HACKING 101 
Henallux, 28th November 2014 
Olivier Houyoux 
Technology Security Architect @ Nitroxis Sprl
SCHEDULE FOR THE DAY 
1. Why are we here? 
2. Real Life Examples 
3. Owasp – Top 10 (2013) 
4. Demo Web Hacking Simulation Walkthrough 
5. Summary 
6. Questions
DO WE NEED WEB APP. SECURITY?
- Well managed infrastructure
- Important data on web applications
- Malware spreading
EXAMPLES 
1. Barack Obama 
2. Maria Sharapova 
3. Samy Kamkar 
4. Kevin Poulsen 
5. …
OPEN WEB APPLICATION SECURITY PROJECT
Make software security visible
- Cheat Sheets, Tutorials, Testing guides…
- Tools (WebGoat, WebScarab, …)
- Library (ESAPI)
- …
OWASP TOP 10 
Broad consensus about what the most critical web 
application security flaws are.
OWASP TOP 10 
OWASP Top 10 - 2013 
A1 - Injection 
A2 - Broken Authentication and Session Management 
A3 - Cross-Site Scripting (XSS) 
A4 - Insecure Direct Object References 
A5 - Security Misconfiguration 
A6 - Sensitive Data Exposure 
A7 - Missing Function Level Access Control 
A8 - Cross-Site Request Forgery (CSRF) 
A9 - Using Known Vulnerable Components 
A10 - Unvalidated Redirects and Forwards
WEBGOAT 
is a deliberately insecure web application designed to 
teach web application security lessons.
A1 – INJECTION
User input injected without checking
- SQL
- LDAP
- Command
- XPATH
- …
A1 – SQL INJECTION EXAMPLE 1
// Untrusted username and password are concatenated straight into the SQL text,
// so a quote in either value changes the structure of the query.
Connection conn = pool.getConnection();
String sql = "select * from user where username='" + username
        + "' and password='" + password + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);
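The slide's login query in its vulnerable and parameterized forms side by side, as an added example rather than the deck's own code. It assumes the H2 JDBC driver is on the classpath for the constructed in-memory table, and keeps the slide's plaintext password comparison only to stay close to the slide (a real application compares salted password hashes).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginQueryDemo {

    // Vulnerable form from the slide: the input becomes part of the SQL text,
    // so a single quote in the input ends the literal and the rest is parsed as SQL.
    static boolean loginConcatenated(Connection conn, String username, String password)
            throws SQLException {
        String sql = "select * from users where username='" + username
                + "' and password='" + password + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the SQL text is fixed at compile time and the values travel
    // as bound parameters, so the database never interprets them as SQL.
    static boolean loginParameterized(Connection conn, String username, String password)
            throws SQLException {
        String sql = "select * from users where username=? and password=?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, username);
            stmt.setString(2, password);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory table (table is named "users" because "user" is a keyword in H2).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("create table users(username varchar(64), password varchar(64))");
                s.execute("insert into users values ('alice', 'correct horse')");
            }
            // Textbook tautology input: closes the password literal and appends an always-true clause.
            String injected = "' or '1'='1";
            // With concatenation the wrong password is rejected but the injected input is not;
            // with the prepared statement the injected input is just a password that does not match.
            System.out.println("concat,   wrong password : " + loginConcatenated(conn, "alice", "nope"));
            System.out.println("concat,   injected input : " + loginConcatenated(conn, "alice", injected));
            System.out.println("prepared, injected input : " + loginParameterized(conn, "alice", injected));
        }
    }
}
```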
A2 – BROKEN AUTHENTICATION
- User / Password
  Brute force attack
- Birthday paradox
- Weak management functions
  Change or recover password
A2 – SESSION MANAGEMENT
1. Session Hijacking
   - Stealing authenticated user's session ID
2. Session Fixation
   - Forcing user's session ID
A2 – SESSION HIJACKING EXAMPLE
A2 – SESSION FIXATION EXAMPLE
public class LoginServlet extends HttpServlet {
    …
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response) {
        String user = request.getParameter("user");
        String pass = request.getParameter("password");
        …
        // Reuses whatever session already exists, so a session ID that was set
        // before login (possibly chosen by an attacker) stays valid after login.
        HttpSession session = request.getSession(true);
        …
    }
    …
}
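One way to close the fixation hole in the slide's servlet, as an added example rather than the deck's fix: the pre-login session is discarded and a new one is created only after the credentials check out. It assumes the javax.servlet 3.x API; the credential check is application-specific, so `authenticate` is a hypothetical hook left to a subclass.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumes the javax.servlet 3.x API. The credential check is left to a subclass
// (hypothetical hook, not part of the deck).
public abstract class FixationSafeLoginServlet extends HttpServlet {

    protected abstract boolean authenticate(String user, String pass);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        String pass = request.getParameter("password");

        if (user == null || pass == null || !authenticate(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any session that existed before authentication: its ID may have been
        // planted by an attacker (fixation) or observed while the user was anonymous.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Create a fresh session only now, so the ID that carries the authenticated
        // state was never known to anyone before login.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);

        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

On Servlet 3.1+ containers, `request.changeSessionId()` after the credential check rotates the ID while keeping session attributes, which is the better choice when pre-login state (a cart, a CSRF token) must survive. The session cookie should also be flagged HttpOnly and Secure so the new ID is harder to steal.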
A3 – CROSS-SITE SCRIPTING (XSS)
Untrusted data sent to the victim's browser without validation and / or escaping.
XSS allows attackers to execute script in the victim's browser to:
- hijack users' sessions,
- redirect the user to a malicious site,
- …
1. Reflected XSS
2. Stored XSS
A3 – XSS EXAMPLE
<form name="update" method="post" action="...">
  <input type="text" value="<%=userBean.getName()%>"/>
</form>
Rendered output when getName() returns who_cares"/><script>...</script> :
<input type="text" value="who_cares"/><script>...</script>"/>
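An added example, not from the deck, of escaping the name before it lands in the attribute so the quote and angle brackets stay data. The `forAttribute` helper is hand-written here to keep the block dependency-free; a real project would call ESAPI's `encoder.encodeForHTMLAttribute()` (the library the deck lists) instead.

```java
public final class HtmlEscape {

    // Escape the characters that can close a quoted attribute value or open a tag.
    // Safe for text placed inside a double- or single-quoted HTML attribute.
    static String forAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The slide's form, rendered either raw (as the slide does) or escaped.
    static String renderForm(String name, boolean escape) {
        String value = escape ? forAttribute(name) : name;
        return "<form name=\"update\" method=\"post\" action=\"...\">\n"
             + "  <input type=\"text\" value=\"" + value + "\"/>\n"
             + "</form>";
    }

    public static void main(String[] args) {
        // Constructed stored value mirroring the slide: closes the attribute, then injects a tag.
        String stored = "who_cares\"/><script>...</script>";
        System.out.println("-- unescaped (as on the slide) --");
        System.out.println(renderForm(stored, false));
        System.out.println("-- escaped: the browser shows the text, runs nothing --");
        System.out.println(renderForm(stored, true));
    }
}
```

This encoding is only correct inside a quoted attribute; unquoted attributes, JavaScript blocks and URLs each need their own encoder. In the JSP itself, `<c:out value="${userBean.name}"/>` (JSTL, escapeXml on by default) replaces the raw `<%= %>` scriptlet.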
A4 – INSECURE DIRECT OBJECT REF.
Reference to internal object like
- file,
- directory,
- database key
without
- access control check,
- other protection.
A4 – DIRECT OBJECT REF. EXAMPLE
// Parameterized, so no SQL injection, but nothing checks that the caller owns the account.
String query = "select * from accounts where account = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, request.getParameter("account"));
ResultSet rs = stmt.executeQuery();
http://foo.com/app/accountInfo?account=notmyaccount
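An added example (not the deck's code) contrasting the slide's lookup, which is safe against injection but lets any logged-in user read any account by changing the parameter, with a lookup that also binds the owner taken from the server-side session. It assumes the H2 JDBC driver for the constructed in-memory accounts table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

public class AccountLookupDemo {

    // Slide's version: parameterized (no SQL injection), but the account id from the
    // request is the only thing that selects the row, so any id works for any user.
    static Optional<Integer> balanceNoOwnerCheck(Connection conn, String account)
            throws SQLException {
        String query = "select balance from accounts where account = ?";
        try (PreparedStatement stmt = conn.prepareStatement(query)) {
            stmt.setString(1, account);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? Optional.of(rs.getInt(1)) : Optional.empty();
            }
        }
    }

    // Hardened: the owner comes from the authenticated session, never from the request,
    // and is part of the lookup, so a foreign account id simply returns nothing.
    static Optional<Integer> balanceForOwner(Connection conn, String account, String sessionUser)
            throws SQLException {
        String query = "select balance from accounts where account = ? and owner = ?";
        try (PreparedStatement stmt = conn.prepareStatement(query)) {
            stmt.setString(1, account);
            stmt.setString(2, sessionUser);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? Optional.of(rs.getInt(1)) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed data; assumes the H2 driver is on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:idor")) {
            try (Statement s = conn.createStatement()) {
                s.execute("create table accounts(account varchar(32), owner varchar(32), balance int)");
                s.execute("insert into accounts values ('myaccount', 'alice', 100), ('notmyaccount', 'bob', 5000)");
            }
            String sessionUser = "alice";        // identity from the authenticated session
            String requested = "notmyaccount";   // the slide's tampered query parameter
            System.out.println("no owner check  : " + balanceNoOwnerCheck(conn, requested));
            System.out.println("with owner check: " + balanceForOwner(conn, requested, sessionUser));
        }
    }
}
```

An empty result should be answered with the same status as a missing account, so the response does not confirm that the foreign id exists.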
A5 – SECURITY MISCONFIGURATION
Secure configuration defined and deployed for the:
- application,
- frameworks,
- application server,
- web server,
- database server,
- platform.
A5 – MISCONFIGURATION EXAMPLE
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container" … />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" … />
    <Connector port="443"
               protocol="org.apache. … .Http11Protocol" … />
  </Service>
</Server>
A6 – SENSITIVE DATA EXPOSURE
Protect sensitive data such as
- credit cards,
- authentication credentials,
- …
Apply extra protection (encryption at rest or in transit) and precautions when exchanged with the browser.
A6 – DATA EXPOSURE EXAMPLE 1 
An application encrypts credit card numbers in a database 
using automatic database encryption. 
However, this means it also decrypts this data 
automatically when retrieved, allowing an SQL injection 
flaw to retrieve credit card numbers in clear text.
A6 – DATA EXPOSURE EXAMPLE 2 
A site simply doesn’t use SSL for all authenticated pages. 
Attacker simply monitors network traffic (like an open 
wireless network), and steals the user’s session cookie.
A7 – MISSING ACCESS CONTROL
Verify function level access:
- before making functionality visible in GUI ✓
- when each function is accessed ✗
A7 – ACCESS CONTROL EXAMPLE
@Stateless
public class OrderBean implements Order {
    public String getDetail(String id) {
        …
    }
    public String approve(String id) {
        …
    }
    …
}
A8 – CROSS-SITE REQUEST FORGERY
1. User authenticates to bank.com
2. User visits forum.com
3. Page contains tag
   <img src=bank.com/transfer.jsp?account=attacker&amount=300000>
4. User's browser makes GET request
   bank.com/transfer.jsp?account=attacker&amount=300000
   without user knowing
A8 – CSRF EXAMPLE 
Nearly everything is susceptible to CSRF, so no need to 
hunt the bug …
A9 – USING VULNERABLE COMPONENTS 
Common Vulnerabilities and Exposures database (https://cve.mitre.org)
A10 – UNVALIDATED REDIRECT
1. Lure the user into clicking a redirect link
   http://www.trusted.com/redirector?to=http://www.evil.com
2. Code does not perform any validation
   String location = (String) request.getParameter("to");
   response.sendRedirect(location);
3. User thinks (s)he's accessing trusted.com but is in fact at evil.com
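An added example (not the deck's code) of validating the "to" parameter before it reaches sendRedirect: only a local path or an http(s) URL on an allow-listed host is accepted, anything else falls back to the home page. ALLOWED_HOSTS and the sample inputs are constructed; the main method runs the validator over inputs a tester would try, including the slide's lure.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class SafeRedirect {

    // Constructed allow-list of hosts this site may redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.trusted.com", "trusted.com");
    private static final String FALLBACK = "/";

    // Resolve the raw "to" parameter into a redirect target: a path on this site,
    // an http(s) URL on an allowed host, or the fallback for everything else.
    static String resolve(String to) {
        if (to == null || to.isEmpty()) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(to);
        } catch (URISyntaxException e) {
            return FALLBACK;   // malformed input, including backslash variants
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // No scheme and no authority: a path on this site. A leading "//" parses
            // as an authority (scheme-relative URL), so it never reaches this branch.
            String path = uri.getRawPath();
            return (path != null && path.startsWith("/")) ? to : FALLBACK;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();   // the real host, after any user@ prefix
        if (scheme == null || host == null) {
            return FALLBACK;           // e.g. "javascript:" URLs or "//host" forms
        }
        boolean webScheme = scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
        boolean allowed = ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        return (webScheme && allowed) ? to : FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two are legitimate, the rest must fall back to "/".
        String[] samples = {
            "/account/overview",
            "https://www.trusted.com/help",
            "http://www.evil.com",                    // the slide's lure
            "//www.evil.com/",                        // scheme-relative
            "https://www.trusted.com@www.evil.com/",  // allowed name in the userinfo part
            "javascript:alert(1)"                     // non-web scheme
        };
        for (String s : samples) {
            System.out.printf("%-42s -> %s%n", s, resolve(s));
        }
    }
}
```

In the servlet this replaces the slide's line with `response.sendRedirect(SafeRedirect.resolve(request.getParameter("to")));`; where the set of destinations is small, mapping a short key to a URL server-side avoids accepting URLs from the client at all.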
SUMMARY 
LAYERS OF DEFENSE IN DEPTH 
Policies, Procedures, Awareness
Physical 
Perimeter 
Internal Network 
Host 
App 
Data
AND NOW …
- bWAPP
- OWASP Top 10
- CWE 25
- Mitigations (SANS, OWASP Cheat Sheets, …)
- Web Services (SOAP & REST)
- Mobile
- And more …
QUESTIONS ?
FOLLOW US ON … 
nitroxis Nitroxis.BE 
@Nitroxis_sprl 
Nitroxis sprl 
Training and Certification for 
information Security 
Professionals
ADD DEPTH TO YOUR INFORMATION SYSTEM 
Olivier Houyoux Technology Security Architect 
Version 1.1 
Date 28/11/2014 
Mail Contact (at) nitroxis.be 
Website www.nitroxis.be