www.tothenew.com
How not to make a Hacker friendly application
Table of Contents:
1. User input validation:
a. Sql Injection
Diagram
Vulnerable Code & Common Mistakes
b. Cross Site Scripting
Type of XSS
Common Mistakes
c. Unrestricted File uploads
Attack Scenario
Common Mistakes
What fields can be considered as user input?
d. Client Side checks and reliability
2. Privacy model:
a. IDOR (Insecure direct object reference)
b. Privilege escalation
Types of Privilege escalation
c. Authorization bypass
3. Infrastructural weaknesses:
a. Open ports, really, that's so old school
b. Credentials are the jackpot…
c. Insecure implementations
Why security???
Who will attack me?
Are hackers really so much out of work…?
Why will someone attack me?
I have nothing to offer….
What the data is actually worth?
No one is interested to read my emails, or fb chats…. IMAGE
What all can be hacked?
Network, laptops, web apps, mobile apps, routers, DNS….. uffff
Cloud hosting and security?
My hosting provider is the GOD OF SECURITY and he has my back….
“I earn so less… I hardly make a living…. why would anyone hack me??”
1. User input:
So, what fields can be considered as user input?
The image above shows a sample POST request.
1. User input validation:
a. Sql injection
● SQL injection is a technique where malicious users can inject SQL commands into an SQL
statement, via web page input.
● Injected SQL commands can alter SQL statement and compromise the security of a web
application.
● The magic string: ' or 1=1
● A classic example:
SELECT * FROM Users WHERE UserId = '105' or 1=1
---------------------------------------------------------------------------------------------------
Quick Question: SQL injection will not leak any data in case the DB is encrypted. Agree or
not? Why?
1. User input validation:
a. Sql injection
Source: ibm.com
1. User input validation:
a. Sql injection
Vulnerable Code
Common Mistakes
● Lack of Input Sanitisation
● Absence of Parameterised queries and Stored Procedures
● Dependence upon the database or libraries for protection
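The "vulnerable code" slide itself is an image that did not survive extraction, so here is an added example (not the deck's own code) of the two mistakes side by side: a query built by string concatenation, and the same lookup as a parameterised query. The Users table, its rows and the sqlite3 in-memory database are constructed for the example; the magic string is the one from the slide, with the closing quote balanced so the concatenated statement stays syntactically valid.

```python
import sqlite3

# Constructed table for the example; the slide's query uses a Users table
# with a UserId column, so the schema follows that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId TEXT PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("105", "alice"), ("106", "bob"), ("107", "carol")])
    return conn

def find_user_vulnerable(conn, user_id):
    # The mistake from the slide: the request value is glued into the SQL
    # text, so a quote in the value ends the literal and the rest becomes SQL.
    sql = "SELECT UserId, Name FROM Users WHERE UserId = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, user_id):
    # Parameterised query: the value travels separately from the statement,
    # so quotes and "or 1=1" are data, never syntax. The same fix applies to
    # any driver that supports placeholders (?, %s, :name).
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The slide's magic string with the closing quote balanced; concatenated it
# yields: WHERE UserId = '' or '1'='1'
MAGIC = "' or '1'='1"

def compare(user_id=MAGIC):
    """Return (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    return len(find_user_vulnerable(conn, user_id)), len(find_user_safe(conn, user_id))

if __name__ == "__main__":
    print("vulnerable vs parameterised:", compare())   # (3, 0)
```

The concatenated version returns every row because the injected `or '1'='1'` is evaluated as SQL; the parameterised version returns nothing because the whole string is compared, as data, against UserId. Input sanitisation is a second layer, not a replacement for this.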
1. User input validation:
b. Cross Site scripting
● Cross-site scripting (XSS) is a code injection attack that allows an attacker to
execute malicious JavaScript in another user's browser.
● The attacker does not directly target his victim. Instead, he exploits a vulnerability
in a website that the victim visits, in order to get the website to deliver the
malicious JavaScript for him.
● To the victim's browser, the malicious JavaScript appears to be a legitimate part of
the website, and the website has thus acted as an unintentional accomplice to the
attacker.
----------------------------------------------------------------------------------------------
https://www.xssexample.com/search?q= >'>"><img src=x onerror=alert(1)>
Quick Question: How is XSS a threat? What can someone do with this?
1. User input validation:
Types of XSS
● Reflected or Non- Persistent XSS
● Stored or Persistent XSS
● DOM Based XSS
---------------------------------------------------------------------------------------------------------------
Quick Question: What is DOM? How can DOM be exploited? How does it affect the application? And how to fix it?
1. User input validation:
Common Mistakes causing Cross Site scripting
● No Input Sanitisation: The application does not check whether the value entered by a user
is of the type what it is intended to be.
● No Output Encoding: If a user input is reflected back in the output, and it is not being
encoded, then a malicious user can take advantage of it.
● No Context based Encoding: Sometimes, the application accepts inputs from the user that
finally become a part of a script or HTML attribute. If no encoding mechanism has been
incorporated, a user may inject script or HTML.
-------------------------------------------------------------------------------------------------
Quick Question: What is a context? How many can you name….?
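As an added example (not from the deck), here is what "context based encoding" looks like in code, answering the quick question with four contexts: HTML body, quoted HTML attribute, a JavaScript string inside a script element, and a URL query parameter. The payload is the one from the search?q= slide; the page layout, function names and the use of the Python standard library encoders are assumptions made for this example.

```python
import html
import json
from urllib.parse import quote

# Constructed payload of the kind shown on the search?q= slide.
PAYLOAD = ">'>\"><img src=x onerror=alert(1)>"

def encode_for_html(value):
    # HTML body and quoted-attribute context: &, <, >, " and ' become entities.
    # For attributes the caller must also always quote the attribute value.
    return html.escape(value, quote=True)

def encode_for_javascript(value):
    # <script> string-literal context: json.dumps quotes and escapes the value,
    # then <, > and & are written as \uXXXX so the value can never close the
    # script element or start a tag, whatever the surrounding markup.
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def encode_for_url(value):
    # URL query-parameter context: percent-encode everything but unreserved chars.
    return quote(value, safe="")

def render_search_page(query):
    """Reflect the query into four contexts, each through its own encoder."""
    return (
        "<p>Results for: " + encode_for_html(query) + "</p>\n"
        '<input name="q" value="' + encode_for_html(query) + '">\n'
        "<script>var lastQuery = " + encode_for_javascript(query) + ";</script>\n"
        '<a href="/search?q=' + encode_for_url(query) + '">search again</a>'
    )

def render_search_page_vulnerable(query):
    # The "no output encoding" mistake: the value is reflected verbatim, so the
    # browser parses the payload as markup.
    return "<p>Results for: " + query + "</p>"

def leaks_markup(page):
    """True if an unencoded tag start survived into the output."""
    return "<img" in page
```

Using the HTML encoder for every context is the usual mistake: `&lt;` is correct inside a paragraph but meaningless inside a script string or a URL, which is why each context has its own encoder and the template has to know which one it is in.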
1. User input validation:
c. Unrestricted File uploads
● Various web applications allow users to upload files. Uploaded files may pose a
significant risk if not handled correctly.
● Attacks using file upload can happen if the Web application is not validating the
file that is being uploaded.
● Attacker tries to upload the file with malicious path or filename so that the server
can execute the file.
--------------------------------------------------------------------------------------------
Quick Question: How much evil can you think of, if you get to upload a PHP file to a server?
1. User input validation:
c. Unrestricted File uploads
● After successful upload, the attacker tries to find a way to execute his code either on
the server side or on the client side.
● Some of the ways a file upload may be exploited:
○ The attacker may host malware or illegal software on the web site.
○ The attacker can exploit client side vulnerabilities like Cross-Site Scripting by
hosting a script in an HTML file.
○ The attacker can compromise the server’s integrity by uploading a virus or malicious code
that is executed on the server side.
-----------------------------------------------------------------------------------------------
Quick Questions: How would you validate a file upload in your application? What else can we do
about it? Which parameters should be checked?
1. User input validation:
Common Mistakes
● Only Client side validation is used.
● Files are validated only using their extensions and not the content.
● The upload directory has execute permissions.
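An added example (not the deck's code) of server-side upload handling that avoids the three mistakes above: the check runs on the server, the content is inspected and not just the extension, and the stored file can never be executed. The image-only allow-list, the magic-byte table, the size limit and the temp directory used by the demo are all assumptions made for this example.

```python
import os
import secrets
import stat
import tempfile

# Assumptions for this example: only images are accepted, the server picks the
# stored name, and files are written without an execute bit. The allow-list
# maps each permitted extension to the magic bytes its content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024

class UploadRejected(ValueError):
    pass

def validate_upload(client_filename, data):
    """Return (extension, data) when all checks pass; raise UploadRejected otherwise."""
    # 1. The client-supplied path is never used: keep only the base name.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise UploadRejected("empty or hidden filename")
    # 2. Extension allow-list (a deny-list of .php, .jsp, ... always misses one).
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %r" % ext)
    # 3. Size limit before any content inspection.
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # 4. Content must match the declared type; a PHP script named x.png fails here.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext, data

def is_rejected(client_filename, data):
    try:
        validate_upload(client_filename, data)
        return False
    except UploadRejected:
        return True

def save_upload(upload_dir, ext, data):
    # 5. Random server-chosen name, O_EXCL so nothing is overwritten, mode 0644
    #    so the file is never executable. The directory must also be served as
    #    static content, never mapped to a script handler.
    path = os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo_roundtrip(client_filename="../../avatar.png",
                   data=b"\x89PNG\r\n\x1a\n" + b"\x00" * 16):
    """Validate and store a constructed PNG in a temp dir; return (ext, executable?)."""
    ext, body = validate_upload(client_filename, data)
    with tempfile.TemporaryDirectory() as d:
        path = save_upload(d, ext, body)
        executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    return ext, executable
```

A magic-byte check is not a full parse; for formats that can carry embedded scripts (SVG, polyglot GIF/JS files) re-encoding the image with an image library is the stronger control, and the random server-side name removes any reliance on the client's filename at all.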
1. User input validation:
d. Client Side checks and reliability
● Enforcing Client side validation is not reliable at all.
● It is common to see customised client-side input validation implemented within
scripts. Client-side controls of this kind are usually easy to circumvent: it is
possible to enter a benign value into the input field in the browser, intercept the
validated submission with a proxy (e.g., Burp Proxy), and modify the data to the
desired value.
● Developers must make sure to never trust user input and validate the user entered
values at the server side too.
1. User input validation:
Example
As you can see in the image alongside, the quantity of the first
product is set to ‘-1’. This was done by bypassing the client
side validation using a proxy tool.
Note that this value was not being validated at the server end.
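The screenshot referred to above is not in the extracted text, so here is an added example (not from the deck) that does two things: it lists every field of a POST request that the client controls, answering the earlier "what fields can be considered as user input?" slide, and it applies the server-side check the quantity example was missing. The request is constructed for the example (the cookie names and values are the ones quoted later in the deck); the validation rules and function names are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed request of the kind the slide's screenshot shows, captured after a
# proxy changed the quantity to -1.
RAW_REQUEST = (
    "POST /cart/update?coupon=SAVE10 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://shop.example/cart\r\n"
    "Cookie: JSESSIONID=absgcfrtena8829n; userid=10983311\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "product_id=17&quantity=-1&gift=true"
)

def user_controlled_fields(raw):
    """Name every input the client controls: query string, headers, cookies, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    fields = {"query": [], "header": [], "cookie": [], "body": []}
    fields["query"] = list(parse_qs(urlsplit(target).query, keep_blank_values=True))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields["header"].append(name.strip())
        if name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            fields["cookie"] = list(jar.keys())
    fields["body"] = list(parse_qs(body, keep_blank_values=True))
    return fields

class ValidationError(ValueError):
    pass

def parse_quantity(value, max_qty=99):
    # Server-side rule, applied whatever the page's JavaScript already checked.
    try:
        qty = int(value)
    except (TypeError, ValueError):
        raise ValidationError("quantity must be an integer")
    if not 1 <= qty <= max_qty:
        raise ValidationError("quantity out of range")
    return qty

def validate_cart_update(raw):
    """Return the validated (product_id, quantity) or raise ValidationError."""
    _, _, body = raw.partition("\r\n\r\n")
    form = parse_qs(body)
    product_id = form.get("product_id", [""])[0]
    if not product_id.isdigit():
        raise ValidationError("bad product id")
    return int(product_id), parse_quantity(form.get("quantity", [""])[0])

def request_is_rejected(raw):
    try:
        validate_cart_update(raw)
        return False
    except ValidationError:
        return True
```

Everything the function lists, headers and cookies included, arrives from the client and can be rewritten in a proxy; the quantity check is the same rule the browser script enforced, repeated where it cannot be bypassed.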
2. Privacy model:
a. IDOR (Insecure direct object reference)
● Insecure Direct Object References occur when an application provides direct access to
objects based on user-supplied input. As a result of this vulnerability, attackers can
bypass authorization and access resources in the system directly, for example database
records or files.
● Insecure Direct Object References allow attackers to bypass authorization and access
resources directly by modifying the value of a parameter used to directly point to an
object.
-----------------------------------------------------------------------------------------------
Quick Question: Can you give me an example of IDOR?
Sample URL: https://www.idorexample.com/userdata/doc/5e072i81nm0as/transaction.aspx
Looks vulnerable?
2. Privacy model:
a. IDOR (Insecure direct object reference)
● Applications frequently use the actual name or key of an object when generating web
pages. Applications don’t always verify the user is authorized for the target object.
● Such flaws can compromise all the data that can be referenced by the parameter. Unless
object references are unpredictable, it’s easy for an attacker to access all available
data of that type.
● For example,
Suppose a user can access his invoice as
http://foo.bar/somepage?invoice=John
Now, if the attacker changes the name in the invoice parameter, such
as http://foo.bar/somepage?invoice=Jane, he might be able to access the invoice of
another user.
2. Privacy model:
b. Privilege escalation
● Privilege escalation occurs when a user gets access to more resources or
functionality than they are normally allowed, and such elevation or changes should
have been prevented by the application.
● This is usually caused by a flaw in the application. The result is that the
application performs actions with more privileges than those intended by the developer
or system administrator.
2. Privacy model:
● Privilege Escalation can be of two types:
○ Vertical Privilege Escalation - when it is possible to access resources granted to
more privileged accounts (e.g., acquiring administrative privileges for the application).
○ Horizontal Privilege Escalation - when it is possible to access resources granted to a
similarly configured account (e.g., in an online banking application, accessing
information related to a different user).
2. Privacy model:
c. Authorization bypass
Authorization bypass occurs when a user is able to access functionality or data that they are
not normally permitted to access.
● How do you ensure the session and login?
JSESSIONID=absgcfrtena8829n
userid=10983311
● How do you ensure authorization….
○ Random paths…??? Really, is that it?
● Let’s design a foolproof method of authorization...
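One answer to "let's design a foolproof method of authorization", as an added example that is not the deck's code, covering the IDOR invoice slide and the privilege-escalation slide as well: identity comes from a server-side session looked up by a random session id, never from a client-supplied userid; every object lookup checks ownership (horizontal); every privileged action checks the role (vertical); and a missing object and a foreign object get the same answer, so the id parameter cannot be used to probe. The session store, the invoice table (one id is the sample URL's, the other is constructed) and the cookie name are assumptions.

```python
import secrets

class Forbidden(Exception):
    pass

# Constructed data: a server-side session store and an invoice table keyed by an
# unpredictable id that also records the owner.
SESSIONS = {}            # session id -> {"user": ..., "role": ...}
INVOICES = {
    "5e072i81nm0as": {"owner": "John", "amount": 120},
    "b91f0c2a7d3e4": {"owner": "Jane", "amount": 75},
}

def login(user, role="customer"):
    # Identity is bound to a random session id held server-side. The client
    # never sends a separate "userid=..." cookie that the server would trust.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role}
    return sid

def current_user(cookies):
    sess = SESSIONS.get(cookies.get("SESSIONID", ""))
    if sess is None:
        raise Forbidden("not logged in")
    return sess

def get_invoice(cookies, invoice_id):
    """Look the invoice up, then check the caller owns it (or is an admin)."""
    who = current_user(cookies)
    inv = INVOICES.get(invoice_id)
    # Same answer for "does not exist" and "not yours": no oracle for probing ids.
    if inv is None or (inv["owner"] != who["user"] and who["role"] != "admin"):
        raise Forbidden("no such invoice")
    return inv

def delete_user(cookies, target):
    # Vertical check: the action is gated on the server-side role, not on any
    # field the client supplies.
    who = current_user(cookies)
    if who["role"] != "admin":
        raise Forbidden("admin only")
    return "deleted %s" % target

def can_access(cookies, invoice_id):
    try:
        get_invoice(cookies, invoice_id)
        return True
    except Forbidden:
        return False

def can_delete(cookies):
    try:
        delete_user(cookies, "someone")
        return True
    except Forbidden:
        return False
```

Unpredictable ids (the random-looking path in the sample URL) make guessing harder but are not the control; the ownership check in `get_invoice` is, and it has to run on every object access, not only when the page that links to it is rendered.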
3. Infrastructural weaknesses:
● Publicly accessible console (such as Grails)
----------------------------------------------------------------------------------------------------------
Quick Question: What all ports do you block and why? What else do you care to block?
3. Infrastructural weaknesses:
● Publicly accessible Jenkins (or any other CI Tool)
3. Infrastructural weaknesses:
b. Credentials are the jackpot…
● How complex is the credential, i.e. the password, private key etc.?
○ What about a password policy for administrators?
○ How do you create the admin accounts? And how many does your application have?
● Where are the credentials stored? e.g. a Dropbox folder, Confluence etc.
○ Searching GitHub for access keys and code
● Let’s guess some passwords..
○ Ummm…..
● How can one access key make you lose all the money?
3. Infrastructural weaknesses:
c. Insecure implementations:
● Directory listing: logs, backup files, older version of application
3. Infrastructural weaknesses:
c. Insecure implementations:
● Directory listing vulnerability in IBM InfoSphere Data Replication
Dashboard (CVE-2012-4861)
3. Infrastructural weaknesses:
c. Insecure implementations:
● admin portals: Bruteforcing
The admin portal should only be accessible from certain IP addresses (say, only from the
organization). A publicly accessible admin portal poses a serious threat to the complete
infrastructure and all the applications associated with it. Admin portals may be open to brute
force attack because they often have no mechanism to restrict the number of unsuccessful login
attempts.
“There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker
is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords.
It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been
recorded attempting to hack WordPress installs.”
Source: www.mnxsolutions.com
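The two controls named on this slide, a source-address restriction and a limit on failed logins, as an added example that is not the deck's code. The internal network range, the lockout policy, the single admin account and the use of PBKDF2 from the standard library as the password hash are all assumptions made for the example; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed for the example: one admin account, an internal allow-list and a
# lockout policy. The salt and password are placeholders.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
SALT = b"constructed-salt"
ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000)

class LoginGate:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for testing
        self.failures = {}            # (ip, user) -> (count, time of first failure)

    def ip_allowed(self, ip):
        # Network restriction from the slide: the portal answers only inside
        # the organisation's address ranges.
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ALLOWED_NETS)

    def locked(self, ip, user):
        count, first = self.failures.get((ip, user), (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - first < LOCKOUT_SECONDS:
            return True
        del self.failures[(ip, user)]  # lockout expired
        return False

    def login(self, ip, user, password):
        """Return 'denied-ip', 'locked', 'bad-credentials' or 'ok'."""
        if not self.ip_allowed(ip):
            return "denied-ip"
        if self.locked(ip, user):
            return "locked"
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        if user == "admin" and hmac.compare_digest(digest, ADMIN_HASH):
            self.failures.pop((ip, user), None)
            return "ok"
        count, first = self.failures.get((ip, user), (0, self.clock()))
        self.failures[(ip, user)] = (count + 1, first)
        return "bad-credentials"

def simulate_failures(gate, ip, user, n):
    """Return the outcomes of n wrong-password attempts."""
    return [gate.login(ip, user, "wrong-password-%d" % i) for i in range(n)]
```

The counter here is keyed on (ip, user). The WordPress campaign quoted above came from tens of thousands of addresses, which a per-IP limit alone never trips; keying on the account as well (and logging the lockouts) is what turns a distributed guessing run into a visible event rather than a slow success.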
3. Infrastructural weaknesses:
c. Insecure implementations:
● Unprotected/vulnerable sub domains
Domains such as cms.domain.com or cpanel.domain.com
A Salesforce subdomain “admin.salesforce.com” used for blogging was affected by a reflected
cross-site scripting (XSS) vulnerability that could have been exploited by attackers to
distribute malware and carry out phishing attacks.
http://www.scmagazine.com/xxs-vulnerability-in-salesforce-subdomain-could-have-been-used-for-malware-distribution/article/432654/
------------------------------------------------------------------------------------------------------------
Quick Question: How do you make sure that no one (outside your team/company) knows about a sub-domain
“console.mydomain.com”? Google search?
3. Infrastructural weaknesses:
c. Insecure implementations:
● Missing headers
CORS
X-Frame-Options
X-XSS-Protection
Strict Transport Security
Content Security Policy
Origin Header
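An added example (not from the deck) that checks a response against the headers listed on this slide and builds a hardened set, including an Origin allow-list for CORS instead of reflecting whatever Origin the request carries. The header values are conservative defaults chosen for the example, not taken from the slides; X-Content-Type-Options is an addition to the slide's list, and X-XSS-Protection is set to 0 because current browsers have retired the filter it controlled and CSP carries the protection.

```python
# Values are example defaults; tune CSP to the application's real sources.
RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    # The legacy XSS auditor is gone from current browsers; 0 disables what is
    # left so the filter itself cannot be abused, and CSP does the real work.
    "X-XSS-Protection": "0",
}
ALLOWED_ORIGINS = {"https://app.example"}   # constructed CORS allow-list

def audit_headers(headers):
    """Return findings for a response header dict (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in RECOMMENDED:
        if name.lower() not in h:
            findings.append("missing " + name)
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has unsupported value " + xfo)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS allows any origin with credentials")
    elif acao == "*":
        findings.append("CORS wildcard origin: confirm the resource is public")
    return findings

def cors_headers_for(origin):
    """Echo the request's Origin only when it is on the allow-list; never reflect blindly."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def hardened_response_headers(origin=None):
    """Recommended headers plus CORS headers for an allow-listed origin, if any."""
    out = dict(RECOMMENDED)
    out.update(cors_headers_for(origin))
    return out
```

The Origin header is the request side of CORS: the server decides, by comparing it with a fixed allow-list, whether to emit Access-Control-Allow-Origin at all. Copying the request's Origin into the response unconditionally is equivalent to a wildcard that also works with credentials.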
3. Infrastructural weaknesses:
c. Insecure implementations:
Vulnerabilities in SSH
Vulnerability: CVE-2015-5600
We have servers that use OpenSSH for authentication. Such servers can be subjected to a
brute force attack on the OpenSSH protocol, with repeated login attempts using random
passwords.
Preventing Brute Force attacks due to OpenSSH Vulnerability (MaxAuthTries bypass)
http://www.tothenew.com/blog/preventing-brute-force-attacks-due-to-openssh-vulnerability-maxauthtries-bypass/
3. Infrastructural weaknesses:
● An auth bypass web vulnerability has been discovered in the official WebComIndia Content
Management System 2015Q4.
The vulnerability allows remote attackers to bypass the login mechanism of the web application
and compromise the service.
For more details, visit: http://www.securityfocus.com/archive/1/5366484
“Judge a man by his questions rather than by his
answers.”
― Voltaire

Mais conteúdo relacionado

Mais procurados

Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
Valency Networks
 

Mais procurados (20)

Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Grey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request ForgeryGrey H@t - Cross-site Request Forgery
Grey H@t - Cross-site Request Forgery
 
Web Aplication Vulnerabilities
Web Aplication Vulnerabilities Web Aplication Vulnerabilities
Web Aplication Vulnerabilities
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities   2013Owasp top 10 vulnerabilities   2013
Owasp top 10 vulnerabilities 2013
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Do security toolbars actually prevent phishing attacks
Do security toolbars actually prevent phishing attacksDo security toolbars actually prevent phishing attacks
Do security toolbars actually prevent phishing attacks
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
 

Semelhante a How not to make a hacker friendly application

Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Web application security
Web application securityWeb application security
Web application security
Jin Castor
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
MatthewTennant613
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
AnastaciaShadelb
 

Semelhante a How not to make a hacker friendly application (20)

Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Web application security
Web application securityWeb application security
Web application security
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
 
Secure client
Secure clientSecure client
Secure client
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
OWASP TOP 10 by Team xbios
OWASP TOP 10  by Team xbiosOWASP TOP 10  by Team xbios
OWASP TOP 10 by Team xbios
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 

Mais de Abhinav Mishra (7)

Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter Meet
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
 
The art of android hacking
The art of  android hackingThe art of  android hacking
The art of android hacking
 
Android Security Basics
Android Security BasicsAndroid Security Basics
Android Security Basics
 
Anatomizing online payment systems: hack to shop
Anatomizing online payment systems: hack to shopAnatomizing online payment systems: hack to shop
Anatomizing online payment systems: hack to shop
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

How not to make a hacker friendly application

  • 1. www.tothenew.com How not to make a Hacker friendly application
  • 2. www.tothenew.com Table of Contents: 1. User input validation: a. Sql Injection Diagram Vulnerable Code & Common Mistakes b. Cross Site Scripting Type of XSS Common Mistakes c. Unrestricted File uploads Attack Scenario Common Mistakes What fields can be considered as user input? d. Client Side checks and reliability 2. Privacy model: a. IDOR (Insecure direct object reference) b. Privilege escalation Types of Privilege escalation c. Authorization bypass 3. Infrastructural weaknesses: a. Open ports, really, that's so old school b. Credentials are the jackpot… c. Insecure implementations
  • 3. www.tothenew.com Why security??? Who will attack me? Are hackers really so much out of work…? Why will someone attack me? I have nothing to offer…. What the data is actually worth? No one is interested to read my emails, or fb chats…. IMAGE What all can be hacked? Network, laptops, web apps, mobile apps, routers, DNS….. uffff Cloud hosting and security? My hosting provider is the GOD OF SECURITY and he has my back…. “I earn so less… I hardly make a living…. why would anyone hack me??”
  • 4. www.tothenew.com 1. User input: So, what fields can be considered as user input? The image above shows a sample POST request.
  • 5. www.tothenew.com 1. User input validation: a. Sql injection ● SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. ● Injected SQL commands can alter SQL statement and compromise the security of a web application. ● The magic string: ’ or 1=1 ● A classic example: SELECT * FROM Users WHERE UserId = ‘105’ or 1=1 --------------------------------------------------------------------------------------------------- Quick Question: SQL injection will not leak any data in case the DB is encrypted. Agree or not? Why?
  • 6. www.tothenew.com 1. User input validation: a. Sql injection Source: ibm.com
  • 7. www.tothenew.com 1. User input validation: a. Sql injection Vulnerable Code Common Mistakes ● Lack of Input Sanitisation ● Absence of Parameterised queries and Stored Procedures ● Dependance upon database or libraries
  • 8. www.tothenew.com 1. User input validation: b. Cross Site scripting ● Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. ● The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. ● To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker. -------------------------------------------------------------------------------------------- -- https://www.xssexample.com/search?q= >’>”><img src=x onerror=alert(1)> Quick Question: How is XSS a threat? What can someone do with this?
  • 9. www.tothenew.com 1. User input validation: Types of XSS ● Reflected or Non- Persistent XSS ● Stored or Persistent XSS ● DOM Based XSS --------------------------------------------------------------------------------------------------------------- Quick Question: What is DOM? How can DOM be exploited? How does it affect the application? And how to fix it?
  • 10. www.tothenew.com 1. User input validation: Common Mistakes causing Cross Site scripting ● No Input Sanitisation: The application does not check whether the value entered by a user is of the type what it is intended to be. ● No Output Encoding: If a user input is reflected back in the output, and it is not being encoded, then a malicious user can take advantage of it. ● No Context based Encoding: Sometimes, the application accepts inputs from the user that finally become a part of a script or HTML attribute. If no encoding mechanism has been incorporated, a user may inject script or HTML. ------------------------------------------------------------------------------------------------- Quick Question: What is a context? How many can you name….?
• 11. 1. User input validation: c. Unrestricted File uploads
● Various web applications allow users to upload files. Uploaded files may pose a significant risk if not handled correctly.
● Attacks using file upload can happen if the web application does not validate the file that is being uploaded.
● The attacker tries to upload a file with a malicious path or filename so that the server will execute the file.
--------------------------------------------------------------------------------
Quick Question: How much evil can you think of, if you get to upload a php file to a server?
• 12. 1. User input validation: c. Unrestricted File uploads
● After a successful upload, the attacker tries to find a way to execute his code either on the server side or on the client side.
● Some of the ways file upload exploits happen:
  ● The attacker may host malware or illegal software on the web site.
  ● The attacker can exploit client side vulnerabilities like Cross-Site Scripting by hosting a script in an HTML file.
  ● The attacker can compromise the server’s integrity by uploading a virus or malicious code that is executed on the server side.
--------------------------------------------------------------------------------
Quick Questions: How do you suggest validating a file upload in your application? What else can we do about it? What parameters should be checked?
• 13. 1. User input validation: Common Mistakes
● Only client side validation is used.
● Files are validated only by their extension and not by their content.
● The upload directory has execute permissions.
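An upload handler that avoids the three mistakes above. This is an added example, not code from the deck: it validates on the server, decides the file type from the leading bytes rather than the client's filename, stores under a random server-chosen name with no execute bit, and refuses anything else. The image allowlist, size limit and sample bytes are constructed for the example.

```python
"""Server-side validation and storage of an uploaded file.

Added example, not the deck's code. Allowlist, limits and sample file
bytes are constructed.
"""
import os
import secrets
import stat
import tempfile

# Allowed types: extension -> leading bytes (magic) the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


def detect_type(content: bytes):
    """Identify the type from the content, or None if it matches nothing."""
    for ext, magic in ALLOWED_TYPES.items():
        if content.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (ok, detail). The client-supplied name only passes a coarse
    allowlist check; the bytes decide what the file really is."""
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if detect_type(content) != ext:
        return False, "content does not match extension"
    return True, ext


def store_upload(upload_dir: str, content: bytes, ext: str) -> str:
    """Write under a random name the user never chose (no path traversal, no
    second extension smuggled in), mode 0600 so the file is not executable."""
    name = secrets.token_hex(16) + "." + ext
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def handle_upload(upload_dir: str, filename: str, content: bytes) -> dict:
    ok, detail = validate_upload(filename, content)
    if not ok:
        return {"stored": False, "reason": detail}
    return {"stored": True, "path": store_upload(upload_dir, content, detail)}


def demo() -> dict:
    """Run constructed samples through the handler in a temporary directory."""
    upload_dir = tempfile.mkdtemp()
    png = ALLOWED_TYPES["png"] + b"\x00" * 32          # constructed PNG-like bytes
    script = b"<?php echo 'constructed'; ?>"           # not an image at all
    good = handle_upload(upload_dir, "avatar.png", png)
    return {
        "good_stored": good["stored"],
        "good_ext": good["path"].rsplit(".", 1)[-1],
        "good_exec_bit": bool(os.stat(good["path"]).st_mode & stat.S_IXUSR),
        "php_ext": handle_upload(upload_dir, "shell.php", script)["reason"],
        "php_as_png": handle_upload(upload_dir, "shell.png", script)["reason"],
        "traversal": handle_upload(upload_dir, "../../x.png", script)["reason"],
    }


if __name__ == "__main__":
    print(demo())
```

The file mode only covers the third mistake halfway: the upload directory itself must also be served as static content by the web server, with script execution disabled for that path, so that even a file that slipped through is never handed to an interpreter.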
• 14. 1. User input validation: d. Client Side checks and reliability
● Enforcing client side validation alone is not reliable at all.
● It is common to see customised client-side input validation implemented within scripts. Client-side controls of this kind are usually easy to circumvent: it is possible to enter a benign value into the input field in the browser, intercept the validated submission with a proxy (for example, Burp Proxy), and modify the data to the desired value.
● Developers must never trust user input, and must validate the user-entered values on the server side too.
• 15. 1. User input validation: Example
As you can see in the image alongside, the quantity of the first product is set to ‘-1’. This was done by bypassing the client side validation using a proxy tool. Note that this value was not being validated at the server end.
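The server-side check that was missing in the example above. This is an added example, not code from the deck: it parses the form body the way the server sees it after the proxy, accepts only plain positive integers within a limit, and takes prices from a server-side catalogue rather than from anything in the request. The products, prices and limit are constructed.

```python
"""Re-validate and re-price an order on the server.

Added example, not the deck's code. The body 'SKU-1=-1&...' mirrors the
deck's case of a quantity changed to -1 after the browser-side check
had passed. Catalogue, prices and limits are constructed.
"""
from urllib.parse import parse_qs

CATALOGUE = {"SKU-1": 250, "SKU-2": 1200}   # server-side prices, in cents
MAX_QTY_PER_LINE = 20


def parse_quantity(raw: str) -> int:
    """Accept only a plain positive integer within limits. str.isdigit()
    rejects '-1', '+1', '1.0', '1e3', surrounding whitespace and ''."""
    if not raw.isdigit():
        raise ValueError(f"quantity {raw!r} is not a positive integer")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise ValueError(f"quantity {qty} outside 1..{MAX_QTY_PER_LINE}")
    return qty


def process_order(body: str) -> dict:
    """Parse a form-encoded body such as 'SKU-1=2&SKU-2=1'.

    Returns {'ok': True, 'lines': {...}, 'total_cents': n} on success or
    {'ok': False, 'error': msg} on any defect. Prices come from CATALOGUE,
    never from the request, so a tampered price field is simply unknown."""
    try:
        fields = parse_qs(body, strict_parsing=True)
        lines = {}
        for sku, values in fields.items():
            if sku not in CATALOGUE:
                raise ValueError(f"unknown field {sku!r}")
            if len(values) != 1:
                raise ValueError(f"duplicate field {sku!r}")
            lines[sku] = parse_quantity(values[0])
        if not lines:
            raise ValueError("empty order")
        total = sum(CATALOGUE[sku] * qty for sku, qty in lines.items())
        return {"ok": True, "lines": lines, "total_cents": total}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(process_order("SKU-1=2&SKU-2=1"))     # accepted, 1700 cents
    print(process_order("SKU-1=-1&SKU-2=1"))    # the proxy-edited body: rejected
```

The browser-side script can stay for usability; the point is that every rule it enforces is enforced again here, plus the rules the client cannot enforce at all (the real price, the stock limit).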
• 16. 2. Privacy model: a. IDOR (Insecure direct object reference)
● Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
● Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that directly points to an object.
--------------------------------------------------------------------------------
Quick Question: Can you give me an example of IDOR?
Sample URL: https://www.idorexample.com/userdata/doc/5e072i81nm0as/transaction.aspx
Looks vulnerable?
• 17. 2. Privacy model: a. IDOR (Insecure direct object reference)
● Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify that the user is authorized for the target object.
● Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it’s easy for an attacker to access all available data of that type.
● For example, suppose a user can access his invoice as http://foo.bar/somepage?invoice=John. Now, if the attacker changes the name in the invoice parameter, such as http://foo.bar/somepage?invoice=Jane, he might be able to access the invoice of another user.
• 18. 2. Privacy model: b. Privilege escalation
● Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, where such elevation should have been prevented by the application.
● This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.
• 19. 2. Privacy model: Types of Privilege escalation
● Privilege escalation can be of two types:
  ● Vertical Privilege Escalation: when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application).
  ● Horizontal Privilege Escalation: when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).
• 20. 2. Privacy model: c. Authorization bypass
Authorization bypass occurs when an unauthorised user is able to access what he normally cannot.
● How do you ensure the session and login?
  JSESSIONID=absgcfrtena8829n
  userid=10983311
● How do you ensure authorization….
  ○ Random paths…??? Really, is that it?
● Let’s design a foolproof method of authorization...
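One answer to "let's design a method of authorization", serving the IDOR slides (the invoice=John/Jane case), the two escalation types and this slide's question. This is an added example, not code from the deck: a single deny-by-default check that every handler calls, combining a role check for the action (vertical) with an ownership check on the referenced object (horizontal/IDOR). Users, roles, invoices and the support role are constructed; the session user id is the one shown on the slide.

```python
"""A single server-side authorisation check for every object access.

Added example, not the deck's code. Sample users, roles and invoices are
constructed.
"""
from dataclasses import dataclass

USERS = {                     # user_id -> role
    "10983311": "customer",
    "10983312": "customer",
    "77": "support",
    "1": "admin",
}
INVOICES = {                  # invoice id -> owning user_id
    "John": "10983311",
    "Jane": "10983312",
}
ROLE_RANK = {"customer": 1, "support": 2, "admin": 3}
ACTION_MIN_ROLE = {"view_invoice": "customer", "void_invoice": "admin"}
ROLES_SPANNING_ALL_OBJECTS = {"support", "admin"}


@dataclass
class Session:
    user_id: str = ""         # empty string: anonymous, no valid login


def authorize(session: Session, action: str, invoice_id: str) -> bool:
    """Deny by default. Allow only when (1) the caller is logged in, (2) the
    action and object exist, (3) the role suffices for the action, and
    (4) the caller owns the object or holds a role that spans all objects."""
    role = USERS.get(session.user_id)
    if role is None or action not in ACTION_MIN_ROLE or invoice_id not in INVOICES:
        return False
    if ROLE_RANK[role] < ROLE_RANK[ACTION_MIN_ROLE[action]]:
        return False                        # vertical escalation attempt
    if role not in ROLES_SPANNING_ALL_OBJECTS and INVOICES[invoice_id] != session.user_id:
        return False                        # horizontal escalation / IDOR attempt
    return True


def get_invoice(session: Session, invoice_id: str):
    """The handler behind ?invoice=...: the check runs on every request, and
    'forbidden' and 'not found' give the same answer so that the existence
    of other users' invoices cannot be probed."""
    if not authorize(session, "view_invoice", invoice_id):
        return None
    return {"invoice": invoice_id, "owner": INVOICES[invoice_id]}


def void_invoice(session: Session, invoice_id: str) -> bool:
    """An admin-only action on the same object."""
    return authorize(session, "void_invoice", invoice_id)


if __name__ == "__main__":
    john = Session("10983311")
    print(get_invoice(john, "John"))    # his own: returned
    print(get_invoice(john, "Jane"))    # the slide's IDOR: None
    print(void_invoice(john, "John"))   # vertical: False
```

Unpredictable identifiers (the "random paths" from the slide) only make enumeration slower; they are not a substitute for this check, because a leaked or shared link still has to be authorised on every request.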
• 21. 3. Infrastructural weaknesses: a. Open ports, really, that's so old school
● Publicly accessible console (such as the Grails console)
--------------------------------------------------------------------------------
Quick Question: What all ports do you block and why? What else do you care to block?
• 22. 3. Infrastructural weaknesses:
● Publicly accessible Jenkins (or any other CI tool)
• 23. 3. Infrastructural weaknesses: b. Credentials are the jackpot…
● How complex is the credential, i.e. the password, private key etc.?
  ○ What about the password policy for administrators?
  ○ How do you create the admin accounts? And how many does your application have?
● Where are the credentials stored? i.e. a Dropbox folder, Confluence etc.
  ○ Searching GitHub for access keys and code
● Let’s guess some passwords..
  ○ Ummm…..
● How can one access key make you lose all the money?
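The defender's side of "searching GitHub for access keys": scan your own files before they are committed or shared. This is an added example, not code from the deck: a minimal pre-commit style scanner over constructed file contents. The patterns cover public, well-known formats (the AWS access key id prefix, a PEM private key header, a password literal assigned in code); the sample key is the one AWS uses in its documentation, and every other value is constructed.

```python
"""Catch credentials before they reach a repository or a shared folder.

Added example, not the deck's code. Sample files are constructed.
"""
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # a password/passwd/pwd assigned a quoted literal of 4+ chars
    "password_literal": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*["'][^"']{4,}["']"""
    ),
}


def scan_text(path: str, text: str) -> list:
    """Return (path, line number, pattern name) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: dict) -> list:
    """files: path -> content. Sorted by path so a commit hook's output is stable."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def commit_allowed(files: dict) -> bool:
    """What a pre-commit hook would return: block when anything was found."""
    return not scan_files(files)


SAMPLE_FILES = {   # constructed
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
    ),
    "deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",
    "app.py": 'password = os.environ["DB_PASSWORD"]   # read at runtime: fine\n',
}


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("%s:%d: %s" % hit)
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

The app.py line shows the pattern the scanner is meant to leave alone: the secret is read from the environment at runtime, which is where it belongs once it has moved out of the repository and the shared folder.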
• 24. 3. Infrastructural weaknesses: c. Insecure implementations:
● Directory listing: logs, backup files, older versions of the application
• 25. 3. Infrastructural weaknesses: c. Insecure implementations:
● Directory listing vulnerability in IBM InfoSphere Data Replication Dashboard (CVE-2012-4861)
• 26. 3. Infrastructural weaknesses: c. Insecure implementations:
● Admin portals: brute forcing
The admin portal should only be accessible from certain IP addresses (say, only from the organization). A publicly accessible admin portal poses a serious threat to the complete infrastructure and all the applications associated with it. Admin portals may be open to brute force attack, as they might not have any mechanism to restrict the number of unsuccessful login attempts.
“There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.”
Source: www.mnxsolutions.com
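The two controls the slide asks for, in code. This is an added example, not code from the deck: an IP allowlist gate for the admin portal, and a per-source failed-login counter that refuses further attempts once a limit is hit inside a time window, replayed over a constructed auth log. The office network range, the limit, the window and the log lines are all constructed.

```python
"""Restricting and throttling logins to an admin portal.

Added example, not the deck's code. Network range, thresholds and log
lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed office range
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)


def admin_portal_allowed(client_ip: str) -> bool:
    """First gate: the admin portal answers only to the organisation's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ADMIN_ALLOWED_NETS)


class LoginThrottle:
    """Second gate: remember recent failures per source and refuse further
    attempts once MAX_FAILURES happened inside WINDOW."""

    def __init__(self):
        self._failures = defaultdict(deque)     # ip -> timestamps of failures

    def _prune(self, ip: str, now: datetime) -> None:
        q = self._failures[ip]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_locked(self, ip: str, now: datetime) -> bool:
        self._prune(ip, now)
        return len(self._failures[ip]) >= MAX_FAILURES

    def record_failure(self, ip: str, now: datetime) -> None:
        self._prune(ip, now)
        self._failures[ip].append(now)

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


# Constructed auth log: "<date> <time> <ip> login <failed|ok> user=<name>"
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) login (failed|ok) user=(\S+)$")
SAMPLE_LOG = "\n".join(
    ["2015-11-02 10:00:0%d 203.0.113.7 login failed user=admin" % i for i in range(1, 8)]
    + ["2015-11-02 10:00:10 10.20.4.9 login ok user=ops"]
)


def replay(log: str) -> dict:
    """Feed the log through the throttle; report which attempts would have been
    refused before the password was even checked, and which sources remain
    locked at the end of the log."""
    throttle = LoginThrottle()
    refused, seen, last_ts = [], [], None
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, result = m.group(2), m.group(3)
        if ip not in seen:
            seen.append(ip)
        last_ts = ts
        if throttle.is_locked(ip, ts):
            refused.append((m.group(1), ip))
            continue
        if result == "failed":
            throttle.record_failure(ip, ts)
        else:
            throttle.record_success(ip)
    locked = [ip for ip in seen if throttle.is_locked(ip, last_ts)]
    return {"refused": refused, "locked": locked}


if __name__ == "__main__":
    print(admin_portal_allowed("10.20.4.9"), admin_portal_allowed("203.0.113.7"))
    print(replay(SAMPLE_LOG))
```

Keying the counter on the source address is the simplest version; the WordPress quote above shows its limit, since a botnet spreads attempts over many addresses, so a real deployment also counts failures per account and alerts on the aggregate failure rate.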
• 27. 3. Infrastructural weaknesses: c. Insecure implementations:
● Unprotected/vulnerable sub-domains
Domains such as cms.domain.com or cpanel.domain.com
A Salesforce subdomain “admin.salesforce.com” used for blogging was affected by a reflected cross-site scripting (XSS) vulnerability that could have been exploited by attackers to distribute malware and carry out phishing attacks.
http://www.scmagazine.com/xxs-vulnerability-in-salesforce-subdomain-could-have-been-used-for-malware-distribution/article/432654/
--------------------------------------------------------------------------------
Quick Question: How do you make sure that no one (outside your team/company) knows about a sub-domain “console.mydomain.com”? Google search?
• 28. 3. Infrastructural weaknesses: c. Insecure implementations:
● Missing headers
  ○ CORS
  ○ X-Frame-Options
  ○ X-XSS-Protection
  ○ Strict-Transport-Security
  ○ Content-Security-Policy
  ○ Origin header
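A check for the headers listed above, run against two constructed responses. This is an added example, not code from the deck: besides presence it flags the values that make a header pointless (an HSTS max-age shorter than six months, an X-Frame-Options value other than DENY or SAMEORIGIN, a wildcard CORS origin combined with credentials), and cors_allow_origin() shows the allowlist alternative to echoing the request's Origin header back. The minimum max-age and the allowed origin are assumptions for the example.

```python
"""Audit a response for the security headers named on the slide.

Added example, not the deck's code. Thresholds, allowed origins and the
sample responses are constructed.
"""
import re

MIN_HSTS_MAX_AGE = 15552000                 # 180 days in seconds (assumed policy)
ALLOWED_ORIGINS = {"https://app.example"}   # constructed allowlist
_MAX_AGE = re.compile(r"max-age=(\d+)", re.IGNORECASE)


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the response passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} does not prevent framing")

    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = _MAX_AGE.search(hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too short: {hsts!r}")

    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append("CORS: wildcard origin combined with credentials")
    return findings


def cors_allow_origin(request_origin: str):
    """Value to send in Access-Control-Allow-Origin: the request's Origin only
    when it is on the allowlist, otherwise None (omit the header). Echoing
    Origin unconditionally would grant every site credentialed access."""
    return request_origin if request_origin in ALLOWED_ORIGINS else None


WEAK = {            # constructed response
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=60",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {        # constructed response
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


if __name__ == "__main__":
    for finding in audit_headers(WEAK):
        print("weak:", finding)
    print("hardened:", audit_headers(HARDENED))
```

One caveat on the list itself: X-XSS-Protection is checked here because the slide names it, but current browsers have dropped the filter it controlled, so Content-Security-Policy is the header that actually carries that protection today.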
• 29. 3. Infrastructural weaknesses: c. Insecure implementations: Vulnerabilities in SSH
Vulnerability: CVE-2015-5600
We have servers that use OpenSSH for authentication. Such servers can be exploited to carry out a brute force attack on the OpenSSH protocol, making repeated login attempts with random passwords.
Preventing Brute Force attacks due to OpenSSH Vulnerability (MaxAuthTries bypass)
http://www.tothenew.com/blog/preventing-brute-force-attacks-due-to-openssh-vulnerability-maxauthtries-bypass/
• 30. 3. Infrastructural weaknesses:
● An auth bypass web vulnerability has been discovered in the official WebComIndia Content Management System 2015Q4. The vulnerability allows remote attackers to bypass the login mechanism of the web application to compromise the service.
For more details, visit: http://www.securityfocus.com/archive/1/5366484
• 31. “Judge a man by his questions rather than by his answers.” ― Voltaire