OWASP Broken Web Application Project. When Bad Web Apps are Good

Similar documents
Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

CSWAE Certified Secure Web Application Engineer

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Application Penetration Testing

RiskSense Attack Surface Validation for Web Applications

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

Certified Secure Web Application Engineer

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Notes From The field

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Security Solutions. Overview. Business Needs

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Penetration Testing. James Walden Northern Kentucky University

Online Intensive Ethical Hacking Training

Advanced Security Tester Course Outline

What Ails Our Healthcare Systems?

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

CPTE: Certified Penetration Testing Engineer

DIS10.1 Ethical Hacking and Countermeasures

SECURITY TESTING. Towards a safer web world

Web Applications Penetration Testing

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

hidden vulnerabilities

Ruby on Rails Secure Coding Recommendations

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Ethical Hacking and Prevention

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Certified Ethical Hacker V9

WebGoat Lab session overview

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

TRAINING CURRICULUM 2017 Q2

Security Course. WebGoat Lab sessions

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Protect your apps and your customers against application layer attacks

EC-Council C EH. Certified Ethical Hacker. Program Brochure

Web Application Threats and Remediation. Terry Labach, IST Security Team

Evaluating Website Security with Penetration Testing Methodology

MARCH Secure Software Development WHAT TO CONSIDER

Solutions Business Manager Web Application Security Assessment

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Copyright

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

Introductions. Jack Katie

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

State of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges

CEH: CERTIFIED ETHICAL HACKER v9

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

TexSaw Penetration Te st in g

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

A D V I S O R Y S E R V I C E S. Web Application Assessment

DIS10.1:Ethical Hacking and Countermeasures

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Certified Vulnerability Assessor

DXC Security Training

OWASP InfoSec Romania 2013

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ShiftLeft. Real-World Runtime Protection Benchmarking

Security Testing. John Slankas

Web Applications (Part 2) The Hackers New Target

WEB APPLICATION VULNERABILITIES

EC-Council C EH. Certified Ethical Hacker. Program Brochure

Tiger Scheme SST Standards Web Applications

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

CRAW Security. CRAW Security

The 3 Pillars of SharePoint Security

Principles of ICT Systems and Data Security

INNOV-09 How to Keep Hackers Out of your Web Application

Hands-On Hacking Course Syllabus

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

ASSURANCE PENETRATION TESTING

What someone said about junk hacking

A Passage to Penetration Testing!

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

A Model for Penetration Testing

Advanced Vmware Security The Lastest Threats and Tools

Web Application Attacks

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Certified Ethical Hacker (CEH)

EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS

SCALE 15x (c) 2017 Ty Shipman

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

CompTIA. PT0-001 EXAM CompTIA PenTest+ Certification Exam Product: Demo. m/

Internet infrastructure

Penetration Testing with Kali Linux

Protect Your Organization from Cyber Attacks

Penetration testing a building automation system

Metasploit: The Penetration Tester's Guide PDF

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

Human vs Artificial intelligence Battle of Trust

Transcription:

OWASP Broken Web Application Project When Bad Web Apps are Good

About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs OWASP Project Lead, Vicnum OWASP New York City chapter member

Assessing the assessor Network Assessment Known methodologies Reconnaissance Discover Fingerprint Enumerate Exploit Known tools Nmap Vulnerability Manager Metasploit Known Goal Shell Predictable Results Web Application Assessment Methodology is uncertain* Assorted approaches Assorted tools exist to target the technical side of a web app* Assorted Goals Unpredictable Results* * Getting better but still not as good as network assessments

Why the Difference? Network Assessment Mature and stable TCP/IP protocols Well defended by network firewalls (usually) Web Application Assessment New technologies are constantly emerging Web Services Mobile platforms Different databases New CMS and Web frameworks Ruby on Rails Django (Python based) Node.js Business logic Human element

Vulnerable Web Applications Many unintentional broken web applications Many intentionally broken web applications Different frameworks, languages, databases Some available live, others to be downloaded and installed Several vendor provided apps exist Test their product Training apps such as the OWASP WebGoat project WebGoat originally written in J2EE now available on other platforms An interactive teaching environment for web application security

