The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
6. @insp3ctre
OWASP TOP 10 2013
A1 - Injection
A2 - Broken authentication and session management
A3 - Cross-site scripting (XSS)
A4 - Insecure direct object references (IDOR)
A5 - Security misconfiguration
7. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6 - Sensitive data exposure
A7 - Missing function level access control
A8 - Cross-site request forgery (CSRF)
A9 - Using components with known vulnerabilities
A10 - Unvalidated redirects and forwards
16. @insp3ctre
WHITE BOX TESTING
1. Identify all shared data
2. Identify where that shared data is accessed across systems
3. Find where that data access is not synchronized
4. Make a ton of requests
17. @insp3ctre
BLACK BOX TESTING
•Race The Web (RTW): https://github.com/insp3ctre/race-the-web
‣Free, open-source tool
‣Built specifically to easily test for race conditions in web applications.
‣Accompanying vulnerable web application for practicing race condition testing: http://RaceTheWeb.io
•Burp Suite Intruder
21. @insp3ctre
LOCKS
•Use locks on any shared resources.
‣Use pessimistic locking in your database.
‣Use your ORM’s optimistic locking.
‣Most programming languages have locking built-in.
‣File locks
✦This is what Microsoft Word uses (~$somefile.docx), as well as most file syncing platforms.
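The white box steps (find the shared data, find where it is read and written, find the unsynchronized access, then make a ton of requests) and the lock-based fix on this slide, shown together as an added Python example. This is not code from the talk or from Race The Web; the `Account` class, its balance and the `hammer` request driver are constructed here to model a check-then-act withdrawal, and the `gap` callback stands in for the latency between the check and the write that real requests would have.

```python
import threading
import time


class Account:
    """Constructed toy 'shared data': a balance touched by concurrent requests."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount, gap=None):
        # Step 1: read the shared data and check it. The race window opens here.
        if self.balance >= amount:
            if gap is not None:
                gap()  # models latency between the check and the write
            # Step 2: write the shared data. Other requests may already have
            # passed the check above, so the balance can be driven negative.
            self.balance -= amount
            return True
        return False

    def withdraw_locked(self, amount, gap=None):
        # The lock turns check-and-write into one atomic critical section,
        # which is the 'use locks on any shared resource' fix from the slide.
        with self._lock:
            return self.withdraw_unsafe(amount, gap)


def hammer(method, amount, requests, gap_seconds=0.1):
    """Fire `requests` concurrent calls (the 'make a ton of requests' step)
    and return how many of them reported success."""
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = method(amount, gap=lambda: time.sleep(gap_seconds))
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for ok in results if ok)


def demo(requests=8):
    """Run the same burst against the unsynchronized and the locked method."""
    unsafe = Account(100)
    unsafe_ok = hammer(unsafe.withdraw_unsafe, 100, requests)
    locked = Account(100)
    locked_ok = hammer(locked.withdraw_locked, 100, requests)
    return {
        "unsafe_successes": unsafe_ok,
        "unsafe_balance": unsafe.balance,
        "locked_successes": locked_ok,
        "locked_balance": locked.balance,
    }


if __name__ == "__main__":
    print(demo())
```

With a balance of 100 and eight concurrent withdrawals of 100, the unsynchronized method lets every request pass the check before the first write lands, so several succeed and the balance goes negative; the locked method lets exactly one succeed and leaves the balance at zero. The same pattern applies to the database variants on the slide: a pessimistic lock (e.g. a `SELECT ... FOR UPDATE` row lock) or an ORM version column serves the role of `self._lock` here.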
38. @insp3ctre
DEFENCE AND MITIGATION
•Dynamic testing (DAST)
•Find instances of parameters in source code and explicitly select the first or last value
•Check your WAF
•Output encoding
•Best case: strip duplicate parameters before processing
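The two mitigations on this slide, rejecting requests that carry duplicate parameters and, where that is not possible, choosing the first or last value explicitly rather than inheriting the framework's default, as an added Python example. This is not code from the talk; the function names and the sample query strings are constructed for illustration, and the parsing uses only the standard library's `urllib.parse.parse_qsl`.

```python
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a parameter name appears more than once in a query."""


def parse_query(query):
    """Return {name: [values...]} preserving the order in which values appear.

    Keeping every value (instead of silently picking one) is what lets the
    caller notice pollution at all.
    """
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def find_duplicates(query):
    """Names that occur more than once, sorted; useful for WAF rules and logging."""
    return sorted(name for name, values in parse_query(query).items()
                  if len(values) > 1)


def strict_params(query):
    """The 'best case' from the slide: refuse the request before any business
    logic runs if any parameter is duplicated. Returns a flat {name: value} dict."""
    dupes = find_duplicates(query)
    if dupes:
        raise DuplicateParameterError("duplicate parameters: " + ", ".join(dupes))
    return {name: values[0] for name, values in parse_query(query).items()}


def select_params(query, policy="first"):
    """Fallback: make the first/last choice explicit in code so it no longer
    depends on which server or framework is in front of the application."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    index = 0 if policy == "first" else -1
    return {name: values[index] for name, values in parse_query(query).items()}


if __name__ == "__main__":
    sample = "id=1&id=2&action=view"  # constructed polluted query string
    print(find_duplicates(sample))
    print(select_params(sample, "first"), select_params(sample, "last"))
    try:
        strict_params(sample)
    except DuplicateParameterError as exc:
        print("rejected:", exc)
```

`strict_params` belongs at the edge (a middleware or the WAF layer) so that duplicated names never reach code that reads a single value; `select_params` is for the case where legacy handlers cannot be changed and at least the policy must be pinned down and documented.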
40. @insp3ctre
SOURCES & FURTHER READING
•https://dunnesec.com/category/attacks-defence/http-parameter-pollution/ (@Dunn3)
•https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
•AppSec EU 2009 presentation by Luca Carettoni and Stefano di Paola (https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf)
•Split and Join, white paper on bypassing web application firewalls with HTTP parameter pollution, by Lavakumar Kuppan (http://www.andlabs.org/whitepapers/Split_and_Join.pdf)
•Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications, by Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda (https://www.isoc.org/isoc/conferences/ndss/11/pdf/6_1.pdf)
42. @insp3ctre
SSRF - OVERVIEW
•Bypass firewalls
•Reach internal network
•Often turns an application attack into a network attack
•Useful for enumeration and reconnaissance
‣Further hides attacker’s source IP
•Often introduced to bypass SOP (it’s a feature!)
•Can be leveraged to get XSS via returned content
52. @insp3ctre
TESTING FOR SSRF
•Is a URL provided in a request? Change to:
‣Another remote URL (e.g. google.com)
‣Loopback address (e.g. localhost, 127.0.0.1)
‣Local IP (e.g. 192.168.0.1, 10.10.0.1, 172.16.0.1)
‣Different protocol URL (e.g. file://, ssh://, ftp://)
‣Different port
•Burp Suite Intruder works really well for automating this
‣Sort by response sizes
53. @insp3ctre
TESTING FOR SSRF (CONT’D)
•Got XXE? Try specifying system or external URIs (e.g. file:///etc/passwd)
‣More info: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
•Use Burp Suite’s Collaborator servers for external resources, if you don’t have your own
55. @insp3ctre
DEFENCE AND MITIGATION
•SOP exists for a reason
‣DO NOT use JSONP or other server workarounds
‣DO use CORS
•Again: whitelist allowed domains and protocols, and sanitize input
•Access control between server and internal network
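The "whitelist allowed domains and protocols" mitigation for SSRF, as an added Python example that is not code from the talk. It validates a user-supplied URL before the server fetches it, rejecting each of the classes of input the testing slides list (other hosts, loopback and private addresses, other schemes, other ports). The allowlist entries, `validate_outbound_url` and the sample URLs are constructed for illustration; the checks use only `urllib.parse` and `ipaddress` from the standard library.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this service may fetch from.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
DEFAULT_PORTS = {"https": 443, "http": 80}


def is_internal_address(host):
    """True if `host` is an IP literal outside globally routable space
    (loopback, RFC 1918 private, link-local, unspecified, ...)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; hostnames are judged by the allowlist
    return not ip.is_global


def validate_outbound_url(url):
    """Return (ok, reason). Only an explicitly allowed scheme, host and port pass;
    everything else is denied, so new bypass variants default to 'rejected'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    # .hostname strips userinfo ('user@') and IPv6 brackets and lowercases,
    # so 'https://api.example.com@10.0.0.1/' is judged by 10.0.0.1, not the prefix.
    host = parts.hostname
    if host is None:
        return False, "no host"
    if is_internal_address(host):
        return False, f"internal address {host} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in (None, DEFAULT_PORTS[scheme]):
        return False, f"port {port} not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the test vectors from the SSRF slides.
    for sample in [
        "https://api.example.com/v1/users",
        "http://api.example.com/",
        "file:///etc/passwd",
        "https://127.0.0.1/",
        "https://[::1]/",
        "https://api.example.com@10.0.0.1/",
        "https://api.example.com:8443/",
    ]:
        print(sample, "->", validate_outbound_url(sample))
```

Because hostnames are compared against the allowlist rather than resolved, the check runs offline and has no DNS dependency. A production fetcher should additionally pin the address actually connected to (resolve once, check it with `is_internal_address`, connect to that IP), since an allowlisted name can otherwise be pointed at an internal address after validation. This complements, and does not replace, the slide's last point: network access control between the application server and the internal network.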
58. @insp3ctre
OWASP TOP 10 2013
A1 - Injection
A2 - Broken authentication and session management
A3 - Cross-site scripting (XSS)
A4 - Insecure direct object references (IDOR)
A5 - Security misconfiguration
59. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6 - Sensitive data exposure
A7 - Missing function level access control
A8 - Cross-site request forgery (CSRF)
A9 - Using components with known vulnerabilities
A10 - Unvalidated redirects and forwards