Testing the OWASP Top 10
Agenda
• Introductions
• Introduction to OWASP Top 10 2013
• Resources to help you
• Quick review/intro to HTTP Proxies
• Tools You Can Use
• Q&A
confidential - securitycompass.com
Who Am I?
• Senior Security Consultant @ Security Compass
• Application Pen Tester for ~7 years
• Previously spent time as a dev, security researcher, and technical writer
• Email me at Opheliar at securitycompass.com
About Security Compass
We guide your team in building a customized security blueprint based on your industry, software development lifecycle, and business needs to cost-effectively mitigate risks.
How I 'stole' $14 million from a bank
Failing to test your DDoS Defenses can backfire
Video: Adobe uses SD Elements in the SPLC
Security Compass named as a Gartner Cool Vendor in Application and Endpoint Security 2014 bit.ly/securitycompass
'Quantum Dawn 2' Is a Cyber-Attack Bank Drill
How Banking Trojans empty your bank accounts
OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 List
• Injection
• Broken authentication and session management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
Injection
• Problem: Application sends untrusted data directly to an interpreter (SQL, command line, script engine, parser, etc.)
  – Addendum: Interpreters are terrible at knowing what is an instruction and what is data, so putting user-supplied data directly into instructions is bad.
  – Types: SQL, LDAP, OS, XML, etc.
• Implications: attacker can send instructions to the interpreter and access/do anything the interpreter can do
SQL Injection Example
    String query = "SELECT account_balance FROM user_data WHERE user_name = '"
        + request.getParameter("customerName") + "'";
    try {
        Statement statement = connection.createStatement( … );
        ResultSet results = statement.executeQuery( query );
    } catch (SQLException e) {
        // handle the error
    }
Get me the account balance for the user with name SecurityCompass:
http://www.examplesite.com/accountView?name=SecurityCompass
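Added example (not from the slides), in Python rather than the slide's Java, showing the concatenated query beside its parameterised replacement against a constructed in-memory copy of the user_data table:

```python
import sqlite3

# Constructed in-memory stand-in for the slide's user_data table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [("SecurityCompass", 100), ("alice", 250), ("bob", 75)])
    return conn

def balance_vulnerable(conn, customer_name: str) -> list:
    # Same shape as the slide's Java: the parameter is concatenated into the SQL text,
    # so the interpreter cannot tell where the name ends and an instruction begins.
    query = ("SELECT account_balance FROM user_data WHERE user_name = '"
             + customer_name + "'")
    return [row[0] for row in conn.execute(query)]

def balance_safe(conn, customer_name: str) -> list:
    # Parameterised query (the PreparedStatement approach in Java): the value is bound
    # separately from the SQL text, so it is only ever treated as data.
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]

if __name__ == "__main__":
    db = make_db()
    print(balance_vulnerable(db, "SecurityCompass"))   # [100]
    # A name containing a quote changes the query's meaning in the vulnerable version...
    print(balance_vulnerable(db, "x' OR '1'='1"))       # [100, 250, 75]
    # ...but is just an unknown user name in the parameterised one.
    print(balance_safe(db, "x' OR '1'='1"))             # []
```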
http://xkcd.com/327/ by Randall Munroe
OS Injection Example
Get the file specified by the email parameter (bob.msg) and delete it.
http://www.examplesite.com/deleteMessage.php?email=bob.msg
LDAP Injection Example
    String ldapSearchQuery = "(cn=" + friend + ")";
Search for the directory entry with name SecurityCompass.
http://www.examplesite.com/app/friendLookup.aspx?friend=SecurityCompass
Broken Authentication & Session Management
• Authentication: verifying the person is who they say they are
  – Types: What you know, what you have, what you are
• Implications: attackers can impersonate users and access user accounts
www.networkworld.com
Urbantabloid.com
Broken Authentication & Session Management
• Authentication: verifying the person is who they say they are
  Type            Problems
  What You Know   Guessed, eavesdropping, can be found
  What You Have   Can be lost or stolen
  What You Are    Expensive, hard to replace, false positives/negatives
• Implications: attackers can impersonate users and access user accounts
Broken Authentication & Session Management
• Session: a series of web application transactions associated with the same user
  – Usually tracked via a token that represents the user (e.g. cookies)
  – Problems: stored/transmitted insecurely, easily guessed, easily stolen, valid for too long
• Implications: attackers can steal or fake session information to impersonate users and access user accounts
Found on catholicnewslive.com
Session Cookie
E-Ticket
This is how cookies are normally sent: in the headers of an HTTP request. Can you see why it might be easy to replicate the information? People talk about session ID length and randomness a lot, because long, random sequences are hard to guess.
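Added example (not from the slides): a few checks a tester can run on session IDs captured from successive logins, using constructed IDs shaped like the sessionID=2015224202 cookie in the later request slides, beside the way such an ID should be generated. The 64-bit threshold follows the OWASP guidance on session ID entropy.

```python
import math
import secrets

def predictability_report(session_ids: list) -> dict:
    """Quick checks on session IDs captured from successive logins
    (a lightweight cousin of a proxy's sequencer feature)."""
    if not session_ids:
        raise ValueError("need at least one session ID")
    alphabet = set("".join(session_ids))
    numeric_only = all(s.isdigit() for s in session_ids)
    # Upper bound on the entropy an ID of this length can carry with this alphabet.
    max_bits = len(session_ids[0]) * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    # Successive IDs that only ever increase are sequence/clock based, not random.
    monotonic = numeric_only and all(
        int(a) < int(b) for a, b in zip(session_ids, session_ids[1:]))
    return {
        "numeric_only": numeric_only,
        "monotonic": monotonic,
        "max_bits": round(max_bits, 1),
        "weak": monotonic or max_bits < 64,   # 64 bits is the usual minimum target
    }

def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 characters).
    return secrets.token_urlsafe(32)

# Constructed sample: IDs shaped like the slide's sessionID=2015224202, issued minutes apart.
CLOCK_LIKE_IDS = ["2015224202", "2015224203", "2015224211"]

if __name__ == "__main__":
    print(predictability_report(CLOCK_LIKE_IDS))                      # weak: True
    print(predictability_report([new_session_id() for _ in range(3)]))  # weak: False
```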
Cross-Site Scripting
• Problem: Application uses, stores, and/or displays untrusted data directly on a web page
  – Addendum: browsers are terrible at knowing what is an instruction and what is data
  – Types: Reflected, Stored, Document Object Model
• Implication: attackers can get the browser to do anything the browser is capable of doing, and access/steal anything the browser currently has, including user/web site info.
Hello HTML
Hello World! Text and other fun things here!
Hello HTML + Script
Hello World! alert("what's this?")
alert("what's this take 2?")
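Added example (not from the slides), in Python: the "Hello HTML + Script" page rendered with untrusted text dropped in directly and with output encoding, for both the body and an attribute context. The sample input is constructed in the spirit of the slide's script.

```python
import html

def render_greeting_unsafe(untrusted: str) -> str:
    # Untrusted data dropped straight into the page: the browser cannot tell
    # markup the developer wrote from markup the visitor supplied.
    return "<h1>Hello World!</h1><p>" + untrusted + "</p>"

def render_greeting(untrusted: str) -> str:
    # Output encoding for the HTML body context: < > & " ' become entities,
    # so whatever the visitor supplied is displayed as text, never parsed as a tag.
    return "<h1>Hello World!</h1><p>" + html.escape(untrusted, quote=True) + "</p>"

def render_name_field(untrusted: str) -> str:
    # Attribute context: quote=True matters here, otherwise a value containing a
    # double quote could close the attribute and start a new one.
    return '<input name="displayName" value="' + html.escape(untrusted, quote=True) + '">'

def contains_script_tag(page: str) -> bool:
    # Rough check for the demo; a real test loads the page through a browser/proxy.
    return "<script" in page.lower()

# Constructed input in the spirit of the slide's "what's this?" example.
SAMPLE = "Text and other fun things here!<script>alert('what\\'s this?')</script>"

if __name__ == "__main__":
    print(render_greeting_unsafe(SAMPLE))    # script survives intact
    print(render_greeting(SAMPLE))           # &lt;script&gt;...&lt;/script&gt;
    print(render_name_field('Bob "Smith"'))  # value="Bob &quot;Smith&quot;"
```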
The Gaping Hole in Secure JavaScript @ Comicjk.com
Insecure Direct Object References
• Problem:
  a) Application uses the actual name or reference number to refer to/track/retrieve data
  b) At some point, this reference is user-controlled
  c) Application assumes that if the user knows the correct reference or name, they are authorized to view the corresponding information
  – Types: parameter manipulation, file and directory traversal
• Implications: attackers can specify the reference, and access data they don't own
Parameter Reference
GET /updateprofile?newName= HTTP/1.1
Host: ec2-54-87-45-109.compute-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ec2-54-87-45-109.compute-1.amazonaws.com/profile
Cookie: sessionID=2015224202
Authorization: Basic dXNlcjozU0VPTTJGSEMzMkc=
Connection: keep-alive
Parameter Reference
POST /moneytransfer HTTP/1.1
Host: ec2-54-87-45-109.compute-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ec2-54-87-45-109.compute-1.amazonaws.com/transfer
Cookie: sessionID=2015224202
Authorization: Basic dXNlcjozU0VPTTJGSEMzMkc=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

from=111111111&to=222222222&amount=1&imageField.x=43&imageField.y=24
Security Misconfiguration
• Problem: settings are insecure on the platform, web server, application server, database, framework, and/or code level. Unnecessary features are included.
  – Examples: default passwords, unsafe services enabled (like TELNET), sample code available on the production environment, unprotected management consoles, SSL misconfigurations, etc.
• Implications: attacker can gain access to information, services, and hosts they would not be allowed to reach were configurations set securely. In the most severe case, all data and the host itself are compromised.
Sensitive Data Exposure
• Problem: sensitive data is insecurely stored/transmitted, exposed in error messages or HTTP responses, or is included in application pages unnecessarily
  – Types: sensitive user data, sensitive environment data, application business logic exposure
  – In errors, in comments, unnecessary data exposure, in URLs, etc.
• Implications: attackers get sensitive user information; exposed data helps tailor attacks and make them more effective.
Sensitive system information exposed
Sensitive user data exposed
Sensitive user data like credentials in comments
Missing Function Level Access Control
• Problem: Application restricts what the user sees, assuming that will restrict what the user can access
  – Addendum: Often, privileged functions are named predictably, are in predictable locations, or are not directly shown, but can be found.
• Implications: If I know how to ask, I can do anything
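Added example (not from the slides), in Python, serving both the Insecure Direct Object References slide and this one: an ownership check on a direct account reference, an indirect per-user reference map, and a server-side role check on a privileged function that is enforced whether or not the UI ever showed a link to it. The User class, Forbidden error and account records are constructed for the example; the account numbers echo the money-transfer request slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str          # "customer" or "admin"

class Forbidden(Exception):
    pass

# Constructed accounts, numbered like the slide's from=111111111&to=222222222.
ACCOUNTS = {"111111111": {"owner": "alice", "balance": 100},
            "222222222": {"owner": "bob", "balance": 250}}

def view_account(user: User, account_no: str) -> dict:
    """Direct reference, done right: knowing the number is not authorization;
    the record must belong to the caller."""
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != user.name:
        raise Forbidden("not your account")   # same answer for missing and foreign accounts
    return record

def reference_map(user: User) -> dict:
    """Indirect references: the client only ever sees per-user indexes ("1", "2"),
    never the real account numbers, so there is nothing to manipulate."""
    owned = [no for no, rec in ACCOUNTS.items() if rec["owner"] == user.name]
    return {str(i): no for i, no in enumerate(owned, start=1)}

def view_account_by_index(user: User, index: str) -> dict:
    account_no = reference_map(user).get(index)
    if account_no is None:
        raise Forbidden("unknown reference")
    return ACCOUNTS[account_no]

def require_role(role: str):
    """Function-level check enforced on the server for every call, whether or not
    the UI ever showed a link to the function."""
    def wrap(fn):
        def guarded(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(fn.__name__ + " requires role " + role)
            return fn(user, *args, **kwargs)
        return guarded
    return wrap

@require_role("admin")
def admin_delete_account(user: User, account_no: str) -> bool:
    return ACCOUNTS.pop(account_no, None) is not None
```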
Cross-Site Request Forgery
• Problem:
  a) Application treats any request with a valid cookie attached as legitimate
  b) If you're logged into a site, the browser will automatically send your cookies along with any request to the site.
• Implications: An attacker can get your browser to do something on a site without you knowing about it, and the server will assume it's what you wanted
A URL that does something…
http://hackmebankURL/updateprofile?newName=Bob Smith
Same URL that does something…
http://hackmebankURL/%75%70%64%61%74%65%70%72%6f%66%69%6c%65%3f%6e%65%77%4e%61%6d%65%3d%42%6f%62%20%53%6d%69%74%68
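Added example (not from the slides), in Python: the two updateprofile URLs above are the same request once decoded, and the defence is a per-session synchronizer token checked on the server. The SessionStore class and update_profile handler are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import unquote

# The two updateprofile URLs from the slides: identical once percent-decoded, which is
# why a filter looking at the literal URL text is no defence.
PLAIN = "http://hackmebankURL/updateprofile?newName=Bob Smith"
ENCODED = ("http://hackmebankURL/%75%70%64%61%74%65%70%72%6f%66%69%6c%65%3f"
           "%6e%65%77%4e%61%6d%65%3d%42%6f%62%20%53%6d%69%74%68")

def same_request(a: str, b: str) -> bool:
    return unquote(a) == unquote(b)

class SessionStore:
    """Synchronizer-token pattern: a random token per session, embedded in the site's
    own forms and demanded on every state-changing request. The browser attaches the
    cookie automatically, but a cross-site page cannot read or guess the token."""
    def __init__(self):
        self._tokens = {}

    def issue_csrf_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def valid_csrf_token(self, session_id: str, presented) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        # Constant-time comparison so response timing does not leak the token.
        return hmac.compare_digest(expected.encode(), presented.encode())

def update_profile(store: SessionStore, session_id: str, form: dict, profiles: dict) -> bool:
    """Handler for the profile update. A request carrying only the session cookie is
    refused; the form must also echo the token issued to that session."""
    if not store.valid_csrf_token(session_id, form.get("csrf_token")):
        return False
    profiles[session_id] = form.get("newName", "")
    return True
```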
Using Components with Known Vulnerabilities
• Problem:
  a) Many software vulnerabilities are published along with details and version numbers to let people know how/when to patch
  b) Many web sites use components that are not fully patched
• Implications: attackers can find out what software is running on the application, and possibly what versions, and go looking for published vulnerabilities that affect you.
Unvalidated Redirects and Forwards
• Problem: application redirects users based on information a user can potentially control (e.g. information in a URL parameter, form field, or cookie)
  – Types: external redirect, internal redirect, full URL, relative URLs
• Implications: an attacker can redirect users to arbitrary locations. Does not necessarily affect the application itself, but exploits the trust the user has in the application, and makes it easier for attackers to impersonate your site.
A URL that forwards…
http://www.examplesite.com/forward?url=/contact
HTML that forwards…
HTTP forwards…
HTTP/1.1 302 FOUND
Server: nginx/0.7.65
Date: Tue, 24 Feb 2015 21:29:25 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 223
Location: http://example.server.com/location/file
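Added example (not from the slides), in Python: validating the ?url= parameter from the forward URL above so that the 302 Location can only ever point back into the application. APP_HOST and the two functions are assumptions for the example; the rejected inputs cover the full-URL, scheme-relative and backslash forms that browsers would otherwise follow off-site.

```python
import re
from urllib.parse import urlsplit, unquote

APP_HOST = "www.examplesite.com"   # the application's own host (assumed for this example)

# A site-relative path: exactly one leading slash, so not "//host/..." or "/\host/...".
SITE_RELATIVE = re.compile(r"^/(?![/\\])")

def safe_redirect_target(url_param, default: str = "/") -> str:
    """Allow-list approach: only destinations inside this application are honoured;
    anything else falls back to `default`. Returns the path to place in Location."""
    candidate = unquote(url_param or "").strip()
    # Browsers strip tabs/newlines and treat "\" like "/"; refuse anything relying on that.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:          # http://..., mailto:..., //otherhost/...
        return default
    if not SITE_RELATIVE.match(candidate):    # "contact", "///otherhost", ""
        return default
    return candidate

def redirect_response(url_param) -> str:
    """The 302 shown on the slide, with Location pinned to our own host."""
    return ("HTTP/1.1 302 FOUND\r\nLocation: http://" + APP_HOST
            + safe_redirect_target(url_param) + "\r\n\r\n")

if __name__ == "__main__":
    print(redirect_response("/contact"))                                   # stays on site
    print(redirect_response("http://example.server.com/location/file"))   # falls back to /
```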
Resources
OWASP Resources
• OWASP Application Security Verification Standard
  – For when you don't know what tests should be done
  – https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
• OWASP Testing Guide (up to v4 currently)
  – For instructions on HOW to do tests, and where to find additional tools
  – https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
Resources
• OWASP Web Testing Environment
  – For a quick deploy of a web application testing environment
  – https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
• Kali Linux: Pen Testing Environment
  – For a quick deploy of penetration testing tools, including application testing resources
  – https://www.kali.org
General Purpose Tools
• Google Fuzz DB
  – https://code.google.com/p/fuzzdb/
  – Database of common crafted inputs that can be used to detect security vulnerabilities
HTTP Proxy Demo
BurpSuite
Getting Started: http://portswigger.net/burp/help/suite_gettingstarted.html
Download Free Edition: http://portswigger.net/burp/downloadfree.html
OWASP ZAP
Getting Started: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Download: https://code.google.com/p/zaproxy/wiki/Downloads?tm=2
Tools You Can Use
SQL Injection Tools
• SQL Map
  – http://sqlmap.org/
  – http://pentestlab.org/sqlmap-101-automatic-sql-injection-pentest-tutorial/
• Security Compass Exploit-Me suite, SQL Inject-Me
  – http://labs.securitycompass.com/exploit-me/
XSS Tools
• Chrome plugin XSS-Rays
  – https://chrome.google.com/webstore/detail/xss-rays/kkopfbcgaebdaklghbnfmjeeonmabidj
• Security Compass Exploit-Me suite, XSS-Me
  – http://labs.securitycompass.com/exploit-me/
Function Level Access Control Tools
• Security Compass Exploit-Me suite, Access-Me
  – http://labs.securitycompass.com/exploit-me/
Questions?
Thank You!
Opheliar Chan
Senior Security Consultant
Opheliar at securitycompass.com
In the news
• eBay account hijacking with Cross-Site Request Forgery (2013)
  – http://threatpost.com/ebay-vulnerable-to-account-hijacking-via-xsrf/103311
• Twitter vulnerable to Cross-Site Scripting that allows attackers to post on a user's behalf
  – http://archive.news.softpedia.com/news/New-Dangerous-Twitter-XSS-Vulnerability-Identified-155257.shtml
• Archive of SQL injection news @ http://news.softpedia.com/newsTag/SQL+injection
  – Targets: government websites, travel sites, banks, game companies, etc.
https://www.firehost.com/company/newsroom/web-application-attack-report-first-quarter-2013#
Softpedia.com