SlideShare ist ein Scribd-Unternehmen logo

OWASP Europe Summit Portugal 2008. Web Application Assessments

Internet Security Auditors
Internet Security Auditors

Seminario ofrecido en el marco de las sesiones de formación de la OWASP Summit Portugal 2008 que tuvo lugar en Algarbe (Portugal). En esta conferencia se presentó como se realiza una auditoría de seguridad de aplicaciones y los pasos que deben desarrollarse siguiendo las directrices que definen las guías de la propia OWASP.

Technologie
1 von 61
Downloaden Sie, um offline zu lesen
Web Application Assesments: Reconnaisance and Profiling November 6th, 2008 Faro (Portugal)‫‏‬ Vicente Aguilera Díaz OWASP Spain Chapter Leader CISA,CISSP,ITIL,CEH|I,OPST,OPSA vicente.aguilera@owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
About the instructor Vicente Aguilera Díaz CISA, CISSP, ITIL, CEH Instructor, OPST, OPSA Co-founder of Internet Security Auditors OWASP Spain Chapter Leader Contributor at OWASP Testing Guide v2, WASC Threat Classification v2, WASC Articles and OISSG ISSAF projects. Technical council member of the spanish magazine RedSeguridad Rewarded in 2008 by the spanish magazine SIC Publication of vulnerabilities (Oracle,Squirrelmail, ...) and speaker at security conferences (OWASP, RedIRIS, HackMeeting, FIST, IGC) about WebAppSec OWASP 2
Easy to remember... Cristina Vicente Aguilera Cameron Díaz OWASP 3
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 4
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 5
1. Introduction Reconnaissance is the initial phase of any application pentest Requires the most time of an attack process Involves manual and automated techniques More information = attacks with more success Any information is useful It's necessary to understand the application Before executing an attack is necessary to develop a methodically plan OWASP 6
1. Introduction Scope of this presentation Pentester I want to attack a webapp Application Discovery Information Gathering Attack Vectors Analysis Target Identification Reconnaisance and Profiling Specific Testing Design Exploit! Hacker OWASP 7
1. Introduction Physical world example: “The terrible event of New York of September 11, 2001” 1996: a terrorist presented the idea to Osama bin Laden.(*) [I want to attack a webapp] 1999: target selections and arrange travel for the hijackers.(*) [Application Discovery] 2000: terrorists took flying lessons. (*) [Information Gathering] The terrorists carried out maps, photos and videos, as well as analysis. (*) [Attack Vectors Analysis] 2001: The attack is running in a few hours. (*) [Exploit] Years of preparation to carry out an attack within hours!(*)http://en.wikipedia.org/wiki/September_11_attacks OWASP 8
1. Introduction Key stages: Stage I: Web Application Discovery Stage II: Information Gathering Stage III: Attack Vectors Analysis OWASP 9
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 10
2. Stage I: Web Application Discovery For a pentest is necessary to test all web applications accessibles through the target A web server can hide different applications. How? 1. Different base URL 2. Non-standard ports 3. Virtual hosts OWASP 11
2. Stage I: Web Application Discovery Hidden applications based on different base URL Suppose that http[s]://www.example.com return: "No web server configured at this address" (or a similar message). But there may be accessible applications: http[s]://www.example.com/app1 http[s]://www.example.com/somepath/app2 http[s]://www.example.com/some-strange-URL OWASP 12
2. Stage I: Web Application Discovery Hidden applications based on different base URL How to discovery these applications? Taking advantage of directory browsing References from other(s) web page(s)‫‏‬ Analyzing the application code Probing for URLs candidates. For example: – /admin/ – /downloads/ – /partners/ Resources enumeration/discovery tools: – DirBuster OWASP 13
2. Stage I: Web Application Discovery Hidden applications based on non-standard ports The application can not be in the 80 or 443 ports For example: http[s]://www.example.com:35000 OWASP 14
2. Stage I: Web Application Discovery Hidden applications based on non-standard ports How to discovery these applications? Require a full scan of the whole 64k TCP port address space Example: nmap –PN –sT –sV –p0-65535 <ip> Observe the response to a request (using a HTTP method) on the port detected will allow confirm the discovery OWASP 15
2. Stage I: Web Application Discovery Hidden applications based on virtual hosts A single IP address can have associate one or more symbolic names. For example, the IP address 192.168.1.61 might be associated to DNS names: www.example.com webmail.example.com intranet.example.com OWASP 16
2. Stage I: Web Application Discovery Hidden applications based on virtual hosts How to discovery these applications? DNS zone transfers dig @dns domain -t AXFR DNS inverse queries dig @dns -x <IP> Web-based DNS searches http://searchdns.netcraft.com/?host=microsoft.com http://whois.webhosting.info/x.x.x.x http://search.msn.com (syntax: "ip:x.x.x.x")‫‏‬ Googling OWASP 17
