Web Security Vulnerabilities - ajou.ac.krics.ajou.ac.kr/~aislab/WebGoat_Dant.pdf · OWASP Top Ten...


Web Security Vulnerabilities

ICS Laboratory, AJOU Univ.

Hyun Soo Ch.

OWASP Top Ten

OWASP (Open Web Application Security Project) Top Ten Project

List of 10 Most Critical Web Application Security Risks

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object Reference
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

OWASP WebGoat


Test bed Web Application for practicing OWASP Top 10 Risks

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Setting up WebGoat

Download packages

1. Move to the download directory

2. Download Tomcat, JDK, WebGoat.war

3. Check the downloaded files with ‘ls’

Extract packages

4. Make a directory for the JDK and move the JDK tar file to /usr/local/java

5. Move the apache-tomcat file to /usr/local/

6. Move to /usr/local/java and extract the tar file

Install JDK

7. Set a symbolic link so the installed Java is used

8. Check that it is installed properly

9. Export the environment variables

Setup Tomcat

10. Move to ‘/usr/local’ and extract apache-tomcat-6.0.41.tar.gz

11. Create a file tomcat641 in the /etc/init.d directory

- Fill in the file contents as shown in the figure on the right

12. Then change its permissions to 755 (rwxr-xr-x)

13. Move to ‘apache-tomcat-XX/conf’ and edit the ‘tomcat-users.xml’ file

* To start the service

** To start the service automatically on reboot

*** To stop the service

Starting WebGoat

14. Copy the downloaded WebGoat.war to Tomcat’s webapps directory

15. Start Tomcat

16. Open Firefox (browser) and access the WebGoat server

WebGoat setup complete. You can also reach the server from outside the VM.

WebGoat… WebGoat?

General Web Technique – HTTP Basics

1. Enter your name in the input

2. Press ‘Go!’

Buffer Overflows

Input: ‘Hello World!’ (12 characters), followed by ‘@$#@!_#’ (7 more characters)

What’s a Buffer Overflow?

Buffer Overflows – Tools you’ll be needing

Burp Suite – Web application security testing tool

http://portswigger.net/burp/download.html

Portable Firefox – Firefox browser that is portable

http://portableapps.com/apps/internet/firefox_portable

JDK – Java Development Kit (Java virtual machine)

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Buffer Overflows – Starting Burp Suite

1. Open up CMD

2. Change directory to where the burpsuite.jar file is

3. Then execute the jar file with the JDK

4. After a few “Next”s you will see a screen like the figure →

There are lots of features that Burp Suite supports, but we’ll be using just the Proxy feature.

With the proxy toolbar of Portable Firefox and the Proxy Intercept feature of Burp Suite, it’s possible to intercept and edit the generated request (packet) before it reaches the server.

Buffer Overflows – Proxy setup

1. Click the Add icon

2. Click Next

3. Enter the proxy info

- Name for your proxy setting

- IP address & port # for the HTTP proxy: the loopback address (to myself) and a port # that is not in use

4. Then press OK

5. Edit the proxy listener info

6. Scroll down & check “Unhide hidden form fields”

7. Go back to Firefox

8. Click the Apply button

Buffer Overflows – Submit form webpage and actual intercepted packet (figure)

Pressing the “Go” button, the browser sends a request to the server, which is intercepted by Burp Suite.

The intercepted request can be edited and then sent on to the server by pressing the “Forward” button.
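As an added example (not part of the slides): the lesson above shows that a length limit enforced only by the browser form does not survive an intercepting proxy, so the server has to re-check it. The field name "person", the declared limit of 12 and both request bodies are constructed for this example; the second body is the first with the 7 extra characters from the slide appended.

```python
from urllib.parse import parse_qs

# Constructed sample bodies, in the shape Burp shows for a WebGoat form
# submission. The field name "person" and the limit of 12 are assumptions.
ORIGINAL_BODY = "person=Hello+World%21&SUBMIT=Go%21"  # "Hello World!" (12 chars)
EDITED_BODY = "person=Hello+World%21%40%24%23%40%21_%23&SUBMIT=Go%21"  # "@$#@!_#" appended in the proxy

# Limits the HTML form declares via maxlength. The browser enforces them;
# a request edited in an intercepting proxy does not.
FIELD_LIMITS = {"person": 12}


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into name -> value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_form(body: str, limits: dict = FIELD_LIMITS):
    """Re-check the form's length limits on the server side.

    Returns (ok, fields, violations). A violation means the value cannot
    have come from the unmodified form, so it is worth logging as tampering
    and not only rejecting.
    """
    fields = parse_body(body)
    violations = []
    for name, limit in limits.items():
        value = fields.get(name, "")
        if len(value) > limit:
            violations.append(
                f"{name}: {len(value)} chars exceeds declared maxlength {limit}"
            )
    return (not violations, fields, violations)


if __name__ == "__main__":
    for body in (ORIGINAL_BODY, EDITED_BODY):
        ok, fields, violations = validate_form(body)
        print("accepted" if ok else "rejected", repr(fields["person"]), violations)
```

The same server-side re-check applies to hidden fields, which the "Unhide hidden form fields" option makes just as editable.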


For the solution (recommended):

http://webappsecmovies.sourceforge.net/webgoat/