SlideShare una empresa de Scribd logo

Getting Inside Common Web Security Threats

A
Andy Longshaw

Slides from the SPA2015 session of the same name delivered with Eoin Woods and Nick Rozanski.

Tecnología
1 de 34
Descargar para leer sin conexión
Getting Inside Common Web Security Threats ANDY LONGSHAW AND EOIN WOODS SPA2015, JUNE 2015
Introductions u  Andy Longshaw u  Solution Architect at Advanced Legal u  Inveterate worrier about system qualities like availability and… security u  Responsible for a public-facing, cloud-based web system u  Eoin Woods u  CTO at Endava u  Long time security dabbler u  Increasingly concerned at level of cyber threat for “normal” systems
Goals u  Introduce OWASP and the Top 10 Vulnerabilities List u  Illustrate some of the Top 10 by exploiting them ourselves u  Show how real attacks combine vulnerabilities u  Introduce some useful tools u  Mutillidae, BurpSuite, SQLMap
Content u  The OWASP Top 10 u  The Tools We’ll Use u  Exercises u  Reviewing Defences u  Summary
The OWASP Top 10
OWASP u  The Open Web Application Security Project u  Largely volunteer organisation, largely online u  Exists to improve the state of software security u  Performs research u  Develops tools u  Publishes guidance and informal standards u  Runs local chapters for face to face meetings (a dozen in the UK alone) u  “OWASP Top 10” project lists the top application security risks u  Referenced widely by MITRE, PCI DSS and similar u  Updated every few years (2003, 2004, 2007, 2010, 2013)
OWASP Top 10 u  #1 Injection Attacks u  #2 Authentication and Session Management u  #3 Cross Site Scripting (XSS) u  #4 Direct Object Reference u  #5 Security Misconfiguration u  #6 Sensitive Data Exposure u  #7 Function Level Access Control u  #8 Cross Site Request Forgery (CSRF) u  #9 Component Vulnerabilities u  #10 Unvalidated Redirects and Forwards These may look “obvious” but appear on the list year after year, based on real vulnerability databases!
#1 Injection Attacks u  Unvalidated input passed to an interpreter u  Operating system and SQL are most common u  Defences include “escaping” inputs, using bind variables, using white lists, … SELECT * from table1 where name = ’%1’ Set ‘%1’ to ‘ OR 1=1 -- Result => SELECT * FROM table1 WHERE name = ’ ’ OR 1=1 --
#2 Broken Authentication or Session Management u  HTTP is stateless => some sort of credential sent every time u  Credential sent over non-TLS connection can be tampered with u  Session ID often displayed yet often as good as login details u  Defences based on strong authentication and session management controls a5f3dd56ff32 a5f3dd56ee33
#3 Cross Site Scripting u  Slightly misleading name – occurs any time script is injected into a user’s web page u  Reflected attack – crafted link in email, on a forum, … u  Persistent attack - database records, site’s postings, activity listings u  Allows redirection, session data stealing, page corruption, … u  Defences include validation and escaping on the server-side
#4 Insecure Direct Object Refs u  Directly referencing filenames, object IDs and similar in requests u  Not authenticating access to each on the server u  e.g. relying on limited list of options returned to client u  Allows client to modify request and gain access to other objects u  Defences include using pseudo references on client and authenticating all object accesses http://mysite.com/view?id=file1.txt … how about http://mysite.com/view?id=../robots.txt ??
#5 Security Misconfiguration u  Security configuration is often complicated u  Many different places to put it, complex semantics u  Layers from OS up to application all need to be consistent u  It is easy to accidentally miss an important part u  OS file permissions? u  .htaccess files? u  Shared credentials in test and production? u  Allows accidental access to resources or even site modification u  Mitigation via scanning, standardisation, simplicity and automation
#6 Sensitive Data Exposure u  Is sensitive data secured in transit? u  TLS, message encryption u  Is sensitive data secured at rest? u  Encryption, tokenisation, separation u  Loss of data (e.g. credit card numbers) or spoofing attacks u  Mitigation via threat analysis, limiting scope of data, standardisation
#7 Function Level Access Control u  Relying on information sent to the client for access control u  e.g. page menu omitting “update” and “delete” option for a record u  Not checking the action (function) being performed on the server u  Client can guess or infer the right request form for the other actions u  Bypassed security model - also see #4 Insecure Object References u  Never trust the client - check authorisation for every request http://www.example.com/gettxn?txnid=4567 à http://www.example.com/updttxn?txnid=4567&value=1000.00
