SlideShare a Scribd company logo

Andrew Useckas Csa presentation hacking custom webapps 4 3

Download as PPTX, PDF
T
Trish McGinity, CCSK

The document discusses securing custom web applications and the challenges involved. It notes that web applications are often overlooked during design and development, leaving them exposed to attacks. The document then covers various attack vectors hackers use against web applications, such as exploiting authentication, session management, access controls, and lack of input validation. It recommends secure development practices, next-generation web application firewalls, and penetration testing to help secure custom web applications.

Technology
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
www.cloudsecurityalliance.org Custom web applications as a way into your internal network Andrew Useckas Copyright © 2016 Cloud Security Alliance
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Introduction • Securing custom web applications is more challenging than most people realize: - Security is often overlooked during design and development - As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world - There’s big money in hacking and web applications are seen as an easy target with potential to use them as a jump board to the internal network or private customer cloud - No “security patch” for custom WebApps (vs. infrastructure) • It’s simply not as difficult to compromise a web application as most people think - You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance About Me • CTO at Threat X working on a new approach to Web Application security. • Over 15 years of experience in penetration testing / ethical hacking. • Author and architect of multiple security sensors. • Consulted for multiple enterprises in technical and compliance aspects of security.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Agenda • Basic overview of hacker’s mindset. • Overview of most currently popular security measures. • Web Application Attacks • Authentication • Session Management • Access Controls • Client Side checks • Server Side checks
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Who is the target? • According to Verizon 2016 DBIR Report: • 40% of confirmed breaches were Web App Attacks. • 95% of confirmed WebApp breaches financially motivated. • Top Industries attacked: Finance, Information, Retail. • Higher percentage of confirmed data disclosure as security measures are lacking. • Botnets. Is my company too small to be attacked? • My perimeter is secure – we run quarterly scans.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance The wild west of WebApps • Security is often an afterthought. Time to market is more important than security. • Developer education on safe coding techniques is lacking. • Traditional Layer 3 firewall does nothing for WebApp Security. • IDS / IPS systems do very little as the focus is more on the network applications. • New ciphers use ephemeral keys making it harder to decrypt and examine the flows at the edge (no more decryption in passive sensors). • Piping all the logs to a SIEM tool may overwhelm the administrators. • Most of these tools are useless in a cloud deployment model.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Tools • Browser – Firefox • Intercepting Proxy – Burpsuite • SQLMap • Target apps – Bodgeit from Google
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Authentication • Login forms are often the first thing a hacker will try to break. • Common issues: • Weak or default passwords • Default pages • Guessable protected URIs • Navigation tree leaks in JS • Lack of proper server side sanitization
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Session Management • Sessions are used to track users • First line of defense • Common attacks • Session hijacking • Missing idle session timeouts • Session riding (CSRF) • Cookie manipulation
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Access Controls • Defective access controls are often used after the initial penetration. • Hidden information in HTML • Information leaks through JS • Horizontal privilege escalation • Vertical privilege escalation
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Client Side Checks • Validation of input fields before they are passed to the server • Usually based on JS • Can be easily bypassed with transparent proxy
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Server Side Checks • Server side usually talking to a database engine such as MySql. • User input can be passed to the backend scripts without proper validation, resulting in the backend attacks such as SQL injection (SQLi). • SQLi can be used to • Bypass authentication controls • Bypass access controls • Execute full database dumps • Write script files to the remote file system. Scripts can then be executed from the browser giving an attacker shell access to the remote system
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Further Exploits • It is possible to upload server side scripts via backends such as MySQL. • Scripts can then be executed from the browser giving shell access. • Sample injection: UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Parting Recommendations • Secure development and QA • Next-generation Web Application Firewall • Pen testing
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance References • Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights- lab/dbir/

More Related Content

PPTX
The cyber house of horrors - securing the expanding attack surface
Jason Bloomberg
 
PDF
Web Application Firewall - Web Application & Web Services Security integrated...
Thomas Malmberg
 
PPTX
Why Network and Endpoint Security Isn’t Enough
Imperva
 
PDF
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
centralohioissa
 
PDF
The Non-Advanced Persistent Threat
Imperva
 
PPTX
Mitigating the Top 5 Cloud Security Threats
Bitglass
 
PDF
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
Imperva
 
PPTX
All your files now belong to us
Peter Wood
 
The cyber house of horrors - securing the expanding attack surface
Jason Bloomberg
 
