2014 guestlecture-infosec


DESCRIPTION

Guest lecture for Hogeschool Zeeland on 12 March 2014 by Boy Baukema of Ibuildings, on Web Application Security and the OWASP Top 10.


Boy Baukema, 12th March, HZ, Vlissingen

Practical Hacking: OWASP Top 10

Wednesday, March 12, 14

So who’s this guy?

Boy Baukema, Security Specialist & Senior Engineer @ Ibuildings.nl

boy@ibuildings.nl, twitter: @relaxnow


By what company?

Ibuildings (not owned by Apple)


A Security what?

Security Specialist:

Senior Software Engineer + R&D Security + Security Training + Internal Consulting + Internal Security Audits + External Security Audits


Okay, what’s he doing here?

‣ Introduction (10m)

‣ Before We Dive In (10m)

‣ OWASP TOP 11 2013 (+/- 15m per item)

‣ Where To Next? (10m)


Before we dive in...


Responsible Disclosure


OWASP Top 11 of 2013


OWASP Top 10 2013 BONUS - Clickjacking

http://www.youtube.com/watch?v=DRQ8oC2MWAg

A10-Unvalidated Redirects and Forwards


A9-Using Components with Known Vulnerabilities

174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
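A detection pass over access-log lines like the ones on this slide, added here as an example rather than code from the talk: it parses the combined log format, tags the JCE imgmanager probe and the follow-up fetch of a PHP file under images/stories/, and reports per source whether that follow-up ever returned 200 (the case that means the component really was exploitable). The sample lines are constructed after the slide's excerpt.

```python
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample modelled on the slide's excerpt: a JCE scanner probes the
# imgmanager plugin, then fetches images/stories/food.php to see if its upload ran.
SAMPLE_LOG = """\
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"
10.0.0.7 - - [03/Feb/2014:01:02:00 -0500] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

def classify(entry):
    """Name the indicator one parsed request matches, or None for benign traffic."""
    path, ua = entry["path"].lower(), entry["ua"].lower()
    if "bot for jce" in ua:
        return "jce-scanner-ua"           # the scanner announces itself
    if "option=com_jce" in path and "plugin=imgmanager" in path:
        return "jce-imgmanager-probe"     # same probe under a spoofed user agent
    if "/images/stories/" in path and ".php" in path:
        return "stories-php-fetch"        # checking whether an uploaded PHP file executes
    return None

def find_jce_scans(log_text):
    """Map each source IP to its (time, indicator, status) hits; unparseable lines are skipped."""
    hits = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        entry = m.groupdict()
        tag = classify(entry)
        if tag:
            hits[entry["ip"]].append((entry["time"], tag, entry["status"]))
    return dict(hits)

def suspicious_sources(log_text):
    """IPs that probed JCE and then fetched a stories/*.php file; True if that fetch returned 200."""
    verdict = {}
    for ip, entries in find_jce_scans(log_text).items():
        tags = {t for _, t, _ in entries}
        probed = bool(tags & {"jce-scanner-ua", "jce-imgmanager-probe"})
        fetched = [s for _, t, s in entries if t == "stories-php-fetch"]
        if probed and fetched:
            verdict[ip] = any(s == "200" for s in fetched)
    return verdict
```

In the sample every follow-up fetch gets a 404, so the source is reported but marked as not having succeeded; on a host that still ran the vulnerable component the same fetch would come back 200.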


A8-Cross-Site Request Forgery (CSRF)

http://www.youtube.com/watch?v=vRBihr41JTo

A7-Missing Function Level Access Control


A6-Sensitive Data Exposure


A4-Insecure Direct Object References


A3-Cross-Site Scripting (XSS)


http://www.youtube.com/watch?v=a9WNy2ZSq8Y


A2-Broken Authentication and Session Management


‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset


HTTP Strict Transport Security

Strict-Transport-Security: max-age=60000; includeSubDomains


A1-Injection


Now What?


Conferences, People & Resources

‣ Security.nl
‣ Owasp.org
‣ Hackvertor
‣ Webappsec.io
‣ Chris Cornutt
‣ Bruce Schneier

‣ OWASP BeNeLux
‣ OWASP EU
‣ Hack In The Box
‣ Black Hat Europe

Companies

‣ Fox-IT
‣ Madison Gurkha
‣ Pine
‣ Ibuildings.nl

QUESTIONS

Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec