Addressing Web Application Security: Handout

Texas A&M Tech Summit 2017

Gil Muñoz and Jeremy Tarpley

General concepts for securing your web application

  • Basics for writing secure code
      o Constrain variables. Examples: check variable length, allowed characters, and type (int, string, etc.).
      o Don’t trust data from anywhere. Validate / sanitize input AND encode (escape) output.
      o Require SSL everywhere (force redirects to https). * See HTTPS notes below.
      o Patch / update everything regularly.
      o Exercise least privilege. Example: the database user is unique to your app, has access only to the database and tables it needs, and has only the privileges it must have to function.
  • Follow development best practices. Examples:
      o Learn and follow programming and development best practices in general (e.g., use version control), and specifically know and follow best practices for your language, framework, and CMS.
      o Work with other developers for code review, and possibly even penetration testing, as part of your workflow.
      o Make and use a checklist to make sure you do everything you need to before pushing code to production.
  • Monitor. Learn how to check for vulnerabilities in your web applications, your server OS, etc. Set up automated monitoring and alerts, both for security and for server / application performance. Do you know what normal traffic looks like on your server in terms of memory, CPU, disk and network usage? Get a baseline, then set up alerts for odd behavior.
      o Use log monitoring software (ex: Logwatch).
      o Use a system that automatically blocks and alerts you to intrusion attempts at the server level (ex: Fail2ban, or other tools that work with the host firewall).
      o Start sending a copy of your logs off the server, where they can’t be manipulated as easily (syslog server, Splunk, LogRhythm, etc.).
      o Set up internal server monitoring.
      o Set up external monitoring (Monitis, Pingdom, New Relic, etc.).
  • Defense in depth: harden at every layer. Examples: Become an expert in your web server software (IIS, Apache, Nginx, Lighttpd, etc.) and learn best practices for its configuration and hardening. The same goes for the operating system on your web and db servers. What OS user is your application running as? Check the configuration of your OS firewall: only open the ports that need to be open for it to function. Find out how the network that hosts your servers is structured. Are your servers isolated from the rest of the network? How? On your db server, only allow your application server to connect on the db port. Do admin / login pages need to be accessible from off your network?

HTTPS Notes

  • Permanently redirect (HTTP 301) all non-SSL traffic to SSL.
  • Send an HSTS (Strict-Transport-Security) response header so browsers only ever connect to your host over HTTPS. HSTS is a header your server sends, not a certificate setting; browsers cache it for the max-age you send, so only enable it once every host it covers already works over HTTPS.
  • Disable obsolete protocol versions (SSL 2.0, SSL 3.0), weak ciphers (RC4) and TLS compression; configure the server to prefer its strongest cipher suites first (server-side cipher order).
  • Tool for checking certs and SSL config: SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest/)

Resources to learn more

PHP

Documentation on PHP filters and validation functions:
  • Validate filters
  • Sanitize filters
  • Filter flags
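The following is an added example, not from the handout or from the PHP documentation linked above. It puts the "constrain variables" and "validate input, escape output" points from the general concepts list together with the validate filters, sanitize filters and filter flags listed here, and stores the result with a prepared statement using a least-privilege database account. The form field names, the users table and the app_user account are assumptions for illustration.

```php
<?php
// Added example, not from the handout: constrain and validate request input
// with the filter extension, then escape on output. The form field names,
// the "users" table and the "app_user" database account are assumed.
declare(strict_types=1);

/**
 * Validate a profile form. Returns ['ok' => bool, 'data' => [...], 'errors' => [...]].
 * Each field is constrained on type, length and character set; anything that
 * fails is rejected, not "cleaned up" and passed along.
 */
function validate_profile(array $input): array
{
    $errors = [];
    $clean  = [];

    // Integer in a bounded range. With FILTER_NULL_ON_FAILURE a bad value
    // yields null, so a legitimate 0 is never confused with failure.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
    if ($age === null) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // Email: syntactic check only; it says nothing about whether the mailbox exists.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        $errors['email'] = 'invalid email address';
    } else {
        $clean['email'] = $email;
    }

    // Username: allow-list of characters plus a hard length limit. For a field
    // with a known shape an anchored regex is stricter than any sanitize filter.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/\A[a-z0-9_]{3,32}\z/', $username)) {
        $errors['username'] = 'username must be 3-32 lowercase letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }

    // Website (optional): FILTER_VALIDATE_URL accepts any scheme, so the
    // scheme is checked separately to keep out javascript: and data: URLs.
    $site = trim((string) ($input['website'] ?? ''));
    $clean['website'] = null;
    if ($site !== '') {
        $url = filter_var($site, FILTER_VALIDATE_URL);
        if ($url === false || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
            $errors['website'] = 'website must be an http or https URL';
        } else {
            $clean['website'] = $url;
        }
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

/**
 * Store validated data with a prepared statement, so the data never becomes
 * part of the SQL text. The checks above are defense in depth, not the only
 * barrier between the user and the database.
 */
function save_profile(PDO $db, array $data): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, age, website) VALUES (:username, :email, :age, :website)'
    );
    $stmt->execute([
        ':username' => $data['username'],
        ':email'    => $data['email'],
        ':age'      => $data['age'],
        ':website'  => $data['website'],
    ]);
}

/** Escape for an HTML body/attribute context; validated input is still untrusted on output. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission: two fields are deliberately bad.
$result = validate_profile([
    'username' => 'jtarpley',
    'email'    => 'j@example.com',
    'age'      => '42abc',               // not an integer: rejected
    'website'  => 'javascript:alert(1)', // wrong scheme: rejected
]);

if ($result['ok']) {
    // app_user should exist only for this application and have only the INSERT/SELECT
    // rights it needs on its own tables (the least-privilege point from the general concepts).
    $db = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', getenv('APP_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    save_profile($db, $result['data']);
} else {
    foreach ($result['errors'] as $field => $message) {
        echo '<p>' . h($field) . ': ' . h($message) . "</p>\n";
    }
}
```

Note the split between validation and sanitization: the validate filters reject bad data, while sanitize filters (FILTER_SANITIZE_*) silently strip characters. Rejecting is the safer default for fields with a known shape, and in no case does validation on the way in replace escaping on the way out.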
PHP Online tutorials and classes
  • One of the many tutorial articles available for using PHP validation functions: Tuts Plus: Sanitize and Validate Data with PHP Filters
  • Online class from Lynda.com: Creating Secure PHP Websites by Kevin Skoglund
  • Online class from Pluralsight: PHP Web Application Security by Christian Wenz

.NET

.NET Online tutorials and classes
  • Online class from Pluralsight: ASP.NET Security Secrets Revealed by Troy Hunt
  • Online class from Pluralsight: OWASP Top 10 Web Application Security Risks for ASP.NET by Troy Hunt

Learning defense

  • Web Security and the OWASP Top 10: The Big Picture by Troy Hunt
  • Play by Play: Website Security Review with Troy Hunt and Lars Klint by Lars Klint and Troy Hunt
  • Ethical Hacking: Hacking Web Applications by Troy Hunt
  • Ethical Hacking: Hacking Web Servers by Troy Hunt

Server configs for forcing redirect to https

Apache 2.4
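The handout's own Apache config did not survive; the following is an added example of an Apache 2.4 virtual host pair that permanently redirects HTTP to HTTPS and applies the HTTPS notes above (HSTS header, obsolete protocols and RC4 off, server cipher order, compression off). The hostname www.example.com and the certificate paths are placeholders. Dropping TLS 1.0/1.1 goes one step beyond the handout's list; keep them only if you have clients that need them. Requires mod_ssl, mod_alias and mod_headers.

```apache
# Port 80 serves nothing but the redirect (mod_alias Redirect; no mod_rewrite needed).
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key

    # No SSLv3 (SSLv2 is not built into current OpenSSL at all); TLS 1.2 only.
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    # No RC4, no NULL-auth, no MD5; the server, not the client, picks the suite.
    SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder     on
    SSLCompression          off

    # HSTS: the browser refuses plain HTTP for this host for one year.
    # Test with a short max-age (e.g. 300) first; browsers cache this value.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    DocumentRoot /var/www/html
</VirtualHost>
```

After a reload, check the redirect with `curl -I http://www.example.com/` (expect `301` and a `Location: https://...` header) and run the SSL Labs test against the site to confirm the protocol and cipher settings took effect.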

IIS

Nginx
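Added example, not from the handout: the equivalent Nginx server blocks. The port-80 block returns a 301 to the same host and path on https; the port-443 block applies the HTTPS notes above. Hostname and certificate paths are placeholders, and as with the Apache example, disabling TLS 1.0/1.1 goes one step beyond the handout's list.

```nginx
# Port 80: nothing is served here; every request is sent to https with a 301.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/www.example.com.crt;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;

    # No SSLv3 / TLS 1.0 / TLS 1.1; no RC4, NULL-auth or MD5 suites;
    # the server's cipher order wins. Nginx never enables TLS compression.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    # HSTS for one year. "always" also sends it on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;
    index index.html;
}
```

One Nginx-specific caveat: `add_header` directives are not merged across levels. If a `location` block has its own `add_header`, it replaces the ones inherited from the `server` block, so the HSTS header must be repeated in every location that sets any header of its own. Verify with `curl -I https://www.example.com/`.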

Web security testing tools

Important: a few reminders for responsible pen-testing

· Communicate! If you are going to start scanning one of your sites, let everyone know ahead of time!

    o Talk to the folks running your web & db servers, IT security, networking, your boss, etc.

    o Clearly communicate what you plan to test, why, how, and when you are going to test.

· Don’t scan others’ sites without their permission.

· Some tools generate a lot of traffic. If not properly configured, some scans can overwhelm a web server. Learn how a tool works locally on your own computer before using it on a production website. Test outside of business hours.

There are dozens of scanners for web application security out there. Sectools.org keeps a good list. Here are a few that were mentioned Friday:

Burp Suite

Powerful tool to scan for and perform attacks in web application security testing. This is what Chris demonstrated. (Also see Nexpose community edition; Nikto, a good open source option for scanning; and WPScan, a WordPress-specific vulnerability scanner.)

Nmap

One of my personal favorites. Nmap is a Swiss-Army knife for server and network discovery: anything from a quick scan to see which ports are open on your web server up to mapping an entire network.

Samurai

Samurai (the Samurai Web Testing Framework) is a Linux distribution with a bunch of testing tools already installed. (Also see Kali Linux.)

Resources for pen testing

YouTube - Just search YouTube for web application security, OWASP Top 10, etc. Here are a few videos that are a good place to start:

  • Computerphile: XSS, SQL injection intro, SQL injection demo
  • MIT OpenCourseWare: Securing Web Applications

Mutillidae

An open source, deliberately vulnerable web application. Run it locally or in a VM on your desktop or laptop (NEVER put it on a server connected to the internet). Use Mutillidae to learn how to identify different kinds of vulnerabilities and as a target website for learning pen-testing tools. (Also see bWAPP.)

Fuzz DB

FuzzDB is a maintained collection of attack patterns used against web applications. For example, it has a list of strings for testing for cross-site scripting (XSS) that you can paste into form fields on your site or web application to check for vulnerabilities, or use to demonstrate a vulnerability that a scanner such as Burp Suite finds.

OWASP Top 10

OWASP is a wealth of information. They maintain a Top 10 list of the most critical web application security risks, with descriptions, examples and guidance on how to protect against each one. Example: OWASP SQL injection info.

Lynda.com & PluralSight classes

Lynda and Pluralsight both have paid online courses. I think most, if not all, of us have access to Lynda. Pluralsight is like Lynda but with more technical classes.

· Lynda – Creating Secure PHP Websites. I highly recommend this course to every PHP programmer on campus.

· Pluralsight – Ethical Hacking: Hacking Web Applications

· Pluralsight – Web Security and the OWASP Top 10: The Big Picture

· Pluralsight – Web Application Penetration Testing with Burp Suite

Also mentioned –

Logwatch for monitoring logs. (By the way: export your logs to some sort of syslog server!)

References

OWASP Top 10

OWASP Web Application Security Testing Cheat Sheet

SANS Security Checklist for Web Application Design

Jeff Atwood (Coding Horror): Your Password is Too Damn Short

Improving Web Application Security: Threats and Countermeasures

Take Advantage of ASP.NET Built-In Features to Fend Off Web Attacks

How to: Protect from injection attacks in ASP.NET

ASP.NET Validators