Slide 1

OWASP Top 10 Vulnerabilities
Let's exploit Injection and XSS
Kim Carter – ANZTB Monday 2013-08-26 Meetup

Slide 2

OWASP is coming to Christchurch
OWASP Day 2013: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013

OWASP Resources
● Top 10
● Cheat Sheets
● Tutorials
● Guides
● Projects, Tools and Code Libraries

Slide 3

Most common security vulnerabilities found in web apps in 2013

Slide 4

Kali Linux
● Free and open source (GNU Linux) OS
● Targets professional security auditors and penetration testers
● All tools shipped are free and open source
● No profit involved
● Many of the over 300 security tools have been provided as free versions that do the same job as the paid-for versions
Up and Running with Kali Linux

Slide 5

Discuss tools I use very frequently
Firefox Add-Ons
● Tamper Data: very simple proxy, but very easy to use
● FoxyProxy: a real time saver
● HackBar
● XSS Me
● SQL Inject Me
Chrome extensions
● FoxyProxy
● Cookies
● Edit this Cookie
Burp Suite

Slide 6

There are a large number of training apps and intentionally vulnerable web apps freely available. I've organised three to work through to whet your appetite; I'd encourage you to take them further.

Slide 7

What is Injection
1. Attacker injects (generally malicious) code into a website.
2. Change the course of execution on related system/s: gain information, privilege escalation, manipulate / destroy stored data, destroy system/s.
Varieties
● Command, SQL, XPath, Query String
● Lots of derivatives of these

Slide 8

Workshop: WebGoat
Start here: http://owaspbwa/WebGoat/attack
Injection: Command Injection

Slide 9

Workshop: DVWA
Start here: http://owaspbwa/dvwa
Injection: SQL String Injection

Slide 10

Injection Mitigation techniques
● Similar techniques to XSS, plus:
● Avoid accessing external interpreters
● Use well structured parameters
● Least privilege
● OWASP Prevention Cheat Sheets
● Break it!
Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
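The two mitigation points above that belong in code, "use well structured parameters" and constraining input to a known structure, look like this in practice. This is an added example written for these notes, not code from the slides, from DVWA or from WebGoat: an in-memory SQLite table of constructed sample users, a lookup that builds the SQL text by string concatenation (the DVWA-style "before"), and the same lookup with the user id bound as a parameter, plus a whitelist check that rejects anything that is not a plain numeric id before it reaches the database.

```python
"""Added example: SQL string injection versus a parameterised query.

Runs against an in-memory SQLite table of constructed sample users
(no real application data). The 'vulnerable' function mirrors string
concatenation of user input into SQL; the 'parameterised' one binds
the input as data so it can never change the shape of the statement.
"""
import sqlite3

# Constructed sample rows for the demonstration only.
SAMPLE_USERS = [
    (1, "admin", "Admin", "User"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337", "Hack", "Me"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users "
        "(user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """'Before': the input is concatenated straight into the SQL text, so a
    quote character in the input ends the literal and the rest of the input
    becomes part of the WHERE clause."""
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    """'After': the statement structure is fixed at '?' and the driver binds
    the input as a value. Quotes in the input are just characters."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def is_well_structured_id(user_id: str) -> bool:
    """Whitelist for this field: one to ten ASCII digits and nothing else.
    Checked before the value is used anywhere, in addition to binding."""
    return user_id.isascii() and user_id.isdigit() and len(user_id) <= 10


if __name__ == "__main__":
    db = make_db()
    benign = "2"
    tautology = "' OR '1'='1"      # classic string-injection test input
    print("vulnerable, benign:      ", lookup_vulnerable(db, benign))
    print("vulnerable, tautology:   ", lookup_vulnerable(db, tautology))
    print("parameterised, tautology:", lookup_parameterised(db, tautology))
    print("well structured?", is_well_structured_id(benign),
          is_well_structured_id(tautology))
```

With the concatenated query the tautology input returns every row in the table, because the WHERE clause has become `user_id = '' OR '1'='1'`; with the bound parameter the same input matches nothing, because it is compared as an ordinary string value. The whitelist check is the layer that turns the bad input into a rejected request (and a log line worth alerting on) instead of letting the database see it at all.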

Slide 11

What is XSS
1. Attacker injects (generally malicious) code into a website.
2. When the victim requests the website code, the attacker's code is executed.
Varieties
● File Upload
● Reflected (non-persistent)
● Stored
● Lots of derivatives of these

Slide 12

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
File Upload XSS

Slide 13

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS
Handy Links:
● URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp
● ASCII: http://asciitable.com
● XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Slide 14

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS

Slide 15

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via HTML Attribute

Slide 16

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via AJAX

Slide 17

When the user clicks the refresh button, the response looks like:
In the mark-up the snippet looks like:

Slide 18

Workshop: Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS via AJAX

Slide 19

XSS Mitigation techniques
● Constrain all input fields to well structured data
● White-lists for each type of structured data
● Sanitise
● OWASP Prevention Cheat Sheets
● Break it!
Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
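The three XSS variants worked through in Gruyere above (stored XSS in a text node, stored XSS via an HTML attribute, and stored or reflected XSS via an AJAX response) each correspond to an output context, and the mitigations on this slide map onto them directly. Below is an added example written for these notes, not code from the slides or from Gruyere, using only the Python standard library: a whitelist validator for one kind of structured field (a display name, the pattern is an assumption for the example), a renderer that encodes untrusted values for both the text-node and the attribute context, and a JSON encoder for an AJAX response that keeps angle brackets out of the wire format. The input strings are constructed for the demonstration.

```python
"""Added example: whitelist validation plus context-aware output encoding,
the two XSS mitigations that live in application code.

Standard library only. The display-name pattern and the comment mark-up
are assumptions made for this example, not from any real application.
"""
import html
import json
import re

# Whitelist for one structured field (assumed shape): letters, digits,
# spaces, dots and hyphens, 1 to 40 characters. Everything else is rejected.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,40}$")


def validate_display_name(value: str) -> bool:
    """Return True only if the value matches the whitelist exactly."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_comment_html(author: str, body: str) -> str:
    """Render untrusted values into two HTML contexts: a quoted attribute
    (data-author) and a text node (<p>). html.escape with quote=True
    encodes & < > " and ', so a value can neither open a tag in the text
    context nor close the attribute it sits in."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return (
        '<div class="comment" data-author="' + safe_author + '">'
        "<p>" + safe_body + "</p>"
        "</div>"
    )


def render_for_ajax(author: str, body: str) -> str:
    """Encode an AJAX response as JSON and additionally replace < and >
    with \\u escapes, so the bytes cannot terminate a surrounding
    <script> block if the JSON is ever inlined into a page. The browser
    side must still insert these values as text (textContent), never as
    innerHTML."""
    text = json.dumps({"author": author, "body": body})
    return text.replace("<", "\\u003c").replace(">", "\\u003e")


def decode_ajax(payload: str) -> dict:
    """Parse the response back; the \\u escapes round-trip losslessly."""
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed inputs: a quote character and a script tag.
    author = 'Kim " Carter'
    body = "<script>alert(1)</script>"
    print("whitelist accepts author?", validate_display_name(author))
    print(render_comment_html(author, body))
    print(render_for_ajax(author, body))
```

Run as a script it shows the attribute value becoming `Kim &quot; Carter`, the body becoming `&lt;script&gt;alert(1)&lt;/script&gt;`, and the JSON carrying `\u003cscript\u003e` instead of a literal tag. The design point is that validation and encoding are separate layers: the whitelist rejects a display name containing a quote before it is stored, while the encoder assumes nothing about what was stored and makes every value inert for the specific context it is written into.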


Slide 21

Extra Resources
Sanitising User Input:
● http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/
● http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/
Write-up on Kali Linux: http://pentestmag.com/
Tool junkie? Check out this collection: http://www.softwareqatest.com/qatweb1.html

Slide 22

Deliberate Insecure Targets and Training Platforms that I've screened.
● Hacking Lab: https://www.hacking-lab.com/
● Nebula: http://exploit-exercises.com/
● Gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from the web
● Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
  - VMware and VirtualBox versions. Looks like quite a bit of documentation. Actively maintained.
  - Vulnerable targets: WebGoat, Gruyere, Damn Vulnerable Web App.
  - http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken

Slide 23

Deliberate Insecure Targets and Training Platforms that I've screened.
● w3af test website: https://github.com/andresriancho/w3af-moth
  - VMware image: http://www.bonsai-sec.com/en/research/moth.php
Various other unmaintained websites
● Damn Vulnerable Web Application (DVWA): http://dvwa.co.uk/ Not sure where the documentation is? Maybe embedded in the download?
● Acunetix 1: http://testphp.vulnweb.com/
● Acunetix 2: http://testasp.vulnweb.com/
● Acunetix 3: http://testaspnet.vulnweb.com/ (these three are online)
● Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Easy to follow. Geared towards a classroom environment.

Slide 24

Deliberate Insecure Targets and Training Platforms that I've screened.
● WebGoat
  - Platform: J2EE web application
  - Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
  - Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation on a production network with few worries.
  - How-tos: http://webappsecmovies.sourceforge.net/webgoat/
  - Setting up on non-localhost: https://code.google.com/p/webgoat/wiki/FAQ
● OWASP Broken Web Applications project: https://code.google.com/p/owaspbwa/wiki/UserGuide
  - This has a great selection of training apps along with intentionally vulnerable apps.
  - It contains a lot of the apps already discussed.