Softpanorama

Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)

WEB Application Security

News Recommended Links Cross Site Scripting CGI and CGI Security Helping webmasters with hacked sites
Browser Security   Chrome Security Humor Etc

There are specific coding practices that needs to be explicitly avoided in order to avoid compromises. For Perl this is mainly connected with the CGI security. The top issues probably include:

For Java this is connected with both applet and server side security.

We tried to evaluate the security of older version of World Account application and hired Sun professional services a year or two ago. They did not do a good job, but still it was better then nothing and I learned a lot. I still have some materials from then and can send them to you if you wish.

 


Sun Microsystems - SunFlash News Report The Top Ten Most Critical Web Application Security Vulnerabilities

From the Open Web Application Security Project

The Open Web Application Security Project (OWASP) has chosen the top ten most critical Web application security vulnerabilities. Unvalidated parameters, broken access control, and broken account and session management were the top three on the list of selections chosen by the open source community project.

The top ten selections by OWASP are:

S5 Hacking and Securing Web-Based Applications NEW
David Rhoades, Maven Security Consulting

USENIX - LISA '02 - TUTORIALS

S5 S5 Hacking and Securing Web-Based Applications NEW
David Rhoades, Maven Security Consulting

Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Although numerous commercial and freeware tools assist in locating network-level security vulnerabilities, these tools are incapable of locating application-level issues. This course will demonstrate how to identify security weaknesses for Web-enabled services that could be exploited by remote users.

With numerous real-world examples, this informative and entertaining course is based on fact and experience, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce, online banking, shopping, subscription-based services, and any Web-enabled application.

Topics include:

 

Assessing Internet Security Risk, Part Five: Custom Web Applications Continued
by Charl van der Walt
last updated October 8, 2002
 

This article is the fifth and final in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. The fourth installment discussed a relatively unexplored aspect of Internet security, custom Web applications. This article will conclude the discussion of security risks of Web applications.

Risk Categories

A detailed discussion of all the possible vulnerabilities associated with custom Web applications would be somewhat beyond the scope of this paper. What I've done instead is to list and describe all the categories. I'll then single out some specific instances and describe them in more detail as examples.

Here then a list of mistakes that are commonly made, even by experienced programmers. Having answered all the other questions from the previous list, we will carefully search for the following common vulnerability categories:

1. Server Application Vulnerabilities:

As with any network service, Web servers are applications that are often exploitable via the known vulnerabilities we discussed in the "Vulnerability Scanning" section in the third installment in this series. Specialized "CGI" scanners like Whisker, Nikto and the appropriately named CGI-Scanner are especially designed to find vulnerabilities in Web servers. We've discussed this concept at length already, so I won't spend much time on it again.

2. Sample Scripts:

Many Web servers and Web development platforms ship with sample applications built in to serve as examples of what can be achieved. These applications are designed to serve as examples only and have not been built with security in mind. Indeed, sample scripts are often blatantly insecure. Once again, most of these scripts are commonly known and can quickly be identified with a CGI scanner.

3. Hidden directories:

Directories that are accessible to the Web server but are considered "hidden" because there are no references or HTTP links to them. Once more, scanners like Nikto and Whisker make short work of discovering such directories through brute force.

4. Administrative Back-ends:

Complex Web sites are often developed by specialists at a high price. To facilitate cost-effective management and updates of such sites the developers often provide an administrative back-end through which the site owner can easily add or modify content without having to understand the HTML and other underlying technologies. Discovering such a back-end (again via brute force) presents an easy vector for Web site defacement and other attacks.

5. Directory Traversal:

A directory traversal attack involves stepping through multiple levels of the file system structure using "..\". This feature is often used by attackers to trick an application into accessing a part of the file system it was never meant to.

6. Input sanitation:

These wise words from my colleague Haroon Meer sum up the problem with input sanitation: "People have been screaming about poor (non) validation of user input for as long as I can remember, so I don't even think that any of the normal excuses apply anymore. By now developers should simply have learned that all user input should be inherently distrusted and therefore sanitized. Unfortunately, most of the sites you come across seem to ignore sanitization of user input completely or do it selectively (often forgetting hidden fields)."

A common mistake in developing Web applications is to make assumptions about the inputs that user will provide, whether it is done manually or via some automated process. Manual inputs include the data entered by users into fields and forms. Automated inputs are submitted without the user being directly involved and include things like cookies, URLs and hidden HTTP fields. Nothing that is provided by the user should ever be trusted and an application that does so is opening itself up to abuse. Possibly the most significant category of attack that stems from inappropriate input sanitation is SQL Injection.

7. State Tracking:

An enormous problem facing any Web application developer is the question of how to keep track of a single user as he or she makes their way through the various areas of the Web site. This is difficult for many reasons. The primary obstacle is the fact that each page of an HTML application and each object on an HTML page is fetched using a new HTTP session. Unlike "stateful" applications like Telnet or FTP, HTTP is stateless and there is no standard way for the application to keep track of a user who has logged in. Mechanisms used for this include cookies, session keys and hidden fields. Mistakes made in the way state is tracked can allow an attacker to "highjack" a session and gain access to applications and data without being properly authenticated.

