exploitation of injection and xss
OWASP Top 10 Vulnerabilities
Let's exploit Injection and XSS
Kim Carter ANZTB Monday 2013-08-26 Meetup
OWASP is coming to Christchurch
OWASP Day 2013: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013
OWASP Resources
Top 10
Cheat Sheets
Tutorials
Guides
Projects, Tools and Code Libraries
Most common security vulnerabilities found in web apps in 2013
Kali Linux
Free and open source (GNU Linux) OS
Targets professional security auditors and penetration testers
All tools shipped are free and open source
No profit involved
Many of the over 300 security tools are free versions that do the same job as the paid-for versions
Up and Running with Kali Linux
Discuss tools I use very frequently
Firefox Add-Ons
Tamper Data: a very simple proxy, but very easy to use
FoxyProxy: a real time saver
HackBar
XSS Me
SQL Inject Me
Chrome extensions
FoxyProxy
Cookies
Edit this Cookie
Burp suite
There are a large number of training apps and intentionally vulnerable web apps freely available
I've organised three to work through to whet your appetite
I'd encourage you to take them further
What is Injection
Attacker injects (generally malicious) code into a website, which is then passed to an interpreter (shell, database, XPath engine) as part of a command or query.
Possible outcomes:
Change the course of execution on related system/s
Gain information
Privilege escalation
Manipulate / destroy stored data
Destroy system/s
Varieties
Command, SQL, XPath, query string
Lots of derivatives of these
Workshop WebGoat
Start here: http://owaspbwa/WebGoat/attack
Injection
Command Injection
Workshop DVWA
Start here: http://owaspbwa/dvwa
Injection
SQL String Injection
Injection Mitigation techniques
Similar techniques to XSS, plus:
Avoid accessing external interpreters
Use well structured parameters
Least privilege
OWASP Prevention Cheat Sheets
Break it!
Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection
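To show what "use well structured parameters" and "avoid accessing external interpreters" mean in code, here is an added example (not from the slides, WebGoat or DVWA): an in-memory SQLite lookup built by string concatenation next to the same lookup with a bound parameter, and a whitelist-checked argv builder that keeps a host name out of any shell. The user table, the whitelist regex and the `ping` command line are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data; not from any of the workshop apps.
USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]
# Assumed whitelist for a user name or host field: alphanumerics, dot, dash,
# underscore, and no leading dash so the value can never be read as an option.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input is parsed as part of the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Bound parameter: the input reaches SQLite as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def ping_argv(host):
    """Whitelist the field, then build an argv list so no shell ever parses it.
    Use subprocess.run(ping_argv(host)), never os.system("ping " + host)."""
    if not NAME_RE.match(host):
        raise ValueError("host contains characters outside the whitelist")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the tautology used in the DVWA SQL exercise
    print(lookup_vulnerable(db, probe))     # every user is returned
    print(lookup_parameterised(db, probe))  # [] - no user has that literal name
    print(ping_argv("example.com"))         # ['ping', '-c', '1', 'example.com']
```

Least privilege is the remaining layer: the account the web app connects with should only be able to SELECT from the tables it needs, so even a lookup that does get injected cannot alter or drop data.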
What is XSS
Attacker injects (generally malicious) script into a website.
When the victim requests the website, the attacker's script is executed in the victim's browser.
Varieties
File Upload
Reflected (non-persistent)
Stored
Lots of derivatives of these
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
File Upload XSS
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS
Handy Links:
URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp
ASCII: http://asciitable.com
XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via HTML Attribute
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Stored XSS via AJAX
When the user clicks the refresh button, the response looks like:
In the mark-up, the snippet looks like:
Workshop Gruyere
Start here: http://google-gruyere.appspot.com/
XSS: http://google-gruyere.appspot.com/part2
Reflected XSS via AJAX
XSS Mitigation techniques
Constrain all input fields to well structured data
White-lists for each type of structured data
Sanitise
OWASP Prevention Cheat Sheets
Break it!
Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
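Added example (not code from the slides or from Gruyere) showing the three mitigation bullets as server-side code: a whitelist for a structured field, output encoding chosen by the context the value lands in (HTML body, HTML attribute, and JSON for an AJAX response or inline script, the three contexts the Gruyere stored-XSS exercises cover), and a renderer that applies them. The username rule and the sample profile strings are constructed for the demonstration.

```python
import html
import json
import re

# Assumed whitelist for a structured field such as a user name (not Gruyere's rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Structured data gets a whitelist, not an escape: reject anything else."""
    if not USERNAME_RE.match(value):
        raise ValueError("username outside whitelist")
    return value


def for_html_text(value):
    """HTML body context: &, <, >, double and single quotes become entities."""
    return html.escape(value, quote=True)


def for_html_attr(value):
    """Attribute context: escape, and always emit the surrounding quotes yourself
    so a stray space in the value cannot start a new attribute."""
    return '"' + html.escape(value, quote=True) + '"'


def for_script_json(obj):
    """Data for an AJAX response or an inline <script>: JSON-encode, then make sure
    the text can never close the script element or break a JS string literal."""
    out = json.dumps(obj)
    return (out.replace("</", "<\\/")
               .replace("\u2028", "\\u2028")
               .replace("\u2029", "\\u2029"))


def render_profile(username, bio):
    """Username lands in an attribute, free-text bio in the body; each is encoded
    for its own context. Browser code that inserts AJAX data must then use
    textContent rather than innerHTML, or the server-side work is undone."""
    validate_username(username)
    return "<div data-user=" + for_html_attr(username) + ">" + for_html_text(bio) + "</div>"


if __name__ == "__main__":
    # Constructed sample input: the basic probe from the filter-evasion cheat sheet.
    print(render_profile("kim", '<script>alert("xss")</script>'))
    print(for_script_json({"bio": "</script><script>alert(1)</script>"}))
```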
Extra Resources
Sanitising User Input:
http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/
http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/
Write-up on Kali Linux: http://pentestmag.com/
Tool junkie? Check out this collection: http://www.softwareqatest.com/qatweb1.html
Deliberate Insecure Targets and Training Platforms that I've screened.
Hacking Lab: https://www.hacking-lab.com/
Nebula: http://exploit-exercises.com/
Gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from the web
Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/
- VMware and VirtualBox versions. Looks like quite a bit of documentation. Actively maintained.
- Vulnerable targets: WebGoat, Gruyere, Damn Vulnerable Web App.
- http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken
Deliberate Insecure Targets and Training Platforms that I've screened.
w3af test website: https://github.com/andresriancho/w3af-moth
VMware image: http://www.bonsai-sec.com/en/research/moth.php
Various other unmaintained websites
Damn Vulnerable Web Application (DVWA): http://dvwa.co.uk/
Not sure where the documentation is? Maybe embedded in the download?
Acunetix 1: http://testphp.vulnweb.com/
Acunetix 2: http://testasp.vulnweb.com/
Acunetix 3: http://testaspnet.vulnweb.com/
These three are online.
Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Easy to follow. Geared towards a classroom environment.
Deliberate Insecure Targets and Training Platforms that I've screened.
WebGoat
- Platform: J2EE web application
- Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
- Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation on a production network with little worry.
- How-tos: http://webappsecmovies.sourceforge.net/webgoat/
- Setting up on non-localhost: https://code.google.com/p/webgoat/wiki/FAQ
OWASP Broken Web Applications project:
- https://code.google.com/p/owaspbwa/wiki/UserGuide
- This has a great selection of training apps along with intentionally vulnerable apps.
- It contains a lot of the apps already discussed.