2. Stage I: Web Application Discovery A penetration test or an application-focused assessment must identify all the applications available, and select those that are part of scope to analyze Each application discovered can have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or data exploitation Security through obscurity is a weak security control It is necessary to implement additional security layers at different levels As result of this stage, we have a list of webapp targets: IP(s), domain(s), URL(s)‫‏‬ OWASP 18
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 19
3. Stage II: Gathering Information Main purpose: To create a base of knowledge useful in later stages (attacks?)‫‏‬ The information should be as accurate as possible The information obtained will allow drive the attacks The questions are... Which issues should be reviewed? How obtain useful information? OWASP 20
3. Stage II: Gathering Information Which issues should be reviewed? Relatives to: Platform Application Users Attack surface How to obtain useful infomation? Through: Search engines Information repositories (including people!)‫‏‬ – http://www.nettrace.com.au/resource/search/people.html‫‏‬ The target application OWASP 21
3. Stage II: Gathering Information Platform Technologies Web/Application servers Authentication type and resources Database fingerprinting OS fingerprinting Third-party components OWASP 22
3. Stage II: Gathering Information Platform : Technologies Technologies analysis For example: ASP.NET, JSP, PHP, Javascript, CGIs How? File extension – .aspx : .NET application Error messages – .NET errors : .NET application – Stack Traces : Java – Source code revelation Code Analysis – public code (and private downloaded code!)‫‏‬ Cookies: JSPSESSIONID, PHPSESSIONID OWASP 23
3. Stage II: Gathering Information Platform : Web/Application servers Web/Application servers analysis For example: IIS/6.0, Tomcat, WebLogic Server 10 How? HTTP Headers analysis – Headers specifics – Response codes and code messages Error pages Tools: – netcat – HTTPrint OWASP 24
3. Stage II: Gathering Information Platform : Authentication type and resources Authentication type and resources analysis For example: form based, HTTP basic, NTLM Which information is used? Resources: For example: – /admin/ – /intranet/login.jsp How? Application browsing Resources discovery HTTP Headers analysis OWASP 25
3. Stage II: Gathering Information Platform : Database fingerprinting Database usage/type analysis For example: SQL Server, Oracle, MySQL How? Error messages Probing different SQL injections – Database specifics Public documentation about the webapp? Database fingerprinting tools OWASP 26
3. Stage II: Gathering Information Platform : OS Fingerprinting OS Fingerprinting analysis For example: Windows 2000 SP2, Linux, CISCO IOS How? Simple: forcing the system to display the banner TCP-based techniques Tools – www.netcraft.com – p0f – nmap OWASP 27
3. Stage II: Gathering Information Platform / Third-party components Third-party components analysis For example: banners, embedded code How? Browsing the application OWASP 28
3. Stage II: Gathering Information Application Standard software Purpose Web based administration Client/Server side validation Features related to authentication Session state Anti-automation systems Error handling OWASP 29
3. Stage II: Gathering Information Application : Standard software Standard software analysis For example: Drupal, Wordpress, phpBB How? Search for known resources at known locations Error messages pages Client code analysis OWASP 30
3. Stage II: Gathering Information Application : Purpose Purpose analysis For example: Web Banking, Ticket Sales, CRM How? Browsing the application Client code analysis Resources enumeration/discovery OWASP 31
3. Stage II: Gathering Information Application : Web based administration Web based administration analysis For example: /backdoor, /admin How? Browsing the application Evade access restrictions Creating an account in the application robots.txt OWASP 32
3. Stage II: Gathering Information Application : Client/Server side validation Client/Server side validation analysis For example: only client side validation How? Removing restrictions on the client side Forcing entry parameters to certain values OWASP 33
3. Stage II: Gathering Information Application : Features related to authentication Features related to authentication analysis For example: password recovery, user registration How? Browsing the application Creating an account in the application Analyzing which funcionalities allow to auth a user OWASP 34
3. Stage II: Gathering Information Application : Session state Session state analysis For example: session cookie, hidden field, URL How? Analyzing requests in authenticated mode Reviewing application cookies Client code analysis OWASP 35
3. Stage II: Gathering Information Application : Anti-automation systems Anti-automation systems analysis For example: captchas, lock account How? Identify which features can be executed by an automated process Identify the mechanism(s) that not allow an automated process OWASP 36
3. Stage II: Gathering Information Application : Error handling Error handling analysis For example: customized error pages, display controlled/not controlled error messages, How? Analyzing error scenarios Provoking error situations that may not be controlled by the application OWASP 37
