Your SlideShare is downloading. ×
Web Security - Introduction
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Web Security - Introduction


Published on

SQA Days 11. День 2. Cекция B …

SQA Days 11. День 2. Cекция B
Олесь Сегеда
Lohika Systems
Львов, Украина

Published in: Education, Technology

1 Comment
  • Подскажите, пожалуйста, где можно найти видео этого доклада? Спасибо
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Web Security[websec] Introduction Prepared by Oles Seheda
  • 2. Agenda Why web? Google hacking $GET_READY (browser and proxy) Session hijacking (XSS, Session Fixation, Brute force) How to... easy passwords CSRF SQL injection and other injection types Parameter tampering File inclusion, path traversal Unrestricted file upload Tools Theory & Practice resources Q&A
  • 3. Agenda Vulnerability More info OverviewMitigation Image Tools Examples Demonstration Usage
  • 4. IntroQuality
  • 5. IntroQuality is not only functionality* *(Implemented and tested requirements) Non-functional?Baseline Load SecurityCompatibility L10n and i18n ScalabilityCompliance Performance StressDocumentation Recovery UsabilityEndurance Resilience Volume
  • 6. IntroQuality is value to some person - Jerry Weinberg
  • 7. Intro 75% of cyber attacksand Internet security violations are generated through Internet applications Source: Gartner Group
  • 8. Intro Amateurs hack systems,professionals hack people - Bruce Schneier
  • 9. Social Engineering Social EngineeringSocial Engineering is the act of manipulating a person toaccomplish goals that may or may not be in the "targets" bestinterest.This may include obtaining information, gaining access, or gettingthe target to take certain action.
  • 10. Social EngineeringSocial Engineering techniques• Pretexting• Diversion theft• Phishing• Vishing (IVR or phone phishing)• Baiting (Trojan Horse)• Quid pro quo (something for something)Useful resourceThe Official Social Engineering Portal
  • 11. Disclaimer ***** All the information provided in thispresentation are for educational purposesonly. The speaker is no way responsible for any misuse of the information. Use it on our own risk! *****
  • 12. Google Hacking Google Hacking AKA: Google Dorks, Google scanning, Search engine hackingGoogle hacking is the term used when an attacker tries to findexploitable targets or/and sensitive data by using advancedoperators in search engines or code search engines.Main targets are software vulnerabilities and misconfigurations.
  • 13. Google HackingExamplesSearch for vulnerable softwareintitle:powered by wordpressLogs containing usernames and/or passwords"admin account info" filetype:logOpen webcamsinurl:/view/index.shtmlSQL injectioninurl:"id="inurl:index.php? - deleted "Фотографии со страницы DELETED"Directory indexing (listing)intitle:index.ofRFIinurl:index.php?page=
  • 14. Google HackingThe Google Hacking Database (GHDB) is a database of queriesthat identify sensitive data.Useful resourcesGoogle Hacking Database (GHDB) Hacking Diggity Project
  • 15. Google HackingMitigation1. Do not upload info that you are not comfortable to share with whole world2. Mask server software that you are running on (e.g., default error messages)3. Use META tags <meta name="GOOGLEBOT" content="NOINDEX"/>4. Use robots.txt User-agent: * Disallow: /private/5. Use (Gooscan)
  • 16. Get readyFor web security testing we need the following tools: 1. Browser 2. Proxy
  • 17. Browsers Browsers can block reflected XSS???Chrome 16, 17, 18 YesIE 9, 10 YesFirefox 8, 9, 10 NoOpera 12 NoSafari 5.1 Yes Source:
  • 18. BrowsersThe Hacker Firefox Sandcat Browser add-ons: Features:• Firebug • Live HTTP Headers• Tamper Data • Request Editor extension• Web Developer • Fuzzer• HackBar • JavaScript Executor extension• Poster • Lua Executor extension• Live HTTP Headers • Syhunt Gelo• and more… • HTTP Brute Force • CGI Scanner scripts • and more…
  • 19. BrowsersMantra add-ons:• Firebug • Cookies Manager+• SQLite Manager • Firecookie• Hackbar • Autofill Forms• Tamper Data • Modify Headers• Live HTTP Headers • Poster• Web Developer • SeleniumIDE• SQL Inject Me • Websecurify• XSS Me • FoxyProxy • and more…
  • 20. ProxyBurp Suite Proxy Data (Firefox add-on)
