Transcript of Web Security attacks and defense

Web Security
● Jose Mato Mariño
3/5/15 - 12:52:45 AM
Who am I?
● Web Developer
● Web security as hobby
● http://josemato.name
● @security4dev

Is it mandatory to know web security in order to build a website?
● YES. If someone hacks your server, you, the developer, are screwed
– Read logs, ..., a lot of logs
– Sometimes it is difficult to know what was happening
– Web security is easier than computer forensics
● Your client
– Angry
– Loses branding and reputation

Why do cybercriminals want my server???
● SPAM
● BitCoins
● Phishing
● Botnet
● Ransomware
● Data theft

● Online community dedicated to web application security
● Guides, practices and recommendations to be considered for secure application development
● OWASP TOP 10
OWASP TOP 10 – From 2010 to 2013

A3 – Cross Site Scripting (XSS)
● Problem: the user injects code (ActiveX, Java, VBScript, Flash, HTML, but typically JavaScript) into a webpage
● Attacks:
– Access the user's session (session hijacking)
– Redirect the user to an exploit kit (Blackhole)
– Defacement. Phishing.
– Network IP + port scanner
● There are 5 contexts in which XSS can be exploited
● There are two types of XSS

A3 – XSS Context
● Context (by Ashar Javed @soaj1664ashar):
"Context is an environment where user supplied input or input from other application(s) eventually ends up or starts living"
● Types of context:
– HTML context (<title>XSS</title>)
– Attribute context (<input value="XSS">)
– Script context (<script>var a = "<?php echo XSS ?>";</script>)
– URL context (a server variable written into src, href, Flash data, etc.)
– Style context (<div style="XSS"> => custom editors)

A3 – XSS Types
● Reflected
– The code is not stored in any database or repository
– The payload must be in a GET parameter (discussion)
– The user needs to click on a malicious link
● Persistent
– The code is stored in a persistent store (database)
– When a user enters the hacked page, the exploit is executed

A3 – Famous XSS: "Mr. Bean 'sneaks into' the official website of the Spanish presidency"
● http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262610678.html

XSS DEMO I
● Check if there is some XSS
● Get access to a user account

A3 – XSS Mitigation
● Never trust user input (inbound & outbound)
● Sanitize all inputs
● Enable the httpOnly flag on cookies
● Content Security Policy (CSP)
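The five contexts from the XSS Context slide and the mitigations listed just above, worked through in code. This is an added example, not code from the talk: the helper names, the `session` cookie name and the untrusted sample value `UNTRUSTED_NAME` are all constructed for illustration. Each context gets the encoder that fits it; the style context is handled with an allowlist rather than escaping, because no escaping function can make arbitrary CSS safe.

```python
"""Context-aware output encoding for the five XSS contexts named on the
slides (HTML, attribute, script, URL, style), plus the response headers for
the httpOnly cookie and CSP mitigations. Added example; all names and the
sample input are constructed for illustration."""
import html
import json
import re
from urllib.parse import quote

# Constructed untrusted input: a display name that tries to break out of
# whatever context it lands in.
UNTRUSTED_NAME = '"><img src=x onerror=alert(1)>'

# Only a 6-digit hex colour is accepted for the style context; anything else
# falls back to a default, because escaping cannot make arbitrary CSS safe.
_HEX_COLOUR = re.compile(r"#[0-9a-fA-F]{6}")


def encode_html(value: str) -> str:
    """HTML text context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """Attribute context: same entities, and the caller must always quote the
    attribute so a space cannot start a new attribute."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Script context: emit a JSON string literal (valid JS), then escape < and >
    so that a value containing </script> cannot close the element.
    json.dumps keeps ensure_ascii=True, so U+2028/U+2029 are escaped as well."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """URL context (query parameter value): percent-encode everything except
    unreserved characters, so ':' '/' '?' '&' cannot change the URL's meaning."""
    return quote(value, safe="")


def safe_css_colour(value: str, default: str = "#000000") -> str:
    """Style context: allowlist instead of escaping."""
    return value if _HEX_COLOUR.fullmatch(value) else default


def render_profile(name: str, colour: str, return_to: str) -> str:
    """Render a page that places untrusted values in all five contexts,
    each with the encoder that matches that context."""
    return (
        "<!doctype html><html><head>"
        f"<title>{encode_html(name)}</title>"                         # HTML context
        "</head><body>"
        f'<input type="text" value="{encode_attr(name)}">'            # attribute context
        f'<div style="color: {safe_css_colour(colour)}"></div>'       # style context
        f'<a href="/back?to={encode_url_param(return_to)}">back</a>'  # URL context
        f"<script>var user = {encode_js_string(name)};</script>"      # script context
        "</body></html>"
    )


def security_headers(session_id: str) -> dict:
    """Response headers for the two mitigations on the slide: the session
    cookie is HttpOnly (not readable from script), and CSP blocks inline and
    third-party script. 'session' is a placeholder cookie name."""
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
    }


if __name__ == "__main__":
    print(render_profile(UNTRUSTED_NAME, "red; background: url(//evil)", "javascript:alert(1)"))
    print(security_headers("placeholder-session-id"))
```

The point of the slide's "sanitize all inputs" is really output encoding chosen per context: the same `UNTRUSTED_NAME` is harmless as entities in the title, as a JSON literal in the script block, and as percent-encoded bytes in the link, while one generic escape function would have left at least one of those contexts open. The CSP header is the second line of defence for the case where an encoding step is forgotten.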

A4 – Insecure Direct Object References
● Access to resources that are not allowed
● The application fails to check whether the user is authorized to access the resource
● Common scenario:
– http://websecurity-demo.local/transcript.php?student=1536
● The attacker sees a parameter and knows that "1536" is his student id
● The attacker changes this student id and gets another student's content
● This parameter could be anywhere (GET, POST, cookie, ...)
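The transcript.php?student=1536 scenario from the slide, written three ways as an added example (not code from the talk): the vulnerable lookup, the same lookup with an object-level authorization check derived from the session, and an indirect reference map so that the real id never appears in the link. The students, sessions, roles and helper names are constructed for illustration.

```python
"""The transcript.php?student=1536 scenario from the slide, written three ways:
the vulnerable lookup, the same lookup with an object-level authorization
check, and an indirect reference map that never exposes the real id to the
client. Added example; the students, sessions and helper names are constructed."""
import secrets
from dataclasses import dataclass, field

# Constructed data store: student id -> transcript text.
TRANSCRIPTS = {
    1536: "Alice: Algebra A, Networks B",
    1537: "Bob: Algebra C, Networks A",
    1538: "Carol: Algebra B, Networks B",
}


@dataclass
class Session:
    """What the server knows about the caller from the session cookie."""
    user_id: int
    role: str = "student"
    ref_map: dict = field(default_factory=dict)  # opaque token -> real student id


def get_transcript_insecure(student: str) -> str:
    """Vulnerable: the id in the request is used as-is, so any logged-in user
    can read any transcript by changing the number."""
    return TRANSCRIPTS[int(student)]


def get_transcript(session: Session, student: str) -> str:
    """Fixed: authorization is derived from the session, not from the request.
    A student may read only their own record; the registrar role may read any."""
    student_id = int(student)  # non-numeric input raises ValueError (answer with 400)
    if session.role != "registrar" and session.user_id != student_id:
        # Worth logging: a mismatch between session user and requested object
        # is exactly the probe the slide describes.
        raise PermissionError(f"user {session.user_id} may not read transcript {student_id}")
    return TRANSCRIPTS[student_id]


def issue_reference(session: Session, student_id: int) -> str:
    """Indirect reference: put an opaque per-session token in the link instead
    of the real id, so there is nothing for a client to increment."""
    token = secrets.token_urlsafe(8)
    session.ref_map[token] = student_id
    return token


def get_transcript_by_reference(session: Session, token: str) -> str:
    """Resolve the token through the caller's own map; a token issued to another
    session is simply unknown here. The direct check still runs afterwards."""
    student_id = session.ref_map.get(token)
    if student_id is None:
        raise PermissionError("unknown reference")
    return get_transcript(session, str(student_id))


def denied(func, *args) -> bool:
    """True if the call is refused with PermissionError."""
    try:
        func(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = Session(user_id=1536)
    print(get_transcript(alice, "1536"))
    print("Alice reading Bob via direct id denied:", denied(get_transcript, alice, "1537"))
    print("Insecure endpoint leaks Bob:", get_transcript_insecure("1537"))
```

The check belongs on the server side of every object lookup, whatever the parameter's transport (GET, POST or cookie, as the slide notes); the indirect map is an extra layer, not a replacement for the check, which is why `get_transcript_by_reference` still calls `get_transcript`.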

A1 – Injection
● Technique to alter the queries sent to the storage engine through a vulnerable application
● MySQL, MSSQL, Postgres, LDAP, Access, Oracle, ...
● We are going to focus on SQLi in this talk
● Many kinds of SQLi

A1 – SQL Injection Goals
● Access personal data. Dump the database
● Dump local users (/etc/passwd)
● Access the organization's CMS
● Site infection
– Malware propagation
– Click abuse

A1 – Famous SQL Injection I
● Lilupophilupop SQL Injection Attack Tops 1 Million Infected URLs
– Searched for SQL injection on ASP or ColdFusion pages backed by Microsoft SQL Server
– More than one million URLs infected
– The attackers used persistent XSS to redirect users to pages showing fake computer issues in order to sell a fake AV
● http://threatpost.com/lilupophilupop-sql-injection-attack-tops-1-million-infected-urls-010412/76054

A1 – Famous SQL Injection II
● Barr’s claims that he would unmask and extinguish Anonymous proved to be the proverbial last straw on the camel’s back.
● Anonymous found a SQL injection:
– http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
● Passwords were hashed, but Aaron only used lower case letters and numbers.
● Accessed the CMS. Social engineered an email password reset and got SSH access. (Aaron used the same password for many services!)
● http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

A1 – SQL Injection Types
● SQL Injection
● Blind SQLi
– We can only use queries that return a boolean value (true or false).
– It's very slow
– Binary search to improve performance
● Time-based SQLi
– Based on heavy queries (sleep)
– Very slow

A1 – SQL Injection Walkthrough I
● The database engine has metadata, a catalog, a schema or something similar
● This catalog stores all of the database's meta-information (table relations, which databases exist, column names with length and datatype, ...)
● Knowing the catalog of the vulnerable app is mandatory in order to perform a pentest

A1 – SQL Injection Walkthrough II
● Search for the vulnerability (test the app's requests and check the params)
– Number of columns
– Database names
– Table names
– Column names
● Dump or insert data
● Download files
● Upload a webshell

A1 – SQL Injection Walkthrough III
● MySQL Catalog
– Retrieve databases: SELECT schema_name FROM information_schema.SCHEMATA;
– Retrieve tables from a specific database: SELECT table_schema, table_name FROM information_schema.TABLES WHERE table_schema = 'DATABASE';
– Retrieve columns from a specific table: SELECT column_name, column_type FROM information_schema.columns WHERE table_name = 'TABLE' AND table_schema = 'DATABASE';
A1 – SQL Injection Hacking Time :)

Any questions?? THANKS!!
● Jose Mato
– http://josemato.name
– @security4dev
– https://github.com/josemato/
– https://www.linkedin.com/in/josematomarino