OWASP Top 10 Vulnerabilities
Let's exploit Injection and XSS
Kim Carter – ANZTB Monday 2013-08-26 Meetup
OWASP is coming to Christchurch
OWASP Day 2013
https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013
OWASP Resources
● Top 10
● Cheat Sheets
● Tutorials
● Guides
● Projects, Tools and Code Libraries
Most common security vulnerabilities
found in web apps in 2013
Kali Linux
● Free and open source (GNU/Linux) OS
● Targets professional security auditors and penetration testers
● All tools shipped are free and open source
● No profit involved
● Many of the over 300 security tools have been provided as free versions that do the same job as the paid-for versions
Up and Running with Kali Linux
Discuss tools I use very frequently
Firefox Add-Ons
● Tamper Data: very simple proxy, but very easy to use
● FoxyProxy: a real time-saver
● HackBar
● XSS Me
● SQL Inject Me
Chrome extensions
● FoxyProxy
● Cookies
● Edit This Cookie
Burp Suite
There are a large number of training apps and intentionally vulnerable web apps freely available.
I've organised three to work through to whet your appetite.
I'd encourage you to take them further.
What is Injection
1. Attacker injects (generally malicious) code into a website.
2. This changes the course of execution on related system(s): gain information, privilege escalation, manipulate/destroy stored data, destroy system(s).
Varieties
● Command, SQL, XPath, Query String
● Lots of derivatives of these
Workshop WebGoat
Start here: http://owaspbwa/WebGoat/attack
Injection
Command Injection
Workshop DVWA
Start here: http://owaspbwa/dvwa
Injection
SQL String Injection
Injection Mitigation techniques
● Similar techniques to XSS, plus:
● Avoid accessing external interpreters
● Use well-structured parameters
● Least privilege
● OWASP Prevention Cheat Sheets
● Break it!
Further details found here:
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
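The two mitigations on this slide that map most directly onto code are "use well-structured parameters" and "avoid accessing external interpreters". The following is an added example written for this page, not code from the slides, WebGoat or DVWA: it puts the string-built SQL that the DVWA workshop exercises beside the parameterised form, and replaces a shell command string with a validated argv list. The users table, its two rows and the hostname allow-list pattern are constructed for illustration.

```python
# Added example for the "Injection Mitigation techniques" slide; not code from
# the slides or from WebGoat/DVWA. The users table, its rows and HOSTNAME_RE
# are constructed for illustration.
import re
import sqlite3


def demo_db():
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """SQL string injection: the input is spliced into the SQL text, so quote
    characters inside it change the structure of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Well-structured parameters: the value travels separately from the
    statement, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed allow-list: the only characters a hostname argument may contain.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_safe_hostname(host):
    """True only if the whole string matches the allow-list pattern."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_argv(host):
    """Avoid the external interpreter: instead of building a shell string such
    as "ping -c 1 " + host, validate the argument and return an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the input
    and metacharacters are just bytes inside one argument."""
    if not is_safe_hostname(host):
        raise ValueError("hostname contains characters outside the allow-list")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = demo_db()
    probe = "' OR '1'='1"
    print("string-built query rows:", lookup_vulnerable(db, probe))
    print("parameterised query rows:", lookup_parameterised(db, probe))
    print("argv:", build_ping_argv("example.com"))
```

Run against the same probe, the string-built query returns every row while the parameterised one returns none, because the bound value is compared as a literal name. The argv builder is the "least privilege" idea applied to process execution: the process gets exactly the one validated argument and nothing else to interpret.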
What is XSS
1. Attacker injects (generally malicious) code into a website.
2. When the victim requests the website code, the attacker's code is executed.
Varieties
● File Upload
● Reflected (non-persistent)
● Stored
● Lots of derivatives of these
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
File Upload XSS
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS
Handy Links:
URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp
ASCII: http://asciitable.com
XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via HTML Attribute
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via AJAX
When the user clicks the refresh button, the response looks like this:
In the mark-up the snippet looks like this:
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS via AJAX
XSS Mitigation techniques
● Constrain all input fields to well-structured data
● White-lists for each type of structured data
● Sanitise
● OWASP Prevention Cheat Sheets
● Break it!
Further details found here:
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
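The three mitigation bullets above (constrain input, white-list per field type, sanitise) and the stored-XSS-via-attribute and via-AJAX workshop variants come together in the following added example. It is written for this page and is not code from the slides or from Gruyere; the username rule, the profile template and the sample values are constructed. It shows a raw-interpolation renderer beside one that validates the structured field and encodes both values for the HTML context they land in, and a JSON encoder for AJAX responses.

```python
# Added example for the "XSS Mitigation techniques" slide and the stored XSS
# via HTML attribute / via AJAX workshops; not code from the slides or from
# Gruyere. USERNAME_RE, the profile template and sample values are constructed.
import html
import json
import re

# Constructed white-list for one structured field: exactly what a username may be.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value):
    """True only if the whole value matches the white-list pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value):
    """Constrain input to well-structured data: reject anything else outright
    rather than trying to strip "bad" characters out of it."""
    if not is_valid_username(value):
        raise ValueError("username must be 3-32 characters from [A-Za-z0-9_]")
    return value


def render_profile_vulnerable(username, bio):
    """Stored XSS: both values are interpolated raw, one into an attribute
    value and one into element content, so markup in them becomes markup."""
    return f'<div class="bio" title="{username}">{bio}</div>'


def render_profile_safe(username, bio):
    """Encode on output for the context the value lands in. html.escape with
    quote=True covers element text and double-quoted attribute values. The
    free-text bio cannot be constrained to a pattern, so it is escaped rather
    than validated; the username is validated first and escaped anyway."""
    safe_user = html.escape(validate_username(username), quote=True)
    safe_bio = html.escape(bio, quote=True)
    return f'<div class="bio" title="{safe_user}">{safe_bio}</div>'


def ajax_json(payload):
    """For AJAX responses, send JSON rather than HTML fragments, with the HTML
    metacharacters encoded as \\uXXXX escapes so the text stays inert even if
    a page ever inlines it inside a <script> block. The client should insert
    the parsed values with textContent, never innerHTML."""
    text = json.dumps(payload)
    return (text.replace("&", "\\u0026")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e"))


if __name__ == "__main__":
    sample_bio = '<b>hi</b> & "bye"'
    print(render_profile_vulnerable("alice_1", sample_bio))
    print(render_profile_safe("alice_1", sample_bio))
    print(ajax_json({"bio": sample_bio}))
```

The split matters: validation is the right tool for fields with a known shape (usernames, IDs, dates), while encoding is the tool for free text, and encoding has to match the context (element body, attribute value, JSON/script) rather than being a single "sanitise" pass applied on input.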
Extra Resources
Sanitising User Input
http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-p
http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-p
Write-up on Kali Linux
http://pentestmag.com/
Tool junkie? Check out this collection:
http://www.softwareqatest.com/qatweb1.html
Deliberate Insecure Targets and Training Platforms that I've screened.
● Hacking Lab: https://www.hacking-lab.com/
● Nebula: http://exploit-exercises.com/
● Gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from the web
● Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
  - VMware and VirtualBox versions. Looks like quite a bit of documentation. Actively maintained.
  - Vulnerable targets: WebGoat, Gruyere, Damn Vulnerable Web App.
  - http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken
Deliberate Insecure Targets and Training Platforms that I've screened.
w3af test website: https://github.com/andresriancho/w3af-moth
VMware image: http://www.bonsai-sec.com/en/research/moth.php
Various other unmaintained websites
● Damn Vulnerable Web Application (DVWA): http://dvwa.co.uk/
  Not sure where the documentation is? Maybe embedded in the download?
● Acunetix 1: http://testphp.vulnweb.com/ (these three are online)
● Acunetix 2: http://testasp.vulnweb.com/
● Acunetix 3: http://testaspnet.vulnweb.com/
● Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibera
  Easy to follow. Geared towards a classroom environment.
Deliberate Insecure Targets and Training Platforms that I've screened.
● WebGoat
  - Platform: J2EE web application
  - Install: self-contained Tomcat server you can run from a directory under Windows or Linux
  - Notes: love the fact it's so self-contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation on a production network with little worry.
  - How-tos: http://webappsecmovies.sourceforge.net/webgoat/
  - Setting up on non-localhost: https://code.google.com/p/webgoat/wiki/FAQ
OWASP Broken Web Applications project: https://code.google.com/p/owaspbwa/wiki/UserGuide
  - This has a great selection of training apps along with intentionally vulnerable apps.
  - It contains a lot of the apps already discussed.