didzis balodis - web application security – war stories from real penetration testing engagements

Web application security – war

stories from real penetration

testing engagements

Didzis Balodis, CISSP, GPEN

Lead of security and infrastrucure division

Contents

Didzis Balodis

• Lead of DPA Securituy and Infrastructure division

• More than 10 years in IT (from year 1999)

• System administration, development, security

• Last 5 years – IT consulting, audits, security, penetration testing (more

than 50 engagements)

• Hobby - wifi hacking

• Certifications:

• CISSP- Certified Information System Security Professional

• GPEN – GIAC Certified Penetration Tester

DPA security portfolio

IT audit and security testing:

Network pentests

Wireless network assessment

Web application security testing

Social engineering

Compliance

Security awareness trainings

Statistics

of web aplications contain at least

High risk vulnerability

Injections on the rise

ENISA Threat Landscape 2013 report:

«....Cross-Site Scripting (XSS), Directory Traversal, SQL injection

(SQLi) and Cross-Site Request Forgery (CSRF).

... injection attacks are on sharp rise.»

It`s easy...

Statistics:

OWASP TOP 10

A1- Injection (SQL, LDAP, SMTP, XML...) A2-Broken Authentication and Session Management

A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References

A5-Security Misconfiguration A6-Sensitive Data Exposure

A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF)

A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards

Consequences..

Stolen or

published client

data

Leakage of internal

company

information

Loss of reputation

Compliance and

legal issues

(Personal data

protection)

System downtime Financial losses

Example 1

Example 2

Example 3

Example 4

DEMO TIME

SQLi

http://somesystem.lv/ gettextLang=0&usr_login=loginKWgn&usr_password=aaa&sendpost=PieslÄgties sistÄmai' AND (SELECT 4747 FROM

(SELECT COUNT(*),CONCAT(0x3a76796a3a,

(SELECT (CASE WHEN (4747=4747) THEN 1 ELSE 0 END)),

0x3a787a693a,FLOOR(RAND(0)*2))x FROM

INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

AND 'KWgn'='KWgn&usr_password=aaa&sendpost=PieslÄgties sistÄmai

Insecure upload

Be proactive

To avoid unpleasnt surprise-

before someone else will do

How it is done

• Network layer

• App layer

Identification/ automated tests

• Injections

• Sessions

• Business logic, etc

Manual testing

• DoS

• Report

• Re-tests

Finalizing

Questions?

didzis balodis - web application security – war stories from real penetration testing engagements

Software

gpen lead of security

dpa security portfolio

crosssite scripting

manual testing dos

sql injection sqli

site request forgery

system administration

a1 injection sql