OWASP Denver Nov 06 presentation

50 %
50 %
Information about OWASP Denver Nov 06 presentation

Published on August 30, 2007

Author: Clown

Source: authorstream.com

Application Security Reviews:  Application Security Reviews David Byrne, CISSP, MCSE Security Architect EchoStar Satellite, LLC David.Byrne@EchoStar.com November 15, 2006 Testing Steps:  Testing Steps Planning Reconnaissance Infrastructure Input validation Denial of Service (DoS) Authentication andamp; Authorization Information Disclosure Code Review Reporting OWASP Testing Guide:  OWASP Testing Guide Version 2 is being completed http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC OWASP Top 10:  Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting Buffer Overflow Injection Flaws Improper Error Handling Insecure Storage Application Denial of Service Insecure Configuration Management OWASP Top 10 Unvalidated Input Broken Access Control Broken Authentication and Session Management Infrastructure Vulnerabilities Information Disclosure Insecure Storage Improper Error Handling Application Denial of Service Buffer Overflow Insecure Configuration Management Planning:  Planning Change Management Don’t get fired Communicate fully Get approvals in writing Clearly defined scope Test or production Which web servers will be targeted Can vulnerabilities be exploited Can modifications be made via exploits Will Denial of Service be tested Are brute force attacks allowed White box vs. black box Planning - Tools:  Planning - Tools Presenter's favorites WebScarab – Testing proxy, fuzzer, spider, more Nessus – General vulnerability scanner Wikto – Signature-based web scanning, Google reconnaissance Nmap – Port scanner andamp; fingerprinting WireShark (Ethereal) – Packet capture Other free tools Nikto – Signature-based web scanning Pantera – New tool from OWASP, automated scanning Paros – Testing proxy, spider BurpSuite – Testing proxy, more Commercial tools Acunetix Web Vulnerability Scanner Cenzic Hailstorm N-Stealth Sensepost Suru SPI Dynamics WebInspect Watchfire AppScan WebScarab:  WebScarab Proxy Records all HTTP sessions Allows requests andamp; responses to be intercepted and modified Displays HTTP sessions in parsed or raw formats Reveals hidden fields Manual requests Web Services tools Session ID Analysis Fuzzer Automated extensions checking (.bak, etc) Reconnaissance & Automated Scanning:  Reconnaissance andamp; Automated Scanning Google (Wikto) – Can find some vulnerabilities, pages difficult to navigate to Spider (WebScarab) Specialized Web scanners (Wikto, commercial) – Known web-app vulnerabilities; simple cases of XSS, SQL injection, etc. Try to identify what off-the-shelf software is being used, then research vulnerabilities (securityfocus.com) Source code Look on open file shares Look for unsecured code repositories Infrastructure:  Infrastructure Port scan (nmap) General vulnerability scan (Nessus) Unsecured HTTP management ports Web Server attacks Application framework attacks: WebMethods, WebLogic, other J2EE, ColdFusion, etc Miscellaneous vulnerable services; NetBIOS, RPC, etc. Input Validation:  Input Validation SQL Injection Cross Site Scripting (XSS) Buffer Overflows SQL Injection:  SQL Injection Caused by failure to properly validate user-provided input Allows arbitrary commands to be executed in the database Example for a login: Username = byrned Password = very_secure SQL Injection:  SQL Injection SELECT count(userID) FROM users WHERE username = 'byrned' AND password = 'very_secure' SQL Injection:  SQL Injection Username: byrned' OR 1=1 -- SELECT count(userID) FROM users WHERE username = 'byrned' OR 1=1 -- ' AND password = 'very_secure' SQL Injection:  SQL Injection Test by inserting string delimiting characters such as a single quote Look for error messages SQL Injection:  SQL Injection Customer Search Tool Zip Code: query = 'SELECT name, address, city, state, zip' + 'FROM customers' + 'WHERE zip = ' ' + zipcode + ' ' '; SQL Injection:  SQL Injection This information is updated every Thursday SQL Injection:  SQL Injection zip: 80202' OR 1=1 -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' OR 1=1 -- ' SQL Injection:  SQL Injection zip: 80202' OR 1=1 -- SQL Injection:  SQL Injection zip: 80202' UNION SELECT username, password, null, null, null FROM users -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' UNION SELECT username, password, null, null, null FROM users -- ' SQL Injection:  SQL Injection SQL Injection:  SQL Injection Resources: http://www.owasp.org/index.php/SQL_Injection http://www.unixwiz.net/techtips/sql-injection.html http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html http://www.ngssoftware.com/papers/advanced_sql_injection.pdf http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf Cross Site Scripting (XSS):  Cross Site Scripting (XSS) Allows an attacker to imbed arbitrary HTML inside a web page Can be persistent (e.g. a bulletin board) or dynamic (e.g. a URL) JavaScript can Redirect the browser to an attack site Monitor and report browsing activity using frames Launch attacks against browser vulnerabilities Steal cookies Perform actions while impersonating user (MySpace worm) Cross Site Scripting (XSS):  Cross Site Scripting (XSS) Look for any content in a web page that was based on user-provided input Check the source: The content might be in the HTML, but not displayed Input isn’t limited to visible form fields. Look at cookies, HTTP headers, URL query strings, hidden fields Standard pages aren’t the only source of XSS; error pages (even 404s) are frequently vulnerable Cross Site Scripting (XSS):  Cross Site Scripting (XSS) No results were found for zip code '00000' Cross Site Scripting:  Cross Site Scripting andlt;scriptandgt;alert('XSS')andlt;/scriptandgt; Cross Site Scripting (XSS):  Cross Site Scripting (XSS) Resources: http://ha.ckers.org/xss.html http://www.cgisecurity.com/articles/xss-faq.shtml http://www.owasp.org/index.php/XSS Buffer Overflows:  Buffer Overflows Not common with modern web environments With black box, send long strings for different parameters, andgt;1024 bytes; might have to switch to POST White box techniques beyond presentation’s scope Denial of Service (DoS):  Denial of Service (DoS) Locking Customer Accounts Buffer Overflows User Specified Object Allocation User Input as a Loop Counter Writing User Provided Data to Disk Failure to Release Resources Storing too Much Data in Session http://www.owasp.org/index.php/Testing_for_application_layer_Denial_of_Service_%28DoS%29_attacks Authentication & Authorization:  Authentication andamp; Authorization Session IDs Authentication Authorization Session IDs:  Session IDs Session IDs best stored in a cookie, not in the URL Should be randomly generated Should be from a large data set (andgt;= 128 bits recommended) Use WebScarab’s Session ID analyzer WebScarab Session ID Analysis:  WebScarab Session ID Analysis Cookie Analysis – Data Formats:  Cookie Analysis – Data Formats Plain text This is a test string with some odd characters !