Testing the OWASP Top 10

Author: Caren Hicks
Agenda
• Introductions
• Introduction to OWASP Top 10 2013
• Resources to help you
• Quick review/intro to HTTP Proxies
• Tools You Can Use
• Q&A

confidential - securitycompass.com

Who Am I?
• Senior Security Consultant @ Security Compass
• Application Pen Tester for ~7 years
• Previously spent time as a dev, security researcher, and technical writer
• Email me at Opheliar at securitycompass.com


About Security Compass
We guide your team in building a customized security blueprint based on your industry, software development lifecycle, and business needs to cost-effectively mitigate risks.

• How I 'stole' $14 million from a bank
• Failing to test your DDoS Defenses can backfire
• Video: Adobe uses SD Elements in the SPLC
• Security Compass named as a Gartner Cool Vendor in Application and Endpoint Security 2014 (bit.ly/securitycompass)
• 'Quantum Dawn 2' Is a Cyber-Attack Bank Drill
• How Banking Trojans empty your bank accounts

OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10


OWASP Top 10 List
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Injection
• Problem: Application sends untrusted data directly to an interpreter (SQL, command line, script engine, parser, etc.)
  – Addendum: Interpreters are terrible at knowing what is an instruction and what is data, so putting user-supplied data directly into instructions is bad.
• Types: SQL, LDAP, OS, XML, etc.
• Implications: attacker can send instructions to the interpreter and access/do anything the interpreter can do

SQL Injection Example

```java
// Vulnerable as presented on the slide: the customerName parameter is concatenated
// straight into the query text, so the database cannot tell name from instruction.
String query = "SELECT account_balance FROM user_data WHERE user_name = '"
        + request.getParameter("customerName") + "'";
try {
    Statement statement = connection.createStatement( … );
    ResultSet results = statement.executeQuery( query );
} catch (SQLException e) {
    // error handling omitted on the slide
}
```

Get me the account balance for the user with name SecurityCompass:
http://www.examplesite.com/accountView?name=SecurityCompass

http://xkcd.com/327/ by Randall Munroe

OS Injection Example

Get the file specified by the email parameter (bob.msg) and delete it:
http://www.examplesite.com/deleteMessage.php?email=bob.msg

LDAP Injection Example

```java
// Vulnerable as presented on the slide: the friend parameter is concatenated
// straight into the LDAP search filter.
String friend = request.getParameter("friend");
String ldapSearchQuery = "(cn=" + friend + ")";
```

Search for the directory entry with name Security Compass:
http://www.examplesite.com/app/friendLookup.aspx?friend=SecurityCompass
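The slide's account-balance lookup carried through in Python, as an added example that is not part of the deck: the concatenated query beside a parameterized one, plus an escaper for the LDAP filter example above. The in-memory table and the names in it are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the slide's user_data table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                 [("SecurityCompass", 100), ("alice", 250), ("bob", 75)])


def balance_concat(name: str) -> list:
    """Mirrors the Java snippet: the parameter becomes part of the SQL instruction text,
    so a quote in the name is parsed as SQL syntax rather than as part of the name."""
    query = "SELECT account_balance FROM user_data WHERE user_name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def balance_param(name: str) -> list:
    """Fixed form: the value is bound separately, so the interpreter only ever sees it as data."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def ldap_escape(value: str) -> str:
    """Escape the RFC 4515 filter metacharacters so '(cn=' + value + ')' cannot change shape."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def ldap_filter(friend: str) -> str:
    """Safe counterpart of the slide's ldapSearchQuery."""
    return "(cn=" + ldap_escape(friend) + ")"
```

A name such as O'Brien is enough to show the difference: the concatenated version raises a SQL syntax error because the apostrophe is read as syntax, while the bound version simply returns no rows.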

Broken Authentication & Session Management
• Authentication: verifying the person is who they say they are
  – Types: What you know, what you have, what you are
• Implications: attackers can impersonate users and access user accounts

Broken Authentication & Session Management
• Authentication: verifying the person is who they say they are
• Types and their problems:
  – What You Know: can be guessed, eavesdropped, or found
  – What You Have: can be lost or stolen
  – What You Are: expensive, hard to replace, false positives/negatives
• Implications: attackers can impersonate users and access user accounts

Broken Authentication & Session Management
• Session: a series of web application transactions associated with the same user
  – Usually tracked via a token that represents the user (e.g. cookies)
• Problems: stored/transmitted insecurely, easily guessed, easily stolen, valid for too long
• Implications: attackers can steal or fake session information to impersonate users and access user accounts

Session Cookie vs. E-Ticket

This is how cookies are normally sent: as a header in an HTTP request. Can you see why it might be easy to replicate the information? People talk about session ID length and randomness a lot, because long, random sequences are hard to guess.
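An added example (not from the deck) that audits a Set-Cookie value for the problems listed above and issues one that avoids them. The cookie value is taken from the slide's request; the entropy threshold and the session lifetime limit are assumptions.

```python
import math
import secrets
from collections import Counter

# Constructed from the slide's request: a value that looks like a date/counter rather than random data.
SLIDE_COOKIE = "sessionID=2015224202; Path=/"


def token_entropy_bits(value: str) -> float:
    """Rough guessability estimate: Shannon entropy per character times length."""
    n = len(value)
    if n == 0:
        return 0.0
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit_set_cookie(header: str, max_age_limit: int = 8 * 3600) -> list:
    """Return findings for one Set-Cookie value, covering the problems listed on the slide."""
    parts = [p.strip() for p in header.split(";")]
    _, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    findings = []
    bits = token_entropy_bits(value)
    if bits < 64:
        findings.append(f"easily guessed: ~{bits:.0f} bits of entropy, want at least 64")
    if "secure" not in attrs:
        findings.append("transmitted insecurely: missing Secure flag")
    if "httponly" not in attrs:
        findings.append("easily stolen: missing HttpOnly flag (readable by script)")
    if "samesite" not in attrs:
        findings.append("missing SameSite attribute (cookie sent on cross-site requests)")
    if attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > max_age_limit:
        findings.append("valid for too long: Max-Age exceeds limit")
    return findings


def make_session_cookie(name: str = "sessionID", max_age: int = 3600) -> str:
    """Build a Set-Cookie value with a 256-bit random token and the protective attributes set."""
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={max_age}"
```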

Cross-Site Scripting
• Problem: Application uses, stores, and/or displays untrusted data directly on a web page
  – Addendum: browsers are terrible at knowing what is an instruction and what is data
• Types: Reflected, Stored, Document Object Model
• Implication: attackers can get the browser to do anything the browser is capable of doing, and access/steal anything the browser currently has, including user/web site info.

Hello HTML
A page whose rendered text is: Hello World! Text and other fun things here!

Hello HTML + Script
The same page with script blocks added, each running an alert: alert("what's this?") and alert("what's this take 2?")

The Gaping Hole in Secure JavaScript @ Comicjk.com
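The "Hello HTML" page above rendered from an untrusted name, as an added example that is not part of the deck: concatenation (the bug) beside output encoding for the HTML body and for a script block. The input string is constructed from the slide's own alert.

```python
import html
import json

# Constructed input mirroring the slide's "Hello HTML + Script" page: the alert arrives as data.
UNTRUSTED_NAME = '<script>alert("what\'s this?")</script>'


def render_concat(name: str) -> str:
    """Vulnerable: the name is pasted into the markup, so the browser runs it as instructions."""
    return "<h1>Hello " + name + "!</h1><p>Text and other fun things here!</p>"


def render_escaped(name: str) -> str:
    """Fixed for an HTML body or attribute context: metacharacters become entities."""
    safe = html.escape(name, quote=True)
    return "<h1>Hello " + safe + "!</h1><p>Text and other fun things here!</p>"


def script_literal(name: str) -> str:
    """Fixed for a <script> context: JSON-encode, and break '</' so the block cannot be closed early."""
    return json.dumps(name).replace("</", "<\\/")


def render_with_script(name: str) -> str:
    """Page that hands the name to script as data; the browser only ever sees it as a string."""
    return render_escaped(name) + "<script>var greeting = " + script_literal(name) + ";</script>"
```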

Insecure Direct Object References
• Problem:
  a) Application uses the actual name or reference number to refer to/track/retrieve data
  b) At some point, this reference is user-controlled
  c) Application assumes that if the user knows the correct reference or name, they are authorized to view the corresponding information
• Types: parameter manipulation, file and directory traversal
• Implications: attackers can specify the reference, and access data they don't own

Parameter Reference

```http
GET /updateprofile?newName= HTTP/1.1
Host: ec2-54-87-45-109.compute-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ec2-54-87-45-109.compute-1.amazonaws.com/profile
Cookie: sessionID=2015224202
Authorization: Basic dXNlcjozU0VPTTJGSEMzMkc=
Connection: keep-alive
```

Parameter Reference

```http
POST /moneytransfer HTTP/1.1
Host: ec2-54-87-45-109.compute-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ec2-54-87-45-109.compute-1.amazonaws.com/transfer
Cookie: sessionID=2015224202
Authorization: Basic dXNlcjozU0VPTTJGSEMzMkc=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

from=111111111&to=222222222&amount=1&imageField.x=43&imageField.y=24
```
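Server-side handling of the /moneytransfer request above, as an added example that is not part of the deck: the insecure handler trusts the supplied account numbers, the checked one verifies ownership, and an indirect-reference map removes the real numbers from the client entirely. The account ownership table and the user behind the slide's cookie are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed data: which user owns which account number, and whose session the slide's cookie is.
ACCOUNT_OWNERS = {"111111111": "alice", "222222222": "bob", "333333333": "alice"}
SESSIONS = {"2015224202": "bob"}


class Forbidden(Exception):
    pass


def parse_transfer(body: str) -> dict:
    """Pull from/to/amount out of the form body; extra fields such as imageField.x are ignored."""
    fields = parse_qs(body, strict_parsing=True)
    return {k: fields[k][0] for k in ("from", "to", "amount")}


def transfer_insecure(session_id: str, body: str) -> dict:
    """Vulnerable: a valid session plus a known account number is treated as authorization."""
    if session_id not in SESSIONS:
        raise Forbidden("no session")
    req = parse_transfer(body)
    return {"debited": req["from"], "credited": req["to"], "amount": int(req["amount"])}


def transfer_checked(session_id: str, body: str) -> dict:
    """Fixed: the debited account must belong to the user behind the session."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("no session")
    req = parse_transfer(body)
    if ACCOUNT_OWNERS.get(req["from"]) != user:
        raise Forbidden(user + " does not own account " + req["from"])
    return {"debited": req["from"], "credited": req["to"], "amount": int(req["amount"])}


def resolve_indirect(user: str, index: int) -> str:
    """Indirect reference: the client names its accounts by a per-user index, never by real number."""
    owned = sorted(acct for acct, owner in ACCOUNT_OWNERS.items() if owner == user)
    return owned[index]
```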

Security Misconfiguration
• Problem: settings are insecure on the platform, web server, application server, database, framework, and/or code level. Unnecessary features are included.
• Examples: default passwords, unsafe services enabled (like TELNET), sample code available on the production environment, unprotected management consoles, SSL misconfigurations, etc.
• Implications: attacker can gain access to information, services, and hosts they would not be allowed to were configurations set securely. In the most severe case, all data and the host itself are compromised.

Sensitive Data Exposure
• Problem: sensitive data is insecurely stored/transmitted, exposed in error messages or HTTP responses, or is included in application pages unnecessarily
• Types: sensitive user data, sensitive environment data, application business logic exposure
  – In errors, in comments, unnecessary data exposure, in URLs, etc.
• Implications: attackers get sensitive user information; exposed data helps tailor attacks and make them more effective.

Sensitive system information exposed (screenshot)

Sensitive user data exposed (screenshot)

Sensitive user data like credentials in comments (screenshot)

Missing Function Level Access Control
• Problem: Application restricts what the user sees, assuming that will restrict what the user can access
  – Addendum: Often, privileged functions are named predictably, are in predictable locations, or are not directly shown, but can be found.
• Implications: If I know how to ask, I can do anything
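An added example (not from the deck) of a small dispatcher that checks the caller's role for every function on the server, so hiding a link is no longer the only thing standing between a user and a predictably named admin URL. The users, roles and paths are constructed.

```python
# Constructed users and their roles.
USERS = {"alice": {"user"}, "root": {"user", "admin"}}


class Forbidden(Exception):
    pass


ROUTES = {}


def route(path, roles):
    """Register a handler together with the roles allowed to invoke it."""
    def decorator(fn):
        ROUTES[path] = (fn, set(roles))
        return fn
    return decorator


@route("/profile", roles={"user"})
def profile(user):
    return "profile of " + user


@route("/admin/deleteUser", roles={"admin"})
def delete_user(user):
    return "user deleted by " + user


def dispatch(user, path):
    """Authorization happens here, for every request, not in the menu-rendering code."""
    if path not in ROUTES:
        raise KeyError(path)
    handler, allowed = ROUTES[path]
    if not (USERS.get(user, set()) & allowed):
        raise Forbidden(user + " may not call " + path)
    return handler(user)


def visible_menu(user):
    """What the UI shows: a convenience derived from the same rules, never the access control itself."""
    return sorted(p for p, (_, allowed) in ROUTES.items() if USERS.get(user, set()) & allowed)
```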

Cross-Site Request Forgery
• Problem:
  a) Application treats any request with a valid cookie attached as legitimate
  b) If you're logged into a site, the browser will automatically send your cookies along with any request to the site.
• Implications: An attacker can get your browser to do something on a site without you knowing about it, and the server will assume it's what you wanted

A URL that does something…
http://hackmebankURL/updateprofile?newName=Bob Smith

Same URL that does something…
http://hackmebankURL/%75%70%64%61%74%65%70%72%6f%66%69%6c%65%3f%6e%65%77%4e%61%6d%65%3d%42%6f%62%20%53%6d%69%74%68
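An added example (not from the deck) that percent-decodes the slide's second link to show it carries the same request as the first, and the synchronizer-token check under which such a request fails unless it carries a token tied to the session. The session store is constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, unquote, urlsplit

# The slide's encoded link, split over two literals only for line length.
ENCODED = ("http://hackmebankURL/%75%70%64%61%74%65%70%72%6f%66%69%6c%65"
           "%3f%6e%65%77%4e%61%6d%65%3d%42%6f%62%20%53%6d%69%74%68")


def decoded_request(url: str) -> tuple:
    """Return (path, query dict) after percent-decoding, i.e. the request the link stands for."""
    parts = urlsplit(unquote(url))
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


# Constructed session store: one CSRF token per session, issued when the form page is rendered.
SESSION_TOKENS = {}


def issue_token(session_id: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def update_profile(session_id: str, form: dict) -> str:
    """Reject any state change that does not carry the token tied to this session.
    A cookie alone is not enough, because the browser attaches cookies to every request."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("missing or invalid CSRF token")
    return "name set to " + form["newName"]
```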

Using Components with Known Vulnerabilities
• Problem:
  a) Many software vulnerabilities are published along with details and version numbers to let people know how/when to patch
  b) Many web sites use components that are not fully patched
• Implications: attackers can find out what software is running on the application, and possibly what versions, and go looking for published vulnerabilities that affect you.

Unvalidated Redirects and Forwards
• Problem: application redirects users based on information a user can potentially control (e.g. information in a URL parameter, form field, or cookie)
• Types: external redirect, internal redirect, full URL, relative URLs
• Implications: an attacker can redirect users to arbitrary locations. Does not necessarily affect the application itself, but exploits the trust the user has in the application, and makes it easier for attackers to impersonate your site.

A URL that forwards…
http://www.examplesite.com/forward?url=/contact

HTML that forwards…

HTTP forwards…

```http
HTTP/1.1 302 FOUND
Server: nginx/0.7.65
Date: Tue, 24 Feb 2015 21:29:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 223
Location: http://example.server.com/location/file
```
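An added example (not from the deck) that validates a redirect target such as the slide's forward?url=/contact before the 302 is issued: plain relative paths and full URLs to an allowlisted host pass, everything else falls back to the site root. The allowlisted host is an assumption.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.examplesite.com"}  # constructed allowlist of redirect destinations


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an absolute http(s) URL to an allowlisted host."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False  # empty, or CR/LF/NUL that could smuggle extra headers
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return True  # internal redirect: a plain relative path, not a protocol-relative URL
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects other schemes, protocol-relative "//host" forms and bare words
    # hostname is parsed after any "user@" prefix, so "allowed.host@evil" resolves to evil
    return parts.hostname is not None and parts.hostname.lower() in allowed_hosts


def redirect_response(target: str, fallback: str = "/") -> str:
    """Status line and Location header for the forward, falling back to the root when unsafe."""
    location = target if is_safe_redirect(target) else fallback
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n"
```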

Resources

OWASP Resources
• OWASP Application Security Verification Standard
  – For when you don't know what tests should be done
  – https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
• OWASP Testing Guide (up to v4 currently)
  – For instructions on HOW to do tests, and where to find additional tools
  – https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf

Resources
• OWASP Web Testing Environment
  – For a quick deploy of a web application testing environment
  – https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
• Kali Linux: Pen Testing Environment
  – For a quick deploy of penetration testing tools, including application testing resources
  – https://www.kali.org

General Purpose Tools
• Google Fuzz DB
  – https://code.google.com/p/fuzzdb/
  – Database of common crafted inputs that can be used to detect security vulnerabilities

HTTP Proxy Demo

• BurpSuite
  – Getting Started: http://portswigger.net/burp/help/suite_gettingstarted.html
  – Download Free Edition: http://portswigger.net/burp/downloadfree.html
• OWASP ZAP
  – Getting Started: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  – Download: https://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Tools You Can Use

SQL Injection Tools
• SQL Map
  – http://sqlmap.org/
  – http://pentestlab.org/sqlmap-101-automatic-sql-injection-pentest-tutorial/
• Security Compass Exploit-Me suite, SQL Inject-Me
  – http://labs.securitycompass.com/exploit-me/

XSS Tools
• Chrome plugin XSS-Rays
  – https://chrome.google.com/webstore/detail/xss-rays/kkopfbcgaebdaklghbnfmjeeonmabidj
• Security Compass Exploit-Me suite, XSS-Me
  – http://labs.securitycompass.com/exploit-me/

Function Level Access Control Tools
• Security Compass Exploit-Me suite, Access-Me
  – http://labs.securitycompass.com/exploit-me/

Questions?

Thank You!
Opheliar Chan
Senior Security Consultant
Opheliar at securitycompass.com

In the news
• eBay account hijacking with Cross-Site Request Forgery (2013)
  – http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
• Twitter vulnerable to Cross-Site Scripting that allows attackers to post on a user's behalf
  – http://archive.news.softpedia.com/news/New-Dangerous-Twitter-XSS-Vulnerability-Identified-155257.shtml
• Archive of SQL injection news @ http://news.softpedia.com/newsTag/SQL+injection
  – Targets: government websites, travel sites, banks, game companies, etc.

Web application attack report, first quarter 2013:
https://www.firehost.com/company/newsroom/web-application-attack-report-first-quarter-2013#