TDIS 2014 - Dealing with the risks: web applications
Event: Trusted Digital Identity Symposium 2014
Topic: Dealing with the risks - web applications
Location: Living Tomorrow (Brussels Vilvoorde)
Organizer: Vasco Data Security


Transcript

  • 1. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
      Dealing with the risks: web applications, Malik Mesellem
  • 2. About me
      – Malik Mesellem, Ethical Hacker
      – MME BVBA, founded in 2010
      – Specialized in audits & training
      – Objective approach, independent
      – Focus to advise and to educate
      @MME_IT #bWAPP | ITAudits&SecurityMME
  • 3. Dealing with the risks: Contents
      – Defense needed
      – Security framework
      – Attack scenarios
      – Superbees wanted
  • 4. Dealing with the risks: Contents (section divider, same list as slide 3)
  • 5. Defense needed
      – Web application security is today's most overlooked aspect of securing the enterprise
      – Hackers are concentrating their efforts on websites and web applications
      – Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  • 6. Defense needed: Why are web applications an attractive target?
      – Easily available via the Internet (24/7)
      – Mission-critical business applications with sensitive data
      – Often direct access to backend data
      – Traditional firewalls and SSL provide no protection
      – Many applications are custom-made == vulnerable
  • 7. Defense needed: Why are web applications an attractive target? (same list as slide 6)
  • 8. DEFENSE is needed!
  • 9. Dealing with the risks: Contents (section divider, same list as slide 3)
  • 10. Security framework: bWAPP, or a buggy Web APPlication
      – Deliberately insecure web application, includes all major known web vulnerabilities
      – Helps security enthusiasts, developers and students to discover and to prevent issues
      – Prepares one for successful penetration testing and ethical hacking projects
  • 11. Security framework
      – Web application security is not just installing a firewall, or scanning a site for 'potential' issues
      – Black-box penetration testing, simulating real attack scenarios, is still needed!
      – Confirms potential vulnerabilities, and excludes false positives
      – Guarantees that your defense measures are working effectively
      – bWAPP helps to improve your security-testing skills…
  • 12. (image slide, no text)
  • 13. Security framework: What makes bWAPP so unique?
      – Well, it has over 100 web vulnerabilities
      – Covering all major known web bugs
      – Including all risks from the OWASP Top 10
      – Focus is not on one specific issue!
  • 14. Commercial Web Scanners (image slide)
  • 15. Security framework: Which bug do you want to hack today? (1)
      – SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
      – Authentication, authorization and session management issues
      – Malicious, unrestricted file uploads and backdoor files
      – Arbitrary file access and directory traversals
      – Heartbleed vulnerability (OpenSSL)
      – Local and remote file inclusions (LFI/RFI)
      – Server Side Request Forgery (SSRF)
  • 16. Security framework: Which bug do you want to hack today? (2)
      – Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures, ...
      – HTTP parameter pollution and HTTP response splitting
      – XML External Entity attacks (XXE)
      – HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
      – Unvalidated redirects and forwards
      – Denial-of-Service (DoS) attacks
  • 17. Security framework: Which bug do you want to hack today? (3)
      – Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
      – AJAX and Web Services issues (JSON/XML/SOAP)
      – Parameter tampering and cookie poisoning
      – HTTP verb tampering
      – PHP-CGI remote code execution
      – Local privilege escalations
      – And much more
  • 18. Security framework: Which bug do you want to hack today? (image slide)
  • 19. Security framework (image slide, no text)
  • 20. Security framework: External links
      – Home page - www.itsecgames.com
      – Download location - sourceforge.net/projects/bwapp
      – Blog - itsecgames.blogspot.com
  • 21. Dealing with the risks: Contents (section divider, same list as slide 3)
  • 22. SQL injection
      – SQL injection is very common in web applications
      – Occurs when user input is sent to a SQL interpreter as part of a query
      – The attacker tricks the interpreter into executing unintended SQL queries
  • 23. SQL injection: Injection in the OWASP Top 10 (image slide)
  • 24. SQL injection: Normal operation (diagram: the BROWSER submits the login form (GET/POST) to the WEB APP, the WEB APP sends SQL to the SQL interpreter / DATABASE, and the result comes back as HTML)
      Input: login = login, password = password
      Query: SELECT * FROM table WHERE login = 'login' AND password = 'password'
  • 25. SQL injection: Abnormal operation (same diagram)
      Input: login = login, password = ' or 1=1--
      Query: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
  • 26. SQL injection: Simple injections
      – '--
      – ' or 'a'='a
      – ' or 'a'='a'--
      – ' or '1'='1
      – ' or 1=1--
  • 27. SQL injection: Union injections
      – ' UNION SELECT field1, field2 FROM table--
      – ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
      Stacked queries
      – '; DROP TABLE table;--
  • 28. SQL Injection (image slide)
  • 29. Don't try @ home! SQL injection
      – Bypassing login forms
      – Manually extracting data
      – Automated SQL injection
      – Website defacement
  • 30. (image slide, no text)
  • 31. (image slide, no text)
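Slides 24 to 26 show the two ways the login query can be built and what the simple payloads do to the concatenated one. The following is an added example, not code from the slides or from bWAPP: it puts the string-built query next to a parameterized one over a constructed in-memory SQLite table (the table name `users` and the sample credentials are assumptions) and runs the same input through both, so the difference is visible on real query execution rather than on a diagram.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Builds the query by string concatenation, the pattern behind slides 24/25.
    Whatever the user typed is pasted into the SQL text, so a quote ends the
    string literal and everything after it is parsed as SQL."""
    query = (f"SELECT * FROM users WHERE login = '{login}' "
             f"AND password = '{password}'")
    return len(conn.execute(query).fetchall()) > 0


def login_parameterized(conn, login, password):
    """Same check with bound parameters: the interpreter receives the query
    text and the values separately, so a value is never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchall()
    return len(rows) > 0


def compare(login, password):
    """Runs both checks on one input; returns (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, login, password),
                login_parameterized(conn, login, password))
    finally:
        conn.close()


if __name__ == "__main__":
    for creds in [("alice", "s3cret"),        # real credentials
                  ("login", "' or 1=1--"),     # slide 25 payload in the password field
                  ("alice'--", "wrong"),       # slide 26 '-- payload in the login field
                  ("bob", "' or 'a'='a")]:     # slide 26 tautology
        print(creds, "->", compare(*creds))
```

Only the first input should log in; with string concatenation every one of them does, with bound parameters only the first. One caveat worth knowing when reproducing the stacked-query payload from slide 27 here: Python's `sqlite3` refuses more than one statement per `execute()` call and raises `ProgrammingError`, which is a property of that driver, not a defense; other database drivers and `executescript()` run the second statement.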
  • 32. Cross-Site Scripting
      – Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
      – Insufficient validation of user-supplied data
      – Dangerous when it is stored permanently!
      – XSS can lead to
          – Website defacements
          – Phishing / session hijacking
          – Client-side exploitation
  • 33. Cross-Site Scripting: XSS in the OWASP Top 10 (image slide)
  • 34. Don't try @ home! Cross-Site Scripting
      – Detecting XSS
      – Phishing attack
      – Client-side exploitation
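Slide 32's point about stored data is that the damage is done at render time, on every visitor, long after the input was accepted. As an added example (not code from the slides or bWAPP), the block below renders a constructed list of stored comments twice: once by interpolating the fields directly, once with context-aware escaping at output. The comment records and the `data-author` attribute are assumptions made for the demonstration.

```python
from html import escape

# Constructed stored comments (sample data, not from the slides). The second
# record is what a persistent XSS scenario leaves behind in the database.
COMMENTS = [
    {"author": "bee", "text": "Nice talk!"},
    {"author": '"><script>alert(1)</script>',
     "text": '<img src=x onerror="alert(document.cookie)">'},
]


def render_unsafe(comments):
    """Interpolates stored fields straight into the page. Stored markup becomes
    part of the document and runs in every visitor's browser."""
    return "\n".join(
        f'<div class="comment" data-author="{c["author"]}">{c["text"]}</div>'
        for c in comments)


def render_escaped(comments):
    """Escapes at output time, per context: quote=True for the attribute value
    (a stray double quote would otherwise close it), plain escaping for the
    element body. The stored text itself is left as typed; encoding belongs
    where the data is rendered, not where it is accepted."""
    return "\n".join(
        f'<div class="comment" data-author="{escape(c["author"], quote=True)}">'
        f'{escape(c["text"], quote=True)}</div>'
        for c in comments)


def markup_survives(page):
    """Self-check: True if a user-supplied tag or an attribute break-out
    (quote followed by a new tag) is still live in the rendered page."""
    return "<script" in page or "<img" in page or '"><' in page


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_escaped(COMMENTS))
```

The escaped page still shows the attacker's text verbatim to the reader, which is the intended behaviour: the characters are displayed, not interpreted. Escaping is context-specific, so a value that ends up inside a `<script>` block or a URL needs a different encoder than the HTML-body one used here.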
  • 35. Heartbleed bug
      – Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)
      – Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!
      – Sensitive data that might be stolen
          – Logon credentials
          – Session data
          – Private keys
  • 36. Don't try @ home! Heartbleed bug
      – Stealing credentials
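Slide 35 says a single heartbeat request is enough; the reason is that the responder trusted the payload length the peer declared instead of the length it actually received. The block below is an added example, not OpenSSL code and not from the slides: it parses the TLS HeartbeatMessage layout from RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding) and applies the bounds check that the affected versions lacked, discarding a message whose declared length does not fit in the bytes on the wire. The helper names and the zero padding are assumptions for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_MIN = 16   # RFC 6520: at least 16 bytes of padding follow the payload


def parse_heartbeat(record):
    """Parses a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    Raises ValueError when the message must be discarded."""
    if len(record) < 3 + PADDING_MIN:
        raise ValueError("heartbeat message too short")
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    # The check the affected OpenSSL versions lacked: the length the peer
    # declares must fit inside the bytes the record actually carries. Without
    # it the responder copies payload_len bytes starting at the (shorter)
    # payload and sends whatever memory follows it back to the peer.
    if 3 + payload_len + PADDING_MIN > len(record):
        raise ValueError("declared payload length exceeds received record")
    return msg_type, record[3:3 + payload_len]


def build_heartbeat(msg_type, payload, padding=b"\x00" * PADDING_MIN):
    """Serialises a heartbeat message (zero padding here; real padding is random)."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def respond(record):
    """Responder side: echo the request payload, or None when the message is
    dropped. RFC 6520 requires silent discard of an oversized payload_length."""
    try:
        msg_type, payload = parse_heartbeat(record)
    except ValueError:
        return None
    if msg_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    print(parse_heartbeat(respond(good)))
    # Constructed malformed message: claims 65535 payload bytes, carries 5.
    bad = b"\x01\xff\xff" + b"hello" + b"\x00" * PADDING_MIN
    print(respond(bad))
```

The whole fix is the one comparison against `len(record)`; everything else in the parser is the ordinary message layout. The same pattern (a length field that must be validated against the enclosing buffer before it is used to copy) is worth looking for in any hand-written binary protocol parser.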
  • 37. Denial-of-Service
      – Denial-of-Service attack, or DoS attack
          – Attacker attempts to prevent legitimate users from accessing the application, server or network
          – Consumes bandwidth, server sockets, or CPU resources
      – Distributed Denial-of-Service attack, or DDoS
      – Popular techniques used by hacktivists
  • 38. Denial-of-Service: Newer layer 7 DoS attacks are more powerful!
      – "Low-bandwidth application layer DoS"
      – Advantages of layer 7 DoS
          – Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
          – Requires fewer connections; a single attack can stop a web server
          – Reaches the resource limits of services, regardless of the hardware capabilities of the server
  • 39. Denial-of-Service: Layer 7 DoS methods
      – HTTP Slow Headers
      – HTTP Slow POST
      – HTTP Slow Reading
      – Apache Range Header
      – SSL/TLS Renegotiation
      – XML Bombs
  • 40. Don't try @ home! Denial-of-Service
      – HTTP Slow POST
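Slides 38 to 40 explain why a Slow POST needs little bandwidth: each connection announces a large body and then feeds it so slowly that the worker holding the socket never finishes. The usual server-side countermeasure is a body-read timeout that is extended only in proportion to the bytes actually received, so honest clients on slow links keep their connection while a trickling one is cut off. The block below is an added example, not code from the slides or from any web server: it simulates that progressive timeout over constructed arrival patterns; the default numbers (20 s initial, 500 bytes/s minimum rate) and the three traffic patterns are assumptions.

```python
def read_body(events, content_length, initial_timeout=20.0, min_rate=500.0):
    """Simulates reading a request body under a progressive timeout.

    events: list of (arrival_time_seconds, chunk) in arrival order, as the
    server would see them. The connection starts with initial_timeout seconds
    of credit, and every received byte adds 1/min_rate seconds, so a client
    that keeps up at least min_rate never runs out while a client that sends
    a few bytes now and then does. (Assumed model; not from the slides.)

    Returns (status, body) with status "complete", "timeout" or "incomplete".
    """
    deadline = initial_timeout
    received = bytearray()
    for arrival, chunk in events:
        if arrival > deadline:
            return "timeout", bytes(received)
        received += chunk
        if len(received) >= content_length:
            return "complete", bytes(received[:content_length])
        deadline += len(chunk) / min_rate
    return "incomplete", bytes(received)


# Constructed traffic patterns (sample data). Each returns (events, content_length).
def normal_client():
    """A browser posting a 4 KB form in two quick segments."""
    return [(0.05, b"f" * 2048), (0.10, b"f" * 2048)], 4096


def slow_post_client():
    """Slow POST pattern: announces a 100 KB body, then one byte every 9 s,
    which is what keeps a worker and its socket occupied."""
    return [(9.0 * i, b"x") for i in range(1, 200)], 100_000


def slow_but_honest_client():
    """A poor mobile link: 5 KB every 5 s, i.e. 1000 bytes/s, above min_rate."""
    return [(5.0 * i, b"m" * 5000) for i in range(1, 11)], 50_000


if __name__ == "__main__":
    for name, maker in [("normal", normal_client),
                        ("slow POST", slow_post_client),
                        ("slow but honest", slow_but_honest_client)]:
        status, body = read_body(*maker())
        print(f"{name}: {status} after {len(body)} bytes")
```

The honest slow client takes 50 seconds to deliver its body and is still accepted, because each 5 KB chunk buys it another 10 seconds; the trickling connection is dropped after its second byte, at about 20 seconds, regardless of how large a body it announced. The timeout alone does not stop a distributed Slow POST, but it bounds how long each connection can hold a worker, which is the resource the attack is after.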
  • 41. Dealing with the risks: Contents (section divider, same list as slide 3)
  • 42. Superbees wanted
      Hi little bees, during this talk we
      – Defaced the website
      – Compromised the server
      – Compromised a client
      – Made the server unreachable
      – Hijacked a session
      – Stole credentials…
  • 43. Superbees wanted
      – And we have so many more bugs to exploit…
      – Definitely time to improve your web security
      – Defense is needed, security-testing is required!
      – Downloading bWAPP is a first start
      – Remember: every bee needs a superbee
      – Are you that superbee?
      @MME_IT #bWAPP
  • 44. About me: Malik Mesellem
      – Email | malik@itsecgames.com
      – LinkedIn | be.linkedin.com/in/malikmesellem
      – Twitter | twitter.com/MME_IT
      – Blog | itsecgames.blogspot.com