SlideShare a Scribd company logo

Vulnerabilities in new_web_applications-slides

OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project)
Technology
1 of 15
Download to read offline
Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant          www.nethemba.com             www.nethemba.com      
Introduction $whoami Pavol Lupták  10+ years of practical experience in security and seeking vulnerabilities with a strong theoretical background (CISSP, CEH)  OWASP Slovakia Chapter Leader  co-author of the OWASP Testing Guide v3.0  owner of security company Nethemba s.r.o. focused on penetration tests and web   application security audits        www.nethemba.com       
The goal of this presentation  To show security vulnerabilities common in new  web applications (Internet banking, e­shops,  online casinos, ..) during the period 2008­2009  “Real data” from plenty of new web applications  developed by Czech/Slovak companies was  used   To ensure their privacy, the used data was    aggregated        www.nethemba.com       
SQL injection downtrend, risk of  second­order injection vulnerabilities  Most new applications use prepared  statements/parametrized queries  Complex architecture with multiple different  applications can increase the likelihood of  second­order injection vulnerabilities  New fully­automatized SQL injection tools are  available (sqlmap, Power SQL injector)          www.nethemba.com       
Increased complexity of XSS  vulnerabilities, AJAX security ● Due to a huge number of XSS variations,  “blacklisting” simply does not work ● Importance of the “output validation” (inevitable  if the stored data is contaminated with injected  code) ● It is still a problem to automatically reveal  persistent XSS / AJAX vulnerabilities ● New XSS demo tools (Browser Rider, Beef)          www.nethemba.com       
Vulnerabilities in session  management  Many new applications use own session  management that is almost always bad  implemented  If it is possible, use language underlying  session management instead  At this moment, there is no automated way to  fully test session management security          www.nethemba.com       
Session Fixation Attacks  If the attacker can inject an arbitrary value in  anonymous session tokens and the application  accepts this value and uses it for authenticated  login, session fixation attacks are feasible  Can be used to hijack user sessions using  social engineering, XSS vulnerabilities, ..  The application should not accept injected  session token, should regenerate it after login,    invalidate after logout        www.nethemba.com       
Absence of “secure” and  “HttpOnly” flag for cookies  Secure flag prevents the browser to send a  cookie through unencrypted connection  HttpOnly flag prevents the injected javascript  code to steal cookies using the  document.cookie parameter  HttpOnly is effective only when TRACE/TRACK  HTTP methods are disabled on web server           www.nethemba.com       
Simultaneous sessions  In normal circumstances there is no need for  simultaneous sessions for one user in the  application  User should be informed if another user with  the same credentials is logged to the  application  Bind the user session with its IP address/subnet  Session logging is very important          www.nethemba.com       
Brute force attack against  session management  Feasible when session token is shorter than  128 bits or it is easily determinable  Almost no application can detect this attack  because session token is not associated with  an existing user  The application should detect increased  number of session tokens from one IP address    in a short time and blocks it for a defined period        www.nethemba.com       
CSRF vulnerabilities  GET requests are still used for sensitive  operations  Many ways how to protect against CSRF:  Requiring special non­determinable parameters  in GET/POST requests (hidden fields)  AJAX “double submit” cookies  Using other verification channels (email,  SMS, ..)          www.nethemba.com       
Weak and broken CAPTCHA ● We successfully break all our tested  CAPTCHAs with CAPTCHA killer ● It is really difficult to create strong CAPTCHA ● Many CAPTCHA implementations are  vulnerable to replay attacks ● Is still using CAPTCHA a good idea?          www.nethemba.com       
Business Logic Security Flaws  Still prevailed because of complexity to detect  them automatically  Common problems:  Permanent user's account locking  Using negative numbers to gain a lot of money  Enumeration of users using “forgotten  password” or “registration” form          www.nethemba.com       
Vulnerable SSL protocol, weak  ciphers, hashes and passwords  SSLv2 is still massively used  Weak (less than 56­bits) SSL ciphers are used  MD5 is still massively used  DES ECB is still used (in a bank environment!)  Applications have password complexity restrictions  that drastically decrease all possible combinations  Short complicated passwords are still used   Hashes are not salted (risk of rainbow table attacks)        www.nethemba.com       
Any questions? Thank you for listening Ing. Pavol Lupták, CISSP CEH          www.nethemba.com       

Recommended

Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4OWASP (Open Web Application Security Project)
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethembaOWASP (Open Web Application Security Project)
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploitOWASP (Open Web Application Security Project)
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenarioOWASP (Open Web Application Security Project)
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slidesOWASP (Open Web Application Security Project)
 
Php sec
Php secPhp sec
Php secOWASP (Open Web Application Security Project)
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2OWASP (Open Web Application Security Project)
 
Se linux course1
Se linux course1Se linux course1
Se linux course1OWASP (Open Web Application Security Project)
 

Recommended

Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4OWASP (Open Web Application Security Project)
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethembaOWASP (Open Web Application Security Project)
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploitOWASP (Open Web Application Security Project)
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenarioOWASP (Open Web Application Security Project)
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slidesOWASP (Open Web Application Security Project)
 
Php sec
Php secPhp sec
Php secOWASP (Open Web Application Security Project)
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2OWASP (Open Web Application Security Project)
 
