OWASP 3 OWASP Testing Guide Version 2 is being completed http://www.owasp.org/index.php/Web_Applicati on_Penetration_Testing_AoC
OWASP 4 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Cross Site Scripting 5.Buffer Overflow 6.Injection Flaws 7.Improper Error Handling 8.Insecure Storage 9.Application Denial of Service 10.Insecure Configuration Management OWASP Top 10 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Cross Site Scripting 5.Buffer Overflow 6.Injection Flaws 7.Improper Error Handling 8.Insecure Storage 9.Application Denial of Service 10.Insecure Configuration Management 1.Unvalidated Input 2.Broken Access Control 3.Broken Authentication and Session Management 4.Infrastructure Vulnerabilities 5.Information Disclosure 6.Insecure Storage 7.Improper Error Handling 8.Application Denial of Service 9.Buffer Overflow 10.Insecure Configuration Management
OWASP 5 Planning Change Management Don’t get fired Communicate fully Get approvals in writing Clearly defined scope Test or production Which web servers will be targeted Can vulnerabilities be exploited Can modifications be made via exploits Will Denial of Service be tested Are brute force attacks allowed White box vs. black box
OWASP 6 Planning - Tools Presenter's favorites WebScarab – Testing proxy, fuzzer, spider, more Nessus – General vulnerability scanner Wikto – Signature-based web scanning, Google reconnaissance Nmap – Port scanner & fingerprinting WireShark (Ethereal) – Packet capture Other free tools Nikto – Signature-based web scanning Pantera – New tool from OWASP, automated scanning Paros – Testing proxy, spider BurpSuite – Testing proxy, more Commercial tools Acunetix Web Vulnerability Scanner Cenzic Hailstorm N-Stealth Sensepost Suru SPI Dynamics WebInspect Watchfire AppScan
OWASP 7 WebScarab Proxy Records all HTTP sessions Allows requests & responses to be intercepted and modified Displays HTTP sessions in parsed or raw formats Reveals hidden fields Manual requests Web Services tools Session ID Analysis Fuzzer Automated extensions checking (.bak, etc)
OWASP 8 Reconnaissance & Automated Scanning Google (Wikto) – Can find some vulnerabilities, pages difficult to navigate to Spider (WebScarab) Specialized Web scanners (Wikto, commercial) – Known web-app vulnerabilities; simple cases of XSS, SQL injection, etc. Try to identify what off-the-shelf software is being used, then research vulnerabilities (securityfocus.com) Source code Look on open file shares Look for unsecured code repositories
OWASP 9 Infrastructure Port scan (nmap) General vulnerability scan (Nessus) Unsecured HTTP management ports Web Server attacks Application framework attacks: WebMethods, WebLogic, other J2EE, ColdFusion, etc Miscellaneous vulnerable services; NetBIOS, RPC, etc.
OWASP 11 SQL Injection Caused by failure to properly validate user- provided input Allows arbitrary commands to be executed in the database Example for a login: Username = byrned Password = very_secure
OWASP 12 SQL Injection SELECT count(userID) FROM users WHERE username = 'byrned' AND password = 'very_secure'
OWASP 13 SQL Injection Username: byrned' OR 1=1 -- SELECT count(userID) FROM users WHERE username = 'byrned' OR 1=1 -- ' AND password = 'very_secure'
OWASP 14 SQL Injection Test by inserting string delimiting characters such as a single quote Look for error messages
OWASP 16 SQL Injection This information is updated every Thursday NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202
OWASP 17 SQL Injection zip: 80202' OR 1=1 -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' OR 1=1 -- '
OWASP 18 SQL Injection NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202 Peter Smith678 Main StSometownCA90332 Jane Peterson445 6 AveLakesideID12345 Sue Brown421 Evergreen StSpringfieldMD13512 zip: 80202' OR 1=1 --
OWASP 19 SQL Injection zip: 80202' UNION SELECT username, password, null, null, null FROM users -- SELECT name, address, city, state, zip FROM customers WHERE zip = '80202' UNION SELECT username, password, null, null, null FROM users -- '
OWASP 20 SQL Injection NameAddressCityStateZip David Byrne123 Main StDenverCO80202 John Doe345 17th StDenverCO80202 Peter Smith678 Main StSometownCA90332 Jane Peterson445 6 AveLakesideID12345 Sue Brown421 Evergreen StSpringfieldMD13512 byrnedvery_secure jdoeasdf smithpmary jpeterjane123 brownsf35.0=(Gd
OWASP 23 Cross Site Scripting (XSS) Look for any content in a web page that was based on user-provided input Check the source: The content might be in the HTML, but not displayed Input isn’t limited to visible form fields. Look at cookies, HTTP headers, URL query strings, hidden fields Standard pages aren’t the only source of XSS; error pages (even 404s) are frequently vulnerable
OWASP 24 Cross Site Scripting (XSS) Customer Search Tool Zip Code: No results were found for zip code '00000'
OWASP 27 Buffer Overflows Not common with modern web environments With black box, send long strings for different parameters, >1024 bytes; might have to switch to POST White box techniques beyond presentation’s scope