3. Stage II: Gathering Information Users Roles Application users typology OWASP 38
3. Stage II: Gathering Information Users : Roles Roles analysis For example: administrator, manager, demo, standard user How? Analyzing client code Spoofing users Evade access restrictions OWASP 39
3. Stage II: Gathering Information Users : Application users typology Application users typology analysis For example: internal users, partners, public How? Browsing the application Analyzing client code OWASP 40
3. Stage II: Gathering Information Attack Surface Analysis Elements: Code Entry points Services Protocols OWASP 41
3. Stage II: Gathering Information Attack Surface Analysis : Code Always will find vulnerabilities in the code More code = more vulnerabilities The aim of this stage is to identify/enumerate all the accessible code The public code and the code accessible by remote users is particularly sensitive OWASP 42
3. Stage II: Gathering Information Attack Surface Analysis : Entry points It's necessary to identify all the entry points to the application More entry points = more attack vectors Some examples of entry points: URL parameter Hidden field Cookie OWASP 43
3. Stage II: Gathering Information Attack Surface Analysis : Services The excess of services increases the exposure area It's interesting to detect the privileges level with which you access these services The aim of this stage is to identify/enumerate all the services availables and their privilege level OWASP 44
3. Stage II: Gathering Information Attack Surface Analysis : Protocols The most importants: TCP / UDP UPD increases the attack surface The aim of this stage is to identify/enumerate all the protocols availables OWASP 45
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 46
4. Stage III: Attack Vectors Analysis On the basis of information gathered in previous phases, it is possible to identify the attack vectors most likely to succeed Standard software? Disk access? Database access? Which information is used to authenticate a user? Anti-automation systems? Third-party components? Relationships with other systems? Critical operations? OWASP 47
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 48
5. Examples in the real world Exploiting real vulnerabilities in real applications from the Real Santa Eulália Hotel: IMAP/SMTP Injection in Squirrelmail CSRF in Gmail ??? in Oracle OWASP 49
5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Suppose that we have obtained the next information from the previous stages: Application Discovery: http://x.x.x.x/sm/login.php Information Gathering: Squirrelmail 1.4.4 Attack Vectors Analysis: IMAP/SMTP Injection OWASP 50
5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Remember... IMAP/SMTP Injection: allows for arbitrary injection of IMAP or SMTP commands to the mail servers through a web application improperly validating user supplied data. OWASP 51
5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Some examples of attacks: Exploitation of vulnerabilities in the IMAP/SMTP protocol Application restrictions evasion Anti-automation process evasion Information leaks Relay/SPAM The attack process: Identify vulnerable parameters Understanding the parameter and the context IMAP/SMTP command injection OWASP 52
5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Detection and exploit! DEMO Executing arbitrary IMAP commands (blind injection?)‫‏‬ Evading restrictions (CAPTCHA)‫‏‬ Port scanning internal systems OWASP 53
5. Examples in the real world CSRF in Gmail Suppose that we have obtained the next information from the previous stages: Application Discovery: https://www.google.com/accounts/ServiceLogin Information Gathering: Google webmail Attack Vectors Analysis: CSRF (Cross-site Request Forgery)‫‏‬ OWASP 54
5. Examples in the real world CSRF in Gmail Remember... CSRF (Cross-site Request Forgery): forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. OWASP 55
5. Examples in the real world CSRF in Gmail Detection and exploit! DEMO What has happened to your Gmail password? OWASP 56
5. Examples in the real world ??? in Oracle I can not reveal details of this vulnerability because it's an UNPUBLISHED vulnerability What allow the exploitation of this vulnerability? Access to the target file system Possible execution of arbitrary operating system commands OWASP 57
5. Examples in the real world ??? in Oracle Downloading the /etc/passwd and /etc/hosts files: OWASP 58
Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 59
6. References Professional Pen Testing for Web Applications Andres Andreu The Security Development Lifecycle Michael Howard and Steve Lipner MX Injection: Capturing and Exploiting Hidden Mail Servers http://www.webappsec.org/projects/articles/121106.shtml OWASP Development Guide http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Testing Guide http://www.owasp.org/index.php/Category:OWASP_Testing_Project and ALL the OWASP Projects! http://www.owasp.org OWASP 60
Thank's! Any question? All your comments will be appreciated vicente.aguilera@owasp.org vaguilera@isecauditors.com OWASP 61

