OWASP Denver Nov 06 presentation

Published on August 30, 2007

Author: Clown

Source: authorstream.com

Content

Application Security Reviews
David Byrne, CISSP, MCSE
Security Architect, EchoStar Satellite, LLC
[email protected]
November 15, 2006

Testing Steps
- Planning
- Reconnaissance
- Infrastructure
- Input validation
- Denial of Service (DoS)
- Authentication & Authorization
- Information Disclosure
- Code Review
- Reporting

OWASP Testing Guide
- Version 2 is being completed
- http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC

OWASP Top 10
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross Site Scripting
- Buffer Overflow
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Application Denial of Service
- Insecure Configuration Management

OWASP Top 10 (second list on the slide, with Infrastructure Vulnerabilities and Information Disclosure in place of Cross Site Scripting and Injection Flaws)
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Infrastructure Vulnerabilities
- Information Disclosure
- Insecure Storage
- Improper Error Handling
- Application Denial of Service
- Buffer Overflow
- Insecure Configuration Management

Planning
- Change Management
  - Don't get fired
  - Communicate fully
  - Get approvals in writing
- Clearly defined scope
  - Test or production
  - Which web servers will be targeted
  - Can vulnerabilities be exploited
  - Can modifications be made via exploits
  - Will Denial of Service be tested
  - Are brute force attacks allowed
  - White box vs. black box

Planning - Tools
- Presenter's favorites
  - WebScarab – Testing proxy, fuzzer, spider, more
  - Nessus – General vulnerability scanner
  - Wikto – Signature-based web scanning, Google reconnaissance
  - Nmap – Port scanner & fingerprinting
  - WireShark (Ethereal) – Packet capture
- Other free tools
  - Nikto – Signature-based web scanning
  - Pantera – New tool from OWASP, automated scanning
  - Paros – Testing proxy, spider
  - BurpSuite – Testing proxy, more
- Commercial tools
  - Acunetix Web Vulnerability Scanner
  - Cenzic Hailstorm
  - N-Stealth
  - Sensepost Suru
  - SPI Dynamics WebInspect
  - Watchfire AppScan

WebScarab
- Proxy
  - Records all HTTP sessions
  - Allows requests & responses to be intercepted and modified
  - Displays HTTP sessions in parsed or raw formats
  - Reveals hidden fields
- Manual requests
- Web Services tools
- Session ID Analysis
- Fuzzer
- Automated extensions checking (.bak, etc.)

Reconnaissance & Automated Scanning
- Google (Wikto) – Can find some vulnerabilities, pages difficult to navigate to
- Spider (WebScarab)
- Specialized Web scanners (Wikto, commercial) – Known web-app vulnerabilities; simple cases of XSS, SQL injection, etc.
- Try to identify what off-the-shelf software is being used, then research vulnerabilities (securityfocus.com)
- Source code
  - Look on open file shares
  - Look for unsecured code repositories

Infrastructure
- Port scan (nmap)
- General vulnerability scan (Nessus)
- Unsecured HTTP management ports
- Web Server attacks
- Application framework attacks: WebMethods, WebLogic, other J2EE, ColdFusion, etc.
- Miscellaneous vulnerable services: NetBIOS, RPC, etc.

Input Validation
- SQL Injection
- Cross Site Scripting (XSS)
- Buffer Overflows

SQL Injection
- Caused by failure to properly validate user-provided input
- Allows arbitrary commands to be executed in the database
- Example for a login:
  Username = byrned
  Password = very_secure

    SELECT count(userID) FROM users
    WHERE username = 'byrned' AND password = 'very_secure'

  Username: byrned' OR 1=1 --

    SELECT count(userID) FROM users
    WHERE username = 'byrned' OR 1=1 -- ' AND password = 'very_secure'

- Test by inserting string delimiting characters such as a single quote
- Look for error messages

SQL Injection – Customer Search Tool (Zip Code)
The search page builds its query by concatenating the zip code into the SQL text:

    query = "SELECT name, address, city, state, zip " +
            "FROM customers " +
            "WHERE zip = '" + zipcode + "'";

  zip: 80202' OR 1=1 --

    SELECT name, address, city, state, zip FROM customers
    WHERE zip = '80202' OR 1=1 -- '

  zip: 80202' UNION SELECT username, password, null, null, null FROM users --

    SELECT name, address, city, state, zip FROM customers
    WHERE zip = '80202' UNION SELECT username, password, null, null, null FROM users -- '

Resources:
http://www.owasp.org/index.php/SQL_Injection
http://www.unixwiz.net/techtips/sql-injection.html
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Cross Site Scripting (XSS)
- Allows an attacker to embed arbitrary HTML inside a web page
- Can be persistent (e.g. a bulletin board) or dynamic (e.g. a URL)
- JavaScript can
  - Redirect the browser to an attack site
  - Monitor and report browsing activity using frames
  - Launch attacks against browser vulnerabilities
  - Steal cookies
  - Perform actions while impersonating the user (MySpace worm)

Cross Site Scripting (XSS)
- Look for any content in a web page that was based on user-provided input
- Check the source: the content might be in the HTML, but not displayed
- Input isn't limited to visible form fields. Look at cookies, HTTP headers, URL query strings, hidden fields
- Standard pages aren't the only source of XSS; error pages (even 404s) are frequently vulnerable

Example: the search page reflects the submitted value back in its message:
  No results were found for zip code '00000'
Test input:
  <script>alert('XSS')</script>

Resources:
http://ha.ckers.org/xss.html
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.owasp.org/index.php/XSS

Buffer Overflows
- Not common with modern web environments
- With black box, send long strings for different parameters, >1024 bytes; might have to switch to POST
- White box techniques beyond presentation's scope

Denial of Service (DoS)
- Locking Customer Accounts
- Buffer Overflows
- User Specified Object Allocation
- User Input as a Loop Counter
- Writing User Provided Data to Disk
- Failure to Release Resources
- Storing too Much Data in Session
- http://www.owasp.org/index.php/Testing_for_application_layer_Denial_of_Service_%28DoS%29_attacks

Authentication & Authorization
- Session IDs
- Authentication
- Authorization

Session IDs
- Session IDs best stored in a cookie, not in the URL
- Should be randomly generated
- Should be from a large data set (>= 128 bits recommended)
- Use WebScarab's Session ID analyzer

WebScarab Session ID Analysis
(screenshot slide)

Cookie Analysis – Data Formats
- Plain text
  This is a test string with some odd characters !@#$%^&*()_+-=\
- Hexadecimal: Base 16 representation of the ASCII character numbers. Characters 0-9,a-f
  546869732069732061207465737420737472696e67207769746820736f6d65206f646420636861726163746572732021402324255e262a28295f202d3d
- Base64: Complicated. See http://en.wikipedia.org/wiki/Base64. Characters A-Z,a-z,0-9,/,+, and equal (=) for suffix padding
  VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4mKigpXyAtPQ==
- HTML encoding: HTML escaped characters using the character numbers. Uses this format: ampersand (&), pound (#), character number in decimal (0-9), semicolon (;)
  &#84;&#104;&#105;&#115;&#32;&#105;&#115;&#32;&#97;&#32;&#116;&#101;&#115;&#116;&#32;&#115;&#116;&#114;&#105;&#110;&#103;&#32;&#119;&#105;&#116;&#104;&#32;&#115;&#111;&#109;&#101;&#32;&#111;&#100;&#100;&#32;&#99;&#104;&#97;&#114;&#97;&#99;&#116;&#101;&#114;&#115;&#32;&#33;&#64;&#35;&#36;&#37;&#94;&#38;&#42;&#40;&#41;&#95;&#32;&#45;&#61;
- HTTP URL encoding: spaces turned to plus (+), non-alphanumeric characters encoded with percent (%), then the hexadecimal character number (0-9,a-f)
  This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A%28%29_+-%3D
- HTTP URL encoding – all hex: In addition to the standard URL encoding described above, all characters, including alphanumeric, can be hex encoded
  %54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69%74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21%40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d
- IP Address formatting
  - Octet, most common: 10.1.124.3
  - Hex, obtained by converting each octet into a two digit hexadecimal number: 0A017C03
  - Decimal, obtained by converting the hex format into a base 10 number: 167869443

Authentication
- SQL Injection
- LDAP Injection
- Session Hijacking
  - Theft of cookies/session IDs through XSS
  - Guessing valid session IDs
  - Theft of session IDs stored in URLs via browser history
  - High or missing timeout values
- Brute force password attacks (THC-Hydra)
- Field changes:
  http://www.site.com/page.asp?authenticated=no
  http://www.site.com/page.asp?authenticated=yes
- Password reset facilities
  - New passwords emailed
  - Process flow for question response

Authorization Bypassing
- Manually browse to known URLs without authentication
- Obtain admin & user credentials, try to access admin pages with user login
- Directory traversals & listing
  Original: http://www.example.com/app/auth/login.php
  Request: http://www.example.com/app/auth/
  Request: http://www.example.com/app/
  Request: http://www.example.com/../
- http://www.owasp.org/index.php/Bypassing_Authentication_Schema_AoC

Information Disclosure
- Directory traversal & listing
- HTML & JavaScript comments
- Error messages can divulge:
  - Operating System environmental parameters
  - Web Server settings
  - Database drivers in use
  - SQL queries run on a page
  - Software versions

Code Review
- SQL queries
- Stored procedures
- User-supplied input as part of output
- Operating System / shell commands
- Error handling routines
- Source code storage & access
- Authentication & authorization mechanisms
- http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents

Reporting
- Severity
- Category (OWASP Top 10)
- Location (e.g. line 23 of /search/main.php)
- Example exploit
- Impact of exploit (e.g. theft of credit card data)
- Recommended remediation
- Third party documentation (vendor or OWASP)

Reporting - Categorize severity
- PCI severity levels: https://pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf
  - 5 Urgent: Trojan Horses; file read and write exploits; remote command execution
  - 4 Critical: Potential Trojan Horses; file read exploit
  - 3 High: Limited exploit of read; directory browsing; DoS
  - 2 Medium: Sensitive configuration information can be obtained by hackers
  - 1 Low: Information can be obtained by hackers on configuration
- Common Vulnerability Scoring System (CVSS)
  http://www.first.org/cvss/
  http://nvd.nist.gov/cvss.cfm?calculator
  - Remote vs. local exploit
  - Attack complexity
  - Authentication required
  - Availability of exploit
  - Type of fix available
  - C/A/I impact
  - Impact value rating
  - Organization specific potential for loss
  - Percentage of vulnerable systems
  - Level of vulnerability confirmation

Example Finding
11. Improper use of varchar data types
Severity: Critical
Category: Injection Flaws
Exploitation prerequisites: Internet access; authentication may not be required for all pages
Description: Some pages handle numeric data types as 'varchars' (character strings). This makes SQL injection possible despite the 'cfqueryparam' tag; since there is no quote to break out of, escaping quote characters won't help. This occurs in many pages.
Example: \dsg\createNewPage.cfm, line 54

    <CFQUERY name='tied' DATASOURCE = '#APPLICATION.DATASOURCE#'>
      select user_name from users (nolock)
      where user_number = <cfqueryparam value='#url.usernumber#' cfsqltype='CF_SQL_VARCHAR'>
    </CFQUERY>

Recommendation: Every file should be reviewed for how each SQL query or stored procedure is called. Change all numeric SQL parameters to use CF_SQL_INTEGER.
References:
http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html
http://www.owasp.org/index.php/Data_Validation

Questions
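The customer search tool from the SQL injection slides, as an added example that is not part of the presentation: the slide's concatenated query beside a parameterized one, run against an in-memory SQLite database with constructed rows, plus the search page's "No results" message with the reflected zip code HTML-escaped (the XSS slides). Table contents and function names are mine.

```python
# Added example, not from the presentation: the "Customer Search Tool" of the
# SQL injection slides against an in-memory SQLite database, with the
# vulnerable string-built query next to a parameterized one. Table names,
# columns and sample rows are constructed for this demo.
import html
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(name, address, city, state, zip);
        CREATE TABLE users(username, password);
        INSERT INTO customers VALUES ('Alice', '1 Main St', 'Denver', 'CO', '80202');
        INSERT INTO customers VALUES ('Bob', '9 Elm St', 'Boulder', 'CO', '80301');
        INSERT INTO users VALUES ('byrned', 'very_secure');
    """)
    return db

def search_vulnerable(db, zipcode):
    # The slide's query: the user-supplied zip code is pasted into the SQL text,
    # so a quote ends the literal and "--" comments out the closing quote.
    query = ("SELECT name, address, city, state, zip "
             "FROM customers "
             "WHERE zip = '" + zipcode + "'")
    return db.execute(query).fetchall()

def search_parameterized(db, zipcode):
    # Bound parameter: the value travels separately from the SQL text, so quote
    # characters, OR clauses and UNIONs in the input are compared as data.
    query = ("SELECT name, address, city, state, zip "
             "FROM customers WHERE zip = ?")
    return db.execute(query, (zipcode,)).fetchall()

def no_results_message(zipcode):
    # The search page's reflected text from the XSS slides, with the input
    # HTML-escaped so <script> tags are rendered as text, not executed.
    return "No results were found for zip code '%s'" % html.escape(zipcode, quote=True)

if __name__ == "__main__":
    db = make_db()
    for p in ["80202", "80202' OR 1=1 --",
              "80202' UNION SELECT username, password, null, null, null FROM users --"]:
        print(repr(p))
        print("  vulnerable    :", search_vulnerable(db, p))
        print("  parameterized :", search_parameterized(db, p))
    print(no_results_message("<script>alert('XSS')</script>"))
```

Running it shows the two slide payloads returning every customer row, then the users table, through the concatenated query, while the parameterized query returns nothing for either.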
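The session ID analysis the "Cookie Analysis – Data Formats" slides describe, as an added example that is not part of the presentation: a decoder for each listed format (hex, Base64, HTML numeric entities, URL encoding, all-hex URL encoding), the bit length of the decoded token against the slides' 128-bit recommendation, and the three IP address formats. The detection heuristics and function names are mine.

```python
# Added example, not from the presentation: decode a cookie / session ID from
# each data format named on the "Cookie Analysis" slides and convert IP
# addresses between the three formats shown there. The format heuristics are
# mine; ambiguous values (e.g. Base64 made only of hex digits) are resolved by
# the order of the checks in guess_format().
import base64
import binascii
import html
import re
from urllib.parse import unquote_plus

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HTML_NUM_RE = re.compile(r"^(?:&#[0-9]+;)+$")
URL_RE = re.compile(r"^(?:%[0-9a-fA-F]{2}|[A-Za-z0-9_.~*+\-])+$")

def guess_format(value):
    """Label the encoding a cookie value most likely uses."""
    if HTML_NUM_RE.match(value):
        return "html-entities"          # &#84;&#104;...
    if HEX_RE.match(value):
        return "hex"                    # 5468...
    if B64_RE.match(value) and len(value) % 4 == 0:
        return "base64"                 # VGhp...==
    if "%" in value and URL_RE.match(value):
        return "url"                    # This+is+...%21 or %54%68...
    return "plain"

def decode_cookie(value):
    """Return (format, decoded text) for a cookie value."""
    fmt = guess_format(value)
    if fmt == "html-entities":
        return fmt, html.unescape(value)
    if fmt == "hex":
        return fmt, binascii.unhexlify(value).decode("latin-1")
    if fmt == "base64":
        return fmt, base64.b64decode(value).decode("latin-1")
    if fmt == "url":
        return fmt, unquote_plus(value)
    return fmt, value

def token_bits(value):
    """Upper bound on a session ID's entropy: bits in the decoded token.
    The slides recommend >= 128 bits; a token cannot carry more than its length."""
    return len(decode_cookie(value)[1].encode("latin-1")) * 8

def ip_to_hex(dotted):
    """10.1.124.3 -> '0A017C03' (each octet as two hex digits)."""
    return "".join("%02X" % int(octet) for octet in dotted.split("."))

def ip_to_decimal(dotted):
    """10.1.124.3 -> 167869443 (the hex form read as one base-10 number)."""
    return int(ip_to_hex(dotted), 16)

def decimal_to_ip(number):
    """167869443 -> '10.1.124.3' (inverse of ip_to_decimal)."""
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))
```

Fed the five encoded values from the slide, decode_cookie returns the same text for all of them ("... !@#$%^&*()_ -=", with a space where the slide's plain-text line shows "+" and no trailing backslash).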
