Your Turn to Hack the OWASP Top 10!

Size: px

Start display at page:

Download "Your Turn to Hack the OWASP Top 10!"

Cleopatra Lawson
5 years ago
Views:

1 OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1

2 The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Page 2

3 OWASP Top 10 Web Application Security Risks 2010 A1 - Injection A2 - Cross-site Scripting (XXS) A3 - Broken Authentication & Session Management A4 - Insecure Direct Object References A5 - Cross-Site Request Forgery (CSRF) A6 - Security Misconfiguration A7 - Insecure Cryptographic Storage A8 - Failure to Restrict URL Access A9 - Insufficient Transport Layer Protection A10 Un-validated Redirects & Forwards 2013 A1 - Injection A2 Broken Authentication & Session Management A3 Cross Site Scripting (XXS) A4 - Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Un-validated Redirects & Forwards Page 3

4 A1 Injection Sending Untrusted Input to System SQL Injection Page 4

5 A1 Injection Results of SQL Injection Dump of all records in database table Administrator username & password Passwords not encrypted Page 5

6 A1 Injection Sending Untrusted Input to System OS Command Injection Page 6

7 A1 Injection Results of OS Command Injection Directory Traversal Access to folders & files to read, delete, corrupt Page 7

XSS")</SCRIPT>"> 2. Alert generated from Body tag with onload saying "BodyXSS" 3.

8 A2 - Cross-site Scripting (XXS) Three Samples of XXS using Alert 1. Malformed image tag with embedded javascript alert saying "Img XSS" <IMG """><SCRIPT>alert("IMG XSS")</SCRIPT>"> 2. Alert generated from Body tag with onload saying "BodyXSS" 3. XSS to bypass image SRC filters using mouseover saying "Bypass SRC filers XSS" <IMG SRC=# onmouseover="alert('bypass SRC filters XSS')"> Page 8

9 A2 - Cross-site Scripting (XXS) Malicious Input document.location=' Steal Session ID Page 9

10 A3 - Broken Authentication & Session Management Steal Session ID Sniff Clear Text Cookies Page 10

11 A4 - Insecure Direct Object References Applications may use the actual object name or key when generating web pages. The user may not be verified against the target object resulting in an insecure direct object reference flaw. For example, the query expects the account of the person requesting information but is given another account Page 11

12 A6 - Security Misconfiguration Examples of misconfiguration include: Forgetting to change default accounts Forgetting to update web application frameworks when there are known vulnerabilities Forgetting to disable access to directory listings Forgetting to route technical errors to logs rather than exposing key technical information to the web Page 12

13 A7 - Insecure Cryptographic Storage Typically attackers circumvent encryption because of poor implementation or points of failure where data is decrypted for transit or other reasons, eg: Front end web application decrypting credit card numbers! Encryption keys for encrypted backup may be included on backup media! Salting encrypted passwords can change the cracking time from 4 weeks to 3000 years! (OWASP A7) Salting involves appending a random bit of data to the end of the data element. That way, when it is hashed, instances of collision are minimized and patterns are more difficult to detect. This prevents pattern recognition, which can thwart most of the major exploits to hashed passwords. Page 13

14 A8 - Failure to Restrict URL Access Failure to Restrict URL Access occurs when web applications do not protect page requests properly Authenticate for TestUser Also get access to TestAdmin! Page 14

15 A9 - Insufficient Transport Layer Protection Request.form( getuser ) Request.form( getpwd ) Sample ODBC code & Wireshark capture showing username & password in clear text (escape characters) for SQL Injection Page 15

Forwards occur when web applications do not protect page requests

16 Page 16 Your Turn to Hack the OWASP Top 10! A10 Un-validated Redirects and Forwards Un-validated Redirects & Forwards occur when web applications do not protect page requests properly Authenticate for TestUser Redirected TestUser-USA Can also access TestAdmin-USA

17 Page 17 Your Turn to Hack the OWASP Top 10! Your Turn to Hack the Top 10

18 Lessons Learned Installing Metasploit in VMWare Metasploit (Framework) Metasploitable (virtual machine with Mutillidae) Lab Configuration Page 18

19 Mutillidae: Born to be Hacked Comes with Metasploitable put IP address of Metasploitable in browser Or Page 19

20 Mutillidae: Born to be Hacked How to fix error saying that metasploitable.accounts table is missing: Solution: modify the database setting of mutillidae configuration in /var/www/mutillidae/config.inc Change $dbname = 'metasploit' to $dbname = 'owasp10'. Page 20

21 Lessons Learned Installing Metasploit in VMWare - Metasploitable requires VMWare Player 5 (VMWare Workstation 9 works) - If using Windows XP Pro make sure SP3 (SP2 didn t work) - VMWare settings (XP and Ubuntu) - VMWare Workstation Shared Folders enabled - Network host only - VMWare Tools installed - Windows Firewall off & no anti-virus - On XP Pro SP3, Metasploit installer stalled due to config challenges with vc2008_redist.exe. Double click redist and choose repair - Upgrade Metasploit after installation - Don't install Nmap when Metasploit is running - causes Metasploit to crash Page 21

22 Results Metasploitable Security Assessment Page 22

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security