  • 21. Session Hijacking Session HijackingSession hijacking is the act of taking control of a user sessionafter successfully obtaining or generating an authenticationsession ID.Methods1. Capture/Steal (sniffing, MitM, XSS)2. Fixation3. Prediction (calculate, fuzzing, brute force)
  • 22. Cross-Site Scripting Cross-Site Scripting AKA: CSS, XSSXSS is a type of vulnerability in web applications which allow code injection bymalicious web users into the web pages viewed by other users.TypesType 1: Non-persistent, Non-permanent, Reflected, First-order, PassiveType 2: Persistent, Permanent, Stored, Second-order, Active
  • 23. Cross-Site Scripting | Reflected ‫׼‬<script>alert(XSS)</script><script>alert(XSS)</script>A XSS OK Cookie grabber or malicious web site ‫׼‬<script>code</script>V
  • 24. Cross-Site Scripting | ReflectedExamples<script>document.location=</script>Masking malicious URLURL escaping ( shortening:
  • 25. Cross-Site Scripting | Stored ‫׼‬ <img height="0" width="0" src=code>A XSS OK Cookie grabber or malicious web site DB ID=7 ‫׼‬http://example.comV
  • 26. Cross-Site Scripting | StoredExamples<h1>LOL<blink><marquee><br><br>XSS<script>alert(1)</script>"><script>alert(1)</script><!—<script type="text/javascript" src=alert(1)></script><b onMouseOver=alert(1)>bolded text</b><form><button formaction="javascript:alert(1)">xss<video><source onerror="javascript:alert(1)“<input autofocus onfocus=alert(1)><select autofocus onfocus=alert(1)><textarea autofocus onfocus=alert(1)><math href="javascript:alert(1)">CLICKME</math>
  • 27. Cross-Site ScriptingMitigation1. Filter all input2. Escape all output3. Encoding of all HTML special characters (in potentially malicious data) before display by web applications (or client- side script) AKA quoting or escaping <script>alert(xss);</script> V V V &lt;script&gt;alert(xss);&lt;/script&gt;4. Whitelist is better then blacklist policy (blacklist easier to bypass)
  • 28. Cross-Site ScriptingUseful resourcesXSS cheat sheet</xssed> - xss attacks information Me (Firefox add-on)X5s (Fiddler add-on)DOM XSS Scanner (
  • 29. Session Fixation Session fixationSession fixation attacks attempt to exploit the vulnerability of asystem which allows one person to fixate (set) another personssession identifier (SID).
  • 30. Session Fixation ‫׼‬http://example.comA Set-Cookie: SESSIONID=1234 ‫׼‬ LoginV Password OK
  • 31. Session FixationExamplesUsing URL;JSESSIONID=1234 (J2EE) (PHP)Using XSS<script>document.cookie="SESSIONID=1234";</script><script>document.cookie="SESSIONID=1234;%20Expires=Friday,%201-Jan2015%2000:00:00%20GMT";</script>Using Meta tag<meta%20http-equiv=Set-Cookie%20content="SESSIONID=1234">
  • 32. Session FixationMitigation1. Regenerate session ID after a successful login2. Validate user specific data (Agent, IP, HTTP-X-Forwarded-For etc)
  • 33. Fuzzing Fuzzing AKA: Fuzz testingFuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, orrandom data to the inputs of a web application or computerprogram.Fuzzing is commonly used to test for security problems insoftware or computer systems.
  • 34. Brute Force Brute ForceBrute-force attacks are mainly used for guessing passwords andbypassing access control.TypesDictionary attackHybrid attackSearch attack (Brute Force)Rainbow table (Memory Trade Off Attacks)
  • 35. Brute ForceMitigation1. Use CAPTHA2. Use timeout3. Black list suspicious IPsToolsTHC HydraMedusaBurp SuiteMD5 Cracker online resourcesMore at
  • 36. Easy Password v1PasswordCard ( My Facebook password is -  8 RED (3) symbols from right to left: 5R6wfc86 (to hack this password it would take about 106 years)
  • 37. Easy Password v2I used to be an adventurer like you, then I took an arrow in the knee… - Every Skyrim guard
  • 38. Easy Password v2I used to be an adventurer like you, then I took an arrow in the knee… i = 1, !, l iutbaaly a = @, 4 !uTb@aly 8 symbols s = $, 5 8 symbols (about 13 minutes to hack) (about 18 days to hack) g = 9, 6 Host: DOB: 12.06 mk12!uTb@aly06cf 16 symbols (about 193 trillion years to hack)
  • 39. Cross-Site Request Forgery Cross-Site Request Forgery AKA: CSRF (sea surf), XSRF, Session Ridding, One-click, Confused DeputyCSRF is an attack which forces an end user to execute unwanted actions on aweb application in which he/she is currently authenticated.
