Breaching a Web Application - Common Issues and Mitigating Steps

Posted on 21-Jan-2017


Category: Technology


TRANSCRIPT

Breaching a Web Application

Common Issues and Mitigating Steps

My name is Jason Frank
Director of Veris Group’s Adaptive Threat Division
Trainer for Black Hat
You can find me at @jasonjfrank

PS: IANAD – I am not a developer!

Hello!

Agenda
◉ An Attacker’s View
◉ Injection Attacks 101
◉ Misconfigurations
◉ Remediation and Mitigations

1. An Attacker’s View

Testing Process
Pre-Assessment Activities → Discovery → Exploitation → Post Exploitation → Post-Assessment Activities

[Figure: n-tier architecture, http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png]

[Diagram: Internet → DMZ → Protected Enclave]

[Figure: https://www.w3.org/2005/03/Demos/insurance.png]

OWASP
◉ Provides free documentation on offensive and defensive application measures
◉ Curated “OWASP Top Ten” vulnerabilities
◉ OWASP Web Testing Guide
◉ Contains material for: web applications, mobile, software development, tools

[Figure: https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png]

2. Injection Attacks 101

Injection Attacks
◉ Occur when untrusted input reaches an interpreter (SQL engine, XML parser, OS shell) and is treated as part of the query or command rather than as data
◉ Proper input validation / server-side validation is not being performed
◉ A dynamically built query can be altered to execute arbitrary calls or requests
◉ Common types of injection: SQL, XML, OS Command

https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg

[Diagram: a WordPress server connects to the database as WPDBUser, whose access is limited to the WP tables (Users, Posts, Comments, Themes)]

[Diagram: the same WordPress server connects as the DBA account, so the HR App’s tables (Names, SSNs, Salaries, Addresses) in the same database are reachable through the WordPress connection]
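The two diagrams above are about the database account the application connects with. As an added example (not from the slides), here is the “dynamically built query” from the injection bullets beside its parameterised form, run against an in-memory SQLite database. Table names, rows, account names and the two payloads are constructed for illustration; SQLite has no per-user grants, so the HR table is simply reachable from the same connection, which is the shared-DBA-account situation the second diagram depicts.

```python
"""Added example (not from the original slides): the 'dynamically built
query' from the injection bullets beside its parameterised form, run against
an in-memory SQLite database. Schema, rows and payloads are constructed here
for illustration; passwords are stored in clear text only to keep the
example short."""
import sqlite3

# Constructed attacker inputs (hypothetical): the first comments out the
# password check, the second appends a UNION that reads a different table.
BYPASS_PAYLOAD = "admin' --"
UNION_PAYLOAD = "x' UNION SELECT name || ':' || ssn FROM hr_employees --"


def build_db() -> sqlite3.Connection:
    """The blog's own table plus an unrelated HR table in the same database,
    mirroring the deck's diagram of a WordPress app connecting with a DBA-level
    account. SQLite has no per-user grants, so every table is reachable."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (username TEXT, password TEXT);
        INSERT INTO wp_users VALUES ('admin', 'Tr0ub4dor&3');
        INSERT INTO wp_users VALUES ('editor', 'letmein');
        CREATE TABLE hr_employees (name TEXT, ssn TEXT, salary INTEGER);
        INSERT INTO hr_employees VALUES ('Alice Example', '123-45-6789', 120000);
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Dynamically built query: user input is spliced into the SQL text, so a
    quote in the input changes the statement's structure."""
    sql = (
        "SELECT username FROM wp_users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the statement text is fixed and the driver binds
    the inputs as values, so the same payloads are just unmatched strings."""
    sql = "SELECT username FROM wp_users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("vulnerable, union  :", login_vulnerable(db, UNION_PAYLOAD, ""))
    print("parameterised      :", login_safe(db, BYPASS_PAYLOAD, "wrong"))
```

Parameterisation fixes the query-structure problem; it does not shrink what a successful injection elsewhere can reach. That is what the account in the diagram controls: a WPDBUser-style account limited to the WP tables would make the UNION payload fail even against the vulnerable function.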


SQL Injection Tools
◉ Burp Suite Pro Scanner (identification)
◉ SQLMap
◉ SQLNinja

3. Misconfigurations

Misconfigurations
◉ Serves as a catch-all for many facets of the implementation
◉ Can occur at all levels of the technology stack
◉ Identifies both technical and procedural weaknesses

Technology stack: Operating System, Web Servers, Applications, Add-ons

http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/


[Diagram: Internet → DMZ → Protected Enclave → Internal Systems]

Tools
◉ Nikto
◉ Web Scanners: Acunetix, NTOSpider, Burp Suite Pro
◉ Vulnerability Scanners: Nessus, NeXpose

4. Remediation and Mitigation

A Note About Testing Types
◉ Static Reviews: source code reviews that are incorporated throughout the development cycle.
◉ Dynamic Testing: assessment of the final solution in an operational context.
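A static review does not have to be a manual read-through; part of it can run on every commit. As an added example (not from the slides), the check below walks a Python file’s syntax tree and flags DB-API `execute()`-style calls whose SQL text is assembled with `+`, `%`, an f-string or `.format()`, the exact pattern behind the “dynamically built query” in the injection section. It assumes the application is Python and uses the `execute`/`executemany`/`executescript` convention; the scanned source is constructed for illustration.

```python
"""Added example (not from the original slides): a small static check for
dynamically built SQL, suitable for a pre-commit hook or CI step. It assumes
a Python code base using the DB-API execute() convention; SAMPLE_SOURCE is a
constructed file to scan, not code from any real project."""
import ast

DB_CALLS = {"execute", "executemany", "executescript"}

# Constructed input: four dynamically built queries and one parameterised one.
SAMPLE_SOURCE = '''\
def lookup(cur, username, uid):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE id = {}".format(uid))
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''


def _is_dynamic_sql(node: ast.expr) -> bool:
    """True when the SQL argument is assembled at run time: concatenation
    with +, old-style % formatting, an f-string, or str.format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_dynamic_sql(source: str) -> list:
    """Return (line, sql_expression) for each execute()-style call whose first
    argument is built dynamically. A plain string literal with ? placeholders
    is not reported. Limitation: a query built earlier and passed in a variable
    is not traced (that needs data-flow analysis, out of scope here)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in DB_CALLS and node.args
                and _is_dynamic_sql(node.args[0])):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, expr in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: dynamically built SQL -> {expr}")
```

Run against SAMPLE_SOURCE it reports lines 2 to 5 and stays silent on line 6, the parameterised call. A check like this is cheap enough to gate merges on; the dynamic test described in the next bullet then confirms nothing slipped past it in the deployed solution.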

Misconfiguration Prevention
◉ Review all technologies in the stack
◉ Implement available hardening guides
◉ Have your solution dynamically tested periodically
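The misconfiguration section listed the layers (operating system, web server, application, add-ons) and this slide says to harden them and test them periodically. As an added example (not from the slides) serving both passages, the audit below does what a periodic dynamic check or a tool such as Nikto does for the web-server and application layers: it reads a raw HTTP response and reports version banners, missing security headers, cookies without Secure/HttpOnly, and an exposed directory listing. Both responses it runs on are constructed, not captured from any host, and the thresholds reflect common hardening-guide recommendations rather than any one standard.

```python
"""Added example (not from the original slides): an audit of HTTP response
headers and body for common web-server/application misconfigurations, the
kind of check a periodic dynamic test or a tool such as Nikto performs. It
runs against two constructed responses, not a live host."""
import re

HSTS_MIN_AGE = 31536000  # one year, a common hardening-guide baseline
VERSION_RE = re.compile(r"\d+\.\d+")  # e.g. "Apache/2.2.15", "PHP/5.3.3"

# Constructed responses: a weak default install and a hardened configuration.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(name, value)], body).
    Header names are lower-cased; repeated headers (Set-Cookie) are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(raw: str) -> list:
    """Return a list of finding strings; an empty list means nothing flagged."""
    _, headers, body = parse_response(raw)

    def get(name):
        return [v for n, v in headers if n == name]

    findings = []
    # Version disclosure: a banner with a version number lets an attacker pick exploits.
    for h in ("server", "x-powered-by"):
        for v in get(h):
            if VERSION_RE.search(v):
                findings.append(f"{h}: version disclosed ({v})")
    # HSTS (only meaningful on an HTTPS response): missing or short max-age.
    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("strict-transport-security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"strict-transport-security: max-age below one year ({hsts[0]})")
    if "nosniff" not in " ".join(get("x-content-type-options")).lower():
        findings.append("x-content-type-options: nosniff missing")
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is acceptable.
    csp = " ".join(get("content-security-policy")).lower()
    if not get("x-frame-options") and "frame-ancestors" not in csp:
        findings.append("framing: neither x-frame-options nor CSP frame-ancestors set")
    # Session cookies without Secure/HttpOnly can leak over HTTP or to script.
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0]
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append(f"set-cookie {name}: missing {', '.join(missing)}")
    # Directory listing: Apache and nginx autoindex pages carry this title.
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("body: directory listing enabled")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(resp) or 'no findings'}")
```

The weak response produces seven findings across the web-server layer (banner, directory listing) and the application layer (cookie flags, missing headers); the hardened one produces none. Point the same parser at a real capture from your own systems and re-run it on a schedule, which is the “dynamically tested periodically” step in practice.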

Any questions?
You can find me at
◉ @jasonjfrank
◉ Slides posted at: http://www.slideshare.net/jasonjfrank

Thanks!
