2014 guestlecture-infosec

Guestlecture for Hogeschool Zeeland at 12th of March 2014 by Boy Baukema from Ibuildings on the topic of Web Application Security and the OWASP Top 10.


Transcript

  • 1. Practical Hacking: OWASP Top 10. Boy Baukema, 12th March, HZ, Vlissingen. Wednesday, March 12, 14
  • 2. So who's this guy? Boy Baukema, Security Specialist & Senior Engineer @ Ibuildings.nl, boy@ibuildings.nl, twitter: @relaxnow
  • 3. By what company? Ibuildings (not owned by Apple)
  • 4. A Security what? Security Specialist: Senior Software Engineer + R&D Security + Security Training + Internal Consulting + Internal Security Audits + External Security Audits
  • 5. Okay, what's he doing here? ‣ Introduction (10m) ‣ Before We Dive In (10m) ‣ OWASP TOP 11 2013 (+/- 15m per item) ‣ Where To Next? (10m)
  • 8. Before we dive in...
  • 9. Ethical Hacking & The (Dutch) Law: blog.iusmentis.com, Articles 138ab & 138b (Wetboek van Strafrecht)
  • 10. Responsible Disclosure
  • 11. OWASP Top 11 of 2013
  • 12. OWASP Top 10 2013 BONUS - Clickjacking http://www.youtube.com/watch?v=DRQ8oC2MWAg
  • 13. A10-Unvalidated Redirects and Forwards
  • 14. A10-Unvalidated Redirects and Forwards ‣ http://goo.gl/Gmzqv ‣ https://www.bank.com:login.html@phisher.cn/ ‣ http://www.bank.com:login.html@74.125.131.105 ‣ http://www.bank.com:login.html@1249739625/ ‣ http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/ ‣ http://www.bank.com:login.html@0112.0175.0203.0151/ ‣ http://pc-help.org/o%62s%63ur%65%2e%68t%6D
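The targets on slide 14 are URLs that merely look like they point at www.bank.com: everything before the "@" is userinfo, the real host is what follows it, and 1249739625, 0x4a.0x7d.0x83.0x69 and 0112.0175.0203.0151 are all 74.125.131.105 written as a decimal dword and in hex and octal components; the last path percent-decodes to obscure.htm. Added example, not from the lecture: a Python script contrasting a substring check on the redirect parameter, which accepts every one of them, with a check on the parsed hostname that canonicalises IPv4 spellings first. The allow-listed host, the two safe targets and the look-alike subdomain are assumptions for the demo.

```python
"""Added example (not from the lecture): redirect-target validation.

Shows why a substring check on the redirect parameter passes every
obfuscated URL from the slide, and how a check on the parsed hostname
(with IPv4 literals canonicalised) rejects them.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumption for the demo: the only host we ever redirect to.
ALLOWED_HOSTS = {"www.bank.com"}

# Constructed samples: the obfuscation tricks shown on the slide, a
# look-alike subdomain, and two genuinely safe targets.
SAMPLES = [
    "https://www.bank.com:login.html@phisher.cn/",
    "http://www.bank.com:login.html@74.125.131.105",
    "http://www.bank.com:login.html@1249739625/",
    "http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/",
    "http://www.bank.com:login.html@0112.0175.0203.0151/",
    "http://pc-help.org/o%62s%63ur%65%2e%68t%6D",
    "https://www.bank.com.phisher.cn/login.html",
    "/account/overview",
    "https://www.bank.com/login.html",
]


def naive_is_safe(url: str) -> bool:
    """The broken check: anything that mentions the trusted host is allowed."""
    return "www.bank.com" in url


def canonical_ipv4(host: str):
    """Dotted-quad string for any inet_aton-style spelling of an IPv4 address
    (decimal dword, hex or octal components, 1 to 4 parts), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    try:
        for p in parts:
            if p[:2].lower() == "0x":
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                nums.append(int(p, 8))
            else:
                nums.append(int(p, 10))
    except ValueError:
        return None
    # inet_aton rule: the last component fills all remaining bytes.
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for n, w in zip(nums, widths):
        if not 0 <= n < (1 << w):
            return None
        value = (value << w) | n
    return str(ipaddress.IPv4Address(value))


def strict_is_safe(url: str) -> bool:
    """Allow a same-site path, or an http(s) URL whose real host is allow-listed."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a path, not a scheme-relative '//host'
        # or the backslash variant that some browsers treat as '//'.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if canonical_ipv4(host) is not None:
        return False  # an IP literal in any spelling is never an allowed host
    return host in ALLOWED_HOSTS


def decoded_path(url: str) -> str:
    """Percent-decoded path, to see what 'o%62s%63ur%65%2e%68t%6D' really is."""
    return unquote(urlsplit(url).path)


def compare(urls=SAMPLES) -> dict:
    """Map each URL to (naive verdict, strict verdict, host as the browser sees it)."""
    return {u: (naive_is_safe(u), strict_is_safe(u), urlsplit(u).hostname) for u in urls}


if __name__ == "__main__":
    for u, (naive, strict, host) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} host={host!s:24} {u}")
```

The strict check deliberately refuses every IP literal rather than trying to enumerate spellings: if the allow-list holds hostnames, a numeric host can never match it, whatever base it is written in.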
  • 15. A9-Using Components with Known Vulnerabilities (Apache access log of an automated attack on the JCE image manager plugin for Joomla):
    174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
    174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
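The log on slide 15 shows the sequence an exploitation bot leaves behind: POSTs to the JCE image manager (option=com_jce, plugin=imgmanager) with the "BOT for JCE" User-Agent, then a GET for a PHP file under /images/stories/, the directory where a successful upload would have landed; here the upload answers 500/404 and the shell fetch 404, so this host was not running the vulnerable plugin version. Added example, not from the lecture: a Python detector that parses combined-format access-log lines and reports per source IP how many probes and shell fetches were seen and whether a shell fetch was actually served. The sample log is constructed after the slide's excerpt; the 203.0.113.9 and 198.51.100.7 lines are made up, the latter to show what a successful upload followed by a served shell looks like.

```python
"""Added example (not from the lecture): spotting the JCE probe pattern in
Apache access logs.

Parses combined-format lines and reports, per source IP, how many JCE
image-manager probes and /images/stories/*.php fetches were seen and
whether a shell fetch was served (HTTP 200).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the slide's excerpt. The 174.34.252.13
# lines mirror the slide (upload fails, shell fetch 404s); 203.0.113.9 is
# ordinary traffic; 198.51.100.7 is made up to show a served shell.
SAMPLE_LOG = r'''
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
203.0.113.9 - - [03/Feb/2014:01:02:30 -0500] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2014:02:10:01 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 312 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.7 - - [03/Feb/2014:02:10:03 -0500] "GET /images/stories/story.php HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
'''

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict):
    """'jce_probe' for a JCE image-manager request or the bot's own User-Agent,
    'shell_fetch' for a PHP file requested from the upload directory, else None."""
    split = urlsplit(entry["target"])
    query = parse_qs(split.query)
    if query.get("option") == ["com_jce"] and query.get("plugin") == ["imgmanager"]:
        return "jce_probe"
    if "BOT for JCE" in entry["ua"]:
        return "jce_probe"
    if "/images/stories/" in split.path and split.path.endswith(".php"):
        return "shell_fetch"
    return None


def analyse(log_text: str) -> dict:
    """Per-IP counts of probes and shell fetches, plus whether a shell fetch got 200."""
    per_ip = defaultdict(lambda: {"jce_probe": 0, "shell_fetch": 0, "shell_served": False})
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        rec = per_ip[entry["ip"]]
        rec[kind] += 1
        if kind == "shell_fetch" and entry["status"] == "200":
            rec["shell_served"] = True
    return dict(per_ip)


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        verdict = "shell served, treat host as compromised" if rec["shell_served"] else "probed, no shell served"
        print(f"{ip:15} probes={rec['jce_probe']} shell_fetches={rec['shell_fetch']}  {verdict}")
```

The status code of the shell fetch is what separates noise from an incident: a 404 after the probe means the upload failed, a 200 means a PHP file the site never shipped is now being executed, and patching the plugin at that point is no longer enough.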
  • 16. A8-Cross-Site Request Forgery (CSRF) http://www.youtube.com/watch?v=vRBihr41JTo
  • 17. A7-Missing Function Level Access Control
  • 18. A6-Sensitive Data Exposure
  • 19. A6-Sensitive Data Exposure
  • 20. A5-Security Misconfiguration http://www.exploit-db.com/google-dorks/
  • 21. A4-Insecure Direct Object References
  • 22. A3-Cross-Site Scripting (XSS) http://www.youtube.com/watch?v=a9WNy2ZSq8Y
  • 23. A3-Cross-Site Scripting (XSS)
  • 24. A2-Broken Authentication and Session Management
  • 25. A2-Broken Authentication and Session Management ‣ Session Fixation ‣ Missing Session Timeout ‣ Login over HTTP ‣ Unprotected Password Reset
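The first two items on slide 25, session fixation and missing session timeout, come down to two rules in the session layer: never adopt a session id the client made up, and issue a fresh id when the session's privilege changes (at login); and expire sessions that sit idle. Added example, not from the lecture: a minimal in-memory Python session store whose keyword flags reproduce the weak behaviours so they can be compared with the safe defaults, with two constructed fixation scenarios and an idle-timeout check. The 15-minute timeout, the id length and the planted id string are assumptions for the demo.

```python
"""Added example (not from the lecture): session fixation and missing session
timeout, the first two A2 items on the slide, in a minimal in-memory store.
Timeout, id length and the attacker's planted id are assumptions for the demo."""
import secrets


class SessionStore:
    """Cookie value -> session dict. The keyword flags reproduce the weak
    behaviours the slide lists so they can be compared with the safe defaults."""

    def __init__(self, *, accept_unknown_ids=False, regenerate_on_login=True,
                 idle_timeout=15 * 60):
        self._sessions = {}
        # Weak: adopt any id the client presents (the classic fixation vector).
        self.accept_unknown_ids = accept_unknown_ids
        # Weak when False: keep the pre-login id after authentication.
        self.regenerate_on_login = regenerate_on_login
        # Seconds of inactivity before a session dies; None = 'missing session timeout'.
        self.idle_timeout = idle_timeout

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start(self, now: float) -> str:
        """Begin an anonymous session; returns the id to set as the cookie."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def resolve(self, sid: str, now: float):
        """Session for a presented cookie value, or None (unknown or idle too long)."""
        sess = self._sessions.get(sid)
        if sess is None:
            if self.accept_unknown_ids and sid:
                sess = self._sessions[sid] = {"user": None, "last_seen": now}
                return sess
            return None
        if self.idle_timeout is not None and now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess

    def login(self, sid: str, user: str, now: float):
        """Bind the session to a user. Safe mode issues a fresh id and retires
        the old one, so an id known before login is worthless afterwards."""
        sess = self.resolve(sid, now)
        if sess is None:
            return None
        sess["user"] = user
        if self.regenerate_on_login:
            del self._sessions[sid]
            sid = self._new_id()
            self._sessions[sid] = sess
        return sid


def fixation_via_planted_id(store: SessionStore, now: float = 0.0) -> bool:
    """Constructed scenario: the attacker plants an id of their own choosing
    on the victim. True if the attacker's cookie then reaches the victim's account."""
    planted = "id-chosen-by-attacker"
    if store.login(planted, "victim", now) is None:
        return False
    hijacked = store.resolve(planted, now + 1)
    return hijacked is not None and hijacked["user"] == "victim"


def fixation_via_valid_id(store: SessionStore, now: float = 0.0) -> bool:
    """Constructed scenario: the attacker obtains a real anonymous id from the
    app and plants that one, so accept_unknown_ids does not matter."""
    planted = store.start(now)
    store.login(planted, "victim", now + 1)
    hijacked = store.resolve(planted, now + 2)
    return hijacked is not None and hijacked["user"] == "victim"


def idle_session_survives(store: SessionStore, idle_for: float) -> bool:
    """True if a session left idle for idle_for seconds is still accepted."""
    sid = store.start(0.0)
    store.resolve(sid, 1.0)
    return store.resolve(sid, 1.0 + idle_for) is not None


if __name__ == "__main__":
    weak = SessionStore(accept_unknown_ids=True, regenerate_on_login=False, idle_timeout=None)
    safe = SessionStore()
    print("planted id, weak store:", fixation_via_planted_id(weak))
    print("planted id, safe store:", fixation_via_planted_id(safe))
    print("valid id, no regeneration:", fixation_via_valid_id(SessionStore(regenerate_on_login=False)))
    print("valid id, safe store:", fixation_via_valid_id(SessionStore()))
    print("idle one day, weak store:", idle_session_survives(weak, 86400))
    print("idle one day, safe store:", idle_session_survives(safe, 86400))
```

The second scenario is the one that matters in practice: refusing unknown ids alone does not help when the attacker can obtain a legitimate anonymous id and hand it to the victim, which is why the id must be regenerated at login.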
  • 26. HTTP Strict Transport Security: Strict-Transport-Security: max-age=60000; includeSubDomains
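The value on slide 26 answers the "Login over HTTP" item: once a browser has seen the header over HTTPS it rewrites http:// requests for that host to https:// for max-age seconds. Note that 60000 is in seconds, so this policy lapses after under 17 hours, and a user who comes back a day later makes an unprotected first request again; the header is also ignored when received over plain HTTP. Added example, not from the lecture: a Python parser for the Strict-Transport-Security value following RFC 6797's directive syntax, and an assessment that flags the slide's value and passes a one-year policy. The one-year threshold (which is also the minimum the browser preload list requires) and the two header strings are assumptions for the demo.

```python
"""Added example (not from the lecture): parse and assess a
Strict-Transport-Security header value.

The slide's max-age=60000 is 60000 seconds, under 17 hours. The one-year
threshold below is an assumption for this demo (it is also the minimum the
browser preload list accepts)."""

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds

# Constructed header values: the one from the slide and a hardened one.
SLIDE_HEADER = "max-age=60000; includeSubDomains"
HARDENED_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value: str) -> dict:
    """Split an STS value into its directives (RFC 6797: ';'-separated,
    names case-insensitive, max-age mandatory, no directive twice, unknown
    directives ignored). Raises ValueError on a value a browser would drop."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result


def assess_hsts(value: str, served_over_https: bool = True) -> list:
    """Findings for a policy; an empty list means nothing to complain about."""
    findings = []
    if not served_over_https:
        # RFC 6797 section 8.1: the header is ignored on a non-secure response.
        findings.append("sent over plain HTTP: browsers ignore it")
    policy = parse_hsts(value)
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of setting one")
    elif policy["max_age"] < ONE_YEAR:
        days = policy["max_age"] / 86400
        findings.append(f"max-age {policy['max_age']}s is only {days:.1f} days; use at least one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: an HTTP subdomain can still leak domain cookies")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload is pointless without a one-year max-age and includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, header in (("slide", SLIDE_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label:9} {header!r}")
        for finding in assess_hsts(header):
            print("   -", finding)
```

Start with a short max-age when first rolling HSTS out (a mistake is then self-healing), but raise it to a year or more once every subdomain really serves HTTPS.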
  • 27. A1-Injection
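Injection sits at number one because building a query by string concatenation lets a quote or a comment marker in user input change the statement itself. Added example, not from the lecture: a Python script with a string-built login query beside the parameterised version, run against an in-memory SQLite table, showing two classic bypasses (an "OR '1'='1" tail and a "--" comment) succeeding against the first and failing against the second. The table, its rows and the attacker strings are constructed for the demo; the plaintext passwords are only there to keep the injection visible, a real login table stores hashes.

```python
"""Added example (not from the lecture): a string-built SQL query beside
a parameterised one, on an in-memory SQLite table. Table, rows and attacker
inputs are constructed for the demo; plaintext passwords are for visibility
only, a real login table stores password hashes."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Concatenates user input into SQL: quotes and comment markers in the
    input become part of the statement."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Same query with bound parameters: the input is always data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed attacker inputs.
OR_TRUE = "' OR '1'='1"   # as password: WHERE ... AND password = '' OR '1'='1'
COMMENT_OUT = "bob' -- "  # as username: everything after -- is a comment


def run_demo() -> dict:
    """Each case run against both implementations; values are the user returned."""
    conn = setup_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "or_true_vulnerable": login_vulnerable(conn, "alice", OR_TRUE),
        "or_true_parameterized": login_parameterized(conn, "alice", OR_TRUE),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "comment_parameterized": login_parameterized(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:24} -> {result}")
```

The parameterised version is not "escaping done right": the database driver sends the statement and the values separately, so there is no string in which the input could be interpreted as SQL at all.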
  • 28. Now What?
  • 30. Conferences, People & Resources ‣ Security.nl ‣ Owasp.org ‣ Hackvertor ‣ Webappsec.io ‣ Chris Cornutt ‣ Bruce Schneier ‣ OWASP BeNeLux ‣ OWASP EU ‣ Hack In The Box ‣ Black Hat Europe
  • 31. Companies ‣ Fox-IT ‣ Madison Gurkha ‣ Pine ‣ Ibuildings.nl
  • 32. QUESTIONS. Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec