
Breaching a Web Application - Common Issues and Mitigating Steps

It seems like every day another company's logo is plastered across the media because it has lost thousands, if not millions, of customer records. This kind of data loss damages a company's reputation, and its customers have little control over their private information. Attackers often want this data for financial gain or to embarrass the company. There are several methods a malicious attacker will use to gain access to this data. Injection-based attacks leverage an application's lack of input validation to extract information and allow unauthorized data access. In addition, the platform on which the application resides can be leveraged to gain unauthorized admin access and, ultimately, data access. Both scenarios will be discussed and demonstrated in this talk. Finally, mitigating steps will be discussed at every level of the attack. The approach will be a defense-in-depth model that proactively protects a web application. While there is no silver bullet against a determined attacker, these mitigations will make their lives more difficult.



  1. Breaching a Web Application: Common Issues and Mitigating Steps
  2. Hello! My name is Jason Frank. Director of Veris Group’s Adaptive Threat Division; Trainer for Black Hat. You can find me at @jasonjfrank
  3. Agenda ◉ An Attacker’s View ◉ Injection Attacks 101 ◉ Misconfigurations ◉ Remediation and Mitigations
  4. An Attacker’s View (section 1)
  5. Testing Process: Pre-Assessment Activities → Discovery → Exploitation → Post Exploitation → Post-Assessment Activities
  6. [image: n-tier architecture diagram, http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png]
  8. [image: the same n-tier architecture diagram, annotated with the network zones Internet / DMZ / Protected Enclave]
  9. [image: sample insurance web application, https://www.w3.org/2005/03/Demos/insurance.png]
  11. ◉ Provides free documentation on offensive and defensive application measures ◉ Curated “OWASP Top Ten” Vulnerabilities ◉ OWASP Web Testing Guide ◉ Contains material for: Web Applications, Mobile, Software Development Tools
  12. [image: OWASP Web Testing Guide cover, https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png]
  14. Injection Attacks 101 (section 2)
  15. Injection Attacks ◉ Occurs when unintended data is sent to an application ◉ Proper input validation / server-side validation is not being performed ◉ A dynamically built query can be altered to execute arbitrary calls or requests ◉ Common Types of Injection: SQL, XML, OS Command
  16. [image: SQL injection illustration, https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg]
  17. [diagram] Users / Posts / Comments / Themes → Wordpress Server → database as the WPDB User → WP Table
  18. [diagram] Users / Posts / Comments / Themes → Wordpress Server → database as DBA → WP Table, plus the HR App tables: Names, SSNs, Salaries, Addresses
  19. “Quotations are commonly printed as a means of inspiration and to invoke philosophical thoughts from the reader.”
  20. SQL Injection Tools ◉ Burp Suite Pro Scanner (identification) ◉ SQLMap ◉ SQLNinja
  21. Misconfigurations (section 3)
  22. Misconfigurations ◉ Serve as a catch-all for many facets of the implementation ◉ Can occur at all levels of the technology stack ◉ Identify both technical and procedural weaknesses
  23. Layers of the stack: Operating System / Web Servers / Applications / Add-ons
  24. [reference] Leveraging Adobe LiveCycle, http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/
  27. [diagram] Internet → DMZ → Protected Enclave → Internal Systems
  33. Tools ◉ Nikto ◉ Web Scanners: Acunetix, NTOSpider, Burp Suite Pro ◉ Vulnerability Scanners: Nessus, NeXpose
  34. Remediation and Mitigation (section 4)
  35. OWASP SAMM ◉ Software Assurance Maturity Model ◉ Integrating Assessment and Review Activities throughout your SDLC ◉ Based on your organization’s security drivers ◉ https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
  36. A Note About Testing Types. Static Reviews: source code reviews that are incorporated throughout the development cycle. Dynamic Testing: assessment of the final solution in an operational context.
  37. SQL Injection Prevention ◉ OWASP has language-specific recommendations ◉ Parameterized Queries ◉ Input Validation – White Listing ◉ Escaping User Input ◉ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
  38. Misconfiguration Prevention ◉ Review all technologies in the stack ◉ Implement available hardening guides ◉ Have your solution dynamically tested periodically
  39. Any questions? You can find me at ◉ @jasonjfrank ◉ Slides posted at: http://www.slideshare.net/jasonjfrank Thanks!
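The injection mechanism of slide 15 (a dynamically built query altered by unintended input) and the first two defenses of slide 37 (parameterized queries and white-list input validation), as an added example that is not part of the talk. It uses an in-memory SQLite table with constructed sample rows; the function names and the username allow-list pattern are assumptions for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the talk): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Dynamically built query: the user-supplied value becomes part of the SQL text,
    so it can rewrite the WHERE clause instead of being compared as a value."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Prepared statement (OWASP defense option 1): the value is bound as data
    and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed allow-list for this app: 1-32 characters from a fixed safe set.
USERNAME_PATTERN = r"[A-Za-z0-9_]{1,32}"


def validate_username(username):
    """White-list input validation: accept only what a username may look like."""
    return re.fullmatch(USERNAME_PATTERN, username) is not None


def lookup_defended(conn, username):
    """Defense in depth: reject out-of-policy input first, then bind the value."""
    if not validate_username(username):
        raise ValueError("username rejected by allow-list validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    unexpected = "' OR '1'='1"          # unintended data sent to the application
    print(lookup_vulnerable(db, unexpected))     # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, unexpected))  # []: no user is literally named that
```

The same input returns both rows from the string-built query and none from the bound query, which is the difference slide 37 is asking developers to rely on.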