Web Application Firewall - Web Application & Web Services Security integrated...
Thomas Malmberg
 
Why Network and Endpoint Security Isn’t Enough
Imperva
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
centralohioissa
 
The Non-Advanced Persistent Threat
Imperva
 
Mitigating the Top 5 Cloud Security Threats
Bitglass
 
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus
Imperva
 
All your files now belong to us
Peter Wood
 

What's hot (20)

PDF
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
Imperva
 
PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
PPT
Why current security solutions fail
DaveEdwards12
 
PDF
More databases. More hackers.
Imperva
 
PDF
Top Five Security Must-Haves for Office 365
Imperva
 
PPTX
Security O365 Using AI-based Advanced Threat Protection
Bitglass
 
PDF
Trust No One - Zero Trust on the Akamai Platform
Elisabeth Bitsch-Christensen
 
PPTX
Shared Security Responsibility in the AWS Public Cloud
Alert Logic
 
PPTX
What's Wrong with Vulnerability Management & How Can We Fix It
Skybox Security
 
PPTX
Man in the Cloud Attacks
Imperva
 
PDF
Extend Enterprise Application-level Security to Your AWS Environment
Imperva
 
PPT
The State of Application Security: Hackers On Steroids
Imperva
 
PPTX
5 Steps to Reduce Your Window of Vulnerability
Skybox Security
 
PDF
Zero trust in a hybrid architecture
Hybrid IT Europe
 
PDF
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
ColorTokens Inc
 
PPTX
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Digital Bond
 
PPTX
The Top 10 Most Common Weaknesses in Serverless Applications 2018
PureSec
 
PPTX
Network Security Best Practices - Reducing Your Attack Surface
Skybox Security
 
PDF
CyberArk Cleveland Defend End Point Infection and Lateral Movement
Chad Bowerman
 
PPTX
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
Imperva
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
Why current security solutions fail
DaveEdwards12
 
More databases. More hackers.
Imperva
 
Top Five Security Must-Haves for Office 365
Imperva
 
Security O365 Using AI-based Advanced Threat Protection
Bitglass
 
Trust No One - Zero Trust on the Akamai Platform
Elisabeth Bitsch-Christensen
 
Shared Security Responsibility in the AWS Public Cloud
Alert Logic
 
What's Wrong with Vulnerability Management & How Can We Fix It
Skybox Security
 
Man in the Cloud Attacks
Imperva
 
Extend Enterprise Application-level Security to Your AWS Environment
Imperva
 
The State of Application Security: Hackers On Steroids
Imperva
 
5 Steps to Reduce Your Window of Vulnerability
Skybox Security
 
Zero trust in a hybrid architecture
Hybrid IT Europe
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
ColorTokens Inc
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Digital Bond
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
PureSec
 
Network Security Best Practices - Reducing Your Attack Surface
Skybox Security
 
CyberArk Cleveland Defend End Point Infection and Lateral Movement
Chad Bowerman
 
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 

Viewers also liked (17)

PPT
I Love Linux - Pawel Zorzan Urban & Bocelli Davide
Pawel Zorzan Urban
 
DOCX
Salomon 7e
IE Simona Duque
 
PDF
&lt;img src="xx">
testslidesha12
 
PDF
One pagepdf
testslidesha12
 
PPT
Startup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba
 
PPTX
4_C_CEM_2016
Alexis Rodriguez
 
PPTX
Ed Rios - New ncc brief
Trish McGinity, CCSK
 
DOCX
Resultados finales municipio_de_giraldo
alcaldiagiraldo antioquia
 
PDF
Underground hacker Nazionale - Clima & Eventi
Pawel Zorzan Urban
 
PDF
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Pawel Zorzan Urban
 
PPTX
Privileged accesss management for den csa user group CA Technologies
Trish McGinity, CCSK
 
PPT
Hrvatska u napoleonovo doba
Škola Futura
 
PPT
Napoleon bonaparte
Škola Futura
 
PPT
Engleska u 18. stoljeću
batica1
 
PPT
Diseño e innovación
R. Sosa
 
PDF
Understanding the evolving healthcare ecosystem -- Aimia -- 052714
David Nickelson, PsyD, JD
 
