security testing for developers (realdolmen brains session)


Upload: realdolmen

Posted on 11-May-2015


DESCRIPTION

RealDolmen Brains session about web application security.

TRANSCRIPT

1. www.realdolmen.com SECURITY TESTING FOR DEVELOPERS (APRIL 10, 2013 | SLIDE 1)
2. ABOUT US
   - Sam Theys, software engineer & CEH: security, hacking ([email protected])
   - Tim Vaes, software engineer: breaking stuff ([email protected])
3. AGENDA
   - Web application security
   - What should we test for
   - How should we test: tools, distros, frameworks
   - Q&A
4. You don't have to switch off your smartphone. Just mute it and use #realdolmen
5. WEB APPLICATION SECURITY: Why is it important? Really..
6. ICT IN OUR DAILY LIFE: dinner reservations, bank transactions, booking hotels, grocery shopping, ...
7. ICT IN OUR DAILY LIFE
8. ICT IN OUR DAILY LIFE
9. ATTACKS IN OUR DAILY LIFE
10. WHY DO THEY DO IT
   - Disgruntled employee
   - Gain competitive advantage
   - Sponsored by government
   - Malicious deed, wreck stuff
   - For the kicks, shiny treasure, because they can
11. WEB APPLICATION SECURITY: So, why is it important???
12. MYTH: "We are secure because we have a firewall." 75% of Internet vulnerabilities are at the web application layer.
13. (slide without text)
14. What should we test for? OWASP TOP 10!
15. Open Web Application Security Project
   - Non-profit
   - Advocates appsec in different dimensions: people, process, technology
   - Community: corporations, education organizations, individuals from around the world
16. OWASP TOP 10
   - Based on risk data from 4 consulting companies and 4 tool vendors
   - Data spans 500 000 vulnerabilities across organisations and applications
   - Data is prioritized by exploitability, detectability and impact estimates
17. OWASP TOP 10
18. OWASP TOP 10
   - A1 Injection
   - A2 Broken Authentication and Session Management
   - A3 Cross-Site Scripting (XSS)
   - A4 Insecure Direct Object References
   - A5 Security Misconfiguration
   - A6 Sensitive Data Exposure
   - A7 Missing Function Level Access Control
   - A8 Cross-Site Request Forgery (CSRF)
   - A9 Using Components with Known Vulnerabilities
   - A10 Unvalidated Redirects and Forwards
19. A1 SQL INJECTION HALL OF SHAME
   - Sony Pictures (2011): 1 million user credentials
   - FBI/NASA (2012): 1.6 million user credentials
   - Yahoo (2012): 450 000 plain text passwords
   - LinkedIn (2012): 6.5 million password hashes
20. A1 - INJECTION
21. A1 - INJECTION DEMO
22. A1 - WHAT DID WE LEARN
   - Avoid string concatenation
   - Use parameterized queries
   - Perform input validation (whitelisting)
   - Use the least privilege principle
   - Install a web application firewall
   - Install a database firewall
23. OWASP Top 10 (overview repeated, see slide 18)
24. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT
25. A2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT DEMO
26. A2 - WHAT DID WE LEARN
   - Session IDs must be: strong and unique; rotated; expiring; protected
   - Review complex authentication mechanisms
   - 2-factor authentication
   - Protect credentials with strong hashing
   - Protect session cookies: Secure, HttpOnly
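The A1 slides above (22) list the fix without showing it. The following is an added example, not code from the RealDolmen session: the string-concatenation bug the demo relies on next to its parameterized form, plus a whitelist validator, run against an in-memory SQLite table with constructed sample rows. The table, column and username rules are assumptions for the example.

```python
# Added example: SQL injection via string concatenation beside the parameterized fix.
import re
import sqlite3

# Constructed sample data for the example.
SAMPLE_USERS = [
    ("alice", "alice-secret-hash"),
    ("bob", "bob-secret-hash"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable (the "before" of the slide): the username is pasted
    # into the query text, so a value such as  ' OR '1'='1  rewrites the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the SQL text and can
    # only ever be compared against the column, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


# Assumed username policy: lowercase letters, digits and underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(username: str) -> bool:
    # Whitelist validation is defence in depth, not a substitute for parameters:
    # it rejects anything that is not a plausible username before it reaches the DB.
    return USERNAME_RE.fullmatch(username) is not None


def lookup(con: sqlite3.Connection, username: str) -> list:
    # The combination the slide recommends: whitelist first, then a parameterized query.
    if not validate_username(username):
        return []
    return find_user_safe(con, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, "' OR '1'='1"))   # every row
    print("parameterized:", find_user_safe(db, "' OR '1'='1"))     # no row
```

Least privilege, the fourth bullet, is applied outside this code: the account the application connects with should hold SELECT on `users` and nothing else, so that even a successful injection cannot read other tables or write.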
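For the A2 advice on slide 26, here is an added example (not the presenters' code) of a minimal server-side session store: IDs drawn from the OS CSPRNG, rotation at login, idle expiry, a `Set-Cookie` value carrying the `Secure` and `HttpOnly` flags, and salted iterated password hashing with a constant-time compare. The cookie name, timeout and PBKDF2 round count are assumptions.

```python
# Added example: session handling and credential storage per the A2 slide.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL_SECONDS = 15 * 60      # assumed idle timeout
COOKIE_NAME = "SESSIONID"          # assumed cookie name
PBKDF2_ROUNDS = 200_000            # assumed work factor


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes, URL-safe base64: strong and unique, unlike sequential
        # or timestamp-derived IDs that an attacker can predict.
        return secrets.token_urlsafe(32)

    def create(self, user: Optional[str] = None) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > SESSION_TTL_SECONDS:
            del self._sessions[sid]          # expire idle sessions server-side
            return None
        s.last_seen = self._clock()
        return s

    def login(self, old_sid: str, user: str) -> str:
        # Rotate: a brand-new ID at privilege change, so an ID an attacker planted
        # before login (session fixation) never becomes an authenticated session.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: sent only over HTTPS. HttpOnly: not readable from JavaScript, which
    # blunts session theft through XSS. Path and Max-Age keep it scoped and bounded.
    return (f"{COOKIE_NAME}={sid}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "Secure; HttpOnly")


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> Tuple[bytes, bytes]:
    # Salted, iterated hash (PBKDF2-HMAC-SHA256). A single unsalted hash of the
    # password is cracked offline at billions of guesses per second.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    rounds: int = PBKDF2_ROUNDS) -> bool:
    _, digest = hash_password(password, salt, rounds)
    return hmac.compare_digest(digest, expected)   # constant-time comparison
```

The store is keyed only by the random ID; nothing about the user is encoded in the cookie, so there is nothing for a client to tamper with. The test clock is injected so expiry can be exercised without sleeping.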
27. OWASP Top 10 (overview repeated, see slide 18)
28. A3 - CROSS SITE SCRIPTING (XSS)
29. A3 - CROSS SITE SCRIPTING (XSS)
30. A3 - CROSS SITE SCRIPTING (XSS) DEMO
31. A3 - WHAT DID WE LEARN
   - Use input validation: always validate on the server side; use whitelists instead of blacklists
   - Perform output encoding
   - Use 1 character set
   - Sandbox 3rd party content
32. A3 - WHAT DID WE LEARN
33. A3 - WHAT DID WE LEARN
34. OWASP Top 10 (overview repeated, see slide 18)
35. A4 - INSECURE DIRECT OBJECT REFERENCES
36. A4 - INSECURE DIRECT OBJECT REFERENCES
37. A4 - WHAT DID WE LEARN: ACCESS CONTROL
38. OWASP Top 10 (overview repeated, see slide 18)
39. A5 - SECURITY MISCONFIGURATIONS
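The A3 slides (31) say "perform output encoding" without showing that the encoding depends on where in the page the value lands. As an added example (not from the session), the reflected render below is the bug; the encoders cover HTML body, attribute, URL component and a JavaScript string literal, and the whitelist validator is the server-side input check. The page fragments and name policy are constructed for the example.

```python
# Added example: context-aware output encoding beside a reflected-XSS render.
import html
import json
import re
from urllib.parse import quote


def render_vulnerable(name: str) -> str:
    # Reflects user input straight into the page: a <script> in `name` executes.
    return "<p>Hello " + name + "</p>"


def encode_html_body(value: str) -> str:
    # Element content: & < > " ' become entities.
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    # Attribute value: same entity encoding; the template must also quote the attribute,
    # otherwise a space is enough to start a new attribute such as onmouseover=.
    return html.escape(value, quote=True)


def encode_url_component(value: str) -> str:
    # Query-string value: percent-encode everything except unreserved characters.
    return quote(value, safe="")


def encode_js_string(value: str) -> str:
    # Inside a <script> block: JSON-encode, then escape < > & as \uXXXX so the HTML
    # parser can never see a closing </script> or a <!-- inside the string literal.
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_safe(name: str) -> str:
    # The same user value placed in four contexts, each with its own encoder.
    return (
        f"<p>Hello {encode_html_body(name)}</p>"
        f'<a href="/profile?user={encode_url_component(name)}">profile</a>'
        f'<input value="{encode_html_attr(name)}">'
        f"<script>var user = {encode_js_string(name)};</script>"
    )


# Assumed display-name policy: letters, digits, space, apostrophe, hyphen, max 50.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 '\-]{0,49}$")


def validate_name(name: str) -> bool:
    # Server-side whitelist validation narrows what gets stored; output encoding is
    # still required for what passes (O'Brien contains a quote character).
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload))
```

Encoding at output time, per context, is what makes the page safe regardless of where the data came from; validation only reduces how much hostile data reaches that point.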
40. A5 - WHAT DID WE LEARN
   - Hide information about your stack
   - Disable default credentials
   - Disable directory listing
   - Understand security configuration and libraries
   - Delete unused pages
   - Don't show stack traces
   - ...
41. (slide without text)
42. OWASP Top 10 (overview repeated, see slide 18)
43. A6 - SENSITIVE DATA EXPOSURE
44. A6 - SENSITIVE DATA EXPOSURE DEMO
45. A6 - WHAT DID WE LEARN
   - Remove developer comments: database info, user/login info
   - Customize error pages to hide information about: application server, web server, stack traces, any user information (credit card numbers, passwords, social security numbers)
46. OWASP Top 10 (overview repeated, see slide 18)
47. A7 - MISSING FUNCTION LEVEL ACCESS CONTROL
48. A7 - MISSING FUNCTION LEVEL ACCESS CONTROL DEMO
49. A7 - MISSING FUNCTION LEVEL ACCESS CONTROL
50. A7 - WHAT DID WE LEARN
   - Use server side validation
   - Use the least privilege principle
   - Deny all access by default
   - Access controls should fail safely
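Slide 37 (A4) reduces to one word, "access control", and slide 50 (A7) lists its properties: server-side, least privilege, deny by default, fail safely. One added example covers both (it is not the presenters' code): a function-level policy table in which anything unlisted is denied, an object-level owner check for the direct object reference in the URL, and a guard that turns an unexpected error in a handler into a denial rather than a grant. Roles, actions and the invoice table are assumptions.

```python
# Added example: deny-by-default function-level and object-level authorization.
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class User:
    id: int
    role: str            # assumed roles: "user" or "admin"


# Constructed sample data: invoice id -> record with its owner.
INVOICES: Dict[int, dict] = {
    100: {"owner": 1, "amount": 42},
    101: {"owner": 2, "amount": 99},
}


class Forbidden(Exception):
    pass


# Function-level policy (A7): which roles may invoke which server-side action.
# An action missing from this table is denied for everyone.
FUNCTION_ACL: Dict[str, Set[str]] = {
    "invoice.view": {"user", "admin"},
    "invoice.delete": {"admin"},
}


def is_allowed(user: User, action: str) -> bool:
    return user.role in FUNCTION_ACL.get(action, set())


def authorize_object(user: User, invoice_id: int) -> dict:
    # Object-level check (A4): the id came from the client, so the server verifies
    # ownership instead of trusting that the UI only offered the user's own ids.
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != user.id and user.role != "admin"):
        # Same answer for "missing" and "someone else's": no enumeration oracle.
        raise Forbidden(f"invoice {invoice_id}")
    return inv


def guarded(action: str):
    # Decorator: function-level check before the handler runs, and any unexpected
    # exception inside the handler becomes a denial (fail safely, never open).
    def wrap(handler: Callable):
        def inner(user: User, *args):
            if not is_allowed(user, action):
                raise Forbidden(action)
            try:
                return handler(user, *args)
            except Forbidden:
                raise
            except Exception as exc:      # a bug in the handler must not grant access
                raise Forbidden(f"{action}: {exc!r}")
        inner.__name__ = handler.__name__
        return inner
    return wrap


@guarded("invoice.view")
def view_invoice(user: User, invoice_id: int) -> int:
    return authorize_object(user, invoice_id)["amount"]


@guarded("invoice.delete")
def delete_invoice(user: User, invoice_id: int) -> bool:
    authorize_object(user, invoice_id)
    del INVOICES[invoice_id]
    return True


@guarded("report.export")          # not in FUNCTION_ACL: denied for every role
def export_report(user: User) -> str:
    return "report"


if __name__ == "__main__":
    alice = User(1, "user")
    print(view_invoice(alice, 100))           # 42, alice owns it
    try:
        view_invoice(alice, 101)              # bob's invoice: Forbidden
    except Forbidden as e:
        print("denied:", e)
```

Hiding the delete button for non-admins, the mistake the A7 demo is built around, is replaced here by a server-side table that the client cannot bypass by crafting the request by hand.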
51. OWASP Top 10 (overview repeated, see slide 18)
52. A8 - CROSS SITE REQUEST FORGERY
53. A8 - CROSS SITE REQUEST FORGERY DEMO
54. A8 - WHAT DID WE LEARN
55. A8 - WHAT DID WE LEARN
56. A8 - WHAT DID WE LEARN
57. QUICKY - WHAT IS THIS? CLICKJACKING
58. OWASP Top 10 (overview repeated, see slide 18)
59. A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
60. A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
61. A9 - WHAT DID WE LEARN
   - Review CVE/exploit databases: http://nvd.nist.gov/ , http://www.cvedetails.com/ , http://www.exploit-db.com/
   - Subscribe to mailing lists and RSS feeds
62. OWASP Top 10 (overview repeated, see slide 18)
63. A10 - UNVALIDATED REDIRECTS AND FORWARDS
64. A10 - UNVALIDATED REDIRECTS AND FORWARDS
65. A10 - UNVALIDATED REDIRECTS AND FORWARDS
   http://www.evil.com
   http://ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.evil.com
66. A10 - UNVALIDATED REDIRECTS AND FORWARDS DEMO
67. A10 - WHAT DID WE LEARN
   - Avoid redirects and forwards
   - Avoid user parameters for redirection
   - Validate forwards and redirects
   - Respect application boundaries
   - Use whitelists
68. HOW SHOULD WE TEST? How could you test your security?
69. TOOLS
   - Operating system: shell scripts, Python scripts
   - Browser: Chrome Developer Tools; Firefox extensions: FireBug, FoxyProxy, Tamper Data, Cookies Manager+, Hackbar
70. DISTRIBUTIONS
   - Backtrack: network testing, web application testing, hardware testing, password cracking, reverse engineering
   - Santoku: mobile testing, mobile forensics, Android and iOS
   - SamuraiWTF: web application testing
71. SAMURAIWTF
72. SAMURAIWTF: live testing environment, based on Ubuntu, packed with tools, extensions and scripts: port scanners, web application scanners, exploitation tools, ...
73. SAMURAIWTF: METHODOLOGY
   - Recon: gain external information
   - Mapping: learn about the application, determine attack vectors
   - Discovery: find vulnerabilities
   - Exploitation: get in, take control
74. SAMURAIWTF: METHODOLOGY - "5 minutes or 5 attempts": 5 minutes for easy tests with little setup time, 5 attempts for complex tests with long setup time
75. FRAMEWORKS
   - Burp Suite: commercial, free edition available, made for professional pentesters
   - OWASP ZAProxy: open source (Java), active community, made for developers
   - w3af: open source (Python), new stable version, easy to use and extend
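The A10 slides (65-67) show the eBay `DomainUrl=http://www.evil.com` pattern and say "use whitelists". As an added example (not from the session), the validator below accepts only absolute paths inside the application or absolute URLs whose host is on a whitelist, and falls back to a fixed target for everything else, including the protocol-relative, backslash and `user@host` forms that slip past naive prefix checks. The host list and default target are assumptions.

```python
# Added example: whitelist validation of a redirect target taken from a parameter.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"shop.example", "help.example"}   # assumed whitelist
DEFAULT_TARGET = "/"                                # where we go when the value is rejected


def safe_redirect_target(raw: str) -> str:
    # Returns a URL the application may redirect to, or DEFAULT_TARGET when `raw`
    # would leave the application boundary. The raw value is never returned as-is.
    if not raw or len(raw) > 2048:
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes; normalise before parsing so that
    # "/\evil.com" is not mistaken for a local path.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path inside the app. urlsplit already
        # turned "//host/..." into a netloc, so this branch never sees one.
        path = parts.path
        if not path.startswith("/"):
            return DEFAULT_TARGET
        return urlunsplit(("", "", path, parts.query, ""))

    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET          # javascript:, data:, and other schemes

    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET          # e.g. DomainUrl=http://www.evil.com
    # Rebuild the URL from validated pieces rather than echoing the input.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for value in ("/account?tab=orders", "http://www.evil.com", "//evil.com/x",
                  "http://shop.example@evil.com/", "javascript:alert(1)"):
        print(f"{value!r:40} -> {safe_redirect_target(value)}")
```

Rebuilding the target from parsed parts, rather than returning the input once it "looks fine", is what makes the whitelist hold: the only strings that can reach `Location:` are the ones this function composed.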
76. SAMURAIWTF: BURP SUITE - features: configure scope; scan actively and passively; perform fuzzing attacks; perform brute-force attacks; test randomness of session tokens
77. SAMURAIWTF: ZAPROXY - features: modify request/response; scan actively and passively; spider applications; perform fuzzing attacks; perform DirBuster attacks; supports HTTP sessions, WebSockets, smart cards, Ajax
78. SAMURAIWTF - ZED ATTACK PROXY
79. SAMURAIWTF: W3AF
80. SAMURAIWTF: W3AF - features: easy to extend; written in Python; targets specific vulnerabilities; contains more than 130 plugins
81. SAMURAIWTF: W3AF - how it works: identify all links, forms and query string parameters; send specially crafted input; analyze output; generate report
82. W3AF
83-87. SAMURAIWTF: W3AF (slides without text)
88. SECURE SOCKETS LAYER (SSL)
89. SECURE SOCKETS LAYER (SSL)
90. SSL == SECURE? Avoid insecure protocols; disable weak ciphers; prevent man-in-the-middle attacks
91. TESTING SSL
92. WHAT YOU SHOULD KNOW: defending is hard; attacking is not hard; don't trust any data; all users are evil
93. SUMMARY: lots of free tools available; only scratched the surface; tooling is where it begins; knowledge expands tools; educate your developers
94. HIRE US! Security audit; security consultancy & advice; security training
95. QUESTIONS NOW? SHOOT!
96. QUESTIONS LATER: facebook.com/realdolmen, twitter.com/realdolmentweet, youtube.com/realdolmen, linkedin.com/realdolmen, blogs.realdolmen.com, blogs.realdolmen.com/experts
97. For more information: visit our website WWW.REALDOLMEN.COM (or scan the QR code). Selected presentations are available online. THANK YOU
98. EXTRA: SAMURAIWTF INSTALLATION
   - Prerequisites: VirtualBox (or any other hypervisor) https://www.virtualbox.org/wiki/Downloads ; SamuraiWTF live CD http://sourceforge.net/projects/samurai/
   - VM recommendations: 1 CPU, 2048 MB RAM, 20 GB HD
   - Installation: boot the live CD; install by using the file on the desktop; reboot & eject the live CD
99. EXTRA: SAMURAIWTF INSTALLATION - update SamuraiWTF before using. Open a terminal and run:
   sudo su
   mkdir svn
   cd svn
   svn co http://svn.code.sf.net/p/samurai/code/trunk samurai
   cd samurai
   ./fix.sh
100. EXTRA: BEEF - Browser Exploitation Framework, "XSS exploitation on steroids". Features: keylogging; information gathering on clients; exploiting internal services; man-in-the-browser attacks
101. EXTRA: BEEF - Source: http://securitybyte.org/resources/2011/presentations/beef-presentation.pdf