#8 Cross Site Request Forgery u  User triggers malicious code that submits fraudulent request using browser security context u  e.g. clicking a link => run JavaScript => change Github password u  Various subtle variations on this make defence quite difficult u  How you do you know it is the user? u  Primary defence is the “challenge value” in pages u  Expect the challenge value from the latest page in any request u  More authentication steps for sensitive operations u  Short sessions with real logout process
#9 Known Vulnerable Components u  Many commonly used components have vulnerabilities u  See weekly US-CERT list for a frightening reality check! u  Many open source libraries don’t have well researched vulnerabilities u  Few teams consider the security of their 3rd party components u  And keeping everything up to date is disruptive u  Consider automated scanning of 3rd party components, actively review vulnerability lists, keep components patched
#10 Unvalidated Redirects and Forwards u  Redirecting or forwarding to targets based on parameters u  Avoid using parameters where redirect or forward is needed. Where parameter is needed use a key and map to URL on server http://www.mysite.com/selectpage?pageid=emea_home.html -> http://www.mysite.com/selectpage?pageid=pishinghome.com (Without careful validation this redirects user to malicious page)
Summary of Attack Vector Types u  Interpreter injections – OS, SQL, … u  Page injections – HTML, XSS (JavaScript) u  Lack of Validation – trusting client side restrictions, allowing session IDs and cookies to be reused, not checking input fields thoroughly, using parameter values directly in pages and links u  Not protecting valuable data – data loss, spoofing, man in the middle, … u  Underlying Platform – configuration mistakes, vulnerabilities, complexity
Tools We’ll Use
Mutillidae u  Deliberately insecure LAMP web application u  We have provided it in a VirtualBox VM u  Provides examples of the OWASP Top 10 in action u  We will use it to illustrate exploiting the vulnerabilities www.irongeek.com http://sourceforge.net/projects/mutillidae/
BurpSuite u  Commercial proxy, scanning, pentest tool u  Very capable free version available u  Inspect traffic, manipulate headers and content, … u  Made in Knutsford! http://portswigger.net/burp
Browser and Proxy Switcher u  Chrome and SwitchySharp or other similar pairing u  Allows easy switching of proxy server to BurpSuite
SQLMap (optional) u  Automated SQL injection and database pentest tool u  Open source Python based command line tool u  Frighteningly effective!
Exercises
Structure of the Exercises u  Scout out the system u  SQL injection attacks u  Insecure direct object reference attack for a file u  Get access to the operating system u  OS injection attack u  Unvalidated file upload attack and inject PHP file into the web site u  Get access to a user’s account u  Write a blog post on behalf of someone else (session token attack) u  Steal login credentials u  XSS attack using a crafted HTML form, JavaScript and a blog post
Getting Started Mutillidae BurpSuite (proxy)Browser with proxy plugin •  Start Mutillidae in a VirtualBox VM •  Start BurpSuite and enable the proxy •  Configure browser to use BurpSuite proxy (localhost:9000)
Working with the Exercises u  Self paced exercises by yourself or in pairs u  Self contained on your machine u  We provide: u  Overview and instructions u  Solutions if you want them u  As you go, reflect on what you’re learning – we’ll share at the end
Demonstrations u  SQL injection to list all users u  BurpSuite request interception u  JavaScript alertbox injection
Exercises •  35 minutes setup and initial exercise •  15 minute break •  45 minutes further exercises •  Mutillidae URL •  http://YOUR-VM-IP-ADDRESS/mutillidae
Reviewing Defences
Key Web Vulnerability Defences u  Don’t trust clients (browsers) u  Validate inputs, confirm authorisations, validate object references, … u  Identify “interpreters”, escape their inputs, use bind variables, … u  Operating system execution, SQL queries, JavaScript, … u  Web page dynamic content (escape, validate, placeholders) u  Protect valuable information at rest and in transit u  Simplicity u  Verify configuration and correctness u  Standardise and Automate u  Force consistency, avoid configuration errors
Summary
Summary u  Much of the technology we use is inherently insecure u  Mitigation needs to be part of application development u  Attacking systems is becoming industrialised u  Digital transformation is providing more valuable, less secure targets u  Fundamental attack vectors appear again and again u  Injection, interception, web page manipulation, missing validation, poor configuration, … u  Most real attacks exploit a series of vulnerabilities u  Each vulnerability may not look serious, the combination is u  Most mitigations are not difficult but need to be applied consistently u  … and may conflict with other desirable qualities
Andy Longshaw andy@blueskyline.com www.blueskyline.com @andylongshaw Eoin Woods eoin.woods@artechra.com www.artechra.com @eoinwoods

