Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

TDIS 2014 - Dealing with the risks: web applications

701 views

Published on

Event: Trusted Digital Identity Symposium 2014
Topic: Dealing with the risks - web applications
Location: Living Tomorrow (Brussels Vilvoorde)
Organizer: Vasco Data Security

  • Be the first to comment

TDIS 2014 - Dealing with the risks: web applications

  1. 1. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks web applications Malik Mesellem
  2. 2. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem, Ethical Hacker  MME BVBA, founded in 2010  Specialized in audits & training  Objective approach, independent  Focus to advise and to educate @MME_IT #bWAPP | ITAudits&SecurityMME
  3. 3. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  4. 4. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  5. 5. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  6. 6. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  7. 7. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  8. 8. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DEFENSE is needed !
  9. 9. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  10. 10. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
  11. 11. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
  12. 12. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  13. 13. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  What makes bWAPP so unique?  Well, it has over 100 web vulnerabilities  Covering all major known web bugs  Including all risks from the OWASP Top 10  Focus is not on one specific issue!
  14. 14. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Commercial Web Scanners
  15. 15. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  Heartbleed vulnerability (OpenSSL)  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
  16. 16. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
  17. 17. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  PHP-CGI remote code execution  Local privilege escalations  And much more 
  18. 18. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today?
  19. 19. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework
  20. 20. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
  21. 21. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  22. 22. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
  23. 23. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Injection in the OWASP Top 10
  24. 24. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
  25. 25. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL injection  Abnormal operation
  26. 26. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
  27. 27. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
  28. 28. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL Injection
  29. 29. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  SQL injection  Bypassing login forms  Manually extracting data  Automated SQL injection  Website defacement
  30. 30. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  31. 31. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  32. 32. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  XSS can lead to  Website defacements  Phishing / session hijacking  Client-side exploitation
  33. 33. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  XSS in the OWASP Top 10
  34. 34. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Cross-Site Scripting  Detecting XSS  Phishing attack  Client-side exploitation
  35. 35. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Heartbleed bug  Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)  Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!  Sensitive data that might be stolen  Logon credentials  Session data  Private keys
  36. 36. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Heartbleed bug  Stealing credentials
  37. 37. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  Attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes bandwidth, server sockets, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
  38. 38. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
  39. 39. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
  40. 40. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Denial-of-Service  HTTP Slow POST
  41. 41. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  42. 42. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Superbees wanted  Hi little bees, during this talk we  Defaced the website  Compromised the server  Compromised a client  Made the server unreachable  Hijacked a session  Stole credentials…
  43. 43. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.  And we have so much more bugs to exploit…  Definitely time to improve your web security  Defense is needed, security-testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees wanted @MME_IT #bWAPP
  44. 44. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com

×