Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP Top 10, Owasp Lagos

ShehuAwwal
September 15, 2017
Programming
1
110

OWASP Top 10, Owasp Lagos

Discussing on the Owasp A1 injection, But mainly focus on the SQL Injection, Types, And also how to exploit such a vulnerability if exist on a web application.

ShehuAwwal

September 15, 2017
Tweet

More Decks by ShehuAwwal

See All by ShehuAwwal
Building A Distributed Systems To Scale Your Python App On Premise DataCenter or In The Cloud
shehuawwal
0
50
Ethical Hacking 1.0 Slide By Shehu Awwal
shehuawwal
0
200
Python For Security Enthusiast And Ethical Hackers
shehuawwal
1
730

Other Decks in Programming

See All in Programming
使ってみよう Azure AI Document Intelligence
kosmosebi
2
310
PostmanでAPIの動作確認が楽になった話
h455h1
0
170
Random\Randomizer クラスで日常のあれこれを解決しよう! / Random\Randomizer class solves familiar trouble
cocoeyes02
0
240
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
270
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
190
Elm 0.19.0 Changes
bkuhlmann
0
490
Git Rebase
bkuhlmann
11
1.6k
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
1
110
Hanami and htmx
bkuhlmann
0
210
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
Fast JSX: Don't clone props object #28768
yossydev
1
100
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
740

Featured

See All Featured
What's new in Ruby 2.0
geeforr
337
31k
Building an army of robots
kneath
300
41k
Building Flexible Design Systems
yeseniaperezcruz
319
37k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Adopting Sorbet at Scale
ufuk
68
8.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Building Applications with DynamoDB
mza
88
5.6k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k
The Language of Interfaces
destraynor
151
23k
RailsConf 2023
tenderlove
4
540

Transcript

  1. Exploring OWASP Top 10 A1 Shehu Awwal Independent Ethical Hacker

    http://techmedia.com.ng @ShehuAwwal [email protected]

  2. DISCLAIMER! • I am speaking for myself.

  3. Agenda • A1 - Injection • Demos with OWASP Mutillidae

    • Practical with SQLi Master For Mastering Different Types Of SQL Injection Types Or Bwapp etc

  4. A1 – Depending - Easy to find and also difficult

    to find

  5. A1 – What is SQL Injection?

  6. A1 – SQL Injection(SQLi) • Some possible effects? – Allows

    tampering/stealing of data – Leading To Remote Code Execution (RCE) That allows overtaken of the Server. – And so on. …

  7. A1 – SQL Injection • And what’s the big deal?

    • Has affected many prominent vendors that you might think of.

  8. A1 – Types of SQLi • Error Based • Union

    Based • Blind SQLi Which includes time etc

  9. Testing For SQL Injection? • Break the injection point using

    ‘ or “ • Look for parameters using id=1 and so on. • And have a look at the type of SQL Message Error to identify what type. • Example: http://www.example.com/product?id=1’ OR http://www.example.com/download?id=1”

  10. A1 – Also Test For SQLi Basic Authentication What Is

    It? Let’s Have A Look At OWASP Mutillidae And Test with ‘ OR ‘1’ =‘1 And so on! To Get The Cheat Sheet Search: SQLi Basic Authentication Cheat Sheet.

  11. A1 – Can you spot the SQL Injection type? 1

    - You have an error in your SQL Syntax. 2 – Quoted String not properly terminated 3 – Msg 150: Unclosed Quotation Mark And so on!

  12. A1 – Are We Still Vulnerable To SQL Injection Attack

    Despite New Frameworks and so on? The Answer Is Yes, Not Necessary The SQLi, But other Injection Attack types Under the OWASP A1 Like LDAP, Xpath Injection, LDAP Injection etc

  13. A1 – Preventing SQL Injection

  14. A1 – Output Encoding • Sanitize All User Input Queries

    • Enforce Least Privileges • See https://www.owasp.org/index.php/SQL_Injection_Prevention_Chea t_Sheet

  15. Demo – OWASP Mutillidae • https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

  16. A3 – Use Tools & Libraries • Testing And Exploitation

    Tools: Testing Tools -Acunetix, Vega, Or Manual Testing Explotiation Tools SQLMap, Hajiv, etc

  17. A10 – Unvalidated Redirects/Forwards Use these only if you must:

    • http://www.good.com/redirect.jsp?url=evil.com  Phisher’s heaven! • http://www.example.com/default.jsp?fwd=admin.jsp  ACL into dustbin! VALIDATE AUTHORIZATION! WHITELIST!

  18. Practical – OWASP Mutillidae • https://github.com/Audi-1/sqli-labs

  19. References • https://www.owasp.org/index.php/SQL_Inject ion • https://www.owasp.org/index.php/SQL_Inject ion_Prevention_Cheat_Sheet • https://www.owasp.org/index.php/Testing_fo r_SQL_Injection_(OTG-INPVAL-005)

  20. Questions? • [email protected] • http://techmedia.com.ng • @ShehuAwwal