Deconstructing website attacks - Eric Vanderburg
Download as PPTX, PDF1 like496 views
The document discusses various types of website attacks such as injection attacks, cross-site scripting, session management attacks, and object reference attacks. It provides details on the nature of each attack, their potential impacts, and techniques for protecting against them. Some key points are that the average breach costs $214 per record and $7.2 million per incident, while the US is increasing cybersecurity funding by 35% to $548 million. Injection attacks can allow access to entire databases or operating systems if not properly protected against with input validation and encoding. Cross-site scripting can steal user data or install malware if raw user input is reflected in outputs. The document recommends output encoding and validating all user input to prevent attacks.
Deconstructing website attacks - Eric Vanderburg
- 1. Deconstructing website attacks © 2015 Property of JurInnov Ltd. All Rights Reserved Eric A. Vanderburg, MBA, CISSP Director, Information Systems and Security Computer Forensic and Investigation Services
- 2. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved The nature of website attacks • Current state • Attacks – Injection attacks – Cross Site Scripting (XSS) – Session Management attacks – Object reference attacks 2
- 3. © 2015 Property of JurInnov Ltd. All Rights Reserved Threats Impacts Threat and Impact
- 4. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Current state Average breach costs $214 per record Average organizational cost $7.2 million per incident Risk and compliance budgets expected to increase by 21% 4
- 5. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved $548 million The US government is increasing cyber security R&D by 35% to $548 million next year More organized outside attacks Facts and Figures
- 6. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Injection attacks • Injection - Tricking an application into including unintended commands in the data sent to an interpreter • Interpreter – Take strings and interpret them as commands – SQL, OS Shell, LDAP, XPath, Hibernate, etc… • SQL injection – Many applications still susceptible – Even though it’s usually very simple to avoid 6
- 7. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Injection impact • Usually severe. • Entire database can usually be read or modified • May also allow full database schema, or account access, or even operating system level access 7
- 8. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Injection process 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results 5. back to application 6. Application decrypts data as normal and sends results to the user 8
- 9. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Injection Protection • Avoid the interpreter entirely • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), – Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw 9
- 10. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Cross-Site Scripting (XSS) • Cross-Site Scripting (XSS) - Raw data from attacker is sent to an innocent user’s browser • Raw data – Stored in database – Reflected from web input (form field, hidden field, URL, etc…) – Sent directly into rich JavaScript client 10
- 11. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved XSS Example • Try this in your browser • javascript:alert(document.cookie) 11
- 12. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved XSS Impact • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites 12
- 13. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved XSS Protection • Eliminate Flaw – Don’t include user supplied input in the output page • Defend Against the Flaw – Primary Recommendation: Output encode all user supplied input – Perform ‘white list’ input validation on all user input to be included in page – For large chunks of user supplied HTML, use OWASP’s AntiSamy to sanitize this HTML to make it safe 13
- 14. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Session Management • HTTP as a stateless protocol – Credentials have to go with every request – SSL should be used for everything requiring authentication • Session management flaws – SESSION ID used to track state since HTTP doesn’t – SESSION ID is typically exposed on the network, in browser, in logs 14
- 15. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Session Management • Methods – Change my password – Remember my password – Forgot my password – Secret question – Logout – email address • Impact - User accounts compromised or user sessions hijacked 15
- 16. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Protection techniques • Verify your architecture – Authentication should be simple, centralized, and standardized – Use the standard session id provided by your container – Be sure SSL protects both credentials and session id at all times • Verify the implementation – Forget automated analysis approaches – Check your SSL certificate – Examine all the authentication-related functions – Verify that logoff actually destroys the session – Use WebScarab to test the implementation 16
- 17. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Object references • Caused by failed access control at the presentation layer allowing attackers to modify parameter values. – Only listing the ‘authorized’ objects for the current user, or – Hiding the object references in hidden fields and then not enforcing these restrictions on the server side • Impact - Users are able to access unauthorized files or data 17
- 18. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Example • www.banking.com/user?acct=10579 • Attacker notices his acct parameter is 10579 ?acct=10579 • He modifies it to a nearby number ?acct=10580 • Attacker views the victim’s account information 18
- 19. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Protection techniques • Eliminate the direct object reference • Replace them with a temporary mapping value • ESAPI provides support for numeric & random mappings » IntegerAccessReferenceMap » RandomAccessReferenceMap • Validate the direct object reference • Verify the parameter value is properly formatted • Verify the user is allowed to access the target object • Verify the requested mode of access is allowed to the target object (e.g., read, write, delete) 19
- 20. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Cross Site Request Forgery (CSRF) • Cross Site Request Forgery (CSRF) – An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application – Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request 20
- 21. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Impact • Initiate transactions – transfer funds – close account • Access sensitive data • Change account details 21
- 22. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Protection techniques • Add a secret, not automatically submitted, token to ALL sensitive requests – This makes it impossible for the attacker to spoof the request – Tokens should be cryptographically strong or random • Don’t allow attackers to store attacks on your site – Properly encode all input on the way out – This renders all links/requests inert in most interpreters 22
- 23. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved Protection techniques • Store a single token in the session and add it to all forms and links – Hidden Field: <input name="token" value="687965fdfaew87agrde" type="hidden"/> – Single use URL: /accounts/687965fdfaew87agrde – Form Token: /accounts?auth=687965fdfaew87agrde … • Use hidden fields so that the token in a referrer header is not exposed • Have a unique token for each function • Require secondary authentication for functions 23
- 24. © 2015 Property of JurInnov Ltd. All Rights Reserved Questions
- 25. © 2015 Property of JurInnov Ltd. All Rights Reserved© 2015 Property of JurInnov Ltd. All Rights Reserved For assistance or additional information • Phone: 216-664-1100 • Web: www.jurinnov.com • Email: eric.vanderburg@jurinnov.com • Twitter: @evanderburg • Facebook: www.facebook.com/VanderburgE • Linkedin: www.linkedin.com/in/evanderburg • Youtube: www.youtube.com/user/evanderburg JurInnov Ltd. The Idea Center 1375 Euclid Avenue, Suite 400 Cleveland, Ohio 44115