2014 guestlecture-infosec

Boy Baukema
12th March, HZ, Vlissingen
Practical Hacking: OWASP Top 10
Wednesday, March 12, 14

So who’s this guy?
Boy Baukema
Security Specialist & Senior Engineer
@ Ibuildings.nl
boy@ibuildings.nl
twitter: @relaxnow
2

By what company?
Ibuildings (not owned by Apple)
3

A Security what?
Security Specialist:
Senior Software Engineer
+ R&D Security
+ Security Training
+ Internal Consulting
+ Internal Security Audits
+ External Security Audits
4

Okay, what’s he doing here?
‣ Introduction
(10m)
‣ Before We Dive In
(10m)
‣ OWASP TOP 11 2013
(+/- 15m per item)
‣ Where To Next?
(10m)
5

Before we dive in...
8

Ethical Hacking & The (Dutch) Law
9
blog.iusmentis.com
Artikel 138ab &
138b

Responsible Disclosure
10

of 2013
OWASP Top 11
11

OWASP Top 10 2013 BONUS - Clickjacking
12http://www.youtube.com/watch?v=DRQ8oC2MWAg

A10-Unvalidated Redirects and Forwards
13

A10-Unvalidated Redirects and Forwards
http://goo.gl/Gmzqv
https://www.bank.com:login.html@phisher.cn/
http://www.bank.com:login.html@74.125.131.105
http://www.bank.com:login.html@1249739625/
http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/
http://www.bank.com:login.html@0112.0175.0203.0151/
http://pc-help.org/o%62s%63ur%65%2e%68t%6D
14

A9-Using Components with Known Vulnerabilities
174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4f
e1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1″ 404 5923 “-”
“BOT/0.1 (BOT for JCE)”
174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-
and-2-5-0-2-5-2-being-exploited-now/index.php?
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5a
c65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”
option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5a
c65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – - [03/Feb/2014:01:01:11 -0500] “GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-
and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1″ 404 6237 “-” “Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6″
15

A8-Cross-Site Request Forgery (CSRF)
16http://www.youtube.com/watch?v=vRBihr41JTo

A7-Missing Function Level Access Control
17

A6-Sensitive Data Exposure
18

A6-Sensitive Data Exposure
19

A5-Security Misconfiguration
http://www.exploit-db.com/google-dorks/
20

A4-Insecure Direct Object References
21

A3-Cross-Site Scripting (XSS)
22
http://www.youtube.com/watch?v=a9WNy2ZSq8Y

A3-Cross-Site Scripting (XSS)
23

A2-Broken Authentication and Session Management
24

A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset
25

HTTP Strict Transport Security
Strict-Transport-Security:
‣ max-age=60000;
‣ includeSubDomains
26

A1-Injection
27

Now What?
28

Conferences, People & Resources
‣ Security.nl
‣ Owasp.org
‣ Hackvertor
‣ Webappsec.io
‣ Chris Cornutt
‣ Bruce Schneider
‣ OWASP BeNeLux
‣ OWASP EU
‣ Hack In The Box
‣ Black Hat Europe
30

Companies
‣ Fox-IT
‣ Madison Ghurka
‣ Pine
‣ Ibuildings.nl
31

QUESTIONS
32Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec

2014 guestlecture-infosec

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (9)

Recently uploaded

Recently uploaded (20)

2014 guestlecture-infosec