
Copyright © 2014 − Cypress Data Defense, LLC


Web Application Security: Be Offensive!

Eric Johnson
Cypress Data Defense

About Me

§ Eric Johnson (Twitter: @emjohn20)
§ Senior Security Consultant
§ SANS AppSec Curriculum Product Manager
§ Certified SANS Instructor & Course Author


Be Offensive!

A good offense creates a business case for spending time and money on defense!

OWASP Top 10 (www.owasp.org)

§ A1: Injection
§ A3: Cross-Site Scripting
§ A4: Insecure Direct Object Reference


Disclaimer

§ Demonstrations of real attack tools
§ Illegal to attack targets without written contractual consent
§ Obey your federal laws
§ We assume no liability

SQL Injection, LDAP Injection, Command Injection


A1 Injection: In The News (1)

§ May 2015
§ Gaana Music Service
§ 12.5 million records
§ Name, email, MD5 password hash, DoB, social media handles

§ October 2013
§ 677,000 accounts
§ Name, address, DOB, phone numbers, passwords


A1 Injection: In The News (3)

§ June 2012
§ 6.5 million password hashes extracted from the database
§ 4+ million SHA1 hashes reversed within a few days

§ August 2009
§ 130 million credit card numbers
§ $200 million loss


A1 Injection: Exploitation

§ sqlmap DEMO
§ http://sqlmap.org/
§ Written in Python

OWASP SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
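As an added example (not part of the original deck), the A1 flaw and the cheat sheet's primary fix side by side in Python against an in-memory SQLite table: the concatenated query lets a quote in the input change the statement, while the parameterized query compares the value literally. The table, rows and tainted input are constructed.

```python
import sqlite3

# Constructed sample data: a users table with two rows.
SAMPLE_USERS = [(1, "alice", "alice@example.com"),
                (2, "bob", "bob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, name):
    # The untrusted value is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL (A1).
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Same query with a bound parameter: the driver passes the value
    # separately from the statement, so it can only ever be compared
    # against the column, never interpreted as SQL.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"   # constructed input that widens the WHERE clause
    print(lookup_vulnerable(db, tainted))      # every row comes back
    print(lookup_parameterized(db, tainted))   # no row has that literal name
    print(lookup_parameterized(db, "alice"))   # the intended lookup still works
```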


A3 Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding.

§ Execute scripts in the victim's browser
§ Hijack user sessions
§ Deface web sites
§ Redirect the user to malicious sites.
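An added example (not from the deck) of the encoding the definition above refers to, in Python: the same untrusted string rendered without encoding, encoded for the HTML body, and encoded inside a quoted attribute. html.escape is the standard library's HTML entity encoder; the sample inputs are constructed.

```python
import html

# Constructed untrusted inputs, as a user might type them into a form.
SAMPLE_BODY = "<script>alert(1)</script>"
SAMPLE_ATTR = '" onfocus="alert(1)'

def render_comment_vulnerable(untrusted):
    # Untrusted data goes into the HTML body verbatim, so any tags in it are
    # parsed and run by the victim's browser: the XSS flaw from the slide.
    return '<p class="comment">' + untrusted + '</p>'

def render_comment_encoded(untrusted):
    # HTML-body context: encode < > & " ' as entities before emitting, so the
    # browser shows the input as text instead of treating it as markup.
    return '<p class="comment">' + html.escape(untrusted, quote=True) + '</p>'

def render_value_encoded(untrusted):
    # Attribute context: the attribute must be quoted AND quotes must be
    # encoded, otherwise the input can close the attribute and add its own.
    return '<input type="text" value="' + html.escape(untrusted, quote=True) + '">'

def survives_unencoded(rendered, untrusted):
    # Unit-test style check: did the raw input reach the output intact?
    return untrusted in rendered

if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_BODY))
    print(render_comment_encoded(SAMPLE_BODY))
    print(render_value_encoded(SAMPLE_ATTR))
```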

August  2009  


A3 XSS: In The News (2)

§ March 2008
§ Site defaced to contain flashing images designed to cause seizures
§ Some victims required hospital care

§ June 2009
§ Offered $10,000 reward to anyone that broke into the CEO's email account
§ Email interface vulnerable to XSS and session hijacking


A3 XSS: Exploitation

§ Browser Exploitation Framework (BeEF)
§ http://beefproject.com/
§ Written in Ruby

OWASP XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


A4 Insecure Direct Object Reference

Accessing backend data using untrusted request parameter data that attackers can manipulate.

§ File
§ Directory
§ Database key

§ April 2015
§ Site allowed any user to delete any video
§ Event_id request parameter
§ Bug bounty paid $5,000
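An added example (not from the deck) of the April 2015 pattern above, in Python: a delete handler that trusts the client's event_id beside one that checks ownership first, plus the per-user indirect reference map OWASP recommends for A4, so the client only ever sees opaque tokens for its own objects. The store, user names and ids are constructed.

```python
import secrets

# Constructed store: video (event) id -> owner user name.
SAMPLE_VIDEOS = {101: "alice", 102: "bob", 103: "alice"}

def delete_video_vulnerable(store, current_user, event_id):
    # The handler acts on whatever event_id the request carries and never
    # asks who owns it: any logged-in user can delete any video (A4).
    if event_id in store:
        del store[event_id]
        return "deleted"
    return "not found"

def delete_video_checked(store, current_user, event_id):
    # Resolve the reference, then verify the caller owns the object before
    # acting. Unknown and foreign ids get the same answer so the response
    # does not tell the caller which ids exist.
    if store.get(event_id) != current_user:
        return "forbidden"
    del store[event_id]
    return "deleted"

def make_reference_map(store, current_user):
    # Per-user indirect reference map: the client only ever receives opaque
    # tokens, and only for objects it is allowed to touch.
    return {secrets.token_urlsafe(8): vid
            for vid, owner in store.items() if owner == current_user}

def delete_via_reference(store, ref_map, token):
    # A token that is not in this user's map cannot name anyone else's video.
    vid = ref_map.pop(token, None)
    if vid is None:
        return "forbidden"
    del store[vid]
    return "deleted"

if __name__ == "__main__":
    s = dict(SAMPLE_VIDEOS)
    print(delete_video_vulnerable(s, "bob", 101))   # bob deletes alice's video
    s = dict(SAMPLE_VIDEOS)
    print(delete_video_checked(s, "bob", 101))      # forbidden
    refs = make_reference_map(s, "bob")
    print(delete_via_reference(s, refs, next(iter(refs))))  # bob's own video
```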


A4: In The News (2)

§ October 2013
§ Site allowed users to download other customers' SMS message history
§ Phone number in the query string

§ September 2013
§ Site allowed users to delete another user's photos
§ Profile id and photo id request


A4: Exploitation

§ Burp Suite
§ Intruder Plugin
§ Free & Professional Version
§ http://portswigger.net
§ Written in Java

OWASP Access Control Cheat Sheet
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet


Who is at risk?

§ Does your company store sensitive information?
§ Are you storing payment card information?
§ Does your company store health care records?
§ Are you compliant with federal and state laws?
§ Do you work with companies or third party vendors that store this type of information?

Often times, it comes down to one main issue. WE DON'T KNOW. And if there is uncertainty with our own company, the risk only increases as you work with vendors and third parties.

Help me, Obi-Wan Kenobi. You're my only hope.

Security Training


Security Assessment Options

Features compared across the three options (Static Review, Manual Review, Hybrid Review):

§ Static Application Security Testing (SAST)
§ Manual Code Review
§ Manual Dynamic Testing
§ Dynamic Application Security Testing (DAST)
§ Results Validation


Questions?

@emjohn20
[email protected]

Thank You!
