Introduction to OWASP & Web Application Security

Sreenath Sasikumar, Information Security Consultant

• Information Security Consultant: IBM, QBurst, DBG

• Technical Reviewer: 3 books (2 security books)

• Dev: 8 Mozilla add-ons

• Dev: World's first security testing browser

• Speaker at Google DevFest, Unicom, Gtech ...

[email protected]/about

OWASP

• What is it?

• Why do we need it?

• How does it work?

• Where is this?

• Who can join?

OWASP Kerala

• Founded 2006

• Recent Activities

• Planned Activities

• How you can Contribute

Take Away

• Understanding web application security

• How to security-test web applications

• Mitigating web application security risks

• Open source tools

How do web applications work?

Understanding web security

Security testing web applications

• Information Gathering

• Configuration Management Testing

• Authentication Testing

• Session Management Testing

• Authorization Testing

• Business Logic Testing

• Data Validation Testing

• Denial of Service Testing

Information Gathering

www.google.com/robots.txt

Spiders, Robots and Crawlers

Search Engine Discovery

Google Hacking

• site

• cache

• inurl

• filetype

How to:

Manual

HackSearch

Identify Application Entry points

• GET

• POST

• Cookies

• Server Parameters

• Files

How to:

Tamper Data, WebScarab, ZAP

Web Application Fingerprinting

How to:

Nikto

Vulnerability Scanners

Application Discovery

Different Base URL

• www.example.com/abc

Different port

• www.example.com:8000

Different subdomain (virtual host)

• abc.example.com

How to:

ZAP, WebSlayer

Analysis of Error Codes

Configuration Management

SSL Testing

Identify SSL ports and services

How strong is your cipher?

How to:

Nmap -sV, Nessus, OpenSSL

Configuration Management Testing

• Infrastructure Configuration Management

• Application Configuration Management

Old, Backup & Unreferenced Files

User-agent: *

Disallow: /Admin

Disallow: /uploads

Disallow: /backup

Disallow: /~jbloggs

How to:

HackSearch, WebSlayer

Testing for HTTP Methods

• HEAD

• GET

• POST

• PUT

• DELETE

• TRACE

• OPTIONS

• CONNECT

How to:

Netcat

Nikto

Authentication Testing

Credentials transported over an encrypted channel

Prevents man-in-the-middle attacks

Testing for user enumeration

Error Messages/Notifications

"Sorry, please enter a valid password"

"Sorry, please enter a valid username"

"Sorry, this user does not exist"

"Sorry, this user is no longer active"

Testing for Guessable Users & Brute-Force Attacks

How to:

John the Ripper

Hydra

Testing for CAPTCHA

Testing Session & Cookies

Authorization Testing

Testing for privilege escalation

• vertical escalation

• horizontal escalation

www.example.com/?user=1&groupID=2

Business Logic Testing

Data Validation Testing

Injections

SQL

XSS

• SQL Injection

• XSS Injection

• LDAP Injection

• XML Injection

• HTML Injection

• SSI Injection

• ORM Injection

• XPath Injection

• IMAP/SMTP Injection

• Buffer Overflow

Testing for Denial of Service

Testing for SQL Wildcard Attacks

SELECT * FROM Article WHERE Content LIKE '%foo%'

SELECT TOP 10 * FROM Article WHERE Content LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'
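As an added example that is not part of the slides, the LIKE query above beside a hardened version in Python that escapes wildcard characters, bounds the term length and binds the pattern as a parameter. The Article table, its rows and the 64-character limit are constructed assumptions; it runs against SQLite, and the escaping of '[' only matters on SQL Server.

```python
import sqlite3

# Characters with special meaning inside a LIKE pattern. '%' and '_' are
# standard; '[' additionally starts a character class on SQL Server, and the
# escape character itself must be escaped too.
ESCAPE_CHAR = "\\"
LIKE_METACHARS = ESCAPE_CHAR + "%_["
MAX_TERM_LEN = 64  # assumed limit; pick what the application actually needs


def escape_like(term: str) -> str:
    """Prefix every LIKE metacharacter so the user's text is matched literally."""
    return "".join(ESCAPE_CHAR + ch if ch in LIKE_METACHARS else ch for ch in term)


def search_articles(conn: sqlite3.Connection, term: str) -> list:
    """Hardened query: bounded length, escaped pattern, bound parameter."""
    if len(term) > MAX_TERM_LEN:
        raise ValueError("search term too long")
    pattern = "%" + escape_like(term) + "%"
    # ESCAPE '\' tells the engine which character neutralises % and _
    rows = conn.execute(
        "SELECT id FROM Article WHERE Content LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    )
    return [row[0] for row in rows]


def unsafe_search_articles(conn: sqlite3.Connection, term: str) -> list:
    """The slide's pattern built straight from user input, kept for comparison."""
    rows = conn.execute(
        "SELECT id FROM Article WHERE Content LIKE ? ORDER BY id",
        ("%" + term + "%",),
    )
    return [row[0] for row in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Article (id INTEGER PRIMARY KEY, Content TEXT)")
    conn.executemany(
        "INSERT INTO Article (Content) VALUES (?)",
        [("foo bar",), ("100% organic",), ("100 percent organic",),
         ("under_score",), ("under-score",)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(unsafe_search_articles(db, "100%"))  # [2, 3]: '%' acted as a wildcard
    print(search_articles(db, "100%"))         # [2]: matched literally
```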

Testing for DoS Locking Customer Accounts

Open Source Tools

Nikto

Nessus

W3AF

ZAP

WebSlayer

Netcat

Nmap

Skipfish

Hydra

Mozilla Firefox addons

Lots & lots more...

Questions ?