Broken Web Application Project Goal Broken Web Applications are needed to know evil Introduce people to the topic Test web application scanner people Test web application scanner products Test source code analysis tools Test web application firewalls Collect evidence left by attackers Develop business logic perspectives Develop human element perspectives

Bad Web Apps Problems Some web sites are built on proprietary systems Back end databases may need licensing Can conflict with one another Can be difficult to install Should be set up in a secured and isolated environment

DISCLAIMER OWASPBWA A Virtual Machine that is a collection of broken web applications

OWASP BWA Training Applications Web Goat (multiple platforms) Damn Vulnerable Web Application Real applications OWASP Vicnum project Cyclone Transfers Older (broken) versions of real applications/frameworks such as WordPress and Joomla

Vicnum Flexible vulnerable web application useful to auditor s honing their web application security skills And anyone else needed a web security primer Based on games commonly used to kill time Used as a hacker challenge for several security events including http://www.appseceu.org/ Available on Sourceforge Guess the number (Guessnum) Guess the word (Jotto) Union Challenge Usually available live at http://vicnum.ciphertechs.com/

Demonstration of Vicnum Two games to review in Vicnum Guessnum - The computer will think of a three digit number with unique digits. After you attempt to guess the number, the computer will tell you how many of your digits match and how many are in the right position. Keeping on submitting three digit numbers until you have guessed the computer's number. Jotto - The computer will think of a five letter word with unique letters. After you attempt to guess the word, the computer will tell you whether you guessed the word successfully, or how many of the letters in your guess match the computer's word. Keep on submitting five letter words until you have guessed the computer's word. Where do we start? What methodology? What tools? What are we after?

Demo Demo of Vicnum Guessnum Jotto Some OWASP tools to use: Zap DirBuster JBroFuzz

Hacking Vicnum Are input fields sanitized? Cross site scripting attacks GET POST SQL injections URL manipulation Backdoors in the application Administration and Authentication issues The question of state Encryption and encoding issues Business logic and the human element

Vicnum Review Did we find all the technical problems? Did we find non technical problems?

Cyclone Transfers Ruby on Rails Framework Available on github git://github.com/fridaygoldsmith/bwa_cyclone_transfers.git A fictional money transfer service, that consists of multiple vulnerabilities including: mass assignment vulnerability cross site scripting sql injections file upload weaknesses session management issues

Demo of Cyclone Transfers Demo

Cyclone Review Did we find all the technical problems? Did we find non technical problems? Mass assignment allows Rails web apps to set many attributes at once Rails is convention-heavy and certain fields like :admin, and :public_key are easily guessable curl -d "user[email]=mo@abc.com&user[password]=password&user[p assword_confirmation]=password&user[name]=mo&user[admi n]=true" localhost/cyclone/users Many Rails based web sites were exploited in 2012 were exploited via the mass assignment vulnerability

Technical Issues in Web Hacking Hacking a network is different than hacking a web app Similarities do exist in certain areas Cryptography checking Credential attacks Tools exist for scanning, fuzzing. But major technical challenges exist A request/response protocol where state is always an issue How do you know you have found every vulnerability? How do you know you have blocked every attack?

Non Technical Issues in Web Hacking Ultimately web pages are set up by application programmers meeting a business requirement Data works its way into web sites that might be difficult for a tool or a security analyst to evaluate Comments might contain inappropriate data URL fields can be manipulated and might show unintended web pages URL parameters can also be guessed and may leak information Hidden fields in form fields can be viewed and manipulated Fields might be guessed How can we prepare hackers for the non technical piece of an assessment?

Some Political Questions Should web app security be done by network security? What kind of assessment? Black Box Gray Box White Box How do you make sure that the latest web update is secure? Who is responsible for securing the app? Network team Application developer Security team How does one remediate? Code fix Firewall block Manage the risk

Going Forward New tools to discover New Technologies New Security Issues New ways to or detect or block attacks Broken web applications needed to raise awareness and sharpen skills

Questions and Review https://www.owasp.org/index.php/owasp_broken_web_applications_project @owaspbwa @fridaygoldsmith http://vicnum.ciphertechs.com http://cyclone.ciphertechs.com mo@ciphertechs.com

http://appsecusa.org/2013/ More Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback