TDIS 2014 - Dealing with the risks: web applications
Transcript of TDIS 2014 - Dealing with the risks: web applications
Page 1
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
Dealing with the risks: web applications
Malik Mesellem
Page 2
About me: Malik Mesellem, Ethical Hacker
MME BVBA, founded in 2010
Specialized in audits & training
Objective approach, independent
Focus to advise and to educate
@MME_IT
#bWAPP
MME | IT Audits & Security
Page 3
Dealing with the risks: Contents
Defense needed
Security framework
Attack scenarios
Superbees wanted
Page 5
Defense needed: Web application security is today's most overlooked aspect of securing the enterprise
Hackers are concentrating their efforts on websites and web applications
Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
Page 6
Defense needed: Why are web applications an attractive target?
Easily available via the Internet (24/7)
Mission-critical business applications with sensitive data
Often direct access to backend data
Traditional firewalls and SSL provide no protection
Many applications are custom-made == vulnerable
Page 8
DEFENSE is needed!
Page 10
Security framework: bWAPP, or a buggy Web APPlication
Deliberately insecure web application, includes all major known web vulnerabilities
Helps security enthusiasts, developers and students to discover and to prevent issues
Prepares one for successful penetration testing and ethical hacking projects
Page 11
Security framework: Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
Black-box penetration testing, simulating real attack scenarios, is still needed!
Confirms potential vulnerabilities, and excludes false positives
Guarantees that your defense measures are working effectively
bWAPP helps to improve your security-testing skills…
Page 13
Security framework: What makes bWAPP so unique?
Well, it has over 100 web vulnerabilities
Covering all major known web bugs
Including all risks from the OWASP Top 10
Focus is not on one specific issue!
Page 14
Commercial Web Scanners
Page 15
Security framework: Which bug do you want to hack today? (1)
SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
Authentication, authorization and session management issues
Malicious, unrestricted file uploads and backdoor files
Arbitrary file access and directory traversals
Heartbleed vulnerability (OpenSSL)
Local and remote file inclusions (LFI/RFI)
Server Side Request Forgery (SSRF)
Page 16
Security framework: Which bug do you want to hack today? (2)
Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...
HTTP parameter pollution and HTTP response splitting
XML External Entity attacks (XXE)
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards
Denial-of-Service (DoS) attacks
Page 17
Security framework: Which bug do you want to hack today? (3)
Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
AJAX and Web Services issues (JSON/XML/SOAP)
Parameter tampering and cookie poisoning
HTTP verb tampering
PHP-CGI remote code execution
Local privilege escalations
And much more
Page 18
Security framework: Which bug do you want to hack today?
Page 19
Security framework
Page 20
Security framework: External links
Home page - www.itsecgames.com
Download location - sourceforge.net/projects/bwapp
Blog - itsecgames.blogspot.com
Page 22
SQL injection: SQL injection is very common in web applications
Occurs when user input is sent to a SQL interpreter as part of a query
The attacker tricks the interpreter into executing unintended SQL queries
Page 23
SQL injection: Injection in the OWASP Top 10
Page 24
SQL injection: Normal operation
BROWSER (HTML, GET/POST) -> WEB APP (HTML | SQL) -> DATABASE (SQL interpreter)
Input: login, password
Query: SELECT * FROM table WHERE login = 'login' AND password = 'password'
The result flows back as SQL to the web app and as HTML to the browser
Page 25
SQL injection: Abnormal operation
BROWSER (HTML, GET/POST) -> WEB APP (HTML | SQL) -> DATABASE (SQL interpreter)
Input: login' or 1=1--
Query: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
The result flows back as SQL to the web app and as HTML to the browser
Page 26
SQL injection: Simple injections
'--
' or 'a'='a
' or 'a'='a'--
' or '1'='1
' or 1=1--
Page 27
SQL injection: Union injections
' UNION SELECT field1, field2 FROM table--
' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
Stacked queries
'; DROP TABLE table;--
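The "normal" and "abnormal" operation slides above, worked through in code as an added example (not part of the deck or of bWAPP): a login check that concatenates the password into the query, beside the same check written with bound parameters. The users table, its rows and the `login`/`password` column names are constructed for the demonstration; the payloads are the ones listed on the "Simple injections" slide.

```python
import sqlite3

# Constructed in-memory stand-in for the deck's "table" with login and
# password columns (sample rows, not bWAPP's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    return conn

def vulnerable_login(conn, login, password):
    """Query built by string concatenation, as on the 'Abnormal operation'
    slide: the input becomes SQL text, so a quote ends the string literal
    and 'or 1=1' / '--' are parsed as operators and a comment.
    Returns (authenticated, sql_text) so the caller can see what ran."""
    sql = (f"SELECT login FROM users WHERE login = '{login}' "
           f"AND password = '{password}'")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0, sql

def safe_login(conn, login, password):
    """Parameterised query: the values are bound separately from the SQL
    text, so the interpreter only ever compares them as plain strings."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    rows = conn.execute(sql, (login, password)).fetchall()
    return len(rows) > 0

if __name__ == "__main__":
    db = make_db()
    for pwd in ("s3cret", "' or 1=1--", "' or 'a'='a"):
        ok, sql = vulnerable_login(db, "alice", pwd)
        print(f"concatenated:  {ok}  <- {sql}")
        print(f"parameterised: {safe_login(db, 'alice', pwd)}")
```

With the two injected passwords the concatenated query authenticates "alice" without the real password, while the parameterised one rejects both.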
Page 28
SQL Injection
Page 29
Don’t try @ home! SQL injection
Bypassing login forms
Manually extracting data
Automated SQL injection
Website defacement
Page 32
Cross-Site Scripting: Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
Insufficient validation of user-supplied data
Dangerous when it is stored permanently!
XSS can lead to
Website defacements
Phishing / session hijacking
Client-side exploitation
Page 33
Cross-Site Scripting: XSS in the OWASP Top 10
Page 34
Don’t try @ home! Cross-Site Scripting
Detecting XSS
Phishing attack
Client-side exploitation
Page 35
Heartbleed bug: Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)
Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!
Sensitive data that might be stolen
Logon credentials
Session data
Private keys
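Why a "simple heartbeat request" could leak data, as an added example that is not part of the deck: a heartbeat message carries its own payload length, and the vulnerable code copied that many bytes back without checking that they had actually been received. The bytes standing in for process memory (a leftover credential) are constructed for the demonstration; the length check in `checked_response` is the one the OpenSSL fix added.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload

# Constructed stand-in for whatever sits in process memory right after the
# received record (here: a leftover request body). Not real OpenSSL memory.
LEFTOVER_MEMORY = b"\x00" * 8 + b"login=alice&password=s3cret" + b"\x00" * 32

def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat: type(1) | payload_length(2) | payload | padding.
    claimed_length lets a test declare a length larger than the real payload."""
    length = len(payload) if claimed_length is None else claimed_length
    header = struct.pack("!BH", HEARTBEAT_REQUEST, length)
    return header + payload + b"\x00" * MIN_PADDING

def unchecked_response(record, memory=LEFTOVER_MEMORY):
    """Pre-fix behaviour: echo payload_length bytes starting at the payload,
    trusting the peer's length field. If the record is shorter than claimed,
    the copy runs past it into adjacent memory (simulated by `memory`)."""
    _, length = struct.unpack("!BH", record[:3])
    reachable = record + memory
    return reachable[3:3 + length]

def checked_response(record):
    """Fixed behaviour: the declared payload, plus header and minimum padding,
    must fit inside the record that actually arrived; otherwise discard it."""
    if len(record) < 3:
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + length + MIN_PADDING > len(record):
        return None  # silently drop the malformed heartbeat
    return record[3:3 + length]

if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    bogus = build_heartbeat(b"hello", claimed_length=60)
    print("honest, unchecked:", unchecked_response(honest))
    print("bogus,  unchecked:", unchecked_response(bogus))
    print("bogus,  checked:  ", checked_response(bogus))
```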
Page 36
Don’t try @ home! Heartbleed bug
Stealing credentials
Page 37
Denial-of-Service: Denial-of-Service attack, or DoS attack
Attacker attempts to prevent legitimate users from accessing the application, server or network
Consumes bandwidth, server sockets, or CPU resources
Distributed Denial-of-Service attack, or DDoS
Popular techniques used by hacktivists
Page 38
Denial-of-Service: Newer layer 7 DoS attacks are more powerful!
“Low-bandwidth application layer DoS”
Advantages of layer 7 DoS
Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
Requires a smaller number of connections; a single attack can stop a web server
Reaches resource limits of services, regardless of the hardware capabilities of the server
Page 39
Denial-of-Service: Layer 7 DoS methods
HTTP Slow Headers
HTTP Slow POST
HTTP Slow Reading
Apache Range Header
SSL/TLS Renegotiation
XML Bombs
Page 40
Don’t try @ home! Denial-of-Service
HTTP Slow POST
Page 42
Superbees wanted: Hi little bees, during this talk we
Defaced the website
Compromised the server
Compromised a client
Made the server unreachable
Hijacked a session
Stole credentials…
Page 43
And we have so many more bugs to exploit…
Definitely time to improve your web security
Defense is needed, security-testing is required!
Downloading bWAPP is a first start
Remember: every bee needs a superbee
Are you that superbee?
Superbees wanted
@MME_IT
#bWAPP
Page 44
About me: Malik Mesellem
Email | [email protected]
LinkedIn | be.linkedin.com/in/malikmesellem
Twitter | twitter.com/MME_IT
Blog | itsecgames.blogspot.com