owasp top 10 2013 x ctf fun and profit
TRANSCRIPT
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Half-Day Event (Hong Kong Chapter)
Anthony LAIChapter Leader
{Alan HO, Zetta KE}Chapter Researcher
OWASP (Hong Kong Chapter)July 2013
2OWASP
OWASP Standard
Web application security and awarenessTop 10, coding guidelines and toolsWell-known industry standard set up for nearly
10 years.Good reference for web application developer,
security officer, penetration tester, IT security management, compliance officer and auditor.
3OWASP
OWASP Membership and Our Approach
Membership launchedAPAC Chapters 20 USD per year for individual
member (抵到爛 !)Corporate member is welcomed (5000 USD per
year)We commit to give 3-4 half-day events per yearFrom next seminar, only paid member could join
the event.No bullshit, no sales talk, no starch, practical
work and research. :-)
4OWASP
RIP. He passed away in SF before Blackhat (disclosing hack against heart pacemaker)
5OWASP
Speaker Profiles
6OWASP
Speaker Biography and Introduction
Alan HOWorked as Application Security specialistExperienced developerPassionate over Android and Web hackingVXRL security researcher and CTF crew member SANS GWAPT (Gold paper) holder
7OWASP
Speaker Biography and Introduction
Zetta KEPhD Student in Information System in HKUSTVXRL Researcher and CTF MVP (Most Valuable Player)Passionate over Web hack, Crypto and PHPLeading web hack and penetration workshops in
Polytechnic university and HKPC with Anthony Lai.
8OWASP
Speaker Biography and Introduction
Anthony LAIChapter Leader, OWASP HK ChapterFounder and Researcher, VXRLFocus on penetration test, reverse engineering,
malware analysis and incident response.Passionate over CTF wargameSpeaking at DEFCON 18-20, Blackhat USA 2010,
AVTokyo 2011-2012, HITCON 2010-2011, Codegate 2012 and HTCIA APAC Conference 2012
SANS GWAPT, GREM and GCFA mentor
9OWASP
Agenda
Introduction (10 minutes)
OWASP Top 10 2013 Update (Anthony) (15-20 minutes)
XSS flaws in mobile phone browser (Alan) (30-40 minutes)
15 minutes breakLength Extension Attack (Zetta)
30-40 minutes
CTF for fun and profit (Anthony)15 - 20 minutes
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Top 10 2013 Update
Anthony LAIChapter LeaderOWASP (Hong Kong Chapter)[email protected]<phone>
July 2013
11OWASP
We have got an update this year
12OWASP
OWASP Top 10: 2010 Vs 2013
13OWASP
OWASP Top 10: 2010 Vs 2013
14OWASP
How to interpret each Top 10 item?
Threat, vulnerability and risk
15OWASP
How to interpret each Top 10 item?
Threat, vulnerability and risk
16OWASP
How to interpret each Top 10 item?
Exposure, vulnerable scenario, fix and references
17OWASP
OWASP Top 10 Details and follow up
Left to you to read overIt is a process you must walk throughIdentify the top items on your managed or
owned web applications.Implement guidelines and policy with reference
to OWASP standard.
18OWASP
Alan's show time: Mobile Phone's Browser XSS (SANS gold paper published)
19OWASP
Break Time: 15 minutes
Relax a bit … :)
20OWASP
Zetta's show time: Length Extension Attack (LEA)
21OWASP
CTF (Capture The Flag for Fun and Profit)
22OWASP
What is CTF game?
You need to get the key for pointsChallenges include crypto, network, forensics,
binary/reverse engineering/exploitation, web hack and miscellaneous.
Top teams could enter final round of contestDEFCON, Plaid CTF, Codegate, Secuinside are
famous CTFs in the planet and we join every year.
23OWASP
Why do we enjoy to play?
Challenges are practicalNeed your knowledgeNeed your skillsUnderstanding vulnerabilitiesThinking like an attackerTrain you up to manipulate proper tools
24OWASP
Our rank? Any rewards?
Www.ctftime.org4th prize in HITCON CTF 2013 (19-20 July,
Taipei)
25OWASP
Our world ranking
26OWASP
Sample Question (1)
Please read the following code, how can you solve it?
27OWASP
Sample Question (1)
Please read the following code, how can you solve it?
28OWASP
Question 1
There are a couple of things to note:
We must do the operations in reverse order since this is the inverse function.
The hex2bin function is only available in PHP >= 5.4.0. Had to resort to the documentation to find the alternative: pack ("H*", $str)
29OWASP
Sample Question (2)
How about this? Let us do it together:http://natas14.natas.labs.overthewire.org/
30OWASP
Sample Question (2)
Remember the basic :)
31OWASP
Question (3) – Django RCE Vulnerability
HITCON 2013 Pwn500 question
Django Remote Code Execution (RCE) vulnerability
In Django, there is a library called Pickle to serialize the Django object into a string and put cookie is signed with key. The reverse action is called “Unpickle”.
However, “Pickle” library has always trusted the data which is passed in without validation
Discovered in Y2011.
32OWASP
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/
33OWASP
If the key leaks
We could generate our own cookie and sign it over.
34OWASP
We even could include command execution1. Generate and sign the new cookie with command execution
2. Replace the original cookie with our generated one.
35OWASP
Pwned :) (Simply input Guest, type in some text in box and submit)
36OWASP
More than that, we could get the key from the server to change our command to read file instead ...
37OWASP
CTF fun and profit
The fun is to practice our security and “kungfu”
The profit is to earning knowledge, building trust and friendship.
Sometimes, we could get reward :)
38OWASP
Thank you for your listening
[email protected]@[email protected]
P.S: Non-members cannot get the slide for sure, it depends on the willingness of speakers to share the slide or not