Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations


Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Application Security Reviews David Byrne, CISSP, MCSE Security Architect EchoStar Satellite, LLC November 15, 2006

2 OWASP 2 Testing Steps  Planning  Reconnaissance  Infrastructure  Input validation  Denial of Service (DoS)  Authentication & Authorization  Information Disclosure  Code Review  Reporting

3 OWASP 3 OWASP Testing Guide  Version 2 is being completed  on_Penetration_Testing_AoC

4 OWASP 4 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Cross Site Scripting 5.Buffer Overflow 6.Injection Flaws 7.Improper Error Handling 8.Insecure Storage 9.Application Denial of Service 10.Insecure Configuration Management OWASP Top 10 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Cross Site Scripting 5.Buffer Overflow 6.Injection Flaws 7.Improper Error Handling 8.Insecure Storage 9.Application Denial of Service 10.Insecure Configuration Management 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Infrastructure Vulnerabilities 5.Information Disclosure 6.Insecure Storage 7.Improper Error Handling 8.Application Denial of Service 9.Buffer Overflow 10.Insecure Configuration Management

5 OWASP 5 Planning  Change Management  Don’t get fired  Communicate fully  Get approvals in writing  Clearly defined scope  Test or production  Which web servers will be targeted  Can vulnerabilities be exploited  Can modifications be made via exploits  Will Denial of Service be tested  Are brute force attacks allowed  White box vs. black box

6 OWASP 6 Planning - Tools  Presenter's favorites  WebScarab – Testing proxy, fuzzer, spider, more  Nessus – General vulnerability scanner  Wikto – Signature-based web scanning, Google reconnaissance  Nmap – Port scanner & fingerprinting  WireShark (Ethereal) – Packet capture  Other free tools  Nikto – Signature-based web scanning  Pantera – New tool from OWASP, automated scanning  Paros – Testing proxy, spider  BurpSuite – Testing proxy, more  Commercial tools  Acunetix Web Vulnerability Scanner  Cenzic Hailstorm  N-Stealth  Sensepost Suru  SPI Dynamics WebInspect  Watchfire AppScan

7 OWASP 7 WebScarab  Proxy  Records all HTTP sessions  Allows requests & responses to be intercepted and modified  Displays HTTP sessions in parsed or raw formats  Reveals hidden fields  Manual requests  Web Services tools  Session ID Analysis  Fuzzer  Automated extensions checking (.bak, etc)

8 OWASP 8 Reconnaissance & Automated Scanning  Google (Wikto) – Can find some vulnerabilities, pages difficult to navigate to  Spider (WebScarab)  Specialized Web scanners (Wikto, commercial) – Known web-app vulnerabilities; simple cases of XSS, SQL injection, etc.  Try to identify what off-the-shelf software is being used, then research vulnerabilities (securityfocus.com)  Source code  Look on open file shares  Look for unsecured code repositories

9 OWASP 9 Infrastructure  Port scan (nmap)  General vulnerability scan (Nessus)  Unsecured HTTP management ports  Web Server attacks  Application framework attacks: WebMethods, WebLogic, other J2EE, ColdFusion, etc  Miscellaneous vulnerable services; NetBIOS, RPC, etc.

10 OWASP 10 Input Validation  SQL Injection  Cross Site Scripting (XSS)  Buffer Overflows

11 OWASP 11 SQL Injection  Caused by failure to properly validate user- provided input  Allows arbitrary commands to be executed in the database  Example for a login:  Username = byrned  Password = very_secure

12 OWASP 12 SQL Injection SELECT count(userID) FROM users WHERE username = 'byrned' AND password = 'very_secure'

13 OWASP 13 SQL Injection Username: byrned' OR 1=1 -- SELECT count(userID) FROM users WHERE username = 'byrned' OR 1=1 -- ' AND password = 'very_secure'

14 OWASP 14 SQL Injection  Test by inserting string delimiting characters such as a single quote  Look for error messages

15 OWASP 15 SQL Injection Customer Search Tool Zip Code: query = "SELECT name, address, city, state, zip" + "FROM customers" + "WHERE zip = ' " + zipcode + " ' ";

16 OWASP 16 SQL Injection This information is updated every Thursday NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202

17 OWASP 17 SQL Injection zip: 80202' OR 1=1 -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' OR 1=1 -- '

18 OWASP 18 SQL Injection NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202 Peter Smith678 Main StSometownCA90332 Jane Peterson445 6 AveLakesideID12345 Sue Brown421 Evergreen StSpringfieldMD13512 zip: 80202' OR 1=1 --

19 OWASP 19 SQL Injection zip: 80202' UNION SELECT username, password, null, null, null FROM users -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' UNION SELECT username, password, null, null, null FROM users -- '

20 OWASP 20 SQL Injection NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202 Peter Smith678 Main StSometownCA90332 Jane Peterson445 6 AveLakesideID12345 Sue Brown421 Evergreen StSpringfieldMD13512 byrnedvery_secure jdoeasdf smithpmary jpeterjane123 brownsf35.0=(Gd

21 OWASP 21 SQL Injection  Resources:    /white_papers/blind_sql_server_injection.html  njection.pdf  ql_injection.pdf

22 OWASP 22 Cross Site Scripting (XSS)  Allows an attacker to imbed arbitrary HTML inside a web page  Can be persistent (e.g. a bulletin board) or dynamic (e.g. a URL)  JavaScript can  Redirect the browser to an attack site  Monitor and report browsing activity using frames  Launch attacks against browser vulnerabilities  Steal cookies  Perform actions while impersonating user (MySpace worm)

