Title: Web Application Security: OWASP Top 10 by Brian Johnson
Abstract: In this session we will learn how to find, demonstrate how to exploit, and discuss how to prevent the OWASP Top 10 security issues. We will also discuss how these issues are exploited in the real world. Students will have the opportunity to get hands-on experience testing for and exploiting these issues.
Requirements: All attendees interested in participating in the labs will need to bring their own laptop. Laptops should have a wired Ethernet port in order to participate in the labs.
8. The Top 10
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
9. The Top 10 (continued)
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
10. Scope of Attacks
Client Side
Attack the end user and end user network
Server Side
Attack the infrastructure
12. Injection
Results from improper input sanitization
Multiple types
SQL
LDAP
XPATH
OS
...
13. SQL Injection
Two types
Vanilla (or “normal” or “first order”)
Blind
Results from directly inserting user-supplied data into a SQL query
14. SQL Queries
SELECT * FROM events WHERE id='$id'
Developer expects $id to be an integer like 3
What if $id is 3' or '1'='1
Or 3' union select name, password, role from users; --
15. How to find
Check all inputs to see if you can create an error message
Single quote '
Double quote "
SQL comments
SQL verbs
16. How to find
If errors are trapped you have to look for differences between query results
Unbalanced vs balanced quotes
SQL errors
...
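The query from slide 14 and the detection signals from slides 15 and 16, worked through as an added example (not part of the original deck): the same `events` lookup is written once with the user value pasted into the SQL text and once as a bound parameter, and both are run against a constructed in-memory SQLite table with the slide's inputs to show the row-count difference and the error message a single quote produces.

```python
import sqlite3

# Constructed sample data standing in for the slide's `events` table.
SAMPLE_EVENTS = [(1, "kickoff", "alice"), (2, "review", "bob"), (3, "launch", "carol")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def events_vulnerable(conn: sqlite3.Connection, event_id: str) -> list:
    # Mirrors the slide: $id is pasted straight into the query text, so any
    # quotes in it become part of the SQL grammar instead of part of the value.
    query = f"SELECT * FROM events WHERE id='{event_id}'"
    return conn.execute(query).fetchall()


def events_parameterized(conn: sqlite3.Connection, event_id: str) -> list:
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so a quote in it is just a character in the string being compared.
    return conn.execute("SELECT * FROM events WHERE id=?", (event_id,)).fetchall()


def probe(conn: sqlite3.Connection, event_id: str) -> dict:
    """Run both forms on one input and report row counts plus whether the
    vulnerable form raised a SQL error (the 'error message' signal from the
    How-to-find slide; 'rows' differing is the balanced/unbalanced signal)."""
    result = {"parameterized_rows": len(events_parameterized(conn, event_id))}
    try:
        result["vulnerable_rows"] = len(events_vulnerable(conn, event_id))
        result["vulnerable_error"] = False
    except sqlite3.OperationalError:
        result["vulnerable_rows"] = None
        result["vulnerable_error"] = True
    return result


if __name__ == "__main__":
    db = build_db()
    # The integer the developer expects, the slide's tautology, and a lone quote.
    for value in ["3", "3' or '1'='1", "'"]:
        print(repr(value), probe(db, value))
```

With the tautology, the concatenated query returns every row while the parameterized one returns none; the lone quote raises an OperationalError only in the concatenated form, which is the error-message signal the slide tells you to look for.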
19. Broken Authentication and Session Management
Logic, programming or configuration errors
Exposes password or tokens
Allows users to act as another user
Horizontal
Vertical
20. Cause
Logic errors
Security through obscurity
Enforcing permissions on the wrong portion of the application
21. How to find
Try to access functionality that your user shouldn't have access to
Modify user identifying information
23. Cross-Site Scripting (XSS)
Results from improper input sanitization
Client side attack
Two types
Reflected
Stored
24. Cause
Direct use of user-supplied input, with no escaping before it is written into the page:
echo("Hello {$_POST['name']}");
25. How to find
Check all inputs to see if dangerous characters are properly escaped or deleted
Text fields
Hidden variables
Cookies
etc
Proper escaping varies depending on your context
28. Insecure Direct Object References
Results from improper input validation
Directly refer to variables used in business logic
Account numbers
Prices
File names
etc
29. How to find
Check for parameter names that reference business logic
Modify parameters to see how they affect what data is presented to you or calculated values
33. Sensitive Data Exposure
Improper storage of sensitive data
Authentication data
Credit card data
SSNs
Fail to encrypt sensitive data in transit
No SSL/TLS
More than just web traffic
Unnecessary data returned to the client
34. How to find
Improper storage of sensitive data
Look at data you retrieved from other attacks
Audits of the systems are more effective
Fail to encrypt sensitive data in transit
Look at the URL
Capture traffic
Man in the middle if necessary
35. Missing Function Level Access Control
Logic error on protecting links/functions
Often vertical access control
36. How to find
If you have multiple accounts at different privilege levels, try to access content for a higher privilege level as a lower-privilege user
Guess common page names
Admin.[php|asp|html|...]
Console.[php|asp|html|...]
40. How to find
Look for actions that only depend on cookie values and well-known or public data
Even if you have to guess a value, make sure the value is actually non-predictable
45. Unvalidated Redirects and Forwards
Improper validation of forwarding or redirect links
Useful in phishing or drive-by attacks
Betrays a user's trust in a site
46. How to find
Look for URLs or URL fragments in parameters and modify these
49. In the news
SQL Injection
Anonymous and LulzSec
Sony et al
Insecure Direct Object Access
Citibank
50. What next
Vulnerable web applications
• Damn Vulnerable Web Application
• Bad Store
• Hacme Bank|Casino|Books|Travel|...
• Webmaven
• Buggy Bank
• ...