This document outlines an agenda for a training on web application hacking and security. It introduces common web application vulnerabilities like injection, broken authentication, cross-site scripting, and more. Examples of real-world hacking incidents are provided. The bulk of the training focuses on the OWASP Top 10 list of critical security risks, demonstrating each one through examples and a demo of the WebGoat vulnerability practice application. The training concludes with a discussion of additional topics and a question/answer period.

1. HACKING 101
Henallux, 2nd October 2014
Olivier Houyoux
Technology Security Architect @ Nitroxis Sprl

2. SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. Limited scope of this intervention
4. Owasp – Top 10 (2013)
5. Demo Web Hacking Simulation Walkthrough
6. Summary
7. Questions

3. DO WE NEED WEB APP.
SECURITY?
 Well managed infrastructure
 Important data on web applications
 Malware spreading

4. EXAMPLES
1. Barack Obama

5. EXAMPLES
1. Barack Obama
2. Maria Sharapova

6. EXAMPLES
1. Barack Obama
2. Maria Sharapova
3. Samy Kamkar

7. EXAMPLES
1. Barack Obama
2. Maria Sharapova
3. Samy Kamkar
4. Kevin Poulsen

8. EXAMPLES
1. Barack Obama
2. Maria Sharapova
3. Samy Kamkar
4. Kevin Poulsen
5. …

9. PREREQUISITES
Risk Threat Vulnerability Impact

10. OPEN WEB APPLICATION
SECURITY PROJECT
Make software security visible
 Cheat Sheets, Tutorials, Testing guides…
 Tools (WebGoat, WebScarab, …)
 Library (ESAPI)
 …

11. OWASP TOP 10
Broad consensus about what the most critical web
application security flaws are.

12. OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidatde Redirects and Forwards

13. OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidatde Redirects and Forwards

14. WEBGOAT
is a deliberately insecure web application designed to
teach web application security lessons.

15. A1 – INJECTION
User input injected without checking
 SQL Injection example
 LDAP, Command, XPATH, …

16. A2 – SESSION MANAGEMENT
1. Session Hijacking
 Stealing authenticated user’s session ID
2. Session Fixation
 Forcing user’s session ID
 Example

17. A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to victim without validation and / or
escaping
XSS allows attackers to execute script in browsers to:
 hijacking users’ sessions,
 redirecting user to malicious site,
 …
1. Reflected XSS example
2. Stored XSS example

18. A5 – SECURITY MISCONFIGURATION
 Secure configuration defined and deployed for the:
 application,
 frameworks,
 application server,
 web server,
 database server,
 platform.
 Example

19. A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data (credit cards, authentication
credentials, ...)
Encryption at rest or in transit

20. A7 – MISSING ACCESS CONTROL
Verify function level acces:
 before making functionality visible in GUI ✓
 when each function is accessed ✗
Access control bypass example

21. A8 – CROSS-SITE REQUEST FORGERY
2. User visits forum.com 1. User authenticates to bank.com
3. Page contains tag
<img
src=bank.com/transfer.jsp?account=atta
cker&amount=300000>
CSRF example
4. User’s browser makes GET request
bank.com/transfer.jsp?account=attacker&
amount=300000
without user knowing

22. A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
String location = (String) request.getParameter(« to »);
response.sendRedirect(location);
3. User thinks (s)he’s accessing trusted.com but is in fact
at evil.com

23. SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures,
Awareness
Physical
Perimeter
Internal Network
Host
App
Data

24. AND NOW …
 bWAPP
 OWASP Top 10
 CWE 25
 Mitigations (SANS, OWASP Cheat Sheets, …)
 Web Services (SOAP & REST)
 Mobile
 And more …

25. QUESTIONS ?

26. FOLLOW US ON …
nitroxis Nitroxis.BE
@Nitroxis_sprl
Nitroxis sprl
Training and Certification for
information Security
Professionals

27. ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.0
Date 2/10/2014
Mail Contact (at) nitroxis.be
Website www.nitroxis.be