
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla


The talk will be including the following:
– The importance of Web Security
– Discussing latest release of OWASP Top 10 2017 vulnerabilities
– Discussing available open source security tools such as OWASP ZAP, Vega Scanner, Open VAS, Nikto and Uniscan
– Live Demo
– Q&A


Slide 1: Securing the Web, 4.14.2018. Sumanth Damarla, Tech Speaker, Mozilla

Slide 2: Importance of Web Security

Slide 3: CEOs worrying about security's impact on company growth: 61% (1400 CEOs, 83 countries). Source: Global State of Information Security Survey

Slide 4: OWASP TOP 10 2017. Source: Imperva blog.

Slide 5: Code Injection

Slide 6: Example. The application uses untrusted data in the construction of the following vulnerable SQL call:
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
  In this case, the attacker modifies the 'id' parameter value in her browser to send: ' or '1'='1. For example:
    http://example.com/app/accountView?id=' or '1'='1
  This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
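The following is an added example, not code from the deck: it rebuilds slide 6's query in Python over an in-memory SQLite table (constructed sample rows) and places the concatenated form next to the parameterized form, so you can see that the same ' or '1'='1 input returns every account from the first and nothing from the second. The table name and column names follow the slide; the sample rows are invented.

```python
import sqlite3

# Constructed sample data standing in for the deck's "accounts" table.
SAMPLE_ACCOUNTS = [("1001", "alice"), ("1002", "bob"), ("1003", "carol")]

# The exact value the slide's attacker supplies for the id parameter.
PAYLOAD = "' or '1'='1"


def make_db():
    """Create an in-memory accounts table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """Same construction as the slide's Java line: the parameter is pasted into the SQL text."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Placeholder binding: the driver sends the value separately, so it cannot change the
    statement's structure. The payload is simply compared as a literal custID and matches nothing."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))     # all three rows
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
```

The parameterized variant is the fix for the class of problem on slide 6; the surrounding framework (JDBC PreparedStatement in the Java case) offers the same placeholder mechanism.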
Slide 7: Hacker Goals: information leakage; disclosure of data; manipulation of stored data; bypassing authorisation controls

Slide 8: Broken Authentication

Slide 9: Example. Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:
    http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
  An authenticated user of the site wants to let his friends know about the sale. He emails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
  Scenario #2: Application's timeouts aren't set properly. User uses a public computer to access the site. Instead of selecting "logout" the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated.
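An added example (not from the deck) covering both scenarios on slide 9: a server-side session store that issues random IDs, enforces idle and absolute timeouts so a closed tab stops being a valid login after a while, carries the ID in a cookie rather than the URL, and a small checker that flags links which still carry a session ID in the query string. The timeout values and the list of parameter names are assumptions chosen for the demonstration.

```python
import secrets
from urllib.parse import parse_qs, urlparse

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes of inactivity ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: re-authenticate after 8 hours regardless


class SessionStore:
    """Sessions live on the server; the client only holds an opaque random handle."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)  # 256 random bits, not a predictable counter
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now):
        """Return the session's user, or None if unknown, idle too long, or too old."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expire server-side; a closed tab is not a logout
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Transport the ID in a cookie with HttpOnly/Secure/SameSite, never in the URL."""
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Assumed list of query-parameter names that typically carry a session identifier.
SESSION_PARAM_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid", "session", "token"}


def session_id_in_url(url):
    """Names of query parameters that look like session IDs (URL-rewriting leak check)."""
    qs = parse_qs(urlparse(url).query)
    return sorted(k for k in qs if k.lower() in SESSION_PARAM_NAMES)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("traveller", now=0)
    print(set_cookie_header(sid))
    print("valid after 1 min:", store.validate(sid, 60))
    print("valid after 1 hour idle:", store.validate(sid, 60 + 3600))
    print("leaky params:", session_id_in_url(
        "http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii"))
```

Running `session_id_in_url` over access logs or outbound e-mail templates is a cheap way to find the URL-rewriting pattern from scenario #1 before users do.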
Slide 10: Hacker Goals: undermined authorization and accountability controls; privacy violation; identity theft

Slide 11: Sensitive Data Exposure

Slide 12: Example. Scenario #1: A site simply doesn't use SSL for all authenticated pages. An attacker simply monitors network traffic (like an open wireless network) and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's session, accessing the user's private data.

Slide 13: XML External Entities

Slide 14: Example. Scenario #1: An attacker probes the server's private network by changing the above ENTITY line to:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]>
    <foo>&xxe;</foo>
  Response:
    HTTP/1.0 200 OK
    Hello, I'm a file on the local network (behind the firewall)

Slide 15: Scenario #2: An attacker attempts a denial-of-service attack by including a potentially endless file:
    POST http://example.com/xml HTTP/1.1
    <!DOCTYPE foo [
      <!ELEMENT foo ANY>
      <!ENTITY bar "World ">
      <!ENTITY t1 "&bar;&bar;">
      <!ENTITY t2 "&t1;&t1;&t1;&t1;">
      <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;">
    ]>
    <foo> Hello &t3; </foo>

Slide 16: Response:
    HTTP/1.0 200 OK
    Hello World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World
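An added example, not part of the deck, for the two XXE scenarios on slides 14 to 16. It is a pre-parser check a service can run on inbound XML before handing it to the real parser: any SYSTEM (external) entity is rejected outright, and internal entities are expanded only after the expanded size has been computed cheaply from the declarations (the usual defence against the expansion attack on slide 15). The slide's two documents are embedded verbatim as test input; the 10,000-byte budget and `constructed_bomb` are assumptions for the demonstration. The size calculation goes slightly beyond the slide by also catching self-referencing entities.

```python
import re

# Declarations of the form <!ENTITY name "value"> or <!ENTITY name SYSTEM "uri">.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(SYSTEM\s+)?"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


class UnsafeDocument(Exception):
    """Raised when a document must be rejected before the real parser sees it."""


def parse_entities(xml_text):
    """Collect internal entity definitions; any SYSTEM (external) entity is rejected."""
    entities = {}
    for name, system, value in ENTITY_DECL.findall(xml_text):
        if system:
            raise UnsafeDocument(f"external entity {name!r} pointing at {value!r}")
        entities[name] = value
    return entities


def expansion_size(text, entities, memo=None, stack=()):
    """Bytes `text` would occupy after full expansion, computed without building it."""
    if memo is None:
        memo = {}
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos
        pos = m.end()
        name = m.group(1)
        if name not in entities:             # e.g. &amp;, left for the XML parser
            total += len(m.group(0))
            continue
        if name in stack:
            raise UnsafeDocument(f"entity {name!r} references itself")
        if name not in memo:                 # memoised: each entity is sized once
            memo[name] = expansion_size(entities[name], entities, memo, stack + (name,))
        total += memo[name]
    return total + len(text) - pos


def expand(text, entities):
    """Full expansion; only called once expansion_size has accepted the document."""
    return ENTITY_REF.sub(
        lambda m: expand(entities[m.group(1)], entities) if m.group(1) in entities else m.group(0),
        text)


def check_and_expand(xml_text, budget=10_000):
    """Return the body with entities expanded, or raise UnsafeDocument."""
    entities = parse_entities(xml_text)
    body = xml_text.split("]>", 1)[-1] if "<!DOCTYPE" in xml_text else xml_text
    size = expansion_size(body, entities)
    if size > budget:
        raise UnsafeDocument(f"expansion would produce {size} bytes (budget {budget})")
    return expand(body, entities)


def is_safe(xml_text, budget=10_000):
    try:
        check_and_expand(xml_text, budget)
        return True
    except UnsafeDocument:
        return False


# The two documents from the slides, reproduced verbatim as test input.
SLIDE_14_XXE = ('<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > '
                '<!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]> <foo>&xxe;</foo>')
SLIDE_15_BOMB = ('<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World "> <!ENTITY t1 "&bar;&bar;"> '
                 '<!ENTITY t2 "&t1;&t1;&t1;&t1;"> <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]> '
                 '<foo> Hello &t3; </foo>')


def constructed_bomb(levels, fanout):
    """Constructed input: a deeper chain of the same shape as slide 15, for the budget check."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, levels + 1):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    return "<!DOCTYPE foo [ " + " ".join(decls) + f" ]> <foo>&e{levels};</foo>"


if __name__ == "__main__":
    print("slide 14 accepted:", is_safe(SLIDE_14_XXE))          # False: external entity
    print("slide 15 expands to:", check_and_expand(SLIDE_15_BOMB))  # 40 copies of "World "
    print("5 levels x 10 accepted:", is_safe(constructed_bomb(5, 10)))  # False: over budget
```

Slide 15's chain is small (2 x 4 x 5 = 40 copies, 240 bytes) and passes; the same shape five levels deep with fanout ten would expand to 100,000 bytes and is refused before any expansion happens. In production, prefer disabling DTD processing in the parser itself and treat this check as defence in depth.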
Slide 17: Broken Access Control

Slide 18: Example. Scenario #1: An attacker simply force-browses to target URLs. Admin rights are required for access to the admin page.
    http://example.com/app/getappInfo
    http://example.com/app/admin_getappInfo
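An added example (not from the deck) for slide 18: a deny-by-default route policy that checks the caller's role on every request, including the admin URL, rather than relying on the URL being unguessable, plus a denial log that turns repeated refusals from one client into a forced-browsing signal. The policy table, the request log and the threshold are constructed for the demonstration.

```python
from collections import Counter

# Constructed policy: every route lists the roles that may use it; anything unlisted is denied.
ROUTE_POLICY = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
}


class AccessGuard:
    def __init__(self, policy):
        self.policy = policy
        self.denials = []   # (client, path, role) tuples: the audit trail

    def check(self, client, path, role):
        """True if `role` may fetch `path`; every denial is recorded for later review."""
        allowed_roles = self.policy.get(path)
        if allowed_roles is None or role not in allowed_roles:
            self.denials.append((client, path, role))
            return False
        return True

    def forced_browsing_suspects(self, threshold=3):
        """Clients whose denial count reaches the threshold (assumed value: 3)."""
        counts = Counter(client for client, _, _ in self.denials)
        return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed request log: a normal user request, then the same client walking admin URLs,
# then a genuine administrator.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/app/getappInfo", "user"),
    ("10.0.0.5", "/app/admin_getappInfo", "user"),
    ("10.0.0.5", "/app/admin_users", "user"),
    ("10.0.0.5", "/app/admin_config", "user"),
    ("10.0.0.9", "/app/admin_getappInfo", "admin"),
]


def replay(requests, policy=ROUTE_POLICY):
    """Run the requests through a fresh guard; return the decisions and the guard."""
    guard = AccessGuard(policy)
    decisions = [guard.check(*req) for req in requests]
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_REQUESTS)
    for req, ok in zip(SAMPLE_REQUESTS, decisions):
        print("ALLOW" if ok else "DENY ", req)
    print("forced-browsing suspects:", guard.forced_browsing_suspects())
```

Unknown paths are denied as well, so an administrative endpoint that was never added to the policy cannot be reached merely because its name was guessed.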
Slide 19: Security Misconfiguration

Slide 20: Example. Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren't changed. An attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Slide 21: Cross Site Scripting (XSS)

Slide 22: Hacker Goals: cookie stealing; alert pop-up on page; redirecting to another website/page/phishing site; executing browser exploits

Slide 23: Insecure Deserialization

Slide 24: Example. Scenario #1: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:
    a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
  An attacker changes the serialized object to give themselves admin privileges:
    a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
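An added example, not code from the deck, for slide 24: if state has to travel in a cookie at all, the server attaches an HMAC so that an edited body is detected before anything is deserialized. The two serialized strings from the slide are used verbatim as payloads; `swap_body` reproduces the attacker's edit (new body, old MAC) so the check can be seen failing. The key and the field-extraction regex are assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# The two serialized objects from the slide, reproduced verbatim.
ORIGINAL_COOKIE = 'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED_COOKIE = 'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"demo-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def sign_cookie(payload, key=SERVER_KEY):
    """Emit body.mac so the server can later prove it wrote this exact body."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return _b64(payload.encode()) + "." + _b64(mac)


def verify_cookie(token, key=SERVER_KEY):
    """Return the payload only if its MAC checks out; any edit to the body fails."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return payload.decode("utf-8", errors="replace")


def swap_body(token, new_payload):
    """Replace the signed body while keeping the old MAC (what the slide's attacker does)."""
    return _b64(new_payload.encode()) + "." + token.split(".", 1)[1]


# Assumed layout: index 2 of the PHP array holds the role, as in the slide's cookie.
ROLE_FIELD = re.compile(r'i:2;s:\d+:"([^"]*)"')


def role_from_cookie(token, key=SERVER_KEY):
    """Role claimed by the cookie, or None when the cookie is not authentic."""
    payload = verify_cookie(token, key)
    if payload is None:
        return None
    m = ROLE_FIELD.search(payload)
    return m.group(1) if m else None


if __name__ == "__main__":
    token = sign_cookie(ORIGINAL_COOKIE)
    print("genuine cookie role:", role_from_cookie(token))                        # user
    print("edited cookie role :", role_from_cookie(swap_body(token, TAMPERED_COOKIE)))  # None
```

The MAC stops the edit on the slide, but it does not make deserializing native objects from the client safe; the more robust design keeps role and user ID server-side under an opaque session ID and never unserializes client-supplied bytes.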
Slide 25: Using Components with Known Vulnerabilities

Slide 26: HEARTBLEED

Slide 27: Insufficient Logging & Monitoring

Slide 28: Example. Scenario #1: An open source project forum software run by a small team was hacked using a flaw in its software. The attackers managed to wipe out the internal source code repository containing the next version, and all of the forum contents. Although the source could be recovered, the lack of monitoring, logging or alerting led to a far worse breach. The forum software project is no longer active as a result of this issue.

Slide 29: Open Web App Security Tools

Slide 30: VEGA Vulnerability Scanner

Slide 31: Modules used in VEGA: Cross Site Scripting (XSS); SQL Injection; Directory Traversal; URL Injection; Error Detection; File Uploads; Sensitive Data Discovery

Slide 32: Open Vulnerability Assessment System (OpenVAS)

Slide 33: Zed Attack Proxy (ZAP)

Slide 34: ZAP Features: open source, cross platform; easy to install (just requires Java 1.7); completely free (no paid-for 'Pro' version); ease of use a priority; comprehensive help pages; fully internationalized, translated into a dozen languages; community based, with involvement actively encouraged; under active development by an international team of volunteers

Slide 35: ZAP Functionality: intercepting proxy; traditional and AJAX spiders; automated scanner; passive scanner; forced browsing; fuzzer; dynamic SSL certificates; smartcard and client digital certificate support

Slide 36: ZAP Functionality (continued): WebSockets support; support for a wide range of scripting languages; Plug-n-Hack support; authentication and session support; powerful REST-based API; automatic updating option; integrated and growing marketplace of add-ons

Slide 37: Thank You. @Sumanth_Damarla
