Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Testing with Kim Carter - Lets Exploit...

Kim Carter
August 26, 2013

Security Testing with Kim Carter - Lets Exploit Injection and XSS

Join Kim Carter in a hands-on insight into security testing. Kim will discuss some of the more common security vulnerabilities being found in today’s software implementations, and will demonstrate ways of testing them. He would like to encourage anyone interested to join him in working through the “hacks” used when doing security testing. To enable participation in this session, he will use an open source security testing toolkit – Kali Linux. Anyone interested in working through the security tests with Kim is welcome to create a Kali Linux USB boot disk (instructions are on their website), and bring it with them on the night, along their own laptop/device.

Kim Carter

August 26, 2013
Tweet

More Decks by Kim Carter

Other Decks in Technology

Transcript

  1. OWASP Top 10 Vulnerabilities Lets exploit Injection and XSS Kim

    Carter – ANZTB Monday 2013-08-26 Meetup
  2. OWASP is coming to Christchurch OWASP Day 2013 https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013 OWASP

    Resources • Top 10 • Cheat Sheets • Tutorials • Guides • Projects, Tools and Code Libraries
  3. Kali Linux • Free and open source (GNU Linux) OS

    • Targets professional security auditors and penetration testers • All tools shipped are free and open source • No profit involved • Many of the over 300 security tools have been provided as free versions that do the same job as the paid for versions Up and Running with Kali Linux
  4. Discuss tools I use very frequently FireFox Add-Ons • Tamper

    Data. Very simple proxy, but very easy to use • Foxy proxy : a real time saver • HackBar • XSS Me • SQL Inject Me Chrome extensions • FoxyProxy • Cookies • Edit this Cookie Burp suite
  5. There are a large number of training apps and intentionally

    vulnerable web apps freely available I've organised three to work through to wet your appetite I'd encourage you to take them further
  6. What is Injection 1.Attacker Injects (generally malicious) code into website.

    2.Change the course of execution on related system/s. Gain information. Privilege escalation. Manipulate / destroy stored data. Destroy system/s. Varieties • Command, SQL, Xpath, Query String • Lots of derivatives of these
  7. Injection Mitigation techniques • Similar techniques to XSS + •

    Avoid accessing external interpreters • Use well structured parameters • Least privilege • OWASP Prevention Cheat Sheets • Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
  8. What is XSS 1.Attacker Injects (generally malicious) code into website.

    2.When victim requests website code, attackers code is executed. Varieties • File Upload • Reflected (non-persistent) • Stored • Lots of derivatives of these
  9. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Reflected XSS Handy

    Links: URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp ASCII: http://asciitable.com XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  10. XSS Mitigation techniques • Constrain all input fields to well

    structured data • White-lists for each type of structured data • Sanitise • OWASP Prevention Cheat Sheets • Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XS S)
  11. Deliberate Insecure Targets and Training Platforms that I've screened. •

    Hacking Lab: https://www.hacking-lab.com/ • Nebula: http://exploit-exercises.com/ • gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from web • Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/ - VMware and Virtual Box versions. Looks like quite a bit of documentation. Actively maintained. - Vulnerable targets: WebGoat Gruyere Damn Vulnerable Web App. http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken
  12. Deliberate Insecure Targets and Training Platforms that I've screened. w3af

    test website: https://github.com/andresriancho/w3af-moth VMware image http://www.bonsai-sec.com/en/research/moth.php Various other unmaintained websites • Dam Vulnerable Web Application (DVWA) http://dvwa.co.uk/ Not sure where the documentation is? Maybe embedded in the download? • Acunetix 1: http://testphp.vulnweb.com/ These three are online. • Acunetix 2: http://testasp.vulnweb.com/ • Acunetix 3: http://testaspnet.vulnweb.com/ • Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibe rately-vulnerable-php-owasp-top-10 Easy to follow. Geared towards Classroom Environment.
  13. Deliberate Insecure Targets and Training Platforms that I've screened. •

    WebGoat -Platform: J2EE web application -Install: Self contained Tomcat server you can run from a directory under Windows or Linux -Notes: Love the fact it's so self contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation a production network with little worries. -Howto's: http://webappsecmovies.sourceforge.net/webgoat/ -Setting up on non localhost: https://code.google.com/p/webgoat/wiki/FAQ OWASP Broken Web Applications project: -https://code.google.com/p/owaspbwa/wiki/UserGuide This has a great selection of training apps along with intentionally vulnerable apps. -It contains a lot of the apps already discussed.