OWASP 28 Denial of Service (DoS) Locking Customer Accounts Buffer Overflows User Specified Object Allocation User Input as a Loop Counter Writing User Provided Data to Disk Failure to Release Resources Storing too Much Data in Session http://www.owasp.org/index.php/Testing_for_ application_layer_Denial_of_Service_%28DoS %29_attacks
OWASP 30 Session IDs Session IDs best stored in a cookie, not in the URL Should be randomly generated Should be from a large data set (>= 128 bits recommended) Use WebScarab’s Session ID analyzer
OWASP 32 Cookie Analysis – Data Formats Plain text This is a test string with some odd characters !@#$%^&*()_+-=\ Hexadecimal: Base 16 representation of the ASCII character numbers. Characters 0-9,a-f 546869732069732061207465737420737472696e67207769746820736f6d65206f646420 636861726163746572732021402324255e262a28295f202d3d Base64: Complicated. See http://en.wikipedia.org/wiki/Base64. Characters A-Z,a-z,0-9,/,+, and equal (=) for suffix padding VGhpcyBpcyBhIHRlc3Qgc3RyaW5nIHdpdGggc29tZSBvZGQgY2hhcmFjdGVycyAhQCMkJV4m KigpXyAtPQ== HTML encoding: HTML escaped characters using the character numbers. Uses this format: ampersand (&), pound (#), character number in decimal (0-9), semicolon (;) This is a tes ;t string wit& #104; some odd ch ;aracters !@#$& #37;^&*()_ -=
OWASP 33 Cookie Analysis – Data Formats HTTP URL encoding: spaces turned to plus (+), non alphanumeric characters encoded with percent (%), then the hexadecimal character number (0-9,a-f) This+is+a+test+string+with+some+odd+characters+%21%40%23%24%25%5E%26%2A% 28%29_+-%3D HTTP URL encoding – all hex: In addition to the standard URL encoding described above, all characters, including alphanumeric, can be hex encoded %54%68%69%73%20%69%73%20%61%20%74%65%73%74%20%73%74%72%69%6e%67%20%77%69 %74%68%20%73%6f%6d%65%20%6f%64%64%20%63%68%61%72%61%63%74%65%72%73%20%21 %40%23%24%25%5e%26%2a%28%29%5f%20%2d%3d IP Address formatting Octet, most common: 10.1.124.3 Hex, obtained by converting each octet into a two digit hexadecimal number: 0A017C03 Decimal, obtained by converting the hex format into a base 10 number: 167869443
OWASP 34 Authentication SQL Injection LDAP Injection Session Hijacking Theft of cookies/session IDs through XSS Guessing valid session IDs Theft of session IDs stored in URLs via browser history High or missing timeout values Brute force password attacks (THC-Hydra) Field changes: http://www.site.com/page.asp?authenticated=no http://www.site.com/page.asp?authenticated=yes Password reset facilities New passwords emailed Process flow for question response
OWASP 35 Authorization Bypassing Manually browse to known URLs without authentication Obtain admin & user credentials, try to access admin pages with user login Directory traversals & listing Original: http://www.example.com/app/auth/login.php Request: http://www.example.com/app/auth/ Request: http://www.example.com/app/ Request: http://www.example.com/../ http://www.owasp.org/index.php/Bypassing_Authenticati on_Schema_AoC
OWASP 38 Reporting Severity Category (OWASP Top 10) Location (e.g. line 23 of /search/main.php) Example exploit Impact of exploit (e.g. theft of credit card data) Recommended remediation Third party documentation (vendor or OWASP)
OWASP 39 Reporting - Categorize severity PCI severity levels: https://pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf 5UrgentTrojan Horses; file read and writes exploit; remotecommand execution 4CriticalPotential Trojan Horses; file read exploit 3HighLimited exploit of read; directory browsing; DoS 2MediumSensitive configuration information can be obtained by hackers 1LowInformation can be obtained by hackers on configuration Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/ http://nvd.nist.gov/cvss.cfm?calculator Remote vs. local expliot Attack complexity Authentication required Availability of exploit Type of fix available C/A/I impact Impact value rating Organization specific potential for loss Percentage of vulnerable systems Level of vulnerability confirmation
OWASP 40 Example Finding 11. Improper use of varchar data types Severity: Critical Category: Injection Flaws Exploitation prerequisites: Internet access; authentication may not be required for all pages Description Some pages handle numeric data types as “varchars” (character string). This makes SQL injection possible, despite the “cfqueryparam” tag; since there is no quote to break out of, escaping quote characters won’t help. This occurs in many pages. Example \dsg\createNewPage.cfm; line 54 select user_name from users (nolock) where user_number = Recommendation Every file should be reviewed for how each SQL query or stored procedure is called. Change all numeric SQL parameters to use CF_SQL_INTEGER. References http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html http://www.owasp.org/index.php/Data_Validation