Credera is a full-service management and technology consulting firm that provides expert, objective advice to help solve complex business and technology challenges for clients ranging from Fortune 1000 companies to emerging industry leaders. The firm has multiple U.S. offices located in Dallas, Houston, Austin, and Denver.
Take It to the Cloud: The Evolution of Security Architecture
Addressing Top Dallas Web Security Threats
1. Credera is a full-service management and Dallas Office Houston Office Austin Office Denver Office
15303 Dallas Parkway 800 Town & Country Blvd 9020 N Capital of Texas Hwy 5445 DTC Parkway
technology consulting firm. Our clients range Suite 300 Suite 300 Suite 345 Suite 1040
from Fortune 1,000 companies to emerging Addison, TX 75001 Houston, TX 77024 Austin, TX 78759 Greenwood Village, CO 80111
industry leaders. We provide expert, objective
advice to help solve complex business and 972.692.0010 Phone 713.496.0711 Phone 512.327.1112 Phone 303.623.1344 Phone
technology challenges. 972.692.0019 Fax 713.401.9650 Fax 512.233.0844 Fax 303.484.4577 Fax
2. Addressing Top Security
Threats in Web Applications
Dallas, TX
February 12, 2013
Dallas Web Security Group Inaugural Meeting
Dustin Talk
Josh Hamit
Discussion document – Strictly Confidential & Proprietary
3. Agenda …
Welcome to the Dallas Web Security User Group, where we will discuss all things
related to web security
• Introductions
• Expectations and Objectives
• Why is Security Important?
• What are Common Security Issues?
– The OWASP Top 10
• How Common are Security Vulnerabilities?
– 2012 Research Findings
• Looking at Some Examples
– SQL Injection (SQLi)
– Cross Site Scripting (XSS)
– A Real Life Example
• What Can I do?
• Q&A
Dallas Web Security Group
2/13/2013 3
5. Introductions…
Dustin Talk and Josh Hamit (both not Anonymous)
Dustin Talk
Dustin Talk is an Architect with Credera in the eCommerce practice. He holds a B.S. and Masters
degree in Computer Science from Texas A&M University. Dustin has several years experience in
custom web application development with a focus on security, emerging technologies, and
Spring/JPA Frameworks. During tenure with Credera, he has led and worked on various teams
building applications in Java including supply chain optimization, large scale eCommerce
implementations utilizing Broadleaf Commerce, and eCommerce conversion efforts.
Past Presentations:
• OWASP Top 10 - Live Exploits by Example
• Stripe’s Capture The Flag #2
• OAuth 1.0 / 2.0
• OpenID
Josh Hamit
Joshua Hamit is a Consultant in the Custom Java Development Practice at Credera. He earned
his B.B.A in Management Information Systems from Baylor University. Joshua has several years
experience designing and implementing technology solutions utilizing a broad range of
technologies while adhering to industry best practices. While at Credera, he has lead the design
and implementation of multiple single sign-on authentication systems, enterprise integrations,
complex UI solutions, analytic tracking pixels, and mobile web applications.
Past Presentations:
• Addressing Cross-Cutting Concerns with AOP
• Functional Testing with Geb
• Stripe’s Capture The Flag #2
• Effective Front-End Design with SASS
Dallas Web Security Group
2/13/2013 5
7. Expectations and Objectives …
The Organizational Goal is to equip you with knowledge that you may
incorporate in your job, your next project, or just to have fun (not lulz)
Participant Expectations
• Focus on DFW Area
• Provide Education to Seed Investigation
• Learn more about Software / Infrastructure / etc…
Dallas Web Security Group
2/13/2013 7
8. Why is Security Important?
Dallas Web Security Group
2/13/2013 8
9. Why is Security Important? …
Not limited to business the web is a mans to showcase capabilities and engage
with others providing hackers with a variety of attack vectors to be defended
The Importance of Security
• Legal Risk: Many organizations are legally bound to protect privacy and security, this is often an
integral part of application development
– COPPA
– HIPPA
– Sarbanes-Oxley
– PCI Compliance
• Financial Risk: Computer security attacks cost $48 billion in 2011
– 2011 cost of individual data breach estimated to be $5.5 million
– Organized hacking groups may be more well funded than your IT department
• Reputation Risk: Trust is a key component to customer adoption and retention
– 20% of businesses that lost data, lost customers as a direct result
– The reputation impact of a single angry customer may be from 40-80 people
• Doxing: Living in a digital information age allows others to know more about you than ever before
– Expectation of privacy, when there may be none due to data leakage
– Can be used to encroach on physical security
*https://devcentral.f5.com/blogs/us/quantifying-reputation-loss-from-a-breach
Dallas Web Security Group
http://www.informationweek.com/security/attacks/data-breach-costs-drop/232602891
2/13/2013 9
http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/
10. Why is Security Important? …
With constant code deployments and a steady stream of exploits released the
organizational importance placed on web security does not vary
The Importance of Security
Website security is a moving target. New attacks techniques are frequently disclosed. New website
launches are common. New Web technologies are made available every day. New application code is
released constantly. Enterprises need timely information about how they can best defend their
websites, gain visibility into their vulnerability lifecycle, measure the performance of their security
programs, and determine how they compare to their industry peers. Establishing these metrics is crucial
towards improving enterprise security.
