Author Archives: Jason Lam

Adoption of X-FRAME-OPTIONS header

2
Posted by Jason Lam on October 15, 2009 – 1:42 am
Filed under Clickjacking, defense

Late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solution is the X-FRAME-OPTIONS header that allow a site to control whether its content can be within a frame. There are two settings to this header, DENY blocks the content from being in a frame and SAMEORIGIN only allows the content to be framed by pages within the same origin. While it is not the end all and be all of clickjacking solution and won’t work in some sites that extensively use frames across multiple sites, it is considered as a more reasonable approach for sites to protect their own content.

Johannes Ullrich and I got a little curious about the adoption of X-FRAME-OPTIONS header in the major sites. We went and got the list of top sites according to Alexa and see if the top sites actually use X-FRAME-OPTIONS header. We expected the results to be low, but when we looked at the results from visiting all these sites, we were a slight bit surprised. Of the TOP 10,000 sites from the Alexa’s list, only 4 sites have the header specified. That number obviously is very low.

Not having the X-FRAME-OPTIONS header does not mean these site are not protected from clickjacking, maybe they are using some type of Javascript framebusting, we haven’t looked at how many have framebusting deployed yet. It is widely believe that the Javascript only defense is not as good as the attacker could disable Javascript in the frame by setting SECURITY=RESTRICTED on the IFrame to disable the Javascript defense.

As a side note, I am doing my personal part on promoting the X-FRAME-OPTION. In the next major update of my SANS DEV422 course (soon to be 522), there will be emphasis on various defenses against Clickjacking that a site owner can leverage.

Results from Webhoneypot project

1
Posted by Jason Lam on September 18, 2009 – 10:32 pm
Filed under honeypot

The SANS ISC Webhoneypot project was started over a year ago and the client had been in public beta since June. We have been collecting data from honeypots since January. The goal of the project is to collect quantitative data about the prevalence of large scale automated attacks.

We are now ready to share some collected data with the community. Our intention is to share the data and findings with the community in the same manner as the original DShield project.

The high level stats of the Webhoneypot can be found at
http://isc.sans.org/weblogs/

Various reports can be found at
http://isc.sans.org/weblogs/reports.html

A limited search interface can be found at
http://isc.sans.org/weblogs/filter.html

These report pages and especially the search interface is in beta currently. We intend to refine these as the project matures. We appreciate any feedback on these reports and search capabilities.

Feel free to analyze the data as you wish, if you spot anything interesting, please write to us. Thanks and happy log reading.

Argument for Database encryption in web apps

5
Posted by Jason Lam on June 25, 2009 – 12:34 pm
Filed under Database, defense, encryption

I regularly get consulted on various web application security issues and defensive strategies. One of the recent “frequently asked questions” is around database encryption of web application. My answers to these kind of questions usually lead to awkward looking faces. I always start off asking more questions about the requirements, “Who are you trying to protect the data from?” and “What data are you trying to protect?”  The  answers to those questions are usually good indicator whether the person is on the right path or not.

In most cases, database encryption does not prevent the hacker from accessing the backend database via an application compromisse. The reasoning is very simple. If the web application needs to be able to access the data for normal operation and hackers are able to compromise the application, the hackers can essentially access the same data by controlling the applicaton (attacker owns the application). Encryption does not prevent a hacker to access the backend database if the hacker can control the application.

Some may argue that if the database encryption is per user based, then one user’s compromise does not lead to compromise of another user’s data. That is very valid but that usually requires authentication of the user to some backend pieces (or the database itself). Maybe authentication alone is sufficient for the security requirement? The database can provide access control based on user’s identity so one user’s compromise does not lead to access to other user’s data.

You might think I am an anti-encryption person. The fact is – I am not. Encryption totally has its place for web application security reasons. Asymmetric encryption usage to protect data that is “one way” in nature is a good example. As a retail store trying to store the user’s credit card details for recurring monthly payment, the data should be encrypted with asymmetric encryption so that the Web frontend can never read the data back but another party with another related key can. Also, there are numerous other scenario where encryption should be used, such as backup, protecting against rogue DB administrators and against physical theft of database machine.

I often recommend a threat risk assessment before deciding on the database encryption solution. That would allow you to quickly understand the threats that affect the web application and also  possible countermeasures that can help protect against the threat. Due to the cost of deploying and maintaining database encryption, I am seeing very limited deployment of database encryption, most folks tend to turn to other alternatives for risk mitigation.

Encryption is a useful defensive technology that can help protect the web application but it is not a silver bullet, blindly deploying it may not address any threats that you are trying to mitigate. The managers and auditors tend to request these technologies to be deployed to defend against web application compromise after seeing another competitor getting compromised thru web application security flaws (eg. SQL injection). Encryption is likely not the best choice of defensive technology given the scenario.

Dshield Web Honeypot going beta

0
Posted by Jason Lam on June 11, 2009 – 5:44 pm
Filed under honeypot

[Cross posted from SANS ISC]

SANS ISC started the Dshield Web Honeypot project roughly one year ago. The goal of this project is to replicate what Dshield had done for the community on the web application side. We are not trying to detect targeted attacks but fast scanning and replicating threats that has potential to affect the whole community quickly.

