HACKING 101 
Henallux, 28th November 2014 
Olivier Houyoux 
Technology Security Architect @ Nitroxis Sprl
SCHEDULE FOR THE DAY 
1. Why are we here? 
2. Real Life Examples 
3. Owasp – Top 10 (2013) 
4. Demo Web Hacking Simulation Walkthrough 
5. Summary 
6. Questions
DO WE NEED WEB APP. SECURITY? 
 Well managed infrastructure 
 Important data on web applications 
 Malware spreading
EXAMPLES 
1. Barack Obama 
2. Maria Sharapova 
3. Samy Kamkar 
4. Kevin Poulsen 
5. …
OPEN WEB APPLICATION SECURITY PROJECT 
Make software security visible 
 Cheat Sheets, Tutorials, Testing guides… 
 Tools (WebGoat, WebScarab, …) 
 Library (ESAPI) 
 …
OWASP TOP 10 
Broad consensus about what the most critical web 
application security flaws are.
OWASP TOP 10 
OWASP Top 10 - 2013 
A1 - Injection 
A2 - Broken Authentication and Session Management 
A3 - Cross-Site Scripting (XSS) 
A4 - Insecure Direct Object References 
A5 - Security Misconfiguration 
A6 - Sensitive Data Exposure 
A7 - Missing Function Level Access Control 
A8 - Cross-Site Request Forgery (CSRF) 
A9 - Using Known Vulnerable Components 
A10 - Unvalidated Redirects and Forwards
WEBGOAT 
is a deliberately insecure web application designed to 
teach web application security lessons.
A1 – INJECTION 
User input injected without checking 
 SQL 
 LDAP 
 Command 
 XPATH 
 …
A1 – SQL INJECTION EXAMPLE 1 
Connection conn = pool.getConnection(); 
// username and password are concatenated straight into the statement text 
String sql = "select * from user where username='" + username + "' and password='" + password + "'"; 
Statement stmt = conn.createStatement(); 
ResultSet rs = stmt.executeQuery(sql);
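The following is an added example, not code from the slides: the slide's Java snippet is rewritten in Python against an in-memory SQLite table (constructed here, with made-up users) so the difference between concatenation and parameter binding can be run offline. `login_concat` reproduces the slide's pattern; `login_param` is the fix. A username containing a single quote is enough to show the point: in the concatenated version the quote becomes part of the SQL grammar and the statement no longer parses as the query the developer wrote, while in the bound version it is only ever compared as data.

```python
import sqlite3


def make_user_db():
    """Constructed in-memory stand-in for the slide's `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.executemany("insert into user values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """The slide's pattern: the statement is assembled by string
    concatenation, so the caller's text becomes part of the SQL grammar."""
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Parameterised statement: the shape is fixed before any value is
    seen and the values are bound separately, so they are only ever data."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def concat_changes_structure(conn, username):
    """True when a username makes the concatenated statement stop parsing
    as the query the developer wrote (here: a name containing a quote)."""
    try:
        login_concat(conn, username, "irrelevant")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_user_db()
    print(login_param(db, "alice", "s3cret"))        # one row: valid login
    print(login_param(db, "O'Brien", "irrelevant"))  # []: the quote is data
    print(concat_changes_structure(db, "O'Brien"))   # True: the quote is SQL
```

In the servlet code on the slide the same fix is `conn.prepareStatement("select * from user where username=? and password=?")` with `setString(1, username)` and `setString(2, password)`, which is exactly the pattern the A4 slide later uses.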
A2 – BROKEN AUTHENTICATION 
 User / Password 
Brute force attack 
 Birthday paradox 
 Weak management functions 
Change or recover password
A2 – SESSION MANAGEMENT 
1. Session Hijacking 
 Stealing authenticated user’s session ID 
2. Session Fixation 
 Forcing user’s session ID
A2 – SESSION HIJACKING EXAMPLE
A2 – SESSION FIXATION EXAMPLE 
public class LoginServlet extends HttpServlet { 
… 
public void doPost(HttpServletRequest request, 
HttpServletResponse response) { 
String user = request.getParameter("user"); 
String pass = request.getParameter("password"); 
… 
// keeps the session the browser presented before login, so a session ID 
// known beforehand stays valid once the user is authenticated 
HttpSession session = request.getSession(true); 
… 
} 
… 
}
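As an added example (not from the slides, whose code is Java), the servlet flow above is modelled in Python with a constructed in-memory session store. `login_keep_session` mirrors the slide's `doPost`: it authenticates and then keeps whatever session id the browser presented, which is the fixation condition. `login_rotate_session` is the hardened version: on success the pre-login session is invalidated and the authenticated state lives only under a new id. The store, the `USERS` table and the id format are assumptions for the demonstration.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for the servlet container's session
    table: id -> attributes. Only ids the store itself created are accepted."""

    def __init__(self):
        self._sessions = {}

    def get_session(self, presented_id=None):
        """Mirror of request.getSession(true): reuse the presented id when
        the store knows it, otherwise create a fresh anonymous session."""
        if presented_id in self._sessions:
            return presented_id
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {}
        return new_id

    def rotate(self, old_id):
        """Invalidate the session used before login and return a new id;
        nothing set on the old session is carried over."""
        self._sessions.pop(old_id, None)
        return self.get_session()

    def attributes(self, session_id):
        return self._sessions[session_id]

    def is_authenticated(self, session_id):
        return "user" in self._sessions.get(session_id, {})


USERS = {"alice": "s3cret"}  # constructed credential table


def login_keep_session(store, presented_id, user, password):
    """Same flow as the slide's doPost: authenticate, then keep whatever
    session id the browser presented. An id known before login therefore
    stays valid after it."""
    session_id = store.get_session(presented_id)
    if USERS.get(user) != password:
        return None
    store.attributes(session_id)["user"] = user
    return session_id


def login_rotate_session(store, presented_id, user, password):
    """Hardened flow: on success the pre-login session is invalidated and
    the authenticated state lives only under a freshly generated id."""
    session_id = store.get_session(presented_id)
    if USERS.get(user) != password:
        return None
    session_id = store.rotate(session_id)
    store.attributes(session_id)["user"] = user
    return session_id
```

In the servlet API the rotation is `request.getSession().invalidate()` followed by `request.getSession(true)`, or `request.changeSessionId()` on Servlet 3.1 and later; either way the id issued before authentication must not survive a successful login.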
A3 – CROSS-SITE SCRIPTING (XSS) 
Untrusted data sent to the victim’s browser without validation and / or 
escaping. 
XSS allows attackers to execute script in the victim’s browser to: 
 hijack users’ sessions, 
 redirect users to malicious sites, 
 … 
1. Reflected XSS 
2. Stored XSS
A3 – XSS EXAMPLE 
<form name="update" method="post" action="..."> 
<input type="text" value="<%=userBean.getName()%>"/> 
</form> 
<input type="text" value="who_cares"/><script>...</script>"/>
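The following is an added example, not from the slides: the JSP template above is rendered in Python twice, once writing the bean value into the attribute verbatim as the slide does, and once with HTML-attribute encoding applied at output time via `html.escape(quote=True)`. The hostile name is constructed to match the slide's output line (a quote that closes the attribute, then a tag). `tag_count` is a deliberately simple regex tag counter, enough to show that the escaped output always contains exactly the three tags of the form.

```python
import html
import re

FORM_OPEN = '<form name="update" method="post" action="...">\n'
FORM_CLOSE = '\n</form>'


def render_raw(name):
    """The slide's JSP: the bean value is written into the attribute as-is,
    so a quote in the value ends the attribute and the rest becomes markup."""
    return FORM_OPEN + '<input type="text" value="' + name + '"/>' + FORM_CLOSE


def render_escaped(name):
    """Same template with output encoding: html.escape(quote=True) rewrites
    & < > " ' as character references, so the value can never leave the
    attribute it was written into."""
    safe = html.escape(name, quote=True)
    return FORM_OPEN + '<input type="text" value="' + safe + '"/>' + FORM_CLOSE


_TAG = re.compile(r"<[A-Za-z/][^>]*>")


def tag_count(markup):
    """Number of tags a parser would see. The form has exactly three
    (<form>, <input/>, </form>); any more means data was parsed as markup."""
    return len(_TAG.findall(markup))


# Constructed value shaped like the slide's: closes the attribute, then a tag.
PLANTED_NAME = 'who_cares"/><script>...</script>'

if __name__ == "__main__":
    print(tag_count(render_raw(PLANTED_NAME)))      # 5
    print(tag_count(render_escaped(PLANTED_NAME)))  # 3
    print(render_escaped(PLANTED_NAME))
```

Encoding has to match the context the value lands in (attribute, element body, JavaScript string, URL); the ESAPI library the OWASP slide mentions provides one encoder per context for exactly that reason.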
A4 – INSECURE DIRECT OBJECT REF. 
Reference to internal object like 
 file, 
 directory, 
 database key 
without 
 access control check, 
 other protection.
A4 – DIRECT OBJECT REF. EXAMPLE 
String query = "select * from accounts where account = ?"; 
PreparedStatement stmt = conn.prepareStatement(query); 
stmt.setString(1, request.getParameter("account")); 
ResultSet rs = stmt.executeQuery(); 
http://foo.com/app/accountInfo?account=notmyaccount
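As an added example (not the slide's own Java), the query above is reproduced in Python against a constructed accounts table. `account_info_unchecked` is the slide's query: correctly parameterised, and still wrong, because the account id in the request is the only thing deciding what is returned. `account_info_owned` binds the authenticated principal into the lookup, and `account_info_indirect` shows the alternative of exposing only a per-user index that is mapped server-side. Table layout, users and ids are made up for the demonstration.

```python
import sqlite3


def make_accounts_db():
    """Constructed accounts table: (account, owner, balance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts "
                 "(account text primary key, owner text, balance integer)")
    conn.executemany("insert into accounts values (?, ?, ?)",
                     [("acc-1001", "alice", 500), ("acc-2002", "bob", 9000)])
    return conn


def account_info_unchecked(conn, account_param):
    """The slide's query: safely parameterised, yet it answers for whatever
    account id the request names, so knowing an id is the same as owning it."""
    return conn.execute(
        "select account, owner, balance from accounts where account = ?",
        (account_param,)).fetchone()


def account_info_owned(conn, account_param, current_user):
    """Fix: the authenticated principal (taken from the session, never from
    a request parameter) is part of the lookup, so a foreign id finds nothing."""
    return conn.execute(
        "select account, owner, balance from accounts "
        "where account = ? and owner = ?",
        (account_param, current_user)).fetchone()


def account_info_indirect(conn, index_param, current_user):
    """Alternative: the client only ever sees a per-user index (0, 1, ...)
    that is mapped server-side to that user's own account ids."""
    own = [row[0] for row in conn.execute(
        "select account from accounts where owner = ? order by account",
        (current_user,))]
    try:
        idx = int(index_param)
    except ValueError:
        return None
    if not 0 <= idx < len(own):
        return None
    return account_info_owned(conn, own[idx], current_user)


if __name__ == "__main__":
    db = make_accounts_db()
    print(account_info_unchecked(db, "acc-2002"))          # bob's row, for anyone
    print(account_info_owned(db, "acc-2002", "alice"))     # None
    print(account_info_indirect(db, "0", "alice"))         # alice's own account
```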
A5 – SECURITY MISCONFIGURATION 
 Secure configuration defined and deployed for the: 
 application, 
 frameworks, 
 application server, 
 web server, 
 database server, 
 platform.
A5 – MISCONFIGURATION EXAMPLE 
<?xml version='1.0' encoding='utf-8'?> 
<Server port="8005" shutdown="SHUTDOWN"> 
<GlobalNamingResources> 
<Resource name="UserDatabase" auth="Container" … /> 
</GlobalNamingResources> 
<Service name="Catalina"> 
<Connector port="80" protocol="HTTP/1.1" … /> 
<Connector port="443" 
protocol="org.apache. … .Http11Protocol" … /> 
</Service> 
</Server>
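The slide shows a Tomcat `server.xml` but does not say which setting it is pointing at. As an added example (not part of the slides), the fragment is completed with plausible placeholder attributes where the slide writes "…" and run through a small review script. The three checks are an assumed hardening baseline, not something the slide states: the shutdown command left at Tomcat's documented default `SHUTDOWN`, the shutdown port still enabled (Tomcat disables it with `port="-1"`), and a cleartext `HTTP/1.1` connector that has no `redirectPort` pointing at the TLS connector.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the slide's fragment. The slide elides
# most attributes with "…"; the values here are plausible placeholders.
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def check_server_xml(xml_text):
    """Review a server.xml against an assumed hardening baseline:
      1. shutdown command still the documented default "SHUTDOWN"
      2. shutdown listener enabled (Tomcat disables it with port="-1")
      3. cleartext HTTP connector with no redirectPort to the TLS connector
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "Server":
        return ["root element is not <Server>"]
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("<Server> uses the default shutdown command")
    if root.get("port") != "-1":
        findings.append(f"shutdown port {root.get('port')} is enabled")
    for conn in root.iter("Connector"):
        if (conn.get("protocol") == "HTTP/1.1"
                and conn.get("SSLEnabled") != "true"
                and conn.get("redirectPort") is None):
            findings.append(f"cleartext connector on port {conn.get('port')} "
                            "has no redirectPort")
    return findings


def hardened_server_xml():
    """The same fragment with the three findings addressed. The shutdown
    string is a placeholder; in practice generate a long random one."""
    return (SERVER_XML
            .replace('<Server port="8005" shutdown="SHUTDOWN">',
                     '<Server port="-1" shutdown="REPLACE-WITH-RANDOM-STRING">')
            .replace('<Connector port="80" protocol="HTTP/1.1"/>',
                     '<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>'))


if __name__ == "__main__":
    for finding in check_server_xml(SERVER_XML):
        print("-", finding)
    print("hardened:", check_server_xml(hardened_server_xml()))   # []
```

A checker like this belongs in the deployment pipeline, not in a one-off review: configuration drifts back to defaults every time a server is rebuilt from the stock distribution.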
A6 – SENSITIVE DATA EXPOSURE 
Protect sensitive data such as 
 credit cards, 
 authentication credentials 
 … 
Apply extra protection (encryption at rest or in transit) and 
precautions when exchanged with browser.
A6 – DATA EXPOSURE EXAMPLE 1 
An application encrypts credit card numbers in a database 
using automatic database encryption. 
However, this means it also decrypts this data 
automatically when retrieved, allowing an SQL injection 
flaw to retrieve credit card numbers in clear text.
A6 – DATA EXPOSURE EXAMPLE 2 
A site simply doesn’t use SSL for all authenticated pages. 
Attacker simply monitors network traffic (like an open 
wireless network), and steals the user’s session cookie.
A7 – MISSING ACCESS CONTROL 
Verify function level access: 
 before making functionality visible in GUI ✓ 
 when each function is accessed ✗
A7 – ACCESS CONTROL EXAMPLE 
@Stateless 
public class OrderBean implements Order { 
public String getDetail(String id) { 
… 
} 
public String approve(String id) { 
… 
} 
… 
}
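The slide's `OrderBean` exposes `getDetail` and `approve` with nothing in either method deciding who may call it. As an added example (not from the slides, and in Python rather than the slide's Java EE), the bean is mirrored with the check placed on the function itself by a `requires_role` decorator, alongside the GUI-visibility check the slide ticks. The role table and order data are constructed for the demonstration; a real application would take roles from its identity provider and the principal from the authenticated session.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised when the principal lacks the role a function requires."""


# Constructed principal -> roles table (a real app reads this from its IdP/DB).
ROLES = {"alice": {"clerk"}, "carol": {"clerk", "approver"}}


def requires_role(role):
    """Put the check on the function itself, so it holds however the call
    arrives: GUI button, hand-typed URL, or a scripted request."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(self, principal, *args, **kwargs):
            if role not in ROLES.get(principal, set()):
                raise Forbidden(f"{principal!r} lacks role {role!r} "
                                f"for {fn.__name__}")
            return fn(self, principal, *args, **kwargs)
        return wrapper
    return decorate


class OrderBean:
    """Mirror of the slide's OrderBean with the per-function check added.
    `principal` is the authenticated user taken from the session, never
    from a request parameter."""

    def __init__(self):
        self.orders = {"o-1": {"detail": "2 widgets", "approved": False}}

    @requires_role("clerk")
    def get_detail(self, principal, order_id):
        return self.orders[order_id]["detail"]

    @requires_role("approver")
    def approve(self, principal, order_id):
        self.orders[order_id]["approved"] = True
        return "approved"


def show_approve_button(principal):
    """The check the slide ticks: it decides what the GUI renders and
    nothing else. It must exist alongside the decorator, not instead of it."""
    return "approver" in ROLES.get(principal, set())


def is_denied(call, *args):
    """True when the call is refused with Forbidden (used by the demo/tests)."""
    try:
        call(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bean = OrderBean()
    print(show_approve_button("alice"))           # False: button hidden
    print(is_denied(bean.approve, "alice", "o-1"))  # True: and the call is refused
    print(bean.approve("carol", "o-1"))           # approved
```

In the slide's Java EE setting the same effect is obtained declaratively with `@RolesAllowed("approver")` on `approve`, which the container enforces on every invocation regardless of how the request was built.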
A8 – CROSS-SITE REQUEST FORGERY 
1. User authenticates to bank.com 
2. User visits forum.com 
3. Page contains tag 
<img src=bank.com/transfer.jsp?account=attacker&amount=300000> 
4. User’s browser makes GET request 
bank.com/transfer.jsp?account=attacker&amount=300000 
without user knowing
A8 – CSRF EXAMPLE 
Nearly everything is susceptible to CSRF, so no need to 
hunt the bug …
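As an added example (not from the slides), the four-step sequence on the CSRF slide is modelled in Python from the defending site's side. The browser attaches bank.com's session cookie to any request for bank.com, including the `<img>` fetch forum.com triggers, so the cookie alone cannot prove the user intended the transfer. `transfer` therefore refuses state changes over GET and requires a synchronizer token that only bank.com's own pages carry; the token is an HMAC of the session id under a server-side key (the key, session id and form values are constructed for the demonstration).

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a deployment generates it once and keeps it secret.
TOKEN_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session. bank.com embeds it as a
    hidden field in its own forms; forum.com can read neither the cookie
    nor bank.com's pages, so it cannot obtain the token."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer(method, session_id, form):
    """The transfer endpoint. `session_id` is what the cookie carries (sent
    on cross-site requests too); `form` is the body or query string.
    Returns (status, message)."""
    if method != "POST":
        # The slide's <img> tag can only ever issue a GET.
        return 405, "state changes require POST"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['account']}"


def forged_img_request(session_id):
    """Step 4 of the slide: the browser fetches the image URL with the bank
    cookie attached and nothing else."""
    return transfer("GET", session_id, {"account": "attacker", "amount": "300000"})


def forged_post_request(session_id):
    """The same cross-site request as an auto-submitted POST form: the
    cookie still travels, the token still does not."""
    return transfer("POST", session_id, {"account": "attacker", "amount": "300000"})


def legitimate_request(session_id):
    """A submission of bank.com's own form, which carries the token."""
    form = {"account": "savings", "amount": "100",
            "csrf_token": issue_csrf_token(session_id)}
    return transfer("POST", session_id, form)


if __name__ == "__main__":
    sid = "session-abc"   # constructed session id
    print(forged_img_request(sid))    # (405, ...)
    print(forged_post_request(sid))   # (403, ...)
    print(legitimate_request(sid))    # (200, ...)
```

Marking the session cookie `SameSite=Lax` or `Strict` is a second, independent layer: the browser then omits the cookie from cross-site requests altogether, but the token check is what protects users of browsers or configurations that do not honour it.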
A9 – USING VULNERABLE COMPONENTS 
Common Vulnerabilities and Exposures database (https://cve.mitre.org)
A10 – UNVALIDATED REDIRECT 
1. Lure the user into clicking a redirect link 
http://www.trusted.com/redirector?to=http://www.evil.com 
2. Code does not perform any validation 
String location = (String) request.getParameter("to"); 
response.sendRedirect(location); 
3. User thinks (s)he’s accessing trusted.com but is in fact 
at evil.com
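As an added example (not from the slides), the validation that step 2 says is missing is written out in Python. `safe_redirect_target` accepts a site-relative path or an absolute http(s) URL whose host is on an allowlist, and maps everything else to a default page. The allowlist hosts are an assumption. The checks cover the cases that defeat naive validation: protocol-relative `//host` URLs, a backslash that some browsers read as a slash, and `user@host` syntax that puts a trusted name in front of the real host.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts this site may redirect to.
ALLOWED_HOSTS = {"www.trusted.com", "trusted.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(to):
    """Validate the `to` parameter the slide passes straight to sendRedirect.
    Accepts a local absolute path or an http(s) URL whose host is allowlisted;
    everything else maps to DEFAULT_TARGET."""
    if not to:
        return DEFAULT_TARGET
    parsed = urlparse(to)
    if parsed.scheme == "" and parsed.netloc == "":
        # Site-relative path. A leading "//" would have set netloc and is
        # handled below; a backslash is read as "/" by some browsers, so refuse it.
        if to.startswith("/") and "\\" not in to:
            return to
        return DEFAULT_TARGET
    # urlparse().hostname is the real host even with "user@" in front of it.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return to
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["http://www.evil.com", "//www.evil.com/",
                      "/\\www.evil.com", "http://www.trusted.com@www.evil.com/",
                      "/account/summary", "http://www.trusted.com/home"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

In the servlet on the slide the call becomes `response.sendRedirect(safeTarget)`, where `safeTarget` is the result of the same validation; the simplest alternative when redirect targets are finite is to pass an index into a server-side table rather than a URL at all.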
SUMMARY 
LAYERS OF DEFENSE IN DEPTH 
Policies, Procedures, Awareness 
Physical 
Perimeter 
Internal Network 
Host 
App 
Data
AND NOW … 
 bWAPP 
 OWASP Top 10 
 CWE 25 
 Mitigations (SANS, OWASP Cheat Sheets, …) 
 Web Services (SOAP & REST) 
 Mobile 
 And more …
QUESTIONS ?
FOLLOW US ON … 
nitroxis Nitroxis.BE 
@Nitroxis_sprl 
Nitroxis sprl 
Training and Certification for 
information Security 
Professionals
ADD DEPTH TO YOUR INFORMATION SYSTEM 
Olivier Houyoux Technology Security Architect 
Version 1.1 
Date 28/11/2014 
Mail Contact (at) nitroxis.be 
Website www.nitroxis.be

Más contenido relacionado

La actualidad más candente

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationMichele Orru'
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the WebMike Crabb
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackersKirill Ermakov
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net FrameworkRamakanta Behera
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Marco Morana
 
Widespread security flaws in web application development 2015
Widespread security flaws in web  application development 2015Widespread security flaws in web  application development 2015
Widespread security flaws in web application development 2015mahchiev
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 

La actualidad más candente (20)

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
 
t r
t rt r
t r
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Attques web
Attques webAttques web
Attques web
 
Hacking the Web
Hacking the WebHacking the Web
Hacking the Web
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Vulners: Google for hackers
Vulners: Google for hackersVulners: Google for hackers
Vulners: Google for hackers
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTrana
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
 
Security In .Net Framework
Security In .Net FrameworkSecurity In .Net Framework
Security In .Net Framework
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.com
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
Widespread security flaws in web application development 2015
Widespread security flaws in web  application development 2015Widespread security flaws in web  application development 2015
Widespread security flaws in web application development 2015
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 

Similar a Hacking 101 (Session 2)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in RailsUri Nativ
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code HardeningOdoo
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...Uniface
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Magento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewMagento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewAmasty
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 

Similar a Hacking 101 (Session 2) (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code Hardening
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...
Uniface Lectures Webinar - Application & Infrastructure Security - Hardening ...
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Magento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewMagento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of View
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 

Último

Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 

Último (20)

Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 

Hacking 101 (Session 2)

  • 1. HACKING 101 Henallux, 28th November 2014 Olivier Houyoux Technology Security Architect @ Nitroxis Sprl
  • 2. SCHEDULE FOR THE DAY 1. Why are we here? 2. Real Life Examples 3. Owasp – Top 10 (2013) 4. Demo Web Hacking Simulation Walkthrough 5. Summary 6. Questions
  • 3. DO WE NEED WEB APP. SECURITY?  Well managed infrastructure  Important data on web applications  Malware spreading
  • 5. EXAMPLES 1. Barack Obama 2. Maria Sharapova
  • 6. EXAMPLES 1. Barack Obama 2. Maria Sharapova 3. Samy Kamkar
  • 7. EXAMPLES 1. Barack Obama 2. Maria Sharapova 3. Samy Kamkar 4. Kevin Poulsen
  • 8. EXAMPLES 1. Barack Obama 2. Maria Sharapova 3. Samy Kamkar 4. Kevin Poulsen 5. …
  • 9. OPEN WEB APPLICATION SECURITY PROJECT Make software security visible  Cheat Sheets, Tutorials, Testing guides…  Tools (WebGoat, WebScarab, …)  Library (ESAPI)  …
  • 10. OWASP TOP 10 Broad consensus about what the most critical web application security flaws are.
  • 11. OWASP TOP 10 OWASP Top 10 - 2013 A1 - Injection A2 - Broken Authentication and Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitive Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Known Vulnerable Components A10 - Unvalidated Redirects and Forwards
  • 12. WEBGOAT is a deliberately insecure web application designed to teach web application security lessons.
  • 13. A1 – INJECTION User input injected without checking  SQL  LDAP  Command  XPATH  …
  • 14. A1 – SQL INJECTION EXAMPLE 1 Connection conn = pool.getConnection(); String sql = "select * from user where username='" + username + "' and password='" + password + "'"; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql); (username and password are concatenated straight into the SQL text, so a value containing a quote changes the query itself)
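The bypass that the slide's concatenated query allows, as an added example that is not part of the original deck: the same login query written twice against an in-memory SQLite table, once built by string concatenation as on the slide and once with bound parameters. The table, its two users, the payloads and the function names are all constructed for this demonstration.

```python
"""SQL injection against a string-built query, and the parameterised fix.

Added example for the A1 slides; not code from the original deck.
The user table and the login function names are assumptions.
"""
import sqlite3


def make_db():
    # Constructed sample data: two users with (deliberately weak) plaintext passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.executemany("insert into user values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the slide: user input is concatenated into the SQL string."""
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters, never as SQL text."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return (rows from the vulnerable login, rows from the safe login,
    rows from a comment-based payload) for the same attacker input."""
    conn = make_db()
    # Closes the string literal and makes the WHERE clause always true.
    payload = "' or '1'='1"
    rows_vuln = login_vulnerable(conn, payload, payload)   # every row
    rows_safe = login_safe(conn, payload, payload)         # no row
    # A comment payload cuts the password check off entirely.
    rows_comment = login_vulnerable(conn, "alice'--", "whatever")
    return len(rows_vuln), len(rows_safe), len(rows_comment)


if __name__ == "__main__":
    print(demo())
```

In the safe version the database driver sends the query text and the values separately, so the quote in the payload is just a character in a string and the query shape can no longer be changed by input.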
  • 16. A2 – BROKEN AUTHENTICATION  User / Password Brute force attack  Birthday paradox  Weak management functions Change or recover password
  • 17. A2 – SESSION MANAGEMENT 1. Session Hijacking  Stealing authenticated user’s session ID 2. Session Fixation  Forcing user’s session ID
  • 18. A2 – SESSION HIJACKING EXAMPLE
  • 20. A2 – SESSION FIXATION EXAMPLE public class LoginServlet extends HttpServlet { … public void doPost(HttpServletRequest request, HttpServletResponse response) { String user = request.getParameter("user"); String pass = request.getParameter("password"); … HttpSession session = request.getSession(true); … } … } (getSession(true) reuses any session ID the client already presents, so a session ID an attacker planted before login stays valid once the victim authenticates; the fix is to invalidate the pre-login session and issue a new ID after a successful login)
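The fixation attack against the servlet above, as an added example that is not part of the original deck: a minimal in-memory session store whose get_session behaves like request.getSession(true), a login that keeps the presented session ID (as the slide's code does) and one that rotates it, and an attacker who plants an ID and then checks whether it carries the victim's identity. The store, the credential table and the function names are constructed for this demonstration.

```python
"""Session fixation against a minimal in-memory session store.

Added example for the A2 session fixation slides; not code from the deck.
SessionStore, CREDENTIALS and the login functions are assumptions that
model what getSession(true) does with a session cookie already presented.
"""
import secrets

CREDENTIALS = {"alice": "s3cret"}   # constructed sample user


class SessionStore:
    def __init__(self):
        self.sessions = {}           # session id -> attributes

    def get_session(self, presented_id):
        """Like request.getSession(true): reuse the presented id if it is
        a known session, otherwise create a fresh one."""
        if presented_id in self.sessions:
            return presented_id
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {}
        return new_id

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def login_vulnerable(store, presented_id, user, password):
    sid = store.get_session(presented_id)        # keeps the attacker-chosen id
    if CREDENTIALS.get(user) == password:
        store.sessions[sid]["user"] = user
    return sid


def login_fixed(store, presented_id, user, password):
    old = store.get_session(presented_id)
    if CREDENTIALS.get(user) != password:
        return old
    store.invalidate(old)                        # drop everything pre-authentication
    sid = store.get_session(None)                # unknown id -> brand new session
    store.sessions[sid]["user"] = user
    return sid


def fixation_attack(login):
    """Return the user name the attacker's planted session id ends up
    carrying after the victim logs in (None if the attack failed)."""
    store = SessionStore()
    attacker_sid = store.get_session(None)       # attacker obtains a valid id
    # victim is lured into presenting attacker_sid (URL, injected cookie) and logs in
    login(store, attacker_sid, "alice", "s3cret")
    return store.sessions.get(attacker_sid, {}).get("user")


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))
    print("fixed:     ", fixation_attack(login_fixed))
```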
  • 22. A3 – CROSS-SITE SCRIPTING (XSS) Untrusted data sent to victim without validation and / or escaping XSS allows attackers to execute script in browsers to:  hijacking users’ sessions,  redirecting user to malicious site,  … 1. Reflected XSS 2. Stored XSS
  • 23. A3 – XSS EXAMPLE <form name="update" method="post" action="..."> <input type="text" value="<%=userBean.getName()%>"/> </form> With a stored name of who_cares"/><script>...</script> the rendered page becomes: <input type="text" value="who_cares"/><script>...</script>"/>
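The attribute break-out shown on the slide, as an added example that is not part of the original deck: the same form rendered once with the name dropped in verbatim and once with attribute escaping, then fed to an HTML parser to list which elements a browser would actually see. The payload, the render functions and the parser-based listing are constructed for this demonstration.

```python
"""Attribute-context XSS from the slide, and the escaping that stops it.

Added example for the A3 XSS slides; not code from the original deck.
The render functions, PAYLOAD and TagLister are constructed for the demo.
"""
import html
from html.parser import HTMLParser

# Same markup as the slide; %s stands for <%=userBean.getName()%>
TEMPLATE = ('<form name="update" method="post" action="...">'
            '<input type="text" value="%s"/></form>')


def render_unsafe(name):
    """Value dropped into the attribute verbatim, as the JSP does."""
    return TEMPLATE % name


def render_safe(name):
    """Escape &, <, >, " and ' so the value cannot leave the attribute."""
    return TEMPLATE % html.escape(name, quote=True)


class TagLister(HTMLParser):
    """Collect the element names a browser-like parser sees in the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagLister()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Stored name: closes the value attribute and the input tag, adds a script
# element, and the trailing <a href=" swallows the template's own "/>.
PAYLOAD = 'who_cares"/><script>alert(document.cookie)</script><a href="'


def demo():
    """Return the element lists for the unsafe and the escaped rendering."""
    return tags_in(render_unsafe(PAYLOAD)), tags_in(render_safe(PAYLOAD))


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```

Escaping must match the context: html.escape is right for text and quoted attributes, but a value placed inside a script block or a URL attribute needs its own encoding, which is why the OWASP cheat sheets list one rule per context.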
  • 26. A4 – INSECURE DIRECT OBJECT REF. Reference to internal object like  file,  directory,  database key without  access control check,  other protection.
  • 27. A4 –DIRECT OBJECT REF. EXAMPLE String query = "select * from accounts where account = ?"; PreparedStatement stmt = conn.prepareStatement(query); stmt.setString(1, request.getParameter("account")); ResultSet rs = stmt.executeQuery(); http://foo.com/app/accountInfo?account=notmyaccount
  • 29. A5 – SECURITY MISCONFIGURATION  Secure configuration defined and deployed for the:  application,  frameworks,  application server,  web server,  database server,  platform.
  • 31. A5 – MISCONFIGURATION EXAMPLE <?xml version='1.0' encoding='utf-8'?> <Server port="8005" shutdown="SHUTDOWN"> <GlobalNamingResources> <Resource name="UserDatabase" auth="Container" … /> </GlobalNamingResources> <Service name="Catalina"> <Connector port="80" protocol="HTTP/1.1" … /> <Connector port="443" protocol="org.apache. … .Http11Protocol" … /> </Service> </Server> (the shutdown port 8005 and the shutdown command SHUTDOWN are the values Tomcat ships in its default server.xml)
  • 33. A6 – SENSITIVE DATA EXPOSURE Protect sensitive data such as  credit cards,  authentication credentials  … Apply extra protection (encryption at rest or in transit) and precautions when exchanged with browser.
  • 34. A6 – DATA EXPOSURE EXAMPLE 1 An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.
  • 35. A6 – DATA EXPOSURE EXAMPLE 2 A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie.
  • 36. A7 – MISSING ACCESS CONTROL Verify function level access:  before making functionality visible in the GUI ✓  when each function is accessed ✗ (hiding a link or button is not a check; the server must authorise every call, because the request can be sent without the GUI)
  • 37. A7 – ACCESS CONTROL EXAMPLE @Stateless public class OrderBean implements Order { public String getDetail(String id) { … } public String approve(String id) { … } … }
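The two missing checks, as one added example that is not part of the original deck and covers both the A4 direct object reference slides and the A7 access control slides: an account lookup that, like the slide's prepared statement, is immune to injection but never ties the requested account to the caller (A4), beside a version that does; and getDetail and approve with a role check enforced on every call rather than only when the GUI is drawn (A7). The accounts, the role table, the Forbidden exception and the authorize decorator are constructed for this demonstration.

```python
"""Object-level (A4) and function-level (A7) access control checks.

Added example for the A4 and A7 slides; not code from the original deck.
ACCOUNTS, ROLES, Forbidden and authorize are assumptions for the demo.
"""
import functools

# Constructed sample data
ACCOUNTS = {"1001": {"owner": "alice", "balance": 120},
            "1002": {"owner": "bob", "balance": 9000}}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "manager"}}


class Forbidden(Exception):
    pass


def account_info_vulnerable(current_user, account):
    """Same shape as the slide: the query is parameterised, so no SQL
    injection, but nothing links the requested key to the caller."""
    return ACCOUNTS[account]


def account_info_checked(current_user, account):
    """Look the row up by key, then verify the caller owns it."""
    row = ACCOUNTS.get(account)
    if row is None or row["owner"] != current_user:
        raise Forbidden(account)   # same answer for "not yours" and "no such"
    return row


def authorize(role):
    """Check the caller's role on every invocation, not just when drawing the GUI."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if role not in ROLES.get(current_user, set()):
                raise Forbidden(fn.__name__)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@authorize("user")
def get_detail(current_user, order_id):
    return "detail of " + order_id


@authorize("manager")
def approve(current_user, order_id):
    return "approved " + order_id


def try_call(fn, *args):
    """Run fn and return None instead of raising when access is refused."""
    try:
        return fn(*args)
    except Forbidden:
        return None


if __name__ == "__main__":
    print(account_info_vulnerable("alice", "1002"))        # bob's row leaks
    print(try_call(account_info_checked, "alice", "1002"))  # None
    print(try_call(approve, "alice", "o-1"))                # None
    print(approve("carol", "o-1"))                          # approved o-1
```

The two checks are independent: a caller can be allowed to use a function (A7) and still be refused a particular record through it (A4), so both belong in the server-side code path of every request.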
  • 39. A8 – CROSS-SITE REQUEST FORGERY 1. User authenticates to bank.com 2. User visits forum.com 3. Page contains tag <img src=bank.com/transfer.jsp?account=attacker&amount=300000> 4. User’s browser makes GET request bank.com/transfer.jsp?account=attacker&amount=300000 without user knowing
  • 40. A8 – CSRF EXAMPLE Nearly everything is susceptible to CSRF, so no need to hunt the bug …
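The forged transfer from the slide, and the synchronizer token check that stops it, as an added example that is not part of the original deck: the browser attaches the bank.com cookie to the request the forum's <img> tag triggers, so a handler that trusts the cookie alone pays out, while a handler that additionally requires POST and a token bound to the session refuses it. The session shape, the request dictionaries and the handler names are constructed for this demonstration.

```python
"""Synchronizer token check against the CSRF transfer from the slide.

Added example for the A8 CSRF slides; not code from the original deck.
new_session, the request dict shape and the handlers are assumptions.
"""
import hmac
import secrets


def new_session():
    """An authenticated bank.com session; the token is generated per session."""
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32), "balance": 500}


def transfer_vulnerable(session, request):
    """Honours any request that arrives with the session cookie, including
    the GET the forum page's <img> tag makes the browser send."""
    session["balance"] -= int(request["params"]["amount"])
    return True


def transfer_protected(session, request):
    # 1. state changes only over POST; a cross-site <img> can only produce GET
    if request["method"] != "POST":
        return False
    # 2. the token in the body must equal the one bound to this session;
    #    compare_digest keeps the comparison constant-time
    sent = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False
    session["balance"] -= int(request["params"]["amount"])
    return True


def forged_request(session):
    """What the victim's browser sends after loading the forum's <img> tag:
    GET, no token, cookie attached automatically (the session is implied)."""
    return {"method": "GET", "params": {"account": "attacker", "amount": "300"}}


def legitimate_request(session):
    """A form submission from the bank's own page carries the session's token."""
    return {"method": "POST",
            "params": {"account": "bob", "amount": "300",
                       "csrf_token": session["csrf_token"]}}


def run(handler, request_fn):
    """Return (accepted?, balance afterwards) for one handler and one request."""
    session = new_session()
    accepted = handler(session, request_fn(session))
    return accepted, session["balance"]


if __name__ == "__main__":
    print("vulnerable, forged:   ", run(transfer_vulnerable, forged_request))
    print("protected, forged:    ", run(transfer_protected, forged_request))
    print("protected, legitimate:", run(transfer_protected, legitimate_request))
```

The token works because the forum page cannot read it: it lives in bank.com's response body, which the same-origin policy keeps away from other sites, whereas the cookie is sent by the browser no matter who triggered the request.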
  • 41. A9 – USING VULNERABLE COMPONENTS Common Vulnerabilities and Exposures database (https://cve.mitre.org)
  • 42. A10 – UNVALIDATED REDIRECT 1. Lure the user into clicking a redirect link http://www.trusted.com/redirector?to=http://www.evil.com 2. Code does not perform any validation String location = (String) request.getParameter("to"); response.sendRedirect(location); 3. User thinks (s)he’s accessing trusted.com but is in fact at evil.com
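A validated replacement for the redirector above, as an added example that is not part of the original deck: the target is resolved against the site's own base URL and accepted only if it lands on an allow-listed host, which also handles the protocol-relative (//evil.com), userinfo (trusted.com@evil.com), backslash and javascript: variants that a naive "starts with /" or "contains trusted.com" check lets through. The trusted host list and the function names are constructed for this demonstration.

```python
"""Allow-list validation of a ?to= redirect target.

Added example for the A10 slide; not code from the original deck.
TRUSTED_HOSTS and the function names are assumptions for the demo.
"""
from urllib.parse import urljoin, urlsplit

TRUSTED_HOSTS = {"www.trusted.com"}
BASE = "https://www.trusted.com/"


def redirect_unvalidated(to):
    """Same as the slide: whatever ?to= says becomes the Location header."""
    return to


def safe_redirect_target(to, default="/"):
    """Return an absolute URL on a trusted host, or `default` if `to`
    would send the user anywhere else."""
    if not to:
        return default
    # Browsers treat backslashes as slashes, so "/\\evil.com" would be read
    # as "//evil.com"; normalise before parsing so we see the same thing.
    to = to.replace("\\", "/")
    # Resolve relative targets against our own origin; absolute ones are kept.
    parts = urlsplit(urljoin(BASE, to))
    if parts.scheme not in ("http", "https"):      # javascript:, data:, ...
        return default
    # hostname strips userinfo and port, so trusted.com@evil.com is seen as evil.com
    if parts.hostname not in TRUSTED_HOSTS:
        return default
    return parts.geturl()


if __name__ == "__main__":
    for candidate in ["http://www.evil.com", "//evil.com", "/account?x=1",
                      "http://www.trusted.com@www.evil.com/", "javascript:alert(1)",
                      "/\\evil.com", "https://www.trusted.com/home"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Where the application only ever needs to return to its own pages, an even simpler design is to pass an index into a server-side table of allowed destinations instead of a URL, so there is nothing to validate.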
  • 43. SUMMARY LAYERS OF DEFENSE IN DEPTH Policies, Procedures, Awareness Physical Perimeter Internal Network Host App Data
  • 44. AND NOW …  bWAPP  OWASP Top 10  CWE 25  Mitigations (SANS, OWASP Cheat Sheets, …)  Web Services (SOAP & REST)  Mobile  And more …
  • 46. FOLLOW US ON … nitroxis Nitroxis.BE @Nitroxis_sprl Nitroxis sprl Training and Certification for information Security Professionals
  • 47. ADD DEPTH TO YOUR INFORMATION SYSTEM Olivier Houyoux Technology Security Architect Version 1.1 Date 28/11/2014 Mail Contact (at) nitroxis.be Website www.nitroxis.be