Exploit-Me: Firefox Plug-ins for Application Penetration Testing
© 2008 Security Compass inc.

Who are we?
– Tom Aratyn: software developer at Security Compass; developed the Exploit-Me tools
– Jamie: security consultant for Security Compass; background in security research, penetration testing, and software development

Agenda
– Cross-site scripting: really a danger?
– State of web application security
– XSS-Me
– SQL Inject-Me
– Access Me
XSS: Really a Danger?
– We know XSS can be dangerous, but can we use it to rob a bank?
  – AJAX + CSRF + XSS = major problem

Two Exciting Flavours
– Reflected: spat straight back in the response to the request that carried it
  – XSS-Me helps here
– Stored: saved by the application and served to someone else later
  – Planned for a future version of XSS-Me

Someone Changed My App
– AJAX adds a new element to these attacks
  – AJAX was used in the IBDBank attack
– The attacker can play with data as if the victim were doing it: send, receive, parse

State of Web App Insecurity
– Web app exploits outnumber buffer overflows in CVE
– A large portion of web apps suffer from XSS or SQL injection

Testing Tools
– Various tools exist: OWASP tools, commercial, open source
– They work very well, for what they were built to do

The Missing Piece
– Most tools are not built for developers or QA
– Developers and QA must be checking for security vulnerabilities
– They need lightweight tools

XSS-Me 0.4 to the Rescue
– Firefox extension to test for cross-site scripting

XSS-Me Features
– Pick the forms and fields to test
– Firefox 3
– Import/export/add/remove XSS strings
– Test & Surf
– Heuristics to limit tests
Heuristics?
– Checking all attacks against all fields is slow (no, trust me, it's slow)
– Heuristic tests limit the fields we have to check by first determining whether we can inject into them
  – Submits a set of characters (;\/<>='") and checks whether they come back unmodified in the response

Behind the Magic
– Each attack string attempts to set document.vulnerable = true in the DOM
– If the property is set, the attack worked
– Also checks whether the attack string is returned as plain text, which counts as a potential vulnerability
  – e.g. an onMouseOver attribute injection, which needs a mouse event before it would ever set the property
Thank $deity for Struts
– Everyone says "use Struts to protect yourself"
  – Sure, just don't follow the supplied examples

Being Bobby
(Courtesy XKCD.com)

The query is built by string concatenation:

sql = "SELECT * FROM users WHERE username = '" & Request("username") & "' AND password = '" & Request("password") & "'"

User input:
  username = jimmy
  password = blah' OR '1'='1

Resulting query:

SELECT * FROM users WHERE username = 'jimmy' AND password = 'blah' OR '1'='1'

Since '1'='1' is true for every row, and AND binds tighter than OR, the WHERE clause matches every record and the entire table is returned.

No Excuse
– The defence is well known and faster than what you're doing now
  – Prepared statements
  – Stored procedures (if the procedure builds dynamic SQL with exec from its arguments it is just as vulnerable, but you're not doing that, right?)
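The Bobby Tables query and its prepared-statement fix side by side, as an added example against an in-memory SQLite database. The slide's code is ASP/VBScript; this is my Python translation, not code from the presentation, and the users table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("jimmy", "hunter2"), ("admin", "changeme")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Same construction as the slide's ASP code: the query text is glued
    together from the raw request values, so quotes in the input become SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, username, password):
    """Prepared statement: the values travel as bound parameters, never as
    part of the SQL text, so a quote in the password is just a quote."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    bobby = "blah' OR '1'='1"
    print("concatenated:", vulnerable_login(db, "jimmy", bobby))   # every user
    print("prepared:    ", safe_login(db, "jimmy", bobby))          # nobody
    print("prepared, real password:", safe_login(db, "jimmy", "hunter2"))
```

With the injected password the concatenated query returns all three users, the parameterised one returns none, and the parameterised one still logs jimmy in with his real password. The stored-procedure caveat on the slide is the same mistake moved server-side: a procedure that concatenates its arguments into a string and hands it to exec is the first function again.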
SQL Inject-Me
– Firefox extension to check for SQL injection

SQL Inject-Me Features
– Pick what you test
– Configure attack and success strings
– Large default string set
– Firefox 3
– Test & Surf

What's Your Method?
– Web/application servers may be vulnerable to HTTP verb tampering attacks
– Bypasses common authorization configurations: rules that name only the verbs the developer expected

Access Me
– Firefox extension to check for authentication and authorization issues

Access Me Features
– Checks for unauthenticated access vulnerabilities
– Checks for HTTP verb vulnerabilities
– Regular-expression-based parameter detection
– Tests automatically as you surf

Detecting Access Vulnerabilities
– Failed: the response status is 200 and the response body is too similar to the authenticated baseline
– Warning: the response status is 200 or the response body is too similar, but not both
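The verb-tampering scenario and the Failed/Warning rule above, as an added example in Python. It is not Access Me's code: the "application server" is a constructed function whose authorization rule names only GET and POST and is not consulted for any other verb (the shape of the classic Java EE security-constraint bypass), the account page and login redirect are made up, and the 0.9 similarity threshold is an assumption, since the slide does not give the figure.

```python
import difflib

# Constructed stand-in for an application server whose authorization rule
# names only the verbs the developer expected.
PROTECTED_METHODS = {"GET", "POST"}

SECRET_PAGE = ("<html><body><h1>Account summary</h1>"
               "<p>Balance: 1,234.56</p><a href=\"/logout\">Log out</a></body></html>")

# Assumed threshold for "too similar"; the slide does not give the figure.
SIMILARITY_THRESHOLD = 0.9


def simulated_app(method, authenticated):
    """Returns (status, body). The constraint is consulted only for the
    listed verbs; anything else falls through to the page handler."""
    if method in PROTECTED_METHODS and not authenticated:
        return 302, "Found. Redirecting to /login"
    if method == "HEAD":
        return 200, ""            # handler ran, body discarded
    return 200, SECRET_PAGE       # PUT, DELETE, TRACE, made-up verbs ...


def similarity(a, b):
    """0.0 (nothing in common) to 1.0 (identical)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def classify(baseline_body, status, body, threshold=SIMILARITY_THRESHOLD):
    """The slide's rule: Failed when the status is 200 AND the body is too
    similar to the authenticated baseline; Warning when only one holds."""
    similar = similarity(baseline_body, body) >= threshold
    if status == 200 and similar:
        return "Failed"
    if status == 200 or similar:
        return "Warning"
    return "Passed"


def unauthenticated_access_test(app):
    """Fetch the page with and without a session and compare."""
    _, baseline = app("GET", authenticated=True)
    status, body = app("GET", authenticated=False)
    return classify(baseline, status, body)


def verb_tamper_test(app, methods=("GET", "POST", "HEAD", "PUT", "DELETE",
                                   "OPTIONS", "TRACE", "FOO")):
    """Replay the request unauthenticated with each verb and classify each."""
    _, baseline = app("GET", authenticated=True)
    results = {}
    for method in methods:
        status, body = app(method, authenticated=False)
        results[method] = classify(baseline, status, body)
    return results


if __name__ == "__main__":
    print("unauthenticated GET:", unauthenticated_access_test(simulated_app))
    for method, verdict in verb_tamper_test(simulated_app).items():
        print("%-8s %s" % (method, verdict))
```

Against this server the plain unauthenticated GET passes, PUT, DELETE and an invented verb return the account page with a 200 and fail outright, and HEAD lands in the Warning bucket: the status is 200 but there is no body to compare, which is exactly the ambiguous case the second rule exists for.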
Where Can You Get 'em?
– Available from our website: www.securitycompass.com
– Extra XSS-Me attack strings are also available from the site
– Open sourced under GPL v3

The Future...
– May include spidering and stored attacks

Let's have 'em