8. Cross-Site Scripting:

Cross-site scripting (also called XSS) is somewhat different to the other attacks discussed thus far. Rather than attack the server or the application XSS attacks are aimed at the end-user's browser. XSS is not a problem of input sanitation, but rather a problem of output sanitation. It is typically used against sites that redisplay values that are input by the user. If the information presented by the user is not properly sanitized before it is displayed then an attacker may be able to use HTML tags to influence the way it is displayed by the site. This becomes particularly dangerous when the attacker inserts the <SCRIPT> tag, thereby forcing other users' browsers to execute the code the attacker specifies. An easy way to test for this is to insert HTML like this:

<SCRIPT>alert('Vulnerable!')</SCRIPT>

If the Web site does not clean this up before displaying it will cause a pop-up message to be displayed by the visitor's browser. Obviously an attacker could do much worse than cause pop-ops, particularly when the site is trusted by other users.

Web Security Assessment Tools

Having looked at a number of different threat categories at a very high level,

Allright, so if you've decided to assess the security of your Web applications and you just can't bear the thought of paying someone like me to do it, what do you need in your tool box? Here's a good start:

  • Whitehat Arsenal To the best of my knowledge the WhiteHat Arsenal is the first (and, to date, only) comprehensive Web application security scanning tool. The tool was written by Jeremiah Grossman and is commercially available from the address given above. All of the other tools I'll be discussing are available under some form of freeware arrangement.
  • @Stake Web Proxy The @Stake proxy is an amazingly tight and powerful tool that allows you to intercept and manipulate the data that your browser would normally send to a server. Thus one can play around with fields, URLs, cookies and the like through a handy graphical interface. This tool is by far the slickest offering of its kind and serves to suggest that @stake may well have been well ahead of the rest us in this particular game. The @stake proxy is a must.
  • Spike v2.6 The Spike proxy is written by Dave Aitel and is really two programs combined into one. The Spike proxy does very much the same thing as the @stake proxy, though with perhaps a little less finesse. The second component is what's known as a protocol "Fuzzer", which is essentially used to brute-force applications over the network in search of possible overflow conditions. This element of the tool is relatively new and exciting, but is a little beyond the scope of this paper.
  • HTTrack HTTrack is what's known as a Web site "whacker". It basically performs a mirror of the selected site to your local drive, mimicking the site's structure and recreating each file. A local mirror allows one to examine and analyze the site at his or her leisure. We use a mirror, amongst other things, to search for active content, to search for links to other sites, and as an input to the Mieliekoek SQL Injection scanner. HTTrack is both smart and robust and has to be one of the best of this generation of tools.
  • Mieliekoek v2 Mielielkoek can probably best be described as an SQL Injection brute-forcer. You have to have a locally mirrored copy of the site, as provided by HTTrack. Point Mieliekoek at the mirror and it will identify every field in every form. For each field identified, Mieliekoek will then attempt to inject the character you specify (typically ') and measure the server's response. The correct kind of SQL error indicates that the site may be vulnerable to attack. Mieliekoek will allow you to browse through the findings and also to experiment with different inputs to measure their impact on the site.
  • WebSleuth Call WebSleuth the hacker's browser. It's essentially a standard Web browser that affords you a higher level of interaction and control over the site you're browsing. Available functions include the ability to disable scripts, to view hidden fields and to edit data before it is submitted to the site. WebSleuth supports the use of independently written plugins and has gained the support of various respected security practitioners in this way.
  • Nessus: Nessus is the excellent open source network security scanner written by Renaud Derraison. Although this not a Web-specific tool it does include a number of scripts that search for issues like cross-site scripting. Nessus was discussed in more detail in the previous section.
  • Nikto Nikto, like Whisker, Arirang and others, is probably best described as a CGI-scanner. As discussed in earlier sections, the CGI scanner is a specialized vulnerability scanner that has been optimized to find known problems with Web server vulnerabilities. Apart from the usual stuff, CGI scanners can also be used to track down false positives and the like.

Conclusion

This concludes our basic overview of Internet security risk assessments. Certainly, this procedure is a valuable process for anyone who is charged with maintaining the security of a network that is connected to the Internet. While this series should not be taken as a comprehensive, in-depth guide to assessing Internet security risks, we hope that it has given readers an idea of what needs to be taken into account when conducting assessment of the security risks that their Internet-connected network may face.


 

Relevant Links

Assessing Internet Security Risk, Part One
Charl Van der Walt, SecurityFocus

Assessing Internet Security Risk, Part Two
Charl Van der Walt, SecurityFocus

Assessing Internet Security Risk, Part Three
Charl Van der Walt, SecurityFocus

Assessing Internet Security Risk, Part Four
Charl Van der Walt, SecurityFocus


Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

 

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: September 12, 2017