatically scan web
applications for potential vulnerabilities.
-->They perform application-level checks, such as field manipulation, which allow a more focused
assessment of web applications by exposing vulnerabilities that standard (network-level) vulnerability
assessment methods are unaware of.

Security analysis techniques:-


White Box Testing (Code Review) + Black Box Testing (Use tools) --> Vulnerabilities List --> Penetration Testing

Client side vulnerabilities:-


# Web Browser :
-->Patches should be kept up to date.
# Web browser configuration
--> AutoComplete / "remember password" should be disabled.
--> Delete cookies and private data after closing the browser.
--> Cookies should be cleared regularly.
# Other client software (e.g. office software, media players): keep it patched as well.

Communication Channel:-
Protocols - HTTP, HTTPS
Vulnerable services/ports - e.g. Telnet, FTP, SMTP
Firewall

HTTP & HTTPS:-

HTTP:
-->HTTP - Hypertext Transfer Protocol
-->Uses port 80 by default.
-->Sends requests and responses in plain text, so anyone on the network path can read or modify them.

HTTPS:
-->HTTPS - Hypertext Transfer Protocol Secure
-->Uses port 443 by default.
-->Wraps HTTP in SSL/TLS, which encrypts the request and response and authenticates the server.
Vulnerable ports:-

Telnet:-
Used for remote login; port 23.
Sends the login name and password in clear text.

FTP:-
Used for downloading or uploading files; port 21.
Sends credentials and file contents in clear text.

Firewall:-
A firewall is used to restrict access from one network to another. Firewalls may also be
used to restrict one internal network segment from accessing another network segment.

Server side vulnerabilities:-


1. Cross Site Scripting
2. SQL Injection
3. Information Leakage
4. Session Hijacking
5. Failure to Restrict URL Access

Cross site scripting(XSS):-


Cross site scripting is a security exploit in which the attacker inserts malicious
code (typically JavaScript) into a link or page that appears to come from a trustworthy source. When someone
clicks on that link, the embedded script is submitted as part of the client's web request, reflected back by
the server and executed in the victim's browser, in the security context of the vulnerable site.
It typically allows the attacker to steal the victim's session or other information.

XSS Protection:-
Protect your application from XSS attacks:
1. Input validation (allow only known good input).
2. Encode output: convert text/data which might contain dangerous HTML characters to its encoded
form before writing it into the page:
'<' and '>' to '&lt;' and '&gt;'
'(' and ')' to '&#40;' and '&#41;'
'#' and '&' to '&#35;' and '&#38;'
3. Filter on input as much as possible, but do not rely on it alone: the encoding must match the
output context (HTML body, attribute, JavaScript, URL).
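The following Python block is an added example, not code from the original notes. It shows the encoding list above applied in a single pass (so nothing is double-encoded), an allow-list input check, and a page that reflects a parameter with and without encoding. The payload, the username pattern and the function names are assumptions made for the example; '&' is encoded as the named entity '&amp;', which is equivalent to '&#38;'.

```python
# Added example (not from the notes): output encoding plus allow-list input
# validation for a value echoed back into an HTML page.
import re

# One translation table, applied in a single pass, so an entity produced for
# one character (e.g. the '#' in "&#39;") is never re-encoded.
_HTML_TABLE = str.maketrans({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
    "(": "&#40;", ")": "&#41;", "#": "&#35;",
})

def encode_for_html(text: str) -> str:
    """Encode untrusted text for insertion into an HTML element body."""
    return text.translate(_HTML_TABLE)

# Allow-list pattern (assumed for the example): letters, digits, underscore.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(value: str) -> bool:
    """Allow-list validation: reject anything outside the expected alphabet."""
    return _USERNAME_RE.fullmatch(value) is not None

def render_vulnerable(name: str) -> str:
    """Reflects the parameter unencoded: a script tag in 'name' runs in the browser."""
    return f"<p>Hello {name}</p>"

def render_hardened(name: str) -> str:
    """Encodes on output, so the same payload is displayed as text."""
    return f"<p>Hello {encode_for_html(name)}</p>"

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"   # constructed test payload
    print(render_vulnerable(payload))
    print(render_hardened(payload))
    print(is_valid_username(payload), is_valid_username("alice_01"))
```

The validation step rejects the payload outright; the encoding step is what protects fields that legitimately contain punctuation (comments, names with apostrophes), which is why both are applied.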

SQL injection:-
--> SQL injection is a type of security exploit in which the attacker adds SQL code to a web form input
box (or any other request parameter) that the application concatenates into a database query.
--> An SQL query is a request for some action to be performed on the database; the injected code changes
that action to gain access to resources or make changes in the database.
--> Using SQL injection an attacker can bypass the login page.
--> Using SQL injection an attacker can read or change data in the database.

SQL injection protection:-


1. Disable verbose error messages that give information to the attacker.
2. Restrict the length of input.
3. Do not build queries by concatenating input; use parameterised queries (prepared statements) so that
single quotes in input are treated as data, not as SQL.
4. Allow only known good input.
5. Use stored procedures (they only help if they do not build dynamic SQL internally).
6. Data validation (to ensure the input is not malicious code).
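The following Python block is an added example, not code from the original notes. It puts a login query built by string concatenation beside a parameterised one, both run against an in-memory SQLite table with constructed data, and shows the classic login bypass succeeding against the first and failing against the second. The table, the user record and the payload are assumptions made for the example; the password is stored in clear only to keep the example short, a real application stores salted hashes.

```python
# Added example (not from the notes): login bypass via SQL injection and the
# parameterised query that prevents it.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Attacker-controlled text becomes part of the SQL statement itself."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters are passed as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Constructed payload. In the concatenated query it yields
#   WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so the first user is "logged in".
BYPASS = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, BYPASS, BYPASS))
    print("hardened,   bypass payload:", login_hardened(db, BYPASS, BYPASS))
    print("hardened,   real password: ", login_hardened(db, "alice", "correct horse battery"))
```

A lone single quote sent to login_vulnerable raises a database syntax error; if that error text reaches the browser it is exactly the verbose message item 1 tells you to suppress, and it is the first sign a black box tester looks for.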

Information leakage and improper error handling:-


Applications can unintentionally leak
information about their configuration, internal workings, or violate privacy through a variety of
application problems. Attackers use this weakness to steal sensitive data or conduct more serious
attacks.

Improper error handling protection:-


Prevent display of detailed internal error messages including
stack traces, messages with database or table names, protocols, and other error codes. (This can provide
attackers clues as to potential flaws.)
Good error handling systems should always enforce the security scheme in place while still being able
to handle any feasible input.
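The following Python block is an added example, not code from the original notes. It contrasts a request wrapper that returns the exception text to the client with one that logs the details server-side and returns only a generic message plus a reference ID the user can quote to support. The failing handler and its error text are constructed for the example.

```python
# Added example (not from the notes): generic error responses with a
# server-side reference, beside the leaky version.
import logging
import uuid

log = logging.getLogger("app")

def handle_leaky(handler, *args):
    """Returns the raw exception to the client: table names, drivers, paths leak."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        return 500, f"Error: {exc!r}"

def handle_hardened(handler, *args):
    """Logs full detail server-side; the client sees only a reference ID."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex   # correlates the user's report with the server log
        log.exception("unhandled error in %s, reference %s", handler.__name__, ref)
        return 500, f"An internal error occurred. Reference: {ref}"

def lookup_order(order_id):
    """Constructed handler that fails the way a database call would."""
    raise RuntimeError(f"no such table: customer_orders (order {order_id})")

if __name__ == "__main__":
    print(handle_leaky(lookup_order, 7))
    print(handle_hardened(lookup_order, 7))
```

The reference ID is the piece practitioners usually forget: without it the help desk cannot find the matching stack trace, and developers are tempted to put the detail back into the response.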

Session hijacking:-
The term session hijacking refers to the exploitation of a valid computer session -
sometimes also called a session key - to gain unauthorized access to information or services in a
computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a
user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to
maintain a session on many web sites can be easily stolen by an attacker using an intermediary
computer or with access to the saved cookies on the victim's computer.

Session hijacking protection:-


1. Session ID
   - Unique to the user
   - Used for only one authenticated session
   - Generated by the server
   - Sent to the client as a hidden variable, an HTTP cookie, or a URL query string (not a good practice)
   - The user is expected to send back the same ID in the next request.

2. Use a long, complex, random session ID that cannot be guessed.

3. Protect the transmission and storage of the session ID to prevent disclosure and hijacking.
4. A URL query string should not be used for the session ID or any user/session information:
-->the URL is stored in the browser history and cache, in proxy and server logs, and leaks via the Referer header.
5. The entire session should be transmitted via HTTPS to prevent disclosure of the session ID (not
just the authentication).
6. The session ID should expire and/or time out (e.g. after 15 minutes) on the server when idle, and be invalidated on logout.
7. Client-side cookie expiration is useful, but should not be trusted.
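The following Python block is an added example, not code from the original notes. It implements the points above as a small server-side session store: a random 256-bit ID from the operating system's CSPRNG, a 15-minute idle timeout enforced on the server, a fresh ID issued at login so a pre-login ID is never reused, and a Set-Cookie value with the attributes that keep the ID off the wire in clear and out of reach of script. The class, cookie name and clock injection are assumptions made for the example.

```python
# Added example (not from the notes): server-side session store with random IDs,
# idle timeout, ID rotation on login and a hardened cookie.
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._sessions = {}          # session id -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 32 random bytes (256 bits), URL-safe text
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None. Idle sessions are dropped."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]          # server-side expiry, not trusting the client
            return None
        entry["last_seen"] = now             # activity refreshes the idle timer
        return entry["user"]

    def rotate(self, old_sid: str, user: str) -> str:
        """Issue a fresh ID when the user authenticates, so an ID handed out
        before login (possibly planted by an attacker) never becomes the
        authenticated session's ID."""
        self.destroy(old_sid)
        return self.create(user)

    def destroy(self, sid: str) -> None:
        """Logout: invalidate on the server, whatever the client still holds."""
        self._sessions.pop(sid, None)

def session_cookie(sid: str) -> str:
    """Set-Cookie value: HTTPS only, unreadable by script, not sent cross-site."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous")
    sid = store.rotate(anon, "alice")
    print(session_cookie(sid))
    print(store.lookup(anon), store.lookup(sid))
```

The Secure attribute is what makes point 5 enforceable: a cookie without it is sent on any plain-HTTP request to the same host, HTTPS login or not.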

Failure to restrict URL access:-


Frequently, an application only protects sensitive functionality by
preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to
access and perform unauthorized operations by accessing those URLs directly.
When the application fails to restrict access to administrative URLs, the attacker can reach normally
unauthorised areas simply by typing the URLs into the browser.

Failure to restrict URL access protection:-


Test Thoroughly!
1. Conduct extensive regression testing to ensure the access control scheme cannot be bypassed
2. Test all invalid access attempts as well as valid access.
3. Don't follow the normal application flow.
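The following Python block is an added example, not code from the original notes. It shows a tiny router that checks the caller's role on every request, so an administrative URL typed directly into the browser is refused even though no link to it is shown, and a self-check that lists routes registered with no access policy at all. The routes, roles and the dispatch return shape are assumptions made for the example.

```python
# Added example (not from the notes): deny-by-default URL access control.
ROUTES = {}   # path -> {"handler", "roles", "public"}

def route(path, roles=None, public=False):
    """Register a handler with its access policy. Omitting both is a finding."""
    def register(handler):
        ROUTES[path] = {"handler": handler,
                        "roles": frozenset(roles or ()),
                        "public": public}
        return handler
    return register

@route("/", public=True)
def index(user):
    return "welcome"

@route("/account", roles={"user", "admin"})
def account(user):
    return f"account of {user['name']}"

@route("/admin/users", roles={"admin"})          # never linked from normal pages
def admin_users(user):
    return "all users"

@route("/reports")                                # policy forgotten: should be flagged
def reports(user):
    return "quarterly report"

def dispatch(path, user):
    """Enforce the policy on every request, not only when rendering links."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    if not entry["public"]:
        if user is None:
            return 401, "login required"
        if user["role"] not in entry["roles"]:   # empty allow-list denies everyone
            return 403, "forbidden"
    return 200, entry["handler"](user)

def unprotected_routes():
    """Routes with neither a role list nor an explicit public flag: review these."""
    return sorted(p for p, e in ROUTES.items() if not e["public"] and not e["roles"])

if __name__ == "__main__":
    print(dispatch("/admin/users", {"name": "bob", "role": "user"}))
    print(dispatch("/admin/users", {"name": "root", "role": "admin"}))
    print("routes without a policy:", unprotected_routes())
```

The third step above, "don't follow the normal application flow", is exactly the test in the block: request /admin/users as a plain user without ever having seen a link to it.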

OWASP 2007 Top ten list:-


A1. Cross-Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Information Leakage & Improper Error Handling
A7. Broken Authentication & Session Management
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access.

Some important points:-


1. Application Security starts with the Architecture and Design
2. Security can’t be added on later without re-designing and rewriting
3. Custom code often introduces vulnerabilities
4. Application vulnerabilities are NOT prevented by traditional security controls.
5. Don’t invent your own security controls
6. Design, Design, Design, code, test, test, test

Source code analysis:-


1. Look at the web application source code
2. Identify cases where user input can reach sensitive functions
3. Related Issues:
--> Need developer and management commitment
--> Need process changes
--> Lots of false positives
--> Language dependent
--> Hard to cover cases when source unavailable
--> Miss issues across modules
Vulnerability assessment:-
1. Obtain Vulnerabilities List by exploring the developed Application
2. Connected Issues:
-> Needs Vulnerability detection Tools
-> For interpretation: Needs Code Access

Manual penetration testing:-


1. Hire experienced companies/professionals to attack your web application
2. Connected Issues:
> High Cost: Testers & vulnerability fixing
> Time (to get people, cover apps)
> Thoroughness: Variability based on the individual
> If you get the right people, can be very effective
> Need to redo with new versions, bug fixes

Automated penetration testing:-


1. Do automated security testing of apps (ideally before deployment)
2. Connected Issues:
>Fits in very nicely with functionality testing
>Doesn’t require process changes
>Doesn’t need to be expensive
>Can’t test for everything manual testers can
>Limitation: Restricted by Tool’s knowledge base

Secured application maintenance:-

Periodic Application Testing:-


1. Continuous testing of applications is extremely important
> New vulnerabilities being discovered all the time
> New methods of attacks are being proposed (both by the black and white hats)
2. With new security test automation tools this isn’t as prohibitive as before
>Automation allows tests to be done automatically
>Time for a retest can be much lower
>With tools, there isn’t a huge consultant cost for a retest

Monitor your Site:-


1. Monitoring your site is important because:
> It lets you know how effective your developer education/testing was
> It alerts you to new attack strings and mechanisms
> It allows you to know if there has been a breach and respond to it
Have a vulnerability policy:-
1. Policy for when a break-in happens or a vulnerability is found
--> Need to have backup and restore processes in place
--> Need to have practice runs of the response process
--> Application firewalls can help while you get a fix for vulnerabilities found in deployed
applications
>Avg time from vulnerability disclosure to exploit: 6.8 days
>Avg time from vulnerability disclosure to patch: 49 days
>The hackers have a faster release process!
Source: Symantec's Internet Security Threat Report IX
-->Need a hot fix process

Security testing Life cycle:-

Threat Analysis --> Code Review --> Vulnerability Assessment --> Penetration Testing --> Remediation
(Code Review is White Box Testing; Vulnerability Assessment and Penetration Testing are Black Box Testing)
Security Testing Process:-
Input: Insecure Web Application
1. Architecture & Design Review --> Threat Analysis: find the important interactions, generate the threat list, map it with the OWASP Top 10 (possible threat list)
2. Code Review --> review the code for the high priority threats --> List of Vulnerabilities
3. Vulnerability Assessment --> vulnerability scanning (AppScan, open source tools) --> List of Vulnerabilities
4. Penetration Testing --> exploit the vulnerabilities
5. Remediation --> suggest remedies / solutions
Why web application security is so important:-
1. Web applications are the #1 focus of Attackers:
>75% of attacks at Application layer
>XSS and SQL Injection are #1 and #2 reported vulnerabilities
2. Web applications are high value targets for Attackers:
>Customer data, credit cards, ID theft, fraud, site defacement, etc.
3. Most sites are vulnerable:
>90% of sites are vulnerable to application attacks
>78% of easily exploitable vulnerabilities affected web applications (Symantec)
>80% of organizations will experience an application security incident by 2010 (Gartner)