Recomendados

Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Abusing Target
Abusing Target Abusing Target
Abusing Target nullowaspmumbai
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Common WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About ThemCommon WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About ThemEoin Woods
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 

Recomendados

Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Abusing Target
Abusing Target Abusing Target
Abusing Target nullowaspmumbai
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Common WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About ThemCommon WebApp Vulnerabilities and What to Do About Them
Common WebApp Vulnerabilities and What to Do About ThemEoin Woods
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationIslam Azeddine Mennouchi
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Web security
Web securityWeb security
Web securitykareem zock
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)Anatoliy Okhotnikov
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010Tommy Tracx Xaypanya
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Web Security
Web SecurityWeb Security
Web SecurityGerald Villorente
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3Paul Glavich
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Daniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxDaniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxRomania Testing
 
Xpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technologyXpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technologyAndy Longshaw
 
Are projects agile?
Are projects agile?Are projects agile?
Are projects agile?Andy Longshaw
 

Más contenido relacionado

Similar a Getting Inside Common Web Security Threats

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksThreatReel Podcast
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationowasp-pune
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3Paul Glavich
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Daniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxDaniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxRomania Testing
 

Similar a Getting Inside Common Web Security Threats (20)

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Web security
Web securityWeb security
Web security
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Web Security
Web SecurityWeb Security
Web Security
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Daniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxDaniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolbox
 

Más de Andy Longshaw

Xpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technologyXpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technologyAndy Longshaw
 
Trying to build learning into team life
Trying to build learning into team lifeTrying to build learning into team life
Trying to build learning into team lifeAndy Longshaw
 
Why you need more documentation
Why you need more documentationWhy you need more documentation
Why you need more documentationAndy Longshaw
 
We said it was simple
We said it was simpleWe said it was simple
We said it was simpleAndy Longshaw
 
When will we ever learn?
When will we ever learn?When will we ever learn?
When will we ever learn?Andy Longshaw
 

Más de Andy Longshaw (6)

Xpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technologyXpm nov 17 morals and ethics in technology
Xpm nov 17 morals and ethics in technology
 
Are projects agile?
Are projects agile?Are projects agile?
Are projects agile?
 
Trying to build learning into team life
Trying to build learning into team lifeTrying to build learning into team life
Trying to build learning into team life
 
Why you need more documentation
Why you need more documentationWhy you need more documentation
Why you need more documentation
 
We said it was simple
We said it was simpleWe said it was simple
We said it was simple
 
When will we ever learn?
When will we ever learn?When will we ever learn?
When will we ever learn?
 

Último

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 

Último (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Getting Inside Common Web Security Threats

