COMPUTERINFORMATIONTECHNOLOGYATNKU.ppt

Attack Surface of Web ApplicationsJames WaldenNorthern Kentucky Universitywaldenj@ Why Do Hackers Target Web Apps? Attack Surface A system’s attack surface consists of all of the ways an adversary can enter the system. Defender’s View of Attack Surface History of Web Security Firewalls don’t protect Web Apps SSL won’t stop injection attacks, XSS Revised View of Attack Surface Intranet Security Assumptions Since the firewall protects you Patches don’t have to be up to date. Passwords don’t have to be strong. There’s no need to be careful when you code. There’s no need to audit your source code. There’s no need to run penetration tests. But do your users have web browsers? Javascript Malware controls Clients Sources of Javascript Malware Evil web site owner inserts in page. Attacker inserts malware into defaced page. Attacker inserts malware into a public comment or forum post (stored XSS.)? Attacker creates link that causes web site to echo malware to user (reflected XSS.)? Re-revised View of Attack Surface Web Applications Web Application Vulnerabilities Input-based Security Problems Injection Flaws Insecure Remote File Inclusion Unvalidated Input Authentication and Authorization Authentication Access Control Cross-Site Attacks Other Bugs Error Handling and Information Leakage Insecure Storage Insecure Communications SQL Injection App sends form to user. Attacker submits form with SQL exploit data. Application builds string with exploit data. Application sends SQL query to DB. DB executes query, including exploit, sends data back to application. Application returns data to user. Cross-Site Scripting Application Feature Vulnerability Map Database interaction Displays user-supplied data Error messages File upload/download Login SQL injection. Cross-site scripting. Information leakage. Path traversal. Authentication, session management, access control flaws. Web Application Attack Surface Traditional Web Applications AJAX Asynchronous Javascript and XML User inte