PDF
Ready
Agus Cahyo
 
I Love Linux - Pawel Zorzan Urban & Bocelli Davide
Pawel Zorzan Urban
 
Salomon 7e
IE Simona Duque
 
&lt;img src="xx">
testslidesha12
 
One pagepdf
testslidesha12
 
Startup Sorocaba: Palestra Davi Paunovic - Pivotagem
Startup Sorocaba
 
4_C_CEM_2016
Alexis Rodriguez
 
Ed Rios - New ncc brief
Trish McGinity, CCSK
 
Resultados finales municipio_de_giraldo
alcaldiagiraldo antioquia
 
Underground hacker Nazionale - Clima & Eventi
Pawel Zorzan Urban
 
Sicurezza Informatica e Hacking - Università di Teramo 23/10/2015
Pawel Zorzan Urban
 
Privileged accesss management for den csa user group CA Technologies
Trish McGinity, CCSK
 
Hrvatska u napoleonovo doba
Škola Futura
 
Napoleon bonaparte
Škola Futura
 
Engleska u 18. stoljeću
batica1
 
Diseño e innovación
R. Sosa
 
Understanding the evolving healthcare ecosystem -- Aimia -- 052714
David Nickelson, PsyD, JD
 
Ready
Agus Cahyo
 

Similar to Andrew Useckas Csa presentation hacking custom webapps 4 3 (20)

PPT
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
PPT
Cloud security
Tushar Kayande
 
PDF
Presd1 10
Niels Groeneveld
 
PDF
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
 
PDF
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
PPTX
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
PPT
Insecurity in security products 2013
DaveEdwards12
 
PPTX
Application Control - Maintenance Headache or Manageable Solution?
Ivanti
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PPTX
A DevOps Guide to Web Application Security
Imperva Incapsula
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
PDF
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Decisions
 
PPTX
Top Application Security Trends of 2012
DaveEdwards12
 
PPTX
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
John Moran
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Top Cyber Security Trends for 2016
Imperva
 
PPTX
Cloud Security: A matter of trust?
Mark Williams
 
PDF
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
petchphumsanit40
 
PDF
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Cloud security
Tushar Kayande
 
Presd1 10
Niels Groeneveld
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
Insecurity in security products 2013
DaveEdwards12
 
Application Control - Maintenance Headache or Manageable Solution?
Ivanti
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
A DevOps Guide to Web Application Security
Imperva Incapsula
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Decisions
 
Top Application Security Trends of 2012
DaveEdwards12
 
Defending Today's Threats with Tomorrow's Security by Microsoft by Aidan Finn
John Moran
 
Realities of Security in the Cloud
Alert Logic
 
Top Cyber Security Trends for 2016
Imperva
 
Cloud Security: A matter of trust?
Mark Williams
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
petchphumsanit40
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Controlling Access to IBM i Systems and Data
Precisely
 

More from Trish McGinity, CCSK (14)

PDF
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
PPTX
Privacy 101
Trish McGinity, CCSK
 
PPTX
Cloud Seeding
Trish McGinity, CCSK
 
PPTX
Token Binding as the Foundation for a More Secure Web
Trish McGinity, CCSK
 
PPTX
Security and Automation: Can they work together? Can we survive if they don't?
Trish McGinity, CCSK
 
PDF
GDPR Overview
Trish McGinity, CCSK
 
PDF
Practical AWS Security - Scott Hogg
Trish McGinity, CCSK
 
PDF
CSA colorado 2016 presentation CloudPassage
Trish McGinity, CCSK
 
PPTX
Csa presentation november 2016 sloane ghx
Trish McGinity, CCSK
 
PPTX
Steve Kosten - Exploiting common web application vulnerabilities
Trish McGinity, CCSK
 
PPTX
Shawn Harris - CCSP SAH v2
Trish McGinity, CCSK
 
PPTX
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Trish McGinity, CCSK
 
PPTX
Scott Hogg - Gtri cloud security knowledge and certs
Trish McGinity, CCSK
 
PPTX
Davitt Potter - CSA Arrow
Trish McGinity, CCSK
 
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Trish McGinity, CCSK
 
Privacy 101
Trish McGinity, CCSK
 
Cloud Seeding
Trish McGinity, CCSK
 
Token Binding as the Foundation for a More Secure Web
Trish McGinity, CCSK
 
Security and Automation: Can they work together? Can we survive if they don't?
Trish McGinity, CCSK
 
GDPR Overview
Trish McGinity, CCSK
 
Practical AWS Security - Scott Hogg
Trish McGinity, CCSK
 
CSA colorado 2016 presentation CloudPassage
Trish McGinity, CCSK
 
Csa presentation november 2016 sloane ghx
Trish McGinity, CCSK
 
Steve Kosten - Exploiting common web application vulnerabilities
Trish McGinity, CCSK
 