  • 1. Getting Inside Common Web Security Threats ANDY LONGSHAW AND EOIN WOODS SPA2015, JUNE 2015
  • 2. Introductions u  Andy Longshaw u  Solution Architect at Advanced Legal u  Inveterate worrier about system qualities like availability and… security u  Responsible for a public-facing, cloud-based web system u  Eoin Woods u  CTO at Endava u  Long time security dabbler u  Increasingly concerned at level of cyber threat for “normal” systems
  • 3. Goals u  Introduce OWASP and the Top 10 Vulnerabilities List u  Illustrate some of the Top 10 by exploiting them ourselves u  Show how real attacks combine vulnerabilities u  Introduce some useful tools u  Mutillidae, BurpSuite, SQLMap
  • 4. Content u  The OWASP Top 10 u  The Tools We’ll Use u  Exercises u  Reviewing Defences u  Summary
  • 6. OWASP u  The Open Web Application Security Project u  Largely volunteer organisation, largely online u  Exists to improve the state of software security u  Performs research u  Develops tools u  Publishes guidance and informal standards u  Runs local chapters for face to face meetings (a dozen in the UK alone) u  “OWASP Top 10” project lists the top application security risks u  Referenced widely by MITRE, PCI DSS and similar u  Updated every few years (2003, 2004, 2007, 2010, 2013)
  • 7. OWASP Top 10 u  #1 Injection Attacks u  #2 Authentication and Session Management u  #3 Cross Site Scripting (XSS) u  #4 Direct Object Reference u  #5 Security Misconfiguration u  #6 Sensitive Data Exposure u  #7 Function Level Access Control u  #8 Cross Site Request Forgery (CSRF) u  #9 Component Vulnerabilities u  #10 Unvalidated Redirects and Forwards These may look “obvious” but appear on the list year after year, based on real vulnerability databases!
  • 8. #1 Injection Attacks u  Unvalidated input passed to an interpreter u  Operating system and SQL are most common u  Defences include “escaping” inputs, using bind variables, using white lists, … SELECT * from table1 where name = ’%1’ Set ‘%1’ to ‘ OR 1=1 -- Result => SELECT * FROM table1 WHERE name = ’ ’ OR 1=1 --
  • 9. #2 Broken Authentication or Session Management u  HTTP is stateless => some sort of credential sent every time u  Credential sent over non-TLS connection can be tampered with u  Session ID often displayed yet often as good as login details u  Defences based on strong authentication and session management controls a5f3dd56ff32 a5f3dd56ee33
  • 10. #3 Cross Site Scripting u  Slightly misleading name – occurs any time script is injected into a user’s web page u  Reflected attack – crafted link in email, on a forum, … u  Persistent attack - database records, site’s postings, activity listings u  Allows redirection, session data stealing, page corruption, … u  Defences include validation and escaping on the server-side
  • 11. #4 Insecure Direct Object Refs u  Directly referencing filenames, object IDs and similar in requests u  Not authenticating access to each on the server u  e.g. relying on limited list of options returned to client u  Allows client to modify request and gain access to other objects u  Defences include using pseudo references on client and authenticating all object accesses http://mysite.com/view?id=file1.txt … how about http://mysite.com/view?id=../robots.txt ??
  • 12. #5 Security Misconfiguration u  Security configuration is often complicated u  Many different places to put it, complex semantics u  Layers from OS up to application all need to be consistent u  It is easy to accidentally miss an important part u  OS file permissions? u  .htaccess files? u  Shared credentials in test and production? u  Allows accidental access to resources or even site modification u  Mitigation via scanning, standardisation, simplicity and automation
  • 13. #6 Sensitive Data Exposure u  Is sensitive data secured in transit? u  TLS, message encryption u  Is sensitive data secured at rest? u  Encryption, tokenisation, separation u  Loss of data (e.g. credit card numbers) or spoofing attacks u  Mitigation via threat analysis, limiting scope of data, standardisation
  • 14. #7 Function Level Access Control u  Relying on information sent to the client for access control u  e.g. page menu omitting “update” and “delete” option for a record u  Not checking the action (function) being performed on the server u  Client can guess or infer the right request form for the other actions u  Bypassed security model - also see #4 Insecure Object References u  Never trust the client - check authorisation for every request http://www.example.com/gettxn?txnid=4567 à http://www.example.com/updttxn?txnid=4567&value=1000.00
