Web Security: Vulnerability and Threats
Presented by Deepti Patole

This document discusses web security vulnerabilities and threats. It begins with an overview of securing web applications, networks, and servers. Common vulnerabilities are then explained like injection attacks and insecure cryptography. Next, the document describes how anyone using the internet could be vulnerable and outlines the vulnerability lifecycle process. It then covers different types of web threats and malware lifecycles. Specific examples of past web threats are provided before the document concludes with the importance of awareness around continuously evolving threats.
Copyright: Attribution Non-Commercial (BY-NC)

Web Application Security

Web application security covers:
- Securing the custom code that drives a web application
- Securing libraries
- Securing backend systems
- Securing web and application servers

Network security controls mostly ignore the contents of application-layer traffic such as HTTP, so flaws in the application itself are not caught at the network layer and must be addressed in the application.

Why do we need security?

- Protect vital information while still allowing access to those who need it
- Provide authentication and access control for resources
- Guarantee availability of resources

Vulnerability

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

Vulnerabilities that affect current systems

The ten most common web application vulnerabilities (this is the OWASP Top 10 list of 2010):

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
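As an added example of the first item, Injection (this code is not from the original slides): a login check built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table. The table, user names and passwords are made up for the demo. Passwords are stored in plaintext only to keep the example short; in real code that would be the Insecure Cryptographic Storage item from the same list, and a salted password hash would be stored instead.

```python
import sqlite3

# Constructed sample data (not from the slides): a minimal users table.
# Plaintext passwords are used only to keep the demo short.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authentication built by string concatenation (the vulnerable form).

    Untrusted input becomes part of the SQL text, so an attacker can change
    the meaning of the statement instead of just supplying a value.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with bound parameters: input is always data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


def demo() -> dict:
    """Run a legitimate login and an injection attempt through both versions."""
    conn = make_db()
    # "alice' --" closes the quoted username and comments out the password
    # check, so the vulnerable query becomes
    #   SELECT COUNT(*) FROM users WHERE username = 'alice' --' AND password = '...'
    attacker_username = "alice' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, attacker_username, "wrong"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "bypass_parameterized": login_parameterized(conn, attacker_username, "wrong"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'logged in' if ok else 'rejected'}")
```

With bound parameters the same payload is looked up literally as the user name `alice' --`, which does not exist, so the login is rejected; the fix is the same for any database driver that supports placeholders.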

Who is vulnerable?

- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

Vulnerability Lifecycle

Bug: The bug is the precursor to a vulnerability.

Vulnerability: If the bug can be reproduced reliably with a security-relevant effect (e.g. bypassing authentication, causing a stack overflow or other memory corruption, or allowing access to restricted content), it is classified as a security vulnerability.

Proof-of-concept: A realization of a method or idea that demonstrates its feasibility, i.e. a demonstration that the vulnerability can actually be triggered.

Exploit: An exploit is code that takes advantage of a software vulnerability or security hole. Once exploit code is generally available, the threat escalates.

Malware and tool integration: Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term covering both viruses and Trojans, which are replicating and non-replicating malicious code respectively. Rapid integration of the exploit into malware or into security assessment and penetration-testing tools brings the threat to its maximum potential.

Since vulnerabilities are almost always associated with a particular software flaw, they are usually remediated via a software patch (or update).

Phases of the vulnerability lifecycle: Disclosed, Existing, Fixed, Eradicated.

Web Threat

A web threat is any threat that uses the internet to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which use HTTP or HTTPS, and which may also employ other protocols and components such as links in email, malware attachments, or servers that access the Web.

They benefit cybercriminals by stealing information for subsequent sale and by absorbing infected PCs into botnets.

Threat classification: STRIDE

Spoofing of user identity
An attempt by an unauthorized entity to gain access to a system by posing as an authorized user.

Tampering
Deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.

Repudiation
A threat action whereby an entity deceives another by falsely denying responsibility for an act.

Information disclosure
A privacy breach or data leak: information reaches a party not entitled to it.

Denial of Service (DoS)
Making the system unavailable to legitimate users, e.g. killing user threads, filling up disk or memory.

Elevation of privilege
A lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications.

DREAD

DREAD is a classification scheme used by Microsoft for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat:

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Each factor is rated from 0 to 10, so the calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.

Damage potential: If a threat exploit occurs, how much damage will be caused?
0 = Nothing
5 = Individual user data is compromised or affected
10 = Complete system or data destruction

Reproducibility: How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application
5 = One or two steps required; may need to be an authorized user
10 = Just a web browser and the address bar is sufficient, without authentication

Exploitability: What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with advanced attack tools
5 = Malware exists on the Internet, or an exploit is easily performed using available tools
10 = Just a web browser

Affected users: How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users

Discoverability: How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access
5 = Can figure it out by guessing or by monitoring network traces
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine
10 = The information is visible in the web browser address bar or in a form
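An added example that applies the DREAD formula above; this is not code from the original slides. It validates that every factor is on the 0-10 scale, computes Risk_DREAD, and ranks a list of threats so the highest score is handled first. The two sample threats and their ratings are constructed for illustration (rated against the scales listed above), and the High/Medium/Low bands are an assumption: the slides give no thresholds.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The five DREAD factors, in the order of the slide's formula.
DREAD_FACTORS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def scores(self) -> Tuple[int, ...]:
        return tuple(getattr(self, factor) for factor in DREAD_FACTORS)


def dread_risk(threat: Threat) -> float:
    """Risk_DREAD = (D + R + E + A + D) / 5.

    Each factor must be rated 0..10; a value outside that range is a
    data-entry error, not a higher or lower risk, so it is rejected.
    """
    for factor, value in zip(DREAD_FACTORS, threat.scores()):
        if not 0 <= value <= 10:
            raise ValueError(f"{threat.name}: {factor}={value} is outside 0..10")
    return sum(threat.scores()) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Assumed triage bands (not from the slides): >=7 High, >=4 Medium, else Low."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats: Iterable[Threat]) -> List[Tuple[str, float, str]]:
    """Return (name, score, band) triples, most serious first."""
    scored = [(t.name, dread_risk(t), risk_band(dread_risk(t))) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats (illustrative ratings only).
SAMPLE_THREATS = [
    # Unvalidated input reaches a query: anyone with a browser can trigger it,
    # public write-ups exist, and every user's data is exposed.
    Threat("SQL injection via unvalidated input",
           damage=10, reproducibility=10, exploitability=5,
           affected_users=10, discoverability=9),
    # A message left in the browser cache on a shared computer: needs physical
    # access to that machine and exposes one user's data.
    Threat("Message readable from browser cache on shared computer",
           damage=5, reproducibility=5, exploitability=10,
           affected_users=5, discoverability=5),
]


if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6}  {name}")
```

Because the formula is a plain average, a threat that scores 10 on discoverability and reproducibility but 0 on damage still lands in the middle of the scale; when triaging, it is worth looking at the individual factors as well as the total.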

Threat Graph

Root threat: Attacker may be able to read other users' information.

Conditions that lead to the threat, with the mitigation for each:
- User may not have logged off on a shared computer
- Data validation may fail, allowing SQL injection -> Implement data validation
- Authorization may fail, allowing unauthorized access -> Implement authorization checks
- Browser cache may contain contents of message -> Implement anti-caching HTTP headers

If risk is high, use SSL.
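The three application-level mitigations in the graph (data validation, authorization checks, anti-caching HTTP headers) combined in one request handler, as an added example that is not from the original slides. It models a GET /messages/<id> handler over a constructed in-memory message store; the store, the user names and the policy of answering both "missing" and "not yours" with 404 are assumptions. The SSL/TLS mitigation is a deployment setting and is not shown.

```python
import re
from http import HTTPStatus
from typing import Dict, Optional, Tuple

# Constructed message store (not from the slides): message id -> (owner, body).
MESSAGES: Dict[int, Tuple[str, str]] = {
    101: ("alice", "Alice's private note"),
    102: ("bob", "Bob's private note"),
}

# Anti-caching headers: tell the browser (and intermediaries) not to keep a
# copy of the response, so a later user of a shared computer cannot read it
# back from the cache.
ANTI_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Data validation: a message id is a positive integer of sane length, nothing else.
MESSAGE_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def parse_message_id(raw: str) -> Optional[int]:
    """Return the id as an int, or None if the input is not a well-formed id."""
    if MESSAGE_ID_RE.fullmatch(raw) is None:
        return None
    return int(raw)


def get_message(current_user: str, raw_id: str) -> Tuple[HTTPStatus, Dict[str, str], str]:
    """Handle GET /messages/<raw_id> for an already-authenticated user.

    Returns (status, headers, body). Every response carries the anti-caching
    headers, including error responses.
    """
    headers = dict(ANTI_CACHE_HEADERS)

    msg_id = parse_message_id(raw_id)
    if msg_id is None:
        # Rejected before it reaches any query or lookup.
        return HTTPStatus.BAD_REQUEST, headers, ""

    record = MESSAGES.get(msg_id)
    # Authorization check: a valid id is not enough, the requester must own
    # the message. Missing and not-owned both return 404 so an attacker cannot
    # tell which ids exist (assumed policy).
    if record is None or record[0] != current_user:
        return HTTPStatus.NOT_FOUND, headers, ""

    return HTTPStatus.OK, headers, record[1]


if __name__ == "__main__":
    for user, raw in [("alice", "101"), ("alice", "102"), ("alice", "102 OR 1=1")]:
        status, _, body = get_message(user, raw)
        print(f"{user} GET /messages/{raw!r} -> {int(status)} {body!r}")
```

The ownership comparison is the part most often missing in real code: the application trusts that a user who can name an id is allowed to read it, which is the Insecure Direct Object References item in the list above.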

Malware Threat Lifecycle

Worms, the most insidious form of malware, are self-propagating and network-centric, and typically evolve through four sequential phases, as shown in the graph on the slide (not reproduced in this text).

Examples of web threats

In September 2008, malicious hackers broke into several sections of BusinessWeek.com to redirect visitors to malware-hosting websites. Hundreds of pages were compromised with malicious JavaScript pointing to third-party servers.

In August 2008, popular social networking sites were hit by a worm that used social engineering to get users to install a piece of malware. The worm posted comments on the sites with links to a fake site. Users who followed the link were told they needed to update their Flash Player; the installer then installed malware rather than Flash Player, and the malware in turn downloaded a rogue anti-spyware application, AntiSpy Spider.

Conclusion

Organizations need to be aware that old threats never actually retire from the digital landscape. Rather, they tend to become background noise on the Internet, ready to burst into life with each new software update, host recovery, device deployment or embedded system release. At the same time, developers and users must be educated about security in the face of continuously emerging threats.

References

- William Stallings, Cryptography and Network Security: Principles and Practices, Pearson Education
- http://www.technicalinfo.net/papers/OldThreats.html
- https://www.owasp.org/index.php/Threat_Risk_Modeling
- https://www.owasp.org/index.php/Category:Attack
- http://msdn.microsoft.com/en-us/library/ff648644.aspx
- http://www.m86security.com/labs/glossary.asp

Thank you