
Owasp top 10 web application security hazards part 2


Mission: Understand / Learn / Practice OWASP web security vulnerabilities. https://www.owasp.org/index.php/Top102013-Top_10 In this session, attendees will perform hands-on exercises to get a better understanding of the OWASP Top Ten security threats.


  1. TOP 10 WEB APPLICATION SECURITY HAZARDS { PART - 2 } by Abhinav Sejpal, Null Humla Session
  2. FLIPKART - BANGALORE
  3. WHO AM I: I'm a Next-Gen Exploratory Tester; student of the information security field; researcher & reader in free time; member of Crowd Tester (aka bug bounty hunter); proficient at functional, usability, accessibility & compatibility testing. Love to develop nasty code & hack it :) Works as Quality Analyst at passbrains.com; aka Bug Wrangler; Null Open Security Community.
  4. DISCLAIMER: This presentation is intended for educational purposes only and I cannot be held liable for any kind of damage done, whatsoever, to your machine, or any other damage. Don't try these attacks on any other system without having context knowledge or permission; this may harm someone directly or indirectly. Feel free to use this presentation for practice or education purposes. ^ I hope - you gotcha ^
  5. AGENDA: No revision of Part 1; Understand new attacks; Self-exploratory exercise; Learn + Hack; Q & A
  6. FOR SOCIAL MEDIA: Twitter handles @null0x00, @Abhinav_Sejpal. Hashtags for this session: #Nullhumla, #nullblr
  7. HUMLA MEANS 'ATTACK' IN HINDI
  10. OBJECTIVES FOR THIS SESSION: Build security awareness for web applications; Learn ways to discover security vulnerabilities; Learn the basics of secure web applications via the OWASP Top 10
  11. LET'S BEGIN OUR JOURNEY OF TOP 10 WEB APPLICATION SECURITY HAZARDS * We won't talk about Injection & XSS *
  12. Setup the test lab: Install XAMPP. Acronym: X (to be read as "cross", meaning cross-platform), Apache HTTP Server, MySQL, PHP, Perl
  13. TARGETED APPLICATION: Client-side language: HTML & JavaScript; Server-side language: PHP; DB: MySQL. Why PHP? - Any answer here? Why MySQL? MySQL is the girlfriend of PHP <3
  14. PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE. http://w3techs.com/technologies/overview/programming_lang
  15. PHP: 244M SITES, 2.1M IP ADDRESSES
  16. 2013 Server-side Programming Language of the Year. Don't mind the power of PHP > Facebook & Yahoo http://w3techs.com/blog/entry/web_technologies_of_the_year
  17. MUTILLIDAE aka PLAYGROUND: It's a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. V2.x developed by Jeremy Druin (webpwnized).
  18. ALL SET WITH MUTILLIDAE?
  19. AM I VULNERABLE TO 'CSRF'?
  20. OWASP A8 - CSRF: CROSS-SITE REQUEST FORGERY
  21. CSRF ATTACK CYCLE
  22. CSRF aka XSRF: The attacker exploits the trust a website has in a user's browser. Permission faking/stealing; disruption of the normal sequence of the site
  23. DEMO #1: Login ID - admin, password - adminpass. HTTP GET request: http://127.0.0.1/xampp/mutillidae/index.php?do=logout
  24. ANSWER DEMO 1 (<a href=...>): <html> <title> CSRF Demo 1 </title> <a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a> </html>
  25. UNDERSTANDING: The logout page was a simple HTTP GET that required no confirmation. Every user who visited that page would immediately be logged out - that's CSRF in action. Yes, it's not dangerous, but annoying.
  26. SO WHAT DO YOU THINK, IS IT ALL ABOUT A CLICK? Sshh, no!! Would you like to write a CSRF exploit without a click??
  27. IMAGE TAG: <img style="display:none;" src="your Request"> An image tag does not require clicking the link, whereas an A tag requires clicking on the link to trigger the HTTP request. Can we try Demo 1 with an image tag?
  28. CSRF GET request with image tag (<img src=...>): <html> <title> CSRF Demo 1 </title> <img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> </html>
  29. THE NATURE OF BROWSERS IS TO SEND HTTP REQUESTS FOR VISUAL OBJECTS SUCH AS PICTURES OR REMOTE FILES (CSS, JS, ETC.) WHILE LOADING THE PAGE, WITHOUT THE USER'S PERMISSION. Iframe tag: <iframe src="your Request"></iframe> JavaScript code: <script> var X = new Image(); X.src = "URL"; </script> Can we try Demo 1 with iframe & JS?
  30. HTTP REQUEST: <iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe> <script> var X = new Image(); X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout"; </script>
  31. CHALLENGE #1
  32. :: SOLUTION #1 :: <html> <title> CSRF Demo 1 </title> <a href="http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote"> Click me </a> </html>
  33. CHALLENGE #2 { POST HTTP request }
  34. : Solution available : http://127.0.0.1/xampp/CSRF Attack/Add New Blog Entry - CSRF POST.html
  35. IS IT EASY TO CREATE A CSRF HTTP REQUEST? No - you should try out the CSRF Finder Firefox add-on. * One-click POC * * Hybrid automation * Thank you - Piyush Pattanayak
  36. CSRF FINDER DEMO
  37. LIVE CHALLENGE * SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE PASSWORD TEST. CSRF & XSRF: Update the user info without their knowledge. http://testphp.vulnweb.com/userinfo.php Copyright © 2014, Acunetix Ltd
  38. You've been CSRF'd with a static token! Can we exploit this with Level #2?
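The poll solution above goes through with an empty csrf-token, and the Level #2 target uses a static one. The server-side check that closes both gaps is the synchronizer token pattern: one unpredictable token per login session, compared in constant time, and state-changing actions (including logout) only on POST. The following is an added PHP example written for this page, not Mutillidae's own code; the $session array stands in for $_SESSION so the logic can be run from the command line, and the csrf-token field name is taken from the slide.

```php
<?php
// Added example (not Mutillidae's code): synchronizer-token CSRF protection.
// $session stands in for $_SESSION; the field name "csrf-token" is from the slide.
declare(strict_types=1);

// One random token per login session, generated on first use. A static or
// predictable value defeats the purpose: the attacker can embed it in the forged page.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The submitted token must be present, non-empty and identical to the session copy.
// hash_equals() compares in constant time.
function csrf_valid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null || $submitted === '') {
        return false;   // "csrf-token=" (empty) is rejected, not treated as a match
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Logout form: the state change goes through POST with the token, never a bare GET
// that an <img>, <iframe> or new Image() can trigger.
function logout_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?do=logout">'
         . '<input type="hidden" name="csrf-token" value="' . $token . '">'
         . '<button type="submit">Logout</button></form>';
}

// Request handler: rejects GET and any POST whose token does not match.
function handle_logout(array &$session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    $submitted = $post['csrf-token'] ?? null;
    if (!csrf_valid($session, is_string($submitted) ? $submitted : null)) {
        return '403 Forbidden: CSRF token missing or invalid';
    }
    $session = [];              // drop the login state only on a genuine request
    return '200 Logged out';
}

// Constructed walk-through of the three request shapes seen in the demos.
$session = ['user' => 'admin'];
echo logout_form($session), PHP_EOL;
echo handle_logout($session, 'GET', []), PHP_EOL;                                 // <img>/<iframe> style GET
echo handle_logout($session, 'POST', ['csrf-token' => '']), PHP_EOL;              // empty token as in Solution #1
echo handle_logout($session, 'POST', ['csrf-token' => csrf_token($session)]), PHP_EOL; // genuine form submit
```

Setting the session cookie with a SameSite attribute adds a second, browser-enforced layer, but the token check above is the part the server controls and is what the static-token and empty-token bypasses are testing for.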
  39. POPULAR COOL FINDINGS by Amol: Facebook CSRF worth USD 5000; Google Groups profile CSRF; Google account display pic deletion; Facebook account deactivation. Advanced learnings - CSRF token validation fail: http://haiderm.com/csrf-token-protection-bypass-methods/
  41. Am I vulnerable to 'Broken Authentication & Session Management'? A2 - OWASP TOP 10
  42. LET'S BYPASS THE MUTILLIDAE LOGIN. Can we do it? Part 1 learning with SQL injection
  43. APPLY BRUTE FORCE ATTACK: /xampp/mutillidae/index.php?page=login.php Account lock policy & captcha missing :P
  44. INSECURE SESSION-ID: Cookie flags: HttpOnly; the Secure flag would be complementary
  45. XSS SESSION HIJACKING: PHPSESSID=0ebmp37g8v8stqsjpf1ln40c20 (PHP), JSESSIONID (Java), ASP Session.SessionID. Let's try out the Part 1 learning and exploit the session
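The two slides above name the fix without showing it: PHPSESSID should carry HttpOnly (so injected script cannot read document.cookie), Secure (so it never travels over plain HTTP), and the id should be rotated at login so a session fixed or captured before authentication is worthless afterwards. The following is an added PHP example for this page, not Mutillidae's code; it assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and the $_SERVER['HTTPS'] check is a stand-in for however the deployment detects TLS.

```php
<?php
// Added example (not Mutillidae's code): hardening the PHP session cookie and
// rotating the session id at login. Assumes PHP >= 7.3.
declare(strict_types=1);

// Cookie attributes for PHPSESSID, returned as an array so the policy is
// visible and reusable. HttpOnly blocks document.cookie access from XSS,
// Secure keeps it off plain HTTP, SameSite limits cross-site sends.
function session_cookie_policy(bool $https): array
{
    return [
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,   // must be true in production
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

function start_hardened_session(bool $https): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // no PHPSESSID in the URL
    session_set_cookie_params(session_cookie_policy($https));
    session_start();
}

// Call only after the credentials have been verified. A fresh id defeats
// session fixation and the old id is deleted server-side (argument true).
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

// Constructed walk-through (run from the CLI, where no real cookie is sent).
start_hardened_session(!empty($_SERVER['HTTPS']));   // assumption: TLS detection
$before = session_id();
login_user('test');                                   // username from the live-challenge slide
$after  = session_id();
printf("session id rotated at login: %s\n", $before !== $after ? 'yes' : 'no');
printf("cookie policy: %s\n", json_encode(session_cookie_policy(true)));
```

The same three attributes can be set globally in php.ini (session.cookie_httponly, session.cookie_secure, session.cookie_samesite); the function form above keeps the policy next to the code that starts the session so a missing flag is caught in review rather than in a cookie audit.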
  46. So, let's learn about the web app DB structure. Passwords are stored in plain text. Oh really -- ':( OWASP #A6
  47. Password is protected when stored using an encryption algorithm. Are you sure? http://www.md5online.org/
  48. YOU MAY ALSO TRY OUT A HASH, BUT A PASSWORD SALT IS THE RECOMMENDED SOLUTION SO FAR. PASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAK. -- * -- SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORDS. CHANGE PASSWORD DOESN'T ASK FOR THE CURRENT PASSWORD - LOL
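The three slides above make three points: plain-text storage, an unsalted fast hash that md5online-style lookups reverse, and a change-password flow that skips the current password. The following added PHP example (not Mutillidae's code) shows the shape that addresses all three with the standard library: password_hash() generates a random per-user salt and embeds it in the stored string, password_verify() checks against it, and the change function re-authenticates first. The $users array is a constructed stand-in for the users table, and the policy function is a deliberately minimal example of the "should not be weak" rule.

```php
<?php
// Added example (not Mutillidae's code): salted slow hashing with password_hash()
// and a change-password flow that requires the current password.
// $users is a constructed stand-in for the users table.
declare(strict_types=1);

// Minimal policy (assumption: tune to your own requirements).
function password_policy_ok(string $pw): bool
{
    return strlen($pw) >= 12
        && preg_match('/[a-z]/', $pw) === 1
        && preg_match('/[A-Z]/', $pw) === 1
        && preg_match('/[0-9]/', $pw) === 1;
}

// PASSWORD_DEFAULT is bcrypt today; the output carries algorithm, cost and salt,
// so two users with the same password get different stored values and a
// precomputed md5 lookup table does not apply.
function store_password(array &$users, string $name, string $pw): void
{
    if (!password_policy_ok($pw)) {
        throw new InvalidArgumentException('password does not meet policy');
    }
    $users[$name] = password_hash($pw, PASSWORD_DEFAULT);
}

function login_ok(array $users, string $name, string $pw): bool
{
    return isset($users[$name]) && password_verify($pw, $users[$name]);
}

// Changing the password re-authenticates: a hijacked session alone must not be
// enough to lock the real owner out of the account.
function change_password(array &$users, string $name, string $current, string $new): bool
{
    if (!login_ok($users, $name, $current)) {
        return false;
    }
    store_password($users, $name, $new);
    return true;
}

// Constructed walk-through with the demo account name from the CSRF slides.
$users = [];
store_password($users, 'admin', 'Adminpass2014x');
echo "stored value: {$users['admin']}\n";                 // bcrypt string, salt included
var_dump(login_ok($users, 'admin', 'adminpass'));         // wrong password
var_dump(change_password($users, 'admin', 'wrong-guess', 'NewPassword2014x'));   // rejected
var_dump(change_password($users, 'admin', 'Adminpass2014x', 'NewPassword2014x')); // accepted
var_dump(login_ok($users, 'admin', 'NewPassword2014x'));  // new password now works
// For contrast, an unsalted fast hash of a common password is a single lookup away:
echo "md5 for comparison: ", md5('adminpass'), "\n";
```

When the hashing cost or algorithm is raised later, password_needs_rehash() lets the application upgrade stored values transparently at the next successful login, so the schema never has to go back to storing anything reversible.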
  49. Robots.txt: all sensitive data exposed
  50. TAKE AWAY
  51. AVOIDING INSECURE DIRECT OBJECT REFERENCES OWASP #A4
  52. URLs' PATTERN
  53. Demo #1: Tamper the ID parameter http://127.0.0.1/xampp/sqli/secondorder_changepass.php
  54. ENUMERATION USING PARAMETER (LIVE): https://profile.utest.com/67797, https://profile.utest.com/200 -- N
  55. https://99tests.com/testers/3298
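The ID-tampering and enumeration demos above work because the server looks up whatever id is in the URL without asking whether the logged-in user owns it. The following added PHP example (not the code of Mutillidae or of the sites named above) shows the vulnerable query beside the fixed one, where the owner id comes from the session and is part of the query itself, plus a per-session indirect reference for cases where ids must not be guessable at all. It assumes the pdo_sqlite extension is available and uses an in-memory table as a constructed stand-in for the application database; the profile ids are borrowed from the slides, the rows are made up.

```php
<?php
// Added example (not Mutillidae's code): enforcing ownership on a direct object
// reference. Assumes pdo_sqlite; the table and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, email TEXT NOT NULL)');
$db->exec("INSERT INTO profiles VALUES (200, 1, 'alice@example.test'), (3298, 2, 'bob@example.test')");

// Vulnerable shape, kept for comparison: whatever id is in the URL is returned.
function profile_idor(PDO $db, int $id): ?array
{
    $st = $db->prepare('SELECT id, email FROM profiles WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fixed shape: the owner id comes from the session, never from the request,
// and the query filters on it, so walking ids 1..N returns only the caller's own rows.
function profile_for_owner(PDO $db, int $id, int $sessionUserId): ?array
{
    $st = $db->prepare('SELECT id, email FROM profiles WHERE id = ? AND owner_id = ?');
    $st->execute([$id, $sessionUserId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Indirect reference: hand the browser a random per-session handle and map it
// back server-side, so the real id never appears in the URL.
function indirect_ref(array &$session, int $realId): string
{
    $ref = bin2hex(random_bytes(8));
    $session['refs'][$ref] = $realId;
    return $ref;
}

function resolve_ref(array $session, string $ref): ?int
{
    return $session['refs'][$ref] ?? null;
}

// Constructed walk-through: user 1 (Alice) changes the id in the URL to 3298 (Bob's row).
$sessionUserId = 1;
var_dump(profile_idor($db, 3298));                       // leaks the other user's row
var_dump(profile_for_owner($db, 3298, $sessionUserId));  // null: not Alice's row
var_dump(profile_for_owner($db, 200, $sessionUserId));   // Alice's own profile
$session = [];
$ref = indirect_ref($session, 200);
var_dump(resolve_ref($session, $ref) === 200);           // handle maps back to the real id
var_dump(resolve_ref($session, 'guessed') === null);     // unknown handle resolves to nothing
```

The ownership filter belongs in the query (or in a central authorization layer) rather than in an if-statement after the fetch, so that every new page that reads the table inherits the check instead of reintroducing the enumeration shown on the slides.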
  56. Secret PHP server configuration page: http://127.0.0.1/xampp/mutillidae/index.php?page=phpinfo.php
  57. MISSING FUNCTION LEVEL ACCESS CONTROL OWASP #A7
  58. CONCEPT
  59. LIVE: http://stepinforum.org/mailers2014/ http://demo.testfire.net/pr/
  60. OWASP #A9 USING KNOWN VULNERABLE COMPONENTS
  61. Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  62. COOL WORDPRESS PROJECTS: Code Vigilant. Latest buzzing known vulnerabilities: #Heartbleed, #BashBug
  63. Can you verify that your website's SSL cert isn't vulnerable to the Heartbleed attack? Google - SSL Heartbleed fix verification script https://lastpass.com/heartbleed/
  64. HISTORY ATTACK !!!
  65. A6 – Sensitive Data Exposure
  66. SECURITY MISCONFIGURATION OWASP #A5
  67. CLICKJACKING Code: <iframe src="http://www.testingcircus.com"></iframe> Live demo: http://goo.gl/6gEq2I Clickjacking testing tool: http://goo.gl/27VgQb
  68. IF YOU ARE PLANNING TO HOST YOUR OWN SERVER, this talk matters for you: "SECURING A LINUX WEB SERVER IN 10 STEPS" BY AKASH MAHAJAN https://www.youtube.com/watch?v=ort9qxzu3h0
  69. ELMAH.AXD ERROR LOGS: GOOGLE SEARCH
  70. https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
  71. Vulnerable redirection: http://127.0.0.1/xampp/mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.owasp.org I don't think I need to explain to you what you can do here :D
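The redirectandlog.php page above forwards to whatever forwardurl says. The usual fix is to accept only same-site relative paths or absolute URLs whose host is on an allow-list, and to fall back to a fixed page otherwise. The following is an added PHP example for this page, not Mutillidae's code; the allow-list contents, the fallback page and the logging are assumptions, and the candidate URLs at the bottom are constructed to exercise the edge cases that naive host checks miss (scheme-relative //host, credentials before an @, and CRLF in the header value).

```php
<?php
// Added example (not Mutillidae's code): allow-listing a redirect target such as
// the forwardurl parameter. Allowed hosts and the fallback page are assumptions.
declare(strict_types=1);

const ALLOWED_REDIRECT_HOSTS = ['www.owasp.org', 'owasp.org'];

// Returns a safe target or null. Accepts a same-site path beginning with a
// single "/" or an absolute http(s) URL whose host is on the list; rejects
// everything else, including "//host" (scheme-relative), "/\host" (browsers
// normalise the backslash), userinfo tricks like http://owasp.org@other/, and CRLF.
function safe_redirect_target(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || preg_match('/[\r\n]/', $url) === 1) {
        return null;                                   // header injection
    }
    if (preg_match('#^/(?![/\\\\])#', $url) === 1) {
        return $url;                                   // relative path on this site
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                   // no scheme: "//host", "javascript:" etc.
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                                   // credentials hide the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Returns the Location header value that the page would send.
function redirect_and_log(string $forwardurl): string
{
    $target = safe_redirect_target($forwardurl);
    if ($target === null) {
        error_log('rejected redirect target: ' . $forwardurl);   // assumption: log and fall back
        return 'Location: /index.php';                            // fixed fallback page
    }
    return 'Location: ' . $target;
}

// Constructed candidates, including the one from the slide.
foreach ([
    'http://www.owasp.org',                          // from the slide: allowed host
    'https://www.owasp.org/index.php/Top_10',
    'http://www.owasp.org@other.example/',           // userinfo trick: real host is other.example
    '//other.example/',                              // scheme-relative
    '/\\other.example/',                             // backslash variant
    "/index.php?page=home.php\r\nSet-Cookie: x=y",   // CRLF injection
    '/index.php?page=home.php',                      // same-site path
] as $candidate) {
    printf("%-52s => %s\n", json_encode($candidate), redirect_and_log($candidate));
}
```

Where the set of destinations is known in advance, an even tighter variant replaces the URL parameter with a short key (for example forward=owasp) looked up in a server-side map, which removes the need to parse attacker-controlled URLs at all.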
  72. Would you like to do more practice? Here is your playground: http://demo.testfire.net/ Copyright © 2014, IBM Corporation
  73. YES - I'M DONE! Feel free to write me at bug.wrangler at outlook.com
  74. WE NEED YOU! Attend Null meet-ups & give presentations. Share your ideas & learnings. Talk to our community champions & gain from learnings. Your feedback helps us to build a good community. Looking forward to your ongoing support. http://null.co.in/ Say 'Hello' @null0x00
  75. CREDITS - Twitter folks - @TroyHunt, @yog3sharma, @Lavakumark, @HaiderMQ. #Nullblr leads & champions: big thank you to @null0x00, @ru94mb & you all.
  76. INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU SHOULD BE FOLLOWING ON TWITTER. Thank you http://garage4hackers.com/ community
  77. THANK YOU! KEEP THE SECURITY ANTE UP.
  78. https://slides.com/abhinavsejpal/top-10-web-application-security-hazards--2 LICENSE AND COPYRIGHTS: Copyright 2013-2014 Abhinav Sejpal ----- (CC BY-NC-ND 3.0) Attribution-NonCommercial-NoDerivs 3.0 Unported. Dedicated to my lovely daddy
