OWASP Broken Web Application Project Bad Web Apps are Good.

Slides:

Advertisements

Similar presentations

Advertisements

PHP I.

OWASP Broken Web Applications (OWASP BWA): Beyond 1.0

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

System Security Scanning and Discovery Chapter 14.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

The OWASP Foundation AppSec DC Learning by Breaking A New Project for Insecure Web Apps Chuck Willis Technical Director MANDIANT

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Computer Security and Penetration Testing

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Drupal Workshop Introduction to Drupal Part 1: Web Content Management, Advantages/Disadvantages of Drupal, Drupal terminology, Drupal technology, directories.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Introduction to Application Penetration Testing

NOWASP Mutillidae 2.3.x An open-source web pen-testing environment for security training, practice, instruction, and you Jeremy Druin Information Security.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

 Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack.

Penetration Testing James Walden Northern Kentucky University.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

Web Applications Testing By Jamie Rougvie Supported by.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Final Project: Advanced Security Blade IPS and DLP blades.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

2440: 141 Web Site Administration Web Forms Instructor: Joseph Nattey.

1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.

ArcGIS for Server Security: Advanced

Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory

Web Application Security

Module: Software Engineering of Web Applications

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

CITA 352 Chapter 5 Port Scanning.

CISC103 Web Development Basics: Web site:

Daniel Kouril, Ivo Nutar Masaryk University

Penetration Testing following OWASP

Relevance of the OWASP Top 10

Migrating Oracle Forms Using Oracle Application Express

Web Application Penetration Testing

SharePoint-Hosted Apps and JavaScript

Ways to Secure CMS Websites. The most widely used Content Management Systems are Wordpress, Joomla and Drupal as per statistics. The highest CMS platforms.

CISC103 Web Development Basics: Web site:

Risk Assessment = Risky Business

Lecture 2 - SQL Injection

Web Hacking: Beginners

Lecture 14: JSON and Web SERVICES

Protecting Against Common Web Application Vulnerabilities

Lecture 27 Security I April 4, 2018 Open news web sites.

Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019

6. Application Software Security

Exploring DOM-Based Cross Site Attacks

ECCouncil v10 Certified Ethical Hacker Exam (CEH V10) Get certified in one attempt!

Web Application Development Using PHP

Presentation transcript:

OWASP Broken Web Application Project Bad Web Apps are Good

About Me Mordecai (Mo) Kraushar Director of Audit, CipherTechs QSA OWASP Project Lead, Vicnum OWASP New York City chapter member

Assessing the assessor Network Assessment – Known methodologies Reconnaissance Discover Fingerprint Enumerate Exploit – Known tools Nmap Vulnerability Manager Metasploit – Known Goal Shell – Predictable Results Web Application Assessment – Methodology is uncertain* – Assorted approaches – Assorted tools exist to target the technical side of a web app* – Assorted Goals – Unpredictable Results* * Getting better but still not as good as network assessments

Why the Difference? Network Assessment – Mature and stable TCP/IP protocols – Well defended by network firewalls (usually) Web Application Assessment – New technologies are constantly emerging Web Services Mobile platforms Different databases – New CMS and Web frameworks Ruby on Rails Django (Python based) Node.js – Business logic – Human element

Vulnerable Web Applications Many unintentional broken web applications Intentionally broken web applications exist as well – Different frameworks, languages, databases – Some available live, others to be downloaded and installed Several vendor provided apps exist – Test their product Training apps such as the OWASP WebGoat project – WebGoat originally written in J2EE now available on other platforms – An interactive teaching environment for web application security

Broken Web Application Project Goal Broken Web Applications are needed to know evil – Introduce people to the topic – Test web application scanner people – Test web application scanner products – Test source code analysis tools – Test web application firewalls – Collect evidence left by attackers – Develop business logic perspectives – Develop human element perspectives

Bad Web Apps Challenges Some web sites are built on proprietary systems Back end databases may need licensing Multiple bad web apps on one system can conflict with one another Can be difficult to install Should be set up in a secured and isolated environment

DISCLAIMER

What is it? OWASPBWA – A Virtual Machine that is a collection of broken web applications – Version released in September 2013 – Available in ova and vmware formats – Ubuntu Linux Server LTS

OWASP BWA “Training Applications” – Web Goat (multiple platforms) – Damn Vulnerable Web Application “Real applications” – OWASP Vicnum project – Cyclone Transfers Older (broken) versions of real applications/frameworks such as WordPress and Joomla

Vicnum Flexible, realistic, vulnerable web applications useful to auditor’s honing their web application security skills And anyone else needed a web security primer Used as a hacker challenge for several security events including PERL/PHP apps available on Sourceforge – Guess the number (Guessnum) – Guess the word (Jotto) – Union Challenge Ruby on Rails apps available on Github – Cyclone Transfers – Usually available live at

Demonstration of Vicnum A game to review in Vicnum Jotto - The computer will think of a five letter word with unique letters. After you attempt to guess the word, the computer will tell you whether you guessed the word successfully, or how many of the letters in your guess match the computer's word. Keep on submitting five letter words until you have guessed the computer's word. Where do we start? What methodology? What tools? What are we after?

Demo Demo of Vicnum Jotto Another OWASP project: ZAP

Hacking Vicnum Are input fields sanitized? – Cross site scripting attacks GET POST – SQL injections URL manipulation Backdoors in the application Administration and Authentication issues The question of state Encryption and encoding issues Business logic and the human element

Cyclone Transfers Ruby on Rails Framework Available on github – git://github.com/fridaygoldsmith/bwa_cyclone_transfers.git A fictional money transfer service, that consists of multiple vulnerabilities including: – mass assignment vulnerability – cross site scripting – sql injections – file upload weaknesses – session management issues

Demo Demo of Cyclone Transfers

Cyclone Review Mass assignment allows Rails web apps to set many attributes at once – Rails is convention-heavy and certain fields like :admin, and :public_key are easily guessable – curl -d ser[password_confirmation]=password&user[name]=mo& user[admin]=true" localhost/cyclone/users – Many Rails based web sites were exploited in 2012 via the mass assignment vulnerability

Demo A look at other BWA apps

Technical Issues in Web Hacking Hacking a network is different than hacking a web app Similarities do exist in certain areas – Cryptography checking – Credential attacks – Tools exist for scanning, fuzzing …. But major technical challenges exist – A request/response protocol where state is always an issue – Code to be evaluated on both server and browser!

Non Technical Issues in Web Hacking Ultimately web pages are set up by application programmers meeting a business requirement Data works its way into web sites that might be difficult for a tool or a security analyst to evaluate – Comments might contain inappropriate data – URL fields can be manipulated and might show unintended web pages – URL parameters can also be guessed and may leak information – Hidden fields in form fields can be viewed and manipulated And then there are those business logic issues! How can we prepare assessors for the non technical piece of an assessment?

Going Forward New Technologies New ways to or detect or block attacks New tools to discover New Security Issues Broken web applications needed to raise awareness and sharpen skills

Help needed! Near Term Items – Documentation can use some work – Catalog of vulnerabilities can be expanded Longer Term – Will get increasingly difficult to support older applications due to library and other dependency issues – May move to multiple VMs – Would like to improve set of applications

Wish List More applications in more languages – – ASP.NET – Python – Node.js More modern UIs – Rich JavaScript – HTML5 – Mobile optimized sites More database back ends – PostgreSQL – No SQL More web services

Questions and Review We welcome your feedback and contributions!