Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Save this PDF as:
Size: px
Start display at page:

Download "Advanced Web Technology 10) XSS, CSRF and SQL Injection 2"

Transcription

1 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation Vulnerability CSRF allows to access the intranet Protection Conclusion Injection Flows Presentation Vulnerability Protection Examples Conclusion 1 2 Cross Site Request Forgery Sending a request without the consent of the victim? Insert an image in a HTML file Not a new attack, but simple and devastating <img src= > CSRF attack forces a logged-on victim s browser to send a request to a vulnerable web application Target: Perform the chosen action on behalf of the victim Browser: Downloads an image GET /image/test.gif HTTP/ An image can be generated by a PHP program (or any program) <img src= > Browser: Downloads an image Cross Site Request Forgery - CSRF 3 Cross Site Request Forgery - CSRF: Presentation 4

2 Sending a request? (Cont.) An image can be generated according to some parameters <img src= /barcode.php?number= > Browser: Downloads an image An image tag can contain something else <img src= logout > Browser????? Very widespread vulnerability Touches any web application that has no authorization checks for vulnerable actions will process an action if a default login is able to be given in the request <img src= pwd=123 > Authorizes requests based only on credentials that are automatically submitted cookies if currently logged into the application or Remember me functionality if not logged into the application or a Kerberos token if part of an Intranet participating in integrated logon with Active Directory. Cross Site Request Forgery - CSRF: Presentation 5 State of the art Most of web applications rely solely on automatically submitted credentials cookies basic authentication credentials source IP addresses SSL certificates or windows domain credentials Vulnerability also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack Acronym XSRF is also used together with CSRF Cross Site Request Forgery - CSRF: Presentation 7 Cross Site Request Forgery - CSRF: Presentation 6 Vulnerability A typical CSRF attack directs the user to invoke some function for instance application s logout page The following tag can be inserted in any page viewed by the victim <img src= > it generates the same request as clicking on a link containing this address! Example: Online banking transfer <img src= frmacct=document.form.frmacct&toacct= &amt = > Could transfer the money from the account of the user, to a given account. Cross Site Request Forgery - CSRF: Vulnerability 8

3 Vulnerability (Cont.) Jeremiah Grossman 1 Succeeded in making changes in victims DSL routers Even if the user doesn t know that he can configure his router ;-) He used the router s default account name to perform his attack Example <img src= > Then you just have to reconfigure the system <img src= = > How such a link could reach a victim Web-site Owner embedded JavaScript malware Web page defaced with embedded JavaScript malware JavaScript Malware injected into a public area of a website. (persistent XSS) Clicked on, a specially-crafted link causing the website to echo JavaScript malware. (non-persistent XSS) Once DNS changed, user will never be able to access a site securely! 1 Talk in Blackhat 2006 : Hacking Intranet Sites from the outside Cross Site Request Forgery - CSRF: Vulnerability 9 CSRF allows to access the intranet Cross Site Request Forgery - CSRF: Vulnerability 10 Internet is protected, but Intranet? The attacker sends requests from inside the Intranet Doesn t have to go throw the firewall, the victim is already CSRF combined with javascript allows to send many requests sequentially javascript adds an image in the DOM (possibly invisible). when the request is sent, another image is added and so on You would never dare doing this on Internet! But what about Intranet? Leaving hosts unpatched Servers are always patched regularly, but local PC s? Using default passwords What the use of changing the password, the IP address can only be reached from inside my network x.y Do not putting a firewall in front of a host Everything seams OK because the perimeter firewalls black external access So CSRF attacks can be very fruitful Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 11 Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 12

4 Why do CSRF attacks work? CSRF and XSS User authorization credential is automatically included in any request by the browse Typical: Session Cookie The Attacker doesn t need to supply that credential It belongs to the victim s browser Success of CSRF belongs on the probability that the victim is logged in the attacked system Idea: attack the site the victim visits Mean : XSS Combine CSRF and XSS The tag is already posted inside the vulnerable application Risk is increased by that combination Probability to find a logged in user is higher CSRF does not require XSS One can attack a site from another one Any application with XSS flaws is susceptible to CSRF CSRF attacks can exploit the XSS flaw to steal any non-automatically submitted credential When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 13 Protection Application must ensure that they are not only relying on credentials or tokens that are automatically submitted by browsers Session Cookies Certificates Remember me... Application should use a custom token that the browser will not Remember So it can not be included in the Requests sent automatically Cross Site Request Forgery - CSRF: Protection 15 Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 14 Strategies Ensure that there are no XSS vulnerabilities in your application Otherwise, any protection is useless, since javascript could access the hidden data. Insert custom random tokens into every form and URL It will not be automatically submitted by the browser Example: <form action= /transfer.do method= POST > <input type= hidden name= value= >... </form> Then you have to verify that token Token can be unique for a session or even for each page The more focused the token is, the higher the security is, but the application is then much more complicated to write Cross Site Request Forgery - CSRF: Protection 16