Se linux course1
Se linux course1Se linux course1
Se linux course1OWASP (Open Web Application Security Project)
 
Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni poliswebOWASP (Open Web Application Security Project)
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploitsOWASP (Open Web Application Security Project)
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaOWASP (Open Web Application Security Project)
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4OWASP (Open Web Application Security Project)
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application FirewallsOWASP (Open Web Application Security Project)
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnostiOWASP (Open Web Application Security Project)
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profilOWASP (Open Web Application Security Project)
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptakOWASP (Open Web Application Security Project)
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profilOWASP (Open Web Application Security Project)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

More Related Content

More from OWASP (Open Web Application Security Project)

More from OWASP (Open Web Application Security Project) (9)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploits
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Vulnerabilities in new_web_applications-slides

  • 1. Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant          www.nethemba.com             www.nethemba.com      
  • 2. Introduction $whoami Pavol Lupták  10+ years of practical experience in security and seeking vulnerabilities with a strong theoretical background (CISSP, CEH)  OWASP Slovakia Chapter Leader  co-author of the OWASP Testing Guide v3.0  owner of security company Nethemba s.r.o. focused on penetration tests and web   application security audits        www.nethemba.com       
  • 3. The goal of this presentation  To show security vulnerabilities common in new  web applications (Internet banking, e­shops,  online casinos, ..) during the period 2008­2009  “Real data” from plenty of new web applications  developed by Czech/Slovak companies was  used   To ensure their privacy, the used data was    aggregated        www.nethemba.com       
  • 4. SQL injection downtrend, risk of  second­order injection vulnerabilities  Most new applications use prepared  statements/parametrized queries  Complex architecture with multiple different  applications can increase the likelihood of  second­order injection vulnerabilities  New fully­automatized SQL injection tools are  available (sqlmap, Power SQL injector)          www.nethemba.com       
  • 5. Increased complexity of XSS  vulnerabilities, AJAX security ● Due to a huge number of XSS variations,  “blacklisting” simply does not work ● Importance of the “output validation” (inevitable  if the stored data is contaminated with injected  code) ● It is still a problem to automatically reveal  persistent XSS / AJAX vulnerabilities ● New XSS demo tools (Browser Rider, Beef)          www.nethemba.com       
  • 6. Vulnerabilities in session  management  Many new applications use own session  management that is almost always bad  implemented  If it is possible, use language underlying  session management instead  At this moment, there is no automated way to  fully test session management security          www.nethemba.com       
  • 7. Session Fixation Attacks  If the attacker can inject an arbitrary value in  anonymous session tokens and the application  accepts this value and uses it for authenticated  login, session fixation attacks are feasible  Can be used to hijack user sessions using  social engineering, XSS vulnerabilities, ..  The application should not accept injected  session token, should regenerate it after login,    invalidate after logout        www.nethemba.com       
  • 8. Absence of “secure” and  “HttpOnly” flag for cookies  Secure flag prevents the browser to send a  cookie through unencrypted connection  HttpOnly flag prevents the injected javascript  code to steal cookies using the  document.cookie parameter  HttpOnly is effective only when TRACE/TRACK  HTTP methods are disabled on web server           www.nethemba.com       
  • 9. Simultaneous sessions  In normal circumstances there is no need for  simultaneous sessions for one user in the  application  User should be informed if another user with  the same credentials is logged to the  application  Bind the user session with its IP address/subnet  Session logging is very important          www.nethemba.com       
  • 10. Brute force attack against  session management  Feasible when session token is shorter than  128 bits or it is easily determinable  Almost no application can detect this attack  because session token is not associated with  an existing user  The application should detect increased  number of session tokens from one IP address    in a short time and blocks it for a defined period        www.nethemba.com       
  • 11. CSRF vulnerabilities  GET requests are still used for sensitive  operations  Many ways how to protect against CSRF:  Requiring special non­determinable parameters  in GET/POST requests (hidden fields)  AJAX “double submit” cookies  Using other verification channels (email,  SMS, ..)          www.nethemba.com       
  • 12. Weak and broken CAPTCHA ● We successfully break all our tested  CAPTCHAs with CAPTCHA killer ● It is really difficult to create strong CAPTCHA ● Many CAPTCHA implementations are  vulnerable to replay attacks ● Is still using CAPTCHA a good idea?          www.nethemba.com       
  • 13. Business Logic Security Flaws  Still prevailed because of complexity to detect  them automatically  Common problems:  Permanent user's account locking  Using negative numbers to gain a lot of money  Enumeration of users using “forgotten  password” or “registration” form          www.nethemba.com       
  • 14. Vulnerable SSL protocol, weak  ciphers, hashes and passwords  SSLv2 is still massively used  Weak (less than 56­bits) SSL ciphers are used  MD5 is still massively used  DES ECB is still used (in a bank environment!)  Applications have password complexity restrictions  that drastically decrease all possible combinations  Short complicated passwords are still used   Hashes are not salted (risk of rainbow table attacks)        www.nethemba.com       
  • 15. Any questions? Thank you for listening Ing. Pavol Lupták, CISSP CEH          www.nethemba.com