HOW LOW TO MEDIUM VULNS CAN OWN YOUR SITE
IT’S JUST A FLESH WOUND!
ALLOW ME TO INTRODUCE…. MYSELF!
• whoami: Brett Gravois
• @security_panda
• Email: staticeffect@staticeffect.com
• Application Security Enthusiast
• Test of Pens/Application Security Engineer
• OWASP Chapter Leader
• Owner of a Majestic Beard
General CYA Verbiage
1) Everything stated in this talk is to be considered my own opinion, and not an official representation of my Employer. Some assembly required. Each sold separately. Batteries not included. Keep out of reach of children.
2) Don’t test sites that you DO NOT have prior permission to test on!
Oh, and please don’t be this guy.
WHAT WE ARE COVERING…
• Our Story Begins
• NetSec vs AppSec
• What is AppSec?
• AppSec overview
• Why is AppSec so hard?
• Examples
• TL;DR
OUR STORY BEGINS….
• While working on a Perimeter Scanning Services team, I would see a lot of different vulnerability findings. However, many tended to be Informational/Low/Medium vulnerabilities.
• The most common customer response was “This is a low severity finding, and more than likely does not affect me/my network/my web application/my customers/data,” without even looking to see how it affects them.
NETSEC VS APPSEC
Show of hands: how many of you are Application Security folks?
NETSEC VS APPSEC
As found on the internet:
A simple way to think of it is in terms of devices you have in your kitchen: microwave, toaster, blender. The "network level" is the connection, perhaps the electricity powering the devices in our example. The "application level" is specific to the thing; perhaps it involves what you put into the device or the buttons you press.
So in our example, a "network level attack" would be something like cutting the power or sending the wrong voltage. An "application level attack" would be something like putting tinfoil in the microwave.
NETSEC
• Historically, network security has focused on the network, firewalls, and the perimeter.
• Vulnerabilities tend to be known CVEs with a “fairly reliable” rating system.
• Vulnerability management programs are shaped around network security.
NETSEC
• Best example is CVE-2008-4250
• Better known as MS08-067
• CVSS of 10
• Network exploitable
• We know that we can get a remote shell
WHAT IS APPSEC?
• AppSec is what an organization does to protect its critical data from external threats by ensuring the security of all of the software used to run the business, whether built internally, bought or downloaded. Application security helps identify, fix and prevent security vulnerabilities in any kind of software application.
WHY IS APPSEC SO HARD?
• No two web applications are the same.
• DAST tools use CWEs, which tend to be a little looser than CVEs.
• A web “vulnerability” is an unintended flaw or weakness in the application that leads it to process critical data in an insecure way. Essentially we are finding zero days within the code.
• Fun fact: About 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types.
WHY ARE THESE BEING MISSED?
• No training
• No time
• Don’t care
• I just want to check a box (PCI/SOX/HIPAA).
WHY ARE WE EVEN TALKING ABOUT THIS?
USER CREDENTIALS SENT IN CLEAR TEXT
• I now know your username and password.
• Password reuse rates are between 12 and 20 percent.
• Session token hijacking to access the site in question.
• All we need to do is copy the URL and paste it into another browser!
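A defender-side check for the two problems on this slide (a login form posting over plain HTTP, and a session token carried in the URL so that a copied link reuses the session), as an added example that is not part of the original talk. It assumes Apache-style access logs in the vhost_combined format (host:port first); the log lines and the credential paths are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample lines (Apache "vhost_combined"-style, host:port first).
# These are made up for the example, not real traffic.
SAMPLE_LOG = """\
www.example.test:80 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 302 0
www.example.test:443 203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /account HTTP/1.1" 200 5120
www.example.test:443 198.51.100.9 - - [10/Oct/2023:13:58:01 +0000] "GET /account?PHPSESSID=9f3a1c2e7b HTTP/1.1" 200 5120
www.example.test:443 198.51.100.9 - - [10/Oct/2023:13:58:05 +0000] "GET /static/logo.png HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(?P<host>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Query-string parameter names that commonly carry a session identifier.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session", "token"}
# Paths whose POST body carries credentials (assumption: tune per application).
CREDENTIAL_PATHS = {"/login", "/signin", "/auth"}


def audit_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request that exposes a session or a credential."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path, _, query = m["path"].partition("?")
        param_names = {p.split("=", 1)[0].lower() for p in query.split("&") if p}
        if param_names & SESSION_PARAMS:
            findings.append({"ip": m["ip"], "request": m["path"],
                             "issue": "session token in URL (copy-paste reuses the session)"})
        # Port 80 with no TLS is taken as plain HTTP (assumption: no TLS terminator in front).
        if m["method"] == "POST" and path in CREDENTIAL_PATHS and m["port"] == "80":
            findings.append({"ip": m["ip"], "request": m["path"],
                             "issue": "credentials posted over plain HTTP"})
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['request']}: {f['issue']}")
```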
HTTP DEBUG TURNED ON
• Pretty much designed to show information or execute remote code.
• This is how Patreon was breached.
INFORMATION LEAKAGE
• I now know what OS / web server version / database version you are using.
• Now it is possible to use this information to look up the out-of-date IIS/NGINX/PHP version you are running.
WEBDAV ENABLED
• Edit files
• Deface website
• Remote code execution
• There are even tools to help deface a site for you
LOCAL FILE INCLUSION
• Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log"
• Remotely execute commands by combining this vulnerability with other attack vectors, such as a file upload vulnerability or log injection
• Best example of this is the Joomla Component om_svmap v1.1.1 LFI vulnerability.
CONTENT TYPE IS NOT SPECIFIED
• Failure to explicitly specify the type of the content served by the requested resource can allow attackers to conduct Cross-Site Scripting attacks by exploiting the inconsistencies in the content sniffing techniques employed by browsers.
• Can also be the gateway to unrestricted file upload.
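A response header audit that covers both this slide and the information leakage slide above, as an added example that is not part of the original talk: it parses a raw HTTP response, flags Server and X-Powered-By values that disclose a version, a missing Content-Type, and a missing X-Content-Type-Options: nosniff (the header that tells browsers not to sniff). Both responses below are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample responses (made up for this example, not captured traffic).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
    "<html><body>uploaded file echo</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
    "<html><body>uploaded file echo</body></html>"
)

# A "/" followed by a dotted number, e.g. "Apache/2.2.15" or "PHP/5.3.3".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line and body are dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = parse_headers(raw)
    issues: List[str] = []
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            issues.append(f"{name} discloses a version: {h[name]}")
    if "content-type" not in h:
        issues.append("Content-Type missing: browser will sniff the body")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options: nosniff not set")
    return issues


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["ok"])
```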
TL;DR
• The differences between network security and application security.
• A few examples of Low/Medium/Info ranked vulnerabilities and how they could be used.
• In short: don’t discount vulnerabilities just because they are ranked low by your scanner. Knowing your application is key.
• And…..
QUESTIONS? COMMENTS?
