Why bother? Causes of data breaches. OWASP Top ten attacks. Now what? Do it yourself. Questions?


Transcription:

Jeroen van Beek

Why bother?
Causes of data breaches
OWASP Top ten attacks
Now what?
Do it yourself
Questions?

In many cases the web application stores:
  Credit card details
  Personal information
  Passwords that might also be used elsewhere
Media like hacks; your company doesn't.
Governments want to enforce data protection:
  USA
  NL: Meldplicht Datalekken
  EU will follow soon(?)

Your company doesn't like that.


In many cases caused by technical issues:
  Poor/no input filtering
  Outdated software with known weaknesses
  Weak passwords
Non-techies are creating technical solutions:
  Click-and-play enterprise website
  Not aware of security issues
Techies are also not always aware. What about you?
In many cases the issues are quite easy to solve, if you know what to do.

The same issues keep coming back: people make the same mistakes over and over again.
Open Web Application Security Project (OWASP):
  Free and open
  Top ten project: documents the 10 most critical webapp security flaws
  http://www.owasp.org/index.php/category:owasp_top_ten_project
  Latest version: 2013
  Documents solutions for all popular webapp environments


E.g. a contact form forwards you to the home page after submitting your message:
  http://www.example.com/redirect.jsp?url=/home.htm
Malicious URLs might be used:
  http://www.example.com/redirect.jsp?url=malware.com
  Download malware from an external site after submitting the form
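An added example (not code from the slides or from any real redirect.jsp) of how a redirect endpoint can validate its url parameter so that only local paths are accepted and url=malware.com falls back to the home page; the site name and the response shape are assumptions taken from the slide's example URL.

```python
# Added example (not code from the original slides): validate the target of a
# redirect such as redirect.jsp?url=... so the browser can only be sent to a
# local path on our own site.  SITE is assumed from the slide's example URL.
from urllib.parse import urlsplit, urljoin

SITE = "http://www.example.com"
FALLBACK = "/home.htm"

def safe_redirect_target(url: str) -> str:
    """Return an absolute URL under SITE, or the fallback page if `url` could
    lead off-site (scheme, host, scheme-relative //host, backslash variants)."""
    if not url:
        return urljoin(SITE, FALLBACK)
    # Browsers treat "\" like "/" in URLs, so "/\evil.com" would become "//evil.com".
    candidate = url.replace("\\", "/").strip()
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:          # http://..., //malware.com, javascript:
        return urljoin(SITE, FALLBACK)
    if not candidate.startswith("/"):         # bare host names such as "malware.com"
        return urljoin(SITE, FALLBACK)
    # urljoin resolves ../ segments and always keeps SITE's host, so the result
    # is a path under our own site (query string preserved).
    return urljoin(SITE + "/", candidate)

def redirect_response(url: str) -> dict:
    """Constructed stand-in for the HTTP response the redirect endpoint would send."""
    return {"status": 302, "headers": {"Location": safe_redirect_target(url)}}
```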

Keep your software up-to-date. Patching doesn't stop at operating system level!
  Database
  Web server
  Libraries
Lots of automated tools available:
  Mapping: nmap, ...
  Scanning: Nessus, Nexpose, ...
  Exploiting: Metasploit, Canvas, ...
Script kiddies can and will do this!

Cross Site Request Forgery
Inject code that:
  Runs in the victim's browser
  Opens a session to a vulnerable 3rd-party service using the victim's credentials
Example: insert a money transfer in a page
  Forum post
  Email message (phishing)
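The money-transfer scenario above, as an added example (not code from the slides): the endpoint requires a per-session anti-CSRF token, so a form planted in a forum post or phishing mail can make the victim's browser send the cookie but still gets rejected. The request shape, the secret key and the account numbers are constructed assumptions.

```python
# Added example (not from the slides): a money-transfer endpoint guarded by an
# anti-CSRF token. A forged form in a forum post or phishing mail makes the
# victim's browser send the session cookie, but it cannot read or guess the token.
import hashlib
import hmac
import secrets
from typing import Tuple

SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment key, kept server side

def csrf_token(session_id: str) -> str:
    """Token bound to the session via HMAC, so no extra server-side storage is needed."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(request: dict) -> Tuple[int, str]:
    """Constructed request shape: {"cookies": {...}, "form": {...}}.
    Returns (HTTP status, message)."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    sent = request.get("form", {}).get("csrf_token", "")
    # compare_digest keeps the comparison constant-time
    if not hmac.compare_digest(sent, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"transferred {int(form['amount'])} to {form['to']}"

def legitimate_request(session_id: str) -> dict:
    """The bank's own form includes the token it rendered for this session."""
    return {"cookies": {"session": session_id},
            "form": {"to": "NL00BANK0123456789", "amount": "100",
                     "csrf_token": csrf_token(session_id)}}

def cross_site_request(session_id: str) -> dict:
    """A hidden form on another site: the browser attaches the cookie, nothing more."""
    return {"cookies": {"session": session_id},
            "form": {"to": "NL00OTHER000000001", "amount": "5000"}}
```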

Server-side authorization checks are not performed on all actions.
Attacks:
  Escalate from anonymous user to authenticated user
  Escalate from authenticated user to admin
Examples:
  If /users/user1/show_accounts/ exists, it might be worth checking if /users/usern/show_accounts/ also exists
Difficult to identify with automated tools

Hidden and unchecked parameter: add to the POST data when updating a user:
  &ctl00%24contentplaceholder1%24dvuser%24cbxuseradmin=on

The problem can also occur with secret files:

Secure transport: sending sensitive information over an unencrypted link
  No encryption / obfuscation
  Weak encryption
  Downgrade attacks
Check for no encryption / obfuscation: sniff data
  GET http://target/install.pgsql.txt HTTP/1.0
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR 1.1.4322)
  Host: target
  Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
  Connection: Close
  Pragma: no-cache
  Referer: http://target/robots.txt

Secure transport: weak transport encryption
  Allowed SSL ciphers
  Known flaws in SSLv2/3; SSLv2/3 still enabled in many cases
  Weak ciphers can be cracked
  openssl s_client -no_tls1 -connect www.google.com:443
  Weak algorithms, e.g. MD5, SHA-1

Secure transport: downgrade attacks
  Strip the SSL layer: sslstrip
    http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
    http://www.youtube.com/watch?v=dd5qgs-5c0i
  Hijack e.g. Facebook and Twitter sessions: Firesheep
    http://codebutler.github.com/firesheep/
    http://www.youtube.com/watch?v=o3nam8og1wm

Secure storage:
  Not encrypting sensitive data
  Using home-grown algorithms
  Insecure use of strong algorithms
  Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, ...)
  Hard-coded keys, and storing keys in unprotected environments

Real-life example: <password>1, <password>2 (same passwords; different-length passwords)

How to decode the passwords?
  Create your own account
  Password = aaaaaaaa: stored password hash, e.g. \01\02\03\04\05\06\07\08
  Password = bbbbbbbb: stored password hash, e.g. \02\03\04\05\06\07\08\09
  Etc.
  Find the link between password and hash
  Write a decoder: for (i = 0; i < in.length(); i++) print (alfabet(in.position(i) + i))
  Decode all passwords
  Dump sensitive information
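An added example (not code from the slides) that reconstructs the weak scheme just described as "alphabet index of the letter plus its position" (an assumption that reproduces aaaaaaaa giving \01..\08), shows why it is trivially reversible and leaks password length, and places salted PBKDF2 hashing next to it as the fix.

```python
# Added example (not from the slides): the reversible position-shift scheme the
# slide reverse-engineers, reconstructed as "alphabet index of letter + position"
# (an assumption that matches aaaaaaaa -> \01..\08), next to salted PBKDF2 hashing.
import hashlib
import hmac
import os
from string import ascii_lowercase
from typing import Optional, Tuple

ALPHABET = ascii_lowercase                      # assumed: index('a') == 1

def position_shift_encode(password: str) -> bytes:
    """The weak scheme: byte i = alphabet index of char i plus i (mod 256).
    Same password -> same stored value; stored length == password length."""
    return bytes((ALPHABET.index(c) + 1 + i) & 0xFF for i, c in enumerate(password))

def position_shift_decode(stored: bytes) -> str:
    """One line of arithmetic recovers every password: nothing was hashed."""
    return "".join(ALPHABET[(b - 1 - i) & 0xFF] for i, b in enumerate(stored))

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: equal passwords give different digests, all of
    fixed length, and there is no decoder to write."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```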



Out of the box installs: next, next, next, finish
Find it using Google:
  Web front-end for Oracle: intitle:isql intitle:release inurl:isqlplus
  Indexing of sensitive information:
    intitle:"index of" .mysql_history
    filetype:pdf paspoortnummer koopcontract
    filetype:sql "phpmyadmin SQL Dump"
Many useful Google Dorks online: http://www.hackersforcharity.org/ghdb/

Default passwords: http://www.phenoelit-us.org/dpl/dpl.html

iPhone botnet: default SSH password after jailbreak
Routers

User can access and modify object values
Example:
  Login using your credentials
  Link refers to http://app/details?userid=1
  Script the download of all files: userid=[1-9999]
  Hashing the ID doesn't help: http://tools.benramsey.com/md5/
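An added example (not code from the slides) that covers both the hidden cbxuseradmin=on parameter from the earlier slide and the details?userid=N enumeration above: every read and write is authorised server side against the logged-in user, and only an allow-list of fields can be bound from request data. The user table and the field names are constructed.

```python
# Added example (not from the slides): object-level authorisation plus
# allow-listed field binding, covering the cbxuseradmin=on POST field and the
# details?userid=N enumeration. Users and field names are constructed.
from dataclasses import dataclass

@dataclass
class User:
    id: int
    name: str
    email: str = ""
    is_admin: bool = False

class Forbidden(Exception):
    """Raised when the acting user may not touch the requested object."""

# constructed in-memory user table
USERS = {
    1: User(1, "jeroen", "jeroen@example.test"),
    2: User(2, "alice", "alice@example.test"),
    9: User(9, "admin", "admin@example.test", is_admin=True),
}

# fields a user may change about himself; is_admin is deliberately absent
UPDATABLE_FIELDS = {"name", "email"}

def authorise(current_user_id: int, target_user_id: int) -> User:
    """details?userid=N is allowed only for your own record, or for admins."""
    actor = USERS[current_user_id]
    if target_user_id not in USERS:
        raise KeyError(target_user_id)
    if target_user_id != actor.id and not actor.is_admin:
        raise Forbidden(f"user {actor.id} may not access user {target_user_id}")
    return USERS[target_user_id]

def show_details(current_user_id: int, target_user_id: int) -> dict:
    user = authorise(current_user_id, target_user_id)
    return {"id": user.id, "name": user.name, "email": user.email}

def update_user(current_user_id: int, target_user_id: int, post_data: dict) -> User:
    """Binds only allow-listed keys: an injected cbxuseradmin=on or is_admin=on
    POST field is ignored instead of silently granting admin rights."""
    user = authorise(current_user_id, target_user_id)   # same check for writes
    for key, value in post_data.items():
        if key in UPDATABLE_FIELDS:
            setattr(user, key, value)
    return user
```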

Cross Site Scripting: execute scripts in the victim's browser
  Hijack user sessions
  Deface web sites
  Insert hostile content
  Conduct phishing attacks
  Take over the user's browser using scripting malware
In most cases JavaScript based; also applicable to other scripting languages

Two types:
  Reflective: code injected by e.g. sending a phishing email
    victim.com/get.php?id=<script>alert(123)</script>
    E.g. one phishing email per attack
  Stored: evil code is stored in the database; store once, run for all users
    E.g. store <script>alert(123)</script> in the record for the welcome message of a CMS
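An added example (not code from the slides) rendering both cases above with escaping at output time: the stored CMS welcome message and the reflected id parameter end up displayed as text rather than executed. The page layout and the CSP header are assumptions.

```python
# Added example (not from the slides): output encoding that neutralises both
# the reflected get.php?id=<script>alert(123)</script> and the stored CMS
# welcome-message payload. The page layout and CSP header are assumptions.
import html

STORED_WELCOME = "<script>alert(123)</script>"   # constructed: what was saved in the CMS

def render_fragment(text: str) -> str:
    """HTML-body / attribute context: escape & < > " and '."""
    return html.escape(text, quote=True)

def page(welcome_message: str, search_id: str) -> str:
    """Renders the welcome banner (stored data) and echoes the request's id
    (reflected data); both go through escaping at output time, the one place
    the application knows which context the data lands in."""
    return (
        "<html><body>"
        f'<div class="welcome">{render_fragment(welcome_message)}</div>'
        f'<p>No results for id "<span title="{render_fragment(search_id)}">'
        f'{render_fragment(search_id)}</span>"</p>'
        "</body></html>"
    )

def response_headers() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline' blocks inline scripts
    even where escaping was missed, so injected <script> text cannot run."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }

def contains_live_script(rendered: str) -> bool:
    """Self-check: is any unescaped <script tag left in the output?"""
    return "<script" in rendered.lower()
```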

Advanced tools are out there to abuse flaws: tunnel traffic using XSS
  http://www.portcullissecurity.com/uplds/whitepapers/xsstunnelling.pdf
  http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip

Broken authentication and session management

Predictable session IDs allow an attacker to:
  Disconnect all users
  Hijack existing sessions
Weak implementations typically use:
  Sequential numbers
  Hash of sequential numbers
  Time elapsed since start of the server / service

C:\tmp>java DateDiff
Current milliseconds since 13 Oct, 2008 are:1290008271842
sessionsid part 2: 695042 ms = 695 sec = 11 min = 0 hours = 0 days
sessionsid part 2: 216006786 ms = 216006 sec = 3600 min = 60 hours = 2 days
sessionsid part 2: 218364694 ms = 218364 sec = 3639 min = 60 hours = 2 days
sessionsid part 2: 218708589 ms = 218708 sec = 3645 min = 60 hours = 2 days
sessionsid part 2: 218964423 ms = 218964 sec = 3649 min = 60 hours = 2 days
sessionsid part 2: 219049296 ms = 219049 sec = 3650 min = 60 hours = 2 days
Boot time in ms = 1292191288000
sessionsid part 1: 3467281656 ms = 3467281 sec = 57788 min = 963 hours = 40 days
Reference time for part 1 = 1286540990186 + ms = date Fri Oct 08 14:29:50 CEST 2010
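An added example (not code from the slides or from the DateDiff tool) that reconstructs the two-part time-based session ID the output above decodes (assumption: part 1 is milliseconds since the reference date, part 2 milliseconds since boot) and runs a simple predictability check over a sample of such IDs next to IDs from the OS random generator.

```python
# Added example (not from the slides): the two-part time-based session ID the
# DateDiff output decodes (reconstruction: part 1 = ms since a fixed reference
# date, part 2 = ms since server boot), and a check that flags such IDs as
# predictable where IDs from a CSPRNG are not.
import secrets

REFERENCE_MS = 1286540990186          # from the slide: Fri Oct 08 14:29:50 CEST 2010
BOOT_MS = 1292191288000               # from the slide: server boot time

def weak_session_id(now_ms: int) -> str:
    """Anyone who knows roughly when the server booted can enumerate these."""
    return f"{now_ms - REFERENCE_MS}{now_ms - BOOT_MS}"

def strong_session_id() -> str:
    """128 bits from the OS CSPRNG: no relation between consecutive values."""
    return secrets.token_hex(16)

def increasing_fraction(ids: list) -> float:
    """Fraction of consecutive ID pairs where the later one is numerically larger
    (IDs read as hex, which covers decimal digits too). Time or counter based
    generators score ~1.0; random ones hover around 0.5."""
    values = [int(i, 16) for i in ids]
    pairs = list(zip(values, values[1:]))
    return sum(1 for a, b in pairs if b > a) / len(pairs)

def looks_predictable(ids: list, threshold: float = 0.9) -> bool:
    return increasing_fraction(ids) >= threshold

def sample_weak_ids(n: int = 64) -> list:
    """Constructed sample: one login per second, starting 2.5 days after boot."""
    start = BOOT_MS + 216_000_000
    return [weak_session_id(start + k * 1000) for k in range(n)]
```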

SQL-injection (also applicable for other languages)
  User input is directly used in a query
  Manipulation of database query
User input: search = jeroen
  Backend uses: select details from users where name='jeroen'
Attacker input: search = jeroen' or 1=1--
  Backend uses: select details from users where name='jeroen' or 1=1--'
  Display all records
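The backend above built two ways, as an added example (not code from the slides): string concatenation against a constructed in-memory SQLite table, where the jeroen' or 1=1-- input returns every row, beside the parameterised query, where the same input matches nothing.

```python
# Added example (not from the slides): the slide's search backend built two
# ways against an in-memory SQLite table (constructed data), so the effect of
# the jeroen' or 1=1-- input can be seen on real query results.
import sqlite3

def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, details text)")
    con.executemany("insert into users values (?, ?)", [
        ("jeroen", "account 1"), ("alice", "account 2"), ("bob", "account 3"),
    ])
    return con

def search_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    query = f"select details from users where name='{name}'"
    return [row[0] for row in con.execute(query)]

def search_parameterised(con: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is only ever a value, never SQL."""
    return [row[0] for row in con.execute(
        "select details from users where name=?", (name,))]
```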

Advanced tools are out there to abuse flaws:
  File upload
  File download
  OS command execution
  sqlmap: http://sqlmap.sourceforge.net/
  http://www.youtube.com/watch?v=ylttglskrgu
  Tunnel a shell over HTTP using SQL-injection!



Detection:
  Detection of well-known attacks using IDS
  Check web server logs
  Check network flows
  Difficult to detect all attacks!
Prevention:
  Use good practices: http://www.owasp.org/index.php/category:owasp_guide_project
  Review and/or test the application before going live:
    Source code review: http://www.owasp.org/index.php/category:owasp_code_review_project
    Penetration test: http://www.owasp.org/index.php/category:owasp_testing_project
    http://www.owasp.org/index.php/appendix_a:_testing_tools
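"Check web server logs" applied to the attacks shown earlier in this deck, as an added example (not code from the slides): a small scanner over constructed combined-format log lines that flags the SQL-injection, XSS and open-redirect inputs and an IP that walks through many userid values. The signatures cover only the deck's own examples.

```python
# Added example (not from the slides): "check web server logs" applied to the
# attacks shown earlier in the deck. Log lines are constructed, in combined
# log format; the signatures only cover the deck's own examples.
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),                  # ' or 1=1--
    "xss": re.compile(r"<\s*script", re.I),                                      # <script>alert(123)</script>
    "open-redirect": re.compile(r"[?&]url=(https?:|//|[\w.-]+\.[a-z]{2,})", re.I),  # url=malware.com
}
USERID_RE = re.compile(r"[?&]userid=(\d+)")

def analyse(lines: list, enum_threshold: int = 20) -> dict:
    """Returns signature hits per line plus IPs that walked many userid values."""
    alerts, userids = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])          # requests are URL-encoded; decode before matching
        for kind, sig in SIGNATURES.items():
            if sig.search(path):
                alerts.append((m["ip"], kind, path))
        uid = USERID_RE.search(path)
        if uid:
            userids[m["ip"]].add(uid.group(1))
    enumeration = {ip: len(ids) for ip, ids in userids.items() if len(ids) >= enum_threshold}
    return {"alerts": alerts, "enumeration": enumeration}

def constructed_log() -> list:
    """Constructed sample: one normal visit, the deck's three inputs, an enumeration."""
    stamp = "[08/Oct/2010:14:29:50 +0200]"
    lines = [
        f'10.0.0.1 - - {stamp} "GET /home.htm HTTP/1.1" 200 1234',
        f'10.0.0.2 - - {stamp} "GET /search?q=jeroen%27%20or%201%3D1-- HTTP/1.1" 200 9876',
        f'10.0.0.3 - - {stamp} "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 512',
        f'10.0.0.4 - - {stamp} "GET /redirect.jsp?url=malware.com HTTP/1.1" 302 0',
        f'10.0.0.1 - - {stamp} "GET /redirect.jsp?url=/home.htm HTTP/1.1" 302 0',
    ]
    lines += [f'10.0.0.5 - - {stamp} "GET /details?userid={i} HTTP/1.1" 200 300' for i in range(1, 31)]
    return lines
```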

Hacking is not allowed (Wet Computer Criminaliteit).
Testing without breaking in is also not allowed.
If you want to test your (organization's) apps, use a letter of authorization:
  Document the type of activities you will be performing
  Document the IPs that will be tested
  Signed by the system's owner

Hands-on hacking environment:
  Ten web-based levels
  Six platform-based levels
  In each level you can find a password; the password gives access to the next level
  You need to exploit a weakness to get the password
  Most OWASP top ten issues are included
  We'll show hints on the screen to help you, if needed ;)
  Work in teams
  We explicitly allow you to hack the system

More hands-on hacking:
  Hacking Exposed books: http://www.webhackingexposed.com/products.html
  Certified Ethical Hacker: https://www.eccouncil.org/certification/certified_ethical_hacker.aspx

J.C.vanBeek@uva.nl