TOP 10 WEB APPLICATION SECURITY

HAZARDS{ PART - 2 }

@   by Abhinav Sejpal

Null - Humla Session

FLIPKART - BANGALORE

       WHO AM I

I' m Next-Gen Exploratory Testy 

Student of Information Security field

Researcher & Reader in free time

Member of

Crowd Tester (AKA. Bug bounty Hunter)  

Proficient at Functional, Usability , Accessibility & Compatibility Testing

Love to develop nasty code  & Hack it :)

Works as Quality Analyst at

AKA. Bug Wrangler

Null Open Security Co mmunity

passbrains.com

DISCLAIMER

This presentation is intended for educational purpose only and I cannot be held liable for

any kind of damages done, whatsoever to your machine, or any other damages.  Don't try this attack on any other system without having context knowledge or permission,

this may harm someone directly or indirectly.

Feel free to use this presentation for practice or education purpose.

^ I hope - You gotcha ^

AGENDA

No Revision of Part - 1 Understand New Attacks Self exploratory exercise Learn + Hack   Q  &  A

   FOR SOCIAL MEDIA Twitter handle 

 @  @ null0x00 Abhinav_Sejpal

Hashtag for this session

     # # Nullhumla nullblr

HUMLA

MEANS 'ATTACK' IN HINDI

                        

 

   

OBJECTIVES FOR THIS SESSION

BUILD SECURITY AWARENESS FOR WEBAPPLICATIONLEARN WAY TO DISCOVER SECURITYVULNERABILITIESLEARN BASIC OF SECURE WEB APPLICATION VIAOWASP TOP 10

LET'S BEGIN OUR JOURNEY OF 

TOP 10 WEB APPLICATION SECURITYHAZARDS

 * We won't talk about Injection & XSS *

for:

Setup the Test Lab

Install XAMPP

AcronymX (to be read as "cross", meaning )cross-platformApache HTTP ServerMySQLPHPPerl

TARGETED APPLICATION

Client Side language : HTML & Javascript Server side Language: PHP

DB : MYSQL 

Why PHP ?  - Any answer Here?

Why MySQL?  MySQL is  Girlfriend of PHP <3 

PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE

PROGRAMMING LANGUAGE.

http://w3techs.com/technologies/overview/programming_language/all

PHP: 244M SITES

2.1M IP ADDRESSES

2013 Server-side Programming Language of the Year

Don't Mind Power of PHP > Facebook & yahoo 

http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

It's a free, open source web application provided to allowsecurity enthusiast to pen-test and hack a web application.

V.2X developed by  aka

PLAY GROUND

 MUTILLIDAE

Jeremy Druin webpwnized.

ALL SET WITH MULTILLIDAE ?

AM I VULNERABLE TO 'CSRF' ?

OWASP A8 - CSRF

CROSS-SITE REQUEST FORGERY

CSRF ATTACK CYCLE

CSRF AKA. XSRF

  THE ATTACKER EXPLOITS THE TRUST A WEBSITE

HAS AGAINST A USER’S BROWSER.

 Permission faking\stealing Disruption of the normal sequence of the site

DEMO #1Login ID - admin

password - adminpass

HTTP GET Request

http://127.0.0.1/xampp/mutillidae/index.php?do=logout

<a href= >

: ANSWER  DEMO 1:

<html>

<title> CSRF Demo 1 </title>

http://127.0.0.1/xampp/mutillidae/index.php?do=logout

Click me </a>

</html>

UNDERSTANDING

Logout page was a simple HTTP GET that required noconfirmation

Every user who visited that page would immediately belogged out - that's CSRF in action.

Yes it's not dangerous but annoying

SO WHAT DO YOU THINK,IT'S ALL ABOUT CLICK ?

ssh, No!!

Would you like to write CSRF exploit without click ??

IMAGE TAG

<img style="display:none;" src="your Request">

  Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request

Can we try Demo 1 with Image tag ?

<img src= >

CSRF GET Request with Image Tag

<html>

<title> CSRF Demo 1 </title>

http://127.0.0.1/xampp/mutillidae/index.php?do=logout

</html>

THE NATURE OF BROWSERS IS TO SEND HTTP REQUESTS TO VISUAL OBJECTS SUCH AS PICTURE OR REMOTE FILES (CSS, JS,

ETC.) EVEN WHILE LOADING THE PAGE WITHOUT THE USER'S PERMISSIONS.

Iframe tag

<iframe src="your Request"></iframe>

Java Script code

                 <script> var X= new Image();                                                X.src = "URL";                </script>

                        Can we try Demo 1 with Iframe & JS ?

HTTP REQUEST

<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?

do=logout"></iframe>

           <script> var X= new Image();                                                X.src= "

http://127.0.0.1/xampp/mutillidae/index.php?do=logout";                

</script>

CHALLENGE  #1

:: SOLUTION #1 :: <html>

<title> CSRF Demo 1 </title>

<a href = http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-

token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote>

Click me </a>

</html>

CHALLENGE  #2

{ Post HTTP Request }

: Solution Available :

http://127.0.0.1/xampp/CSRF Attack/Add New Blog Entry -CSRF POST.html

DOES IT EASY TO CREATE CSRF HTTP REQUEST ?

