Owasp top 10 web application security hazards part 2

TOP 10 WEB APPLICATION SECURITY
HAZARDS
{ PART - 2 }
@
by Abhinav Sejpal
Null - Humla Session

WHO AM I
I' m Next-Gen Exploratory Testy
Student of Information Security field
Researcher & Reader in free time
Member of
Crowd Tester (AKA. Bug bounty Hunter)
Proficient at Functional, Usability , Accessibility & Compatibility Testing
Love to develop nasty code & Hack it :)
Works as Quality Analyst at
AKA. Bug Wrangler
Null Open Security Co mmunity
passbrains.com

DISCLAIMER
This presentation is intended for educational purpose only and I cannot be held liable for
any kind of damages done, whatsoever to your machine, or any other damages.
Don't try this attack on any other system without having context knowledge or permission,
this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purpose.
^ I hope - You gotcha ^

AGENDA
No Revision of Part - 1
Understand New Attacks
Self exploratory exercise
Learn + Hack
Q & A

FOR SOCIAL MEDIA
Twitter handle
@ @null0x00 Abhinav_Sejpal
Hashtag for this session
# #Nullhumla nullblr

Owasp top 10 web application security hazards part 2

OBJECTIVES FOR THIS SESSION
BUILD SECURITY AWARENESS FOR WEB
APPLICATION
LEARN WAY TO DISCOVER SECURITY
VULNERABILITIES
LEARN BASIC OF SECURE WEB APPLICATION VIA
OWASP TOP 10

LET'S BEGIN OUR JOURNEY
OF
TOP 10 WEB APPLICATION SECURITY
HAZARDS
* We won't talk about Injection & XSS *

for:
Setup the Test Lab
Install XAMPP
Acronym
X (to be read as "cross", meaning )cross-platform
Apache HTTP Server
MySQL
PHP
Perl

TARGETED APPLICATION
Client Side language : HTML & Javascript
Server side Language: PHP
DB : MYSQL
Why PHP ? - Any answer Here?
Why MySQL? MySQL is Girlfriend of PHP <3

PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE
PROGRAMMING LANGUAGE.
http://w3techs.com/technologies/overview/programming_lang

PHP: 244M SITES
2.1M IP ADDRESSES

2013 Server-side Programming Language of the Year
Don't Mind Power of PHP > Facebook & yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year

It's a free, open source web application provided to allow
security enthusiast to pen-test and hack a web application.
V.2X developed by aka
PLAY GROUND
MUTILLIDAE
Jeremy Druin webpwnized.

OWASP A8 - CSRF
CROSS-SITE REQUEST FORGERY

CSRF AKA. XSRF
THE ATTACKER EXPLOITS THE TRUST A WEBSITE
HAS AGAINST A USER’S BROWSER.
Permission fakingstealing
Disruption of the normal sequence of the site

DEMO #1
Login ID - admin
password - adminpass
HTTP GET Request
http://127.0.0.1/xampp/mutillidae/index.php?do=logout

<a href=
>
: ANSWER DEMO 1:
<html>
<title> CSRF Demo 1 </title>
http://127.0.0.1/xampp/mutillidae/index.php?
do=logout
Click me </a>
</html>

UNDERSTANDING
Logout page was a simple HTTP GET that required no
confirmation
Every user who visited that page would immediately be
logged out - that's CSRF in action.
Yes it's not dangerous but annoying

SO WHAT DO YOU THINK,
IT'S ALL ABOUT CLICK ?
ssh, No!!
Would you like to write CSRF exploit without click ??

IMAGE TAG
<img style="display:none;" src="your Request">
Image tag does not require clicking the link compared Tag-
A requires clicking on the link to activate the HTTP request
Can we try Demo 1 with Image tag ?

<img src=
>
CSRF GET Request with Image Tag
<html>
do=logout
</html>

THE NATURE OF BROWSERS IS TO SEND HTTP REQUESTS TO VISUAL OBJECTS SUCH AS PICTURE OR REMOTE FILES (CSS, JS,
ETC.) EVEN WHILE LOADING THE PAGE WITHOUT THE USER'S PERMISSIONS.
Iframe tag
<iframe src="your Request"></iframe>
Java Script code
               <script> var X= new Image();
                                   X.src = "URL";
                </script>
                        Can we try Demo 1 with Iframe & JS ?

HTTP REQUEST
<iframe src="
do=logout"></iframe>
         <script> var X= new Image();
                                   X.src= "
http://127.0.0.1/xampp/mutillidae/index.php?do=logout
";
</script>

:: SOLUTION #1 ::
<html>
<a href = http://127.0.0.1/xampp/mutillidae/index.php?
page=user-poll.php&csrf-
token=&choice=nmap&initials=n&user-poll-php-submit-
button=Submit+Vote>
Click me </a>
</html>

CHALLENGE #2
{ Post HTTP Request }

: Solution Available :
http://127.0.0.1/xampp/CSRF Attack/Add New Blog Entry -
CSRF POST.html

DOES IT EASY TO CREATE CSRF HTTP REQUEST ?
No - you should try out
~ ~CSRF Finder Firefox add-on
* One Click POC *
* Hybrid automation *
Thank you - Piyush Pattanayak

LIVE CHALLENGE
* SIGNUP DISABLED *
PLEASE USE THE USERNAME TEST AND THE
PASSWORD TEST
CSRF & XSRF
Update the user info. without their knowledge
http://testphp.vulnweb.com/userinfo.php
Copyright © 2014, Acunetix Ltd

You've been CSRF'd with static token!
Can we exploit this with Level #2 ?

