Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

Transcription

1 Web Application Security Basic SQL injection Basic Click Jacking OWASP 11 th August, 2012 Vinod Senthil T Director infysec vinod@infysec.com /43 Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation

2 $whoami Vinod T Senthil - Information security consultant/researcher for infysec. By Qualification he is a Computer Science engineer, MBA in IT along with a Diploma in Cyber crime. Also posses some certifications such as SANS Certified Intrusion Analyst GCIA Certified Ethical Hacker (CEH) Certified Hacker Forensics Investigator (CHFI) Checkpoint Certified Security Administrator (CCSA) Oracle Certified Associate (OCA) Microsoft Certified Professional (MCP) IT Infrastructure Library (ITIL V3) Cisco Certified Network Administrator (CCNA) OWASP 2

3 What is the Worlds MOST Secured System? The worlds most secured system is a system, That is dug 10ooo miles underground, and surrounded by 10ooo volts of electrified fences and filled with toxic nitrous gas on all sides, with a bunch of trained army men, and still it stays to be one of the most vulnerable piece of a code. OWASP 3

4 Little of History OWASP 4

5 OWASP 5

6 OWASP 6

7 OWASP 7

8 OWASP 8

9 OWASP 9

10 OWASP 10

11 OWASP 11

12 OWASP 12

13 OWASP 13

14 OWASP 14

15 OWASP 15

16 OWASP 16

17 OWASP 17

18 OWASP 18

19 Attacks shifted its focus from Outer layers to Inner layers of the OSI Model OWASP 19

20 OWASP 20

21 Famous Last Words "I think there is a world market for maybe five computers. --Thomas Watson, 1943 (President of IBM) "640K RAM ought to be enough for anybody for life time --Bill Gates, 1981 (Founder of M$) "32 bits should be enough address space for Internet --VintCerf, 1977 (Father of internet) OWASP 21

22 Top 10 ATTACKS Be Happy for being a elite crowd, why? OWASP 22

23 Top 10 attacks (Injection stays at top) OWASP 23

24 Typical Web Application Setup Web Client HTTP request (cleartext or SSL) Firewall Web Server Web app Web app Web app Web app SQL Database DB DB HTTP reply (HTML, Javascript, VBscript, etc) Apache IIS Netscape etc Plugins: Perl C/C++ JSP, etc Database connection: ADO, ODBC, etc. OWASP 24

25 OWASP 25

26 How it works? Example : OWASP 26

27 How it works? Example : OWASP 27

28 How it works? Example : OWASP 28

29 Examining AND STATEMENT (I love TRISHA) AND (I LOVE JENILIA) = TRUE (I love SANTHANAM) AND (I love JENILIA) = FALSE OR STATEMENT (I love TRISHA) OR (I LOVE JENILIA) = FALSE (I love SANTHANAM) OR (I love JENILIA) = TRUE OWASP 29

30 Examining OWASP 30

31 Question? OWASP 31

32 What is Click Jacking & Tab Nabbing? Want to hear from you OWASP 32

33 The Cruise-Missile Structure http: // / catalogue / display.asp? pg = 1 & product = 7 Web Server Web app Web app Web app Web app DB DB OWASP 33

34 Intro ERROR Based SQL injection Blind SQL Injection LDAP injection XML Path Injection OWASP 34

35 Other vectors than Top 10 Popular Tests Incubated vulnerability - Incubated vulnerability Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling SSI Injection - SSI Injection XPath Injection - XPath Injection IMAP/SMTP Injection - IMAP/SMTP Injection Code Injection - Code Injection OS Commanding - OS Commanding Buffer overflow - Buffer overflow Incubated vulnerability - Incubated vulnerability Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling Testing for File Extensions Handling - File extensions handling Old, backup and unreferenced files - Old, backup and unreferenced files Infrastructure and Application Admin Interfaces - Access to Admin interfaces Testing for HTTP Methods and XST Credentials transport over an encrypted channel Testing for user enumeration - User enumeration Testing for Guessable (Dictionary) User Account Brute Force Testing - Credentials Brute forcing Testing for bypassing authentication schema Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability Locking Customer Accounts - Locking Customer Accounts Testing for DoS Buffer Overflows - Buffer Overflows User Specified Object Allocation - User Specified Object Allocation User Input as a Loop Counter - User Input as a Loop Counter Writing User Provided Data to Disk - Writing User Provided Data to Disk Failure to Release Resources - Failure to Release Resources Storing too Much Data in Session - Storing too Much Data in Session WS Information Gathering - N.A. Testing WSDL - WSDL Weakness XML Structural Testing - Weak XML Structure XML content-level Testing - XML content-level HTTP GET parameters/rest Testing - WS HTTP GET parameters/rest Naughty SOAP attachments - WS Naughty SOAP attachments Replay Testing - WS Replay Testing AJAX Vulnerabilities - N.A. AJAX Testing - AJAX weakness Testing for Reflected Cross Site Scripting - Reflected XSS Testing for Stored Cross Site Scripting - Stored XSS OWASP 35

36 Other vectors than Top 10 Popular Tests Testing for vulnerable remember password and pwd reset Testing for Logout and Browser Cache Management Testing for CAPTCHA - Weak Captcha implementation Testing Multiple Factors Authentication Testing for Race Conditions - Race Conditions vulnerability Testing for Session Management Schema Testing for Cookies attributes Testing for Session Fixation Testing for Exposed Session Variables Testing for CSRF Testing for Path Traversal Testing for bypassing authorization schema Testing for Privilege Escalation - Privilege Escalation Testing for Business Logic - Bypassable business logic Testing for Reflected Cross Site Scripting - Reflected XSS Testing for Stored Cross Site Scripting - Stored XSS Testing for DOM based Cross Site Scripting - DOM XSS Testing for Cross Site Flashing - Cross Site Flashing SQL Injection - SQL Injection LDAP Injection - LDAP Injection ORM Injection - ORM Injection Testing for DOM based Cross Site Scripting - DOM XSS Testing for Cross Site Flashing - Cross Site Flashing SQL Injection - SQL Injection LDAP Injection - LDAP Injection ORM Injection - ORM Injection XML Injection - XML Injection SSI Injection - SSI Injection XPath Injection - XPath Injection IMAP/SMTP Injection - IMAP/SMTP Injection Code Injection - Code Injection OS Commanding - OS Commanding Buffer overflow - Buffer overflow Spiders, Robots and Crawlers Search Engine Discovery/Reconnaissance Identify application entry points Testing for Web Application Fingerprint Application Discovery Analysis of Error Codes SSL/TLS Testing DB Listener Testing - DB Listener weak XML Injection - XML Injection OWASP 36

37 Thank you The Best Part in ones life IS DOING WHAT PEOPLE SAY YOU CANNOT DO - Vino Flow our blog at : vinod@infysec.com OWASP 37