
Web Security

Web Security
Almost everything relies on computers and the Internet now:
- Communication - email, cell phones
- Transportation - car engine systems, airplane navigation
- Medicine - equipment, medical records
- Shopping - online stores, credit cards
- Entertainment - digital cable, mp3s

What Web User Can Do?

How to Avoid Web Attack?


MUST!
- Understand your web application.
- Understand the attack methods.
- Understand, and be able to recognize, evasion techniques in order to solve the problem.

Web Security
Web Security, also known as Cyber Security, involves protecting information by preventing, detecting, and responding to attacks.

Malaysia Web Security Incidents

What Web User Can Do?


The first step in protecting yourself is to recognize the risks and become familiar with some of the terminology associated with them.

Web Security Terminologies


Hacker - people who seek to exploit weaknesses in software and computer systems for their own gain.
Viruses - A virus requires you to actually do something before it infects your computer. This action could be opening an email attachment or going to a particular web page.

Web Security Terminologies


Worms - Worms propagate without user intervention. Once the victim computer has been infected, the worm will attempt to find and infect other computers.
Trojan Horse - A Trojan horse program is software that claims to be one thing while in fact doing something different behind the scenes.

Web Security Terminologies


Keyloggers
Traditionally, keyloggers are software that monitors user activity, such as the keys typed on the keyboard.

Web Security Terminologies


Such recorded data could be uploaded in real time, or when an internet connection becomes available, by:
- Email attachment
- IRC channel
- File transfer (FTP)

Web Security Terminologies


Firewall
Mechanism for content regulation and data filtering

Blocking unwanted traffic from entering the sub-network (inbound)

ASPECTS OF DATA SECURITY


Privacy
Keeping your information private

Integrity
Knowing that the information has not been changed

Authenticity
Knowing who sent the information

Privacy

Your personal details are a valuable asset


Businesses are increasingly looking to target individuals more effectively, so data about those individuals is in demand. Buying and selling lists of email addresses and demographic details is big business.

Integrity

Maintaining the data integrity of any communication is vital.


Integrity can be preserved by using strong encryption methods. Even if an intruder sees the transmission, it would be useless since it is encrypted.

Authentication

We need to authenticate a message to make sure it was sent by the correct person.
A digital signature is used for this purpose. The public key / private key method can also be used to authenticate.

EXPLOITATIVE BEHAVIORS ON WEB HACKING

WEB APPLICATION THREATS

Cross Site Scripting

An Example of XSS

Countermeasures of XSS

HACKING ANATOMY

Steps in Hacking Anatomy

RECONNAISSANCE

Reconnaissance
Gathering information about the target, in an active or passive manner, so the attacker can prepare for the attack.

Passive Investigation
- Fingerprinting
- Information available in the public domain, such as search engines, newspapers, dumpster diving
- Social engineering
- Sniffing

Active Investigation
List of accessible hosts.
Details of target machines.

Fingerprinting
A way of non-intrusive information gathering.
The information gained can range from:
- Domain names
- Network blocks
- Specific IP addresses
- Contact addresses

Initial Information
Domain Name Lookups - a name that identifies one or more IP addresses
Websites - checking for meta tags, comments, the code itself, blogs, search engines, web pages saved offline

Tools
1. Google
2. Whois
3. Nslookup
4. LiveHTTPHeaders
5. Web Spider

1. Google
Using its query modifiers:
- filetype
- inurl
- site
- intitle
- link
- allintitle
- allinurl

Meta Search Engine - Dogpile

Example - Google

Example - Google

2. Whois
Several operating systems provide this utility.
Information that can be retrieved:
- Owner
- Registrar
- Domain Network
- Point of Contact
- Addresses

Example - Whois

Example - Whois

3. Nslookup
Queries the default name server specified in the current machine's TCP/IP configuration.

Example - Nslookup

4. LiveHTTPHeaders

5. Web Spider
A tool to crawl an entire website

SCANNING

Scanning
- Detecting systems running on the target network
- Map the network by discovering extra hosts and devices
- Discover the open ports and services
- Get more information on services by comparing the target with the vulnerability signatures

Types of scanning
- Port scanning
- Vulnerability scanning

1. Port Scanning
Information gathering:
- Discovery of ports that are listening or open
- Determination of which ports refuse connections
- Determination of connections that time out

Some activities the attacker uses to avoid detection:
- He may start scanning slowly, a few ports at a time
- He tries the same port across several hosts
- Scanning is done from a number of different systems, optimally from different networks

Port Scanning Tools - Nmap


Network Mapper
Open source utility for network exploration or security auditing. Used to scan the ports of the target system; also used for UDP/ICMP scans and OS fingerprinting.

2. Vulnerability Scanning
Focuses on known weaknesses:
- Detect vulnerabilities
- Assign risk levels to discovered vulnerabilities
- Identify vulnerabilities that have not been remedied
- Determine the improvement in network security

Vulnerability Scanning Tools - Nessus


Checks the network for possible security vulnerabilities by scanning the target hosts or network.

GAINING ACCESS

Gaining Access
If a vulnerability is found, exploit it.
Search for and use exploits or techniques from underground resources:
- Mailing lists & chat rooms
- Security alerts & advisories
- Security tools

Gaining Access
Types of the most popular vulnerabilities used for gaining access:
- User enumeration & privilege escalation
- Default installation
- Default usernames and passwords
- Outdated versions or unpatched software
- Web application vulnerabilities

Underground Resources

http://1337day.com

Chat Rooms

KEEPING ACCESS
Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system against other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

COVERING TRACK
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include steganography, the use of tunneling protocols, and altering log files. Steganography and the use of tunneling for purposes of hacking will be discussed in later posts.

Tips on Keeping Your Web Application from Being Hacked


1. Backup your Web Application
Always make backups of your files and folders and store them in a separate place.

2. Penetration Testing
This is the part of security testing in which a deliberate and simulated attack is carried out to circumvent the security of a system. This is a must-deploy step for commercial websites. Security cannot be foolproof: even secured WordPress web hosting can be compromised with the c99 madshell script written in PHP.

3. Vulnerability Assessment
A vulnerability scanner is a tool that searches and maps a system or network for different possible weaknesses and reports them, with feedback, for the use of the administrator. It can reveal possible web application vulnerabilities like SQL injection, XSS and firewall security breaches. Nikto is a very useful open source scanner, and you can also use the Acunetix Web Vulnerability Scanner.

4. Client Security Tools
A web-master can do everything on his part to secure a server. But risk management has to be one of the most important priorities, and one can never predict security in the future. So clients have to be advised by web-masters to use browser security tools to save themselves from any loss. Such a tool can be the XSS Me Firefox add-on or Internet Explorer 8's built-in XSS filter.

5. Application Whitelists
This is a policy employed by administrators to document the configuration of the applications placed in the whitelist. This way they can detect any unauthorized changes to the server environment.
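The whitelist idea above in working form, as an added example that is not part of the original slides: the administrator records a baseline of approved files (path plus SHA-256) at deploy time, and a later run reports every file that was modified, added or removed. The directory layout and PHP files are constructed for the demonstration.

```python
# Added example, not from the original slides: a minimal application
# whitelist / integrity baseline. The administrator records SHA-256 hashes
# of the approved files under the web root, and a later run reports any
# file that was modified, added or removed. Sample files are constructed.
import hashlib
import os
import tempfile

def build_baseline(root):
    """Whitelist: relative path -> SHA-256 of every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = digest
    return baseline

def check_against_baseline(root, baseline):
    """Compare the live tree with the whitelist; report each difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: approve a tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "inc", "config.php"), "w") as f:
            f.write("<?php $db = 'prod'; ?>\n")
        baseline = build_baseline(root)  # recorded at deploy time
        # Later: one file is edited, an unapproved file appears, one is gone.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// unexpected edit\n")
        with open(os.path.join(root, "uploads.php"), "w") as f:
            f.write("<?php /* not in the whitelist */ ?>\n")
        os.remove(os.path.join(root, "inc", "config.php"))
        return check_against_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off the server (or signed), since an attacker who can edit the web root could otherwise rewrite the whitelist too.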

Other Important Tips on Keeping Your Blog from Being Hacked


Update your Blog Software
Blog platforms periodically update their versions for a variety of reasons, one of which is security. Old versions of some platforms expose your blog and server to being hacked.


Backup your Blog
Being hacked does happen, even to the smartest bloggers, from time to time. When it does happen you need to have some way of getting your blog back up and running, and a backup is an essential part of this.

Keep an Eye on Dead Blogs
I suspect that of the 50 million or so blogs that Technorati are tracking, many of them are non-active blogs on old blogging platforms. One of the dangers of retiring a blog and not updating it is that you can have old and un-updated blogging platforms sitting on your server, which could prove to be a vulnerability in your set-up. Even if you're not actively updating a dead blog you should consider updating its version.

Protect Your Passwords
This goes without saying, but I'm constantly surprised by the stories I hear of people using obvious passwords or giving them out. Basic password protection strategies and common sense should prevail.

Choose Your Host Carefully
I am in the fortunate position of having a quality host who offers me personal and comprehensive help in those times when things go wrong. Without this I don't know what I'd have done.
