Web Application Security 101
Download as PPTX, PDF0 likes256 views
The document discusses web security fundamentals, emphasizing the importance of integrating security throughout the Software Development Life Cycle (SDLC). It categorizes vulnerabilities into technical, logical, and configuration issues while detailing specific examples and recommended fixes for each type of vulnerability, such as SQL injections and insecure deserialization. The importance of threat modeling and monitoring is also highlighted to prevent breaches and ensure application security.
Web Application Security 101
- 1. Recap: WebSec 101 Jannis Kirschner
- 3. S-SDLC • Secure Software Development Lifecycle • Integrating security measures in every part of the SDLC
- 5. OWASP Top 10 • Open Web Application Standard Project • List of current threats • Sorted by likelihood + impact • Updated every few years • Translated to several languages
- 6. Security Can Be Split Into 3 Classes Technical Logical Configuration Issues A1 Injection A2 Broken Authentication A3 Sensitive Data Exposure A4 XXE A5 Broken Access Control A6 Security Misconfiguration A7 XSS A9 Known Vulns A8 Insecure Deserialization A10 Insufficient Logging
- 7. Technical Vulnerabilities • Usually easiest to spot • Happens when data doesn’t get properly validated/escaped • When software can’t distinguish between data und logic context • Common examples are Injections, XXE, Buffer Overflows • Fixes usually involve validation
- 8. A1 Injection • Root Cause: When data input gets interpreted as code (sql, xml, ldap) • Impact: Depends on sql server config (from CRUD operations to RCE) • Fix: Prepared Statements, Stored Procedures, (Escaping) • Can be «blind» = no feedback from application (can be leaked by factors like time, different behaviour) 1) ‘ characters from input field get interpreted as sql query code 2) Query evaluates statement to true and returns all entries
- 9. A4 XXE • Root-Cause: Happens when external DTD’s/Stylesheets get resolved • Impact: Read arbitrary files & «portscan» (RCE with libs like php expect) • Fix: Disable parsing 1) Read file and save as DTD 2) Print content of «DTD»
- 10. A7 XSS • Root Cause: Browser interprets data as javascript code • Impact: Leak (non http-only) cookies, redirections... • Fix: Output escaping, CSP-Headers, NoScript • Multiple types: • 1: Reflected = Requires user interaction (eg. click on link) • 2: Stored = Affects all users because stored on server • 3: Dom-based = Never reaches server 1) User opens link, reflected js gets executed 2) User visits guestbook, stored js gets executed 3) User opens link, dom-based js gets executed 4) Because location.search gets text 5) And attr «rewrites» object
- 11. A8 Insecure Deserialization («Object Injection») • Root Cause: When serialized data (serialize, pickle, yaml) gets trusted/evaluated • Impact: From privilege escalation to rce • Fix: Validation 1) Input gets trusted, user becomes admin through setting flag clientside 2) User sends serialized object 3) Server deserializes data 4) Object gets interpreted as «inject» variable 5) Variable gets evaluated leading to RCE
- 12. Logical Vulnerabilities • Errors in application logic • Harder to identify • Examples are Access Control Issues, Race Conditions, Unexpected Behaviour • Fixes can range from validation to redesign of application
- 13. A2 Broken Authentication • Collection of issues connected to the authentication process • Examples are user pw’s not hashed, no session timeout, no rotating session id’s etc... • Fix: Application redesign, Implementation MFA
- 14. A5 Broken Access Control • Collection of issues connected to authorisation • Impact: Sensitive Data Exposure, Privilege Escalation • Fix: ACL’s and validation 1) Attacker could input arbitrary account name and view private information
- 15. Configuration Issues • Often easy to find by scanners • Can be caused when software is misconfigured • Examples are Path Traversal, Using Vulnerable Libraries, Unsufficient Logging, Open AWS S3 buckets etc... • Usually patched by editing configuration files
- 16. A3 Sensitive Data Exposure • Collection of issues regarding sensitive data • Examples are plaintext protocols, default crypto keys, public S3 buckets
- 17. A6 Security Misconfiguration • Collection of issues regarding various misconfigurations • Examples are unnecessary open ports, path traversal, default passwords, public error logs Admin:Admin
- 18. A9 Components with known vulnerabilities • Using libraries that contain known vulnerable code • Can be checked with: https://www.cvedetails.com/ • Case-Study: JS Event-Stream Library
- 19. A10 Insufficient Logging and Monitoring • When security issues only get detected after a breach or can’t be reconstructed due to missing logs • Logging/Monitoring has to be part of every step of the S-SDLC