POPULAR COOL FINDINGS
by AmolFacebook CSRF worth USD 5000
GOOGLE GROUPS PROFILE CSRF
Google Account display pic deletion
Facebook Account deactivation
Advance Leanings - CSRF Token Validation Fail
http://haiderm.com/csrf-token-protection-bypass-methods/

Am I Vulnerable To 'Broken Authentication &
Session Management'?
A2 - OWASP TOP 10

LETS' BYPASS THE MUTILLIDAE
Can we do it ?
Part -1 Learning with SQL Injection

APPLY BRUTE FORCE ATTACK
/xampp/mutillidae/index.php?page=login.php
Account Lock Policy & Captcha missing :P

IN-SECURED SESSION-ID
Cookies Flag HTTP ONLY
Secure flag would be complimentary

XSS SESSION HIJACKING
PHPSESSID=0ebmp37g8v8stqsjpf1ln40c20
JSESSIONID
ASP Session.SessionID
Let's Try out Part 1 learning and exploit the session

So, Let's Learn about Web App DB structure
Passwords are stored in plain text.
oh really -- ':(
OWASP #A6

Password is protected, when stored using encryption
algorithm. Are you sure?
http://www.md5online.org/

YOU MAY ALSO TRY OUT HASH BUT PASSWORD SALT IS A
RECOMMENDED SOLUTION SO FAR.
P ASSWORD POLICY SHOULD BE APPLIED NICELY AND SHOULD NOT BE WEAKER.
-- * --
SECURITY & BUSINESS LOGIC SHOULD BE APPLIED FOR CHANGING PASSWORD.
CHANGE PASSWORD DOESN'T ASK FOR CURRENT PASSWORD - LOL

Robots.txt
All Sensitive data expose

AVOIDING INSECURE DIRECT OBJECT REFERENCES
OWASP #A4

Demo #1
Tamper the ID parameter
http://127.0.0.1/xampp/sqli/secondorder_changepass.php

ENUMERATION USING PARAMETER
LIVE
https://profile.utest.com/ 67797
https://profile.utest.com/200 -- N

https://99tests.com/testers/ 3298

Secret PHP Server Configuration Page
page=phpinfo.php

MISSING FUNCTION LEVEL ACCESS CONTROL
OWASP #A7

LIVE
HTTP://STEPINFORUM.ORG/MAILERS2014/
http://demo.testfire.net/pr/

OWASP #A9
USING KNOWN VULNERABLE
COMPONENTS

Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-
Libraries.pdf

COOL WORDPRESS PROJECTS
Code Vigilant
Latest buzzing known vulnerabilities
#Heartbleed
# BashBug

Can you verify that - your website SSL Cert isn't vulnerable
to Heart bleed attack?
Google - SSL Heart bleed Fix verification script
https://lastpass.com/heartbleed/

A6 – Sensitive Data Exposure

SECURITY
MISCONFIGURATION
OWASP -#A5

CLICK JACKING
Code: – <iframe src= http://www.testingcircus.com>
</iframe>
Live Demo: – http://goo.gl/6gEq2I
Click jacking Testing tool: – http://goo.gl/27VgQb

IF YOU ARE PLANNING TO HOST YOUR OWN
SERVER
this talk matters for you
"SECURING A LINUX WEB SERVER IN 10 STEP S"
BY A KASH MAHAJAN
https://www.youtube.com/watch?v=ort9qxzu3h0

ELMAH.AXD ERROR LOGS
GOOGLE SEARCH

https://www.owasp.org/index.php/Top_10_2013- A10-
Unvalidated_Redirects_and_Forwards

Vulnerable Redirection
page=redirectandlog.php&
forwardurl=http://www.owasp.org
I don't think so, i need to explain you what you can do here
:D

YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com

WE NEED YOU!
Attend Null Meets-up & give presentations.
Share your ideas & leanings.
Talk to our community champions & gain from leanings.
Your feedback helps us to build a good community.
Looking forward to your ongoing support.
HTTP://NULL.CO.IN/
Say 'Hello' @null0x00

- Twitter Folks -

@ , @ , @
#Nullblr Leads & Champions
Big thank you to @ ,@ & you All.
CREDITS
TroyHunt yog3sharma @ Lavakumark HaiderMQ
null0x00 ru94mb

INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU
SHOULD BE FOLLOWING IN TWITTER
Thank-you http://garage4hackers.com/ community

THANK YOU!
KEEP THE SECURITY ANTE UP.

https://slides.com/abhinavsejpal/top-10-web-application-
security-hazards--2
LICENSE AND COPYRIGHTS
Copyrights 2013-2014 Abhinav Sejpal
-----
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy

Owasp top 10 web application security hazards part 2

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to Owasp top 10 web application security hazards part 2 (20)

Recently uploaded (20)

Owasp top 10 web application security hazards part 2