hacking web sites owasp top 10
play

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term - PowerPoint PPT Presentation

Mar 11, 2023 •593 likes •1.25k views

Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Web Security: Overview of other security risks OWASP Top 10

  1. Hacking Web Sites OWASP Top 10 Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 1

  2. Web Security: Overview of other security risks OWASP Top 10 � Top 10 Web Security Risks � A4 XML External Entities � A6 - Security Misconfiguration � A8 Insecure Deserialization � A9 - Using components with known vulnerabilities � A10 Insufficient Logging and Monitoring � Cross Site Request Forgery CSRF � Widespead vulnerability Vulnerability? Attacks using CSRF Protection CSRF prevention without a synchronizer token Conclusion � Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 2

  3. OWASP Top 10 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 3

  4. OWASP Top 10 10 most critical security risks for web applications Goal Raise awareness of people about application security Based on real examples 8 datasets from 7 firms specialized in application security 500’000 vulnerabilities, thousands of applications Sorted on the prevalence of data in combination with risks (exploitability, detectability and impact estimation) Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 4

  5. What are application security risks? Attackers can use many different paths to do harm Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 5

  6. Top 10 Web Security Risks Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 6

  7. OWASP Top 10 Presents the 10 most critical web application security risks Produced by the Open Web Application Security Project (OWASP) Available on line www.owasp.org Updated in 2017 Not Exhaustive hundreds of other issues occure in Web Security But it is foccused on the most critical ones Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 7

  8. OWASP Top 10 Version 2017 A1:2017 - Injection Seen A2:2017 - Broken Authentication Seen A3:2017 - Sensitive Data Exposure Seen A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control Seen A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) Seen A8:2017 - Insecure Deserialization A9:2017 - Using components with known vulnerabilities A10:2017 - Insufficient Logging and Monitoring Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 8

  9. A4 XML External Entities Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 9

  10. A4:2017 XML External Entities (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. XML processors Older and poorly configured evaluate external entity references within XML documents. External entities used to: disclose internal files using the file URI handler disclose internal file shares, internal port scanning, remote code execution, and denial of service attacks. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 10

  11. Attack Vector Vulnerable XML Processor Attacker can upload XML include hostile content in an XML document Exploits vulnerable code, dependencies, integrations. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 11

  12. Security Weakness Older XML-Processors allow specification of an external entity External Entity = URI that is dereferenced and evaluated in XML processing Source Code Analysis Tools Static Application Security Testing (SAST) Analyse source to find flaws Search for dependencies and configuration Vulnerability Scanning Tools Dynamic Application Security Testing Test the web site from the outside require additional manual steps to detect this issue Detectability is difficult Manual testers need to be trained how to test for XXE Not commonly tested as of 2017 Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 12

  13. Example 1 The attacker uploads a XML file on the server The parsing may occur anywhere in the code, very deeply. The easiest way is to upload a file and see. Upload file: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo[ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd">]> <foo>&xxe;</foo> Parser accesses the file /etc/passwd and includes it inside the document. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 13

  14. Example 2 Suppose we change the ENTITY definition <!ENTITY xxe SYSTEM "https://192.168.1.1/private">]> The attacker can test if a resource exists on a local server Can be used to scan the internal network Can open access to some resources Allow to send requests to servers Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 14

  15. Example 3 Can be used for denial-of-service Access a endless file <!ENTITY xxe SYSTEM "file:///dev/random">]> Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 15

  16. Your application is vulnerable If the application accepts XML directly or XML uploads If XML processor has DTDs enabled DTD = Document Type Definition Can be in an application or a SOAP based web service Disabling DTD is different for each system If your application uses SAML (for SSO or federated security) SAML uses XML for identity assertions, it may be vulnerable. The application uses SOAP prior to version 1.2 susceptible to XXE attacks if XML entities are being passed to the SOAP framework. Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 16

  17. How to prevent? Prefere JSON to XML (less complex) Update SOAP to SOAP 1.2 or higher Disable external entity and DTD Validate input prefere “white listing” against “black listing” Validate uploaded XML and XSL files with XSD validation Code review necessary SAST tools may help Do not replace manual code review Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 17

  18. A6 - Security Misconfiguration Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 18

  19. A6 - Security Misconfiguration Process for keeping software up-to-date OS Web /App Server DBMS Is everything unnecessary disabled? ports, services, pages, accounts, priviledges Have been default account passwords changed or disabled? Before the first connection to the net Is your error handling set to prevent informative messages? Stack traces SQL errors Are the security settings in your development frameworks understood and configured properly Struts, JSF, Spring, ASP.NET Libraries Repeatable process is required Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 19

  20. Security Misconfiguration (Cont.) Application relies on a framework (JSF, Struts, Spring) A flow is found in the framework An update is released You don’t install the update (sometimes you can’t) Attackers will use the known vulnerability The application has a default admin page with default pwd You forget to remove the tool and to change the pwd Attack logs in using default value Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 20