Empfohlen

Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Freddy Ortiz
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt ScannerFlorian Roth
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 

Empfohlen

Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Freddy Ortiz
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt ScannerFlorian Roth
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersPriyanka Aash
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)Madhavan Marimuthu
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Modern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the ThingsModern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the ThingsPriyanka Aash
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 

Weitere ähnliche Inhalte

Was ist angesagt?

[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)Jonathan Cran
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersPriyanka Aash
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Modern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the ThingsModern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the ThingsPriyanka Aash
 

Was ist angesagt? (19)

OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
The Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software UpdatersThe Unexpected Attack Vector: Software Updaters
The Unexpected Attack Vector: Software Updaters
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Fortify dev ops (002)
Fortify dev ops (002)Fortify dev ops (002)
Fortify dev ops (002)
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Modern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the ThingsModern Exploitation: Owning All of the Things
Modern Exploitation: Owning All of the Things
 

Andere mochten auch

Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...GRUC
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Denim Group
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixDenim Group
 
Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015Capgemini
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...XEventsHospitality
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 

Andere mochten auch (15)

Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity Assessment
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Information Security Benchmarking 2015
Information Security Benchmarking 2015Information Security Benchmarking 2015
Information Security Benchmarking 2015
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 

Ähnlich wie OWASP Europe Summit Portugal 2008. Web Application Assessments

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfsk0894308
 
Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeKaspersky
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisIan G
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Rana Khalil
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 

Ähnlich wie OWASP Europe Summit Portugal 2008. Web Application Assessments (20)

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS Office
 
Threats, Threat Modeling and Analysis
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Computer security
Computer securityComputer security
Computer security
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 

Mehr von Internet Security Auditors

Explotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimientoExplotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimientoInternet Security Auditors
 
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligenciaXIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligenciaInternet Security Auditors
 
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301Internet Security Auditors
 
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOsProblemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOsInternet Security Auditors
 
PCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional DatosPCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional DatosInternet Security Auditors
 
Problematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPOProblematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPOInternet Security Auditors
 
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, MetodologiaProteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, MetodologiaInternet Security Auditors
 
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)Internet Security Auditors
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?Internet Security Auditors
 
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCICambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCIInternet Security Auditors
 
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...Internet Security Auditors
 
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...Internet Security Auditors
 
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las SancionesConferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las SancionesInternet Security Auditors
 
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...Internet Security Auditors
 
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...Internet Security Auditors
 
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones AndroidCIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones AndroidInternet Security Auditors
 
(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.Internet Security Auditors
 

Mehr von Internet Security Auditors (20)

Explotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimientoExplotando los datos como materia prima del conocimiento
Explotando los datos como materia prima del conocimiento
 
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligenciaXIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
XIII Jornadas STIC CCN-CERT. OSINT de la información a la inteligencia
 