Similar to the original Dshield project, we rely on volunteers to feed us logs. In the case of web logs, it is not easy to collect detailed log (eg. HTTP header, HTTP body) by using the web server logs alone,  this is why we have a PHP + Apache based client component for volunteer to install as their log collector (or honeypot). We are announcing today that the client software for this project is turning beta. Special thanks to the volunteers on this project

For this project to be successful, we need your support in sending us logs. The honeypot client software can be downloaded from the Dshield portal under My Information (login first).

For the impatient, here are the high level instruction.

The installation start off with downloading and untar’ing the code into a directory. Run the config.php under /lib to configure the client. Then run the update-client.php to ensure you have the latest copy of all the code. This process should be followed by running of the update-template.php, which updates all the web pages in the honeypot. After that, it’s a matter of configuring the Apache virtual host (sample config under /docs) and it should be all set.

Once you are submitting web logs, the Dshield main portal page should let you view all the logs you are submitting (1 hr time delay). Let us know how this is working out for you.

Web application penetration testing VS vulnerability assessment

2
Posted by Jason Lam on May 27, 2009 – 11:47 pm
Filed under Pentest, Uncategorized

I deal with infrastructure and application security testing on a regular basis. On the infrastructure/network side, the consulting and testing market is much more mature, definition of pentest and vulnerability assessment are industry accepted. It is easy to communicate with other folks about the work involved. On the application side, things are not as well defined. It will be at least a couple more years before the definition or an “application pentest” is accepted.

What is vulnerability assessment?

According to Wikipedia, “A vulnerability Assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.” In short, it involves anything to determine if there is a weakness or vulnerability in the system subjected to the assessment, then report on it. For application testing, you would throw some test input at the application or try a number of test cases and see if it is vulnerable to any of the vulnerabilities you are testing for.

In general real world terms, the tester for a VA (vulnerability assessment) is expected to perform the reconnaissance phase which allows the tester to understand the application well enough and determine if there are any short cuts to compromising the system. Also, gathering enough data about the application (such as platform it is running on or what other virtual hosts are running) to allow later testing phases.

Then, the tester is expected to map out the application and understand the application flow and relationship between objects in the application. Some of the vulnerabilities such as business logic flaws may also be revealed at this phase. Following mapping is the discovery of vulnerabilities, for input related flaws it might involve automated tools and manual validation test. There are also various other test cases that need to be manually test,  especially on the session related and access controls related flaws that are not easily automated.

In general, testers follow a common testing framework such as the OWASP Testing Guide, to ensure sufficient coverage of vulnerabilities during the process. After the discovery, the vulnerabilities are evaluated and usually manually verified again. Then a risk rating is given to each vulnerability to be included in a report.

Running a vulnerability scanner against a web application is a form of vulnerability assessment. It is also a form of assessment that is not very complete or thorough, in general, an automated scanner covers about 50-70% of the vulnerabilities in a given application.

What is penetration testing?

Penetration testing or “pentesting” includes all of the process in vulnerability assessment plus an important extra step, which is to exploit the vulnerabilities found in the discovery phase. You may ask, “Just a one step difference?” Pretty much, but this one step could separate the boys from the men. I often tell the students in my pentest class that it is common for a pentester to spend 20% of his/her time locating a single vulnerability and then 80% of the time is spent exploiting that vulnerability. The process of exploitation usually involves a lot of trial and error and may not work the first time. Depending on the type of vulnerability being exploited, some other system general knowledge maybe required to aid the exploitation process.

The better pentesters don’t usually stop at exploiting one single vulnerability. For example, a single CSRF vulnerability can be somewhat limited, bundle that with a XSS vulnerability and you have a much bigger problem at hand. In a lot of cases, an expert pentester can leverage two or three low to medium  risk vulnerabilities and turn the result into a critical exposure.

The added benefit of a pentest is able to see the vulnerabilities being put into active exploitation and show the actual maximum effect.Due to the nature of pentesting, the exploitation does not really have any established framework. The exploitation is highly dependent on the skillset of the invidual/team performing the test.

An example to show the difference

Let’s use an example to illustrate the difference. Let’s say the tester is testing for SQL injection and a single quote (’) is put into all input field. In a particular field, when a quote is put to the field, a SQL error is generated in the resulting page like this, “You have an error in your SQL syntax near ‘\’0′ at line 1″  This is tell-tale sign of error SQL injection. A vulnerability assessment might just do a bit further validation such as trying to dump current user name to validate the vulnerability and then goes into reporting.

A pentest on the other hand would likely be taking a lot more time on this error alone. The pentester would figure out how to tag on extra logic or command structure into the current SQL statement so that the tester can control the SQL database. If possible, the tester will enumerate the database structure and possibly dump the whole database content. If the permission is not set properly, the pentester may also be able to jump into OS command context and start executing commands in the OS. Obviously, all these attacks requires patience and takes a lot of time to succeed.

What’s more popular?

