Web Application Bug Hunting

Presentation on theme: "Web Application Bug Hunting"— Presentation transcript:

1 Web Application Bug Hunting

2 About Me...
Who I am: Nick Wender, Software Engineer at TechSmith, amateur bug bounty hunter
Who I am NOT: Not a tester! Not a security expert. Not a web expert.

3 About You... How many testers? Any developers? Any managers?
Who works with web applications?

4 About this talk... Topic is too large for this talk
Hopefully a good introduction... and you leave knowing your next steps

5 Overview
Web application overview
Common vulnerabilities
Looking for bugs & useful tools
Resources

6 Web Application Overview

7 Input & Output: Requests, Responses

8 In Browser

9 Request (input)

10 Response (output)

11 Access Control Web apps need to give you a way to prove who you are
Often use cookies or request headers

12 Common Vulnerabilities

13 Some Security Terms: Vulnerability vs. Bug, Exploit, Risk

14 Common Vulnerabilities
Who has heard of the OWASP Top 10? The ten most common web application vulnerabilities. Let's get familiar with a couple...

15 Vulnerabilities Cross-Site Scripting (XSS)
Insecure Direct Object Reference (IDOR)

16 Cross-Site Scripting (XSS)
Injection of JavaScript
Often allows attacks against other users
Wide-ranging possibilities for attackers

17 Cross-Site Scripting (XSS)
Attacker could hijack developer accounts and apps

18 XSS Example #1

19 XSS Example #1
HackerOne researcher albinowax found XSS on developer.uber.com
Could have been used to take control of developers' accounts and apps
Consequence of not sanitizing user input
Uber paid a $3,000 bounty

20 XSS Example #2

21 XSS Example #2
HackerOne researcher siddiki found XSS through an insecure redirect on love.uber.com
Failure to sanitize the redirect parameter
Could use javascript://alert('XSS example')
Uber paid a $3,000 bounty

22 Insecure Direct Object Reference (IDOR)
Failure to ensure authorization
Consequences wide ranging
Easy to find and easy to exploit

23 IDOR Example #1

24 IDOR Example #1
HackerOne researcher tfairane found a way to change any Vimeo user's password
Used the reset password feature, which only required knowing the other user's ID
Account IDs could be looked up on another page
Vimeo paid a $5,000 bounty

25 IDOR Example #2

26 IDOR Example #2
HackerOne researcher secgeek found a way to delete any user's credit card from ads.twitter.com
Simply had to change the credit card identifier
Credit card identifiers were just 6 numbers
Twitter paid a $2,800 bounty

27 Needle in Haystack The flaws may be simple
Finding them is where the work lies

28 Looking for Bugs

29 Looking for bugs is... … about testing assumptions … often tedious
… often boring … rewarding when you find a good bug

30 Disclaimer Assuming you have permission to look for flaws

31 Useful tools
Intercepting proxy: great for observing requests & responses; great for bypassing client-side validation and controls; Fiddler on Windows, Charles on Mac
Browser dev tools
EditThisCookie

32 Simple Steps Gather information Identify requests of interest
Replay and evaluate

33 Gather Information Start your proxy
Interact with the website through your browser

34 Interesting Requests Review the requests your proxy captured
Think about: "What happens if I change this?"

35 Interesting Requests: XSS
Requests that accept your input: commenting, user profile, and so on
Look for responses or pages where your input comes back
Especially interesting if shown to other users

36 Interesting Requests: IDOR
For insecure direct object reference, look at data or account modification and retrieval of sensitive information
Think about "How does the site know I am authorized?"

37 Replay and Evaluate Use proxy to replay requests Modify requests
Observe the responses

38 Replay and Evaluate: IDOR
Remove or change authorization from the request
Modify resource identifiers or other parameters
Should be rejected
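The check the replayed request should hit, as an added example that is not from the talk: a minimal "delete credit card" handler modelled on the ads.twitter.com finding above, first without an ownership check and then with one. Sessions, card ids and users are constructed in-memory sample data.

```javascript
// Added example, not from the talk: a minimal "delete credit card" handler.
// Sessions and cards are constructed sample data so this runs offline.

// Fresh card store per call so each replayed request starts from the same state.
function makeStore() {
  return new Map([
    ["100001", { owner: "alice", last4: "4242" }],
    ["100002", { owner: "bob", last4: "1881" }],
  ]);
}

// Session cookie value -> authenticated user (constructed sample sessions).
const sessions = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);

// Pull the session cookie from the request and resolve it to a user.
function authenticate(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return (m && sessions.get(m[1])) || null;
}

// Vulnerable handler: authenticates the caller but never asks whether the
// caller owns the card. Replaying with another cardId deletes someone else's card.
function deleteCardInsecure(req, store) {
  const user = authenticate(req);
  if (!user) return { status: 401 };
  if (!store.has(req.params.cardId)) return { status: 404 };
  store.delete(req.params.cardId);
  return { status: 200 };
}

// Fixed handler: looks the card up, then checks ownership against the
// authenticated user. A mismatch gets 404, not 403, so ids cannot be enumerated.
function deleteCardSecure(req, store) {
  const user = authenticate(req);
  if (!user) return { status: 401 };
  const card = store.get(req.params.cardId);
  if (!card || card.owner !== user) return { status: 404 };
  store.delete(req.params.cardId);
  return { status: 200 };
}

// Build a request the way a proxy replay would: same cookie, any cardId.
function request(session, cardId) {
  const cookie = session ? `session=${session}` : "";
  return { headers: { cookie }, params: { cardId } };
}
```

The secure handler is the "should be rejected" outcome: the same session replayed against another user's identifier gets a 404 and the card stays put.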

39 Replay and Evaluate: XSS
Try submitting JavaScript or HTML
Should be safely displayed
Very much depends on context
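What "safely displayed" looks like on the server side, as an added example that is not from the talk: an HTML-body encoder for reflected input, and a redirect validator that refuses the javascript: scheme from the love.uber.com example above. Site origin, comment text and URLs are constructed sample values.

```javascript
// Added example, not from the talk. Sample inputs are constructed.

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute. Correct for those two contexts only; a value
// placed inside a <script> block or a URL needs a different encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render a user comment the way a profile page might: the untrusted
// values go through escapeHtml before being placed in the template.
function renderComment(author, text) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// Only allow a redirect target that is an https path on this site.
// Parsing with the WHATWG URL API turns "javascript:..." and
// "//evil.example" into a different scheme or origin, which is rejected;
// an unparseable target falls back to the site root.
function safeRedirectTarget(target, siteOrigin) {
  let url;
  try {
    url = new URL(target, siteOrigin);
  } catch (e) {
    return "/";
  }
  if (url.protocol !== "https:" || url.origin !== siteOrigin) return "/";
  return url.pathname + url.search;
}
```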

40 Automation
Automation is a time saver; use it to augment your testing
Plenty of good vulnerability scanners available; use them if you want
Make the effort to understand and verify what scanners find

41 I've found a vulnerability, now what?
A proof-of-concept exploit is pretty much necessary
Describe the impact and consequences
Demos can be effective to drive the point home
Relate it to a similar bug in Big Company XYZ

42 Additional Resources Where can I learn more?

43 Books
The Web Application Hacker's Handbook by Dafydd Stuttard
The Tangled Web by Michal Zalewski

44 Online
Too many to list, honestly!
Troy Hunt
@albinowax
@filedescriptor
HackerOne "Hacktivity"
Reddit r/netsec
Pluralsight - highly recommend Troy Hunt's courses

45 Hands-on
Google Gruyere
Google XSS Game
Damn Vulnerable Web App