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
Proceso de implementación de los sistemas de gestión ISO 27001 e ISO 22301
 
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOsProblemática de implementación de un SGSI o un SGCN en contact centers y BPOs
Problemática de implementación de un SGSI o un SGCN en contact centers y BPOs
 
PCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional DatosPCI DSS en el Cloud: Transferencia Internacional Datos
PCI DSS en el Cloud: Transferencia Internacional Datos
 
Problematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPOProblematicas de PCI DSS en Contact Centers & BPO
Problematicas de PCI DSS en Contact Centers & BPO
 
PCI DSS: Justificacion del Cumplimiento
PCI DSS: Justificacion del CumplimientoPCI DSS: Justificacion del Cumplimiento
PCI DSS: Justificacion del Cumplimiento
 
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, MetodologiaProteccion de Datos Personales: Conceptos, Sanciones, Metodologia
Proteccion de Datos Personales: Conceptos, Sanciones, Metodologia
 
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
GigaTIC 2017 - Más allá del futuro: Negocio, tecnología y robótica. (Abril 2017)
 
RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?RootedCon 2017 - Workshop: IoT Insecurity of Things?
RootedCon 2017 - Workshop: IoT Insecurity of Things?
 
PCI DSS en la Nube
PCI DSS en la NubePCI DSS en la Nube
PCI DSS en la Nube
 
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCICambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
Cambios de las versiones 3.2, Cuestionarios y Ecosistema de Normas PCI
 
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
Overdrive Hacking Conference 2016 - Riesgos en el uso de las Redes Sociales (...
 
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
Conferencia sobre Protección de Datos (Bogotá): Errores comunes en la identif...
 
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las SancionesConferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
Conferencia sobre Protección de Datos (Bogotá): Aprendiendo de las Sanciones
 
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
Catosfera 2016: Anàlisi de xarxes socials amb finalitats d'investigació: ris...
 
CIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINTCIBERSEG'16. Técnicas #OSINT
CIBERSEG'16. Técnicas #OSINT
 
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
VI Foro Evidencias Electrónicas en la Investigación Policial. Análisis forens...
 
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones AndroidCIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
CIBERSEG '15 - Taller: Ingeniería inversa en aplicaciones Android
 
(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.(ISC)2 Security Congress EMEA. You are being watched.
(ISC)2 Security Congress EMEA. You are being watched.
 

Kürzlich hochgeladen

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Kürzlich hochgeladen (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

