Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Half-Day Event (Hong Kong Chapter)

Anthony LAIChapter Leader

{Alan HO, Zetta KE}Chapter Researcher

OWASP (Hong Kong Chapter)July 2013

2OWASP

OWASP Standard

Web application security and awarenessTop 10, coding guidelines and toolsWell-known industry standard set up for nearly

10 years.Good reference for web application developer,

security officer, penetration tester, IT security management, compliance officer and auditor.

3OWASP

OWASP Membership and Our Approach

Membership launchedAPAC Chapters 20 USD per year for individual

member (抵到爛 !)Corporate member is welcomed (5000 USD per

year)We commit to give 3-4 half-day events per yearFrom next seminar, only paid member could join

the event.No bullshit, no sales talk, no starch, practical

work and research. :-)

4OWASP

RIP. He passed away in SF before Blackhat (disclosing hack against heart pacemaker)

5OWASP

Speaker Profiles

6OWASP

Speaker Biography and Introduction

Alan HOWorked as Application Security specialistExperienced developerPassionate over Android and Web hackingVXRL security researcher and CTF crew member SANS GWAPT (Gold paper) holder

7OWASP

Speaker Biography and Introduction

Zetta KEPhD Student in Information System in HKUSTVXRL Researcher and CTF MVP (Most Valuable Player)Passionate over Web hack, Crypto and PHPLeading web hack and penetration workshops in

Polytechnic university and HKPC with Anthony Lai.

8OWASP

Speaker Biography and Introduction

Anthony LAIChapter Leader, OWASP HK ChapterFounder and Researcher, VXRLFocus on penetration test, reverse engineering,

malware analysis and incident response.Passionate over CTF wargameSpeaking at DEFCON 18-20, Blackhat USA 2010,

AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012

SANS GWAPT, GREM and GCFA mentor

9OWASP

Agenda

Introduction (10 minutes)

OWASP Top 10 2013 Update (Anthony) (15-20 minutes)

XSS flaws in mobile phone browser (Alan) (30-40 minutes)

15 minutes breakLength Extension Attack (Zetta)

30-40 minutes

CTF for fun and profit (Anthony)15 - 20 minutes

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Top 10 2013 Update

Anthony LAIChapter LeaderOWASP (Hong Kong Chapter)anthonylai@owasp.org<phone>

July 2013

11OWASP

We have got an update this year

12OWASP

OWASP Top 10: 2010 Vs 2013

13OWASP

OWASP Top 10: 2010 Vs 2013

14OWASP

How to interpret each Top 10 item?

Threat, vulnerability and risk

15OWASP

How to interpret each Top 10 item?

Threat, vulnerability and risk

16OWASP

How to interpret each Top 10 item?

Exposure, vulnerable scenario, fix and references

17OWASP

OWASP Top 10 Details and follow up

Left to you to read overIt is a process you must walk throughIdentify the top items on your managed or

owned web applications.Implement guidelines and policy with reference

to OWASP standard.

18OWASP

Alan's show time: Mobile Phone's Browser XSS (SANS gold paper published)

19OWASP

Break Time: 15 minutes

Relax a bit … :)

20OWASP

Zetta's show time: Length Extension Attack (LEA)

21OWASP

CTF (Capture The Flag for Fun and Profit)

22OWASP

What is CTF game?

You need to get the key for pointsChallenges include crypto, network, forensics,

binary/reverse engineering/exploitation, web hack and miscellaneous.

Top teams could enter final round of contestDEFCON, Plaid CTF, Codegate, Secuinside are

famous CTFs in the planet and we join every year.

23OWASP

Why do we enjoy to play?

Challenges are practicalNeed your knowledgeNeed your skillsUnderstanding vulnerabilitiesThinking like an attackerTrain you up to manipulate proper tools

24OWASP

Our rank? Any rewards?

Www.ctftime.org4th prize in HITCON CTF 2013 (19-20 July,

Taipei)

25OWASP

Our world ranking

26OWASP

Sample Question (1)

Please read the following code, how can you solve it?

27OWASP

Sample Question (1)

Please read the following code, how can you solve it?

28OWASP

Question 1

There are a couple of things to note:

We must do the operations in reverse order since this is the inverse function.

The hex2bin function is only available in PHP >= 5.4.0. Had to resort to the documentation to find the alternative: pack ("H*", $str)

29OWASP

Sample Question (2)

How about this? Let us do it together:http://natas14.natas.labs.overthewire.org/

30OWASP

Sample Question (2)

Remember the basic :)

31OWASP

Question (3) – Django RCE Vulnerability

HITCON 2013 Pwn500 question

Django Remote Code Execution (RCE) vulnerability

In Django, there is a library called Pickle to serialize the Django object into a string and put cookie is signed with key. The reverse action is called “Unpickle”.

However, “Pickle” library has always trusted the data which is passed in without validation

Discovered in Y2011.

32OWASP

A Vulnerable Django

https://github.com/OrangeTW/Vulnerable-Django/

33OWASP

If the key leaks

We could generate our own cookie and sign it over.

34OWASP

We even could include command execution1. Generate and sign the new cookie with command execution

2. Replace the original cookie with our generated one.

35OWASP

Pwned :) (Simply input Guest, type in some text in box and submit)

36OWASP

More than that, we could get the key from the server to change our command to read file instead ...

37OWASP

CTF fun and profit

The fun is to practice our security and “kungfu”

The profit is to earning knowledge, building trust and friendship.

Sometimes, we could get reward :)

38OWASP

Thank you for your listening

anthonylai@owasp.orgalanh0@vxrl.orgOzetta@vxrl.org

P.S: Non-members cannot get the slide for sure, it depends on the willingness of speakers to share the slide or not