1. OWASP Top 10 Vulnerabilities Lets exploit Injection and XSS Kim Carter ANZTB Monday 2013-08-26 Meetup

2. OWASP is coming to Christchurch OWASP Day 2013 https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013 OWASP Resources Top 10 Cheat Sheets Tutorials Guides Projects, Tools and Code Libraries 3. Most common security vulnerabilities found in web apps in 2013 4. Kali Linux Free and open source (GNU Linux) OS Targets professional security auditors and penetration testers All tools shipped are free and open source No profit involved Many of the over 300 security tools have been provided as free versions that do the same job as the paid for versions Up and Running with Kali Linux 5. Discuss tools I use very frequently FireFox Add-Ons Tamper Data. Very simple proxy, but very easy to use Foxy proxy : a real time saver HackBar XSS Me SQL Inject Me Chrome extensions FoxyProxy Cookies Edit this Cookie Burp suite 6. There are a large number of training apps and intentionally vulnerable web apps freely available I've organised three to work through to wet your appetite I'd encourage you to take them further 7. What is Injection 1.Attacker Injects (generally malicious) code into website. 2.Change the course of execution on related system/s. Gain information. Privilege escalation. Manipulate / destroy stored data. Destroy system/s. Varieties Command, SQL, Xpath, Query String Lots of derivatives of these 8. Workshop WebGoat Start here: http://owaspbwa/WebGoat/attack Injection Command Injection 9. Workshop DVWA Start here: http://owaspbwa/dvwa Injection SQL String Injection 10. Injection Mitigation techniques Similar techniques to XSS + Avoid accessing external interpreters Use well structured parameters Least privilege OWASP Prevention Cheat Sheets Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 11. What is XSS 1.Attacker Injects (generally malicious) code into website. 2.When victim requests website code, attackers code is executed. Varieties File Upload Reflected (non-persistent) Stored Lots of derivatives of these 12. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 File Upload XSS 13. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Reflected XSS Handy Links: URL Encodings: http://www.w3schools.com/tags/ref_urlencode.asp ASCII: http://asciitable.com XSS Strings: https://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet 14. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS 15. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS via HTML Attribute 16. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Stored XSS via AJAX 17. When the user clicks refresh button, response looks like In the mark-up the snippet looks like: 18. Workshop Gruyere Start here: http://google-gruyere.appspot.com/ XSS: http://google-gruyere.appspot.com/part2 Reflected XSS via AJAX 19. XSS Mitigation techniques Constrain all input fields to well structured data White-lists for each type of structured data Sanitise OWASP Prevention Cheat Sheets Break it! Further details found here: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) 20. Extra Resources Sanitising User Input http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-p http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-p Write-up on Kali Linux http://pentestmag.com/ Tool junky? Check out this collection http://www.softwareqatest.com/qatweb1.html 21. Deliberate Insecure Targets and Training Platforms that I've screened. Hacking Lab: https://www.hacking-lab.com/ Nebula: http://exploit-exercises.com/ gruyere: http://google-gruyere.appspot.com/ Can run locally, but best to run from web Web Security Dojo: https://www.mavensecurity.com/web_security_dojo/ - VMware and Virtual Box versions. Looks like quite a bit of documentation. Actively maintained. - Vulnerable targets: WebGoat Gruyere Damn Vulnerable Web App. http://sourceforge.net/p/websecuritydojo/bugs/ says database setup is broken 22. Deliberate Insecure Targets and Training Platforms that I've screened. w3af test website: https://github.com/andresriancho/w3af-moth VMware image http://www.bonsai-sec.com/en/research/moth.php Various other unmaintained websites Dam Vulnerable Web Application (DVWA) http://dvwa.co.uk/ Not sure where the documentation is? Maybe embedded in the download? Acunetix 1: http://testphp.vulnweb.com/ These three are online. Acunetix 2: http://testasp.vulnweb.com/ Acunetix 3: http://testaspnet.vulnweb.com/ Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-delibera Easy to follow. Geared towards Classroom Environment. 23. Deliberate Insecure Targets and Training Platforms that I've screened. WebGoat -Platform: J2EE web application -Install: Self contained Tomcat server you can run from a directory under Windows or Linux -Notes: Love the fact it's so self contained and easy to run. By default it only listens on the loop-back address, so you can run it from your workstation a production network with little worries. -Howto's: http://webappsecmovies.sourceforge.net/webgoat/ -Setting up on non localhost: https://code.google.com/p/webgoat/wiki/FAQ OWASP Broken Web Applications project: -https://code.google.com/p/owaspbwa/wiki/UserGuide This has a great selection of training apps along with intentionally vulnerable apps. -It contains a lot of the apps already discussed.