INTRODUCTION TO SECURITY VULNERABILITIES

Shirish Padalkar, VodQA, Hyderabad, December 2015


ABOUT ME


AGENDA

▫︎ Some vocabulary

▫︎ Introduction to OWASP

▫︎ OWASP top 10

▫︎ Some demos

▫︎ Tools

▫︎ References


VOCABULARY


VULNERABILITY

Vulnerability refers to the inability of a system to withstand the effects of a hostile environment.


In computer security:

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.


EXPLOIT

Exploit means to take advantage of something for one's own end, especially unethically or unjustifiably.


An exploit is a piece of software that takes advantage of a bug or vulnerability in order to cause unintended behaviour to occur on computer software or hardware.


OWASP

▫︎ Open Web Application Security Project

▫︎ Not-for-profit charitable organisation

▫︎ Focused on improving the security of software

▫︎ All materials are available under a FOSS license

▫︎ Currently has over 142 active projects


https://www.owasp.org

OWASP TOP 10

▫︎ List of the 10 most critical web application security risks

▫︎ A powerful awareness document

▫︎ Reference document for project security analysis

▫︎ Published at regular intervals

  ▫︎ Approximately once in 3 years

  ▫︎ Last published in 2013


OWASP TOP 10, 2013

1. Injection

2. Broken authentication and session management

3. Cross site scripting (XSS)

4. Insecure direct object references

5. Security misconfiguration

6. Sensitive data exposure

7. Missing function level access control

8. Cross site request forgery (CSRF)

9. Using components with known vulnerabilities

10. Unvalidated redirects and forwards


INJECTION

▫︎ SQL Injection

  ▫︎ Most prevalent

  ▫︎ Databases like Oracle, MySQL

▫︎ NoSQL Injection

  ▫︎ Comparatively recent

  ▫︎ Databases like MongoDB

▫︎ Command Injection

▫︎ LDAP Injection
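The injection slide names the risk but not the mechanism. The following Python example is added here and is not part of the original deck: it puts a query built by string concatenation next to a parameterised one against a constructed in-memory SQLite table, and shows the allow-list approach for the one part of a statement (column names) that cannot be bound as a parameter. The table contents and the `find_user_*` function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by string concatenation: a quote character in the
    untrusted input terminates the literal, and the rest becomes SQL code."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterised query: the driver binds the value separately from the
    statement text, so whatever the input contains is only compared as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_user_by_column_safe(conn, column, value):
    """Identifiers (table or column names) cannot be bound as parameters, so a
    caller-chosen column is checked against a fixed allow-list before it is
    placed in the SQL text; the value itself is still bound."""
    allowed = {"name", "id"}
    if column not in allowed:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f"SELECT name FROM users WHERE {column} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: closes the quote and adds an always-true clause.
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # returns every row
    print("safe:      ", find_user_safe(db, probe))        # no user has that literal name
```

The same rule, keep data out of the code channel, is what fixes the other injection kinds on the slide: pass an argument list to `subprocess.run` instead of building a shell string, and escape LDAP filter metacharacters before interpolating into a filter.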


DEMO

INJECTION


BROKEN AUTHENTICATION

▫︎ Session ID in URL or in the Referer header

  ▫︎ PHPSESSID

  ▫︎ JSESSIONID

▫︎ Unencrypted passwords in storage or transit

  ▫︎ Login over HTTP

  ▫︎ Email password in plain text (BSNL?)

▫︎ Predictable session IDs

▫︎ Reusing the same session IDs
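To make the session-handling points concrete, the Python below is added here as an example and is not code from the original deck. It shows a session store that issues unpredictable ids from the OS random source and rotates them at login (so one id is never reused across privilege levels), a cookie string that keeps the id out of URLs and off plain HTTP, and a small log check that flags requests or Referer values carrying a PHPSESSID or JSESSIONID. The `SessionStore` class, the cookie name and the sample log lines are assumptions constructed for the example.

```python
import re
import secrets

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG: not guessable, not enumerable


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self, data=None):
        # secrets.token_urlsafe() draws from os.urandom(). A counter, a
        # timestamp or a hash of the username would be predictable.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = dict(data or {})
        return sid

    def rotate(self, old_sid):
        """Issue a fresh id and retire the old one. Call at every privilege
        change (login, role change) so an id observed before authentication
        cannot be replayed afterwards."""
        data = self._sessions.pop(old_sid)
        return self.create(data)

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps the id away from page scripts, Secure
    keeps it off plain HTTP, and a cookie never appears in URL or Referer."""
    return f"SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


# A session id in a query parameter (PHPSESSID=...) or in a Java-style path
# parameter (;jsessionid=...) lands in server logs, browser history and the
# Referer header sent to any third-party site the page links to.
SESSION_IN_URL = re.compile(r"[?&;](?:PHPSESSID|JSESSIONID)=[^&\s\"]+", re.IGNORECASE)


def find_session_ids_in_urls(log_lines):
    """Return 1-based numbers of access-log lines whose request line or
    Referer field exposes a session id in a URL."""
    return [n for n, line in enumerate(log_lines, 1) if SESSION_IN_URL.search(line)]


# Constructed access-log lines (request, status, referer).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2015:10:00:00 +0530] "GET /account?PHPSESSID=abc123 HTTP/1.1" 200 "-"',
    '203.0.113.6 - - [01/Dec/2015:10:00:01 +0530] "GET /help HTTP/1.1" 200 "https://shop.example/cart;jsessionid=XYZ789"',
    '203.0.113.7 - - [01/Dec/2015:10:00:02 +0530] "GET /search?q=shoes HTTP/1.1" 200 "-"',
]


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create({"cart": ["shoes"]})
    logged_in = store.rotate(anonymous)  # new id, same cart, old id is dead
    store.get(logged_in)["user"] = "alice"
    print(session_cookie(logged_in))
    print("lines leaking a session id:", find_session_ids_in_urls(SAMPLE_LOG))
```

The log check is a cheap detection for the first bullet: run it over the access log of any application that is supposed to keep its session id in a cookie, and any hit means either a leaking page or a client that was handed the id in a link.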


CROSS SITE SCRIPTING (XSS)

▫︎ Inject client-side script into pages viewed by other users

▫︎ No HTML or JavaScript escaping

▫︎ Can steal cookies, change page location, etc.

▫︎ Script executes with the same permissions as the current page


XSS TYPES

▫︎Reflected

▫︎Non-persistent

▫︎ The most common type

▫︎ Is typically delivered via email or a neutral web site

▫︎Display a page of results for a user, without properly sanitising the request.

▫︎ Ex. Search result with search term without sanitisation


XSS TYPES

▫︎ Stored

▫︎ Persistent

▫︎A more devastating variant

▫︎ Permanently displayed on "normal" pages returned to other users

▫︎ Example: Online message boards / Forums, Post on Facebook wall
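The two XSS slides above (the unsanitised search result and the message board) come down to one missing step: encoding user input for the context it is written into. The Python below is an added example, not code from the original deck. It renders the search page with and without HTML escaping, shows the attribute context where quotes also need encoding, and a toy message board that stores posts as typed but escapes at render time, which is the stored-XSS case. The page templates, the `MessageBoard` class and the sample posts are assumptions constructed for the example.

```python
import html


def search_page_vulnerable(term):
    """Reflected XSS: the search term from the request is copied into the
    response unchanged, so markup in the request becomes markup in the page."""
    return f"<h1>Results for {term}</h1>"


def search_page_safe(term):
    """Same page with output encoding for the HTML body context:
    < > & are replaced by entities, so the browser shows them as text."""
    return f"<h1>Results for {html.escape(term, quote=False)}</h1>"


def search_box_safe(term):
    """Attribute context: quote=True also encodes ' and " so the value
    cannot close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


class MessageBoard:
    """Stored XSS: posts are persisted exactly as submitted and shown to
    every later visitor, so encoding has to happen when the page is built,
    not only when the post is accepted."""

    def __init__(self):
        self._posts = []  # (author, body) as submitted; constructed storage

    def post(self, author, body):
        self._posts.append((author, body))

    def render(self):
        items = "".join(
            f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"
            for author, body in self._posts
        )
        return f"<ul>{items}</ul>"


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # the classic demonstration input
    print(search_page_vulnerable(probe))  # tag survives: reflected XSS
    print(search_page_safe(probe))        # shown as literal text
    board = MessageBoard()
    board.post("mallory", probe)
    board.post("alice", "hello & welcome")
    print(board.render())
```

`html.escape` covers the HTML body and attribute contexts only; a value placed inside a `<script>` block or a URL needs the encoding for that context, and a Content-Security-Policy header is the usual second layer when an encoding is missed.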


DEMO

CROSS SITE SCRIPTING (XSS)


INSECURE DIRECT OBJECT REFERENCES

▫︎ The actual name or key of an object is used when generating web pages

▫︎ The application doesn't verify that the user is authorised for the target object

▫︎ Attackers can easily manipulate parameter values to access another object

  ▫︎ http://photos.com/download.php?file=personal.jpg

  ▫︎ http://mybank.com/accountInfo?accNumber=123456
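The accountInfo URL above is the whole vulnerability: the number in the query string is the database key, and nothing checks who is asking. The Python below is an added example, not code from the original deck. It shows the lookup without an ownership check, the same lookup with the check (answering missing and foreign accounts identically), and the indirect-reference alternative where the browser only ever sees a random per-session token. The account records, the `Forbidden` exception and the function names are assumptions constructed for the example.

```python
import secrets

# Constructed sample records keyed by the real account number.
ACCOUNTS = {
    "123456": {"owner": "alice", "balance": 1500},
    "654321": {"owner": "bob", "balance": 300},
}


class Forbidden(Exception):
    """Raised instead of returning a record the caller may not see."""


def account_info_vulnerable(acc_number, current_user):
    """Direct reference, no authorisation check: the accNumber parameter from
    the URL is used as the lookup key, so editing 123456 into 654321 in the
    address bar returns somebody else's account."""
    return ACCOUNTS[acc_number]


def account_info_safe(acc_number, current_user):
    """Look the object up, then verify the authenticated user owns it.
    Missing and foreign records get the same answer, so the response does
    not tell a caller which account numbers exist."""
    record = ACCOUNTS.get(acc_number)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"{current_user} may not access account {acc_number}")
    return record


class IndirectReferenceMap:
    """Alternative: hand the browser a random per-session token instead of
    the real key. The server resolves the token back to the key, and a
    token it never issued resolves to nothing."""

    def __init__(self):
        self._tokens = {}

    def reference(self, real_key):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = real_key
        return token

    def resolve(self, token):
        return self._tokens.get(token)  # None for an unknown or forged token


def account_info_indirect(token, ref_map, current_user):
    """Indirect references do not replace the ownership check; they only
    stop the real key from being guessable, so both are applied."""
    real_key = ref_map.resolve(token)
    if real_key is None:
        raise Forbidden("unknown reference")
    return account_info_safe(real_key, current_user)


if __name__ == "__main__":
    print(account_info_vulnerable("654321", "alice"))  # bob's record, no check
    refs = IndirectReferenceMap()
    token = refs.reference("123456")  # what alice's page would link to
    print(account_info_indirect(token, refs, "alice"))
```

The check belongs on every object read, not only on the page that lists the user's own accounts: the download.php example on the slide is the same bug with a file name in place of an account number.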


SECURITY MISCONFIGURATION

▫︎ Running the application with debug enabled in production

▫︎ Directory listing enabled on the server

▫︎ Running outdated software

▫︎ Unnecessary services running on the machine

▫︎ Not changing default keys and passwords

▫︎ Revealing error handling information to the attackers, such as stack traces
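Several of the items above can be caught from configuration alone, and the last one is fixed in the error handler rather than in configuration. The Python below is an added example, not code from the original deck: a settings audit that flags debug mode, directory listing, default credentials and client-visible stack traces, beside an error handler that logs the full traceback under a reference id and returns only that id to the client. The setting names, the two settings dictionaries and the list of default credentials are assumptions constructed for the example; real frameworks spell these settings differently.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed settings: a typical development profile vs. a hardened production one.
DEV_SETTINGS = {
    "DEBUG": True,
    "DIRECTORY_LISTING": True,
    "ADMIN_PASSWORD": "admin",
    "SHOW_STACK_TRACES": True,
}
PROD_SETTINGS = {
    "DEBUG": False,
    "DIRECTORY_LISTING": False,
    "ADMIN_PASSWORD": "example-value-loaded-from-secret-store",
    "SHOW_STACK_TRACES": False,
}

# Constructed list of vendor defaults that must not survive into production.
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "root", ""}


def audit_settings(settings):
    """Return findings for the slide's misconfigurations that are visible in
    configuration. An empty list means nothing was flagged."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG enabled: debug consoles and verbose errors reach users")
    if settings.get("DIRECTORY_LISTING"):
        findings.append("directory listing enabled: file names and backups are browsable")
    if settings.get("ADMIN_PASSWORD", "").lower() in DEFAULT_CREDENTIALS:
        findings.append("ADMIN_PASSWORD is a default or empty credential")
    if settings.get("SHOW_STACK_TRACES"):
        findings.append("stack traces shown to clients: leaks paths, versions and code")
    return findings


def error_response(exc, settings):
    """Error handler: the full traceback goes to the server log under a
    reference id; the client sees only the id unless stack traces were
    deliberately enabled (a development-only setting)."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error %s\n%s", ref, detail)
    if settings.get("SHOW_STACK_TRACES"):
        return 500, detail
    return 500, f"Something went wrong. Reference: {ref}"


def run_with_handler(func, settings):
    """Run one request handler under the error policy of the given settings."""
    try:
        return 200, func()
    except Exception as exc:  # noqa: BLE001 - the handler is the last resort
        return error_response(exc, settings)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        print(name, audit_settings(cfg) or "no findings")
    print(run_with_handler(lambda: 1 / 0, PROD_SETTINGS))
```

The reference id is what support staff use to find the logged traceback, so the client gets something actionable without the file paths, library versions and variable values that a stack trace carries.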



TOOLS


VULNERABILITY SCANNING


SECURITY TESTING - ZAP


https://blog.codecentric.de/files/2013/10/zap-screenshot.png

CONTINUOUS SECURITY TESTING


ANY QUESTIONS?


@_Garbage_ [email protected]

RESOURCES

▫︎ https://www.owasp.org/index.php

▫︎ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

▫︎ https://en.wikipedia.org/wiki/Cross-site_scripting

▫︎ http://www.toptal.com/security/10-most-common-web-security-vulnerabilities


ThoughtWorks is hiring.

http://www.thoughtworks.com/join

THANK YOU!