2014 guestlecture-infosec
Transcript of 2014 guestlecture-infosec
Boy Baukema, 12th March, HZ, Vlissingen
Practical Hacking: OWASP Top 10
Wednesday, March 12, 14
So who’s this guy?
Boy Baukema, Security Specialist & Senior Engineer @ Ibuildings.nl
[email protected], @relaxnow
By what company?
Ibuildings (not owned by Apple)
A Security what?
Security Specialist:
Senior Software Engineer + R&D Security + Security Training + Internal Consulting + Internal Security Audits + External Security Audits
Okay, what’s he doing here?
‣ Introduction (10m)
‣ Before We Dive In (10m)
‣ OWASP Top 11 2013 (+/- 15m per item)
‣ Where To Next? (10m)
Before we dive in...
Ethical Hacking & The (Dutch) Law
blog.iusmentis.com
Articles 138ab & 138b (Wetboek van Strafrecht, the Dutch Criminal Code)
Responsible Disclosure
OWASP Top 11 of 2013
OWASP Top 10 2013 BONUS - Clickjacking
http://www.youtube.com/watch?v=DRQ8oC2MWAg
A10-Unvalidated Redirects and Forwards
A10-Unvalidated Redirects and Forwards
Links that show a trusted-looking name but resolve somewhere else (URL shortener, credentials before the @, a decimal IP address, a percent-encoded path):
‣ http://goo.gl/Gmzqv
‣ https://www.bank.com:[email protected]/
‣ http://www.bank.com:[email protected]
‣ http://www.bank.com:login.html@1249739625/
‣ http://www.bank.com:[email protected]/
‣ http://www.bank.com:[email protected]/
‣ http://pc-help.org/o%62s%63ur%65%2e%68t%6D
A9-Using Components with Known Vulnerabilities
Access-log excerpt: an automated scanner ("BOT for JCE") posting to the Joomla JCE image-manager plugin endpoint, then fetching images/stories/food.php, where a successful upload would have landed:
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
A8-Cross-Site Request Forgery (CSRF)
http://www.youtube.com/watch?v=vRBihr41JTo
A7-Missing Function Level Access Control
A6-Sensitive Data Exposure
A5-Security Misconfiguration
http://www.exploit-db.com/google-dorks/
A4-Insecure Direct Object References
A3-Cross-Site Scripting (XSS)
http://www.youtube.com/watch?v=a9WNy2ZSq8Y
A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset
HTTP Strict Transport Security
Strict-Transport-Security: max-age=60000; includeSubDomains
A1-Injection
Now What?
Conferences, People & Resources
‣ Security.nl
‣ Owasp.org
‣ Hackvertor
‣ Webappsec.io
‣ Chris Cornutt
‣ Bruce Schneier
‣ OWASP BeNeLux
‣ OWASP EU
‣ Hack In The Box
‣ Black Hat Europe
Companies
‣ Fox-IT
‣ Madison Gurkha
‣ Pine
‣ Ibuildings.nl
QUESTIONS
Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec