Recommended
More Related Content
What's hot
What's hot (20)
Similar to Its just a flesh wound
Similar to Its just a flesh wound (20)
Recently uploaded
Recently uploaded (20)
Its just a flesh wound
- 1. HOW LOW TO MEDIUM VULNS CAN OWN YOUR SITE
- 2. IT’S JUST A FLESH WOUND!
- 3. ALLOW ME TO INTRODUCE…. MYSELF! whoami: Brett Gravois @security_panda Email: staticeffect@staticeffect.com Application Security Enthusiast Test of Pens/Application Security Engineer OWASP Chapter Leader Owner of a Majestic Beard
- 4. General CYAVerbiage 1) Everything stated in this talk is to be considered my own opinion, and not an official representation of my Employer. Some assembly required. Each sold separately. Batteries not included. Keep out of reach of children. 2) Don’t test sites that you DO NOT have prior permission to test on! Oh And Please Don’t Be This Guy
- 5. WHAT WE ARE COVERING… q Our Story Begins q NetSec Vs AppSec q What is AppSec? q AppSec overview q Why is AppSec so Hard? q Examples q TL;DR
- 6. OUR STORY BEGINS…. § While working on a Perimeter Scanning Services team, I would see a lot of different Vulnerability Findings. However, many tended to be Informational/Low/Med Vulnerabilities. § The most common Customer response tended to be “This is a low severity finding, and more than likely does not effect me/my network/my web application/my customers/data.” Without even looking to see how this effects them.
- 7. NETSEC VS APPSEC Show of Hands, how many of you are Application Security Folks?
- 8. NETSEC VS APPSEC As found on the internet: A simple way to think of it is in terms of devices you have in your kitchen; microwave, toaster, blender.The "network level" is the connection. Perhaps the electricity powering the devices in our example.The "application level" is specific to the thing, perhaps it involves what you put into the device or the buttons you press. So in our example, a "network level attack" would be something like cutting the power or sending the wrong voltage. An "application level attack" would be something like putting tinfoil in the microwave.
- 9. NETSEC q Historically Network security has been a focus on the Network, Firewalls, and the Perimeter. qVulnerabilities tend to be know CVE’s with a “fairly reliable” rating system. qVulnerability Management programs are shaped around Network security.
- 10. NETSEC qBest example is CVE-2008-4250 qBetter known as MS08-067 qCVSS of 10 qNetwork Exploitable qWe know that we can get a Remote Shell
- 11. WHAT IS APPSEC? qAppSec is what an organization does to protect its critical data from external threats by ensuring the security of all of the software used to run the business, whether built internally, bought or downloaded. Application security helps identify, fix and prevent security vulnerabilities in any kind of software application.
- 12. WHY IS APPSEC SO HARD? qNo two Web Applications are the same. qDAST tools are using CWEs, which tend to be a little looser than CVEs qA web “vulnerability” is an unintended flaw or weakness in the application that leads it to process critical data in an insecure way. Essentially we are finding Zero Days within the code. qFun fact: About 70 percent of all applications had at least one vulnerability classified as one of the top 10 web vulnerability types.
- 13. WHY ARE THESE BEING MISSED? q No Training q No Time q Don’t Care q I just want to check a box (PCI/SOX/HIPPA).
- 14. WHY ARE WE EVEN TALKING ABOUT THIS?
- 15. USER CREDENTIALS SENT IN CLEAR TEXT q I now know your username and password. q Password reuse rates are between 12 and 20 percent.
- 16. USER CREDENTIALS SENT IN CLEAR TEXT § I now know your username and password. § Password reuse rates are between 12 and 20 percent.
- 18. § Session Token High jacking to access the site in question. § All we need to do is copy the URL and paste it into another browser!
- 19. HTTP DEBUG TURNED ON qPretty much designed to show information or execute remote code qThis is how Patreon was breached
- 21. INFORMATION LEAKAGE qI now know your what OS/Web Server Version/Database Version you are using. qNow it is possible to use this information to look up your out of date IIS/NGINX/PHP Version you are running.
- 22. WEBDAV ENABLED q Edit Files q Deface Website q Remote Code Execution q There are even tools to help deface a site for you
- 23. LOCAL FILE INCLUSION q Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log“ q Remotely execute commands by combining this vulnerability with another attack vectors, such as file upload vulnerability or log injection q Best Example of this is the Joomla Component om_svmap v1.1.1 LFI Vulnerability.
- 25. CONTENT TYPE IS NOT SPECIFIED qFailure to explicitly specify the type of the content served by the requested resource can allow attackers to conduct Cross-Site Scripting attacks by exploiting the inconsistencies in content sniffing techniques employed by the browsers. qCan also be the gateway to unrestricted file upload.
- 32. TL;DR
- 33. TL;DR qThe differences between Network Security and Application Security. qA few examples of Low/Med/Info ranked Vulnerabilities and how they could be used. qIn short: Don’t Discount vulnerabilities just because it is ranked low by your scanner. Knowing your application is key. qAnd…..