devconfu
The talk covers some of the most common mistakes identified during recent web application security assessments. These include, but are not limited to, various types of injection (SQLi, XSS, etc.), local file access and business logic flaws. Practical examples are demonstrated during the talk, along with the mitigation tools and techniques.
Web application security – war stories from real penetration testing engagements
Didzis Balodis, CISSP, GPEN
Lead of Security and Infrastructure division
Contents
Didzis Balodis
• Lead of DPA Security and Infrastructure division
• More than 10 years in IT (since 1999)
• System administration, development, security
• Last 5 years – IT consulting, audits, security, penetration testing (more than 50 engagements)
• Hobby – Wi-Fi hacking
• Certifications:
• CISSP – Certified Information Systems Security Professional
• GPEN – GIAC Certified Penetration Tester
DPA security portfolio
IT audit and security testing:
• Network pentests
• Wireless network assessment
• Web application security testing
• Social engineering
• Compliance
• Security awareness trainings
Statistics
of web applications contain at least one high-risk vulnerability
Injections on the rise
ENISA Threat Landscape 2013 report:
«... Cross-Site Scripting (XSS), Directory Traversal, SQL injection (SQLi) and Cross-Site Request Forgery (CSRF). ... injection attacks are on sharp rise.»
It's easy...
Statistics:
OWASP TOP 10
• A1 – Injection (SQL, LDAP, SMTP, XML...)
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
Consequences
• Stolen or published client data
• Leakage of internal company information
• Loss of reputation
• Compliance and legal issues (personal data protection)
• System downtime
• Financial losses
Example 1
Example 2
Example 3
Example 4
DEMO TIME
SQLi
http://somesystem.lv/ gettextLang=0&usr_login=loginKWgn&usr_password=aaa&sendpost=Pieslēgties sistēmai' AND (SELECT 4747 FROM (SELECT COUNT(*),CONCAT(0x3a76796a3a,(SELECT (CASE WHEN (4747=4747) THEN 1 ELSE 0 END)),0x3a787a693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KWgn'='KWgn&usr_password=aaa&sendpost=Pieslēgties sistēmai
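As an added example (not from the talk or the assessed system), the login query that an error-based payload like the one above targets, written the way it is typically vulnerable and the way it should be written. The table, column names and user row are assumed, the injected fragment is assumed to arrive through the username parameter, and SQLite stands in for MySQL, so the MySQL-specific subquery produces a database error rather than a leaked value; that error is the very channel error-based SQLi depends on, and it only exists when the input reaches the SQL text.

```python
import sqlite3

# Constructed in-memory stand-in for the application's user table
# (assumed schema; real applications compare password hashes, not plaintext).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr_login TEXT, usr_password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

# The injected fragment from the slide: it closes the string literal, appends a
# MySQL error-based subquery, then re-balances the quotes with 'KWgn'='KWgn.
INJECTED_TAIL = ("' AND (SELECT 4747 FROM (SELECT COUNT(*),CONCAT(0x3a76796a3a,"
                 "(SELECT (CASE WHEN (4747=4747) THEN 1 ELSE 0 END)),0x3a787a693a,"
                 "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
                 "GROUP BY x)a) AND 'KWgn'='KWgn")
PAYLOAD_LOGIN = "loginKWgn" + INJECTED_TAIL   # assumed injection point: usr_login

def login_unsafe(conn, login, password):
    """Vulnerable: user input is spliced into the SQL text, so the attacker's
    fragment is parsed and executed by the database."""
    sql = ("SELECT COUNT(*) FROM users WHERE usr_login='%s' AND usr_password='%s'"
           % (login, password))
    return conn.execute(sql).fetchone()[0] == 1

def login_safe(conn, login, password):
    """Hardened: placeholders make the driver pass the input as data, so the
    whole fragment is just a username that matches no row."""
    sql = "SELECT COUNT(*) FROM users WHERE usr_login=? AND usr_password=?"
    return conn.execute(sql, (login, password)).fetchone()[0] == 1

def probe(fn, conn, login, password):
    """Classify the outcome: 'ok' / 'denied' for a normal authentication result,
    'db-error' when the database choked on attacker-controlled SQL (the error
    message an error-based injection reads its answer from)."""
    try:
        return "ok" if fn(conn, login, password) else "denied"
    except sqlite3.Error:
        return "db-error"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("unsafe", login_unsafe), ("safe", login_safe)):
        print(name, "normal:", probe(fn, db, "alice", "correct horse"),
              "payload:", probe(fn, db, PAYLOAD_LOGIN, "aaa"))
```

The same discipline applies to the error channel itself: even with parameterised queries, database error text should go to the server log, never into the HTTP response.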
Insecure upload
Be proactive
To avoid unpleasant surprises, test before someone else does
How it is done
Identification / automated tests
• Network layer
• App layer
Manual testing
• Injections
• Sessions
• Business logic, etc.
Finalizing
• DoS
• Report
• Re-tests
Recap
Questions?