The document discusses detecting and defending against security vulnerabilities in Web 2.0 applications. It begins by outlining the top security issues in Web 1.0 vs Web 2.0 applications. Examples of vulnerabilities in Web 2.0 like cross-site scripting and JSON poisoning are provided. Strategies for detection include using security tools and custom security testing. Defense techniques include secure coding practices and security testing. The document emphasizes learning about security vulnerabilities and limitations of detection and defense.
1. Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications
Ray Lai, Intuit
TS-5358
2. Share experience on how to detect and defend against security vulnerabilities in Web 2.0 applications using open source security tools
2008 JavaOneSM Conference | java.sun.com/javaone | 2
4. Which is Easier to Hack?
Google finds 2M suspicious sites
Web 1.0 App, top 3 security vulnerabilities:
• Unvalidated input parameters
• Broken access control
• Broken authentication and session management
Web 2.0 App, top 3 security vulnerabilities:
• Cross-site scripting
• Injection flaw
• Malicious file execution
Note: Single loss expectancy: $690 per incident; average annual loss: $350,424 (CSI 2007)
5. What’s New About Web 2.0 Security?
OWASP 2007 Top 10 | rating | Web 2.0 examples
• Cross-site scripting | +++ | Flash: cross-site flashing
• Injection flaws | ++++ | AJAX, mash-up
• Malicious file execution | +++ |
• Insecure direct object reference | + | JavaScript™ Object Notation (JSON)
• Cross-site request forgery | +++ | Flash
• Information leakage / improper error handling | +++++ | AJAX, JSON
• Broken authentication and session management | ++++ | Cross-domain, mash-up
• Insecure cryptographic storage | + |
• Insecure communications | ++ |
• Failure to restrict URL access | ++ |
http://www.owasp.org/index.php/Top_10_2007
6. Use Case Scenario
Use Open Source / commercial security tools to examine
WebGoat (and Roller) from SecuriBench
http://suif.stanford.edu/~livshits/securibench/intro.html
7. Example #1: Post-Me
Scenarios: newsgroup, forum, blogs, etc.
Characteristics:
• Plain data input screen
• No sensitive personal data
• High usage, high traffic
Question: How can I re-direct readers to my malicious website?
8. Example #1: What’s the Issue?
Cross-site Request Forgery
What happens: Hackers post a message with the malicious URL or parameters:
<IMG SRC="attack?screen=7&menu=410&transferFunds=4000" width="1" height="1" />
Result: when reading the posting, newsgroup readers will invoke a malicious URL without noticing the tiny “1x1 image” (cross-site request forgery)!
9. Example #2: Online Travel
Scenarios: online travel service, mash-up
Characteristics:
• AJAX with JSON
• Financial transactions
• Mash-up, possibly
Question: Can I change the price?
10. Example #2: What’s the Issue?
JSON Poisoning
What happens: Hackers intercept the JSON, tamper with it, and post it.
{ "From": "Boston", "To": "Seattle",
  "flights": [ {"stops": "0", "transit": "N/A", "price": "$0"},
               {"stops": "2", "transit": "Newark,Chicago", "price": "$900"} ] }
Result: hackers pay $0
11. Example #3: Change Password
Scenarios: online services, mash-up
Characteristics:
• SOAP-based Web services
• Perhaps mash-up
• HTTP or HTTPS, depends
Question: Can I change somebody’s password?
12. Example #3: What’s the Issue?
SOAP Injection
What happens: Hackers try changing the password, intercept the SOAP message, tamper with it, and post it.
<?xml version='1.0' encoding='UTF-8'?> …
<wsns0:Body>
  <wsns1:changePassword>
    <id xsi:type='xsd:int'>101</id>
    <password xsi:type='xsd:string'>bar</password>
  </wsns1:changePassword>
</wsns0:Body>
</wsns0:Envelope>
Result: hackers change someone’s password for future access
13. What About Flex Application…
Cross-site Flashing
You can detect XSF using SwfIntruder
14. What About…
Phishing attack
Ad malware
Botnet
ActiveX controls
Serialization security, e.g. DOJO, JQUERY
16. Strategy #1: Security Development Lifecycle
Remark: Show demo or examples of these artifacts
17. Defensive Coding: Examples
Scenario | Sample actions
Cross-site request forgery:
• Filter specific tags (e.g. <IMG>)
• Prompt user with security token for important actions or high value transactions
• Shorter time period for user sessions
JSON poisoning:
• Client-side and server-side input validation
• JavaScript output encoding
• Obfuscate JavaScript
SOAP injection:
• Use of nonce
• WS-Security best practices
• Turn off WSDL
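Two of the sample actions above, written out as an added example (not code from the talk or from WebGoat/Roller): the server reprices the slide’s flight JSON from its own fare table so a client-supplied "price": "$0" is simply ignored, and a per-session token is minted and checked for high-value actions. SERVER_FARES and the session ids are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed, authoritative fare table held only on the server:
# (origin, destination, number of stops) -> price in dollars.
SERVER_FARES = {
    ("Boston", "Seattle", 0): 650,
    ("Boston", "Seattle", 2): 900,
}


def reprice_itinerary(raw_json: str) -> dict:
    """Parse the itinerary JSON posted by the browser and rebuild every price.

    The client's "price" fields are discarded, so tampering with them has no
    effect on what is charged.  Structurally unexpected input raises ValueError.
    """
    data = json.loads(raw_json)
    origin, dest, flights = data["From"], data["To"], data["flights"]
    if not isinstance(flights, list) or not 1 <= len(flights) <= 10:
        raise ValueError("unexpected flight list")
    priced = []
    for flight in flights:
        stops = int(flight["stops"])          # non-numeric "stops" raises here
        key = (origin, dest, stops)
        if key not in SERVER_FARES:
            raise ValueError(f"no server-side fare for {key}")
        priced.append({"stops": stops, "price": SERVER_FARES[key]})
    return {"From": origin, "To": dest, "flights": priced,
            "total": sum(p["price"] for p in priced)}


def issue_token(session_id: str, secret: bytes) -> str:
    """Per-session token the server embeds in the form for a high-value action."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(session_id: str, secret: bytes, presented: str) -> bool:
    """Constant-time check that the submitted token belongs to this session.

    A request that lacks the token (such as one triggered by a 1x1 image
    on a forum post) fails the check and must not perform the action.
    """
    return hmac.compare_digest(issue_token(session_id, secret), presented or "")
```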
18. Strategy #2: Custom Security Test
Category | Public / Open Source | Commercial
• Discovery tools | NMAP | Nessus
• Web server vulnerabilities | Nikto |
• Code quality* | OWASP, FindBugs | Fortify, Klockwork
• Application vulnerabilities | Paros | AppScan, Hailstorm
• Penetration testing | WebScarab, Paros, SwfIntruder |
Hybrid security testing = white box* + black box testing
Remark: Show demo of running different security testing tools on Roller
21. Lesson 2: What You Can and Can’t Do
Obvious, e.g.
• Information leakage
• Port scan
• OS fingerprinting
• Web server vulnerabilities scanner
Difficult ones, e.g.
• Cross-site Scripting
• Cross-site Request Forgery
• Denial of Service
Hard ones, e.g.
• New Web 2.0 vulnerabilities
22. Lesson 3: Summary
Don’t practice penetration testing tools on production systems!
“Trust no one”
Do we know what to detect, or what to test?
Different security testing tools provide different findings
23. For More Information
Concepts
• OWASP top 10 vulnerabilities
http://www.owasp.org/index.php/Category:Vulnerability
• Cannings, Dwivedi and Lackey. Hacking Exposed Web 2.0. McGraw-Hill, 2008
• Andrew Andreu. Professional Pen Testing for Web Applications
• Shyamsuda and Gould. You Are Hacked. JavaOneSM Conference 2007
http://developers.sun.com/learning/javaoneonline/2007/pdf/TS-6014.pdf
Security Incident Updates
• Top 10 Web 2.0 attack vectors
http://www.net-security.org/article.php?id=949
• http://www.us-cert.gov/current/current_activity.html
• CERN http://security.web.cern.ch/security/
Also RSA, Microsoft, Symantec major security vendor websites
24. For More Information (cont’d)
Tutorial
• http://www.irongeek.com/i.php?page=security/hackingillustrated
Tools
• http://sectools.org/
• http://www.cotse.com/tools/
• http://www.securityhaven.com/tools.html
• http://framework.metasploit.com/
• http://www.paneuropa.co.uk/penetration_testing.htm
• http://www.owasp.org/index.php/Category:OWASP_Download