OWASP Top 10 2013 x CTF Fun and Profit
Slide 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
OWASP Half-Day Event (Hong Kong Chapter)
Anthony LAI, Chapter Leader
Alan HO and Zetta KE, Chapter Researchers
OWASP (Hong Kong Chapter), July 2013
Slide 2
OWASP Standard
Web application security and awareness
Top 10, coding guidelines and tools
Well-known industry standard, established for nearly 10 years.
Good reference for web application developers, security officers, penetration testers, IT security management, compliance officers and auditors.
Slide 3
OWASP Membership and Our Approach
Membership launched
APAC Chapters: 20 USD per year for an individual member (an absolute bargain!)
Corporate members are welcome (5000 USD per year)
We commit to giving 3-4 half-day events per year
From the next seminar, only paid members can join the event.
No bullshit, no sales talk, no starch, practical work and research. :-)
Slide 4
RIP. He passed away in SF before Black Hat (where he was to disclose a hack against a heart pacemaker).
Slide 5
Speaker Profiles
Slide 6
Speaker Biography and Introduction
Alan HO
Worked as an Application Security specialist
Experienced developer
Passionate about Android and web hacking
VXRL security researcher and CTF crew member
SANS GWAPT (Gold Paper) holder
Slide 7
Speaker Biography and Introduction
Zetta KE
PhD student in Information Systems at HKUST
VXRL researcher and CTF MVP (Most Valuable Player)
Passionate about web hacking, crypto and PHP
Leads web hacking and penetration workshops at the Polytechnic University and HKPC with Anthony Lai.
Slide 8
Speaker Biography and Introduction
Anthony LAI
Chapter Leader, OWASP HK Chapter
Founder and Researcher, VXRL
Focus on penetration testing, reverse engineering, malware analysis and incident response.
Passionate about CTF wargames
Spoke at DEFCON 18-20, Black Hat USA 2010, AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012
SANS GWAPT, GREM and GCFA mentor
Slide 9
Agenda
Introduction (10 minutes)
OWASP Top 10 2013 Update (Anthony) (15-20 minutes)
XSS flaws in mobile phone browsers (Alan) (30-40 minutes)
15-minute break
Length Extension Attack (Zetta) (30-40 minutes)
CTF for fun and profit (Anthony) (15-20 minutes)
Slide 10
OWASP Top 10 2013 Update
Anthony LAI, Chapter Leader, OWASP (Hong Kong Chapter)
[email protected]
July 2013
Slide 11
We have got an update this year
Slide 12
OWASP Top 10: 2010 vs 2013
Slide 13
OWASP Top 10: 2010 vs 2013
Slide 14
How to interpret each Top 10 item?
Threat, vulnerability and risk
Slide 15
How to interpret each Top 10 item?
Threat, vulnerability and risk
Slide 16
How to interpret each Top 10 item?
Exposure, vulnerable scenario, fix and references
Slide 17
OWASP Top 10 Details and Follow-up
Left to you to read over
It is a process you must walk through
Identify the top items on the web applications you manage or own.
Implement guidelines and policy with reference to the OWASP standard.
Slide 18
Alan's show time: Mobile Phone Browser XSS (SANS Gold Paper published)
Slide 19
Break Time: 15 minutes
Relax a bit … :)
Slide 20
Zetta's show time: Length Extension Attack (LEA)
Slide 21
CTF (Capture The Flag) for Fun and Profit
Slide 22
What is a CTF game?
You need to get the key for points.
Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hacking and miscellaneous.
Top teams can enter the final round of the contest.
DEFCON, Plaid CTF, Codegate and Secuinside are famous CTFs on the planet, and we join every year.
Slide 23
Why do we enjoy playing?
Challenges are practical
Need your knowledge
Need your skills
Understanding vulnerabilities
Thinking like an attacker
Trains you to handle the proper tools
Slide 24
Our rank? Any rewards?
www.ctftime.org
4th prize in HITCON CTF 2013 (19-20 July, Taipei)
Slide 25
Our world ranking
Slide 26
Sample Question (1)
Please read the following code. How can you solve it?
Slide 27
Sample Question (1)
Please read the following code. How can you solve it?
Slide 28
Question 1
There are a couple of things to note:
We must do the operations in reverse order, since this is the inverse function.
The hex2bin function is only available in PHP >= 5.4.0. We had to resort to the documentation to find the alternative: pack("H*", $str)
Slide 29
Sample Question (2)
How about this? Let us do it together: http://natas14.natas.labs.overthewire.org/
Slide 30
Sample Question (2)
Remember the basics :)
Slide 31
Question (3) – Django RCE Vulnerability
HITCON 2013 Pwn500 question
Django Remote Code Execution (RCE) vulnerability
In Django, a library called Pickle serializes the Django session object into a string, which is placed in a cookie signed with the server's key. The reverse action is called "unpickle".
However, the Pickle library has always trusted the data passed to it, without any validation.
Discovered in 2011.
Slide 32
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/
Slide 33
If the key leaks
We could generate our own cookie and sign it ourselves.
Slide 34
We could even include command execution:
1. Generate and sign a new cookie that carries command execution.
2. Replace the original cookie with our generated one.
Slide 35
Pwned :) (Simply input Guest, type some text in the box and submit)
Slide 36
More than that, we could get the key from the server and change our command to read a file instead ...
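The defensive lesson of slides 31-36 is that a signed cookie only proves who signed it, not that its contents are safe to deserialize: once the key leaks, anyone can sign bytes, and a pickle-based session turns that into code execution. As an added example (not code from the deck or from the Vulnerable-Django project), here is a minimal signed session cookie that serializes with JSON instead of pickle, verifies the HMAC in constant time before parsing, and fails closed, so a forged payload signed with a leaked key still yields only data; the key and session values are constructed for the example. Django itself switched its default session serializer to JSON in version 1.6.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment loads SECRET_KEY
# from configuration and rotates it if it ever leaks.
SECRET_KEY = b"example-secret-key-do-not-use"


def _sign(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the base64-encoded payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def sign_raw_payload(raw: bytes, key: bytes) -> str:
    """Sign arbitrary bytes. Anyone holding the key can do this, which is
    exactly why the loader below must never hand signed bytes to pickle."""
    payload = base64.urlsafe_b64encode(raw)
    sig = base64.urlsafe_b64encode(_sign(payload, key))
    return (payload + b"." + sig).decode("ascii")


def make_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session as JSON (plain data, no object graph) and sign it."""
    return sign_raw_payload(json.dumps(session, sort_keys=True).encode(), key)


def load_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Verify the signature first, then parse the payload as JSON.

    Returns the session dict, or None for a malformed cookie, a missing or
    invalid signature, or a payload that is not a JSON object. A payload
    signed with a leaked key can only ever come back as data from here;
    with pickle, the same bytes would have been executed on load.
    """
    try:
        payload, sig = cookie.encode("ascii").split(b".", 1)
        expected = _sign(payload, key)
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8, bad JSON or no separator
        return None
    return data if isinstance(data, dict) else None
```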
Slide 37
CTF fun and profit
The fun is practising our security "kung fu".
The profit is earning knowledge and building trust and friendship.
Sometimes, we could get a reward :)
Slide 38
Thank you for listening
[email protected]@[email protected]
P.S.: Non-members cannot get the slides for sure; it depends on the willingness of the speakers to share the slides or not.