Rasheed Hussain, PhD
Assistant Professor,
Secure System and Network Engineering
r.hussain@innopolis.ru
https://sites.google.com/site/rasheedinfosec/
Offensive Technologies (OT)
March 30, 2017
Web Application Security
OWASP top 10 (2013)
 Motivation
 Causes of data breaches
 OWASP
◦ Top ten attacks
 Now what?
 Do it yourself
 Questions?
 In many cases the web application stores:
◦ Credit card details
◦ Personal information
◦ Passwords that also might be used elsewhere
 Media likes hacks
◦ Your company doesn’t…
 Governments want to enforce data protection
◦ USA
◦ Russia?
◦ EU will follow soon(?)
 Your company doesn’t like that
Lektober refers to October 2011, a month in which a data leak at a Dutch government agency, company or association was published every single day. The name was coined by the Dutch technology site Webwereld, whose editors reported leaks in the websites of public authorities, businesses and associations. The project was led by investigative journalist Brenno de Winter, who specialises in IT security and privacy.
 Do you share your Phone’s Location Data with
Everyone?
 Do you always stay logged in on social nets?
 Do you log into private services on public
computers?
 Do you share all kinds of data with retailers?
 Do you put too much trust in “secure” apps?
 Do you hook all your online services together?
http://lifehacker.com/how-you-leak-your-privacy-every-day-and-how-to-stop-1547653862
 In many cases caused by technical issues:
◦ Poor/no input filtering
◦ Outdated software with known weaknesses
◦ Weak passwords
 Non-techies are creating technical solutions:
◦ Click and play enterprise website
◦ Not aware of security issues
 Techies are also not always aware
◦ What about you?
 In many cases the issues are quite easy to solve
◦ If you know what to do…
 The same issues keep on coming back
◦ People make the same mistakes over and over again…
 Open Web Application Security Project (OWASP):
◦ Free and open
◦ Top ten project
 Documents the 10 most critical webapp security flaws
 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 Latest version: 2013
◦ Documents solutions
 For all popular webapp environments
https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
 Unvalidated redirects: e.g. a contact form forwards you to the home page after submitting your message, and the destination is taken from a request parameter
◦ http://www.example.com/redirect.jsp?url=/home.htm
 Malicious URLs might be used, because the link still starts with the trusted domain
◦ http://www.example.com/redirect.jsp?url=malware.com
◦ The victim submits the form and is sent to an external site that serves malware or a phishing page
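The fix for the redirect above is to validate the target before issuing the Location header. The following is an added example, not code from the slides: it assumes a hypothetical allow list of hosts (ALLOWED_HOSTS) and a fallback page, and shows the bypasses a naive "starts with /" check misses (protocol-relative //host, backslashes, userinfo, non-http schemes).

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed for the example; a real
# deployment would load this from configuration).
ALLOWED_HOSTS = {"www.example.com"}


def safe_redirect_target(url_param, fallback="/home.htm"):
    """Return a redirect target that stays on an allowed host.

    Anything that could send the browser elsewhere is replaced by `fallback`:
    absolute URLs to foreign hosts, protocol-relative URLs (//evil.example),
    non-http schemes (javascript:), userinfo tricks (host@evil.example) and
    backslash variants that browsers silently turn into slashes.
    """
    if not url_param:
        return fallback
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to a host on the allow list.
        if parts.scheme not in ("http", "https"):
            return fallback
        if parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return candidate
    # Relative URL: must be a plain absolute path with a single leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for value in ("/home.htm", "malware.com", "http://malware.com/",
                  "//malware.com/", "javascript:alert(1)",
                  "https://www.example.com/account"):
        print("%-35s -> %s" % (value, safe_redirect_target(value)))
```

Rejecting to a fixed fallback (rather than echoing the rejected value back in an error page) also avoids turning the check into a reflected XSS sink.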
 Keep your software up-to-date
◦ Patching doesn’t stop at operating system level!
 Database
 Web server
 Libraries
 …
 Lots of automated tools available
◦ Mapping: nmap, …
◦ Scanning: Nessus, Nexpose, …
◦ Exploiting: Metasploit, Canvas, …
◦ Script kiddies can and will do this!
 Nmap
◦ Open TCP ports: -sS (SYN scan, needs root) or -sT (full connect scan)
◦ Open UDP ports: -sU (slow; many ports come back as open|filtered)
◦ OS version: -O (add -sV for service and version detection)
◦ Wildcards: 192.168.1.*
◦ Range: 192.168.1.1-254
◦ Mask notation: 192.168.1.0/24
 Cross Site Request Forgery (23% by IBM)
 The attacker does not inject code into the target site; a page under the attacker’s control makes the victim’s browser send a request to a vulnerable 3rd party site
◦ Runs in the victim’s browser (an auto-submitting form, an <img> tag, a script)
◦ The browser attaches the victim’s cookies automatically, so the request arrives inside the victim’s authenticated session
 Example:
◦ Insert a money transfer request in a page the victim will view
 Forum post
 Email message (phishing)
 CSRF made easy!
https://www.youtube.com/watch?v=m0EHlfTgGUU
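The standard defence is a secret the attacker’s page cannot know: a per-session token the server checks on every state-changing request. The code below is an added example (not from the slides or the linked video); the bank endpoint, the session identifiers and the attacker page are constructed, and the token format (issued-at timestamp plus an HMAC over session id and timestamp) is one reasonable design, not the only one.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key, generated at process start (constructed for the example).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid

# What the attacker plants in a forum post or phishing mail: an auto-submitting
# form aimed at the bank. The browser adds the victim's cookies by itself, but
# the attacker cannot read the victim's token, so the form cannot carry one.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://bank.example/transfer">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById("f").submit();</script>
"""


def issue_csrf_token(session_id, now=None):
    """Token bound to one session: <issued-at>.<HMAC(session_id | issued-at)>."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_KEY, (session_id + "|" + ts).encode(), hashlib.sha256).hexdigest()
    return ts + "." + mac


def verify_csrf_token(session_id, token, now=None):
    """True only if the token was issued for this session and has not expired."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_KEY, (session_id + "|" + ts).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(form, session_id):
    """Simulated POST /transfer handler. `form` is the parsed request body,
    `session_id` comes from the session cookie the browser attached."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```

The token is embedded as a hidden field in the bank’s own forms (and as a header for XMLHttpRequest calls); because it is bound to the session, a token stolen from the attacker’s own account does not validate for the victim’s session.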
 Server side authorization checks are not performed on all actions (all functions)
 Attacks:
◦ Escalate from anonymous user to authenticated user
◦ Escalate from authenticated user to admin
 Examples:
◦ If /users/user1/show_accounts/ exists, it might be worth checking if /users/userN/show_accounts/ also exists
 Difficult to identify with automated tools (a scanner does not know which user is supposed to be allowed to call what)
 Hidden and unchecked parameter:
◦ Add to the POST data when updating a user:
&ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
◦ If the server binds every posted field onto the user object, the caller has just made themselves admin
https://www.youtube.com/watch?v=VMv_gyCNGpk&t=107s
Secure transport:
 Sending sensitive information over an unencrypted link
◦ No encryption / obfuscation
◦ Weak encryption
◦ Downgrade attacks
 Check for no encryption / obfuscation
◦ Sniff the data; a captured request carrying a Basic credential looks like this (the credential is only base64-encoded, so it decodes straight back to user:password):
GET http://target/INSTALL.pgsql.txt HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: target
Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
Connection: Close
Pragma: no-cache
Referer: http://target/robots.txt
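Pulling the credential out of such a capture is a few lines. This is an added example, not from the slides: the captured request is constructed (the real one above has its credential redacted), and the made-up user and password decode from the base64 value embedded in it.

```python
import base64
import re

# Constructed capture of one proxied HTTP request (not real traffic): the same
# shape as the request in the slides, with a made-up credential.
CAPTURE = (
    "GET http://target/INSTALL.pgsql.txt HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Host: target\r\n"
    "Proxy-Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n"
    "Connection: Close\r\n"
    "Referer: http://target/robots.txt\r\n"
    "\r\n"
)

# Basic credentials travel in either of these headers, base64-encoded, not encrypted.
AUTH_RE = re.compile(
    r"^(Proxy-Authorization|Authorization):\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
REQUEST_LINE_RE = re.compile(r"^[A-Z]+\s+(\S+)\s+HTTP/\d\.\d", re.MULTILINE)


def extract_basic_credentials(raw_http):
    """Return [(header, username, password)] for every Basic credential in the capture."""
    found = []
    for header, token in AUTH_RE.findall(raw_http):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        user, _, password = decoded.partition(":")
        found.append((header, user, password))
    return found


def sent_in_clear(raw_http):
    """True when the request-target itself shows the request went out over plain
    http:// (proxy form). For an origin-form request (GET /path) the request
    alone does not tell you; you need the port or the TLS layer of the capture."""
    m = REQUEST_LINE_RE.match(raw_http)
    return bool(m) and m.group(1).lower().startswith("http://")
```

The same check belongs in a proxy or IDS rule: any Authorization: Basic header seen on port 80 is a credential leak, whatever the application thinks it is doing.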
Secure transport:
 Weak transport encryption
◦ Allowed SSL/TLS protocol versions and ciphers
 Known flaws in SSLv2/3 (e.g. POODLE against SSLv3)
 SSLv2/3 still enabled in many cases
 Weak ciphers (export grade, RC4, …) can be cracked
 Test whether a server still accepts an old version by forcing the client to offer only that version:
 openssl s_client -ssl3 -connect www.google.com:443
 (-no_tls1 only switches off TLS 1.0 on the client side and does not force SSLv3; a handshake that succeeds with -ssl3 is the finding)
 Test for weak ciphers the same way: openssl s_client -cipher 'EXPORT:LOW:RC4' -connect www.google.com:443
◦ Weak algorithms
 E.g. MD5, SHA-1 in certificate signatures
https://mta.openssl.org/pipermail/openssl-users/2015-December/002399.html
Secure transport:
 Downgrade attacks
◦ Strip the SSL layer: sslstrip (a man-in-the-middle rewrites https:// links to http://, so the victim’s browser never starts TLS while the attacker talks TLS to the real site)
 http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
 http://www.youtube.com/watch?v=Dd5qGS-5C0I
◦ Hijack e.g. Facebook and Twitter sessions: Firesheep (sniffs session cookies that sites sent over plain HTTP on a shared network, no downgrade needed)
 http://codebutler.github.com/firesheep/
 http://www.youtube.com/watch?v=O3NAM8oG1WM
◦ IBM’s AppScan (not free)
https://www.youtube.com/watch?v=rYlzTQlF8Ws
 SSLstrip through a hotspot
https://avicoder.me/2016/02/22/SSLstrip-for-newbies/
Secure storage:
 Not encrypting sensitive data
 Using home grown algorithms
 Insecure use of strong algorithms (e.g. ECB mode, reused IVs, unsalted hashes)
 Continued use of proven weak algorithms (MD5, SHA-1, RC2, RC4, …)
 Hard coded keys, and storing keys in unprotected environments
 Real-life example (screenshot of a leaked user table): users with the same password have the same stored value, and the length of the stored value reveals the length of the password
 How to decode the passwords?
◦ Create your own account
◦ Password = ‘aaaaaaaa’
 Stored password “hash”, e.g. 0102030405060708
◦ Password = ‘bbbbbbbb’
 Stored password “hash”, e.g. 0203040506070809
◦ Etc.
◦ Find the link password ↔ hash: byte i is the letter’s position in the alphabet plus i, so this is a reversible encoding, not a hash
◦ Write a decoder (undo the +i and look the letter up)
for (i = 0; i < in.length(); i++)
print (alfabet(in.byte(i) - i))
◦ Decode all passwords
◦ Dump sensitive information
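The slides’ decoder, made concrete, next to what the application should have done. This is an added example, not the slides’ code: the encoding is reconstructed from the two sample values on the slide (aaaaaaaa → 01..08, bbbbbbbb → 02..09) and assumes lowercase letters only; the replacement uses salted PBKDF2-HMAC-SHA256, one of several acceptable password hashes (scrypt, bcrypt or Argon2 are equally good choices where available).

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def legacy_encode(password):
    """The reversible 'hash' reverse-engineered on the slides (reconstructed from
    the two samples): byte i is the letter's 1-based alphabet position plus i."""
    return bytes(ALPHABET.index(c) + 1 + i for i, c in enumerate(password)).hex()


def legacy_decode(stored_hex):
    """The decoder from the slides: undo the +i and the +1, look the letter up."""
    return "".join(ALPHABET[b - i - 1] for i, b in enumerate(bytes.fromhex(stored_hex)))


def hash_password(password, iterations=100_000, salt=None):
    """Salted, slow and one-way. The stored string carries its own parameters
    so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False
```

Two properties the legacy scheme lacks and the replacement has: equal passwords no longer produce equal stored values (random salt per user), and the stored value has a fixed length, so it no longer leaks how long the password is.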
 Out of the box installs
◦ Next, next, next, finish
 Find it using Google:
◦ Web front-end for Oracle
 intitle:iSQL intitle:Release inurl:isqlplus
◦ Indexing of sensitive information
 intitle:"Index of" .mysql_history
 filetype:pdf paspoortnummer koopcontract
 filetype:sql "phpMyAdmin SQL Dump"
◦ Many many useful Google Dorks online
 http://www.hackersforcharity.org/ghdb/
 Default passwords
◦ http://www.phenoelit-us.org/dpl/dpl.html
 iPhone botnet
◦ Default SSH password after jailbreak
 Routers
 Insecure direct object references: the user can access and modify object values by changing an identifier in the request
 Example:
◦ Login using your credentials
◦ Link refers to http://app/details?userid=1
◦ Script the download of all files: userid=[1-9999]
 Hashing the identifier doesn’t help
◦ The id space is small, so the attacker hashes every candidate id, or uses a reverse MD5 hash lookup
◦ http://tools.benramsey.com/md5/
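The fix for both the missing function level access control slides above (the /users/userN/show_accounts/ probe and the hidden cbxUserAdmin=on field) and the direct object reference here is the same: an authorization check on the server for every object and every function, plus an allow list of the fields a caller may set. The following is an added example, not from the slides; the users, accounts and endpoint names are constructed, and enumerate_accounts plays the attacker’s userid=[1-9999] script against the checked endpoint.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    name: str
    is_admin: bool = False


class Forbidden(Exception):
    pass


# Constructed in-memory data; a real app reads these from its database.
USERS = {1: User(1, "user1"), 2: User(2, "user2"), 7: User(7, "root", is_admin=True)}
ACCOUNTS = {1: ["NL01-0001"], 2: ["NL01-0002"], 7: []}

# Fields a user may change on their own record. is_admin is deliberately absent:
# a hidden cbxUserAdmin=on in the POST body must not be able to set it.
SELF_EDITABLE = {"name"}


def show_accounts(caller, target_user_id):
    """/users/<id>/show_accounts/ : object-level check on every request."""
    if caller.user_id != target_user_id and not caller.is_admin:
        raise Forbidden("not your accounts")
    return ACCOUNTS[target_user_id]


def update_user(caller, target_user_id, form):
    """POST /users/<id>/update : function-level check plus a field allow list."""
    if caller.user_id != target_user_id and not caller.is_admin:
        raise Forbidden("cannot edit other users")
    allowed = SELF_EDITABLE | ({"is_admin"} if caller.is_admin else set())
    rejected = set(form) - allowed
    if rejected:
        # Reject rather than silently ignore: an unexpected field is an attack signal,
        # and validating before applying avoids half-applied updates.
        raise Forbidden("fields not permitted: " + ", ".join(sorted(rejected)))
    target = USERS[target_user_id]
    for key, value in form.items():
        setattr(target, key, value == "on" if key == "is_admin" else value)
    return target


def enumerate_accounts(caller, id_range=range(1, 10000)):
    """The attacker's script from the slides (userid=[1-9999]) run against the
    checked endpoint: returns only the ids that actually answer."""
    visible = []
    for uid in id_range:
        if uid not in USERS:
            continue
        try:
            show_accounts(caller, uid)
            visible.append(uid)
        except Forbidden:
            pass
    return visible


def denied(fn, *args):
    """True if the call is refused; a small helper for the checks."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

Note that the check is against the caller’s identity from the server-side session, never against anything in the request: the userid in the URL is only used to name the object, not to prove who is asking.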
 The app uses unverified data in a SQL call that returns account information
 The attacker modifies the acct parameter in their browser to point to any account, e.g. admin
String sqlquery = "SELECT * FROM useraccounts WHERE account = ?";
PreparedStatement st = connection.prepareStatement(sqlquery, … );
st.setString(1, request.getParameter("acct"));
ResultSet results = st.executeQuery();
http://webapp.com/app/accountInfo?acct=admin
 Note: the prepared statement rules out SQL injection, but nothing checks that the logged-in user is allowed to see the account they asked for
 Cross Site Scripting
◦ Attacker can inject untrusted snippets of JS into your
application without validation
◦ JS is then executed by the victim who visits the target
site
◦ 3 types of XSS
 Reflected XSS
 Attacker sends the victim a link to the target app through
email, social media, etc.
 The link has script embedded which executes when target site
is visited
 Stored XSS
 Attacker plants persistent script in target website…
 Around 17% of all apps are vulnerable to XSS
according to IBM
 Cross Site Scripting Effects
◦ Execute scripts in the victim’s browser
 Hijack user sessions
 Deface web sites
 Insert hostile content
 Conduct phishing attacks
 Take over the user’s browser using scripting malware
◦ In most cases Javascript based
 Also applicable to other scripting languages
 Types Revisited
◦ Reflective
 Code injected by e.g. sending phishing email
 victim.com/get.php?id=<script>alert(123)</script>
 E.g. one phishing email per attack
◦ Stored
 Evil code is stored in the database
 Store once, run for all users
 E.g. store <script>alert(123)</script> in record for
welcome message of CMS
◦ DOM-based
 No HTTP request is required, the script is injected as a
result of modifying the DOM of the target site in the
client side code in the victim’s browser and executed
 Advanced tools are out there to abuse flaws
◦ Tunnel traffic using XSS
 http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf
 http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
 Prevention
◦ Use vetted libraries or frameworks that escape output by default
◦ Encode output for the context it lands in (HTML body, attribute, JavaScript, URL)
◦ Use the HttpOnly attribute on session cookies so injected script cannot read them (limits the impact, does not stop the injection)
◦ Input validation
◦ Demonstration
https://www.youtube.com/watch?v=i38LMZyKIqI
 Broken authentication and session management
 A vulnerability that allows the capture or bypass
of authentication methods
 Most common authentication
◦ Username and Password
 Approximately 23% of applications suffer from this type of vulnerability
 Steps to log in
◦ User provides credentials
◦ Username= john, Password=asdf1234
◦ The information is submitted to the application
◦ Session ID is generated and linked to the credentials
 Sessionid=1gLXXEnpGewaf14LieSDkNVPWL37H7D7Bm
 Web apps can fail to protect these values
◦ Unencrypted connections
◦ Predictable Login credentials
◦ Session value does not timeout or does not get
invalidated after logout
◦ User credentials are not protected when stored
◦ Session IDs used in URLs
 Predictable sessions IDs allow an attacker to:
◦ Disconnect all users
◦ Hijack existing sessions
 Weak implementations typically use:
◦ Sequential numbers
◦ Hash of sequential numbers
◦ Time elapsed since starting of server / service
◦ Demo
https://www.youtube.com/watch?v=HsExXjBhR0Y
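What a weak scheme from the list above looks like next to a sound one, as an added example that is not part of the slides or the demo: the counter-based store, the user names and the timeout are constructed, and hijack_by_guessing is the attacker’s side (enumerate the candidate IDs a sequential scheme can produce and keep the ones the server accepts).

```python
import hashlib
import secrets
import time

SESSION_TTL = 900   # idle timeout in seconds
SESSIONS = {}       # session_id -> {"user": ..., "last_seen": ...}, kept server side


def predictable_session_id(counter):
    """What the weak implementations on the slide do (constructed): a hash of a
    sequential number. Hashing adds no entropy; anyone can recompute the IDs."""
    return hashlib.md5(str(counter).encode()).hexdigest()


# A store filled by such a weak scheme: three logged-in users, counters 1..3.
WEAK_SESSIONS = {predictable_session_id(n): "user%d" % n for n in range(1, 4)}


def hijack_by_guessing(store, max_counter=1000):
    """Attacker: try every ID a counter-based scheme could have issued and keep
    the ones the store recognises. Against random IDs this finds nothing."""
    hits = []
    for n in range(max_counter):
        sid = predictable_session_id(n)
        if sid in store:
            hits.append(store[sid])
    return hits


def new_session(user, now=None):
    """Issue a fresh 256-bit random ID at login (never reuse a pre-login ID,
    which is what session fixation relies on)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid


def resolve_session(sid, now=None):
    """User for a live session, or None. Expired sessions are destroyed server side."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]
        return None
    entry["last_seen"] = now
    return entry["user"]


def logout(sid):
    """Invalidate on the server; clearing the cookie in the browser is not enough."""
    return SESSIONS.pop(sid, None) is not None
```

The random ID should only ever travel in a cookie with Secure and HttpOnly set, never in the URL, where it ends up in browser history, proxy logs and Referer headers.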
 SQL-injection
 The same flaw exists for other interpreters (LDAP, XPath, OS commands, …)
 User input is directly used in a query
◦ Manipulation of the database query
◦ User input ‘search’ = alex
◦ Backend uses select details from users where name=‘alex’
◦ Attacker input ‘search’ = alex’ or 1=1--
◦ Backend uses select details from users where name=‘alex’ or 1=1--’
 The -- comments out the trailing quote and 1=1 is always true
 Display all records
 Advanced tools are out there to abuse flaws
◦ File upload
◦ File download
◦ OS command execution
◦ …
 sqlmap
◦ http://sqlmap.sourceforge.net/
◦ http://www.youtube.com/watch?v=ylttGlSkrGU
◦ Tunnel shell over http using SQL-injection!
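The search example from the slides, runnable against an in-memory SQLite database. This is an added example, not from the slides or sqlmap: the users table and its rows are constructed. The vulnerable function builds the statement by string formatting exactly as the slide describes; the safe one binds the value as a parameter, so the identical input becomes an ordinary (non-matching) name.

```python
import sqlite3


def make_db():
    """Constructed users table (in memory) standing in for the slides' backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, details TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alex", "alex@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def search_vulnerable(conn, search):
    """User input pasted straight into the statement, as on the slide."""
    sql = "select details from users where name='%s'" % search
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, search):
    """Bound parameter: the driver sends the value separately from the statement,
    so the value can never change the query's structure."""
    return [row[0] for row in conn.execute("select details from users where name=?", (search,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("alex", "alex' or 1=1--", "x' union select name from sqlite_master--"):
        print("%-45s vulnerable=%s safe=%s" % (value, search_vulnerable(db, value), search_safe(db, value)))
```

The UNION input in the usage block is the first step tools like sqlmap automate: once the attacker controls the WHERE clause they read the schema catalogue, then every other table. (sqlite3’s execute refuses stacked statements, so a `; drop table` suffix fails in this driver; that is a property of the driver, not a defence.)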
 Example
 Demo (demo.testfire.net)
◦ Classic ASP page that opens a database connection and runs a query (note the connection as sa: anything injected runs with full database privileges):
<%
SQLquery = "SELECT * FROM roguetable"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
Set rec = Server.CreateObject("ADODB.RecordSet")
rec.ActiveConnection = Conn
rec.Open SQLquery
%>
 Example
 Demo (demo.testfire.net)
◦ The same page, with the user ID in the connection string replaced by the injected value DATA'-- :
<%
SQLquery = "SELECT * FROM roguetable"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=websql;UID=DATA'--;PWD=pwd;DATABASE=master"
Set rec = Server.CreateObject("ADODB.RecordSet")
rec.ActiveConnection = Conn
rec.Open SQLquery
%>
 Comments: -- (MS SQL, Oracle, PostgreSQL; MySQL needs a space after it), # (MySQL) and /* … */ hide the rest of the statement from the parser
https://www.youtube.com/watch?v=KnQIbyK779I
 Detection:
◦ Detection of well-known attacks using IDS
◦ Check web server logs
◦ Check network flows
◦ Difficult to detect all attacks!
 Prevention:
◦ Use good practices
 http://www.owasp.org/index.php/Category:OWASP_Guide_Project
◦ Review and/or test the application before going live
 Source code review
 http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
 Penetration test
 http://www.owasp.org/index.php/Category:OWASP_Testing_Project
 http://www.owasp.org/index.php/Appendix_A:_Testing_Tools
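A minimal version of the “check web server logs” item above: signature matching over decoded request targets, plus a count of client errors per source (forced browsing and brute forcing show up as clients collecting 403s and 404s). This is an added example, not from the slides; the access-log lines are constructed in Apache combined format and carry the payloads used earlier on this page, and the signatures are deliberately simple, so expect false positives (and misses) on real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format), not from any real system.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2017:10:00:01 +0300] "GET /search?q=alex HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Mar/2017:10:00:02 +0300] "GET /search?q=alex%27%20or%201%3D1-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Mar/2017:10:00:03 +0300] "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/7.50"
198.51.100.2 - - [30/Mar/2017:10:00:04 +0300] "GET /app/accountInfo?acct=admin HTTP/1.1" 403 0 "-" "python-requests/2.13"
203.0.113.9 - - [30/Mar/2017:10:00:05 +0300] "GET /images/logo.png HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Matched against the URL-decoded request target. Crude on purpose; tune before use.
SIGNATURES = {
    "sqli": re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e/", re.I),
}


def scan_log(text):
    """Return (client ip, signature name, raw target) for every line that matches."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group("target"))  # decode once; payloads arrive encoded
        for name, pattern in SIGNATURES.items():
            if pattern.search(target):
                hits.append((m.group("ip"), name, m.group("target")))
    return hits


def count_client_errors(text):
    """4xx responses per client: forced browsing and brute forcing leave this trail."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status").startswith("4"):
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%-14s %-9s %s" % hit)
    print(count_client_errors(SAMPLE_LOG))
```

Decoding before matching matters: the raw log shows %27 and %3C, which no signature written for the quote or angle bracket would catch; double-encoded payloads would still slip past a single unquote, which is one reason the slides call detection of all attacks difficult.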
 Hacking is not allowed
◦ “Computer Crime Act” (in Russia: articles 272 to 274 of the Criminal Code cover unauthorized access, malicious software and misuse of computer systems)
◦ Testing without breaking in is also not allowed
 If you want to test your (organization’s) apps:
◦ Use a letter of authorization
 Document the type of activities you will be performing
 Document the IPs that will be tested
 Signed by the system’s owner
 More hands on hacking:
◦ Hacking Exposed books
 http://www.webhackingexposed.com/products.html
◦ Certified Ethical Hacker
 https://www.eccouncil.org/certification/certified_ethical_hacker.aspx

More Related Content

Similar to 6 - Web Application Security.pptx

Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Matt Lacey
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!ThreatReel Podcast
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
 
Secure Android Development
Secure Android DevelopmentSecure Android Development
Secure Android DevelopmentShaul Rosenzwieg
 
Toward a Mobile Data Commons
Toward a Mobile Data CommonsToward a Mobile Data Commons
Toward a Mobile Data CommonskingsBSD
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
 
Database security for PHP
Database security for PHPDatabase security for PHP
Database security for PHPRohan Faye
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
10 server security hacks to secure your web servers
10 server security hacks to secure your web servers10 server security hacks to secure your web servers
10 server security hacks to secure your web serversTemok IT Services
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012WordCamp Sydney
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesBrian Huff
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 

Similar to 6 - Web Application Security.pptx (20)

Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
 
Secure Android Development
Secure Android DevelopmentSecure Android Development
Secure Android Development
 
Toward a Mobile Data Commons
Toward a Mobile Data CommonsToward a Mobile Data Commons
Toward a Mobile Data Commons
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
Database security for PHP
Database security for PHPDatabase security for PHP
Database security for PHP
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
10 server security hacks to secure your web servers
10 server security hacks to secure your web servers10 server security hacks to secure your web servers
10 server security hacks to secure your web servers
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 

Recently uploaded

Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactisticshameyhk98
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsNbelano25
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111GangaMaiya1
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17Celine George
 
Basic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationBasic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationNeilDeclaro1
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answersdalebeck957
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17Celine George
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningMarc Dusseiller Dusjagr
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 

Recently uploaded (20)

Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Philosophy of china and it's charactistics
Philosophy of china and it's charactisticsPhilosophy of china and it's charactistics
Philosophy of china and it's charactistics
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Basic Intentional Injuries Health Education
Basic Intentional Injuries Health EducationBasic Intentional Injuries Health Education
Basic Intentional Injuries Health Education
 
latest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answerslatest AZ-104 Exam Questions and Answers
latest AZ-104 Exam Questions and Answers
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learning
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

6 - Web Application Security.pptx

  • 1. Rasheed Hussain, PhD Assistant Professor, Secure System and Network Engineering r.hussain@innopolis.ru https://sites.google.com/site/rasheedinfosec/ Offensive Technologies (OT) March 30, 2017 Web Application Security OWASP top 10 (2013)
  • 2.  Motivation  Causes of data breaches  OWASP ◦ Top ten attacks  Now what?  Do it yourself  Questions?
  • 3.  In many cases the web application stores: ◦ Credit card details ◦ Personal information ◦ Passwords that also might be used elsewhere  Media likes hacks ◦ You company doesn’t…  Governments want to enforce data protection ◦ USA ◦ Russia? ◦ EU will follow soon(?)
  • 4.  Your company doesn’t like that Lektober is used as a reference to the month of October 2011 in which there every day sensitive data from a federal government agency, company or association was announced. The name was given by the Dutch technology site: Macworld. The editors of Macworld hacked the websites of public authorities, business networks or associations. At the head of the editorial was Brenno de Winter, Brenno specializing in IT security and privacy. He was the leading investigative journalist in the Lektober project.
  • 5.
  • 6.  Do you share your Phone’s Location Data with Everyone?  Do you always stay logged in on social nets?  Do you log into private services on public computers?  Do you share all kinds of data with retailers?  Do you put too much trust in “secure” apps?  Do you hook all your online services together? http://lifehacker.com/how-you-leak-your-privacy-every-day-and-how-to-stop-1547653862
  • 7.
  • 8.  In many cases caused by technical issues: ◦ Poor/no input filtering ◦ Outdated software with known weaknesses ◦ Weak passwords  Non-techies are creating technical solutions: ◦ Click and play enterprise website ◦ Not aware of security issues  Techies are also not always aware ◦ What about you?  In many cases the issues are quite easy to solve ◦ If you know what to do…
  • 9.  The same issues keep on coming back ◦ People make the same mistakes over and over again…  Open Web Application Security Project (OWASP): ◦ Free and open ◦ Top ten project  Documents the 10 most critical webapp security flaws  http://www.owasp.org/index.php/Category:OWASP_Top_Te n_Project  Latest version: 2013 ◦ Documents solutions  For all popular webapp environments https://storage.googleapis.com/google-code-archive- downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
  • 10.
  • 11.  E.g. contact form forwards you to the home page after submitting your message ◦ http://www.example.com/redirect.jsp?url=/home.htm  Malicious URLs might be used ◦ http://www.example.com/redirect.jsp?url=malware.com ◦ Download malware from external site after submitting form
  • 12.  Keep your software up-to-date ◦ Patching doesn’t stop at operating system level!  Database  Web server  Libraries  …  Lots of automated tools available ◦ Mapping: nmap, … ◦ Scanning: Nessus, Nexpose, … ◦ Exploiting: Metasploit, Canvas, … ◦ Script kiddies can and will do this!
  • 13.  Nmap ◦ Open tcp ports ◦ Open udp ports ◦ OS version ◦ Wildcards ◦ Range ◦ Mask notation
  • 14.  Cross Site Request Forgery (23% by IBM)  Inject code that: ◦ Runs in the victim’s browser ◦ Open a session to a vulnerable 3rd party service  Using the victim’s credentials  Example: ◦ Insert a money transfer in a page  Forum post  Email message (phising)  CSRF made easy! https://www.youtube.com/watch?v=m0EHlfTgGUU
• 15.
 Server side authorization checks are not performed on all actions (all functions)
 Attacks:
  ◦ Escalate from anonymous user to authenticated user
  ◦ Escalate from authenticated user to admin
 Examples:
  ◦ If /users/user1/show_accounts/ exists, it might be worth checking if /users/userN/show_accounts/ also exists
 Difficult to identify with automated tools
• 16.
 Hidden and unchecked parameter:
  ◦ Add to POST data when updating a user: &ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
 https://www.youtube.com/watch?v=VMv_gyCNGpk&t=107s
• 17. Secure transport:
 Sending sensitive information over an unencrypted link
  ◦ No encryption / obfuscation
  ◦ Weak encryption
  ◦ Downgrade attacks
 Check for no encryption / obfuscation
  ◦ Sniff data
GET http://target/INSTALL.pgsql.txt HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: target
Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=
Connection: Close
Pragma: no-cache
Referer: http://target/robots.txt
• 18. Secure transport:
 Weak transport encryption
  ◦ Allowed SSL ciphers
     Known flaws in SSLv2/3
     SSLv2/3 still enabled in many cases
     Weak ciphers can be cracked
     openssl s_client -no_tls1 -connect www.google.com:443 (?)
  ◦ Weak algorithms
     E.g. MD5, SHA-1
 https://mta.openssl.org/pipermail/openssl-users/2015-December/002399.html
• 19. Secure transport:
 Downgrade attacks
  ◦ Strip SSL layer: sslstrip
     http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
     http://www.youtube.com/watch?v=Dd5qGS-5C0I
  ◦ Hijack e.g. Facebook and Twitter sessions: Firesheep
     http://codebutler.github.com/firesheep/
     http://www.youtube.com/watch?v=O3NAM8oG1WM
  ◦ IBM’s AppScan (Not Free) https://www.youtube.com/watch?v=rYlzTQlF8Ws
  • 20.  SSLstrip through hotspot https://avicoder.me/2016/02/22/SSLstrip-for-newbies/
• 22. Secure storage:
 Not encrypting sensitive data
 Using home grown algorithms
 Insecure use of strong algorithms
 Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, …)
 Hard coded keys, and storing keys in unprotected environments
• 23.
 Real-life example (screenshot of a stored password table): the same passwords produce the same stored values (<password>1, <password>2, …), and passwords of different lengths produce stored values of different lengths
• 24.
 How to decode the passwords?
  ◦ Create your own account
  ◦ Password = ‘aaaaaaaa’
     Stored password hash, e.g. 0102030405060708
  ◦ Password = ‘bbbbbbbb’
     Stored password hash, e.g. 0203040506070809
  ◦ Etc.
  ◦ Find the link password ↔ hash
  ◦ Write a decoder: for (i = 0; i < in.length(); i++) print (alphabet(in.position(i) + i))
  ◦ Decode all passwords
  ◦ Dump sensitive information
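Added example (not from the slides): a model of the home-grown per-position shift scheme the slides describe, showing why it is a reversible encoding rather than a hash, next to a salted PBKDF2 record that gives equal passwords unrelated stored values. The alphabet (lowercase letters plus digits) and the record format are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Constructed model of the slide's scheme (assumption: alphabet is a-z plus 0-9):
# every character is replaced by the alphabet entry shifted by its own index.
ALPHABET = string.ascii_lowercase + string.digits


def weak_encode(password: str) -> str:
    """Per-position shift: same password -> same output, and the length is preserved."""
    n = len(ALPHABET)
    return "".join(ALPHABET[(ALPHABET.index(c) + i) % n] for i, c in enumerate(password))


def weak_decode(stored: str) -> str:
    """Exact inverse of weak_encode: the stored value is an encoding, not a hash."""
    n = len(ALPHABET)
    return "".join(ALPHABET[(ALPHABET.index(c) - i) % n] for i, c in enumerate(stored))


def strong_hash(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: two users with the same password get unrelated records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt_hex, _ = record.split("$")
    candidate = strong_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, record)


if __name__ == "__main__":
    # 'aaaaaaaa' and 'bbbbbbbb' give the shifted-by-one patterns the slide shows.
    print(weak_encode("aaaaaaaa"), weak_encode("bbbbbbbb"))
    print(weak_decode(weak_encode("asdf1234")))
    print(strong_hash("asdf1234"), strong_hash("asdf1234"), sep="\n")
```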
• 27.
 Out of the box installs
  ◦ Next, next, next, finish
 Find it using Google:
  ◦ Web front-end for Oracle
     intitle:iSQL intitle:Release inurl:isqlplus
  ◦ Indexing of sensitive information
     intitle:"Index of" .mysql_history
     filetype:pdf paspoortnummer koopcontract
     filetype:sql "phpMyAdmin SQL Dump"
  ◦ Many many useful Google Dorks online
     http://www.hackersforcharity.org/ghdb/
  • 28.  Default passwords ◦ http://www.phenoelit-us.org/dpl/dpl.html
• 29.
 iPhone botnet
  ◦ Default SSH password after jailbreak
 Routers
• 30.
 User can access and modify object values
 Example:
  ◦ Login using your credentials
  ◦ Link refers to http://app/details?userid=1
  ◦ Script download of all files
     userid=[1-9999]
 Hashing doesn’t help
  ◦ Reverse MD5 hash lookup
  ◦ http://tools.benramsey.com/md5/
• 32.
 The app uses unverified data in a SQL call
 The attacker modifies the query parameter in their browser to point to Admin
String sqlquery = "SELECT * FROM useraccounts WHERE account = ?";
PreparedStatement st = connection.prepareStatement(sqlquery, … );
st.setString(1, request.getParameter("acct"));
ResultSet results = st.executeQuery();
 http://webapp.com/app/accountInfo?acct=admin
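Added example (not from the slides or the OWASP document): the insecure direct object reference above, rebuilt in Python on an in-memory SQLite table. The query is parameterised in both versions, so this is not SQL injection; the fix is to make ownership part of the lookup. Table contents and column names are constructed.

```python
import sqlite3
from typing import Optional, Tuple

Row = Tuple[str, str, int]


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the slide's useraccounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE useraccounts (account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO useraccounts VALUES (?, ?, ?)", [
        ("acct-1001", "john", 250),
        ("acct-1002", "alex", 900),
        ("admin", "admin", 1_000_000),
    ])
    return conn


def account_info_vulnerable(conn: sqlite3.Connection, acct: str) -> Optional[Row]:
    """Bound parameter (no injection), but whoever is logged in can read any account:
    ?acct=admin returns the admin row."""
    return conn.execute("SELECT * FROM useraccounts WHERE account = ?", (acct,)).fetchone()


def account_info_fixed(conn: sqlite3.Connection, session_user: str, acct: str) -> Optional[Row]:
    """Authorization is part of the query: the row must belong to the session's user.
    Unauthorised and nonexistent accounts both yield None, so the response does not
    reveal which account ids exist."""
    return conn.execute(
        "SELECT * FROM useraccounts WHERE account = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, john asks for admin:", account_info_vulnerable(db, "admin"))
    print("fixed, john asks for admin:     ", account_info_fixed(db, "john", "admin"))
    print("fixed, john asks for own account:", account_info_fixed(db, "john", "acct-1001"))
```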
• 33.
 Cross Site Scripting
  ◦ Attacker can inject untrusted snippets of JS into your application without validation
  ◦ JS is then executed by the victim who visits the target site
  ◦ 3 types of XSS
     Reflected XSS
       Attacker sends the victim a link to the target app through email, social media, etc.
       The link has script embedded which executes when target site is visited
     Stored XSS
       Attacker plants persistent script in target website…
  • 34.  Around 17% of all apps are vulnerable to XSS according to IBM
• 35.
 Cross Site Scripting Effects
  ◦ Execute scripts in the victim’s browser
     Hijack user sessions
     Deface web sites
     Insert hostile content
     Conduct phishing attacks
     Take over the user’s browser using scripting malware
  ◦ In most cases JavaScript based
     Also applicable to other scripting languages
• 36.
 Types Revisited
  ◦ Reflective
     Code injected by e.g. sending phishing email
     victim.com/get.php?id=<script>alert(123)</script>
     E.g. one phishing email per attack
  ◦ Stored
     Evil code is stored in the database
     Store once, run for all users
     E.g. store <script>alert(123)</script> in record for welcome message of CMS
  ◦ DOM-based
     No HTTP request is required: the script is injected by client-side code that modifies the DOM of the target site in the victim’s browser, and is executed there
• 37.
 Advanced tools are out there to abuse flaws
  ◦ Tunnel traffic using XSS
     http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf
     http://www.portcullis-security.com/tools/free/xssshell-xsstunnell.zip
• 38.
 Prevention
  ◦ Use vetted libraries or frameworks
  ◦ Use HttpOnly attribute
  ◦ Input validation
  ◦ Demonstration https://www.youtube.com/watch?v=i38LMZyKIqI
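Added example (not from the slides): the stored-XSS case from the CMS welcome-message slide, rendered once without and once with output encoding, plus the HttpOnly session cookie the prevention slide recommends. The page template, the stored record and the cookie name are constructed.

```python
import html
import re

# Constructed CMS record: the slide's payload saved as the site's welcome message.
WELCOME_MESSAGE = "Welcome! <script>alert(123)</script>"

# Constructed page template; the message lands inside an HTML element.
PAGE = "<html><body><h1>{message}</h1></body></html>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_vulnerable(message: str) -> str:
    """Untrusted data dropped straight into the markup: the stored script runs for every visitor."""
    return PAGE.format(message=message)


def render_safe(message: str) -> str:
    """Output encoding for the HTML context: <, >, &, ' and " become entities,
    so the browser displays the payload as text instead of executing it."""
    return PAGE.format(message=html.escape(message, quote=True))


def contains_active_script(page: str) -> bool:
    """Crude audit check: does a real <script> tag survive in the rendered page?"""
    return bool(SCRIPT_TAG.search(page))


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps document.cookie from exposing the session id even if some script
    does run; Secure keeps the cookie off plain HTTP (ties in with the transport slides)."""
    return f"Set-Cookie: sessionid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_vulnerable(WELCOME_MESSAGE))
    print(render_safe(WELCOME_MESSAGE))
    print(session_cookie_header("constructed-session-id"))
```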
  • 39.  Broken authentication and session management
• 40.
 A vulnerability that allows the capture or bypass of authentication methods
 Most common authentication
  ◦ Username and Password
 Approximately 23% of applications suffer from this type of vulnerability
• 41.
 Steps to log in
  ◦ User provides credentials
  ◦ Username=john, Password=asdf1234
  ◦ The information is submitted to the application
  ◦ Session ID is generated and linked to the credentials
     Sessionid=1gLXXEnpGewaf14LieSDkNVPWL37H7D7Bm
• 42.
 Web apps can fail to protect these values
  ◦ Unencrypted connections
  ◦ Predictable login credentials
  ◦ Session value does not time out or does not get invalidated after logout
  ◦ User credentials are not protected when stored
  ◦ Session IDs used in URLs
• 43.
 Predictable session IDs allow an attacker to:
  ◦ Disconnect all users
  ◦ Hijack existing sessions
 Weak implementations typically use:
  ◦ Sequential numbers
  ◦ Hash of sequential numbers
  ◦ Time elapsed since starting of server / service
  ◦ Demo https://www.youtube.com/watch?v=HsExXjBhR0Y
• 44.
 SQL-injection
 Also applicable for other languages
 User input is directly used in a query
  ◦ Manipulation of database query
  ◦ User input ‘search’ = alex
  ◦ Backend uses select details from users where name='alex'
  ◦ Attacker input ‘search’ = alex' or 1=1--
  ◦ Backend uses select details from users where name='alex' or 1=1--' (the -- comments out the closing quote)
     Display all records
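Added example (not from the slides): the search query above, built once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table so the difference in results for the slide's input is visible.

```python
import sqlite3
from typing import List


def make_users() -> sqlite3.Connection:
    """Constructed users table standing in for the slide's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, details TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alex", "alex@example.test"),
        ("john", "john@example.test"),
        ("admin", "root@example.test"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, search: str) -> List[str]:
    """Query assembled from the raw input, exactly as the slide describes.
    With search = "alex' or 1=1--" the statement becomes
    select details from users where name='alex' or 1=1--'  and returns every row."""
    query = "select details from users where name='" + search + "'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn: sqlite3.Connection, search: str) -> List[str]:
    """Bound parameter: the whole input is compared as one literal string,
    so "alex' or 1=1--" simply matches no user name."""
    return [row[0] for row in conn.execute("select details from users where name=?", (search,))]


if __name__ == "__main__":
    db = make_users()
    attacker_input = "alex' or 1=1--"
    print("vulnerable:", search_vulnerable(db, attacker_input))
    print("safe:      ", search_safe(db, attacker_input))
```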
• 45.
 Advanced tools are out there to abuse flaws
  ◦ File upload
  ◦ File download
  ◦ OS command execution
  ◦ …
 sqlmap
  ◦ http://sqlmap.sourceforge.net/
  ◦ http://www.youtube.com/watch?v=ylttGlSkrGU
  ◦ Tunnel shell over http using SQL-injection!
• 47.
 Example
 Demo (demo.testfire.net)
  ◦ <%
    SQLquery="SELECT * FROM roguetable"
    Set Conn=Server.CreateObject("ADODB.Connection")
    Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
    Set rec=Server.CreateObject("ADODB.RecordSet")
    rec.ActiveConnection=Conn
    rec.Open SQLquery
    %>
• 48.
 Example
 Demo (demo.testfire.net)
  ◦ <%
    SQLquery="SELECT * FROM roguetable"
    Set Conn=Server.CreateObject("ADODB.Connection")
    Conn.Open "DSN=websql;UID=DATA'-- ;PWD=pwd;DATABASE=master"
    Set rec=Server.CreateObject("ADODB.RecordSet")
    rec.ActiveConnection=Conn
    rec.Open SQLquery
    %>
 Comments https://www.youtube.com/watch?v=KnQIbyK779I
• 50.
 Detection:
  ◦ Detection of well-known attacks using IDS
  ◦ Check web server logs
  ◦ Check network flows
  ◦ Difficult to detect all attacks!
 Prevention:
  ◦ Use good practices
     http://www.owasp.org/index.php/Category:OWASP_Guide_Project
  ◦ Review and/or test the application before going live
     Source code review
       http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
     Penetration test
       http://www.owasp.org/index.php/Category:OWASP_Testing_Project
       http://www.owasp.org/index.php/Appendix_A:_Testing_Tools
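Added example (not from the slides) for the "check web server logs" point: a small log review that flags the three patterns shown earlier in the deck, the `' or 1=1--` search input, the `<script>alert(123)</script>` parameter and one client walking consecutive `userid` values. The access-log lines are constructed in Common Log Format; the signatures and threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2017:10:00:01 +0300] "GET /app/details?userid=1 HTTP/1.1" 200 512
10.0.0.5 - - [30/Mar/2017:10:00:02 +0300] "GET /app/details?userid=2 HTTP/1.1" 200 498
10.0.0.5 - - [30/Mar/2017:10:00:02 +0300] "GET /app/details?userid=3 HTTP/1.1" 200 510
10.0.0.5 - - [30/Mar/2017:10:00:03 +0300] "GET /app/details?userid=4 HTTP/1.1" 200 505
10.0.0.9 - - [30/Mar/2017:10:01:10 +0300] "GET /search?search=alex%27+or+1%3D1-- HTTP/1.1" 200 9001
10.0.0.9 - - [30/Mar/2017:10:01:30 +0300] "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 300
10.0.0.7 - - [30/Mar/2017:10:02:00 +0300] "GET /app/details?userid=42 HTTP/1.1" 200 511
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures for the two injection patterns the slides show; applied after URL decoding.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
}
USERID_RE = re.compile(r"[?&]userid=(\d+)")

Alert = Tuple[str, str, str]  # (kind, client ip, evidence)


def analyse(log_text: str, enum_threshold: int = 3) -> List[Alert]:
    """Return one alert per signature hit plus one per client enumerating userid values."""
    alerts: List[Alert] = []
    userid_hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real reviewer would count these too
        ip, path = m["ip"], unquote_plus(m["path"])
        for kind, sig in SIGNATURES.items():
            if sig.search(path):
                alerts.append((kind, ip, path))
        uid = USERID_RE.search(path)
        if uid:
            userid_hits[ip].append(int(uid.group(1)))
    # Object enumeration (the userid=[1-9999] slide): consecutive ids from one client.
    for ip, ids in userid_hits.items():
        if len(ids) >= enum_threshold and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            alerts.append(("idor_enum", ip, f"userid {ids[0]}..{ids[-1]}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```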
• 51.
 Hacking is not allowed
  ◦ “Computer Crime Act” (Is there any in Russia?)
  ◦ Testing without breaking in is also not allowed
 If you want to test your (organization’s) apps:
  ◦ Use a letter of authorization
     Document the type of activities you will be performing
     Document the IPs that will be tested
     Signed by the system’s owner
• 52.
 More hands on hacking:
  ◦ Hacking Exposed books
     http://www.webhackingexposed.com/products.html
  ◦ Certified Ethical Hacker
     https://www.eccouncil.org/certification/certified_ethical_hacker.aspx