2. SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. Limited scope of this intervention
4. OWASP – Top 10 (2013)
5. Demo Web Hacking Simulation Walkthrough
6. Summary
7. Questions
3. DO WE NEED WEB APP. SECURITY?
Well managed infrastructure
Important data on web applications
Malware spreading
10. OPEN WEB APPLICATION SECURITY PROJECT
Make software security visible
Cheat Sheets, Tutorials, Testing guides…
Tools (WebGoat, WebScarab, …)
Library (ESAPI)
…
11. OWASP TOP 10
Broad consensus about what the most critical web application security flaws are.
12. OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. WEBGOAT
is a deliberately insecure web application designed to teach web application security lessons.
15. A1 – INJECTION
User input injected without checking
SQL Injection example
LDAP, Command, XPATH, …
16. A2 – SESSION MANAGEMENT
1. Session Hijacking
Stealing authenticated user’s session ID
2. Session Fixation
Forcing user’s session ID
Example
17. A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to the victim without validation and / or escaping
XSS allows attackers to execute script in the victim's browser, for example to:
hijack users' sessions,
redirect users to malicious sites,
…
1. Reflected XSS example
2. Stored XSS example
18. A5 – SECURITY MISCONFIGURATION
Secure configuration defined and deployed for the:
application,
frameworks,
application server,
web server,
database server,
platform.
Example
19. A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data (credit cards, authentication credentials, ...)
Encryption at rest or in transit
20. A7 – MISSING ACCESS CONTROL
Verify function level access:
before making functionality visible in GUI ✓
when each function is accessed ✗
Access control bypass example
21. A8 – CROSS-SITE REQUEST FORGERY
CSRF example
1. User authenticates to bank.com
2. User visits forum.com
3. Page contains tag
   <img src=bank.com/transfer.jsp?account=attacker&amount=300000>
4. User’s browser makes GET request
   bank.com/transfer.jsp?account=attacker&amount=300000
   without user knowing
22. A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
   http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
   String location = (String) request.getParameter("to");
   response.sendRedirect(location);
3. User thinks (s)he’s accessing trusted.com but is in fact at evil.com
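The fix for the redirector above is to validate the "to" parameter before calling response.sendRedirect(). The following is an added example, not code from the deck: the allowlisted hosts and the resolveRedirect() helper are assumptions, and the servlet would call response.sendRedirect(SafeRedirect.resolveRedirect(request.getParameter("to"))) instead of passing the raw parameter through.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example: a redirect target validator for the "to" parameter.
// Accepts only same-site relative paths and https URLs to allowlisted hosts;
// everything else falls back to the site root instead of being followed.
public class SafeRedirect {
    // Hypothetical allowlist of external hosts the site may redirect to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.trusted.com", "partner.trusted.com");
    private static final String DEFAULT = "/";

    public static String resolveRedirect(String to) {
        if (to == null || to.isBlank()) return DEFAULT;
        URI uri;
        try {
            uri = new URI(to.trim());
        } catch (URISyntaxException e) {
            return DEFAULT;               // unparsable input (e.g. backslashes) is rejected
        }
        // Relative path on this site: no scheme and no authority, and a single leading "/".
        // "//evil.com/..." is rejected because browsers treat it as scheme-relative absolute.
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            String path = uri.getRawPath();
            return (path != null && path.startsWith("/") && !path.startsWith("//"))
                    ? to.trim() : DEFAULT;
        }
        // Absolute URL: only https, no userinfo, host compared case-insensitively.
        if ("https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                && uri.getUserInfo() == null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return uri.toString();
        }
        return DEFAULT;                   // http://www.evil.com, javascript:, data: ... land here
    }

    public static void main(String[] args) {
        String[] inputs = { "/account/home", "//www.evil.com/", "http://www.evil.com",
                            "https://www.trusted.com/login", "javascript:alert(1)", "" };
        for (String in : inputs) {
            System.out.println("\"" + in + "\" -> " + resolveRedirect(in));
        }
    }
}
```

With this in place the lure URL from step 1 (to=http://www.evil.com) resolves to "/" rather than to the attacker's site.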
23. SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures, Awareness
Physical
Perimeter
Internal Network
Host
App
Data
24. AND NOW …
bWAPP
OWASP Top 10
CWE 25
Mitigations (SANS, OWASP Cheat Sheets, …)
Web Services (SOAP & REST)
Mobile
And more …
26. FOLLOW US ON …
nitroxis Nitroxis.BE
@Nitroxis_sprl
Nitroxis sprl
Training and Certification for Information Security Professionals
27. ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.0
Date 2/10/2014
Mail Contact (at) nitroxis.be
Website www.nitroxis.be