  • 40. Cross-Site Request Forgery ‫׼‬ Password was changed successfully Malicious web site OKV
  • 41. Cross-Site Request ForgeryExamplesUsing URL Payloads Formatting<img src="><img height="0" width="0"src=""><iframesrc="">
  • 42. Cross-Site Request ForgeryExamplesIframe<iframe style="width: 0px; height: 0px; visibility: hidden"name="hidden"></iframe><form name="csrf" action=""method="post" target="hidden"><input type="hidden" name="email" value=""/><script>document.csrf.submit();</script>HTML Form<html><body> <form method=POST action=""> <input type="text" name="email" value=""> <input type="submit" id="submit"> </form> <script> document.getElementById("submit").click(); </script></body></html>
  • 43. Cross-Site Request ForgeryMitigation1. Use POST rather than GET in forms (partial solution)2. Check HTTP Referrer header3. Require verification (password, CAPTCHA)4. Use session tokens (hash, secret) <input type="hidden" name="sessid" id="sessid" value="sdf8awh2oid0fh">ToolsPinataCSRFTesterCSRF Formbuilder and Formgrabber
  • 44. SQL Injection SQL Injection AKA: SQLi, SQLiaSQL injection is a code injection technique that exploits a security vulnerabilityoccurring in the database layer of an application.
  • 45. SQL Injection ‫׼‬http://example.comA Login Login: admin Password Password: x or 1=1 -- OK OKDB WebApp TRUESELECT * FROM users WHERE login = $login AND password = $password;SELECT * FROM users WHERE login = ‘admin AND password = x OR 1=1 --
  • 46. SQL InjectionExamples and 1=1 (true) and 2=1 (false)Time based wait for delay 0:0:15 and sleep(15)Guessing number of fields union select 1,2 # group by 2 # order by 2 # union select null,@@version # union select null,table_name from information_schema.tables #Semicolon for statement termination; drop table tableName; #; update tableName set filedName=value where...; --
  • 47. SQL InjectionUseful resourcesSQLi cheat sheet Power InjectorSQL Inject Me (Firefox add-on)
  • 48. SQL InjectionMitigation1. Escape/Quotesafe the input (string quoting/parsing)2. Filter input (use whitelists not blacklists)3. Use mechanisms that enforce separation between data and code (prepared statements, parameterized queries, or stored procedures)4. Limit database permissions (start with the lowest permissions)5. Handle errors
  • 49. Email Injection Email Injection AKA: Email Header InjectionEmail injection is a vulnerability that can occur in webapplications that are used to send email messages.User may exploit the MIME format to append additionalinformation to the message being sent, such as a new list ofrecipients or a completely different message body or to sendlarge numbers of messages anonymously.
  • 50. Email InjectionExamplesTO: uses a CR and LF for new LineLinux uses only LFWhere:%0A = LF, line feed, newline (n)%0D = CR, carriage return (r)Mitigation1. Filter input for "r" and "n"
  • 51. Parameter Tampering Parameter Tampering AKA: Parameter manipulation, Insecure direct object referenceParameter Tampering attack is based on the manipulation ofparameters exchanged between client and server in order tomodify application data, such as user credentials andpermissions, price and quantity of products, etc.
  • 52. Parameter TamperingExamplesForm fields<input type="hidden" id="791" name="cost" value="19.99">URL parameters;RequestsPOST /index.php HTTP/1.1Host: example.comUser-Agent: Mozilla/5.0 Gecko/20100101 Firefox/9.0.1Accept-Language: en-US,en;q=0.8,hi-IN;q=0.5,hi;q=0.3Proxy-Connection: keep-aliveReferer: security=low; PHPSESSID=ioodvlu1e0re8draciu5bk1qc3Content-Type: application/x-www-form-urlencodedContent-Length: 45name=test&price=50
  • 53. Parameter TamperingMitigation1. All input must be validated server side for each request (client side validation is easy to bypass)2. Use parameter and cookie encryption3. Do not show internals (such as IDs) to end user (use sessions)4. Use indirect reference map with hard to guess keys (hash) where zS8an31g=5ToolsBurp SuiteWebScarabParos ProxyTamper Data (Firefox add-on)
  • 54. Unrestricted File Upload Unrestricted File UploadUploaded files represent a significant risk to applications.If the attacker succeeds with uploading malicious file to thesystem consequences can vary, including complete systemtakeover.
