08 Security for Web Applications Flashcards
Web Security: Motivation
Insecure software is undermining our financial, healthcare, defense, energy and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially.
Application Security: Technical Challenges
No dedicated security experts
- Software developers are in most cases not security experts
- Just one mistake or omission can result in a vulnerability
- Even the best-trained can focus on only a few issues at a time
Application Security: Aggressive Adversaries
Rising number of Adversaries
- cybercriminals
- hacktivists
- state-sponsored hackers
Immense Consequences
- data breaches
- customer data
- stealing intellectual property
Application Security: Organizational Factors
Wrong priorities: Bad incentives, staffing and tooling
- quick delivery vs eliminating security flaws
- a handful of security experts for dozens of development teams
- without experts often no security testing, just bug tracking
Application security management as an ad-hoc approach
- no visibility into the state of application security across the enterprise
- no mechanism to set enterprise-wide priorities or to align security activities with business risks
- impossible to measure overall progress toward application security goals
Top 10 Web Application Security Risks
- Injection
- Broken Authentication and Session Management
- Cross-Site-Scripting (XSS)
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Injection
- SQL, OS, LDAP, network protocols etc.
- untrusted data sent to an interpreter as part of a command or query
- the attacker's hostile data tricks the interpreter into executing unintended commands or accessing data without proper authorization
Prevention:
- Proper input validation
- safe API
- contextually escape user data
Broken Auth and Session Management
Application functions related to auth and session mgmt are often not implemented correctly
The attacker compromises passwords, keys or session tokens, or exploits other implementation flaws, to assume other users' identities
Prevention:
- All account management functions should require re-authentication prior to change
- Password Strength, Storage, Use, Change Controls
- Protecting credentials in transit
- Session ID Protection
- Only authorized users are able to authenticate
- Unique sessions (no guessing or sharing)
- Session timer (becomes invalid)
Security Misconfiguration
- secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform
- secure settings should be defined, implemented and maintained
- keeping software up to date
- disable unnecessary features
- default accounts?
- overly informative error messages for users?
- security settings set correctly?
Prevention:
- Automated, secure setup process for new environments
- Process to deploy updates and patches in a timely manner
- documented and transparent application architecture that provides effective, secure separation between components
- Running scans and doing audits periodically
Cross-Site Scripting (XSS)
The application takes untrusted data and sends it to a web browser without proper validation or escaping
XSS allows attackers to execute scripts in the victim's browser, which can hijack sessions, deface web sites or redirect the user to malicious sites
Cross-Site Scripting: Classes
- Stored / Persistent XSS Attacks
- Reflected / Non-Persistent XSS Attacks
- DOM Based / Local XSS Attacks
Stored / Persistent XSS
Bug in web application - attacker injects malicious code
Database and HTML contain the malicious code; the server response to the victim contains the malicious code