5 Strategies (Cont.) Verifying Security For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine. Set up external mechanism to verify requests (phone, ) Notify the user of the request using an Do not use GET requests for sensitive data or to perform value transactions Use only POST methods when processing sensitive data from the user. However the URL may contain the random token as this creates a unique URL, which makes CSRF almost impossible to perform POST alone is an insufficient protection You must also combine it with random tokens Goal: Verify that the application generates and requires some authorization token that is not resent automatically by the browser Automated approaches: Automated approach: few automated scanners can detect CSRF vulnerabilities. Manual Approach: Penetration testing and verification of the code Cross Site Request Forgery - CSRF: Protection 17 Conclusion - CSRF Cross Site Request Forgery - CSRF: Protection 18 Injection Flows Cross Site Scripting - XSS Exploits the trust a user has in a website Cross Site Request Forgery - CSRF Exploits the trust the site has in a user by forging the enactor and making a request appear to come from a trusted user 2 Principle: Occurs when user supplied data is sent to an interpreter as part of a command or a query. Injection Flows may be done on: SQL (most common) LDAP XPath XSLT HTML OS Command injection... This vulnerability is very common on Web Application 2 wikipedia Cross Site Request Forgery - CSRF: Conclusion 19 Injection Flows: Presentation 20

6 How does it work? Attacker tricks the interpreter into executing unintended command Attacker supplies unexpected content to a site Data is especially designed to fool the site Attacker may take control of the interpreter, for instance SQL: Read data (unintended, of course) update, delete or create any arbitrary data For the Operating System interpreter Attacker may have the opportunity to execute any command Injection Flows: Presentation 21 Protection Vulnerability Environments affected Any framework using an interpreter or invoke process SQL Command line... System is vulnerable when user input is passed without tests PHP $query = select from guestbook ; $query.= where title like.$ REQUEST[ search ]; $result = mysql query($query, $conn); Java String query = select from user where username= ; query += req.getparameter( userid ); query += and password = +req.getparameter( pwd ) + ; Injection Flows: Vulnerability 22 Take Extra Care when using interpreters Avoid the use of interpreter if possible Otherwise: Use safe APIs Strongly typed parameterized queries Object Relational Mapping (ORM) They handle data escaping Validation is still recommended in order to detect attacks Input Validation Validate all input data: length, type, syntax, business rules validation is done before displaying or storing any data Validation must be done server-side Javascript validation doesn t bring any security Use strongly typed parameterized query APIs with placeholder substitution markers, Enforce least privilege Configure your DB such that the web account can t do more than what is expected restrict the rights of your user when executing an OS command Injection Flows: Protection 23 Injection Flows: Protection 24

7 Take Extra Care (Cont.) Take Extra Care (Cont.) Avoid detailed error messages Give access to versions numbers Give access to parts of the code Give access to configurations Use stored procedures They are generally safe from SQL injection Can however be injected (for instance using exec()) Do not use dynamic query interfaces (such as mysql query()) Do not use simple escaping functions such as addslashes() in PHP str replace(" "," ") it is weak and has been successfully exploited Prefer following methods use mysql real escape string() or preferably PDO which does not require escaping Injection Flows: Protection 25 Language Specific recommendations Java EE use strongly typed PreparedStatement or use an ORM (Object Relational Manager) such as Hibernate or Spring PHP Use PDO with strongly typed parameterized queries (using bindparam()). Injection Flows: Protection 27 Injection Flows: Protection 26 Which site is subject to SQL injection? Such a site must access a DB The parameter should be given by the user This parameter is then used to select data in the DB Example Means there exists a request for the page number 100 If the site does not test its input You can test it by typing something like: If the site lets the user see error messages Test the output of your input Examples Search form (SELECT with LIKE) Login form (SELECT with two =) Insertion of new entries... Injection Flows: Examples 28