  • 55. Unrestricted File UploadExamples<?php passthru($_GET[cmd]);?><? system($_REQUEST[cmd]); ?><?php eval($_GET[cmd])?>Mitigation1. Filter input (file extension)2. Use Content-Type request header3. Use file type recognizer (resizer)4. Proper server configuration (restrict permissions)
  • 56. File Inclusion File Inclusion AKA: Local File Inclusion (LFI), Remote File Inclusion (RFI)File inclusion is an attack technique when web applications take user input(URL, parameter value, etc.) and pass them into file include commands, theweb application might be tricked into including (remote) files with maliciouscode.
  • 57. File InclusionExamplesLocal file inclusion (LFI) file inclusion (RFI)
  • 58. Path Traversal Path Traversal (Type of LFI) AKA: Directory Traversal, Dot-Dot-Slash, Directory Climbing, BacktrackingPath Traversal attack technique allows an attacker access to files, directories,and commands that potentially reside outside the web document rootdirectory. The most basic Path Traversal attack uses the ../ special charactersequence to alter the location of the request.
  • 59. Path TraversalExamples ../ = %2e%2e%2f .. = %2e%2e%5cDouble encoding ../ = %252e%252e%252f .. = %252e%252e%255cUnicode/UTF-8 encoding ../ = ..%c0%af .. = ..%c1%9c
  • 60. File InclusionMitigation1. Filter input2. Test incoming value against a regular expression3. Compare incoming value against an array of all possible legal values4. Proper server configuration (restrict permissions or/and disallow external include)ToolsFimap (RFI/LFI scanner)Local File Inclusion Vulnerability Scanner
  • 61. Imperva Top 4Web Application Attack Report 4% 37% 36% Directory traversal SQL injection 23% XSS RFI
  • 62. OWASP Top 10The OWASP Top 10 Web Application Security Risks for 2010 are:01 Injection02 Cross-Site Scripting (XSS)03 Broken Authentication and Session Management04 Insecure Direct Object References05 Cross-Site Request Forgery (CSRF)06 Security Misconfiguration07 Insecure Cryptographic Storage08 Failure to Restrict URL Access09 Insufficient Transport Layer Protection10 Unvalidated Redirects and Forwards
  • 63. CWE Top 252011 CWE/SANS Top 25 Most Dangerous Software Errors01 Improper Neutralization of Special Elements used in an SQL Command02 Improper Neutralization of Special Elements used in an OS Command03 Buffer Copy without Checking Size of Input (Classic Buffer Overflow)04 Improper Neutralization of Input During Web Page Generation (XSS)05 Missing Authentication for Critical Function06 Missing Authorization07 Use of Hard-coded Credentials08 Missing Encryption of Sensitive Data09 Unrestricted Upload of File with Dangerous Type10 Reliance on Untrusted Inputs in a Security Decision11 Execution with Unnecessary Privileges12 Cross-Site Request Forgery (CSRF)13 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)14 Download of Code Without Integrity Check15 Incorrect Authorization16 Inclusion of Functionality from Untrusted Control Sphere17 Incorrect Permission Assignment for Critical Resource18 Use of Potentially Dangerous Function19 Use of a Broken or Risky Cryptographic Algorithm20 Incorrect Calculation of Buffer Size21 Improper Restriction of Excessive Authentication Attempts22 URL Redirection to Untrusted Site23 Uncontrolled Format String24 Integer Overflow or Wraparound25 Use of a One-Way Hash without a Salt
  • 64. ToolsVulnerability scanners:• Acunetix WVS • W3af• Skipfish • Grendel-Scan• AppScan • Websecurify• HP WebInspect • Burp Suite• Nikto (Wikto) • Uniscan• Netsparker • and morePentest Linuxback|track - - - more at…
  • 65. Looking for theoretical background?OWASP of vulnerable sites CAL9000 Project
  • 66. Theory is boring… what about some practical lessons?WebGoat (Damn Vulnerable Web Application) Application Exploits and Defenses SecuriBench hacking questshttp://mod-x.comhttp://hax.tor.hu
  • 67. Main security rules1. Do not trust user input – Use whitelists rather blacklists – Use server side validation2. Start with least privileges3. Keep sensitive information safely
  • 68. Questions?问题和答案Thanks for listening! To be continued… mail: skypename: oseheda