It seems like every day that another company's logo is plastered across the media and they have lost thousands, if not millions of customer records. This kind of data loss is damaging to a company's reputation and their customers have little control of their private information. Attackers often want this data for financial gain or to embarrass that company. There are several methods a malicious attacker will use to gain access to this data. Injection-based attacks leverage an application's lack of input validation to extract information and allow for unauthorized data access. In addition, the platform on which the application resides can be leveraged to gain unauthorized admin access and ultimately, data access. Both scenarios will be discussed and demonstrated in this talk. Finally, mitigating steps will be discussed at every level of the attack. The approach will be a defense in depth model that will proactively protect a web application. While there is no silver bullet against a determined attacker, these mitigations will make their lives more difficult.

1. Breaching a Web Application
Common Issues and Mitigating Steps

2. My Name is Jason
Frank Director of Veris Group’s Adaptive
Threat Division
Trainer for Black Hat
You can find me at @jasonjfrank
Hello!

3. Agenda
◉An Attacker’s View
◉Injection Attacks 101
◉Misconfigurations
◉Remediation and Mitigations

4. An Attacker’s View1

5. Testing Process
Discovery
ExploitationPost Exploitation
Pre-
Assessment
Activities
Post-
Assessment
Activities

6. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png

7. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png

8. http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png
DMZ
Protected
Enclave
Internet

9. https://www.w3.org/2005/03/Demos/insurance.png

10. https://www.w3.org/2005/03/Demos/insurance.png

11. ◉Provides free documentation on offensive and
defensive application measures
◉Curated “OWASP Top Ten” Vulnerabilities
◉OWASP Web Testing Guide
◉Contains material for:
Web Applications
Mobile
Software Development
Tools

12. https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png

13. https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png

14. Injection Attacks
1012

15. Injection Attacks
◉Occurs when unintended data is sent to an
application
◉Proper input validation / server-side validation
is not being performed
◉A dynamically built query can be altered to
execute arbitrary calls or requests
◉Common Types of Injection
SQL
XML
OS Command

16. https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg

17. Users
Posts
Comments
Themes
Wordpress
Server
WPDB
User
WP Table

18. Users
Posts
Comments
Themes
Wordpress
Server
DBA WP
Table
Names
SSNs
Salaries
Addresses
HR
App

19. “
Quotations are commonly printed
as a means of inspiration and to
invoke philosophical thoughts from
the reader.

20. SQL Injection
Tools
◉Burp Suite Pro Scanner(Identification)
◉SQLMap
◉SQLNinja

21. Misconfigurations3

22. Misconfigurations
◉Serves as a catchup for many facets of the
implementation
◉Can occur at all levels of the technology stack
◉Identifies both technical and procedural
weaknesses

23. Operating System
Web Servers
Applications
Add-ons

24. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

25. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

26. http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/

27. DMZ
Protected
Enclave
Internet
Internal
Systems

28. DMZ
Protected
Enclave
Internet
Internal
Systems

29. DMZ
Protected
Enclave
Internet
Internal
Systems

30. DMZ
Protected
Enclave
Internet
Internal
Systems

31. DMZ
Protected
Enclave
Internet
Internal
Systems

32. DMZ
Protected
Enclave
Internet
Internal
Systems

33. Tools
◉Nikto
◉Web Scanners
Acunetix
NTOSpider
Burp Suite Pro
◉Vulnerability Scanners
Nessus
NeXpose

34. Remediation and
Mitigation4

35. OWASP SAMM
◉Software Assurance Maturity Model
◉Integrating Assessment and Review Activities
throughout your SDLC
◉Based on your organization’s security drivers
◉https://www.owasp.org/index.php/Category:Softw
are_Assurance_Maturity_Model

36. Static Reviews
Source code reviews
that are incorporated
throughout the
development cycle.
A Note About
Testing Types
Dynamic Testing
Assessment of the final
solution in an
operational context.

37. SQL Injection
Prevention
◉OWASP has language specific recommendations
◉Parameterized Queries
◉Input Validation – White Listing
◉Escaping User Input
◉https://www.owasp.org/index.php/SQL_Injection_
Prevention_Cheat_Sheet#Defense_Option_1:_Pr
epared_Statements_.28Parameterized_Queries.
29

38. Misconfiguration
Prevention
◉Review of all technologies in the stack
◉Implement available hardening guides
◉Have your solution dynamically tested
periodically

39. Any questions ?
You can find me at
◉ @jasonjfrank
◉ Slides posted at:
http://www.slideshare.net/jasonjfrank
Thanks!