© COPYRIGHT 2017 COVEROS, INC. ALL RIGHTS RESERVED. 1
Agility. Security. Delivered.
How to test for (the new)
OWASP Top 10 in 10 Minutes?
An all out sprint by Ben Pick
A1 - Injection
Username: admin
Password: myPassword
select * from Users where user_id = 'admin' and password = 'myPassword'

Username: ' OR 1=1; --
Password: myPassword
select * from Users where user_id = '' OR 1=1; -- and password = 'myPassword'
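Worked example for the login bypass shown above (added here; not code from the slides or from Coveros). It builds a constructed in-memory Users table with Python's sqlite3 module, runs the slide's concatenated query beside a parameterized one, and feeds both the slide's payload. The payload is written without the semicolon so the injected text stays a single statement; plaintext passwords are kept only to mirror the slide.

```python
import sqlite3

# Constructed stand-in for the slide's Users table (two rows, plaintext only
# to mirror the slide; real systems store password hashes).
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE Users (user_id TEXT PRIMARY KEY, password TEXT)")
conn.executemany("INSERT INTO Users VALUES (?, ?)",
                 [("admin", "myPassword"), ("alice", "s3cret")])


def login_vulnerable(user_id: str, password: str) -> bool:
    """String-concatenated query, the shape shown on the slide."""
    sql = ("select * from Users where user_id = '" + user_id
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(user_id: str, password: str) -> bool:
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "select * from Users where user_id = ? and password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None


# The slide's payload without the trailing semicolon: the "--" comment
# swallows the rest of the WHERE clause, including the password check.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run both login paths with a valid credential and with the payload."""
    return {
        "vuln_valid": login_vulnerable("admin", "myPassword"),
        "vuln_injected": login_vulnerable(PAYLOAD, "wrong"),
        "param_valid": login_parameterized("admin", "myPassword"),
        "param_injected": login_parameterized(PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The concatenated path accepts the payload because the resulting SQL is `... user_id = '' OR 1=1 --' and password = 'wrong'`; the parameterized path looks for a user literally named `' OR 1=1 --` and finds none. This is the behaviour sqlmap probes for automatically, and the reason the fix is binding parameters rather than filtering quotes.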
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
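A defensive pre-check for the XXE document above (added example, not from the slides or Coveros). Before any XML from a client reaches the parser it is scanned for a DOCTYPE that declares an external entity or pulls in an external DTD, and under a strict policy for any inline DTD at all; only clean documents are handed to ElementTree. The regexes and the policy are this example's own assumptions; the standard mitigation in practice is to disable DTD processing in the parser (for example via the defusedxml package).

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Any <!ENTITY ... SYSTEM|PUBLIC ...> or <!DOCTYPE name SYSTEM|PUBLIC ...>
# is an external reference: the XXE vector on the slide.
_EXTERNAL_DECL = re.compile(
    rb"<!ENTITY\s+[^>]*?\b(SYSTEM|PUBLIC)\b|<!DOCTYPE\s+[^\[>]*\b(SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)

# The slide's document, byte for byte.
SLIDE_XXE = (b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
             b'<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
             b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
             b'<foo>&xxe;</foo>')
# Constructed samples: an internal-only DTD and a DTD-free document.
INLINE_DTD = b"<!DOCTYPE foo [<!ENTITY a 'b'>]><foo>&a;</foo>"
CLEAN = b'<?xml version="1.0"?><order><id>42</id></order>'


def xxe_risk(document: bytes) -> Optional[str]:
    """Return the reason the document should be refused, or None if clean."""
    if _EXTERNAL_DECL.search(document):
        return "external entity or external DTD declared"
    if _DOCTYPE.search(document):
        return "inline DTD present"   # strict policy: clients never send DTDs
    return None


def parse_untrusted(document: bytes) -> ET.Element:
    """Parse only after the pre-check; raise ValueError otherwise."""
    reason = xxe_risk(document)
    if reason:
        raise ValueError("refusing XML: " + reason)
    return ET.fromstring(document)


def is_refused(document: bytes) -> bool:
    try:
        parse_untrusted(document)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("slide", SLIDE_XXE), ("inline", INLINE_DTD), ("clean", CLEAN)):
        print(label, "->", xxe_risk(doc) or "parsed <%s>" % parse_untrusted(doc).tag)
```

Logging the returned reason gives the detection signal the A7 slide asks for: a client submitting a DOCTYPE to an endpoint that never needs one is worth an alert on its own.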
A1 - Injection, tools
A2 - Broken Authentication and Session
Management
• http://example.com/sale/mycart?sessionid=abcd
• http://internalcompanyHRservice.com/search?role=user
• Cookie replay from valid session
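The three bullets above are the failure modes a session store has to close: an id carried in a URL, an id that is never rotated, and a cookie that keeps working after logout. The server-side store below is an added example (not the slides' or Coveros' code) that issues opaque random ids, rotates the id at login so a pre-login id never becomes authenticated, drops the id at logout so a replayed cookie fails, and expires idle sessions; the 15-minute idle timeout and the cookie attributes are assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60   # seconds; assumed policy value for the example


class SessionStore:
    """Server-side session table; the cookie carries only an opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Rotate on privilege change: whatever id the browser held before
        # login (even one supplied in a URL like ?sessionid=abcd) dies here.
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # replaying the old cookie now fails

    def current_user(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        s["last_seen"] = self._clock()
        return s["user"]


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the id off the URL and away from scripts."""
    return f"Set-Cookie: sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Exercise the store with a fake clock so the timeout is testable."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    pre_login = store.create_anonymous()
    auth = store.login(pre_login, "alice")
    results = {
        "pre_login_id_rejected": store.current_user(pre_login) is None,
        "new_id_works": store.current_user(auth) == "alice",
    }
    store.logout(auth)
    results["replay_after_logout"] = store.current_user(auth) is None
    bob = store.login(store.create_anonymous(), "bob")
    now[0] += IDLE_TIMEOUT + 1
    results["idle_expired"] = store.current_user(bob) is None
    return results


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header(secrets.token_urlsafe(32)))
```

When testing a real application, the same four checks apply by hand: does the id change at login, does the old cookie still work after logout, does it work after the idle window, and does the application ever accept an id from the query string.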
A3 - Cross Site Scripting (XSS)
• Client-side scripts interpreted by the end user
<script>alert('Label XSSed')</script>
<script>alert(123)</script>
<script>alert(document.cookie)</script>
A3 – XSS, Tools
A4 - Broken Access Controls
• http://example.com/app/accountInfo?acct=notmyacct
• https://example.com/auth
• https://example.com/myprofile?action=updatepassword
• https://example.com/admin
A5 - Security Misconfigurations
• Look for default passwords!
A6 - Sensitive Data Exposure
• Look for stacktraces, relative or absolute directory structures, listings
of running software and versions
• User objects that include name, SSN, DoB, address…
• IP addresses, usernames, and os information in source code
• View page source
A7 – Insufficient Attack Protections
• Detect
• Prevent
• Patch
A8 - Cross Site Request Forgery
• www.bank.com/transfermymoney=-1000&toaccount=maliciousBen
A9 - Using Components with Known Vulnerabilities
• Vulnerable components = vulnerable application
A10 – Underprotected APIs
• http://www.example.com/supersecretendpoint?internalfile=notmine
• http://www.example.com/deleteaccount?acct=12345
Summary – Good Security Testing
• Send garbage input
• Malicious content
• Attempt to obfuscate to avoid detection
• Try to break frameworks and processes
• Do the unexpected
• Play “What if” with the application
• Assume a service or server is compromised and determine the impact
Supplemental Notes: Tools Mentioned
• Static Analysis:
  • SonarQube
  • HP Fortify
  • Sonatype CLM
  • OWASP Dependency Check
• Dynamic Analysis:
  • sqlmap
  • Wfuzz
  • w3af
  • Burp Suite (Free or Professional)
  • OWASP Zed Attack Proxy
  • SOAP UI
  • ModSecurity
  • Wireshark
  • Contrast RASP
Editor's Notes

  1. * The tools and processes I recommend are simply things which I have used on my projects or personal research which worked for me. There are many additional alternatives out there and I try to include both open source and commercial products. Intro into Coveros -> local software company who specializes in creating secure code and DevOps solutions. Focus on tools, less on techniques. Not in depth -> list tools instead. Ending -> now here is another related talk (Coveros presents). I will be available after the talk to answer some questions. And if you like what you heard here, please attend the talk X about Y… Before leaving for Japan, drop presentation onto Google Drive in case Gene needs to take care of anything.
  2. What is the OWASP Top 10? It is a list of vulnerabilities created by security professionals to define the most critical security risks. There are multiple OWASP Top 10 lists, but their flagship list is the OWASP Top 10 Most Critical Web Application Security Risks. This talk highlights the release candidate for 2017. Although this candidate was recently rejected, the vulnerabilities have not changed drastically throughout the years, and the methods of detection and the tools used will provide a stronger security posture for your applications.
  3. Yeah. This slide is a little light. I’ve found a lot of issues with scanning tools and determining correctly if SQL injection is possible and, if so, how or what may be gained. Manual testing is important and you need to understand how SQL injection works, but the initial steps may be automated with a tool such as sqlmap. As the name implies, sqlmap focuses on SQL injection attempts. To expand on the security tests performed, why not also use Wfuzz, a web application brute-forcing tool which attempts to find and exploit various known issues. In terms of XXE, that really requires an in-depth knowledge of how data is stored and passed within the application.
  4. The OWASP Zed Attack Proxy, or ZAP for short, and Burp Suite Professional will attempt to find available web pages and fuzz data entry points. However, a tool can only take you so far. You can also use Wfuzz or a similar tool. However, these are only an initial step. The tester must attempt to break the business logic of an application, meaning the responsibility for testing this should fall on someone very familiar with the target application. Running a blind scan may be as detrimental as not running a scan at all. Manual testing scenarios: attempt to break password reset functions, or log in as an administrator, record the pages traversed and attempt to reach them as a lower-privileged user.
  5. Mention obfuscation
  6. This is the first slide where I really highlight ZAP and Burp because it’s the first slide where they tend to do well. These tools attempt to find where injection may be possible, but I have found those instances to be full of false positives in identifying a legitimate SQL injection vulnerability as opposed to just a part of the application which interacts with the database. Likewise for broken authentication, I have found these tools can quickly iterate through known or common authentication issues, but that they are incapable of a deep dive into an underlying business logic flaw. These tools do tend to do a great job at identifying XSS instances and in iterating through a wide library of vulnerabilities to verify if the vulnerability is exploitable.
  7. Formerly Insecure Direct Object References and Missing Function Level Access Control. Much like authentication, tools such as Burp and ZAP attempt to break or identify weak access controls. These must also be supplemented with manual testing. Manual testing: I like running through 4 different steps to test access. (1) Log in as an administrator, browse to a critical file and perform an admin function. (2) Log in as a regular user and attempt to access the file and admin function. Browse around to find a personal file for this account and perform a process unique to this user. (3) Log in as another regular user, preferably with different credentials or access rights, and attempt to access the other regular user’s personal file and perform the process unique to that user. Also attempt to perform previously identified admin functions. (4) Access the web app as an unauthenticated user. Attempt to reach and perform all of the above files and functions.
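The four-step walk in note 7 is a matrix of (who, what, expected outcome), which is exactly what a regression test can replay after every build. The harness below is an added example (not the slides' or Coveros' code): it models a constructed application with the slide's three endpoints, one of which deliberately trusts the acct parameter, then runs the matrix as an admin, the owner, another regular user and an unauthenticated visitor and reports every cell whose status differs from what the policy expects. All users, accounts, sessions and status codes are assumptions for the example.

```python
from typing import Dict, List, Optional

# Constructed sessions and account ownership for the model application.
SESSIONS = {"sess-admin": ("root", "admin"),
            "sess-alice": ("alice", "user"),
            "sess-bob": ("bob", "user")}
ACCOUNTS = {"acct-1001": "alice", "acct-1002": "bob", "acct-1": "root"}


def app(path: str, params: Dict[str, str], session: Optional[str],
        enforce_ownership: bool = False) -> int:
    """Return an HTTP status for a request against the model application."""
    if path == "/auth":
        return 200                       # public login page
    who = SESSIONS.get(session)
    if who is None:
        return 401                       # unauthenticated
    user, role = who
    if path == "/admin":
        return 200 if role == "admin" else 403
    if path == "/myprofile" and params.get("action") == "updatepassword":
        return 200                       # acts on the session's own user
    if path == "/app/accountInfo":
        acct = params.get("acct", "")
        if acct not in ACCOUNTS:
            return 404
        # Without enforce_ownership this is the IDOR from the slide:
        # any logged-in user can read any account (acct=notmyacct).
        if enforce_ownership and ACCOUNTS[acct] != user and role != "admin":
            return 403
        return 200
    return 404


# The access matrix from the four-step walk: label, path, params, session, expected.
CASES = [
    ("admin reaches admin page", "/admin", {}, "sess-admin", 200),
    ("user blocked from admin page", "/admin", {}, "sess-alice", 403),
    ("anon blocked from admin page", "/admin", {}, None, 401),
    ("alice reads own account", "/app/accountInfo", {"acct": "acct-1001"}, "sess-alice", 200),
    ("admin reads alice's account", "/app/accountInfo", {"acct": "acct-1001"}, "sess-admin", 200),
    ("bob reads alice's account", "/app/accountInfo", {"acct": "acct-1001"}, "sess-bob", 403),
    ("anon reads alice's account", "/app/accountInfo", {"acct": "acct-1001"}, None, 401),
    ("anon changes password", "/myprofile", {"action": "updatepassword"}, None, 401),
    ("anon loads login page", "/auth", {}, None, 200),
]


def run_matrix(enforce_ownership: bool = False) -> List[str]:
    """Return one line per case whose actual status differs from expectation."""
    failures = []
    for label, path, params, session, expected in CASES:
        got = app(path, params, session, enforce_ownership)
        if got != expected:
            failures.append(f"{label}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    print("as shipped:", run_matrix() or "no findings")
    print("with ownership check:", run_matrix(enforce_ownership=True) or "no findings")
```

Against a real deployment the `app` function becomes an HTTP client carrying each role's session cookie; the matrix and the reporting loop stay the same, which is what turns the manual walk into something a pipeline can rerun.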
  8. Use Nessus to check for default configurations. For those familiar with the recent Equifax compromise, it came to light that in Argentina, their privileged accounts used admin/admin as the username/password.
  9. It may not be returned in the GUI, but review requests and responses to ensure data is not bleeding unnecessarily. Multi-pronged approach: static – SonarQube and Fortify; dynamic – Burp, ZAP, Nikto and Wireshark (bleeding sensitive data); logging – Splunk. This may be addressed by a two-pronged approach. Review source code for objects containing sensitive data and check dynamically for sensitive data being used. Static analysis tools, such as SonarQube and HP Fortify, will search within the code for potential vulnerabilities. Dynamic tools, such as Burp or ZAP, will check for sensitive exposures in the deployed application. A logging or monitoring tool, such as Splunk, will alert on strings which appear to contain sensitive data based on regular expressions.
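Note 9 ends with the logging tool matching regular expressions against traffic. The scanner below is an added example (not the slides' or Coveros' code) of that idea applied to a captured HTTP response: one pattern per exposure class listed on the A6 slide (stack traces, absolute paths, SSNs, private IP addresses, server version banners) run over a constructed 500-error response that leaks all five. The patterns are deliberately narrow assumptions for the example and will need tuning to a real application's data and log formats.

```python
import re
from typing import Dict, List

# One pattern per exposure class from the A6 slide (constructed for the example).
PATTERNS = {
    "stack_trace": re.compile(
        r"^\s+at [\w$.]+\([\w.]+:\d+\)|Traceback \(most recent call last\)", re.M),
    "absolute_path": re.compile(
        r"(?:/(?:home|var|opt|etc|usr)/[\w./-]+|[A-Z]:\\[\w\\.-]+)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "server_version": re.compile(r"^(?:Server|X-Powered-By):\s*\S+/[\d.]+", re.M | re.I),
}

# Constructed sample: a verbose error page of the kind the slide warns about.
SAMPLE_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: Apache/2.4.7
X-Powered-By: PHP/5.5.9
Content-Type: text/html

<!-- deployed from /var/www/hrapp/releases/2017-09-01 by svc_deploy@10.0.12.7 -->
{"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1980-01-01"}
java.lang.NullPointerException
\tat com.example.hr.UserDao.load(UserDao.java:88)
"""


def scan(text: str) -> Dict[str, List[str]]:
    """Map each exposure class to the strings that matched it (empty classes omitted)."""
    hits: Dict[str, List[str]] = {}
    for name, rx in PATTERNS.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits


def worst_class(hits: Dict[str, List[str]]) -> str:
    """Pick the class to alert on first; order is an assumed severity ranking."""
    for name in ("ssn", "private_ip", "absolute_path", "stack_trace", "server_version"):
        if name in hits:
            return name
    return "none"


if __name__ == "__main__":
    found = scan(SAMPLE_RESPONSE)
    for name, values in found.items():
        print(f"{name}: {values}")
    print("alert first on:", worst_class(found))
```

Run the same function over proxy history exported from Burp or ZAP, or over application logs, and the match list is the "what is bleeding" inventory; the false-positive rate (dates that look like SSNs, paths in legitimate documentation) is why the patterns stay anchored and narrow.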
  10. “Detection is ideal, but prevention is a must.” There are countless host and network intrusion detection services. My only recommendation is to read all of the fine print of every contract, and I’m not going down that rabbit hole right now. Since this is the OWASP talk, I’ll mention one of their flagship projects, ModSecurity. This is a versatile and useful method of detecting and preventing when malicious activity is detected. That being said, all you need is a simple network monitoring tool such as Wireshark to review communication across your network and gain an understanding of what is expected. This can help you create a baseline and identify when any anomalous traffic is generated.
  11. Blocked by using randomized tokens within the body of the request. Burp and ZAP can check for CSRF weaknesses. However, full exploitation and vulnerability assessments require manual review and testing. Issues I have observed which tools have failed to detect: the CSRF token being constant throughout a session or the same for repeated sessions. Most tools will only check that a CSRF token exists. They do not track this value by default or perform sufficient testing to prove its predictability.
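Note 11 names the two checks most scanners skip: is the CSRF token constant within a session, and is it the same across sessions. The code below is an added example (not the slides' or Coveros' code) of both sides: a small audit that records the token seen on each form fetch per session and reports those two conditions, plus the issuing and verifying routines a correct implementation uses (a CSPRNG token and a constant-time compare). The weak issuer that hands everyone the same token is constructed to show what the audit catches.

```python
import hmac
import secrets
from collections import defaultdict
from typing import Callable, Dict, List


class CsrfTokenAudit:
    """Record the CSRF token observed on each form fetch, keyed by session."""

    def __init__(self) -> None:
        self.seen: Dict[str, List[str]] = defaultdict(list)

    def observe(self, session_id: str, token: str) -> None:
        self.seen[session_id].append(token)

    def findings(self) -> List[str]:
        out = []
        # Check 1: the same token on every fetch within one session.
        for sid, toks in self.seen.items():
            if len(toks) > 1 and len(set(toks)) == 1:
                out.append(f"{sid}: token constant within session")
        # Check 2: a token value that appears in more than one session.
        every = {t for toks in self.seen.values() for t in toks}
        for t in sorted(every):
            if sum(1 for toks in self.seen.values() if t in toks) > 1:
                out.append(f"token {t!r} shared across sessions")
        return out


def weak_issue(session_id: str) -> str:
    """Constructed bad server: a fixed token, present but worthless."""
    return "token-12345"


def strong_issue(session_id: str) -> str:
    """Per-request token from the OS CSPRNG (128 bits)."""
    return secrets.token_hex(16)


def verify(expected: str, presented: str) -> bool:
    """Constant-time comparison so timing does not leak the token."""
    return hmac.compare_digest(expected, presented)


def audit(issuer: Callable[[str], str], sessions=("s1", "s2"), fetches: int = 3) -> List[str]:
    """Fetch the form several times per session and report the findings."""
    a = CsrfTokenAudit()
    for sid in sessions:
        for _ in range(fetches):
            a.observe(sid, issuer(sid))
    return a.findings()


if __name__ == "__main__":
    print("weak issuer:", audit(weak_issue))
    print("strong issuer:", audit(strong_issue) or "no findings")
```

Against a live target the `observe` calls come from a proxy extension or a scripted crawl of the form; the findings list is the evidence a scanner's "token present" check does not give you.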
  12. Sonatype CLM, OWASP Dependency Check, Contrast’s RASP. Examples: Equifax with Struts 2; WannaCry and its many variations; ransomware attacks through Samba.
  13. New category. This was rejected, but I have included it here because I routinely find this as a valid finding. Also, this is, in many ways, an extension of the old finding: Failure to Restrict URL Access. Some of the endpoints I test have no validation performed on the passed user input. Not to be paranoid, but everything is connected. SOAP UI.