23 OWASP 23 Cross Site Scripting (XSS)  Look for any content in a web page that was based on user-provided input  Check the source: The content might be in the HTML, but not displayed  Input isn’t limited to visible form fields. Look at cookies, HTTP headers, URL query strings, hidden fields  Standard pages aren’t the only source of XSS; error pages (even 404s) are frequently vulnerable

24 OWASP 24 Cross Site Scripting (XSS) Customer Search Tool Zip Code: No results were found for zip code '00000'

25 OWASP 25 Cross Site Scripting alert("XSS")

26 OWASP 26 Cross Site Scripting (XSS)  Resources:   

27 OWASP 27 Buffer Overflows  Not common with modern web environments  With black box, send long strings for different parameters, >1024 bytes; might have to switch to POST  White box techniques beyond presentation’s scope

28 OWASP 28 Denial of Service (DoS)  Locking Customer Accounts  Buffer Overflows  User Specified Object Allocation  User Input as a Loop Counter  Writing User Provided Data to Disk  Failure to Release Resources  Storing too Much Data in Session  application_layer_Denial_of_Service_%28DoS %29_attacks

29 OWASP 29 Authentication & Authorization  Session IDs  Authentication  Authorization

30 OWASP 30 Session IDs  Session IDs best stored in a cookie, not in the URL  Should be randomly generated  Should be from a large data set (>= 128 bits recommended)  Use WebScarab’s Session ID analyzer

31 OWASP 31 WebScarab Session ID Analysis

32 OWASP 32 Cookie Analysis – Data Formats  Plain text This is a test string with some odd characters  Hexadecimal: Base 16 representation of the ASCII character numbers. Characters 0-9,a-f e f6d65206f e262a28295f202d3d  Base64: Complicated. See Characters A-Z,a-z,0-9,/,+, and equal (=) for suffix padding VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4m KigpXyAtPQ==  HTML encoding: HTML escaped characters using the character numbers. Uses this format: ampersand (&), pound (#), character number in decimal (0-9), semicolon (;) This is a tes ;t string wit& #104; some odd ch ;aracters !@#$& #37;^&*()_ -=

33 OWASP 33 Cookie Analysis – Data Formats  HTTP URL encoding: spaces turned to plus (+), non alphanumeric characters encoded with percent (%), then the hexadecimal character number (0-9,a-f) This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A% 28%29_+-%3D  HTTP URL encoding – all hex: In addition to the standard URL encoding described above, all characters, including alphanumeric, can be hex encoded %54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69 %74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21 %40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d IP Address formatting Octet, most common: Hex, obtained by converting each octet into a two digit hexadecimal number: 0A017C03 Decimal, obtained by converting the hex format into a base 10 number:

34 OWASP 34 Authentication  SQL Injection  LDAP Injection  Session Hijacking  Theft of cookies/session IDs through XSS  Guessing valid session IDs  Theft of session IDs stored in URLs via browser history  High or missing timeout values  Brute force password attacks (THC-Hydra)  Field changes:    Password reset facilities  New passwords ed  Process flow for question response

35 OWASP 35 Authorization Bypassing  Manually browse to known URLs without authentication  Obtain admin & user credentials, try to access admin pages with user login  Directory traversals & listing  Original:  Request:  Request:  Request:  on_Schema_AoC

36 OWASP 36 Information Disclosure  Directory traversal & listing  HTML & JavaScript comments  Error messages can divulge:  Operating System environmental parameters  Web Server settings  Database drivers in use  SQL queries run on a page  Software versions

37 OWASP 37 Code Review  SQL queries  Stored procedures  User-supplied input as part of output  Operating System / shell commands  Error handling routines  Source code storage & access  Authentication & authorization mechanisms  ontents

38 OWASP 38 Reporting  Severity  Category (OWASP Top 10)  Location (e.g. line 23 of /search/main.php)  Example exploit  Impact of exploit (e.g. theft of credit card data)  Recommended remediation  Third party documentation (vendor or OWASP)

39 OWASP 39 Reporting - Categorize severity  PCI severity levels: https://pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf 5UrgentTrojan Horses; file read and writes exploit; remotecommand execution 4CriticalPotential Trojan Horses; file read exploit 3HighLimited exploit of read; directory browsing; DoS 2MediumSensitive configuration information can be obtained by hackers 1LowInformation can be obtained by hackers on configuration  Common Vulnerability Scoring System (CVSS)  Remote vs. local expliot  Attack complexity  Authentication required  Availability of exploit  Type of fix available  C/A/I impact  Impact value rating  Organization specific potential for loss  Percentage of vulnerable systems  Level of vulnerability confirmation

40 OWASP 40 Example Finding 11. Improper use of varchar data types Severity: Critical Category: Injection Flaws Exploitation prerequisites: Internet access; authentication may not be required for all pages Description Some pages handle numeric data types as “varchars” (character string). This makes SQL injection possible, despite the “cfqueryparam” tag; since there is no quote to break out of, escaping quote characters won’t help. This occurs in many pages. Example \dsg\createNewPage.cfm; line 54 select user_name from users (nolock) where user_number = Recommendation Every file should be reviewed for how each SQL query or stored procedure is called. Change all numeric SQL parameters to use CF_SQL_INTEGER. References

41 OWASP 41 Questions


Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations


Ads by Google