OWASP Europe Summit Portugal 2008. Web Application Assessments

  • 1. Web Application Assesments: Reconnaisance and Profiling November 6th, 2008 Faro (Portugal)‫‏‬ Vicente Aguilera Díaz OWASP Spain Chapter Leader CISA,CISSP,ITIL,CEH|I,OPST,OPSA vicente.aguilera@owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. About the instructor Vicente Aguilera Díaz CISA, CISSP, ITIL, CEH Instructor, OPST, OPSA Co-founder of Internet Security Auditors OWASP Spain Chapter Leader Contributor at OWASP Testing Guide v2, WASC Threat Classification v2, WASC Articles and OISSG ISSAF projects. Technical council member of the spanish magazine RedSeguridad Rewarded in 2008 by the spanish magazine SIC Publication of vulnerabilities (Oracle,Squirrelmail, ...) and speaker at security conferences (OWASP, RedIRIS, HackMeeting, FIST, IGC) about WebAppSec OWASP 2
  • 4. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 4
  • 5. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 5
  • 6. 1. Introduction Reconnaissance is the initial phase of any application pentest Requires the most time of an attack process Involves manual and automated techniques More information = attacks with more success Any information is useful It's necessary to understand the application Before executing an attack is necessary to develop a methodically plan OWASP 6
  • 7. 1. Introduction Scope of this presentation Pentester I want to attack a webapp Application Discovery Information Gathering Attack Vectors Analysis Target Identification Reconnaisance and Profiling Specific Testing Design Exploit! Hacker OWASP 7
  • 8. 1. Introduction Physical world example: “The terrible event of New York of September 11, 2001” 1996: a terrorist presented the idea to Osama bin Laden.(*) [I want to attack a webapp] 1999: target selections and arrange travel for the hijackers.(*) [Application Discovery] 2000: terrorists took flying lessons. (*) [Information Gathering] The terrorists carried out maps, photos and videos, as well as analysis. (*) [Attack Vectors Analysis] 2001: The attack is running in a few hours. (*) [Exploit] Years of preparation to carry out an attack within hours!(*)http://en.wikipedia.org/wiki/September_11_attacks OWASP 8
  • 9. 1. Introduction Key stages: Stage I: Web Application Discovery Stage II: Information Gathering Stage III: Attack Vectors Analysis OWASP 9
  • 10. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 10
  • 11. 2. Stage I: Web Application Discovery For a pentest is necessary to test all web applications accessibles through the target A web server can hide different applications. How? 1. Different base URL 2. Non-standard ports 3. Virtual hosts OWASP 11
  • 12. 2. Stage I: Web Application Discovery Hidden applications based on different base URL Suppose that http[s]://www.example.com return: "No web server configured at this address" (or a similar message). But there may be accessible applications: http[s]://www.example.com/app1 http[s]://www.example.com/somepath/app2 http[s]://www.example.com/some-strange-URL OWASP 12
  • 13. 2. Stage I: Web Application Discovery Hidden applications based on different base URL How to discovery these applications? Taking advantage of directory browsing References from other(s) web page(s)‫‏‬ Analyzing the application code Probing for URLs candidates. For example: – /admin/ – /downloads/ – /partners/ Resources enumeration/discovery tools: – DirBuster OWASP 13
  • 14. 2. Stage I: Web Application Discovery Hidden applications based on non-standard ports The application can not be in the 80 or 443 ports For example: http[s]://www.example.com:35000 OWASP 14
  • 15. 2. Stage I: Web Application Discovery Hidden applications based on non-standard ports How to discovery these applications? Require a full scan of the whole 64k TCP port address space Example: nmap –PN –sT –sV –p0-65535 <ip> Observe the response to a request (using a HTTP method) on the port detected will allow confirm the discovery OWASP 15
  • 16. 2. Stage I: Web Application Discovery Hidden applications based on virtual hosts A single IP address can have associate one or more symbolic names. For example, the IP address 192.168.1.61 might be associated to DNS names: www.example.com webmail.example.com intranet.example.com OWASP 16
  • 17. 2. Stage I: Web Application Discovery Hidden applications based on virtual hosts How to discovery these applications? DNS zone transfers dig @dns domain -t AXFR DNS inverse queries dig @dns -x <IP> Web-based DNS searches http://searchdns.netcraft.com/?host=microsoft.com http://whois.webhosting.info/x.x.x.x http://search.msn.com (syntax: "ip:x.x.x.x")‫‏‬ Googling OWASP 17
  • 18. 2. Stage I: Web Application Discovery A penetration test or an application-focused assessment must identify all the applications available, and select those that are part of scope to analyze Each application discovered can have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or data exploitation Security through obscurity is a weak security control It is necessary to implement additional security layers at different levels As result of this stage, we have a list of webapp targets: IP(s), domain(s), URL(s)‫‏‬ OWASP 18
