OWASP Top 10 2013 x CTF Fun and Profit

Transcript

  • 1. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. OWASP Half-Day Event (Hong Kong Chapter). Anthony LAI, Chapter Leader; Alan HO and Zetta KE, Chapter Researchers. OWASP (Hong Kong Chapter), July 2013.
  • 2. OWASP Standard. Web application security and awareness: Top 10, coding guidelines and tools. A well-known industry standard, established for nearly 10 years. A good reference for web application developers, security officers, penetration testers, IT security management, compliance officers and auditors.
  • 3. OWASP Membership and Our Approach. Membership launched for APAC Chapters: 20 USD per year for an individual member (such a bargain!). Corporate members are welcome (5000 USD per year). We commit to giving 3-4 half-day events per year. From the next seminar, only paid members can join the event. No bullshit, no sales talk, no starch: practical work and research. :-)
  • 4. RIP. He passed away in SF before Blackhat (where he was to disclose a hack against a heart pacemaker).
  • 5. Speaker Profiles
  • 6. Speaker Biography and Introduction: Alan HO. Worked as an Application Security specialist. Experienced developer. Passionate over Android and Web hacking. VXRL security researcher and CTF crew member. SANS GWAPT (Gold paper) holder.
  • 7. Speaker Biography and Introduction: Zetta KE. PhD Student in Information Systems at HKUST. VXRL Researcher and CTF MVP (Most Valuable Player). Passionate over Web hacking, Crypto and PHP. Leading web hacking and penetration workshops at Polytechnic University and HKPC with Anthony Lai.
  • 8. Speaker Biography and Introduction: Anthony LAI. Chapter Leader, OWASP HK Chapter. Founder and Researcher, VXRL. Focus on penetration testing, reverse engineering, malware analysis and incident response. Passionate over CTF wargames. Spoke at DEFCON 18-20, Blackhat USA 2010, AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012. SANS GWAPT, GREM and GCFA mentor.
  • 9. Agenda: Introduction (10 minutes); OWASP Top 10 2013 Update (Anthony) (15-20 minutes); XSS flaws in mobile phone browsers (Alan) (30-40 minutes); 15 minutes break; Length Extension Attack (Zetta) (30-40 minutes); CTF for fun and profit (Anthony) (15-20 minutes).
  • 10. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. OWASP Top 10 2013 Update. Anthony LAI, Chapter Leader, OWASP (Hong Kong Chapter), anthonylai@owasp.org, <phone>, July 2013.
  • 11. We have got an update this year.
  • 12. OWASP Top 10: 2010 vs 2013
  • 13. OWASP Top 10: 2010 vs 2013
  • 14. How to interpret each Top 10 item? Threat, vulnerability and risk.
  • 15. How to interpret each Top 10 item? Threat, vulnerability and risk.
  • 16. How to interpret each Top 10 item? Exposure, vulnerable scenario, fix and references.
  • 17. OWASP Top 10 Details and Follow-up. Left to you to read over. It is a process you must walk through: identify the top items on the web applications you manage or own, then implement guidelines and policy with reference to the OWASP standard.
  • 18. Alan's show time: Mobile Phone Browser XSS (SANS gold paper published)
  • 19. Break Time: 15 minutes. Relax a bit … :)
  • 20. Zetta's show time: Length Extension Attack (LEA)
  • 21. CTF (Capture The Flag) for Fun and Profit
  • 22. What is a CTF game? You need to get the key for points. Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hacking and miscellaneous. Top teams can enter the final round of the contest. DEFCON, Plaid CTF, Codegate and Secuinside are famous CTFs on the planet, and we join every year.
  • 23. Why do we enjoy playing? Challenges are practical. They need your knowledge and your skills: understanding vulnerabilities, thinking like an attacker. They train you up to handle the proper tools.
  • 24. Our rank? Any rewards? www.ctftime.org. 4th prize in HITCON CTF 2013 (19-20 July, Taipei).
  • 25. Our world ranking
  • 26. Sample Question (1): Please read the following code; how can you solve it?
  • 27. Sample Question (1): Please read the following code; how can you solve it?
  • 28. Question 1. There are a couple of things to note: we must do the operations in reverse order, since this is the inverse function. The hex2bin function is only available in PHP >= 5.4.0; we had to resort to the documentation to find the alternative: pack("H*", $str).
  • 29. Sample Question (2): How about this? Let us do it together: http://natas14.natas.labs.overthewire.org/
  • 30. Sample Question (2): Remember the basics :)
  • 31. Question (3) – Django RCE Vulnerability. HITCON 2013 Pwn500 question: Django Remote Code Execution (RCE) vulnerability. Django uses Python's Pickle library to serialize the Django object into a string, and the resulting cookie is signed with the key. The reverse action is called “Unpickle”. However, the “Pickle” library has always trusted the data passed to it without validation. Discovered in 2011.
  • 32. A Vulnerable Django: https://github.com/OrangeTW/Vulnerable-Django/
  • 33. If the key leaks, we could generate our own cookie and sign it ourselves.
  • 34. We could even include command execution: 1. Generate and sign the new cookie with command execution. 2. Replace the original cookie with our generated one.
  • 35. Pwned :) (Simply input Guest, type some text in the box and submit.)
  • 36. More than that, we could get the key from the server and change our command to read a file instead ...
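Added example (not from the slides or the Vulnerable-Django repository) showing the defender side of slides 31-36: a signed session cookie whose payload is JSON rather than pickle and is only parsed after the HMAC checks out, plus a restricted unpickler that refuses every global lookup, so a pickle that names a callable fails instead of running. KEY, the function names and the sample data are constructed for the demo.

```python
import base64
import datetime
import hashlib
import hmac
import io
import json
import pickle

# Constructed demo key: a Django deployment would use its SECRET_KEY here.
KEY = b"constructed-demo-key"


def sign_cookie(session: dict, key: bytes) -> str:
    """Serialize the session with JSON (never pickle) and append an HMAC tag."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b"." + tag).decode()


def load_cookie(cookie: str, key: bytes):
    """Check the HMAC before parsing; return None for any tampered or foreign cookie."""
    try:
        payload, tag = cookie.encode().rsplit(b".", 1)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, missing separator or malformed JSON
        return None


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup: a payload naming a callable
    (the vector behind the slide's Django RCE) fails instead of being executed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Return the unpickled plain data, or None if the pickle needs any global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


# Constructed samples: a plain dict needs only builtin opcodes, while a date
# needs the global datetime.date and is therefore rejected by restricted_loads.
PLAIN_PICKLE = pickle.dumps({"user": "guest"})
CLASS_PICKLE = pickle.dumps(datetime.date(2013, 7, 1))
```

Even with a correct signature, a leaked key plus a pickle payload is code execution; with a JSON payload the worst a leaked key gives is a forged session, which is why the serializer choice matters as much as the signing.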
  • 37. CTF fun and profit. The fun is to practice our security “kungfu”. The profit is earning knowledge, building trust and friendship. Sometimes we even get a reward :)
  • 38. Thank you for listening. anthonylai@owasp.org, alanh0@vxrl.org, Ozetta@vxrl.org. P.S.: Non-members cannot get the slides for sure; it depends on the willingness of the speakers to share the slides or not.