Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Size: px

Start display at page:

Download "Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?"

Amber White
6 years ago
Views:

1 Jeroen van Beek 1

2 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2

3 In many cases the web application stores: Credit card details Personal information Passwords that also might be used elsewhere Media likes hacks You company doesn t Governments want to enforce data protection USA NL Meldplicht Datalekken EU will follow soon(?) 3

4 Your company doesn t like that 4

5 5

6 In many cases caused by technical issues: Poor/no input filtering Outdated software with known weaknesses Weak passwords Non-techies are creating technical solutions: Click and play enterprise website Not aware of security issues Techies are also no always aware What about you? In many cases the issues are quite easy to solve If you know what to do 6

the 10 most critical webapp security flaws http://www.owasp.org/index.

7 The same issues keep on coming back People make the same mistakes over and over again Open Web Application Security Project (OWASP): Free and open Top ten project Documents the 10 most critical webapp security flaws Ten_Project Latest version: 2013 Documents solutions For all popular webapp environments 7

8 8

9 E.g. contact form forwards you to the home page after submitting your message Malicious URLs might be used Download malware from external site after submitting form 9

10 Keep your software up-to-date Patching doesn t stop at operating system level! Database Web server Libraries Lots of automated tools available Mapping: nmap, Scanning: Nessus, Nexpose, Exploiting: Metasploit, Canvas, Script kiddies can and will do this! 10

11 Cross Site Request Forgery Inject code that: Runs in the victim s browser Open a session to a vulnerable 3rd party service Using the victim s credentials Example: Insert a money transfer in a page Forum post message (phising) 11

12 Server side authorization checks are not performed on all actions Attacks: Escalate from anonymous user to authenticated user Escalate for authenticated user to admin Examples: If /users/user1/show_accounts/ exists, it might be worth checking if /users/usern/show_accounts/ also exists Difficult to identify with automated tools 12

13 Hidden and unchecked parameter: Add to POST data when updating a user: &ctl00%24contentplaceholder1%24dvuser%24cb xuseradmin=on 13

14 Problem can also occur with secret files: 14

15 Secure transport: Sending sensitive information over an unencrypted link No encryption / obfuscation Weak encryption Downgrade attacks Check for no encryption / obfuscation Sniff data GET HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR ) Host: target Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx= Connection: Close Pragma: no-cache Referer: 15

many cases Weak ciphers can be cracked openssl s_client

16 Secure transport: Weak transport encryption Allowed SSL ciphers Known flaws is SSLv2/3 SSLv2/3 still enabled in many cases Weak ciphers can be cracked openssl s_client -no_tls1 -connect Weak algorithms E.g. MD5, SHA-1 16

17 Secure transport: Downgrade attacks Strip SSL layer: stripssl 09/Marlinspike/BlackHat-DC-09-Marlinspike- Defeating-SSL.pdf Hijack e.g. Facebook and Twitter sessions: Firesheep

18 Secure storage: Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, ) Hard coded keys, and storing keys in unprotected environments 18

19 Real-life example <password>1 <password>2 same passwords different length passwords 19

20 How to decode the passwords? Create your own account Password = aaaaaaaa Store password hash, e.g. \01\02\03\04\05\06\07\08 Password = bbbbbbbb Store password hash, e.g. \02\03\04\05\06\07\08\09 Etc. Find the link password hash Write a decoder for (i = 0; i < in.length(); i++) print (alfabet(in.position(i) + i)) Decode all passwords Dump sensitive information 20

21 21

22 22

23 Out of the box installs Next, next, next, finish Find it using Google: Web front-end for Oracle intitle:isql intitle:release inurl:isqlplus Indexing of sensitive information intitle:"index of".mysql_history filetype:pdf paspoortnummer koopcontract filetype:sql "phpmyadmin SQL Dump Many many useful Google Dorks online 23

24 Default passwords 24

25 iphone botnet Default SSH password after jailbreak Routers 25

26 User can access and modify object values Example: Login using your credentials Link refers to Script download of all files userid=[1-9999] Hashing doesn t help 26

27 Cross Site Scripting Execute scripts in the victim s browser Hijack user sessions Deface web sites Insert hostile content Conduct phishing attacks Take over the user s browser using scripting malware In most cases Javascript based Also applicable to other scripting languages 27

28 Two types: Reflective Code injected by e.g. sending phishing victim.com/get.php?id=<script>alert(123)</script> E.g. one phishing per attack Stored Evil code is stored in the database Store once, run for all users E.g. store <script>alert(123)</script> in record for welcome message of CMS 28

com/uplds/whitepapers/xsstunnelling.pdf http://www.

29 Advanced tools are out there to abuse flaws Tunnel traffic using XSS security.com/tools/free/xssshell-xsstunnell.zip 29

30 Broken authentication and session management 30

31 Predictable sessions IDs allow an attacker to: Disconnect all users Hijack existing sessions Weak implementations typically use: Sequential numbers Hash of sequential numbers Time elapsed since starting of server / service 31

$C:\tmp>java DateDiff Current milliseconds since 13 Oct, 2008 are:1290008271842 sessionsid part 2: 695042 ms = 695 sec = 11 min = 0 hours = 0 days sessionsid part 2: 216006786 ms = 216006 sec = 3600$

32 C:\tmp>java DateDiff Current milliseconds since 13 Oct, 2008 are: sessionsid part 2: ms = 695 sec = 11 min = 0 hours = 0 days sessionsid part 2: ms = sec = 3600 min = 60 hours = 2 days sessionsid part 2: ms = sec = 3639 min = 60 hours = 2 days sessionsid part 2: ms = sec = 3645 min = 60 hours = 2 days sessionsid part 2: ms = sec = 3649 min = 60 hours = 2 days sessionsid part 2: ms = sec = 3650 min = 60 hours = 2 days Boot time in ms = sessionsid part 1: ms = sec = min = 963 hours = 40 days Reference time for part 1 = ms = date Fri Oct 08 14:29:50 CEST

33 SQL-injection Also applicable for other languages User input is directly used in a query Manipulation of database query User input search = jeroen Backend uses select details from users where name= jeroen Attacker input search = jeroen or 1=1-- Backend uses select details from users where name= jeroen or 1=1 Display all records 33

34 Advanced tools are out there to abuse flaws File upload File download OS command execution sqlmap Tunnel shell over http using SQL-injection! 34

35 35

36 36

php/category:owasp_guide_project Review and/or test the application before going live Source code review http://www.owasp.org/index.

37 Detection: Detection of well-known attacks using IDS Check web server logs Check network flows Difficult to detect all attacks! Prevention: Use good practices Review and/or test the application before going live Source code review Penetration test

Hacking is not allowed Wet Computer Criminaliteit

If you want to test your (organization s) apps:

of activities you will be performing Document the

38 Hacking is not allowed Wet Computer Criminaliteit Testing without breaking in is also not allowed If you want to test your (organization s) apps: Use a letter of authorization Document the type of activities you will be performing Document the IPs that will be tested Signed by the system s owner 38

Hands on hacking environment Ten web based levels Six platform based levels In each level you can find a password Password gives access to the next level You need to exploit a

39 Hands on hacking environment Ten web based levels Six platform based levels In each level you can find a password Password gives access to the next level You need to exploit a weakness to get the password Most OWASP top ten issues are included We ll show hints on the screen to help you If needed ;) Work in teams We explicitly allow you to hack the system 39

40 More hands on hacking: Hacking Exposed books Certified Ethical Hacker al_hacker.aspx 40

41 J.C.vanBeek uva.nl 41

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by