Exploitation of Injection and XSS


Upload: kim-carter

Post on 16-Apr-2017


TRANSCRIPT

OWASP Top 10 Vulnerabilities

Let's exploit Injection and XSS

Kim Carter, ANZTB Meetup, Monday 2013-08-26

OWASP is coming to Christchurch

OWASP Day 2013: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013

OWASP Resources

Top 10

Cheat Sheets

Tutorials

Guides

Projects, Tools and Code Libraries

Most common security vulnerabilities found in web apps in 2013

Kali Linux

Free and open source (GNU Linux) OS

Targets professional security auditors and penetration testers

All tools shipped are free and open source

No profit involved

Many of the over 300 security tools are provided as free versions that do the same job as the paid-for versions

Up and Running with Kali Linux

Discuss tools I use very frequently

Firefox Add-Ons

Tamper Data: a very simple proxy, but very easy to use

FoxyProxy: a real time saver

HackBar

XSS Me

SQL Inject Me

Chrome extensions

FoxyProxy

Cookies

Edit this Cookie

Burp suite

There are a large number of training apps and intentionally vulnerable web apps freely available

I've organised three to work through to whet your appetite

I'd encourage you to take them further

What is Injection

An attacker injects (generally malicious) code into a website.

Change the course of execution on related system/s. Gain information. Privilege escalation. Manipulate / destroy stored data. Destroy system/s.

Varieties

Command, SQL, Xpath, Query String

Lots of derivatives of these

Workshop WebGoat

Start here: http://owaspbwa/WebGoat/attack

Injection

Command Injection

Workshop DVWA

Start here: http://owaspbwa/dvwa

Injection

SQL String Injection

Injection Mitigation techniques

Similar techniques to XSS, plus:

Avoid accessing external interpreters

Use well structured parameters

Least privilege

OWASP Prevention Cheat Sheets

Break it!

Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
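To make the "well structured parameters" point above concrete, here is added example code written for this page (not from the deck, DVWA or WebGoat): the same user lookup written with string concatenation, the defect the DVWA SQL String Injection exercise walks through, and then with an allow-list check in front of a parameterised query. The table, the two users, the username pattern and the probe string are all constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the page): an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The defect the DVWA exercise demonstrates: the input is spliced into the SQL
    # text, so a quote in the value ends the literal and the rest is parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the driver passes the value separately from the statement,
    # so it is only ever compared as data and can never change the query's shape.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")  # constructed allow-list for this example


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # "Well structured parameters": reject anything outside the expected shape up
    # front, then run the parameterised query. Both layers, not one or the other.
    if not USERNAME_RE.match(username):
        raise ValueError("username does not match the expected format")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed test input: a quote followed by SQL
    print(lookup_vulnerable(db, probe))      # both rows: the WHERE clause was rewritten
    print(lookup_parameterised(db, probe))   # []: compared as a literal string, no match
    try:
        lookup_safe(db, probe)
    except ValueError as exc:
        print("rejected:", exc)
```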

What is XSS

An attacker injects (generally malicious) code into a website.

When the victim requests the website's code, the attacker's code is executed.

Varieties

File Upload

Reflected (non-persistent)

Stored

Lots of derivatives of these

Workshop Gruyere

Start here: http://google-gruyere.appspot.com/

XSS: http://google-gruyere.appspot.com/part2

File Upload XSS


Reflected XSS

Handy Links:

URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp

ASCII: http://asciitable.com

XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet


Stored XSS


Stored XSS via HTML Attribute


Stored XSS via AJAX

When the user clicks the refresh button, the response looks like:

In the mark-up the snippet looks like:


Reflected XSS via AJAX

XSS Mitigation techniques

Constrain all input fields to well structured data

White-lists for each type of structured data

Sanitise

OWASP Prevention Cheat Sheets

Break it!

Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
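The "constrain, white-list, sanitise" points above, applied to the Gruyere variants covered in the workshop (body text, HTML attribute, reflected URL parameter and AJAX response), as added example code written for this page, not Gruyere's own: one stored value is rendered with the encoding each output context needs. The comment text, the colour field and its allow-list pattern are constructed for the example.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed stored value (not from the page): the kind of text a stored-XSS exercise
# leaves in the database. Store it as typed; encode it for each output context.
STORED_COMMENT = '<script>alert(1)</script> nice post & "thanks"'


def render_body(text: str) -> str:
    # Element content: & < > " ' become entities, so the browser displays the text
    # instead of parsing it as markup (the stored and reflected body cases).
    return "<p>" + html.escape(text, quote=True) + "</p>"


COLOUR_RE = re.compile(r"^[a-z]{1,20}$")  # constructed allow-list for a colour field


def render_attribute(colour: str) -> str:
    # Attribute value (the "via HTML Attribute" case): constrain to well-structured
    # data first, then quote-escape. Out-of-pattern input is rejected, not cleaned.
    if not COLOUR_RE.match(colour):
        raise ValueError("colour must be 1-20 lowercase letters")
    return '<div style="color:' + html.escape(colour, quote=True) + '">'


def render_link(q: str) -> str:
    # Reflected parameter inside a URL inside an attribute: URL-encode for the query
    # string, then attribute-encode the href. Two nested contexts, two encodings.
    href = "/search?q=" + quote(q, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">search</a>'


def render_ajax_json(text: str) -> str:
    # AJAX response (the "via AJAX" cases): JSON-quote the value and replace < > &
    # with \u escapes so the bytes cannot close a <script> block if inlined. The
    # client must still insert the decoded value as text, never as markup.
    out = json.dumps({"comment": text})
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


if __name__ == "__main__":
    print(render_body(STORED_COMMENT))
    print(render_attribute("red"))
    print(render_link("a b<c"))
    print(render_ajax_json(STORED_COMMENT))
```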

Extra Resources

Sanitising User Input

http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/

http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/

Write-up on Kali Linux: http://pentestmag.com/

Tool junkie? Check out this collection: http://www.softwareqatest.com/qatweb1.html

Deliberate Insecure Targets and Training Platforms that I've screened.

Hacking Lab: https://www.hacking-lab.com/

Nebula: http://exploit-exercises.com/

Gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from the web

Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
- VMware and VirtualBox versions. Looks like quite a bit of documentation. Actively maintained.
- Vulnerable targets:
WebGoat
Gruyere
Damn Vulnerable Web App. http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken


w3af test website:
https://github.com/andresriancho/w3af-moth
VMware image
http://www.bonsai-sec.com/en/research/moth.php
Various other unmaintained websites

Damn Vulnerable Web Application (DVWA)
http://dvwa.co.uk/
Not sure where the documentation is? Maybe embedded in the download?

Acunetix 1: http://testphp.vulnweb.com/ These three are online.

Acunetix 2: http://testasp.vulnweb.com/

Acunetix 3: http://testaspnet.vulnweb.com/

Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Easy to follow. Geared towards Classroom Environment.


WebGoat

- Platform: J2EE web application
- Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
- Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation on a production network with little worry.
- Howto's: http://webappsecmovies.sourceforge.net/webgoat/
- Setting up on non-localhost: https://code.google.com/p/webgoat/wiki/FAQ

OWASP Broken Web Applications project:

- https://code.google.com/p/owaspbwa/wiki/UserGuide
- This has a great selection of training apps along with intentionally vulnerable apps.
- It contains a lot of the apps already discussed.