Didzis Balodis - Web application security – war stories from real penetration testing engagements
0 likes512 views
The document discusses the importance of web application security, highlighting the increase in vulnerability to injection attacks such as SQL injection and cross-site scripting. It includes insights from the author's extensive experience in IT security, particularly in penetration testing and security audits over a decade. The document emphasizes proactive security measures and provides examples of vulnerabilities, consequences of security breaches, and the necessity of proper testing and reporting practices.
Didzis Balodis - Web application security – war stories from real penetration testing engagements
- 1. Web application security – war stories from real penetration testing engagements Didzis Balodis, CISSP, GPEN Lead of security and infrastrucure division
- 2. Contents
- 3. Didzis Balodis • Lead of DPA Securituy and Infrastructure division • More than 10 years in IT (from year 1999) • System administration, development, security • Last 5 years – IT consulting, audits, security, penetration testing (more than 50 engagements) • Hobby - wifi hacking • Certifications: • CISSP- Certified Information System Security Professional • GPEN – GIAC Certified Penetration Tester
- 4. DPA security portfolio IT audit and security testing: Network pentests Wireless network assessment Web application security testing Social engineering Compliance Security awareness trainings
- 5. Statistics of web aplications contain at least High risk vulnerability
- 6. Injections on the rise ENISA Threat Landscape 2013 report: «....Cross-Site Scripting (XSS), Directory Traversal, SQL injection (SQLi) and Cross-Site Request Forgery (CSRF). ... injection attacks are on sharp rise.»
- 8. OWASP TOP 10 A1- Injection (SQL, LDAP, SMTP, XML...) A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
- 9. Consequences.. Stolen or published client data Leakage of internal company information Loss of reputation Compliance and legal issues (Personal data protection) System downtime Financial losses
- 10. Example 1
- 11. Example 2
- 12. Example 3
- 13. Example 4
- 14. DEMO TIME
- 15. SQLi http://somesystem.lv/ gettextLang=0&usr_login=login KWgn&usr_password=aaa&sendpost=PieslÄgties sistÄmai ' AND (SELECT 4747 FROM (SELECT COUNT(*),CONCAT(0x3a76796a3a, (SELECT (CASE WHEN (4747=4747) THEN 1 ELSE 0 END)), 0x3a787a693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KWgn'='KWgn&usr_password=aaa&sendpost=PieslÄgties sistÄmai
- 16. Insecure upload
- 17. Be proactive To avoid unpleasnt surprise- before someone else will do
- 18. How it is done • Network layer • App layer Identification/ automated tests • Injections • Sessions • Business logic, etc Manual testing • DoS • Report • Re-tests Finalizing
- 19. Recap
- 20. Questions?