Exploitation of Injection and XSS

1. OWASP Top 10 Vulnerabilities
   Let's exploit Injection and XSS
   Kim Carter – ANZTB Monday 2013-08-26 Meetup

2. OWASP is coming to Christchurch
   OWASP Day 2013
   https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013
   OWASP Resources
   ● Top 10
   ● Cheat Sheets
   ● Tutorials
   ● Guides
   ● Projects, Tools and Code Libraries

3. Most common security vulnerabilities found in web apps in 2013

4. Kali Linux
   ● Free and open source (GNU Linux) OS
   ● Targets professional security auditors and penetration testers
   ● All tools shipped are free and open source
   ● No profit involved
   ● Many of the over 300 security tools have been provided as free versions that do the same job as the paid-for versions
   Up and Running with Kali Linux

5. Discuss tools I use very frequently
   Firefox Add-Ons
   ● Tamper Data. Very simple proxy, but very easy to use
   ● FoxyProxy: a real time saver
   ● HackBar
   ● XSS Me
   ● SQL Inject Me
   Chrome extensions
   ● FoxyProxy
   ● Cookies
   ● Edit this Cookie
   Burp Suite

6. There are a large number of training apps and intentionally vulnerable web apps freely available. I've organised three to work through to whet your appetite. I'd encourage you to take them further.

7. What is Injection
   1. Attacker injects (generally malicious) code into website.
   2. Change the course of execution on related system/s. Gain information. Privilege escalation. Manipulate / destroy stored data. Destroy system/s.
   Varieties
   ● Command, SQL, XPath, Query String
   ● Lots of derivatives of these

8. Workshop WebGoat
   Start here: http://owaspbwa/WebGoat/attack
   Injection: Command Injection

9. Workshop DVWA
   Start here: http://owaspbwa/dvwa
   Injection: SQL String Injection

10. Injection Mitigation techniques
    ● Similar techniques to XSS +
    ● Avoid accessing external interpreters
    ● Use well structured parameters
    ● Least privilege
    ● OWASP Prevention Cheat Sheets
    ● Break it!
    Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
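The two injection workshops (slides 8 and 9) and the mitigation list on slide 10 come together in the small example below. It is an added illustration, not code from the talk, WebGoat or DVWA: a constructed in-memory SQLite table, a string-concatenated lookup of the kind DVWA's SQL lesson targets beside the parameterised ("well structured parameters") version, and a whitelist-validated argv builder that keeps a hostname out of any shell interpreter ("avoid accessing external interpreters"). All function names and the sample rows are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """String concatenation: the SQL interpreter parses whatever the user typed
    as part of the statement, so a tautology such as x' OR '1'='1 widens the
    WHERE clause to every row (the DVWA SQL String Injection behaviour)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the statement text is fixed and the value travels
    separately as data, so the same input matches nothing."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Whitelist for a DNS hostname: labels of letters, digits and internal hyphens.
# Anything else (spaces, ';', '|', '$', quotes) is rejected before use.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_argv(host):
    """Build the argument vector for a host check without a shell.

    The list form is what you would hand to subprocess.run(argv) (never
    shell=True), so there is no interpreter for metacharacters to reach;
    the whitelist check stops the value ever becoming a second argument.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("host does not match the hostname whitelist")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "x' OR '1'='1"))  # every row leaks
    print(lookup_user_safe(db, "x' OR '1'='1"))        # []
    print(ping_argv("example.com"))
```

Run it once with the tautology input to see the vulnerable lookup return all three rows while the parameterised one returns an empty list; the least-privilege point on slide 10 applies on top of this (the database account used here should only be able to read `users`, so even a successful injection has little to reach).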
11. What is XSS
    1. Attacker injects (generally malicious) code into website.
    2. When victim requests website code, attacker's code is executed.
    Varieties
    ● File Upload
    ● Reflected (non-persistent)
    ● Stored
    ● Lots of derivatives of these

12. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    File Upload XSS

13. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    Reflected XSS
    Handy Links:
    ● URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp
    ● ASCII: http://asciitable.com
    ● XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

14. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    Stored XSS

15. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    Stored XSS via HTML Attribute

16. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    Stored XSS via AJAX

17. When the user clicks the refresh button, the response looks like:
    In the mark-up the snippet looks like:

18. Workshop Gruyere
    Start here: http://google-gruyere.appspot.com/
    XSS: http://google-gruyere.appspot.com/part2
    Reflected XSS via AJAX

19. XSS Mitigation techniques
    ● Constrain all input fields to well structured data
    ● White-lists for each type of structured data
    ● Sanitise
    ● OWASP Prevention Cheat Sheets
    ● Break it!
    Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
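The Gruyere XSS variants on slides 11 to 18 (element content, HTML attribute, and data returned to AJAX callers) each need a different output rule, which is why slide 19 pairs whitelisting with sanitising. The example below is added here and is not code from the talk or from Gruyere; it shows one whitelist validator for a structured field and one output encoder per context, using only the Python standard library. Function names, the username rule and the sample inputs are assumptions for the illustration.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Whitelist for a structured field: if a username can only be [A-Za-z0-9_],
# nothing that could become mark-up is accepted in the first place.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Reject anything outside the whitelist rather than trying to strip it."""
    if not USERNAME_RE.match(value):
        raise ValueError("username contains characters outside the whitelist")
    return value


def render_comment_html(text):
    """Element-content context: escape & < > " ' before the text lands
    between tags, so a stored comment can never open a <script> element."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def render_attribute(name, value):
    """Attribute context (the 'Stored XSS via HTML Attribute' case): the value
    is always quoted and quotes inside it are escaped, so it cannot break out
    of the attribute and add a new one."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def render_link(url, label):
    """URL context: escaping alone does not help here, because a 'javascript:'
    URL is valid attribute text. Whitelist the scheme, then escape."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("URL scheme not allowed")
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )


def to_json_for_script(obj):
    """JSON for AJAX responses or inline <script> data (the 'XSS via AJAX'
    cases): encode < > & as \\uXXXX so a stored value such as '</script>'
    cannot terminate the script block; the JSON still parses identically."""
    return (
        json.dumps(obj)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


if __name__ == "__main__":
    # Constructed sample inputs of the shape each Gruyere lesson feeds back.
    print(render_comment_html("<script>alert(1)</script>"))
    print(render_attribute("q", '" onmouseover="alert(1)'))
    print(to_json_for_script({"msg": "</script><script>alert(1)</script>"}))
```

The point to take from running it is that the same stored string is harmless in one context and live in another: `html.escape` is enough for element content, quoting plus escaping is needed for attributes, a scheme whitelist is needed for links, and JSON bound for a page must be encoded for the HTML parser as well as the JSON parser.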
20. Extra Resources
    Sanitising User Input
    ● http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-p
    ● http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-p
    Write-up on Kali Linux
    ● http://pentestmag.com/
    Tool junkie? Check out this collection
    ● http://www.softwareqatest.com/qatweb1.html

21. Deliberate Insecure Targets and Training Platforms that I've screened.
    ● Hacking Lab: https://www.hacking-lab.com/
    ● Nebula: http://exploit-exercises.com/
    ● Gruyere: http://google-gruyere.appspot.com/
      Can run locally, but best to run from web
    ● Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
      - VMware and VirtualBox versions. Looks like quite a bit of documentation. Actively maintained.
      - Vulnerable targets: WebGoat, Gruyere, Damn Vulnerable Web App.
      - http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken

22. Deliberate Insecure Targets and Training Platforms that I've screened.
    w3af test website: https://github.com/andresriancho/w3af-moth
    VMware image: http://www.bonsai-sec.com/en/research/moth.php
    Various other unmaintained websites
    ● Damn Vulnerable Web Application (DVWA): http://dvwa.co.uk/
      Not sure where the documentation is? Maybe embedded in the download?
    ● Acunetix 1: http://testphp.vulnweb.com/
    ● Acunetix 2: http://testasp.vulnweb.com/
    ● Acunetix 3: http://testaspnet.vulnweb.com/
      These three are online.
    ● Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibera
      Easy to follow. Geared towards a classroom environment.

23. Deliberate Insecure Targets and Training Platforms that I've screened.
    ● WebGoat
      - Platform: J2EE web application
      - Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
      - Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation on a production network with little worry.
      - How-tos: http://webappsecmovies.sourceforge.net/webgoat/
      - Setting up on non-localhost: https://code.google.com/p/webgoat/wiki/FAQ
    ● OWASP Broken Web Applications project
      - https://code.google.com/p/owaspbwa/wiki/UserGuide
      - This has a great selection of training apps along with intentionally vulnerable apps.
      - It contains a lot of the apps already discussed.