Penetration Testing following OWASP
Boyan Yanchev – Chief Technology Officer; Peter Dimkov – IS Consultant
About Lirex
“Penetration testing”
A method of compromising the security of a computer system or network by simulating an attack by a malicious hacker.
Pentest Requirements by Standards
- PCI-DSS Requirement 11: Regularly test security systems and processes.
- GDPR Article 32, 1 (d): a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- ISO 27001: A.12.6 – Technical vulnerability management; A.9.4 – System and application access control; A – Protecting against external and environmental threats; A.12.2 – Protection from malware; A – System security testing; …
Types of “Penetration tests” (by target scope)
- Vulnerability assessment
- Infrastructure penetration tests: internal, external
- Web/application penetration tests: static web site; dynamic content and applications
- Mobile application penetration tests
Open Systems Interconnection model (OSI model)
Top 10 threats defined by OWASP for 2013
Open Web Application Security Project – list of the Top 10 most critical web application security risks. The top 10 threats defined by OWASP for 2013 are:
- A1: Injection (injection flaws, such as SQL, OS, and LDAP injection)
- A2: Broken Authentication and Session Management
- A3: Cross-Site Scripting (XSS)
- A4: Insecure Direct Object References
- A5: Security Misconfiguration
- A6: Sensitive Data Exposure
- A7: Missing Function Level Access Control
- A8: Cross-Site Request Forgery (CSRF)
- A9: Using Components with Known Vulnerabilities
- A10: Unvalidated Redirects and Forwards
Totally free to use for personal and business use.
OWASP Top 10 2017 RC2 – Released (20.10.2017)
- OWASP Top 10 2017 RC1 – rejected
- OWASP Top 10 2017 RC2 – released (20.10.2017)
- The new OWASP Top 10 is to be released in late November 2017
Top 10 threats defined by OWASP for 2013
Author: Alan Zeichick Principal Analyst, Camden Associates
A1. Injections
- Injection attacks occur when unvalidated input is embedded in an instruction stream
- Impact – SEVERE! Data can be stolen, modified, deleted
- Client-side controls can easily be bypassed by an attacker
- Related to: SQL, LDAP, anything that builds up a query from user input
SQL Injection – Illustrated (source: OWASP)
[Diagram: the attacker's HTTP request passes through the firewall to the web server (hardened OS) and app server (custom code), whose SQL query reaches the databases; the injected query shown is "SELECT * FROM accounts WHERE acct='' OR 1=1--'" and the HTTP response returns every account's summary.]
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
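To make the diagram concrete, here is an added example (not from the presentation or from OWASP) in Python with the standard sqlite3 module. The accounts table and its rows are constructed for the example. It contrasts a query built by string concatenation, which the injected account value turns into "WHERE acct='' OR 1=1--'", with the parameterised form, where the same value is just data that matches no account.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the 'DB Table' in the diagram."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("1001", "alice", 500),
        ("1002", "bob", 1200),
        ("1003", "carol", 80),
    ])
    return conn

def lookup_vulnerable(conn, acct):
    """Builds the statement by concatenation: the account field becomes part of the SQL text."""
    query = "SELECT acct, owner, balance FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, acct):
    """Parameterised query: the value travels separately from the statement and can never alter it."""
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct=?", (acct,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    hostile = "' OR 1=1--"          # the form value from step 2 of the diagram
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every row leaks
    print("safe:      ", lookup_safe(db, hostile))         # no row matches
```

The detection angle for a tester is the same comparison: a parameter whose quote character changes the number of rows returned (or raises a database error) is the signature of concatenated SQL.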
Injection
A1. Injections Source:
A2. Broken Authentication and Session Management
- Hijacking a user's session
- HTTP is a "stateless" protocol, which means that credentials have to go with every request
- A session ID is used to track state
A2. Broken Authentication and Session Management
Vulnerabilities:
- Session IDs are stored in the URL
- Guessable session IDs
- Session IDs do not time out
- Passwords are not stored hashed
- Credentials are sent in plain text
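The following Python example is added here and is not code from the presentation. It addresses the first four vulnerabilities in the list: session IDs come from a CSPRNG (not guessable), live in a server-side store with an idle timeout, are delivered in an HttpOnly/Secure cookie rather than the URL, and passwords are stored as salted PBKDF2 hashes. The 15-minute timeout and the iteration count are assumptions chosen for the example; the clock is passed in so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TIMEOUT = 900        # assumed policy: 15 minutes of inactivity invalidates the ID
PBKDF2_ROUNDS = 200_000      # assumed work factor for password hashing

# Server-side store: session_id -> (username, last_seen). Constructed for the example.
_sessions = {}

def new_session(username, now=None):
    """Issue a cryptographically random session ID; never derive it from user data or a counter."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = (username, time.time() if now is None else now)
    return sid

def resolve_session(sid, now=None):
    """Return the user behind a session ID, or None if unknown or idle past the timeout."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    username, last_seen = entry
    if now - last_seen > SESSION_TIMEOUT:
        del _sessions[sid]            # expired IDs are forgotten, not merely flagged
        return None
    _sessions[sid] = (username, now)  # sliding expiry on activity
    return username

def set_cookie_header(sid):
    """HttpOnly keeps the ID away from scripts, Secure keeps it off plaintext HTTP, and it never appears in a URL."""
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries the salt so verification can repeat it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    sid = new_session("alice", now=1000.0)
    print(set_cookie_header(sid))
    print(resolve_session(sid, now=1100.0))    # alice
    print(resolve_session(sid, now=2500.0))    # None: idle too long
```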
A3. Cross-Site Scripting (XSS)
- The most prevalent web application security flaw
- Enables the attacker to execute scripts in the victim's browser
- Used to: steal the user's session; steal sensitive data; rewrite the web page (insert malicious content); redirect the user to a phishing or malware site
- Be sure to sanitize your input fields!
A3. Cross-Site Scripting (XSS)
<script>alert('XSS Attack!')</script>
<script>document.location=' ?foo='+document.cookie</script>
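An added Python example (not from the presentation) showing why the slide's payloads work and what stops them: a page that concatenates a request parameter into HTML lets the first payload through as a live script element, while output encoding with the standard library's html.escape turns the same string into inert text. The greeting page and the helper names are constructed for the example.

```python
import html

def render_greeting_vulnerable(name):
    """Reflects the request parameter straight into the page: input becomes markup."""
    return "<p>Hello, " + name + "</p>"

def render_greeting_safe(name):
    """Text context: escape &, <, >, and both quote characters before embedding."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def render_attr_safe(value):
    """Attribute context: always quote the attribute and escape the value inside it."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'

def contains_script_tag(rendered):
    """Crude check used to show whether the rendered HTML still carries an executable tag."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    payload = "<script>alert('XSS Attack!')</script>"   # the slide's first example
    print(render_greeting_vulnerable(payload))          # browser would run the script
    print(render_greeting_safe(payload))                # browser shows the text literally
    print(render_attr_safe('" onfocus="alert(1)'))      # quote cannot break out of the attribute
```

Encoding belongs at output time, per context (HTML text, attribute, JavaScript, URL), because the same stored string is safe in one context and dangerous in another; input sanitisation alone cannot know where the value will later be rendered.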
A4. Insecure Direct Object References
Accessing data or system by changing a parameter value which refers to an object that the user is not authorized to access
A7. Missing Function Level Access Control
- Threat: unauthorized access to functionality (privilege escalation)
- Authorization checks are used in order to generate appropriate menus and/or show/hide various options
- If an attacker is aware of the presence of these other functions, he could attempt to call them
- If the server does not check the permissions for this user, the privilege escalation is successful
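A4 and A7 are both failures to authorise on the server, so one added Python example (not from the presentation) covers both. The invoices, users and roles are constructed data. The vulnerable lookup trusts the object ID from the request (A4); the safe one checks ownership after fetching the object. The role decorator enforces the function-level check on every call, so hiding the admin menu is no longer the only control (A7).

```python
# Constructed data standing in for an application's database and role table.
INVOICES = {101: {"owner": "alice", "amount": 40}, 102: {"owner": "bob", "amount": 99}}
ROLES = {"alice": "user", "bob": "user", "root": "admin"}

class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for the object or function."""

def get_invoice_vulnerable(user, invoice_id):
    """A4: returns whatever ID the request names; the caller is never compared to the owner."""
    return INVOICES[invoice_id]

def get_invoice_safe(user, invoice_id):
    """Fetch, then verify that this user may see this object (admins may see all)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    if inv["owner"] != user and ROLES.get(user) != "admin":
        raise Forbidden(f"{user} may not read invoice {invoice_id}")
    return inv

def requires_role(role):
    """A7 control: the permission check lives in the handler, not only in the menu that links to it."""
    def wrap(fn):
        def inner(user, *args, **kwargs):
            if ROLES.get(user) != role:
                raise Forbidden(f"{user} lacks role {role}")
            return fn(user, *args, **kwargs)
        return inner
    return wrap

@requires_role("admin")
def delete_user(user, victim):
    """Privileged function that a non-admin might try to call directly by URL."""
    ROLES.pop(victim, None)
    return True

def denied(fn, *args):
    """True when the call is refused with Forbidden; used to demonstrate that the checks fire."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True

if __name__ == "__main__":
    print(get_invoice_vulnerable("alice", 102))      # alice reads bob's invoice
    print(denied(get_invoice_safe, "alice", 102))    # True: ownership check blocks it
    print(denied(delete_user, "alice", "bob"))       # True: role check blocks it
```

When testing for these flaws, the same pattern applies: log in as a low-privilege user, then request object IDs and function URLs that the interface never offered; the server's response, not the menu, decides whether the control exists.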
A5. Security Misconfiguration
Attack vectors:
- Missing (outdated) patches
- Misconfigurations
- Use of default accounts
- Use of unnecessary services and features
- Unprotected files and directories
- Error messages not customized or blocked
A5. Security Misconfiguration
A6. Sensitive Data Exposure
- When high-value data (passwords, credit card data, etc.) is not properly handled by the application and not adequately protected on the web site, data exposure is a serious risk!
- Evaluate the high-value data
- Use encryption
A8. Cross-Site Request Forgery (CSRF)
- An attacker can cause the victim to change their password or username, send a private message from the victim's account, steal money, or order stuff with the click of a link
- Most frameworks have a mechanism to protect from CSRF
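The "mechanism" most frameworks provide is a per-session anti-forgery token. This added Python example (not from the presentation or any particular framework) shows the idea in the standard library: the token is an HMAC over the session ID and a nonce, so a forged cross-site form can carry the victim's cookie but not a token that validates for that session. The request is modelled as a dict; the server secret is generated at import time for the example, where a real application would load it from configuration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed for the example; load from config in practice

def issue_csrf_token(session_id):
    """nonce.mac, where mac = HMAC(secret, session_id:nonce); embedded in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time; malformed tokens fail closed."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def handle_change_password(request, session_id):
    """State-changing handler: GET is refused, and a POST must carry a token bound to the caller's session."""
    if request.get("method") != "POST":
        return 405
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403
    return 200   # password would be changed here

if __name__ == "__main__":
    sid = "session-of-victim"                     # constructed session identifier
    token = issue_csrf_token(sid)
    legit = {"method": "POST", "form": {"csrf_token": token, "new_password": "x"}}
    forged = {"method": "POST", "form": {"new_password": "x"}}   # cross-site form: cookie yes, token no
    print(handle_change_password(legit, sid))     # 200
    print(handle_change_password(forged, sid))    # 403
```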
A9. Using Components with Known Vulnerabilities
- Using things like framework libraries, plugins and such
- Components often run with the full privilege of the application
- Finding exploits for a particular component (if components are not updated)
- Exploit the vulnerability
- Prevention: write your own components; always update to the most current version
A10. Unvalidated Redirects and Forwards
- The possibility of a web application accepting untrusted input that could cause the web application to redirect to the requested URL contained within the untrusted input
- Launching phishing scams
- Stealing credentials
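An added Python example (not from the presentation) of the usual defence: a login page's "next" parameter is only honoured if it is a same-site path or an absolute URL on an allow-listed host, and everything else falls back to a fixed landing page. The allowed host and the parameter name are constructed for the example. The checks go beyond the slide's one-line description to cover the forms that commonly slip past naive validation: protocol-relative URLs, non-HTTP schemes, credentials-in-URL tricks and backslashes.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example.com"}    # constructed: the only hosts a browser may be sent to

def safe_redirect_target(next_url, fallback="/"):
    """Return next_url only if it is a local path or an absolute URL on an allowed host; otherwise fallback."""
    if not next_url:
        return fallback
    parsed = urlparse(next_url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative target. "//host" would be protocol-relative (netloc set, so it does not reach here),
        # but also refuse backslashes, which some browsers normalise to slashes.
        if next_url.startswith("/") and not next_url.startswith("//") and "\\" not in next_url:
            return next_url
        return fallback
    # Absolute target: only http(s) and only to a host we control. urlparse's hostname
    # strips any "user@" prefix, so "https://shop.example.com@evil.example/" resolves to evil.example.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_url
    return fallback

def login_redirect(request_params):
    """Handler fragment: the Location header is always passed through the validator."""
    return "Location: " + safe_redirect_target(request_params.get("next"))

if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/login", "https://shop.example.com/cart",
                      "https://evil.example/phish", "javascript:alert(1)",
                      "https://shop.example.com@evil.example/", "/\\evil.example"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

A tighter variant, where it fits the application, replaces the URL parameter with a short key into a server-side table of destinations, so no URL from the client is ever echoed into a Location header.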
Tools
- Vulnerability assessment tools: Metasploit Framework, OpenVAS, Acunetix, Qualys, Nessus
- The Pentesters Framework (PTF), Kali Linux, Nmap, AirCrack, SQLMap, Ettercap, Wireshark, Nikto/Wikto, SiteDigger
- Proxies: Paros Proxy, OWASP ZAP, Burp Suite
- Various browser plugins
Thank you!