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 10
11. What are Common Security Issues?
Dallas Web Security Group
2/13/2013 11
12. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#1 – Injection
Pro Tip: Let Google find these exploitable pages for you by searching
for them (ex: “intext:SQL syntax & inurl:index.php?=id & inurl:edu”
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 12
13. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#2 – Cross Site Scripting (XSS)
Occurs any time…
•Raw data from attacker is sent to an innocent user’s browser
Raw data…
•Stored in database
•Reflected from web input (form field, hidden field, URL, etc…)
•Sent directly into rich JavaScript client
Virtually every web application has this problem
•Try this in your browser – javascript:alert(document.cookie)
Typical Impact
•Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware
site
•Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on
vulnerable site and force user to other sites
Pro Tip: Use a cheat sheet when penetration testing for this
(http://ha.ckers.org/xsscalc.html)
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 13
14. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#3 – Broken Authentication and Session Management
HTTP is a “stateless” protocol
•Means credentials have to go with every request
•Should use SSL for everything requiring authentication
Session management flaws
•SESSION ID used to track state since HTTP doesn’t
•and it is just as good as credentials to an attacker
•SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
•Change my password, remember my password, forgot my password, secret question, logout,
email address, etc…
Typical Impact
•User accounts compromised or user sessions hijacked
Pro Tip: Using tools like Cookie Cadger can quickly help check Session
Management or hijacking issues
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 14
15. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#4 – Insecure Direct Object References
How do you protect access to your data?
• This is part of enforcing proper “Authorization”, along with
A7 – Failure to Restrict URL Access
A common mistake …
• Only listing the ‘authorized’ objects for the current user, or
• Hiding the object references in hidden fields
• … and then not enforcing these restrictions on the server side
• This is called presentation layer access control, and doesn’t work
• Attacker simply tampers with parameter value
Typical Impact
• Users are able to access unauthorized files or data
Pro Tip: Using Google’s cache feature can tell hackers how a page’s
form used to appear on a site
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 15
16. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#5 – Cross Site Request Forgery (CSRF)
Cross Site Request Forgery
• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web
application
• Vulnerability is caused by browsers automatically including user authentication data (session ID,
IP address, Windows domain credentials, …) with each request
Imagine…
• What if a hacker could steer your mouse and get you to click on links in your online banking
application?
• What could they make you do?
Typical Impact
• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details
Pro Tip: HTML Image Tags can be easily used for CSRF as the ‘src’
element can be any HTTP location and does not have to be an image
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 16
17. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#6 – Security Misconfiguration
Pro Tip: The Metasploit Framework provides a vast repository of tests
for security misconfigurations
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 17
18. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#7 – Insecure Cryptographic Storage
Storing sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Databases, files, directories, log files, backups, etc.
• Failure to properly protect this data in every location
Typical Impact
• Attackers access or modify confidential or private information
• e.g, credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology letters,
reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined
Pro Tip: Never hash passwords, use bcyrpt. In 3 days on old hardware
we are able to reverse over 300,000 complex hashed passwords
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 18
19. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#8 – Avoiding URL Access Control Flaws
For each URL, a site needs to do 3 things
•Restrict access to authenticated users (if not public)
•Enforce any user or role based permissions (if private)
•Completely disallow requests to unauthorized page types (e.g., config files, log files, source files, etc.)