Shawn Harris - CCSP SAH v2
Trish McGinity, CCSK
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Trish McGinity, CCSK
 
Scott Hogg - Gtri cloud security knowledge and certs
Trish McGinity, CCSK
 
Davitt Potter - CSA Arrow
Trish McGinity, CCSK
 

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Cloud computing and distributed systems.
kkkkkhan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
A Presentation on Artificial Intelligence
memembruh336
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

Andrew Useckas Csa presentation hacking custom webapps 4 3

  • 1. www.cloudsecurityalliance.org Custom web applications as a way into your internal network Andrew Useckas Copyright © 2016 Cloud Security Alliance
  • 2. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Introduction • Securing custom web applications is more challenging than most people realize: - Security is often overlooked during design and development - As long as the site is indexed by at least one search engine, it is exposed to hacks, attacks, and full-blown assaults from anywhere in the world - There’s big money in hacking and web applications are seen as an easy target with potential to use them as a jump board to the internal network or private customer cloud - No “security patch” for custom WebApps (vs. infrastructure) • It’s simply not as difficult to compromise a web application as most people think - You don’t have to be a hacking wiz to exploit most badly written apps – there are plenty of tools out there to help you do it
  • 3. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance About Me • CTO at Threat X working on a new approach to Web Application security. • Over 15 years of experience in penetration testing / ethical hacking. • Author and architect of multiple security sensors. • Consulted for multiple enterprises in technical and compliance aspects of security.
  • 4. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Agenda • Basic overview of hacker’s mindset. • Overview of most currently popular security measures. • Web Application Attacks • Authentication • Session Management • Access Controls • Client Side checks • Server Side checks
  • 5. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Who is the target? • According to Verizon 2016 DBIR Report: • 40% of confirmed breaches were Web App Attacks. • 95% of confirmed WebApp breaches financially motivated. • Top Industries attacked: Finance, Information, Retail. • Higher percentage of confirmed data disclosure as security measures are lacking. • Botnets. Is my company too small to be attacked? • My perimeter is secure – we run quarterly scans.
  • 6. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance The wild west of WebApps • Security is often an afterthought. Time to market is more important than security. • Developer education on safe coding techniques is lacking. • Traditional Layer 3 firewall does nothing for WebApp Security. • IDS / IPS systems do very little as the focus is more on the network applications. • New ciphers use ephemeral keys making it harder to decrypt and examine the flows at the edge (no more decryption in passive sensors). • Piping all the logs to a SIEM tool may overwhelm the administrators. • Most of these tools are useless in a cloud deployment model.
  • 7. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Tools • Browser – Firefox • Intercepting Proxy – Burpsuite • SQLMap • Target apps – Bodgeit from Google
  • 8. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Authentication • Login forms are often the first thing a hacker will try to break. • Common issues: • Weak or default passwords • Default pages • Guessable protected URIs • Navigation tree leaks in JS • Lack of proper server side sanitization
  • 9. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Session Management • Sessions are used to track users • First line of defense • Common attacks • Session hijacking • Missing idle session timeouts • Session riding (CSRF) • Cookie manipulation
  • 10. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Access Controls • Defective access controls are often used after the initial penetration. • Hidden information in HTML • Information leaks through JS • Horizontal privilege escalation • Vertical privilege escalation
  • 11. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Client Side Checks • Validation of input fields before they are passed to the server • Usually based on JS • Can be easily bypassed with transparent proxy
  • 12. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Server Side Checks • Server side usually talking to a database engine such as MySql. • User input can be passed to the backend scripts without proper validation, resulting in the backend attacks such as SQL injection (SQLi). • SQLi can be used to • Bypass authentication controls • Bypass access controls • Execute full database dumps • Write script files to the remote file system. Scripts can then be executed from the browser giving an attacker shell access to the remote system
  • 13. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Further Exploits • It is possible to upload server side scripts via backends such as MySQL. • Scripts can then be executed from the browser giving shell access. • Sample injection: UNION SELECT '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>',null INTO OUTFILE '/some/webdir/dir/cmd.jsp'
  • 14. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance Parting Recommendations • Secure development and QA • Next-generation Web Application Firewall • Pen testing
  • 15. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance References • Verizon DBIR report: http://www.verizonenterprise.com/verizon-insights- lab/dbir/

Editor's Notes