  • 19. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 19
  • 20. 3. Stage II: Gathering Information Main purpose: To create a base of knowledge useful in later stages (attacks?)‫‏‬ The information should be as accurate as possible The information obtained will allow drive the attacks The questions are... Which issues should be reviewed? How obtain useful information? OWASP 20
  • 21. 3. Stage II: Gathering Information Which issues should be reviewed? Relatives to: Platform Application Users Attack surface How to obtain useful infomation? Through: Search engines Information repositories (including people!)‫‏‬ – http://www.nettrace.com.au/resource/search/people.html‫‏‬ The target application OWASP 21
  • 22. 3. Stage II: Gathering Information Platform Technologies Web/Application servers Authentication type and resources Database fingerprinting OS fingerprinting Third-party components OWASP 22
  • 23. 3. Stage II: Gathering Information Platform : Technologies Technologies analysis For example: ASP.NET, JSP, PHP, Javascript, CGIs How? File extension – .aspx : .NET application Error messages – .NET errors : .NET application – Stack Traces : Java – Source code revelation Code Analysis – public code (and private downloaded code!)‫‏‬ Cookies: JSPSESSIONID, PHPSESSIONID OWASP 23
  • 24. 3. Stage II: Gathering Information Platform : Web/Application servers Web/Application servers analysis For example: IIS/6.0, Tomcat, WebLogic Server 10 How? HTTP Headers analysis – Headers specifics – Response codes and code messages Error pages Tools: – netcat – HTTPrint OWASP 24
  • 25. 3. Stage II: Gathering Information Platform : Authentication type and resources Authentication type and resources analysis For example: form based, HTTP basic, NTLM Which information is used? Resources: For example: – /admin/ – /intranet/login.jsp How? Application browsing Resources discovery HTTP Headers analysis OWASP 25
  • 26. 3. Stage II: Gathering Information Platform : Database fingerprinting Database usage/type analysis For example: SQL Server, Oracle, MySQL How? Error messages Probing different SQL injections – Database specifics Public documentation about the webapp? Database fingerprinting tools OWASP 26
  • 27. 3. Stage II: Gathering Information Platform : OS Fingerprinting OS Fingerprinting analysis For example: Windows 2000 SP2, Linux, CISCO IOS How? Simple: forcing the system to display the banner TCP-based techniques Tools – www.netcraft.com – p0f – nmap OWASP 27
  • 28. 3. Stage II: Gathering Information Platform / Third-party components Third-party components analysis For example: banners, embedded code How? Browsing the application OWASP 28
  • 29. 3. Stage II: Gathering Information Application Standard software Purpose Web based administration Client/Server side validation Features related to authentication Session state Anti-automation systems Error handling OWASP 29
  • 30. 3. Stage II: Gathering Information Application : Standard software Standard software analysis For example: Drupal, Wordpress, phpBB How? Search for known resources at known locations Error messages pages Client code analysis OWASP 30
  • 31. 3. Stage II: Gathering Information Application : Purpose Purpose analysis For example: Web Banking, Ticket Sales, CRM How? Browsing the application Client code analysis Resources enumeration/discovery OWASP 31
  • 32. 3. Stage II: Gathering Information Application : Web based administration Web based administration analysis For example: /backdoor, /admin How? Browsing the application Evade access restrictions Creating an account in the application robots.txt OWASP 32
  • 33. 3. Stage II: Gathering Information Application : Client/Server side validation Client/Server side validation analysis For example: only client side validation How? Removing restrictions on the client side Forcing entry parameters to certain values OWASP 33
  • 34. 3. Stage II: Gathering Information Application : Features related to authentication Features related to authentication analysis For example: password recovery, user registration How? Browsing the application Creating an account in the application Analyzing which funcionalities allow to auth a user OWASP 34
  • 35. 3. Stage II: Gathering Information Application : Session state Session state analysis For example: session cookie, hidden field, URL How? Analyzing requests in authenticated mode Reviewing application cookies Client code analysis OWASP 35
  • 36. 3. Stage II: Gathering Information Application : Anti-automation systems Anti-automation systems analysis For example: captchas, lock account How? Identify which features can be executed by an automated process Identify the mechanism(s) that not allow an automated process OWASP 36
  • 37. 3. Stage II: Gathering Information Application : Error handling Error handling analysis For example: customized error pages, display controlled/not controlled error messages, How? Analyzing error scenarios Provoking error situations that may not be controlled by the application OWASP 37
  • 38. 3. Stage II: Gathering Information Users Roles Application users typology OWASP 38
