DC612 Day - Web Application Security: OWASP Top 10

Title: Web Application Security: OWASP Top 10 by Brian Johnson

Abstract: In this session we will learn how to find, demonstrate how to exploit, and discuss how to prevent the OWASP Top 10 security issues. We will also discuss how these issues are exploited in the real world. Students will have the opportunity to get hands-on experience testing for and exploiting these issues.

Requirements: All attendees interested in participating in the labs will need to bring their own laptop. Laptops should have a wired Ethernet port in order to participate in labs.



  1. OWASP Top 10: Finding and Exploiting AppSec Flaws
  2. Goals
     • Understand common AppSec issues
     • Be able to identify the OWASP Top 10 issues
     • Understand what causes the issues
  3. Why OWASP
     • Free information and projects
     • De facto source for information on web security
     • Vendor and technology neutral
     • This is their mission
  4. Terms
     • HTTP requests: GET vs POST
     • URI/URL
     • Cookies
     • Parameters
     • SSL/TLS
  5. Tools: scanners
     • AppScan
     • WebInspect
     • N-Stalker
     • Skipfish
     • W3AF
     • More at: http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
  6. Tools: intercepting proxies
     • Burp Suite
     • WebScarab
     • Paros Proxy
     • Zed Attack Proxy (ZAP)
  7. Tools: browser plugins
     • TamperData
     • Web Developer
     • Firebug
     • Proxy Switcher
  8. The Top 10 (the 2013 list)
     • Injection
     • Broken Authentication and Session Management
     • Cross-Site Scripting (XSS)
     • Insecure Direct Object References
     • Security Misconfiguration
  9. The Top 10 (continued)
     • Sensitive Data Exposure
     • Missing Function Level Access Control
     • Cross-Site Request Forgery (CSRF)
     • Using Known Vulnerable Components
     • Unvalidated Redirects and Forwards
  10. Scope of attacks
     • Client side: attack the end user and the end user's network
     • Server side: attack the infrastructure
  11. Causes of vulnerabilities
     • Improper input sanitization
     • Programming errors
     • Logic errors
     • Configuration errors
     • Missing security updates
  12. Injection
     • Results from improper input sanitization: untrusted data is mixed into a query or command and the interpreter treats part of it as code
     • Multiple types: SQL, LDAP, XPath, OS commands, ...
  13. SQL Injection
     • Two types
       ◦ Vanilla (or "normal", in-band): query results or database errors are visible in the response
       ◦ Blind: nothing is echoed, so you infer results from differences in behaviour or timing
     • Results from directly inserting user-supplied data into a SQL query
  14. SQL queries
     SELECT * FROM events WHERE id=$id
     • The developer expects $id to be an integer like 3
     • What if $id is: 3 or 1=1
     • Or: 3 union select name, password, role from users; --
     • The UNION only succeeds when it selects the same number of columns as the original query; the trailing -- comments out whatever SQL follows the injection point
  15. How to find
     • Check all inputs to see if you can create an error message
       ◦ Single quote '
       ◦ Double quote "
       ◦ SQL comments (--, #, /* */)
       ◦ SQL verbs and operators (or, and, union, ...)
  16. How to find
     • If errors are trapped, you have to look for differences between query results
       ◦ Unbalanced vs balanced quotes
       ◦ An always-true vs an always-false condition (and 1=1 vs and 1=2)
       ◦ SQL errors
       ◦ ...
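Slides 13 to 16 in runnable form. This is an added example, not code from the talk (the talk's demos are PHP against a lab server); it uses Python's built-in sqlite3 so it runs offline. The events and users tables, their rows, and their three-column layout are assumptions made for the example; the payloads are the ones on slide 14.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the talk's events and users tables.
    The column layout is an assumption; note both tables have three columns,
    which is what lets the UNION payload below succeed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events(id INTEGER, name TEXT, owner TEXT);
        INSERT INTO events VALUES (1, 'DC612 meetup', 'public'),
                                  (2, 'board meeting', 'staff'),
                                  (3, 'OWASP training', 'public');
        CREATE TABLE users(name TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2', 'admin'),
                                 ('bob', 'letmein', 'user');
    """)
    return db


def vulnerable_lookup(db, id_param):
    """Slide 14's bug: the request parameter is pasted into the SQL text, so
    whatever it contains is parsed as SQL."""
    return db.execute(f"SELECT * FROM events WHERE id={id_param}").fetchall()


def safe_lookup(db, id_param):
    """Fix: a parameterised query. The value travels to the engine separately
    from the SQL text and is compared as data, never parsed as SQL. Checking
    that id_param is an integer is still good practice, but it is the
    parameter binding that stops the injection."""
    return db.execute("SELECT * FROM events WHERE id=?", (id_param,)).fetchall()


def observe(lookup, db, value):
    """What a tester sees from outside: an error, or how many rows came back."""
    try:
        return ("ok", len(lookup(db, value)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def find_injection(lookup, db, baseline="3"):
    """Slides 15 and 16 as a procedure. Returns the evidence found; an empty
    list means no sign of injection."""
    evidence = []
    base = observe(lookup, db, baseline)
    # Slide 15: append a stray quote or SQL verb and look for an error.
    for suffix in ("'", '"', " or", " union"):
        probe = baseline + suffix
        if observe(lookup, db, probe)[0] == "error":
            evidence.append(f"error on {probe!r}")
    # Slide 16: if errors are trapped, compare an always-true and an
    # always-false condition. Same result as the baseline for the true one and
    # a different result for the false one means the input is being evaluated
    # as SQL; this is the basis of blind injection.
    if (observe(lookup, db, baseline + " and 1=1") == base
            and observe(lookup, db, baseline + " and 1=2") != base):
        evidence.append("response differs between 'and 1=1' and 'and 1=2'")
    return evidence


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "3 or 1=1"))   # every event, including the 'staff' one
    print(vulnerable_lookup(db, "3 union select name, password, role from users"))
    print(safe_lookup(db, "3 or 1=1"))         # []  (compared as a literal value)
    print(find_injection(vulnerable_lookup, db))
    print(find_injection(safe_lookup, db))     # []
```

Running the same probes against the parameterised version produces no errors and no true/false difference, which is exactly the negative result slide 16 tells you to look for.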
  17. Demo: http://192.168.203.152/demo/comments.php
  18. Try it: https://challenge.subversiveresearch.org/index.php
  19. Broken Authentication and Session Management
     • Logic, programming or configuration errors
     • Exposes passwords or session tokens
     • Allows users to act as another user
       ◦ Horizontal: as another user at the same privilege level
       ◦ Vertical: as a user with more privileges (e.g. an administrator)
  20. Cause
     • Logic errors
     • Security through obscurity
     • Enforcing permissions on the wrong portion of the application (hiding a link instead of checking on the server)
  21. How to find
     • Try to access functionality that your user shouldn't have access to
     • Modify user-identifying information (user IDs, usernames, session tokens) in requests
  22. Demo: http://192.168.203.152/demo/badlogin.php
  23. Cross-Site Scripting (XSS)
     • Results from improper input sanitization
     • Client-side attack: the payload runs in the victim's browser
     • Two types
       ◦ Reflected: the payload is in the request and echoed back in the response
       ◦ Stored: the payload is saved by the application and served to later visitors
  24. Cause
     • Direct use of user-supplied input in the page:
       echo("Hello $_POST[name]");
  25. How to find
     • Check all inputs to see if dangerous characters are properly escaped or deleted
       ◦ Text fields
       ◦ Hidden variables
       ◦ Cookies
       ◦ etc.
     • Proper escaping varies depending on the context (HTML body, attribute, JavaScript, URL)
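Slides 24 and 25 as code, added here and not part of the talk. The talk's vulnerable line is PHP; this Python version shows the same bug beside the escaping each output context needs (html.escape is the equivalent of PHP's htmlspecialchars), plus slide 25's check of whether a probe comes back with its dangerous characters intact. The page fragments and the probe string are constructed for the example.

```python
import html
import json
from urllib.parse import quote as url_quote


def vulnerable_greeting(name):
    """Same bug as the slide's echo("Hello $_POST[name]"): the input is copied
    into the HTML unchanged, so a <script> tag or event handler in it runs."""
    return f"<p>Hello {name}</p>"


def greeting_in_html_body(name):
    """HTML body context: escape & < > " ' so the input is text, not markup."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def greeting_in_attribute(name):
    """Attribute context: the same escaping, but the attribute must also be
    quoted, otherwise a space in the input starts a new attribute."""
    return f'<input name="who" value="{html.escape(name, quote=True)}">'


def greeting_in_script(name):
    """JavaScript string context: HTML escaping is wrong here (the user would
    see &lt;). JSON-encode instead, and break up "</" so the input cannot
    contain a literal </script> that ends the block early."""
    literal = json.dumps(name).replace("</", "<\\/")
    return f"<script>var who = {literal};</script>"


def greeting_in_url(name):
    """URL query context: percent-encode so & and # cannot add parameters or
    truncate the link."""
    return f'<a href="/profile?user={url_quote(name, safe="")}">profile</a>'


# Constructed probe: closes an attribute and a tag, then injects a script.
PROBE = '"><script>alert(1)</script>'


def reflects_unescaped(render, probe=PROBE):
    """Slide 25's check: does the probe come back with its dangerous characters
    intact? True means the input is not being escaped for that output."""
    return probe in render(probe)


if __name__ == "__main__":
    for render in (vulnerable_greeting, greeting_in_html_body, greeting_in_attribute,
                   greeting_in_script, greeting_in_url):
        print(f"{render.__name__:22s} reflects unescaped: {reflects_unescaped(render)}")
        print("    ", render(PROBE))
```

The point of the four safe variants is the last line of slide 25: one escaping function does not cover every context, and applying HTML escaping inside a script block or a URL is both wrong for the user and insufficient against the attacker.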
  26. Demo: http://192.168.203.152/demo/xss.php and http://192.168.203.152/demo/xss-prevented.php
  27. Try it
     • Reflected: https://challenge.subversiveresearch.org/
     • Stored: https://challenge.subversiveresearch.org/image.php?i
  28. Insecure Direct Object References
     • Results from using a user-supplied reference without an access control check (validating the input's format alone does not fix it)
     • Parameters directly refer to objects used in business logic
       ◦ Account numbers
       ◦ Prices
       ◦ File names
       ◦ etc.
  29. How to find
     • Check for parameter names that reference business logic
     • Modify parameters to see how they affect what data is presented to you or what values are calculated
  30. Demo: http://192.168.203.152/demo/idor.php
  31. Security Misconfiguration
     • Improper configurations: default accounts, unnecessary services or sample applications, verbose error messages, directory listings, missing hardening
  32. How to find
     • Vulnerability scanners
     • System audit
  33. Sensitive Data Exposure
     • Improper storage of sensitive data
       ◦ Authentication data (plaintext or weakly hashed passwords)
       ◦ Credit card data
       ◦ SSNs
     • Failure to encrypt sensitive data in transit
       ◦ No SSL/TLS
       ◦ More than just web traffic (database, mail and other backend connections too)
     • Unnecessary data returned to the client
  34. How to find
     • Improper storage of sensitive data
       ◦ Look at data you retrieved from other attacks
       ◦ Audits of the systems are more effective
     • Failure to encrypt sensitive data in transit
       ◦ Look at the URL (http:// rather than https://, secrets in query strings)
       ◦ Capture traffic
       ◦ Man-in-the-middle if necessary
  35. Missing Function Level Access Control
     • Logic error in protecting links/functions: the page is left out of the menu, but the server never checks who calls it
     • Often vertical access control
  36. How to find
     • If you have multiple accounts at different privilege levels, try to access content for a higher privilege level as a lower-privilege user
     • Guess common page names
       ◦ admin.[php|asp|html|...]
       ◦ console.[php|asp|html|...]
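Slides 28/29 (horizontal access to another user's object) and 35/36 (vertical access to an unlinked admin function) are the same mistake, a missing server-side check, so one added example covers both. This is illustration code, not the talk's; the User class, the ACCOUNTS table, the account numbers and the decorator are all assumptions made for it.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed data. The account number is the direct object reference that
# arrives in the request, e.g. ?acct=1002.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 500},
    1002: {"owner": "bob", "balance": 12000},
}


class Forbidden(Exception):
    pass


def view_account_idor(current_user, account_id):
    """Slide 28's bug: the reference from the request is looked up as-is.
    Alice changes 1001 to 1002 and reads Bob's account (horizontal)."""
    return ACCOUNTS[account_id]


def view_account(current_user, account_id):
    """Fix: look the object up, then check it against the caller, on the
    server, for every request, regardless of which links were shown."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or (acct["owner"] != current_user.name and current_user.role != "admin"):
        # One answer for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate valid account numbers.
        raise Forbidden("account not accessible")
    return acct


def require_role(role):
    """Slide 35's fix: a function-level (vertical) check enforced in code."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


def list_all_accounts_unprotected(current_user):
    """Slide 35's bug: the admin page is 'protected' only by not being linked."""
    return sorted(ACCOUNTS)


@require_role("admin")
def list_all_accounts(current_user):
    return sorted(ACCOUNTS)


def tamper_test(fn, as_user, *args):
    """Slides 29 and 36 as a check: call the function as a low-privilege user
    with a tampered parameter (or none) and report whether it went through."""
    try:
        fn(as_user, *args)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    alice = User("alice", "user")
    print("IDOR, alice reads 1002:      ", tamper_test(view_account_idor, alice, 1002))
    print("fixed, alice reads 1002:     ", tamper_test(view_account, alice, 1002))
    print("unlinked admin page, alice:  ", tamper_test(list_all_accounts_unprotected, alice))
    print("role-checked admin, alice:   ", tamper_test(list_all_accounts, alice))
```

The tamper_test helper is the whole of slides 29 and 36: log in as the low-privilege account, change the reference or request the unlinked page, and see whether the server answers.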
  37. Demo: http://192.168.203.152/demo/login.php
  38. Try it: https://challenge.subversiveresearch.org/manage.php
  39. Cross-Site Request Forgery (CSRF)
     • Confused deputy attack
     • Make the victim's browser send a request of your choosing; the browser attaches the victim's cookies, so the application treats it as the victim's own action
  40. How to find
     • Look for state-changing actions that depend only on cookie values and well-known or public data
     • Even if the request needs a value you would have to guess, check that the value is actually unpredictable and tied to the victim's session
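Slides 39 and 40 as code: an added example, not the talk's demo. Requests are modelled as plain dictionaries of cookies and form fields; the session table, the money-transfer action, the server key and the HMAC-based token scheme are assumptions made for the example. The weak_csrf_token variant is there to show slide 40's second point, a "token" that can be guessed from public data.

```python
import hashlib
import hmac
import secrets

# Constructed data: session cookie value -> logged-in user.
SESSIONS = {"c0ffee": "alice"}

# Assumed per-deployment secret (in a real application loaded from configuration).
SERVER_KEY = secrets.token_bytes(32)


def _do_transfer(user, form):
    return f"{user} sent {form['amount']} to {form['to']}"


def transfer_vulnerable(request):
    """Slide 39's pattern: only the session cookie is checked. A form on an
    attacker's page that auto-submits to this URL is sent by the victim's
    browser with the victim's cookie attached, so it passes."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "login required"
    return _do_transfer(user, request["form"])


def csrf_token(session_id, key=SERVER_KEY):
    """Token bound to the session: HMAC(key, session_id). Not computable
    without the key, and useless if replayed against a different session."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_protected(request, key=SERVER_KEY):
    """Fix: the form must carry a token the attacker's page cannot know (the
    same-origin policy stops it reading the token out of our pages)."""
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "login required"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(sid, key), supplied):  # constant-time compare
        return "rejected: missing or bad csrf token"
    return _do_transfer(user, request["form"])


def weak_csrf_token(username):
    """Anti-pattern from slide 40: a 'token' derived from public data only.
    Anyone who knows the victim's username can compute it."""
    return hashlib.sha256(username.encode()).hexdigest()


def transfer_weak_token(request):
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "login required"
    if not hmac.compare_digest(weak_csrf_token(user), request["form"].get("csrf_token", "")):
        return "rejected: missing or bad csrf token"
    return _do_transfer(user, request["form"])


def forged_request(guessed_token=None):
    """What the attacker's page yields: the attacker picks the form fields,
    the browser adds the victim's cookie. A token can be included only if the
    attacker can guess it."""
    form = {"to": "mallory", "amount": "1000"}
    if guessed_token is not None:
        form["csrf_token"] = guessed_token
    return {"cookies": {"session": "c0ffee"}, "form": form}


def legitimate_request():
    """The victim's own form submission, carrying the token our page issued."""
    return {"cookies": {"session": "c0ffee"},
            "form": {"to": "bob", "amount": "20", "csrf_token": csrf_token("c0ffee")}}


if __name__ == "__main__":
    print(transfer_vulnerable(forged_request()))                              # goes through
    print(transfer_protected(forged_request()))                               # rejected
    print(transfer_protected(legitimate_request()))                           # goes through
    print(transfer_weak_token(forged_request(weak_csrf_token("alice"))))      # forged anyway
```

The test on slide 40 maps onto the last line: if you can build the extra value from the victim's username, a timestamp, or anything else the attacker can know, the action is still forgeable.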
  41. Demo: http://192.168.203.152/demo/xsrf.php
  42. Try it
     • https://challenge.subversiveresearch.org/manage.php
     • https://challenge.subversiveresearch.org/image.php?i
  43. Using Known Vulnerable Components
     • Framework or third-party components contain vulnerabilities
       ◦ Missing patches
       ◦ 0-days
  44. How to find
     • Vulnerability scanners
     • Server headers/banners (version strings in Server, X-Powered-By and similar headers)
  45. Unvalidated Redirects and Forwards
     • Improper validation of forwarding or redirect targets
     • Useful in phishing or drive-by attacks
     • Betrays a user's trust in a site: the link they click starts at a domain they trust
  46. How to find
     • Look for URLs or URL fragments in parameters (typically named next, url, redirect or similar) and modify these
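Slides 45 and 46 as code, added here and not part of the talk. The site origin, the probe list and the redirect handlers are assumptions made for the example. It goes a little beyond the slide in that the probes cover the variants a tester should always try: a scheme-relative URL, a backslash variant, a non-HTTP scheme, and hosts that merely contain the trusted name.

```python
from urllib.parse import urljoin, urlsplit

# Assumed origin of the application being tested.
SITE_ORIGIN = "https://www.example.com"


def redirect_vulnerable(next_param):
    """Slide 45's pattern: login.php?next=... is copied into the Location header."""
    return next_param


def safe_redirect_target(next_param, site_origin=SITE_ORIGIN, fallback="/"):
    """Fix: resolve the parameter the way a browser would, accept it only if it
    lands on our own origin, and rebuild the target from our origin plus the
    path and query. Anything else goes to the fallback."""
    if not next_param or next_param != next_param.strip():
        return urljoin(site_origin, fallback)
    if any(ch in next_param for ch in "\\\r\n"):
        # Browsers treat a backslash as a slash ("/\evil.example" is "//evil.example");
        # CR or LF inside a Location value is header injection.
        return urljoin(site_origin, fallback)
    resolved = urlsplit(urljoin(site_origin, next_param))
    origin = urlsplit(site_origin)
    if resolved.scheme != origin.scheme or resolved.netloc.lower() != origin.netloc.lower():
        return urljoin(site_origin, fallback)
    target = resolved.path or "/"
    if resolved.query:
        target += "?" + resolved.query
    # Returning an absolute URL built from our own origin means a path such as
    # "//evil.example" can never be read back as a scheme-relative URL.
    return site_origin + target


# Constructed probes for slide 46.
PROBES = [
    "https://evil.example/",
    "//evil.example/",
    "/\\evil.example/",
    "javascript:alert(1)",
    "https://www.example.com.evil.example/",
    "https://www.example.com@evil.example/",
]


def escapes_site(location, site_origin=SITE_ORIGIN):
    """Would a browser following this Location value end up off our origin?"""
    if "\\" in location:
        return True
    origin = urlsplit(site_origin)
    landed = urlsplit(urljoin(site_origin, location))
    return (landed.scheme, landed.netloc.lower()) != (origin.scheme, origin.netloc.lower())


def find_open_redirect(handler, probes=PROBES):
    """Slide 46 as a check: feed each probe to the redirect handler and list
    those whose resulting Location leaves the site."""
    return [p for p in probes if escapes_site(handler(p))]


if __name__ == "__main__":
    print(find_open_redirect(redirect_vulnerable))      # every probe
    print(find_open_redirect(safe_redirect_target))     # []
    print(safe_redirect_target("/account?tab=cards"))   # stays on our origin
```

The reason the fix rebuilds the URL instead of echoing a "validated" input is that string checks such as "starts with /" or "contains our hostname" are exactly what the scheme-relative, backslash and look-alike-host probes defeat.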
  47. Demo: http://192.168.203.152/demo/login.php
  48. Try it: https://challenge.subversiveresearch.org/image.php?i
  49. In the news
     • SQL injection: Anonymous and LulzSec; Sony et al.
     • Insecure direct object references: Citibank
  50. What next: vulnerable web applications to practise on
     • Damn Vulnerable Web Application (DVWA)
     • BadStore
     • Hacme Bank | Casino | Books | Travel | ...
     • WebMaven
     • Buggy Bank
     • ...
  51. Questions? brian.l.johnson@gmail.com, @brianljohnson
