1. OWASP Top 10 Vulnerabilities
Lets exploit Injection and XSS
Kim Carter – ANZTB Monday 2013-08-26 Meetup

2. OWASP is coming to Christchurch
OWASP Day 2013
https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013
OWASP Resources
●
Top 10
●
Cheat Sheets
●
Tutorials
●
Guides
●
Projects, Tools and Code Libraries

3. Most common security vulnerabilities
found in web apps in 2013

4. Kali Linux
●
Free and open source (GNU Linux) OS
●
Targets professional security auditors and
penetration testers
●
All tools shipped are free and open source
●
No profit involved
●
Many of the over 300 security tools have been
provided as free versions that do the same job as
the paid for versions
Up and Running with Kali Linux

5. Discuss tools I use very frequently
FireFox Add-Ons
●
Tamper Data. Very simple proxy, but very easy
to use
●
Foxy proxy : a real time saver
●
HackBar
●
XSS Me
●
SQL Inject Me
Chrome extensions
●
FoxyProxy
●
Cookies
●
Edit this Cookie
Burp suite

6. There are a large number of training apps
and intentionally vulnerable web apps
freely available
I've organised three to work through to
wet your appetite
I'd encourage you to take them further

7. What is Injection
1.Attacker Injects (generally malicious) code into
website.
2.Change the course of execution on related
system/s. Gain information. Privilege escalation.
Manipulate / destroy stored data. Destroy
system/s.
Varieties
●
Command, SQL, Xpath, Query String
●
Lots of derivatives of these

8. Workshop WebGoat
Start here: http://owaspbwa/WebGoat/attack
Injection
Command Injection

9. Workshop DVWA
Start here: http://owaspbwa/dvwa
Injection
SQL String Injection

10. Injection Mitigation techniques
●
Similar techniques to XSS +
●
Avoid accessing external interpreters
●
Use well structured parameters
●
Least privilege
●
OWASP Prevention Cheat Sheets
●
Break it!
Further details found here:
https://www.owasp.org/index.php/Top_10_2013-A1-Injection

11. What is XSS
1.Attacker Injects (generally malicious) code into
website.
2.When victim requests website code, attackers
code is executed.
Varieties
●
File Upload
●
Reflected (non-persistent)
●
Stored
●
Lots of derivatives of these

12. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
File Upload XSS

13. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS
Handy Links:
URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp
ASCII: http://asciitable.com
XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

14. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS

15. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via HTML Attribute

16. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via AJAX

17. When the user clicks refresh button,
response looks like
In the mark-up the snippet looks like:

18. Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS via AJAX

19. XSS Mitigation techniques
●
Constrain all input fields to well structured
data
●
White-lists for each type of structured data
●
Sanitise
●
OWASP Prevention Cheat Sheets
●
Break it!
Further details found here:
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

21. Extra Resources
Sanitising User Input
http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-p
http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-p
Write-up on Kali Linux
http://pentestmag.com/
Tool junky? Check out this collection
http://www.softwareqatest.com/qatweb1.html

22. Deliberate Insecure Targets and Training
Platforms that I've screened.
●
Hacking Lab: https://www.hacking-lab.com/
●
Nebula: http://exploit-exercises.com/
●
gruyere: http://google-gruyere.appspot.com/ Can run locally, but
best to run from web
●
Web Security Dojo:
https://www.mavensecurity.com/web_security_dojo/
- VMware and Virtual Box versions. Looks like quite a bit of
documentation. Actively maintained.
- Vulnerable targets:
WebGoat
Gruyere
Damn Vulnerable Web App.
http://sourceforge.net/p/websecuritydojo/bugs/ says
database setup is broken

23. Deliberate Insecure Targets and Training
Platforms that I've screened.
w3af test website:
https://github.com/andresriancho/w3af-moth
VMware image
http://www.bonsai-sec.com/en/research/moth.php
Various other unmaintained websites
●
Dam Vulnerable Web Application (DVWA)
http://dvwa.co.uk/
Not sure where the documentation is? Maybe embedded in the
download?
●
Acunetix 1: http://testphp.vulnweb.com/ These three are online.
●
Acunetix 2: http://testasp.vulnweb.com/
●
Acunetix 3: http://testaspnet.vulnweb.com/
●
Mutillidae:
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibera
Easy to follow. Geared towards Classroom Environment.

24. Deliberate Insecure Targets and Training
Platforms that I've screened.
●
WebGoat
-Platform: J2EE web application
-Install: Self contained Tomcat server you can run from a
directory under Windows or Linux
-Notes: Love the fact it's so self contained and easy to run. By
default it only listens on the loop-back address, so you can run
it from your workstation a production network with little worries.
-Howto's: http://webappsecmovies.sourceforge.net/webgoat/
-Setting up on non localhost:
https://code.google.com/p/webgoat/wiki/FAQ
OWASP Broken Web Applications project:
-https://code.google.com/p/owaspbwa/wiki/UserGuide
This has a great selection of training apps along with
intentionally vulnerable apps.
-It contains a lot of the apps already discussed.