WebGoat Lab session overview

2 WebGoat Lab session overview
Initial Setup
- Virtual Machine
- Tamper Data
- Web Goat
Basics
- HTTP Basics
- Sniffing
Web server attacks
- SQL Injection
- XSS

3 INITIAL SETUP

4 Tamper Data
Hold Alt to reveal the menu in IceWeasel/Firefox: Tools > Tamper Data
To perform a manipulated HTTP request, press Start Tamper, then perform an action that results in a request (clicking a button, a link, etc.).
You can also view the HTTP requests and responses in the ongoing requests window.

5 Wireshark
Wireshark can also be used to analyze your HTTP traffic.
Start Wireshark from the command line as superuser for live capture: sudo wireshark
Note: Running Wireshark as superuser is fine for testing on a virtual machine, but is not recommended for real-life use.
Pick the interface "loopback": it captures requests within localhost (i.e. when both communicating applications are on the same machine, as with the local web server and your browser).

6 WEB GOAT - Start (1)
Close the VM's Internet connection (your machine is extremely vulnerable while WebGoat is running).
Go to the folder containing the installation: ~/WebGoat
Execute the ./run_webgoat.sh file

7 WEB GOAT - Start (2)
Type the address in the browser
Login as username = netsec and pwd = secnet

8 BASICS
HTTP Basics
Sniffing

9 HTTP Request/Response
While browsing, every time an action is taken, an HTTP Request is created.
The HTTP Request goes from the browser to the web server.
The web server does some processing (e.g. verifies whether you are a registered user) and sends back an HTTP Response.
(Figure: the browser sends an HTTP Request, the web server returns an HTTP Response.)

10 HTTP Request
Username and password are sent (most likely in clear!!) over the network. They can be intercepted.

11 HTTP Response
The response can be intercepted and parameter values can be changed.

12 HTTP Basics - Exercise
Goal: meet WebGoat and Tamper Data.
Exercise:
- Go to the exercise General -> HTTP Basics
- Start Tamper Data or Wireshark
- Insert your name in the field and press Go!
- Inspect the HTTP request and response messages
- Try to locate your name in the message

13 HTTP Basics - Lesson learned
When parameters are in clear (i.e. not encrypted) they can easily be changed by whoever is listening to your Internet traffic.
In this case it was only your name. But assume you want to make a payment of 800 Euro to the account of your landlord and insert it as the account number. The attacker can change that number to his own account number. In this way he has managed to steal 800 Euro from you.

14 Sniffing - Exercise
Goal: steal the username and password of the user.
Exercise:
- Go to Insecure Communication -> Insecure Login
- Press the button Log in and use Tamper Data (or a packet sniffer) to steal the password

15 Sniffing - Lesson learned
You performed your first sniffing attack: you intercepted the traffic of your victim and stole his password.
If this is the same password he uses for his Internet banking (or e-mail account), you can now easily access it.
Encryption is necessary to prevent outsiders from eavesdropping.

16 Parameter Tampering - Exercise
Goal: change the total amount charged to your credit card.
Exercise:
- Go to Parameter Tampering -> Exploit Hidden Fields
- Purchase the TV for 1$
Important note: first click Purchase without tampering; this will open another purchase page. Perform the tampering on this new page.

17 Parameter Tampering - Solution
Start Tamper Data, then press the button Purchase.
Change the parameter Price to the value 1.00$.
If successful you will get a Congratulations message.

18 Lesson learned
You used your recently learned hacking skills to gain a personal advantage: you paid 1$ for a product worth 3000$.
Why is that possible? The web server is not checking that you are paying the right amount of money. A hacker who knows this vulnerability is able to exploit it.
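The check the web server was missing, as an added example in Python (not WebGoat's own code): the hardened handler treats the hidden Price field as untrusted, recomputes the total from its own catalogue and flags any mismatch. The catalogue, product id and form field names are assumptions for this demo.

```python
# Added example (not from the lab slides): a checkout handler that recomputes the
# price server-side instead of trusting the hidden "Price" field from the form.
# CATALOG, the product id "TV-56" and the form field names are assumptions.

from decimal import Decimal

# Server-side source of truth: the client never gets to set these values.
CATALOG = {"TV-56": Decimal("2999.99")}  # constructed sample item


class TamperingDetected(Exception):
    """Raised when a client-controlled field disagrees with the server's own data."""


def checkout_vulnerable(form):
    """Mirrors the WebGoat lesson: the server charges whatever Price the browser sent."""
    qty = int(form["QTY"])
    return Decimal(form["Price"]) * qty


def checkout_hardened(form):
    """Hidden fields are just more client input.

    The server looks the price up in its own catalogue by product id and charges
    that. A Price field that disagrees with the catalogue is either a stale page
    or tampering; either way it is not honoured, and it is worth logging.
    """
    product_id = form["Product"]
    if product_id not in CATALOG:
        raise TamperingDetected(f"unknown product id {product_id!r}")
    qty = int(form["QTY"])
    if qty <= 0:
        raise TamperingDetected(f"invalid quantity {qty}")
    server_price = CATALOG[product_id]
    client_price = Decimal(form.get("Price", server_price))
    if client_price != server_price:
        raise TamperingDetected(
            f"price mismatch for {product_id}: client sent {client_price}, "
            f"catalogue says {server_price}"
        )
    return server_price * qty


if __name__ == "__main__":
    honest = {"Product": "TV-56", "QTY": "1", "Price": "2999.99"}
    tampered = {"Product": "TV-56", "QTY": "1", "Price": "1.00"}  # the lab's tampered form
    print("vulnerable handler, tampered form charges:", checkout_vulnerable(tampered))
    print("hardened handler, honest form charges:", checkout_hardened(honest))
    try:
        checkout_hardened(tampered)
    except TamperingDetected as exc:
        print("hardened handler rejects tampered form:", exc)
```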

19 WEB SERVER ATTACKS
SQL Injections
XSS

20 SQL injection by example
(Diagram: client - Internet - web server - web application - database)
The WEB APPLICATION presents a form with username and password. What happens in the database?

21 In the database
(Diagram: client - Internet - web server - web application - database)
SELECT * FROM users WHERE username = '$username' AND password = '$password'

22 What happens if...
Username: just any legal user name
Password: anything' OR 'x'='x
Recall the MySQL command is:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
It becomes:
SELECT * FROM users WHERE username = 'elisa' AND password = 'anything' OR 'x'='x'
And it gets parsed the wrong way. Just to be clear: the above query selects all users, so the reply is the list of all users, together with all the parameters that are in the

23 The goal of an SQL injection
(Diagram: client - Internet - web server - web application - database)
Have the database do something that the programmer didn't think of.
Particularly useful for data extrusion (exfiltration, i.e. stealing data such as passwords). But it can also be used for something else, such as having the database modify the data it holds.
Let's see an example.

24 SQL Injection - Stealing information
- Go to the exercise Injection Flaws -> SQL Injection (lessons 7, 8)
- Your goal is to retrieve all users from the user table using string SQL injection and numeric SQL injection (optional)
- Check how your input is encoded using Tamper Data or Wireshark

25 Solution
String SQL injection: Smith' or '1' = '1
Numerical SQL injection: 101 or 1=1
5/12/18

26 SQL Injection: Pulling Data from Other Tables
- Go to the exercise Injection Flaws -> SQL Injection (advanced), lesson 3
- Your goal is to join the user_system_data table with the "get account info" table and figure out the password of Dave
- You can take a look at a cheat sheet to see how to perform a union on two tables.

27 Solution
Smith' union select null, user_name, password, null, null, null, null from user_system_data --
Password of Dave: dave
Or, finding the password without union: Smith'; select * from user_system_data where 1 = 1

28 Lesson Learned
An attacker can use SQL Injection to read and modify data in a database. An attacker could, for example, read the account numbers of all the customers of a bank.
Web servers should perform input sanitization to avoid SQL injection, i.e. recognize that the user is inserting SQL or script commands and not accept such strings as input.
Take a look at the SQL injection prevention cheat sheet.
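The query from slides 21-22 and both payloads from slide 25, reproduced against an in-memory SQLite table as an added example (not WebGoat's own code): the concatenated query leaks every row, while the same lookup with a bound parameter (the primary defence in the prevention cheat sheet, which goes further than rejecting suspicious strings) treats the payload as a plain value. The table contents and user names are constructed for the demo.

```python
# Added example (not from the lab slides): the login query built by string
# concatenation beside the same lookup with bound parameters. Sample users,
# passwords and ids are constructed; SQLite stands in for MySQL.

import sqlite3


def make_db():
    """Constructed sample data standing in for WebGoat's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(101, "elisa", "s3cret"), (102, "smith", "hunter2"), (103, "dave", "passW0rD")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation, as on slides 21-22: the input becomes SQL grammar.

    With password = "anything' OR 'x'='x" the WHERE clause reads
    ... AND password = 'anything' OR 'x'='x', which is true for every row,
    so the "login" returns the whole table.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Bound parameters: the driver sends the values separately from the query
    text, so the quote and the OR in the input are only characters inside a
    string value, never operators."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def lookup_numeric_vulnerable(conn, account_input):
    """Numeric variant (slide 25, "101 or 1=1"): no quote is even needed, the
    text is pasted straight after the = sign."""
    sql = "SELECT username FROM users WHERE userid = " + account_input
    return sorted(row[0] for row in conn.execute(sql))


def lookup_numeric_parameterized(conn, account_input):
    """Type validation first (an account number must be an int), then a bound
    parameter: "101 or 1=1" is rejected before any SQL is built."""
    try:
        account = int(account_input)
    except ValueError:
        raise ValueError(f"account number must be an integer, got {account_input!r}") from None
    sql = "SELECT username FROM users WHERE userid = ?"
    return sorted(row[0] for row in conn.execute(sql, (account,)))


if __name__ == "__main__":
    db = make_db()
    payload = "anything' OR 'x'='x"
    print("concatenated query leaks:", login_vulnerable(db, "elisa", payload))
    print("parameterized query returns:", login_parameterized(db, "elisa", payload))
    print("numeric injection leaks:", lookup_numeric_vulnerable(db, "101 or 1=1"))
```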

29 DENIAL OF SERVICE

30 Denial of Service
Web servers have limited resources (bandwidth, processing power, memory, storage, ...). Eating up these resources can slow down or stop the server from functioning, i.e. impair its availability.
Here we look into a Denial of Service attack at the application layer: we try to create more sessions on the server than it can handle.

31 Denial of Service - Multiple Logins
Go to Lessons -> Denial of Service -> Denial of Service from Multiple Logins
The server's database pool only allows two logins. Create a total of 3 logins to perform the attack.
Hint: Use SQL Injection to obtain a list of usernames/passwords.

32 XSS - CROSS SITE SCRIPTING

33 XSS in a nutshell
(Diagram: client - Internet - web server - web application - database)
While with SQL injection the goal was to hack the DB, now the goal is to hack the client of your victim, for instance by storing something in the web server that will trigger something in your victim's client when he looks at the page you tampered with.
Let's see an example.


35 XSS in WebGoat
Go to the exercise Cross Site Scripting (XSS) -> Ex 2
You have to check, using JavaScript, the cookies of the WebGoat web page.

36 Notice that Tom Cat can view his own profile, but he cannot see the profiles of his colleagues. On the other hand, David and Jerry can see the profiles of a few people; in particular Jerry can see Tom's profile.
Now Tom can try to attack Jerry by storing something (a kind of virus) in his own profile. The moment Jerry looks at Tom's profile, he will be infected.

37 Solution
Open WebGoat in two different tabs and type javascript:alert(document.cookie);
On both tabs the output should look something like this: (screenshot of the alert)
The cookies are the same in every tab.

38 Reflected XSS in WebGoat
Go to exercise 7.
You have to find out which of the fields is susceptible to JavaScript and insert the suggested script. Forge a URL that contains such a script.

39 Hint
Inspect the web page source code to investigate the properties of the fields.
Use your Tamper Data tool to help you forge the URL.

40 Solution
The field is field1 (Credit Card Number): <script>alert('my javascript here')</script>
The URL is: &QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my javascript here')</script>&field2=111

41 DOM-Based XSS in WebGoat
Go to exercises 10 and 11.
Your goal is to find the test route of WebGoat. Discover the return value of the JavaScript function webgoat.customjs.phonehome().

42 Hints
Try to locate the JavaScript file GoatRouter.js
Using the Debugger (Tools -> Web Developer -> Debugger) should help.
Check the UTF-8 encoding for /

43 Solution (Ex 10)
The test route is: start.mvc#test/
The WebGoat test route allows you to execute commands. Try typing:

44 Solution (Ex 11)
The JavaScript function webgoat.customjs.phonehome() returns a random value on the console: (screenshot)
Correct solution: Oh well, too bad, let's just use a packet sniffer :)

45 Stored XSS in WebGoat
Go to exercise 13.
Your goal is to write a comment that calls the JavaScript function webgoat.customjs.phonehome().

46 Solution
Write as comment: <script>webgoat.customjs.phonehome()</script>
Obtaining the return value of webgoat.customjs.phonehome() is just the same as in Ex 11.
Caution: it is a STORED XSS, so the function will be executed every time you load the page.

47 Solution (2)
Now login as Jerry Mouse (password: moe).
Select Tom Cat and view his profile.
At this point you should see the alert message, the result of the script.

48 Lesson Learned
As with SQL injection, XSS attacks are possible if no input sanitization takes place.
The application should have checked whether the street you inserted was a legal street name. In other words, the application should have sanitized your input. But it failed to do so.
Your input was a script in JavaScript, and when a user looked at the page, the user's browser happily executed the script. That script could have done much more harm than just laughing: it could have stolen some information (cookies), or executed code at the client side.

49 XSS recap
Basic idea: force the browser to execute a script which has been injected into a web page/application.
Important: the malicious code is executed at the client side.
There are two flavors:
- Persistent [Stored] (requiring the storage of the script in the web application)
- Non-persistent [Reflected and DOM-Based] (in which the script is generated on the fly)
#2 problem in the OWASP Top 10 Web Application Security Risks for 2010 (just under injections).
XSS is one of the nastiest vulnerabilities. It is sometimes erroneously considered non-critical because of a (presumed) lower impact compared to SQL Injection.
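What "sanitizing" means for the stored profile/comment page, as an added example in Python (not WebGoat's own code): the vulnerable renderer interpolates the stored text straight into the HTML, the hardened one HTML-encodes every untrusted value on output and validates the street field against an allow-list on input. The page layout, field names and stored values are constructed for the demo; the stored values are the two script payloads from slides 40 and 46.

```python
# Added example (not from the lab slides): rendering stored user input into a
# profile page with and without output encoding. Page structure, field names and
# the stored sample values are constructed for this demo.

import html
import re

# Constructed stored input, shaped like the payloads on slides 40 and 46.
STORED_STREET = "<script>alert('my javascript here')</script>"
STORED_COMMENT = "<script>webgoat.customjs.phonehome()</script>"


def render_vulnerable(street, comment):
    """Raw interpolation: whatever was stored is now part of the page's HTML, so a
    <script> element in a comment is parsed and run by every viewer's browser."""
    return (f'<p>Street: <input value="{street}"></p>\n'
            f'<div class="comment">{comment}</div>')


def render_hardened(street, comment):
    """Output encoding at the point of use: html.escape turns < > & " ' into
    entities, so the browser displays the text instead of interpreting it."""
    return (f'<p>Street: <input value="{html.escape(street, quote=True)}"></p>\n'
            f'<div class="comment">{html.escape(comment)}</div>')


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page_html):
    """Cheap detection check on the rendered page: is there still a raw <script
    tag? (A real check would parse the DOM; this suffices to compare renderers.)"""
    return _SCRIPT_TAG.search(page_html) is not None


def street_input_ok(street):
    """Input validation as the lesson-learned slide asks for: a street name only
    ever contains letters, digits, spaces and a little punctuation. This
    complements output encoding, it does not replace it (comments need markup
    characters, so they can only be protected by encoding)."""
    return re.fullmatch(r"[A-Za-z0-9 .,'-]{1,64}", street) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(STORED_STREET, STORED_COMMENT)
        print(f"--- {name}: live script = {contains_live_script(page)}\n{page}")
    print("street allow-list accepts payload:", street_input_ok(STORED_STREET))
```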

50 ADDITIONAL EXERCISES

51 Authentication Flaws: weak passwords
Go to the exercise Authentication Flaws -> Password Strength
There are 5 passwords with different security levels (some are much easier to guess than others).
Use the tool available at the link to see how much time a hacker needs to guess such passwords.

52 Lesson learned
You learned that easy passwords are extremely easy to guess: less than a second for the password.
Therefore they should not be used, nor accepted by web applications.
Ideally one should use passwords that have lower and upper case characters, at least one number and one special symbol. These kinds of passwords can better resist brute force attacks.

53 Blind SQL Injection
Injection Flaws -> Blind String SQL Injection
The web form contains a field that returns a True/False value. Try to find out the name of a credit card account holder by injecting SQL statements.

54 Blind SQL Injection
Hint: Check out the SQL function SUBSTRING. SUBSTRING('abc', 1, 1) would return 'a'.
Hint II: Characters can be compared like numbers, i.e. 'a' > 'z' would return FALSE.
Hint III: A FALSE return value is represented by the string "Account number is not valid".
Hint IV: A SELECT statement can be used to return a string.


55-56 Blind SQL - Solution
Try inputs such as:
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number = ), 1, 1) <= 'Z');
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number = ), 1, 1) <= 'a');
These give a clue about the first character: they are valid letters.
Try the same input with other characters ('a', 'h', 'H', etc.) and with > to pinpoint the first character:
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number = ), 1, 1) = 'J');
returns True, so 'J' is the first character of the name.
Try for the second character:
101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number = ), 2, 1) < 'h');
Try with the 3rd, 4th letter etc. until it returns false for the range a-z.
Answer: The name is Jill
Lesson learned: having a vulnerability that leaks a single bit of information can be sufficient for an attacker to steal sensitive data.

57 Session Fixation
Go to Lessons -> Session Management Flaws -> Session Fixation
Exercise: You are Hacker Joe. You want to pretend to be Jane when communicating with Jane's bank. To do so, you want to steal Jane's session at the moment Jane is logged in to the bank. For that, you need to know the session identifier (SID) of Jane's session when she talks to the bank. That's the difficult thing.
One way of getting to know Jane's SID is to induce her to start a session with the bank using the session identifier you want. This may be less difficult than you think.
Note: WebGoat is not the same as webgoat; change the URL accordingly.

58 Session Fixation - Exercise
Goal: steal Jane's credit card information.

59 Session Fixation in practice
Stage 1 (Hacker Joe): Write an e-mail to Jane in which you try to convince her to click on the link you have made: <a href=/webgoat/attack?... &SID= >
Stage 2 (Jane): By reading the e-mail and clicking on the link, Jane is redirected to the bank, starting a session with the SID you have determined!
Stage 3 (Jane): If Jane logs in to the bank with her username and password, then the session becomes active.
Stage 4 (Hacker Joe): Hacker Joe can now simply connect to the bank using the SID. The bank server will think that it is talking to Jane.

60 Lesson Learned
You learned how to carry out a (very basic) phishing attack and use it to steal a session.
This happens because the bank naively accepts a token fixated by the user. The bank should set its own session token.
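The four stages above and the fix the lesson asks for, replayed against a toy session store as an added example in Python (not WebGoat's own code): the vulnerable bank keeps the client-supplied SID across login, the fixed bank discards it at authentication and issues a fresh server-generated one, so the SID Joe fixed never becomes Jane's authenticated session. The BankServer class, its session store and Jane's credential are constructed for the demo.

```python
# Added example (not from the lab slides): a toy bank session layer showing why a
# SID accepted from the client must not survive login, and the fix (regenerate the
# SID at authentication). The class, users and session store are constructed.

import secrets

USERS = {"jane": "jane-pw"}  # constructed credential, demo only


class BankServer:
    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> authenticated username, or None before login

    def visit(self, requested_sid=None):
        """First request. Like the lesson's bank, the server accepts a SID carried
        in the URL (the ...&SID=... link) and opens a session under it; it mints
        a random one only when the client brings none."""
        sid = requested_sid or secrets.token_hex(16)
        self.sessions.setdefault(sid, None)
        return sid

    def login(self, sid, username, password):
        """Authenticate and return the SID the browser must use from now on."""
        if sid not in self.sessions or USERS.get(username) != password:
            raise PermissionError("unknown session or bad credentials")
        if self.regenerate_on_login:
            # The fix: the pre-login SID (possibly chosen by someone else) is
            # invalidated and a server-generated one replaces it, so anyone who
            # knew the old value is left holding a dead session.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        """What the bank believes about the holder of this SID (None = nobody)."""
        return self.sessions.get(sid)


def fixation_succeeds(server, fixed_sid="sid-chosen-by-joe"):
    """Replays stages 1-4 of the slide against `server` and reports whether the
    SID Joe fixed ends up authenticated as Jane."""
    jane_sid = server.visit(fixed_sid)            # stages 1-2: Jane follows the link
    server.login(jane_sid, "jane", "jane-pw")     # stage 3: Jane logs in
    return server.whoami(fixed_sid) == "jane"     # stage 4: Joe presents the fixed SID


if __name__ == "__main__":
    print("vulnerable bank, attack succeeds:", fixation_succeeds(BankServer(False)))
    print("bank regenerating SID on login, attack succeeds:",
          fixation_succeeds(BankServer(True)))
```

A stricter server would additionally refuse SIDs that it did not issue itself (never reading them from the URL at all); regeneration on login is the minimum that defeats the lesson's attack.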


More information

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore Security: Threats and Countermeasures Stanley Tan Academic Program Manager Microsoft Singapore Session Agenda Types of threats Threats against the application Countermeasures against the threats Types

More information

Evaluating the Security Risks of Static vs. Dynamic Websites

Evaluating the Security Risks of Static vs. Dynamic Websites Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline

More information

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies

More information

5 IT security hot topics How safe are you?

5 IT security hot topics How safe are you? 5 IT security hot topics How safe are you? Why this whitepaper? We meet many people in IT, of various levels of experience and fields of work. This whitepaper is written for everybody who wants to read

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

WebGoat& WebScarab. What is computer security for $1000 Alex?

WebGoat& WebScarab. What is computer security for $1000 Alex? WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack

More information

Curso: Ethical Hacking and Countermeasures

Curso: Ethical Hacking and Countermeasures Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security

More information

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013 Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013 Welcome Back! A Quick Recap of the Last Presentation: Overview of web technologies. What it is. How it works. Why it s attractive

More information

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network

More information

Web Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext

More information

eb Security Software Studio

eb Security Software Studio eb Security Software Studio yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control

More information

Security. CSC309 TA: Sukwon Oh

Security. CSC309 TA: Sukwon Oh Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and

More information

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Web Application Security

Web Application Security Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

Authentication Security

Authentication Security Authentication Security Hui Zhu Copyright 2005 www.ebizsec.com Agenda Authentication Components Authentication Hacking Consideration for Authentication Security Principle for Authentication Security Case

More information

Web Security Computer Security Peter Reiher December 9, 2014

Web Security Computer Security Peter Reiher December 9, 2014 Web Security Computer Security Peter Reiher December 9, 2014 Page 1 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow around

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking Summer Training Internship Program 2017 (STIP - 2017) is a practical oriented & industrial level training program for all students who have aspiration to work in the core technical industry domain. This

More information

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

WEB APPLICATION SCANNERS. Evaluating Past the Base Case WEB APPLICATION SCANNERS Evaluating Past the Base Case GREG OSE PATRICK TOOMEY Presenter Intros Overview An overview of web application scanners Why is it hard to evaluate scanner efficacy? Prior Work

More information

Some Facts Web 2.0/Ajax Security

Some Facts Web 2.0/Ajax Security /publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

OWASP Broken Web Application Project. When Bad Web Apps are Good

OWASP Broken Web Application Project. When Bad Web Apps are Good OWASP Broken Web Application Project When Bad Web Apps are Good About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member Assessing the

More information

CS 161 Computer Security

CS 161 Computer Security Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted

More information

ANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA

ANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA ANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA By Ashish Kumar, Dr. Swapnesh Taterh 1st AIIT, Amity University, Rajasthan. 2nd Asst Prof, AIIT, Amity University, Rajasthan.

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

Combating Common Web App Authentication Threats

Combating Common Web App Authentication Threats Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Homework 2 Due: Monday, February 22nd, at 11:59pm Instructions. This homework is due Monday, February 22nd, at 11:59pm. It must be submitted electronically

More information

Internet Security [1]

Internet Security [1] Internet Security [1] VU 188.366 Web Application Security (2/2) Adrian Dabrowski, Markus Kammerstetter, Georg Merzdovnik, Stefan Riegler inetsec@seclab.tuwien.ac.at Last Lecture on Web Security OWASP Top

More information

Security and Authentication

Security and Authentication Security and Authentication Authentication and Security A major problem with computer communication Trust Who is sending you those bits What they allow to do in your system 2 Authentication In distributed

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Fall 2015 Web Security I: SQL injection Stefan Savage The Web creates new problems Web sites are programs Partially implemented in browser» Javascript, Java, Flash Partially implemented

More information

e-commerce Study Guide Test 2. Security Chapter 10

e-commerce Study Guide Test 2. Security Chapter 10 e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the server-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Threat model In these scenarios: The server is benign The client is malicious The client

More information

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in 1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),

More information

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16 CS482 SQL and XSS Attack Lab AY172 1 Web Attacks Lab 35 Points Group Lab Due Date: Lesson 16 Derived from c 2006-2014 Wenliang Du, Syracuse University. Do not redistribute with explicit consent from MAJ

More information

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2018 CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server

More information

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13 Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and

More information

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session

More information

Web Security, Summer Term 2012

Web Security, Summer Term 2012 Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session

More information

Web Security. Web Programming.

Web Security. Web Programming. Web Security Web Programming yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control

More information

Cyber Security. Web Application Security 2. Adrian Dabrowski, Christian Kudera

Cyber Security. Web Application Security 2. Adrian Dabrowski, Christian Kudera Cyber Security Web Application Security 2 Adrian Dabrowski, Christian Kudera inetsec@seclab.tuwien.ac.at Last Lecture on Web Security OWASP Top Ten Web Application Vulnerabilities injections caused through

More information