Verify your architecture
•Use a simple, positive model at every layer
•Be sure you actually have a mechanism at every layer
Verify the implementation
•Forget automated analysis approaches
•Verify that each URL in your application is protected by either
•An external filter, like Java EE web.xml or a commercial product
•Or internal checks in YOUR code – Use ESAPI’s isAuthorizedForURL() method
•Verify the server configuration disallows requests to unauthorized file types
•Use WebScarab or your browser to forge unauthorized requests
Pro Tip: Using Google you can quickly find admin login url’s (ex: search
for “inurl:admin/login.php”)
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 19
20. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#9 – Insufficient Transport Layer Protection
Transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data is sent
• On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location
Typical Impact
• Attackers access or modify confidential or private information
• e.g, credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident
• Business gets sued and/or fined
Pro Tip: While most servers attempt to promote a TLS connection, they
will usually still accept a less secure SSL 2.0 connection
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 20
21. What are Common Security Issues? …
OWASP collects data from successful web application attacks to produce a list
of the top 10 web attacks seen over the past year by security experts
#10 – Unvalidated Redirects and Forwards
Web application redirects are very common
• And frequently include user supplied parameters in the destination URL
• If they aren’t validated, attacker can send victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, attacker may be able to use unvalidated forward to bypass
authentication or authorization checks
Typical Impact
• Redirect victim to phishing or malware site
• Attacker’s request is forwarded past security checks, allowing unauthorized function or
data access
Pro Tip: Most firewalls attempt to prevent this by blocking the text
“http://” in URLs, however using just “//” works in most browsers
Dallas Web Security Group
*Data provided by the Open Web Application Security Project 2/13/2013 21
22. How Common are Security
Vulnerabilities?
Dallas Web Security Group
2/13/2013 22
23. How Common are Security Vulnerabilities? …
The reality of Web Application Security is that while total number of
vulnerabilities are decreasing we are not out of the woods yet
Vulnerabilities are Decreasing
• Web Application Firewall
Adoption has improved to
mitigate 71% of vulnerabilities
• Remediation Rates are
increasing, fixed 38 days or
faster in 2011
• Reduced Window of Exposure,
from 233 days to 231 days
• Scope of scans increased to
include Energy and Non-Profit
Dallas, TX is Vulnerable
• Texas is the nations second
largest Cyberstate
• 456,500 High Tech Jobs
*Figure and statistics from June 2012 WhiteHat Security Statistics Report
Dallas Web Security Group
http://www.druva.com/blog/2012/08/15/security-breaches-are-on-the-rise-but-preventable/
2/13/2013 23
http://www.techamericafoundation.org/cyberstates2011-texas
24. How Common are Security Vulnerabilities? …
Despite the overall improvement of security vulnerabilities, the past year has
been rough with millions of accounts exposed to hackers from the biggest sites
A year in Security Breaches
Dallas Web Security Group
*Figure and statistics from Dashlane / Harris Interactive 2/13/2013 24
25. How Common are Security Vulnerabilities? …
Despite a reduction in the number of vulnerabilities discovered on average, the
possibility of a serious vulnerability remains high
Serious Vulnerabilities
• 55% of websites contain Cross Site Scripting Vulnerabilities
• Over half of websites expose sensitive data, useful to intruders
• More than 1/3 of websites allow for content spoofing (used in phishing or brand attacks)
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 25
26. How Common are Security Vulnerabilities? …
Breaking down the data by industry accredits widely held beliefs about some
industries but exposes others
Industries Compared
• Banking and Healthcare rank lower
• Education in the middle
• Retail and Insurance are the most exposed
• IT is number three?
A High Standard Deviation
• Companies typically get it and invest in it, or
they don’t
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 26
27. How Common are Security Vulnerabilities? …
The time of exposure is directly related to the developer and executive support
for information and application security
Window of Exposure
• Vulnerabilities can and will happen to every company
• Significantly reduced risk is possible with organizational focus
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 27
28. How Common are Security Vulnerabilities? …
The time to fix vulnerabilities may be inhibited by the complexity of an
organization but the true time to fix involves a sense of Risk Management
Average Time to Fix Vulnerabilities
• 50% of Organizations required 38 days or less to remediate their serious vulnerabilities
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 28
29. How Common are Security Vulnerabilities? …
Vulnerability remediation can take many forms and fixes performed at only one
level leave an opportunity for the issue to re-appear
Vulnerability Reopen Rates
The higher severity that a vulnerability
has, the higher the likelihood that the
vulnerability will reopen. Urgent: 23%,
Critical: 22%, High: 15%.
Dallas Web Security Group
*Figure and statistics from June 2012 WhiteHat Security Statistics Report 2/13/2013 29
30. A Look at Some Examples
(DEMO)
Dallas Web Security Group
2/13/2013 30
31. A Look at Some Examples …
Anyone can setup an exploit in a sandboxed environment, but these are real
vulnerabilities live and in the wild
A simple cross site scripting attack
Dallas Web Security Group
2/13/2013 31
32. What Can I Do?
Dallas Web Security Group
2/13/2013 32
33. What Can I do? …
Attend More Meetings…
What To Do Now
• Develop Secure Code using Industry Best Practices
• Review you Applications using an External Team
What Not To Do
• With the rate of attacks, don’t attract unwanted attention
– http://www.youtube.com/watch?feature=player_detailpage&v=5gPt8HYMO7Q#t=69s
Reference Materials
• The Open Web Application Security Project
– https://www.owasp.org/
Dallas Web Security Group
2/13/2013 33