  • 39. 3. Stage II: Gathering Information Users : Roles Roles analysis For example: administrator, manager, demo, standard user How? Analyzing client code Spoofing users Evade access restrictions OWASP 39
  • 40. 3. Stage II: Gathering Information Users : Application users typology Application users typology analysis For example: internal users, partners, public How? Browsing the application Analyzing client code OWASP 40
  • 41. 3. Stage II: Gathering Information Attack Surface Analysis Elements: Code Entry points Services Protocols OWASP 41
  • 42. 3. Stage II: Gathering Information Attack Surface Analysis : Code Always will find vulnerabilities in the code More code = more vulnerabilities The aim of this stage is to identify/enumerate all the accessible code The public code and the code accessible by remote users is particularly sensitive OWASP 42
  • 43. 3. Stage II: Gathering Information Attack Surface Analysis : Entry points It's necessary to identify all the entry points to the application More entry points = more attack vectors Some examples of entry points: URL parameter Hidden field Cookie OWASP 43
  • 44. 3. Stage II: Gathering Information Attack Surface Analysis : Services The excess of services increases the exposure area It's interesting to detect the privileges level with which you access these services The aim of this stage is to identify/enumerate all the services availables and their privilege level OWASP 44
  • 45. 3. Stage II: Gathering Information Attack Surface Analysis : Protocols The most importants: TCP / UDP UPD increases the attack surface The aim of this stage is to identify/enumerate all the protocols availables OWASP 45
  • 46. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 46
  • 47. 4. Stage III: Attack Vectors Analysis On the basis of information gathered in previous phases, it is possible to identify the attack vectors most likely to succeed Standard software? Disk access? Database access? Which information is used to authenticate a user? Anti-automation systems? Third-party components? Relationships with other systems? Critical operations? OWASP 47
  • 48. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 48
  • 49. 5. Examples in the real world Exploiting real vulnerabilities in real applications from the Real Santa Eulália Hotel: IMAP/SMTP Injection in Squirrelmail CSRF in Gmail ??? in Oracle OWASP 49
  • 50. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Suppose that we have obtained the next information from the previous stages: Application Discovery: http://x.x.x.x/sm/login.php Information Gathering: Squirrelmail 1.4.4 Attack Vectors Analysis: IMAP/SMTP Injection OWASP 50
  • 51. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Remember... IMAP/SMTP Injection: allows for arbitrary injection of IMAP or SMTP commands to the mail servers through a web application improperly validating user supplied data. OWASP 51
  • 52. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Some examples of attacks: Exploitation of vulnerabilities in the IMAP/SMTP protocol Application restrictions evasion Anti-automation process evasion Information leaks Relay/SPAM The attack process: Identify vulnerable parameters Understanding the parameter and the context IMAP/SMTP command injection OWASP 52
  • 53. 5. Examples in the real world IMAP/SMTP Injection in Squirrelmail Detection and exploit! DEMO Executing arbitrary IMAP commands (blind injection?)‫‏‬ Evading restrictions (CAPTCHA)‫‏‬ Port scanning internal systems OWASP 53
  • 54. 5. Examples in the real world CSRF in Gmail Suppose that we have obtained the next information from the previous stages: Application Discovery: https://www.google.com/accounts/ServiceLogin Information Gathering: Google webmail Attack Vectors Analysis: CSRF (Cross-site Request Forgery)‫‏‬ OWASP 54
  • 55. 5. Examples in the real world CSRF in Gmail Remember... CSRF (Cross-site Request Forgery): forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. OWASP 55
  • 56. 5. Examples in the real world CSRF in Gmail Detection and exploit! DEMO What has happened to your Gmail password? OWASP 56
  • 57. 5. Examples in the real world ??? in Oracle I can not reveal details of this vulnerability because it's an UNPUBLISHED vulnerability What allow the exploitation of this vulnerability? Access to the target file system Possible execution of arbitrary operating system commands OWASP 57
  • 58. 5. Examples in the real world ??? in Oracle Downloading the /etc/passwd and /etc/hosts files: OWASP 58
  • 59. Agenda 1. Introduction 2. Web Application Discovery 3. Information Gathering 4. Attack Vectors Analysis 5. Examples in the real world 6. References OWASP 59
  • 60. 6. References Professional Pen Testing for Web Applications Andres Andreu The Security Development Lifecycle Michael Howard and Steve Lipner MX Injection: Capturing and Exploiting Hidden Mail Servers http://www.webappsec.org/projects/articles/121106.shtml OWASP Development Guide http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Testing Guide http://www.owasp.org/index.php/Category:OWASP_Testing_Project and ALL the OWASP Projects! http://www.owasp.org OWASP 60
  • 61. Thank's! Any question? All your comments will be appreciated vicente.aguilera@owasp.org vaguilera@isecauditors.com OWASP 61