8 Example: Presentation Suppose we have the following HTML Form <form method= POST > <input type= text name= username ><br> <input type= password name= password ><br> <input type= submit value= Login > </form> and the following PHP line defining a SQL command: $query = SELECT FROM user WHERE username= $user ; $query.= AND password= $pwd ; For our examples, we disable a security feature from the php.ini file (normally this option is on, and it quotes all GET, POST and COOKIES parameters, means chars like: and are escaped and Advanced become Web\ Technology and 10) \ ): XSS, magic_quotes_gpc CSRF and SQL Injection = off Injection Flows: Examples 29 Example: Select user and password (Cont.) So we do not need a valid username and password if $user=" OR a = a" and $password remains empty then the previous expression becomes: SELECT FROM user WHERE username= OR a = a AND \ password= ; Returns the list of all users So we are logged in with the first provided Example: Select user and password We want the select to work in any case Following expressions are always true SELECT FROM table WHERE 1=1; SELECT FROM table WHERE 1; SELECT FROM table WHERE ISNULL(NULL) SELECT FROM table WHERE 1 IS NOT NULL SELECT FROM table WHERE NULL IS NULL... Injection Flows: Examples 30 Login on a specific account We can specify the right username and change the password If we give $user="emmanuel" And $password=" OR b BETWEEN a AND c" The previous SQL statement becomes SELECT FROM user WHERE username= Emmanuel AND \ password= OR b BETWEEN a AND c ; So username is OK, but password is not checked! Injection Flows: Examples 31 Injection Flows: Examples 32

9 Example, using Comments Another great principle in SQL injection is Comments It is also very common in all the other injections If we inject a #, the rest of the SQL expression is not evaluated if $user="john #" the request becomes SELECT FROM user WHERE username= John # AND password= which is equal to SELECT FROM user WHERE username= John If we use the comments /* comments */ we may escape some tests Injection Flows: Examples 33 Attacks compatible with magic quotes Since most of the server have magic quotes gpc = on Attackers can not use or Use MySQL char() function Returns the character denoted by the number, For instance char(104,111,112) returns the string hop Previous attack becomes The following query is used to count one vote: UPDATE news SET votes=votes+1, score=score+$note WHERE\ newsid= $id, We have the following attack $note= 3, title=char(104,111,112) More injection in SELECT Suppose we have the following query, for displaying the content of one single comment in our guestbook: $query = select from guestbook where guestbookid= $number ; We can copy the content in a file suppose we define $number="11 or 1=1 INTO OUTFILE /tmp/test.security.txt " The total content of the table is sent to a file. Suppose the Attacker has an account on the system (e.g. foobar). It is possible to change the password of foobar If we can write the following query: SELECT password FROM user WHERE login= foobar INTO OUTFILE\ /opt/lampp/htdocs/test.php Injection Flows: Examples 34 Attacker could create any php file inside the system!! How to protect yourself From SQL injection in PHP Configure PHP such that and are automatically escaped magic quotes gpc = on Always quote input before sending query to an interpreter mysql real escape string() Do not use any interpreter at all Use PDO Injection Flows: Examples 35 Injection Flows: Examples 36

10 Conclusion (Injection Flows) SQL Injection allows attacker to Read data: Access passwords, data stored Change Data : Access security level Delete data SQL injection Vulnerabilities opens the door to: Privacy breach : Data can be accessed without consent Identity theft : idem + failure in authentication Compromission of the system : write of new files (maybe PHP)... Easy protection are already exploited Adding one (or more) layers between presentation and database layer is a must (also from the point of view of Design) Even this has also been successfully exploited. Solution? test your inputs! Conclusion (Web Security) Infrastructure Security is Vital Good Network Architecture (Firewals, DMZ,... ) Application Security must not be forgotten Test Inputs Encode Outputs Teach your users No security is efficient is users aren t included for instance if they never log-out Security is expensive in Development time or in Usability Injection Flows: Conclusion 37 References Injection Flows: Conclusion 38 OWASP Top A Guide for Building Secure Web Applications and Web Services Advanced SQL Injection in SQL Server Applications - Chris Anley injection.pdf L injection (My)SQL via PHP - leseulfrog Advanced version: SQLMAP (a SQL Injection Tool) Injection Flows: Conclusion 39