No - you should try out  

~   ~CSRF Finder Firefox add-on

* One Click POC *

* Hybrid automation *

Thank you -  Piyush Pattanayak

CSRF FINDER DEMO

LIVE CHALLENGE

* SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE

PASSWORD TEST

CSRF & XSRFUpdate the user info. without their knowledge

http://testphp.vulnweb.com/userinfo.php

Copyright © 2014, Acunetix Ltd

Copyright © 2014, Acunetix Ltd

You've been CSRF'd with static token! 

Can we exploit this with Level #2 ?

POPULAR COOL FINDINGS

by Amol Facebook CSRF worth USD 5000

GOOGLE GROUPS PROFILE CSRFGoogle Account display pic deletion

Facebook Account deactivation

Advance Leanings -  CSRF Token Validation Fail

http://haiderm.com/csrf-token-protection-bypass-methods/

 

Am I Vulnerable To 'Broken Authentication   &

Session Management'?

A2 - OWASP TOP 10

LETS' BYPASS THE MUTILLIDAE 

Can we do it  ?

Part -1 Learning with SQL Injection

APPLY BRUTE FORCE ATTACK/xampp/mutillidae/index.php?page=login.php

Account Lock Policy & Captcha missing :P

IN-SECURED SESSION-ID

Cookies Flag HTTP ONLY 

Secure flag would be complimentary

XSS SESSION HIJACKING 

PHPSESSID=0ebmp37g8v8stqsjpf1ln40c20

JSESSIONID ASP Session.SessionID

Let's Try out Part 1 learning and exploit   the session

So, Let's Learn about Web App DB structure

Passwords are stored in plain text.

oh really  -- ':(

OWASP #A6

Password is protected, when stored using encryption

algorithm.   Are you sure? 

http://www.md5online.org/

YOU MAY ALSO TRY OUT HASH BUT PASSWORD SALT IS A

RECOMMENDED SOLUTION SO FAR.

P ASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAKER. -- * --

SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORD. 

CHANGE PASSWORD DOESN'T ASK FOR CURRENT PASSWORD - LOL 

Robots.txt 

All Sensitive data expose

TAKE AWAY 

AVOIDING INSECURE DIRECT OBJECT REFERENCES

OWASP #A4  

 URLS' PATTERN

Demo  #1

Tamper the ID parameter

http://127.0.0.1/xampp/sqli/secondorder_changepass.php

ENUMERATION USING PARAMETERLIVE

https://profile.utest.com/ 67797

https://profile.utest.com/200 -- N

https://99tests.com/testers/

3298

Secret PHP Server Configuration Page

http://127.0.0.1/xampp/mutillidae/index.php?page=phpinfo.php

MISSING FUNCTION LEVEL ACCESS CONTROL

OWASP #A7

CONCEPT

LIVEHTTP://STEPINFORUM.ORG/MAILERS2014/

http://demo.testfire.net/pr/

OWASP #A9

USING KNOWN VULNERABLECOMPONENTS

Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-

Libraries.pdf

COOL WORDPRESS PROJECTS

Code Vigilant

Latest buzzing known vulnerabilities

#Heartbleed

# BashBug

Can you verify that -  your website SSL  Cert isn't vulnerableto Heart bleed attack?

Google - SSL Heart bleed Fix verification script

https://lastpass.com/heartbleed/

HISTORY ATTACK !!!

A6 – Sensitive Data Exposure

SECURITYMISCONFIGURATION

OWASP -#A5

CLICK JACKING

Code: – <iframe src= http://www.testingcircus.com></iframe>

Live Demo: – http://goo.gl/6gEq2I Click jacking Testing tool: – http://goo.gl/27VgQb

     IF YOU ARE PLANNING TO HOST YOUR OWN

SERVER 

this talk matters for you 

"SECURING A LINUX WEB SERVER IN 10 STEP S"

BY   A KASH MAHAJAN 

https://www.youtube.com/watch?v=ort9qxzu3h0

ELMAH.AXD ERROR LOGS  GOOGLE SEARCH

https://www.owasp.org/index.php/Top_10_2013- A10-Unvalidated_Redirects_and_Forwards

Vulnerable  Redirection

http://127.0.0.1/xampp/mutillidae/index.php?page=redirectandlog.php&

forwardurl=http://www.owasp.org

I don't think so, i need to explain you what you can do here:D

Would like to do more practice ? Here is your Playground

Copyright © 2014, IBM Corporation

http://demo.testfire.net/

YES - I'M DONE!

Feel free to write me at bug.wrangler at outlook.com

WE NEED YOU!

Attend Null Meets-up & give presentations.Share your ideas & leanings.Talk to our community champions & gain from leanings. Your feedback helps us to build a good community.Looking forward to your ongoing support.

HTTP://NULL.CO.IN/Say 'Hello' @null0x00

- Twitter Folks -

  @ , @ ,   @

 #Nullblr Leads & Champions

Big thank you to @ ,@   & you All.

CREDITS

TroyHunt yog3sharma @ Lavakumark HaiderMQ

null0x00 ru94mb

INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU

SHOULD BE FOLLOWING IN TWITTER

Thank-you http://garage4hackers.com/ community

THANK YOU! 

KEEP THE SECURITY ANTE UP.

https://slides.com/abhinavsejpal/top-10-web-application-security-hazards--2

LICENSE AND COPYRIGHTS

Copyrights 2013-2014 Abhinav Sejpal

-----

  ( CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

 Dedicated to my lovely daddy