@#$%^andamp;*()_+-=\ Hexadecimal: Base 16 representation of the ASCII character numbers. Characters 0-9,a-f 546869732069732061207465737420737472696e67207769746820736f6d65206f646420636861726163746572732021402324255e262a28295f202d3d Base64: Complicated. See http://en.wikipedia.org/wiki/Base64. Characters A-Z,a-z,0-9,/,+, and equal (=) for suffix padding VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4mKigpXyAtPQ== HTML encoding: HTML escaped characters using the character numbers. Uses this format: ampersand (andamp;), pound (#), character number in decimal (0-9), semicolon (;) andamp;#84;andamp;#104;andamp;#105;andamp;#115;andamp;#32;andamp;#105;andamp;#115;andamp;#32;andamp;#97;andamp;#32;andamp;#116;andamp;#101;andamp;#115;andamp;#116;andamp;#32;andamp;#115;andamp;#116;andamp;#114;andamp;#105;andamp;#110;andamp;#103;andamp;#32;andamp;#119;andamp;#105;andamp;#116;andamp;#104;andamp;#32;andamp;#115;andamp;#111;andamp;#109;andamp;#101;andamp;#32;andamp;#111;andamp;#100;andamp;#100;andamp;#32;andamp;#99;andamp;#104;andamp;#97;andamp;#114;andamp;#97;andamp;#99;andamp;#116;andamp;#101;andamp;#114;andamp;#115;andamp;#32;andamp;#33;andamp;#64;andamp;#35;andamp;#36;andamp;#37;andamp;#94;andamp;#38;andamp;#42;andamp;#40;andamp;#41;andamp;#95;andamp;#32;andamp;#45;andamp;#61; Cookie Analysis – Data Formats:  Cookie Analysis – Data Formats HTTP URL encoding: spaces turned to plus (+), non alphanumeric characters encoded with percent (%), then the hexadecimal character number (0-9,a-f) This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A%28%29_+-%3D HTTP URL encoding – all hex: In addition to the standard URL encoding described above, all characters, including alphanumeric, can be hex encoded %54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69%74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21%40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d IP Address formatting Octet, most common: Hex, obtained by converting each octet into a two digit hexadecimal number: 0A017C03 Decimal, obtained by converting the hex format into a base 10 number: 167869443 Authentication:  Authentication SQL Injection LDAP Injection Session Hijacking Theft of cookies/session IDs through XSS Guessing valid session IDs Theft of session IDs stored in URLs via browser history High or missing timeout values Brute force password attacks (THC-Hydra) Field changes: http://www.site.com/page.asp?authenticated=no http://www.site.com/page.asp?authenticated=yes Password reset facilities New passwords emailed Process flow for question response Authorization Bypassing:  Authorization Bypassing Manually browse to known URLs without authentication Obtain admin andamp; user credentials, try to access admin pages with user login Directory traversals andamp; listing Original: http://www.example.com/app/auth/login.php Request: http://www.example.com/app/auth/ Request: http://www.example.com/app/ Request: http://www.example.com/../ http://www.owasp.org/index.php/Bypassing_Authentication_Schema_AoC Information Disclosure:  Information Disclosure Directory traversal andamp; listing HTML andamp; JavaScript comments Error messages can divulge: Operating System environmental parameters Web Server settings Database drivers in use SQL queries run on a page Software versions Code Review:  Code Review SQL queries Stored procedures User-supplied input as part of output Operating System / shell commands Error handling routines Source code storage andamp; access Authentication andamp; authorization mechanisms http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents Reporting:  Reporting Severity Category (OWASP Top 10) Location (e.g. line 23 of /search/main.php) Example exploit Impact of exploit (e.g. theft of credit card data) Recommended remediation Third party documentation (vendor or OWASP) Reporting - Categorize severity:  Reporting - Categorize severity PCI severity levels: https://pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf 5 Urgent Trojan Horses; file read and writes exploit; remotecommand execution 4 Critical Potential Trojan Horses; file read exploit 3 High Limited exploit of read; directory browsing; DoS 2 Medium Sensitive configuration information can be obtained by hackers 1 Low Information can be obtained by hackers on configuration Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/ http://nvd.nist.gov/cvss.cfm?calculator Remote vs. local expliot Attack complexity Authentication required Availability of exploit Type of fix available C/A/I impact Impact value rating Organization specific potential for loss Percentage of vulnerable systems Level of vulnerability confirmation Example Finding:  Example Finding 11. Improper use of varchar data types Severity: Critical Category: Injection Flaws Exploitation prerequisites: Internet access; authentication may not be required for all pages Description Some pages handle numeric data types as 'varchars' (character string). This makes SQL injection possible, despite the 'cfqueryparam' tag; since there is no quote to break out of, escaping quote characters won’t help. This occurs in many pages. Example \dsg\createNewPage.cfm; line 54 andlt;CFQUERY name='tied' DATASOURCE = '#APPLICATION.DATASOURCE#'andgt; select user_name from users (nolock) where user_number = andlt;cfqueryparam value='#url.usernumber#' cfsqltype='CF_SQL_VARCHAR'andgt; andlt;/CFQUERYandgt; Recommendation Every file should be reviewed for how each SQL query or stored procedure is called. Change all numeric SQL parameters to use CF_SQL_INTEGER. References http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html http://www.owasp.org/index.php/Data_Validation Questions:  Questions

