OWASP Daniel Brzozowski daniel@brzozowski.biz Agenda 1. Few words - - PowerPoint PPT Presentation

SLIDE 1

OWASP

Daniel Brzozowski daniel@brzozowski.biz

SLIDE 2

Agenda

  • 1. Few words about OWASP
  • 2. OWASP resources
  • 3. Setting up workstations
  • 4. OWASP WebScarab / OWASP WebScarab-NG
  • 5. O2 Platform
SLIDE 3

About me…

  • In London since October 2010
  • Before that: MCPD, MCTS, MCP
  • OWASP WebScarab-NG & OWASP .NET Project Leader

SLIDE 4

Introduction – Web security

  • Growing popularity of this subject…
  • What is a security bug?
  • Why do we have such bugs?
  • What about statistics?

SLIDE 5

Penetration test

What is a penetration test?

Types: Passive, Active

[Diagram] Research → Mapping application → Attack → Report

SLIDE 6

OWASP

SLIDE 7

What is OWASP?


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.

OPEN INNOVATION GLOBAL INTEGRITY

SLIDE 8

OWASP local chapters

SLIDE 9

OWASP London Chapter

  • Led by Justin Clarke
  • Meetings: visit https://www.owasp.org/index.php/London and subscribe to the mailing list!

SLIDE 10

OWASP Resources you can use today!

SDLC
  • Guides (Testing, Development, Code Review)
  • SAMM
  • ASVS

Community
  • Mailing lists
  • Chapters
  • Conferences

Tools
  • WebGoat
  • WebScarab/WebScarab-NG
  • ESAPI
  • O2 Platform
  • OWASP Live CD

SLIDE 11

OWASP Live CD

https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

SLIDE 12

OWASP TOP 10

SLIDE 13

OWASP Top 10

  • A1: Injection
  • A2: XSS
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: CSRF
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

SLIDE 14

A1: Injection

Injection means…
  • Tricking an application into including unintended commands in the data sent to an interpreter

Interpreters…
  • Take strings and interpret them as commands
  • SQL, OS Shell, LDAP, XPath, Hibernate, etc…

SQL injection is still quite common
  • Many applications still susceptible (really don't know why)
  • Even though it's usually very simple to avoid

Typical Impact
  • Usually severe. Entire database can usually be read or modified
  • May also allow full database schema, or account access, or even OS level access

SLIDE 15

Attack example – OWASP Top 10 A1: Injection – SQL injection

    String userInput = s.getParser().getRawParameter(USERNAME, "");         // raw, untrusted request parameter
    String SELECT_ST = "select * from employee where userid=" + userInput;  // concatenated straight into the SQL text

[Diagram: User / Hacker]
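The same query built two ways, as an added Python/sqlite3 example (not from the slides or WebGoat): the concatenation pattern shown above beside a parameterised version. The employee table and the inputs are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the employee table on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(101, "alice"), (102, "bob"), (103, "carol")])
    return conn

def lookup_concat(conn, user_input):
    """Same pattern as SELECT_ST on the slide: the raw parameter becomes part
    of the SQL text, so the interpreter cannot tell data from command."""
    sql = "select * from employee where userid=" + user_input
    return conn.execute(sql).fetchall()

def lookup_param(conn, user_input):
    """Fixed version: validate the type, then bind the value as a parameter.
    The SQL text is constant; the value never reaches the parser as code."""
    try:
        userid = int(user_input)
    except ValueError:
        raise ValueError("userid must be an integer") from None
    return conn.execute("select * from employee where userid=?", (userid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "101"))         # one row, as intended
    print(lookup_concat(db, "101 or 1=1"))  # whole table: the "entire database can be read" impact
    print(lookup_param(db, "101"))          # one row; the tampered input is rejected instead
```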

SLIDE 16

A1: Injection

December 2009
  • a hacker used SQL Injection techniques to hack the database of RockYou
  • RockYou creates applications for MySpace, Facebook, ...

Result
  • data of 32,603,388 users and administrative accounts was compromised (credentials + clear text passwords)
  • the data also contained email addresses and passwords for 3rd party sites

Question: how many of those users use the same password for other sites too?

SLIDE 17

A2: XSS

Occurs any time…
  • Raw data from attacker is sent to an innocent user's browser

Raw data…
  • Stored in database
  • Reflected from web input (form field, hidden field, URL, etc…)
  • Sent directly into rich JavaScript client

Typical Impact
  • Steal user's session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
  • Most Severe: Install XSS proxy which allows attacker to observe and direct all user's behavior on vulnerable site and force user to other sites

SLIDE 18

A2: XSS

"A new cross-site scripting (XSS) weakness identified on Twitter and can be leveraged by attackers to hijack users' sessions and post on their behalf."

Posted on xssed.com: http://www.xssed.com/mirror/68655/

SLIDE 19

A3: Broken Authentication and Session Management

HTTP is a "stateless" protocol
  • Means credentials have to go with every request
  • Should use SSL for everything requiring authentication

Session management flaws
  • SESSION ID used to track state since HTTP doesn't
  • and it is just as good as credentials to an attacker
  • SESSION ID is typically exposed on the network, in browser, in logs, …

Beware the side-doors
  • Change my password, remember my password, forgot my password, secret question, logout, email address, etc…

Typical Impact
  • User accounts compromised or user sessions hijacked

SLIDE 20

A4: Insecure Direct Object References

How do you protect access to your data?
  • This is part of enforcing proper "Authorization", along with A8 – Failure to Restrict URL Access

A common mistake …
  • Only listing the 'authorized' objects for the current user, or
  • Hiding the object references in hidden fields
  • … and then not enforcing these restrictions on the server side
  • This is called presentation layer access control, and doesn't work
  • Attacker simply tampers with parameter value

Typical Impact
  • Users are able to access unauthorized files or data

SLIDE 21

A4: Insecure Direct Object References

SLIDE 22

A5: CSRF

Cross Site Request Forgery
  • An attack where the victim's browser is tricked into issuing a command to a vulnerable web application
  • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request

Imagine…
  • What if a hacker could steer your mouse and get you to click on links in your online banking application?
  • What could they make you do?

Typical Impact
  • Initiate transactions (transfer funds, logout user, close account)
  • Access sensitive data
  • Change account details

SLIDE 23

A5: CSRF

<img src="http://bank.com/withdraw?fromId=12314&amount=1000000&toID=12312">

Can be injected by XSS. From phishing site.
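A withdraw handler that the forged <img> request above would fail against, as an added Python example (not from the slides or Hacme Bank). The request shape, the session store and the origin https://bank.example are constructed.

```python
import hmac
import secrets

SESSIONS = {}                        # constructed stand-in for a server-side session store
OUR_ORIGIN = "https://bank.example"  # constructed; the site that legitimately hosts the form

def new_session(account):
    """Log a user in: issue a session id and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"account": account, "csrf_token": secrets.token_hex(16)}
    return sid

def csrf_token_for(sid):
    """What the bank's own withdraw form embeds as a hidden field."""
    return SESSIONS[sid]["csrf_token"]

def handle_withdraw(request):
    """request: dict with 'method', 'cookies', 'headers', 'form' (constructed shape).
    Returns (status, message)."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    # 1. A state change must not be reachable by GET: an <img src=...> or a link
    #    on a phishing page can only produce a GET.
    if request["method"] != "POST":
        return 405, "withdraw requires POST"
    # 2. Synchronizer token: the browser attached the session cookie automatically,
    #    but a cross-site page cannot read the token out of our form.
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # 3. Defence in depth: if the browser reports an Origin, it must be ours.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != OUR_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, "withdrew %s from %s" % (request["form"]["amount"], session["account"])
```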

SLIDE 24

A5: CSRF

April 2010. No specific details: "the victim's transaction details will be sent to the attacker's Website"

SLIDE 25

A6: Security Misconfiguration

Web applications rely on a secure foundation
  • All through the network and platform
  • Don't forget the development environment

Is your source code a secret?
  • Think of all the places your source code goes
  • Security should not require secret source code

Configuration Management must extend to all parts of the application
  • All credentials should change in production

Typical Impact
  • Install backdoor through missing network or server patch
  • XSS flaw exploits due to missing application framework patches
  • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

SLIDE 26

A7: Insecure Cryptographic Storage

Storing sensitive data insecurely
  • Failure to identify all sensitive data
  • Failure to identify all the places that this sensitive data gets stored
  • Databases, files, directories, log files, backups, etc.
  • Failure to properly protect this data in every location

Typical Impact
  • Attackers access or modify confidential or private information
  • e.g. credit cards, health care records, financial data (yours or your customers')
  • Attackers extract secrets to use in additional attacks
  • Company embarrassment, customer dissatisfaction, and loss of trust
  • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
  • Business gets sued and/or fined

SLIDE 27

A7: Insecure Cryptographic Storage

SLIDE 28

A8: Failure to Restrict URL Access

How do you protect access to URLs (pages)?
  • This is part of enforcing proper "authorization", along with A4 – Insecure Direct Object References

A common mistake …
  • Displaying only authorized links and menu choices
  • This is called presentation layer access control, and doesn't work
  • Attacker simply forges direct access to 'unauthorized' pages

Typical Impact
  • Attackers invoke functions and services they're not authorized for
  • Access other users' accounts and data
  • Perform privileged actions
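Presentation-layer control beside server-side enforcement, covering both A4 (object references) and A8 (URL access), as an added Python example (not from the slides or Hacme Bank). The users, documents and page table are constructed.

```python
# Constructed data: who owns which document, and which role each page needs.
DOCUMENTS = {"doc-1": {"owner": "alice", "body": "alice's statement"},
             "doc-2": {"owner": "bob",   "body": "bob's statement"}}
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
PAGE_ROLES = {"/account": "user", "/admin/users": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}

def links_for(username):
    """What the UI renders: only the caller's own documents and permitted pages.
    Hiding links is fine for usability, but it is not access control."""
    docs = [d for d, meta in DOCUMENTS.items() if meta["owner"] == username]
    pages = [p for p, role in PAGE_ROLES.items()
             if ROLE_RANK[USERS[username]["role"]] >= ROLE_RANK[role]]
    return docs, pages

def get_document_insecure(username, doc_id):
    """A4 mistake: trusts that the UI only ever offered the user their own ids."""
    return DOCUMENTS[doc_id]["body"]

def get_document(username, doc_id):
    """A4 fix: the ownership check runs on the server for every request,
    whatever value the client put in the parameter."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != username:
        raise PermissionError("not authorised for %s" % doc_id)
    return doc["body"]

def open_page(username, path):
    """A8 fix: every URL is checked against the role it requires, not only
    the ones the menu showed. Unknown paths are denied rather than served."""
    needed = PAGE_ROLES.get(path)
    if needed is None or ROLE_RANK[USERS[username]["role"]] < ROLE_RANK[needed]:
        raise PermissionError("not authorised for %s" % path)
    return "page %s for %s" % (path, username)
```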

SLIDE 29

A8: Failure to Restrict URL Access

Date published: 13/02/2010. WordPress version 2.9: ability to view deleted messages by other users.

SLIDE 30

A9: Insufficient Transport Layer Protection

Transmitting sensitive data insecurely
  • Failure to identify all sensitive data
  • Failure to identify all the places that this sensitive data is sent
  • On the web, to backend databases, to business partners, internal communications
  • Failure to properly protect this data in every location

Typical Impact
  • Attackers access or modify confidential or private information
  • e.g. credit cards, health care records, financial data (yours or your customers')
  • Attackers extract secrets to use in additional attacks
  • Company embarrassment, customer dissatisfaction, and loss of trust
  • Expense of cleaning up the incident
  • Business gets sued and/or fined

SLIDE 31

A9: Insufficient Transport Layer Protection

SLIDE 32

A10: Unvalidated Redirects and Forwards

Web application redirects are very common
  • And frequently include user supplied parameters in the destination URL
  • If they aren't validated, attacker can send victim to a site of their choice

Forwards (aka Transfer in .NET) are common too
  • They internally send the request to a new page in the same application
  • Sometimes parameters define the target page
  • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks

Typical Impact
  • Redirect victim to phishing or malware site
  • Attacker's request is forwarded past security checks, allowing unauthorized function or data access

SLIDE 33

A10: Unvalidated Redirects and Forwards

Discover time: 4/30/2010
http://secworm.net/forums/showthread.php?tid=1080
http://www.facebook.com/l.php?u=http://www.wikipedia.com&h=725b6
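Validating the u= parameter of a redirector like the l.php link above, as an added Python example (not the slides' or Facebook's code): an allowlist of hosts plus an HMAC signature standing in for what an h= value might carry. The hosts and secret are constructed, and the signature scheme is an assumption, not a description of the real service.

```python
import hmac
import hashlib
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com", "help.example.com"}  # constructed allowlist
SECRET = b"constructed-server-secret"                     # constructed; keep out of source in practice

def is_safe_redirect(target):
    """Accept only local absolute paths or http(s) URLs to allowlisted hosts."""
    p = urlparse(target)
    if p.scheme == "" and p.netloc == "":
        # Local path. Reject '//host' (protocol-relative) and backslash variants
        # that some browsers normalise into a different host.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS

def sign_target(target):
    """Short HMAC over the destination, issued only when the site itself builds
    a link to an external page; a destination typed in by a third party will not verify."""
    return hmac.new(SECRET, target.encode(), hashlib.sha256).hexdigest()[:16]

def verify_target(target, h):
    return hmac.compare_digest(sign_target(target), h)

def resolve_redirect(params):
    """params: the redirector's query as a dict, 'u' = destination, 'h' = signature.
    Returns the URL to send the browser to; unsafe input falls back to '/'."""
    target = params.get("u", "")
    if is_safe_redirect(target):
        return target
    if verify_target(target, params.get("h", "")):
        return target
    return "/"
```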

SLIDE 34

Testing Guide v3: Index

  • 1. Frontispiece
  • 2. Introduction
  • 3. The OWASP Testing Framework
  • 4. Web Application Penetration Testing
  • 5. Writing Reports: value the real risk
  • Appendix A: Testing Tools
  • Appendix B: Suggested Reading
  • Appendix C: Fuzz Vectors
  • Appendix D: Encoded Injection

35

Want to support OWASP?

Become a member; an annual donation of:

  • $50 Individual
  • $5000 Corporate

enables the support of OWASP projects, mailing lists, conferences, podcasts, grants and global steering activities…

SLIDE 36

OWASP WEBSCARAB

SLIDE 37

What is WebScarab?

A tool for anyone involved with HTTP-based applications (e.g. web applications)

Key features

  • Full visibility into the HTTP protocol
  • Ability to modify HTTP requests in any way
  • Also supports HTTPS (incl client certs)
  • Persistent audit trail can easily be reviewed

Primary uses

  • Security analysis, Web Application debugging

SLIDE 38

WebScarab Spider

SLIDE 39

Comparing responses

SLIDE 40

Comparing responses

You can also view the changes in a single window, rather than side by side, by pressing Ctrl-L in the compare window. This is a toggle key.

SLIDE 41

Searching history

SLIDE 42

Searching history

  • Search expression is a BeanShell snippet
  • BeanShell is just interpreted Java, with some leniencies
  • Two predefined variables, request and response
  • If the expression returns true, the conversation is shown
  • Exceptions are counted as "false"
  • Very powerful, but not terribly friendly
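The search semantics described above, re-created in Python as an added example (not WebScarab's own BeanShell code): the expression sees request and response, a true result keeps the conversation, and an exception counts as false. The message classes and the proxy history are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    """Minimal HTTP message, constructed for the example."""
    headers: dict = field(default_factory=dict)
    body: str = ""
    status: int = 0   # responses only
    url: str = ""     # requests only

@dataclass
class Conversation:
    request: Message
    response: Message

def search(conversations, expression):
    """Evaluate the analyst's own expression once per conversation with
    `request` and `response` bound, as the WebScarab search tab does.
    A true result keeps the conversation; any exception counts as false.
    The expression is typed by the analyst at the keyboard, never taken from traffic."""
    code = compile(expression, "<search>", "eval")
    hits = []
    for conv in conversations:
        scope = {"request": conv.request, "response": conv.response}
        try:
            if eval(code, {"__builtins__": {}}, scope):
                hits.append(conv)
        except Exception:
            pass   # e.g. a KeyError on a header this response does not carry
    return hits

# Constructed proxy history: three conversations.
HISTORY = [
    Conversation(Message(url="/login"),
                 Message({"Set-Cookie": "ASP.NET_SessionId=abc"}, "<html>welcome", 200)),
    Conversation(Message(url="/account?id=7"),
                 Message({"Content-Type": "text/html"}, "<html>balance", 200)),
    Conversation(Message(url="/admin"),
                 Message({"Content-Type": "text/html"}, "forbidden", 403)),
]
```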

SLIDE 43

What is wrong with WebScarab?

"Plainly put - WebScarab's UI is a disaster!"

– Rogan Dawes, author of WebScarab

SLIDE 44

OWASP WEBSCARAB-NG

SLIDE 45

WebScarab-NG

  • Complete rewrite of WebScarab
  • Platform independent
  • More intuitive and "nice" interface
  • Work in progress…

SLIDE 46

WebScarab-NG

SLIDE 47

So why use the old WebScarab?

Reliability – extensive testing over 6 years

More features

  • Transcoder (An encoder / decoder)
  • Include/Exclude Filters
  • Reverse proxy
  • XSS/CRLF injection tests
  • Session ID Analysis
  • Scripting engine
  • Advanced Search
  • SSL Client certificate support

SLIDE 48

OWASP O2 PLATFORM

SLIDE 49

OWASP O2 Platform

What is O2 Platform? "Open platform for automating application security knowledge and workflows"

SLIDE 50

OWASP O2 Platform

  • Scripting Engine and development environment
  • Black-Box/Browser-automation environment
  • Source Code analysis environment
  • Data Consumption and API Generation
  • Powerful search engine, Graphical Engines, multiple APIs for popular tools/websites and tons of utilities

SLIDE 51

EXERCISES

SLIDE 52

Hacme Bank

.NET application with a lot of vulnerabilities

Hacme Bank™ simulates a "real-world" online banking application

Designed to teach security knowledge

SLIDE 53

Environment setup

  • 1. Download and install UltiDev Cassini
  • 2. Download and unzip Hacme Bank
  • 3. Deploy Hacme Bank and WS
  • 4. Download WebScarab/WebScarab-NG
  • 5. Download and install O2

SLIDE 54

Setting up browser

  • Internet Explorer: Internet Options -> LAN Settings -> Check "Use Proxy…" -> Enter address "localhost" and port 8008
  • Firefox: Firefox menu -> Options -> Advanced -> Network -> Settings -> Manual configuration… -> Proxy server "localhost" with port 8008 -> Check "Use the same…"
  • Chrome: Customize and Control Google Chrome -> Options -> Under the Bonnet -> Change proxy settings… -> LAN Settings -> Check "Use Proxy…" -> Enter address "localhost" and port 8008
  • Opera: Menu -> Settings -> Preferences -> Advanced -> Network -> Proxy Servers -> Check http and https to use localhost with port 8008
  • Safari: Preferences -> Advanced -> Proxies + Change Settings -> Enable Web Proxy and Secure Web Proxy -> Server localhost + port 8008 for both

SLIDE 55

WebScarab

  • Exercise 1: Overview of WebScarab
  • Exercise 2: Proxying bank
  • Exercise 3: Fuzzing
  • Exercise 4: Session ID analysis
  • Exercise 5: XSS
  • Exercise 6: WebScarab-NG

SLIDE 56

O2 Platform exercises

  • 1. Overview of O2
  • 2. Black box testing / test automation
  • 3. Static analysis
  • 4. Coupling with WebScarab
  • 5. XSS PoC Builder
  • 6. Other tools

http://www.o2-ounceopen.com/wiki/Download

SLIDE 57

Useful resources

  • https://www.owasp.org/index.php/Main_Page
  • http://www.o2-platform.com/wiki/Main_Page
  • https://www.owasp.org/images/8/84/OWASP_O2_Platform_-_London_Chapter_-_3rd_Sep_2009.pdf
  • http://www.wired.com/threatlevel/2009/12/facebook-app-data-breach/
  • http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
  • http://www.xssed.com/
  • https://www.owasp.org/index.php/Category:OWASP_Presentations

SLIDE 58

Thank You for Your attention!

daniel@brzozowski.biz
