HACKING 101Henallux, 2nd October 2014

Olivier HouyouxTechnology Security Architect @ Nitroxis Sprl

SCHEDULE FOR THE DAY 1. Why are we here?

2. Real Life Examples

3. Limited scope of this intervention

4. Owasp – Top 10 (2013)

5. Demo Web Hacking Simulation Walkthrough

6. Summary

7. Questions

DO WE NEED WEB APP. SECURITY?

Well managed infrastructure

Important data on web applications

Malware spreading

EXAMPLES

1. Barack Obama

EXAMPLES

1. Barack Obama

2. Maria Sharapova

EXAMPLES

1. Barack Obama

2. Maria Sharapova

3. Samy Kamkar

EXAMPLES

1. Barack Obama

2. Maria Sharapova

3. Samy Kamkar

4. Kevin Poulsen

EXAMPLES

1. Barack Obama

2. Maria Sharapova

3. Samy Kamkar

4. Kevin Poulsen

5. …

PREREQUISITES

VulnerabilityThreat ImpactRisk

OPEN WEB APPLICATION SECURITY PROJECT

Make software security visible

Cheat Sheets, Tutorials, Testing guides…

Tools (WebGoat, WebScarab, …)

Library (ESAPI)

…

OWASP TOP 10

Broad consensus about what the most critical web application security flaws are.

OWASP TOP 10

OWASP Top 10 - 2013

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidatde Redirects and Forwards

OWASP TOP 10

OWASP Top 10 - 2013

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Known Vulnerable Components

A10 - Unvalidatde Redirects and Forwards

WEBGOAT

is a deliberately insecure web application designed to teach web application security lessons.

A1 – INJECTIONUser input injected without checking

SQL Injection example

LDAP, Command, XPATH, …

A2 – SESSION MANAGEMENT

1. Session HijackingStealing authenticated user’s session ID

2. Session FixationForcing user’s session IDExample

A3 – CROSS-SITE SCRIPTING (XSS)

Untrusted data sent to victim without validation and / or escaping

XSS allows attackers to execute script in browsers to:

hijacking users’ sessions,redirecting user to malicious site,…

1. Reflected XSS example

2. Stored XSS example

A5 – SECURITY MISCONFIGURATIONSecure configuration defined and deployed for

the:application,frameworks,application server,web server,database server,platform.

Example

A6 – SENSITIVE DATA EXPOSUREProtect sensitive data (credit cards, authentication credentials, ...)

Encryption at rest or in transit

A7 – MISSING ACCESS CONTROLVerify function level acces:

before making functionality visible in GUI ✓

when each function is accessed ✗

Access control bypass example

A8 – CROSS-SITE REQUEST FORGERY

CSRF example

1. User authenticates to bank.com2. User visits forum.com

3. Page contains tag<img src=bank.com/transfer.jsp?account=attacker&amount=300000>

4. User’s browser makes GET request bank.com/transfer.jsp?account=attacker&amount=300000without user knowing

A10 – UNVALIDATED REDIRECT1. Lure the user into clicking a redirect link

http://www.trusted.com/redirector?to=http://www.evil.com

2. Code does not perform any validationString location = (String) request.getParameter(« to »);

response.sendRedirect(location);

3. User thinks (s)he’s accessing trusted.com but is in fact at evil.com

SUMMARYLAYERS OF DEFENSE IN

DEPTHPolicies,

Procedures, Awareness

Physical

Perimeter

Internal Network

Host

App

Data

AND NOW …bWAPP

OWASP Top 10

CWE 25

Mitigations (SANS, OWASP Cheat Sheets, …)

Web Services (SOAP & REST)

Mobile

And more …

QUESTIONS ?

FOLLOW US ON …

@Nitroxis_sprl

nitroxis Nitroxis.BE

Training and Certification for information Security Professionals

Nitroxis sprl

ADD DEPTH TO YOUR INFORMATION SYSTEM

Olivier Houyoux Technology Security Architect

Version 1.0

Date 2/10/2014

Mail Contact (at) nitroxis.be

Website www.nitroxis.be