If there is such as difference and pentesting is so much more in demonstration, why don’t we just do pentesting then? Well, there is always a costing difference making pentesting significantly more expensive than a vulnerability assessment. In fact the market is currently leaning towards pentesting; those who are concerned about web app sec are willing to spend the money to get what they think is the best. (cost more, it must be better)  In the next few years, as the general public are more educated about security testing for web applications, I am sure the market will adopt both services – vulnerability assessment and penetration testing. Until then, I have to be very careful about listing requirements and looking at quotation for security testing consulting work.

Logging Links to 3rd party provider

0
Posted by Jason Lam on May 25, 2009 – 1:03 am
Filed under Uncategorized

While web application spans over multiple sites boundary, it is essential to keep track of where the users are being directed. This is pretty much a basic logging and audit trail concept. While it is easy to understand in theory, it is not always easy to see where it should be implemented. Development communities sometimes have a harder time to understand why this is important, so let’s examine why it is a good idea to do so. If you ever have to explain to others why you should do this, hope this info will become useful.

Internal redirection or links

While directing users on the same site (same server) using HTML links, it is easy to track where the user is visiting. Each of the link that the user followed will be in the web server log and it is not difficult to trace the footstep of a specific user (with IP address).

External redirection or links

When directing to an external site using HTML links, there is no way by default to track the user’s activity. The webserver log doesn’t track the user’s visit to an external site, only the destination server logs it. The browser fetch page from another site and does not necessarily report back.

Why is this even important?

It is common for applications to be spread out in different servers or even different organizations. An online retailer may present products for user’s selection and then let the user click on the checkout button to be directed to a payment processor for finishing the transaction. If the payment processor in this example is compromised, how do the retailer know who clicked on the checkout button if the button is a straight link to the payment processor? The chances of an audit trail is minimal.

On December 2nd, 2008, Checkfree Billpay site was compromised, this is the organization that owns about 70-80 percent of online bill payment in the US. A lot of the banks simply forward their clients to Billpay using HTML link for bill payment function. It is essentially an application service provider for a lot of the US banks. The attackers were able to hijack the DNS entry of Billpay’s domain to a malicious site hosting malware awaiting to infect visiting users.

When performing incident handling on issues like this one, “who went to the compromised site” might be one of the first question to be answered. If a straight HTML link <a href=> style external link is used, there is not a whole lot of chance to be able to answer that question.

What’s the right way to do it?

While directing user to an external service provider, make the link internal. The link should be targeted at a redirection script. The script uses a 301 redirection header to direct the user to external provider’s site. This way, there is web server log (for IP logging) and also application log which is done by the redirection script. The application log should have user name information since it should be session aware.

For the redirection script, it is important to ensure the issue of open redirect does not exist. User should never be able to tell the script the exact URL to be redirected to.

——————————————————

More information on the Checkfree compromised can be found here and here

Examine HTTP compressed gzip content

1
Posted by Jason Lam on May 21, 2009 – 9:33 pm
Filed under Uncategorized

For incident handling, forensics or troubleshooting purposes, packet sniffing is often used to understand the information exchange between two hosts.  HTTP traffic packets are often sniffed so that the full header and body can be revealed easily, especially on the server side. On the client side, most commonly used technique is to use a proxy tool like Webscarab to intercept the request. While making new exercise for my DEV422, I noticed some interesting behavior of how different programs handles the gzip compressed HTTP content.

Normally, if the server sends gzipped content to the client, it sends a special HTTP header indicating to the browser the content should be decompressed before rendering on screen, this is the header normally sent

Content-Encoding: gzip

When there is a sniffer or interception proxy in the middle, the condition is complicated, as these man-in-the-middle need to be able to decode to read the actual content.

Let examine how Webscarab handles gzipped content, here is an interception on response coming from server.

Webscarab gzip encoding

Webscarab gzip encoding

Webscarab shows a “X-Content-Encoding: gzip” indicating the gzip process had already been performed. The browser does not have to take any action as the content is already decompressed by Webscarab.

Wireshark, on the other hand is a simple sniffer, it doesn’t alter anything the user is able to view. Let’s see what Wireshark can see while sniffing packets on the wire.

09-05-21-wireshark-full

Unlike Webscarab, Wireshark does not alter the headers and only shows what is actually transferred. At the bottom of the above screen cap, Wireshark is able to decode the gzipped data and show the HTTP data.

Everything is good so far, Webscarab and Wireshark essentially handled gzip data transparently by default.

Now, what if I follow TCP stream within Wireshark? This is a very common function used by a lot of users to view the full conversation between two hosts.

Wireshark follow TCP stream

Wireshark follow TCP stream

Wireshark Follow TCP Stream function does not decode gzip compression. The content is not decoded while displayed on screen.

While handling packet sniffer or using a man-in-the-middle manipulating HTTP responses, make sure you are aware that some compression encoding could be at play if things are not displaying properly on screen.

Welcome to the new blog!

0
Posted by Jason Lam on May 21, 2009 – 3:47 am
Filed under Uncategorized

Welcome to the SANS Application Security Blog. This is a collective effort by SANS web app sec instructors and volunteers to bring you the latest techniques in defending and testing web applications and well as interesting secure development related information.

Hope you will enjoy the information provided on this blog. Thanks!