Add a comment

Related presentations

Related pages

OWASP Education Presentation - OWASP

2008-07-06 OWASP Top 10 Introduction and Remedies: ... OWASP Overview presentation covering OWASP, ... Nov 2006 : Denver:
Read more


The Open Web Application Security Project (OWASP) ... Our mission is to make software security visible, so that individuals ... Presentations ...
Read more

OWASP Zed Attack Proxy - Simon Bennetts - YouTube

OWASP Zed Attack Proxy - Simon Bennetts The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects. It is designed to be used by ...
Read more

Top 10 Web Hacking Techniques of 2013 - OWASP AppSecUSA ...

Recorded at AppSecUSA 2014 in Denver http://2014.appsecusa.org ... Managed by the official OWASP Media Project ... 57:06. by CernerEng ...
Read more

South Florida OWASP (@sfowasp) | Twitter

The latest Tweets from South Florida OWASP (@sfowasp). The official Twitter feed for the South Florida OWASP Chapter. Miami / Fort Lauderdale
Read more

Colorado floods now and then, a series of photographic ...

Posted Nov 06, 2013. Share This ... Denver Post photographers amassed ... Watch this presentation from former and current Denver Post ...
Read more

11 Scalability Concepts Every Architect Should Understand ...

OWASP Boston. 08 -October-2011. Boston ... http://blogs.westword.com/latestword/2009/10/denver_is_smarter ... From Jim O’Neil’s presentation ...
Read more