Top 10 Owasp vulnerabilities and introduction to Webgoat (Live Demo only)
HACKING 101
Henallux, 2nd October 2014
Olivier Houyoux, Technology Security Architect @ Nitroxis Sprl
SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. Limited scope of this intervention
4. Owasp – Top 10 (2013)
5. Demo Web Hacking Simulation Walkthrough
6. Summary
7. Questions
DO WE NEED WEB APP. SECURITY?
Well managed infrastructure
Important data on web applications
Malware spreading
EXAMPLES
1. Barack Obama
2. Maria Sharapova
3. Samy Kamkar
4. Kevin Poulsen
5. …
PREREQUISITES
Vulnerability, Threat, Impact, Risk
OPEN WEB APPLICATION SECURITY PROJECT
Make software security visible
Cheat Sheets, Tutorials, Testing guides…
Tools (WebGoat, WebScarab, …)
Library (ESAPI)
…
OWASP TOP 10
Broad consensus about what the most critical web application security flaws are.
OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
WEBGOAT
WebGoat is a deliberately insecure web application designed to teach web application security lessons.
A1 – INJECTION
User input injected without checking
SQL Injection example
LDAP, Command, XPATH, …
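The SQL injection case from this slide, as an added example that is not part of the deck or of WebGoat (the deck's demo is Java; this uses Python with the standard sqlite3 module so it runs offline). The users table and the tautology input are constructed here; the point is the contrast between building the SQL text from user input and passing the input as bound parameters.

```python
import sqlite3

def make_db():
    # Constructed in-memory table with sample users (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    # User input is concatenated straight into the SQL text: the A1 flaw.
    # A quote in the input changes the structure of the WHERE clause.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, name, password):
    # Parameterized query: the driver sends values separately from the SQL,
    # so input is only ever treated as data, never as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

def demo():
    conn = make_db()
    # Constructed input that turns the concatenated WHERE clause into a tautology.
    tautology = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, tautology, tautology),  # every user matches
        "safe": login_safe(conn, tautology, tautology),              # no user matches
        "legit": login_safe(conn, "alice", "s3cret"),                # normal login still works
    }

if __name__ == "__main__":
    print(demo())
```

The same rule applies to the LDAP, command and XPath variants named on the slide: keep untrusted input out of the statement text and use the API's parameter binding or a strict allow-list instead of string concatenation.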
A2 – SESSION MANAGEMENT
1. Session Hijacking: stealing an authenticated user’s session ID
2. Session Fixation: forcing a user’s session ID
Example
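The session fixation case, as an added example that is not from the deck: a constructed in-memory session store (not any framework's real implementation) that shows why the session ID must be regenerated at login. A login that keeps the ID the browser presented leaves a planted ID authenticated; a login that discards it and issues a fresh one does not.

```python
import secrets

class SessionStore:
    """Constructed in-memory session store (illustration only)."""

    def __init__(self):
        self._sessions = {}            # session id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self._sessions[sid] = {"user": None}
        return sid

    def login_fixation_prone(self, sid, user):
        # Accepts and keeps whatever ID the browser presented, including one
        # planted in the victim's browser before login (session fixation).
        self._sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_safe(self, sid, user):
        # Discard the pre-login session and issue a fresh ID at authentication,
        # so an ID known before login carries no privilege after it.
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

def demo():
    planted = "id-chosen-before-login"   # constructed: an ID fixed in the victim's browser
    prone = SessionStore()
    prone.login_fixation_prone(planted, "victim")
    safe = SessionStore()
    fresh = safe.login_safe(planted, "victim")
    # (planted ID still valid?, planted ID valid after safe login?, fresh ID valid?)
    return prone.user_for(planted), safe.user_for(planted), safe.user_for(fresh)

if __name__ == "__main__":
    print(demo())
```

For the hijacking case the ID itself is the secret, so it should only ever travel in a cookie marked Secure and HttpOnly over TLS; rotating it at login does not help if it can be read by injected script or sniffed in clear text.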
A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to victim without validation and / or escaping
XSS allows attackers to execute script in the victim’s browser to:
hijack users’ sessions, redirect users to malicious sites, …
1. Reflected XSS example
2. Stored XSS example
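Output escaping for the reflected and stored cases, as an added example that is not part of the deck (Python standard library only; the rendering functions and inputs are constructed). It shows the HTML-body context, the attribute context, and the caveat that escaping alone does not make an href safe.

```python
import html
from urllib.parse import urlsplit

def render_comment_vulnerable(comment):
    # Untrusted text dropped into the page as-is: any markup in it is interpreted.
    return '<p class="comment">%s</p>' % comment

def render_comment_safe(comment):
    # HTML-body context: encode the characters that could start or end markup
    # (&, <, >), so the browser displays the text instead of executing it.
    return '<p class="comment">%s</p>' % html.escape(comment, quote=False)

def render_link_safe(url, label):
    # Attribute context also needs the quote characters encoded. An href additionally
    # needs a scheme allow-list: entity-escaping cannot stop a "javascript:" URL.
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label, quote=False))

if __name__ == "__main__":
    # Constructed input of the kind a stored-XSS lesson stores in a comment field.
    sample = "<script>alert(1)</script>"
    print(render_comment_vulnerable(sample))
    print(render_comment_safe(sample))
    print(render_link_safe("javascript:alert(1)", "click"))
```

Escaping is context-dependent: the encoding that is correct inside an element body is not sufficient inside a script block or a URL, so apply the escaper that matches where the data lands and validate input on top of it rather than instead of it.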
A5 – SECURITY MISCONFIGURATION
Secure configuration defined and deployed for the:
application, frameworks, application server, web server, database server, platform.
Example
A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data (credit cards, authentication credentials, ...)
Encryption at rest or in transit
A7 – MISSING ACCESS CONTROL
Verify function level access:
before making functionality visible in GUI ✓
when each function is accessed ✗
Access control bypass example
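The distinction this slide draws, as an added example that is not from the deck: hiding a function from the menu versus checking the caller's role every time the function is invoked. The decorator, roles and function names are constructed for the illustration.

```python
from functools import wraps

class Forbidden(Exception):
    """Raised when a caller invokes a function its roles do not permit."""

def require_role(role):
    """Decorator: enforce the role check at every call, not only when building the GUI."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if role not in user.get("roles", ()):
                raise Forbidden("%s requires role %r" % (fn.__name__, role))
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

def menu_items(user):
    # Hiding the entry in the GUI is presentation only: someone who knows the
    # URL of delete_user can still request it directly, menu or no menu.
    items = ["profile"]
    if "admin" in user.get("roles", ()):
        items.append("delete_user")
    return items

@require_role("admin")
def delete_user(user, target):
    # The server-side check runs on each access, whether or not the caller saw the menu entry.
    return "deleted %s" % target

def attempt_direct_call(user, target):
    # A non-admin invoking the function directly (bypassing the menu) is refused.
    try:
        return delete_user(user, target)
    except Forbidden as exc:
        return "refused: %s" % exc

if __name__ == "__main__":
    print(menu_items({"name": "bob", "roles": ["user"]}))
    print(attempt_direct_call({"name": "bob", "roles": ["user"]}, "carol"))
```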
A8 – CROSS-SITE REQUEST FORGERY
CSRF example
1. User authenticates to bank.com
2. User visits forum.com
3. Page contains tag <img src=bank.com/transfer.jsp?account=attacker&amount=300000>
4. User’s browser makes GET request bank.com/transfer.jsp?account=attacker&amount=300000 without user knowing
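A server-side handler for the transfer in the example above, as an added example that is not part of the deck (Python standard library; the handler, key and field names are constructed). It shows the two controls that stop the forged request from step 4: state changes only on POST, and a per-session anti-CSRF token that a page on forum.com cannot obtain.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed: generated once at server start

def issue_csrf_token(session_id):
    # Token derived from the session with a server-side key: forum.com can neither
    # read it (same-origin policy) nor compute it (no key). Embed it in the real form.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(method, session_id, form):
    """Return (status, message) for a transfer request; `form` is the submitted field dict."""
    # 1. State-changing actions require POST: the <img> tag from step 3 can only send GET.
    if method != "POST":
        return 405, "transfer requires POST"
    # 2. The request must carry the token for this session; compare in constant time.
    expected = issue_csrf_token(session_id).encode()
    presented = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, presented):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (form["amount"], form["account"])

def forged_request_from_slide():
    # Step 4 of the slide: a GET sent by the browser from forum.com without the user knowing.
    return handle_transfer("GET", "victim-session",
                           {"account": "attacker", "amount": "300000"})

if __name__ == "__main__":
    print(forged_request_from_slide())
    sid = "victim-session"
    print(handle_transfer("POST", sid, {"account": "savings", "amount": "10",
                                        "csrf_token": issue_csrf_token(sid)}))
```

Requiring POST alone is not enough, since a hidden auto-submitted form on forum.com can POST too; the token is what ties the request to a page the bank actually served. Marking the session cookie SameSite adds a further layer where browsers support it.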
A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
String location = (String) request.getParameter("to");
response.sendRedirect(location);
3. User thinks (s)he’s accessing trusted.com but is in fact at evil.com
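The validation missing from step 2, as an added example that is not from the deck (the slide's snippet is Java servlet code; this is Python with urllib.parse, and the host constant is taken from the slide's URL). It accepts only local paths or absolute URLs whose host is exactly the application's own, and treats the common bypass shapes (protocol-relative, userinfo tricks, backslashes, non-http schemes) as untrusted.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "www.trusted.com"   # the application's own host, from the slide's example

def safe_redirect_target(to, default="/"):
    """Return `to` only if it stays on the trusted host (or is a local path); else `default`."""
    if not to or "\\" in to:
        # Empty parameter, or backslashes that browsers quietly treat as slashes.
        return default
    parts = urlsplit(to)
    if not parts.scheme and not parts.netloc:
        # Relative reference: require a single leading slash. "//host/..." is
        # protocol-relative and would leave the site entirely.
        return to if to.startswith("/") and not to.startswith("//") else default
    # Absolute URL: only http(s), and only an exact host match (no endswith/startswith);
    # parts.hostname strips any user:pass@ prefix, so "trusted.com@evil.com" fails.
    if (parts.scheme.lower() in ("http", "https")
            and (parts.hostname or "").lower() == TRUSTED_HOST):
        return to
    return default

if __name__ == "__main__":
    for candidate in ("http://www.evil.com", "//www.evil.com/", "/account/home",
                      "https://www.trusted.com/home", "http://www.trusted.com@www.evil.com/"):
        print("%-45s -> %s" % (candidate, safe_redirect_target(candidate)))
```

Where the set of legitimate destinations is small, an allow-list of named targets (a key looked up server-side instead of a URL) removes the parsing problem entirely.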
SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures, Awareness
Physical
Perimeter
Internal Network
Host
App
Data
AND NOW …
bWAPP
OWASP Top 10
CWE 25
Mitigations (SANS, OWASP Cheat Sheets, …)
Web Services (SOAP & REST)
Mobile
And more …
QUESTIONS ?
FOLLOW US ON …
@Nitroxis_sprl
nitroxis Nitroxis.BE
Training and Certification for information Security Professionals
Nitroxis sprl
ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.0
Date 2/10/2014
Mail Contact (at) nitroxis.be
Website www.nitroxis.be