Security Testing with Kim Carter - Lets Exploit Injection and XSS

Transcript

1. OWASP Top 10 Vulnerabilities Lets exploit Injection and XSS Kim

   Carter – ANZTB Monday 2013-08-26 Meetup

2. OWASP is coming to Christchurch OWASP Day 2013 https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013 OWASP

   Resources • Top 10 • Cheat Sheets • Tutorials • Guides • Projects, Tools and Code Libraries

3. Most common security vulnerabilities found in web apps in 2013

4. Kali Linux • Free and open source (GNU Linux) OS

   • Targets professional security auditors and penetration testers • All tools shipped are free and open source • No profit involved • Many of the over 300 security tools have been provided as free versions that do the same job as the paid for versions Up and Running with Kali Linux

5. Discuss tools I use very frequently FireFox Add-Ons • Tamper

   Data. Very simple proxy, but very easy to use • Foxy proxy : a real time saver • HackBar • XSS Me • SQL Inject Me Chrome extensions • FoxyProxy • Cookies • Edit this Cookie Burp suite

6. There are a large number of training apps and intentionally

   vulnerable web apps freely available I've organised three to work through to wet your appetite I'd encourage you to take them further

7. What is Injection 1.Attacker Injects (generally malicious) code into website.

   2.Change the course of execution on related system/s. Gain information. Privilege escalation. Manipulate / destroy stored data. Destroy system/s. Varieties • Command, SQL, Xpath, Query String • Lots of derivatives of these

8. Workshop WebGoat Start here: http://owaspbwa/WebGoat/attack Injection Command Injection

9. Workshop DVWA Start here: http://owaspbwa/dvwa Injection SQL String Injection

10. Injection Mitigation techniques • Similar techniques to XSS + •

    Avoid accessing external interpreters • Use well structured parameters • Least privilege • OWASP Prevention Cheat Sheets • Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection

11. What is XSS 1.Attacker Injects (generally malicious) code into website.

    2.When victim requests website code, attackers code is executed. Varieties • File Upload • Reflected (non-persistent) • Stored • Lots of derivatives of these

12. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 File Upload XSS

13. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Reflected XSS Handy

    Links: URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp ASCII: http://asciitable.com XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

14. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS

15. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS via

    HTML Attribute

16. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS via

    AJAX

17. When the user clicks refresh button, response looks like In

    the mark-up the snippet looks like:

18. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Reflected XSS via

    AJAX

19. XSS Mitigation techniques • Constrain all input fields to well

    structured data • White-lists for each type of structured data • Sanitise • OWASP Prevention Cheat Sheets • Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XS S)
20. None

21. Extra Resources Sanitising User Input http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-p art-1/ http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-p art-2/ Write-up

    on Kali Linux http://pentestmag.com/ Tool junky? Check out this collection http://www.softwareqatest.com/qatweb1.html

22. Deliberate Insecure Targets and Training Platforms that I've screened. •

    Hacking Lab: https://www.hacking-lab.com/ • Nebula: http://exploit-exercises.com/ • gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from web • Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/ - VMware and Virtual Box versions. Looks like quite a bit of documentation. Actively maintained. - Vulnerable targets: WebGoat Gruyere Damn Vulnerable Web App. http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken

23. Deliberate Insecure Targets and Training Platforms that I've screened. w3af

    test website: https://github.com/andresriancho/w3af-moth VMware image http://www.bonsai-sec.com/en/research/moth.php Various other unmaintained websites • Dam Vulnerable Web Application (DVWA) http://dvwa.co.uk/ Not sure where the documentation is? Maybe embedded in the download? • Acunetix 1: http://testphp.vulnweb.com/ These three are online. • Acunetix 2: http://testasp.vulnweb.com/ • Acunetix 3: http://testaspnet.vulnweb.com/ • Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibe rately-vulnerable-php-owasp-top-10 Easy to follow. Geared towards Classroom Environment.

24. Deliberate Insecure Targets and Training Platforms that I've screened. •

    WebGoat -Platform: J2EE web application -Install: Self contained Tomcat server you can run from a directory under Windows or Linux -Notes: Love the fact it's so self contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation a production network with little worries. -Howto's: http://webappsecmovies.sourceforge.net/webgoat/ -Setting up on non localhost: https://code.google.com/p/webgoat/wiki/FAQ OWASP Broken Web Applications project: -https://code.google.com/p/owaspbwa/wiki/UserGuide This has a great selection of training apps along with intentionally vulnerable apps. -It contains a lot of the apps already discussed.