  • 15. #8 Cross Site Request Forgery u  User triggers malicious code that submits fraudulent request using browser security context u  e.g. clicking a link => run JavaScript => change Github password u  Various subtle variations on this make defence quite difficult u  How you do you know it is the user? u  Primary defence is the “challenge value” in pages u  Expect the challenge value from the latest page in any request u  More authentication steps for sensitive operations u  Short sessions with real logout process
  • 16. #9 Known Vulnerable Components u  Many commonly used components have vulnerabilities u  See weekly US-CERT list for a frightening reality check! u  Many open source libraries don’t have well researched vulnerabilities u  Few teams consider the security of their 3rd party components u  And keeping everything up to date is disruptive u  Consider automated scanning of 3rd party components, actively review vulnerability lists, keep components patched
  • 17. #10 Unvalidated Redirects and Forwards u  Redirecting or forwarding to targets based on parameters u  Avoid using parameters where redirect or forward is needed. Where parameter is needed use a key and map to URL on server http://www.mysite.com/selectpage?pageid=emea_home.html -> http://www.mysite.com/selectpage?pageid=pishinghome.com (Without careful validation this redirects user to malicious page)
  • 18. Summary of Attack Vector Types u  Interpreter injections – OS, SQL, … u  Page injections – HTML, XSS (JavaScript) u  Lack of Validation – trusting client side restrictions, allowing session IDs and cookies to be reused, not checking input fields thoroughly, using parameter values directly in pages and links u  Not protecting valuable data – data loss, spoofing, man in the middle, … u  Underlying Platform – configuration mistakes, vulnerabilities, complexity
  • 20. Mutillidae u  Deliberately insecure LAMP web application u  We have provided it in a VirtualBox VM u  Provides examples of the OWASP Top 10 in action u  We will use it to illustrate exploiting the vulnerabilities www.irongeek.com http://sourceforge.net/projects/mutillidae/
  • 21. BurpSuite u  Commercial proxy, scanning, pentest tool u  Very capable free version available u  Inspect traffic, manipulate headers and content, … u  Made in Knutsford! http://portswigger.net/burp
  • 22. Browser and Proxy Switcher u  Chrome and SwitchySharp or other similar pairing u  Allows easy switching of proxy server to BurpSuite
  • 23. SQLMap (optional) u  Automated SQL injection and database pentest tool u  Open source Python based command line tool u  Frighteningly effective!
  • 25. Structure of the Exercises u  Scout out the system u  SQL injection attacks u  Insecure direct object reference attack for a file u  Get access to the operating system u  OS injection attack u  Unvalidated file upload attack and inject PHP file into the web site u  Get access to a user’s account u  Write a blog post on behalf of someone else (session token attack) u  Steal login credentials u  XSS attack using a crafted HTML form, JavaScript and a blog post
  • 26. Getting Started Mutillidae BurpSuite (proxy)Browser with proxy plugin •  Start Mutillidae in a VirtualBox VM •  Start BurpSuite and enable the proxy •  Configure browser to use BurpSuite proxy (localhost:9000)
  • 27. Working with the Exercises u  Self paced exercises by yourself or in pairs u  Self contained on your machine u  We provide: u  Overview and instructions u  Solutions if you want them u  As you go, reflect on what you’re learning – we’ll share at the end
  • 28. Demonstrations u  SQL injection to list all users u  BurpSuite request interception u  JavaScript alertbox injection
  • 29. Exercises •  35 minutes setup and initial exercise •  15 minute break •  45 minutes further exercises •  Mutillidae URL •  http://YOUR-VM-IP-ADDRESS/mutillidae
  • 31. Key Web Vulnerability Defences u  Don’t trust clients (browsers) u  Validate inputs, confirm authorisations, validate object references, … u  Identify “interpreters”, escape their inputs, use bind variables, … u  Operating system execution, SQL queries, JavaScript, … u  Web page dynamic content (escape, validate, placeholders) u  Protect valuable information at rest and in transit u  Simplicity u  Verify configuration and correctness u  Standardise and Automate u  Force consistency, avoid configuration errors
  • 33. Summary u  Much of the technology we use is inherently insecure u  Mitigation needs to be part of application development u  Attacking systems is becoming industrialised u  Digital transformation is providing more valuable, less secure targets u  Fundamental attack vectors appear again and again u  Injection, interception, web page manipulation, missing validation, poor configuration, … u  Most real attacks exploit a series of vulnerabilities u  Each vulnerability may not look serious, the combination is u  Most mitigations are not difficult but need to be applied consistently u  … and may conflict with other desirable qualities