  21. Security Misconfiguration (Cont.) Directory listing is not disabled Attackers can browse directories and find any file. They download Java .class files and uncompile them, then know your code. Access to “configuration” files not properly restricted Config files inside the DocumentRoot . Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 21

  22. How to determine if you are vulnerable If you did nothing: you are vulnerable Almost no application is secure “out of the box” Secure configuration of the server should be documented Regularly updated You should check if the actual configuration is still conform regularly Scanner can check for known vulnerabilities Nessus or Nikito for instance You should run them on a regular basis Berner Fachhochschule | Haute ´ ecole sp´ ecialis´ ee bernoise | Berne University of Applied Sciences 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources

OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words about OWASP 2. Owasp resources 3. Setting up workstations 4. OWASP WebScarab/OWASP WebScarab-NG 5. O2 Platform About me In London since October 2010 Before that MCPD, MCTS,

747 views • 58 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation

The OWASP Foundation Libre Software Meeting Brussels 10-July-2013 http://www.owasp.org OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org OWASP Foundation Board Member OWASP Belgium Chapter Leader SAMM project

682 views • 43 slides
Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken Authentication Brute Force Session Spotting Emmanuel Benoist Session Fixation Attack Session Hijacking Fall Term 2020/2021 Session Expiration

638 views • 10 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Stored XSS Reflected

792 views • 50 slides
Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017

Welcome to the OWASP Toronto Meetup Hello, and happy 2018! Announcement: OWASP Top 10 2017 Changes between 2013 and 2017 Hi, I am X. How do I get into AppSec/Security? OWASP Toronto Chapter January 17, 2018 Topics Overviews, Career Paths,

372 views • 36 slides
Hacking Web Sites Insecure Direct Object Reference Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Insecure Direct Object Reference Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Insecure Direct Object Reference Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Introduction

890 views • 35 slides
Cyber@UC Meeting 31 Hardware Hacking If Youre New! Join our Slack ucyber.slack.com Follow

Cyber@UC Meeting 31 Hardware Hacking If Youre New! Join our Slack ucyber.slack.com Follow

Cyber@UC Meeting 31 Hardware Hacking If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our committees:

506 views • 12 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of GNUCITIZEN SALES PITCH Cutting-edge Think Tank THERE ISN'T ANY! CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and

766 views • 64 slides
Hacking the Drones Aatif Khan Aatif Khan Full Time PenTester | Part time Trainer Over a

Hacking the Drones Aatif Khan Aatif Khan Full Time PenTester | Part time Trainer Over a

Hacking the Drones Aatif Khan Aatif Khan Full Time PenTester | Part time Trainer Over a decade of experience in Information Security. Previously presented talks at OWASP Netherlands, Singapore, Malaysia, India and Dubai.

1.14k views • 72 slides
Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

1k views • 82 slides
Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset

Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset

Introduction to the Phone System Session Objectives Logging on/ofg fg Using the handset (T21 &amp; T27) Receiving, holding, transferring calls Making internal/external calls Using the Soft Phone Colleague availability on

878 views • 52 slides
802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick

802.1X &amp; EAP &amp; Keying State Machines and Interfaces Jim Burns Paul Congdon Nick Petroni John Vollbrecht March 2003 IEEE 802 Plenary, Dallas TX 1 The Working Groups Several specifications MUST align to enable a working

436 views • 21 slides
Profiles with OpenAFS Lars Schimmer European OpenAFS Conference August 10, 2010 Why at all?

Profiles with OpenAFS Lars Schimmer European OpenAFS Conference August 10, 2010 Why at all?

Windows Roaming Profiles with OpenAFS Lars Schimmer European OpenAFS Conference August 10, 2010 Why at all? Central management Central backup Central templates No data on workstations Users get their own setup on every

354 views • 10 slides
Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof.

Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof.

Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof. Hubert Baumeister Spring 2016 Contents 1 Adding a Command Line Interface to the Library Application 1 1 Adding a Command Line Interface to the

338 views • 6 slides
Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in

Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in

Creating an Amendment in 2 Start the Amendment in webIRB 1. When creating an amendment in webIRB, indicate if any radiation procedures will be added or changed. If Yes is indicated, a radiation review will be required. 2. When the webIRB

463 views • 10 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/ you can also find the slides

Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/ you can also find the slides

Organisation Institut fr Technische Informatik Chair for Embedded Systems - Prof. Dr. J. Henkel Lecture time: Mi., 15.45 - 17.15 Vorlesung im SS 2014 Bld. 50.34, HS -102 Reconfigurable and Homepage: http://ces.itec.kit.edu/teaching/

418 views • 8 slides
Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester)

Shibboleth &amp; Grid Integration STFC and University of Oxford (and University of Manchester) Acknowledgements Slides by David Spence ShibGrid (University of Oxford + STFC) SARoNGS (STFC, University of Oxford, University of

652 views • 23 slides

More recommend