HACKING 101
Umons
3rd-year Bachelor in Computer Science
1st- and 2nd-year Master in Computer Science
One-year Master in Computer Science
1st- and 2nd-year Master in Civil Engineering in Management Informatics
Computer science seminar
25 February 2015
Olivier Houyoux
Technology Security Architect @ Nitroxis Sprl
SCHEDULE FOR THE DAY
1. Why are we here?
2. Real Life Examples
3. Owasp – Top 10 (2013)
4. Demo Web Hacking Simulation Walkthrough
5. Summary
6. Questions
DO WE NEED WEB APP. SECURITY?
• Well managed infrastructure
• Important data on web applications
• Malware spreading
EXAMPLES
1. Barack Obama
2. Maria Sharapova
3. Samy Kamkar
4. Kevin Poulsen
5. …
OPEN WEB APPLICATION SECURITY PROJECT
Make software security visible
• Cheat Sheets, Tutorials, Testing guides…
• Tools (WebGoat, WebScarab, …)
• Library (ESAPI)
• …
OWASP TOP 10
Broad consensus about what the most critical web
application security flaws are.
OWASP TOP 10
OWASP Top 10 - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
A1 – INJECTION
User input injected without checking
• SQL
• LDAP
• Command
• XPath
• …
A1 – SQL INJECTION EXAMPLE
// Vulnerable: the username and password submitted by the user are concatenated
// straight into the SQL text, so quote characters in the input become SQL syntax.
Connection conn = pool.getConnection();
String sql = "select * from user where username='" + username + "'"
    + " and password='" + password + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);
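The slide's login query, as an added example (not from the deck) written in Python with the standard-library sqlite3 module rather than the deck's JDBC, so it runs offline. The user table, the credentials and the crafted input are constructed for the demonstration; the point is that the concatenated query accepts a row for input that is not a credential at all, while the parameterized version keeps the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.execute("insert into user values ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Mirrors the slide: the SQL text is built by string concatenation."""
    sql = ("select * from user where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Fix: placeholders keep the user input as data, never as SQL syntax."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed input: closes the opened quote and appends an always-true clause,
# which is exactly the class of input the concatenated query cannot tell from SQL.
TAUTOLOGY = "' or '1'='1"


def demo():
    """Run both variants on valid, wrong and crafted credentials."""
    conn = make_db()
    return {
        "concat_valid": login_concatenated(conn, "alice", "correct horse"),
        "concat_wrong_pw": login_concatenated(conn, "alice", "wrong"),
        "concat_tautology": login_concatenated(conn, TAUTOLOGY, TAUTOLOGY),
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "param_wrong_pw": login_parameterized(conn, "alice", "wrong"),
        "param_tautology": login_parameterized(conn, TAUTOLOGY, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "-> logged in" if ok else "-> refused")
```

The JDBC equivalent of `login_parameterized` is a `PreparedStatement` with `?` placeholders and `setString`, as the deck itself uses on the A4 slide; the query text then never changes with the input.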
A2 – BROKEN AUTHENTICATION
• User / Password
  Brute force attack
  • Birthday paradox
• Weak management functions
  Change or recover password
A2 – SESSION MANAGEMENT
1. Session Hijacking
• Stealing an authenticated user's session ID
2. Session Fixation
• Forcing the user's session ID
A2 – SESSION HIJACKING EXAMPLE
A2 – SESSION FIXATION EXAMPLE
public class LoginServlet extends HttpServlet {
…
public void doPost(HttpServletRequest request,
HttpServletResponse response) {
String user = request.getParameter("user");
String pass = request.getParameter("password");
…
// Vulnerable: getSession(true) returns the session that already came in with the
// request and only creates a new one if none exists, so the session ID the browser
// held before login stays valid after authentication.
HttpSession session = request.getSession(true);
…
}
…
}
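An added example, not from the deck, of what the servlet above gets wrong and what the fix looks like, in Python with a constructed in-memory session store standing in for the container. `login_fixable` mirrors the slide (the session that arrived with the request is simply marked authenticated); `login_rotating` discards the pre-login session and issues a new ID. `fixation_scenario` checks whether an ID that existed before login ends up authenticated.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store standing in for the servlet container."""

    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def get_session(self, sid, create=True):
        """Like HttpServletRequest.getSession(true): reuse sid if known, else create."""
        if sid in self.sessions:
            return sid
        if not create:
            return None
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {}
        return new_sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


USERS = {"alice": "correct horse"}  # constructed credential table


def login_fixable(store, presented_sid, user, password):
    """Mirrors the slide: authenticate into whatever session already came in."""
    if USERS.get(user) != password:
        return None
    sid = store.get_session(presented_sid)
    store.sessions[sid]["user"] = user
    return sid


def login_rotating(store, presented_sid, user, password):
    """Fix: drop the pre-login session and issue a fresh ID after authentication."""
    if USERS.get(user) != password:
        return None
    if presented_sid in store.sessions:
        store.invalidate(presented_sid)
    sid = store.get_session(None)
    store.sessions[sid]["user"] = user
    return sid


def fixation_scenario(login):
    """An ID exists before login; True if login neither kept it nor left it authenticated."""
    store = SessionStore()
    planted = store.get_session(None)  # ID known before authentication
    sid_after = login(store, planted, "alice", "correct horse")
    planted_is_authenticated = store.sessions.get(planted, {}).get("user") == "alice"
    return sid_after != planted and not planted_is_authenticated


if __name__ == "__main__":
    print("fixable login resists fixation:", fixation_scenario(login_fixable))
    print("rotating login resists fixation:", fixation_scenario(login_rotating))
```

In a servlet the equivalent of `login_rotating` is to call `invalidate()` on the existing session and then `getSession(true)` after the credentials check, or `request.changeSessionId()` on Servlet 3.1 and later.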
A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to the victim's browser without validation and/or escaping.
XSS allows attackers to execute script in the victim's browser to:
• hijack users' sessions,
• redirect the user to a malicious site,
• …
1. Reflected XSS
2. Stored XSS
A3 – XSS EXAMPLE 1 - JSTL
<form name="update" method="post" action="...">
<input type="text" value="<%=userBean.getName()%>"/>
</form>
A3 – XSS EXAMPLE 2 - FREEMARKER
<form name="update" method="post" action="...">
<input type="text" value="${userBean.name}"/>
</form>
A3 – XSS EXAMPLE - ESCAPING
JSTL
<form name="update" method="post" action="...">
<input type="text" value="<%=userBean.getName()%>"/>
</form>
Freemarker
<form name="update" method="post" action="...">
<input type="text" value="${userBean.name}"/>
</form>
Browser
<input type="text" value=""/><script>...</script>"/>
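The attribute-context escaping the slide calls for, as an added example (not from the deck) in Python: `render_input_raw` reproduces the templates above, and `PAYLOAD` is the name value that yields the slide's Browser line. `html.escape` with `quote=True` encodes the five characters that can end an attribute or start a tag.

```python
import html


def render_input_raw(name):
    """Mirrors the slide's JSP/Freemarker template: the value is inserted verbatim."""
    return '<input type="text" value="' + name + '"/>'


def render_input_escaped(name):
    """Fix: encode &, <, >, " and ' before placing data inside the attribute."""
    return '<input type="text" value="' + html.escape(name, quote=True) + '"/>'


# Constructed input: the user name that produces the slide's Browser line.
PAYLOAD = '"/><script>...</script>'


def attribute_stays_closed(markup):
    """Crude structural check: the rendered snippet should open exactly one tag."""
    return markup.count("<") == 1


if __name__ == "__main__":
    print(render_input_raw(PAYLOAD))
    print(render_input_escaped(PAYLOAD))
```

In the deck's templates the same effect comes from `<c:out value="${userBean.name}"/>` in JSTL (which escapes XML characters by default) and `${userBean.name?html}` in Freemarker.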
A4 – INSECURE DIRECT OBJECT REF.
Reference to an internal object like
• file,
• directory,
• database key
without
• access control check,
• other protection.
A4 – DIRECT OBJECT REF. EXAMPLE
String query = "select * from accounts where account = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, request.getParameter("account"));
ResultSet rs = stmt.executeQuery();
http://foo.com/app/accountInfo?account=notmyaccount
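The slide's lookup is already parameterized, so it is not an injection; the problem is that any account key the caller names is returned. An added example (not from the deck) in Python with a constructed sqlite3 accounts table: `account_info_unchecked` mirrors the slide, `account_info_checked` ties the lookup to the authenticated user.

```python
import sqlite3


def make_db():
    """Constructed accounts table: each row records which user owns it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (account text, owner text, balance integer)")
    conn.executemany("insert into accounts values (?, ?, ?)", [
        ("myaccount", "alice", 100),
        ("notmyaccount", "bob", 5000),
    ])
    conn.commit()
    return conn


def account_info_unchecked(conn, account_param):
    """Mirrors the slide: parameterized, but returns whatever key the request names."""
    return conn.execute(
        "select * from accounts where account = ?", (account_param,)).fetchone()


def account_info_checked(conn, account_param, session_user):
    """Fix: the ownership check is part of the query, keyed on the authenticated identity
    taken from the session, never from the request."""
    return conn.execute(
        "select * from accounts where account = ? and owner = ?",
        (account_param, session_user)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print("unchecked, alice asks for notmyaccount:", account_info_unchecked(conn, "notmyaccount"))
    print("checked,   alice asks for notmyaccount:", account_info_checked(conn, "notmyaccount", "alice"))
    print("checked,   alice asks for myaccount:   ", account_info_checked(conn, "myaccount", "alice"))
```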
A5 – SECURITY MISCONFIGURATION
• Secure configuration defined and deployed for the:
  • application,
  • frameworks,
  • application server,
  • web server,
  • database server,
  • platform.
A5 – MISCONFIGURATION EXAMPLE
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" … />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" … />
<Connector port="443"
protocol="org.apache. … .Http11Protocol" … />
</Service>
</Server>
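An added example, not from the deck, of turning the slide's observations into a check: a Python script that parses a Tomcat-style server.xml and flags the shipped default shutdown command on an enabled shutdown port and plain HTTP connectors that do not redirect to TLS. Both XML fragments are constructed for the example (the slide's ellipses are not filled in; the attributes shown are the author's own sample), and `HARDENED_XML` is the corrected configuration for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the slide's server.xml.
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"/>
    <Connector port="443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

# Constructed corrected configuration: shutdown port disabled, non-default command,
# and the HTTP connector redirects to the TLS connector.
HARDENED_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="-1" shutdown="CHANGE-ME-TO-A-LONG-RANDOM-STRING">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return a list of findings for the weaknesses the slide points at."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    # Tomcat ships with shutdown="SHUTDOWN"; port="-1" disables the shutdown listener.
    if root.get("shutdown") == "SHUTDOWN" and root.get("port") != "-1":
        findings.append("default shutdown command on an enabled shutdown port")
    for connector in root.iter("Connector"):
        is_tls = (connector.get("SSLEnabled", "false").lower() == "true"
                  or connector.get("secure", "false").lower() == "true")
        if not is_tls and connector.get("redirectPort") is None:
            findings.append("plain HTTP connector on port %s without redirectPort"
                            % connector.get("port"))
    return findings


if __name__ == "__main__":
    print("as on the slide:", audit_server_xml(SERVER_XML))
    print("hardened:       ", audit_server_xml(HARDENED_XML))
```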
A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data such as
• credit cards,
• authentication credentials,
• …
Apply extra protection (encryption at rest or in transit) and take precautions when such data is exchanged with the browser.
A6 – DATA EXPOSURE EXAMPLE 1
An application encrypts credit card numbers in a database
using automatic database encryption.
However, this means it also decrypts this data
automatically when retrieved, allowing an SQL injection
flaw to retrieve credit card numbers in clear text.
A6 – DATA EXPOSURE EXAMPLE 2
A site simply doesn’t use SSL for all authenticated pages.
Attacker simply monitors network traffic (like an open
wireless network), and steals the user’s session cookie.
A7 – MISSING ACCESS CONTROL
Verify function-level access:
• before making functionality visible in the GUI ✓
• when each function is accessed ✗
A7 – ACCESS CONTROL EXAMPLE
@Stateless
public class OrderBean implements Order {
public String getDetail(String id) {
…
}
public String approve(String id) {
…
}
…
}
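The point of the slide is that `approve` must check the caller's role itself, not rely on the GUI hiding the button. An added example (not from the deck) in Python: a `requires_role` decorator enforces the check at the method, and `try_approve` simulates a direct call that bypasses the GUI. `OrderBean`, the roles and the order data are constructed for the example.

```python
from functools import wraps


class AccessDenied(Exception):
    pass


def requires_role(role):
    """Enforce the check on the function itself, not only in the UI that links to it."""
    def decorate(fn):
        @wraps(fn)
        def guarded(self, caller, *args, **kwargs):
            if role not in caller.get("roles", ()):
                raise AccessDenied("%s requires role %r" % (fn.__name__, role))
            return fn(self, caller, *args, **kwargs)
        return guarded
    return decorate


class OrderBean:
    """Constructed counterpart of the slide's OrderBean; 'caller' is the authenticated principal."""

    def __init__(self):
        self.orders = {"42": {"detail": "2 x widget", "approved": False}}

    @requires_role("user")
    def get_detail(self, caller, order_id):
        return self.orders[order_id]["detail"]

    @requires_role("manager")
    def approve(self, caller, order_id):
        self.orders[order_id]["approved"] = True
        return "approved"


def try_approve(caller):
    """Outcome of calling approve() directly, as a request that never went through the GUI."""
    try:
        return OrderBean().approve(caller, "42")
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    print("plain user:", try_approve({"roles": ("user",)}))
    print("manager:   ", try_approve({"roles": ("user", "manager")}))
```

On a Java EE bean the same effect comes from `@RolesAllowed("manager")` on `approve`, so the container enforces the role on every invocation regardless of which page the call came from.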
A8 – CROSS-SITE REQUEST FORGERY
1. User authenticates to bank.com
2. User visits forum.com
3. Page contains tag
<img src=bank.com/transfer.jsp?account=attacker&amount=300000>
4. User's browser makes GET request
bank.com/transfer.jsp?account=attacker&amount=300000
without the user knowing
A8 – CSRF EXAMPLE
Nearly everything is susceptible to CSRF, so no need to
hunt the bug …
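The standard mitigation for the transfer.jsp scenario above, as an added example (not from the deck) in Python: a per-session token is embedded in the legitimate form and compared on every state-changing request, and GET is refused for state changes. A page on another origin can make the browser send the cookie but never learns the token. The session object and endpoint are constructed for the example.

```python
import hmac
import secrets


class Session:
    """Constructed server-side session; the CSRF token lives here, not in a cookie
    the browser would attach automatically."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(32)


def render_transfer_form(session):
    """The legitimate page embeds the session's token as a hidden field."""
    return ('<form method="post" action="/transfer.jsp">'
            '<input type="hidden" name="csrf" value="%s"/>' % session.csrf_token
            + '<input name="account"/><input name="amount"/></form>')


def transfer(session, method, params):
    """State-changing endpoint: POST only, and the submitted token must match the session's."""
    if method != "POST":
        return "rejected: state change via GET"
    submitted = params.get("csrf", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "rejected: missing or wrong CSRF token"
    return "transferred %s to %s" % (params["amount"], params["account"])


def forged_request(session):
    """The slide's <img> request: the cookie rides along, the token does not."""
    return transfer(session, "GET", {"account": "attacker", "amount": "300000"})


def legitimate_request(session):
    """A submission of the form rendered by render_transfer_form."""
    return transfer(session, "POST",
                    {"csrf": session.csrf_token, "account": "savings", "amount": "10"})


if __name__ == "__main__":
    s = Session("alice")
    print(forged_request(s))
    print(legitimate_request(s))
```

The token check is the application-level defence; setting the session cookie's `SameSite` attribute is a complementary browser-side control, not a replacement for it.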
A9 – USING VULNERABLE COMPONENTS
Common Vulnerabilities and Exposures database (https://cve.mitre.org)
A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
String location = (String) request.getParameter("to");
response.sendRedirect(location);
3. User thinks (s)he's accessing trusted.com but is in fact
at evil.com
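The validation step the slide's redirector is missing, as an added example (not from the deck) in Python: the `to` parameter is accepted only if it is a site-relative path or an http(s) URL whose host is on an allow-list. The allow-list and the test URLs are constructed; the example goes beyond the slide's single case by also rejecting protocol-relative (`//host`), userinfo (`trusted@evil`) and look-alike host forms.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.trusted.com"}  # constructed allow-list for the slide's trusted.com
DEFAULT_TARGET = "/"


def safe_redirect_target(to):
    """Return a redirect target that stays on trusted hosts, else the site's default page."""
    if not to:
        return DEFAULT_TARGET
    parts = urlsplit(to)
    # Absolute or protocol-relative URL: allow only http(s) to an allow-listed host.
    # urlsplit's hostname ignores userinfo, so 'trusted@evil' resolves to the real host.
    if parts.scheme or parts.netloc:
        if parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS:
            return to
        return DEFAULT_TARGET
    # Scheme-less: must be a site-relative path; '//' and backslashes are refused because
    # browsers treat them as host separators.
    if to.startswith("/") and not to.startswith("//") and "\\" not in to:
        return to
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("http://www.evil.com", "http://www.trusted.com/account",
                      "//www.evil.com/", "/account?tab=1",
                      "http://www.trusted.com.evil.com/",
                      "http://www.trusted.com@www.evil.com/"):
        print("%-40s -> %s" % (candidate, safe_redirect_target(candidate)))
```

In the servlet this replaces `response.sendRedirect(location)` with `response.sendRedirect(safeTarget)`, where `safeTarget` is the result of the same check.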
WEBGOAT
is a deliberately insecure web application designed to
teach web application security lessons.
SUMMARY
LAYERS OF DEFENSE IN DEPTH
Policies, Procedures,
Awareness
Physical
Perimeter
Internal Network
Host
App
Data
AND NOW …
• bWAPP
• OWASP Top 10
• CWE 25
• Mitigations (SANS, OWASP Cheat Sheets, …)
• Web Services (SOAP & REST)
• Mobile
• And more …
QUESTIONS ?
FOLLOW US ON …
@Nitroxis_sprl
nitroxis Nitroxis.BE
Training and Certification for
information Security
Professionals
Nitroxis sprl
ADD DEPTH TO YOUR INFORMATION SYSTEM
Olivier Houyoux Technology Security Architect
Version 1.2
Date 25/02/2015
Mail Contact (at) nitroxis.be
Website www.nitroxis.be
