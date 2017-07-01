Welcome to Myanmar Cyber Conference
Hunting Security Bugs in Modern Web Applications Presented by Toe Khaing Oo
What is it exactly?
● Modern Web Application Technologies
● Security vulnerabilities of modern web applications
● How attac...
Who am I?
● Student
● Self-taught Hacker
● Freelance Web Developer
● Instructor at Cyber Wings
● Bug Bounty Hunter at BugCr...
Modern Web Application Technology: Overview
● Client–Server Architecture
● MVC Architecture
● RESTful API
● Users
● Sto...
Popular Web Frameworks
● CodeIgniter (PHP)
● Laravel (PHP)
● Rails (Ruby)
● Django (Python)
● Angular (JavaScript)
● React ...
Popular CMS
What is Web Application Security?
● Information security as applied to web applications
● Protecting information b...
Bug Hunting 101
● Finding vulnerabilities that are not easy to find
● Exploiting
● Determining the risks and impact
● Exa...
Benefits
● Better Profile
● Hall of Fame, Responsible Disclosure, Acknowledgments
● Swag (T-Shirts, Stickers, etc.)
● Bug ...
Bug Hunting Methodologies
● Mapping the Application
● Analyzing the Application
● Testing the Authentication Mechanism
● Testi...
Mapping the Target
● Explore Visible Content (view source code)
● Check Public Resources (CSS, JS, SWF)
● Discover Hidden ...
Analyzing the Application
● Identify the Technologies Used
● Identify its Functions
● Identify Data Entry Points
● Map Attack Sur...
OWASP Top Ten Vulnerabilities
Hunting for A1: Injection
● ‘and 1=1 | ‘or 1=1
● Neither easy nor difficult
● Frameworks & CMSs already prevent it
● P...
A2: Broken Authentication & Session Management
● Guess login credentials
● Check error messages, e.g. "Login for User foo: inva...
A3: Cross-Site Scripting (XSS)
● XSS attacks allow a user to inject client-side scripts into the browsers of other users ...
Hunting for XSS Vulnerabilities: 1
● Still easy to find
● JavaScript code in the search box (input box), e.g. <script>alert(‘XSS’...
Hunting for XSS Vulnerabilities: 2
● DOM XSS
● SWF
● File Upload XSS
● Tools: XSSER (https://github.com/epsylon/xsser), Magen...
Hunting for XSS: 3
● Flash XSS (SWF) /zeroclipboard.swf?id="))}catch(e) {alert(1);}//&width=500&height=500 /player.swf?pl...
A4: Access Control
● All sites need to enforce an access control policy
● Most access control failures come from bad coding
● Need to access as possibl...
IDOR
● Insecure Direct Object References
● Mostly found in APIs
● Profile page, settings page, etc.
● Check bypass methods –...
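The ownership check that separates a plain object lookup from an IDOR, as an added example (not from the talk): a framework-free Python stand-in for a profile API view, with the vulnerable handler beside its hardened form. The PROFILES records, Request and Forbidden are constructed for this example.

```python
# Added example (not from the talk): an IDOR in a profile API, shown as the
# vulnerable handler beside its hardened form. Framework-free stand-in for a
# Django/Laravel-style view; all data below is constructed in memory.
from dataclasses import dataclass

# Constructed sample data: two users, each owning one profile record.
PROFILES = {
    101: {"owner_id": 1, "email": "alice@example.test", "phone": "+95-1-000001"},
    102: {"owner_id": 2, "email": "bob@example.test", "phone": "+95-1-000002"},
}


@dataclass
class Request:
    user_id: int     # authenticated caller, taken from the server-side session
    profile_id: int  # object id taken from the URL, i.e. client-controlled


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def get_profile_vulnerable(req: Request) -> dict:
    """Direct object reference: only checks that the record exists.
    Any logged-in user can read any profile by changing profile_id."""
    return PROFILES[req.profile_id]


def get_profile_hardened(req: Request) -> dict:
    """Same lookup, plus an ownership check against the session user."""
    profile = PROFILES.get(req.profile_id)
    # Same error for "missing" and "not yours", so the id space cannot be
    # enumerated by comparing responses.
    if profile is None or profile["owner_id"] != req.user_id:
        raise Forbidden(f"profile {req.profile_id} not accessible")
    return profile


def idor_exposed(req: Request) -> bool:
    """Regression-test helper: True if the vulnerable handler would hand out
    a record that the hardened handler refuses for this caller."""
    try:
        get_profile_hardened(req)
        return False
    except Forbidden:
        return req.profile_id in PROFILES
```

The same pattern applies to any per-object endpoint (settings, orders, messages): the check must compare the object's owner with the session identity, not merely confirm the object exists.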
Remote Code Execution (RCE)
● Execute commands on the web server
● Difficult to find, but not impossible
● Need strong under...
A5: Security Misconfiguration
● Test for default credentials (Apache Tomcat, JBoss)
● Subdomain takeover
● Test for lates...
A6: Sensitive Data Exposure
● Config files (e.g. GitHub config)
● Path disclosure (low impact)
● Source code disclosure
● ...
CSRF
● Cross-Site Request Forgery
● Modern web frameworks have built-in CSRF protection
● Test for bypass methods
● Bypass...
URL Redirect
● Unvalidated Redirects & Forwards
● Can be found with Google dorks: “redirect_url”, “URL?=”, “return?=” More ...
Known Vulnerabilities
● CVE, CWE, Metasploit modules
● Mostly in CMSs
● For example: Drupal SQL injection (Drupageddon) -...
Business Logic Flaws
● Misuse of an application's business rules
● Shopping cart checkout, payment transactions, etc.
● Par...
Reporting
● Title/Vulnerability Information
● Specify the Target
● Vulnerable URL/Parameter
● Description
● Impact
● Proof of Con...
The End Thanks for your attention