
Web Security attacks and defense


Presentation exposing web hacking techniques, attack and defense. A look into the OWASP Top 10 with some demos, both in the real world and in a managed vulnerable web commerce application.
XSS, SQLi, LFI and webshell upload were some of the cool demos :)


Web Security attacks and defense

  1. Web Security
     ● Jose Mato Mariño

  2. 3/5/15 - 12:52:45 AM Who am I?
     ● Web Developer
     ● Web security as a hobby
     ● http://josemato.name
     ● @security4dev

  3. Is it mandatory to know web security to build a website?
     ● YES. If someone hacks your server, you, the developer, are screwed
       – Read logs, …, a lot of logs
       – Sometimes it is difficult to know what was happening
       – Web security is easier than computer forensics
     ● Your client
       – Angry
       – Lost branding and reputation

  4. Why do cybercriminals want my server?
     ● SPAM
     ● BitCoins
     ● Phishing
     ● Botnet
     ● Ransomware
     ● Data theft

  5. OWASP
     ● Online community dedicated to web application security
     ● Guides, practices and recommendations to be considered for secure application development
     ● OWASP TOP 10

  6. OWASP TOP 10 – From 2010 to 2013

  7. A3 – Cross Site Scripting (XSS)
     ● Problem: the user injects code (ActiveX, Java, VBScript, Flash, HTML, but typically JavaScript) into a webpage
     ● Attacks:
       – Access the user session (session hijacking)
       – Redirect the user to an exploit kit (Blackhole)
       – Defacement. Phishing.
       – Network IP + port scanner
     ● We have 5 contexts to exploit XSS
     ● There are two types of XSS

  8. A3 – XSS Context
     ● Context (by Ashar Javed @soaj1664ashar): "Context is an environment where user supplied input or input from other application(s) eventually ends-up or start living"
     ● Types of contexts:
       – HTML context (<title>XSS</title>)
       – Attribute context (<input value="XSS">)
       – Script context (<script>var a = "<?php echo XSS ?>";</script>)
       – URL context (a server variable written to src, href, Flash data, etc.)
       – Style context (<div style="XSS"> => custom editors)

  9. A3 – XSS Types
     ● Reflected
       – The code is not stored in any database or repository
       – The payload must be in a GET parameter (discussion)
       – The user needs to click on a malicious link
     ● Persistent
       – The code is stored in a persistent store (database)
       – When a user enters the hacked page, the exploit executes

  10. A3 – Famous XSS
     ● "Mr. Bean 'se cuela' en la web oficial de la presidencia española" (Mr. Bean 'sneaks into' the official website of the Spanish presidency)
     ● http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262610678.html

  11. XSS DEMO I
     ● Check if there is some XSS
     ● Get access to a user account

  12. A3 – XSS Mitigation
     ● Never trust user input (inbound & outbound)
     ● Sanitize all inputs
     ● Enable the httpOnly flag on cookies
     ● Content Security Policy (CSP)
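The five contexts of slide 8 each need a different output encoding, and slides 12's httpOnly and CSP points are response headers. The following Python is an added example written for this page, not the presentation's demo code or anything from the author: one encoder per context, the two headers, and a constructed page fragment that places the same untrusted value into every context. The function names, the `UNTRUSTED` sample and the allowlists are assumptions made here; only the standard library is used.

```python
# Added example (not the presentation's demo code): one encoder per XSS context
# from the "A3 - XSS Context" slide, and the response headers from the mitigation
# slide. Standard library only; the sample payload below is constructed.
import html
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample of user-supplied input.
UNTRUSTED = '"><script>alert(document.cookie)</script>'


def encode_html(value: str) -> str:
    """HTML context (<title>...</title>): escape & < > " ' so no tag can open."""
    return html.escape(value, quote=True)


def encode_attribute(value: str) -> str:
    """Attribute context (<input value=...>): same escaping, and always emit the
    quotes so a space in the data cannot start a new attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_script(value: str) -> str:
    """Script context (<script>var a = ...;</script>): emit a JSON string literal and
    additionally escape < and > so a '</script>' inside the data cannot close the tag."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for this example


def encode_url(value: str) -> Optional[str]:
    """URL context (href/src): allow only known schemes or relative URLs, percent-encode
    what is not URL-structural, then attribute-escape. None means: do not emit the link."""
    candidate = value.strip()
    scheme = urlsplit(candidate).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None  # javascript:, data: and the like are refused outright
    return html.escape(quote(candidate, safe=":/?#[]@!$&()*+,;=%-._~"), quote=True)


STYLE_VALUE = re.compile(r"^[A-Za-z0-9#%., -]*$")


def encode_style(value: str) -> Optional[str]:
    """Style context (style="color: ..."): CSS has no safe escaping for arbitrary input,
    so only a conservative character set is accepted (no quotes, parentheses,
    semicolons, colons or backslashes); anything else is rejected."""
    return value if STYLE_VALUE.fullmatch(value) else None


def mitigation_headers(session_id: str) -> dict:
    """Headers from the mitigation slide: HttpOnly hides the cookie from document.cookie,
    and a CSP without 'unsafe-inline' stops an injected inline <script> from running."""
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def render_profile(name: str, homepage: str, theme_color: str) -> str:
    """Constructed page fragment placing one untrusted value into each context."""
    href = encode_url(homepage)
    color = encode_style(theme_color)
    return "\n".join([
        "<title>" + encode_html(name) + "</title>",
        '<input name="display" value=' + encode_attribute(name) + ">",
        "<script>var displayName = " + encode_script(name) + ";</script>",
        '<a href="' + href + '">home</a>' if href is not None else "<a>home</a>",
        '<div style="color: ' + (color if color is not None else "inherit") + '">profile</div>',
    ])


if __name__ == "__main__":
    print(render_profile(UNTRUSTED, "javascript:alert(1)", "red; background:url(x)"))
    print(mitigation_headers("CONSTRUCTED_SESSION_ID"))
```

The point the slides make about contexts shows up in the code: the HTML escaper is not enough for the script context (where the data is already inside a string literal) nor for the URL and style contexts (where the dangerous input is a valid value, so an allowlist is used instead of escaping). The headers are the complement to output encoding: they limit what an injection that slips through can still do.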
  13. A4 – Insecure Direct Object References
     ● Access to resources that are not allowed
     ● The application fails to check whether the user is authorized to access the resource
     ● Common scenario:
       – http://websecurity-demo.local/transcript.php?student=1536
     ● The attacker sees a parameter and knows that "1536" is his student id
     ● The attacker changes this student id and gets the content of another student
     ● This parameter could be anywhere (GET, POST, cookie, …)
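The transcript.php?student=1536 scenario above, as an added example written for this page (not the demo application's code): the lookup that trusts the parameter beside one that binds the object reference to the authenticated user inside the query, plus a per-user indirect reference map so the page never exposes the real id at all. The table, its rows and the function names are constructed for the example; the store is an in-memory sqlite3 database.

```python
# Added example (not the demo application's code): authorization check for the
# transcript.php?student=ID scenario on the IDOR slide. In-memory sqlite3 with
# constructed rows; owner_user is the id of the logged-in account that owns the transcript.
import secrets
import sqlite3
from typing import Dict, Optional


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transcript (student_id INTEGER PRIMARY KEY, owner_user INTEGER, grades TEXT)"
    )
    conn.executemany(
        "INSERT INTO transcript VALUES (?, ?, ?)",
        [(1536, 10, "A,B,A"), (1537, 11, "C,B,B")],  # constructed sample rows
    )
    return conn


def get_transcript_vulnerable(conn: sqlite3.Connection, student_id: int) -> Optional[str]:
    """Vulnerable form: the student parameter is taken at face value, so any logged-in
    user who changes it reads another student's transcript."""
    row = conn.execute(
        "SELECT grades FROM transcript WHERE student_id = ?", (student_id,)
    ).fetchone()
    return row[0] if row else None


def get_transcript_checked(conn: sqlite3.Connection, current_user: int, student_id: int) -> Optional[str]:
    """Hardened form: ownership is part of the query, so the reference can only
    resolve to an object the current user is allowed to see."""
    row = conn.execute(
        "SELECT grades FROM transcript WHERE student_id = ? AND owner_user = ?",
        (student_id, current_user),
    ).fetchone()
    if row is None:
        return None  # missing or not yours: answer 403/404 without saying which
    return row[0]


def indirect_references(conn: sqlite3.Connection, current_user: int) -> Dict[str, int]:
    """Per-user map from an opaque token to the real id; only the token is ever rendered
    into links, so a guessed integer such as 1537 maps to nothing."""
    rows = conn.execute(
        "SELECT student_id FROM transcript WHERE owner_user = ?", (current_user,)
    ).fetchall()
    return {secrets.token_urlsafe(16): r[0] for r in rows}


def resolve_reference(ref_map: Dict[str, int], ref: str) -> Optional[int]:
    """Turn a token from the request back into a real id, or None if it is not the user's."""
    return ref_map.get(ref)


if __name__ == "__main__":
    db = setup_db()
    print("user 10 via vulnerable lookup of 1537:", get_transcript_vulnerable(db, 1537))
    print("user 10 via checked lookup of 1537:", get_transcript_checked(db, 10, 1537))
    refs = indirect_references(db, 10)
    print("opaque references for user 10:", refs)
```

The ownership check belongs in the query (or in the data access layer) rather than in a separate `if` after the fetch, so that every code path that loads the object goes through it. The indirect map is the stronger option when the id itself is sensitive; it has to be stored per session or per user on the server side, not derived from the id.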
  14. A1 – Injection
     ● Technique to alter queries to the storage engine through a vulnerable application
     ● MySQL, MSQL, Postgres, LDAP, Access, Oracle, …
     ● We are going to focus on SQLi in this talk
     ● Many kinds of SQLi

  15. A1 – SQL Injection Goals
     ● Access personal data. Dump the database
     ● Dump local users (/etc/passwd)
     ● Access the organization's CMS
     ● Site infection
       – Malware propagation
       – Click abuse

  16. A1 – Famous SQL Injection I
     ● Lilupophilupop SQL Injection Attack Tops 1 Million Infected URLs
       – Searched for SQL injection on ASP or ColdFusion pages with Microsoft SQL Server
       – More than one million URLs infected
       – The attackers used persistent XSS to redirect users to pages showing fake computer issues, to sell a fake AV
     ● http://threatpost.com/lilupophilupop-sql-injection-attack-tops-1-million-infected-urls-010412/76054

  17. A1 – Famous SQL Injection II
     ● Barr's claims that he would unmask and extinguish Anonymous proved to be the proverbial last straw on the camel's back.
     ● Anonymous found a SQL injection:
       – http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
     ● Passwords were hashed, but Aaron just used lower case letters and numbers.
     ● Access to the CMS. Social engineering to reset the email password and access SSH. (Aaron used the same password for many services!)
     ● http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

  18. A1 – SQL Injection Types
     ● SQL Injection
     ● Blind SQLi
       – We can only use queries that return a boolean value (true or false)
       – It's very slow
       – Binary search to improve performance
     ● Time-based SQLi
       – Based on heavy queries (sleep)
       – Very slow

  19. A1 – SQL Injection Walkthrough I
     ● The database engine has metadata, a catalog, a schema or something similar
     ● This catalog stores all the database meta-information (table relations, whether a database exists, column names with length + datatype, …)
     ● Knowing the catalog of the vulnerable app is mandatory to perform a pentest

  20. A1 – SQL Injection Walkthrough II
     ● Search for the vulnerability (test app requests and check params)
       – Number of columns
       – Database names
     ● Table names
       – Column names
     ● Dump or insert data
     ● Download files
     ● Upload webshell

  21. A1 – SQL Injection Walkthrough III
     ● MySQL Catalog
       – Retrieve databases:
         SELECT schema_name FROM information_schema.SCHEMATA;
       – Retrieve tables from a specific database:
         SELECT table_schema, table_name FROM information_schema.TABLES WHERE table_schema = 'DATABASE';
       – Retrieve columns from a specific table:
         SELECT column_name, column_type FROM information_schema.columns WHERE table_name = 'TABLE' AND table_schema = 'DATABASE';
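Slides 14 to 21 describe what injection is and how a vulnerable application is walked through the catalog. The following Python is an added example written for this page, not the presentation's demo code: the string-built login query that makes injection possible beside its parameterized form, and a small access-log check that flags requests whose decoded query string names one of the information_schema tables from slide 21, which a legitimate request parameter should never contain. The users table, the hash value, the log lines and the function names are all constructed here; the store is an in-memory sqlite3 database (the catalog names in the signature are MySQL's, as on the slide).

```python
# Added example (not the presentation's demo code): the string-built login query
# beside its parameterized form, and a log check for the information_schema names
# the walkthrough slide lists. In-memory sqlite3; rows and log lines are constructed.
import re
import sqlite3
from typing import List, Optional
from urllib.parse import unquote_plus


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'CONSTRUCTED_HASH_1')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[str]:
    """Vulnerable form: input is spliced into the SQL text, so a quote in the
    username rewrites the WHERE clause instead of being compared as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> Optional[str]:
    """Hardened form: placeholders; the driver binds the values and they never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Catalog tables from the walkthrough slide, used as a detection signature: the
# application never puts these names into a request parameter, so a hit is worth triage.
CATALOG_SIGNATURE = re.compile(r"information_schema\.(schemata|tables|columns)", re.IGNORECASE)

# Constructed access-log lines (combined log format); the second one carries a
# URL-encoded quote followed by a catalog table name in the student parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2015:00:52:47 +0100] "GET /transcript.php?student=1536 HTTP/1.1" 200 812
203.0.113.5 - - [05/Mar/2015:00:52:48 +0100] "GET /transcript.php?student=1536%27+information_schema.SCHEMATA HTTP/1.1" 500 301
198.51.100.9 - - [05/Mar/2015:00:53:01 +0100] "GET /index.php?page=2 HTTP/1.1" 200 512
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_catalog_probes(log_text: str) -> List[str]:
    """Return 'client-ip decoded-path' for requests whose decoded query names a catalog table."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))  # match on the decoded form, not the raw URL
        if CATALOG_SIGNATURE.search(decoded):
            hits.append(line.split(" ", 1)[0] + " " + decoded)
    return hits


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with a quoted username:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized login with the same input:", login_safe(db, "alice' --", "wrong"))
    for hit in flag_catalog_probes(SAMPLE_LOG):
        print("catalog probe:", hit)
```

Parameterized queries are the fix for every injection type on slide 18, blind and time-based included, because the engine never parses user data as SQL. The log check is a cheap signal rather than a control: it sees only GET parameters in a standard access log (POST bodies and cookies, which slide 13 notes can carry the parameter too, need request logging at the application or WAF layer), and a 500 status next to a quoted parameter, as in the sample, is itself worth an alert.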
  22. A1 – SQL Injection Hacking Time :)

  23. Some Questions?? THANKS!!
     ● Jose Mato
       – http://josemato.name
       – @security4dev
       – https://github.com/josemato/
       – https://www.linkedin.com/in/josematomarino