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow Exploits: XSS, SQLI, Buffer Overflow These vulnerabilities continue to result in many active exploits. XSS Cross Site Scripting, comparable to XSRF, Cross Site Request Forgery. These vulnerabilities are

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

External Network & Web Application Assessment. For The XXX Group LLC October 2012

External Network & Web Application Assessment. For The XXX Group LLC October 2012 External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

Still Aren't Doing. Frank Kim

Still Aren't Doing. Frank Kim Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Complete Cross-site Scripting Walkthrough

Complete Cross-site Scripting Walkthrough Complete Cross-site Scripting Walkthrough Author : Ahmed Elhady Mohamed Email : ahmed.elhady.mohamed@gmail.com website: www.infosec4all.tk blog : www.1nfosec4all.blogspot.com/ [+] Introduction wikipedia

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

Application Security Vulnerabilities, Mitigation, and Consequences

Application Security Vulnerabilities, Mitigation, and Consequences Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical

More information

Hacking de aplicaciones Web

Hacking de aplicaciones Web HACKING SCHOOL Hacking de aplicaciones Web Gabriel Maciá Fernández Fundamentos de la web CLIENTE SERVIDOR BROWSER HTTP WEB SERVER DATOS PRIVADOS BASE DE DATOS 1 Interacción con servidores web URLs http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt

More information

Cyber Security Challenge Australia 2014

Cyber Security Challenge Australia 2014 Cyber Security Challenge Australia 2014 www.cyberchallenge.com.au CySCA2014 Web Penetration Testing Writeup Background: Pentest the web server that is hosted in the environment at www.fortcerts.cysca Web

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Web-Application Security

Web-Application Security Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Online Vulnerability Scanner Quick Start Guide

Online Vulnerability Scanner Quick Start Guide Online Vulnerability Scanner Quick Start Guide Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted.

More information

CTF Web Security Training. Engin Kirda ek@ccs.neu.edu

CTF Web Security Training. Engin Kirda ek@ccs.neu.edu CTF Web Security Training Engin Kirda ek@ccs.neu.edu Web Security Why It is Important Easiest way to compromise hosts, networks and users Widely deployed ( payload No Logs! (POST Request Difficult to defend

More information

Preparing for the Cross Site Request Forgery Defense

Preparing for the Cross Site Request Forgery Defense Preparing for the Cross Site Request Forgery Defense Chuck Willis chuck.willis@mandiant.com Black Hat DC 2008 February 20, 2008 About Me Principal Consultant with MANDIANT in Alexandria, VA Full spectrum

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. 1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

SQL Injection Attack Lab

SQL Injection Attack Lab Laboratory for Computer Security Education 1 SQL Injection Attack Lab Copyright c 2006-2010 Wenliang Du, Syracuse University. The development of this document is funded by the National Science Foundation

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant $whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

SQL Injection for newbie

SQL Injection for newbie SQL Injection for newbie SQL injection is a security vulnerability that occurs in a database layer of an application. It is technique to inject SQL query/command as an input via web pages. Sometimes we

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Workday Mobile Security FAQ

Workday Mobile Security FAQ Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

SQL Injection January 23, 2013

SQL Injection January 23, 2013 Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Attack and Penetration Testing 101

Attack and Penetration Testing 101 Attack and Penetration Testing 101 Presented by Paul Petefish PaulPetefish@Solutionary.com July 15, 2009 Copyright 2000-2009, Solutionary, Inc. All rights reserved. Version 2.2 Agenda Penetration Testing

More information

Introduction. Two levels of security vulnerabilities:

Introduction. Two levels of security vulnerabilities: Introduction Two levels of security vulnerabilities: Project level (cyphers, standard protocols, BAN logic, etc.) Implementation level (bugs, unhandled inputs, misconfigurations, etc.) There are two levels

More information

Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3

Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3 Implementation of Web Application Security Solution using Open Source Gaurav Gupta 1, B. K. Murthy 2, P. N. Barwal 3 ABSTRACT 1 Project Engineer, CDACC-56/1, Sector-62, Noida, 2 Executive Director, CDACC-56/1,

More information

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool

MatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application

More information

Advanced Web Security, Lab

Advanced Web Security, Lab Advanced Web Security, Lab Web Server Security: Attacking and Defending November 13, 2013 Read this earlier than one day before the lab! Note that you will not have any internet access during the lab,

More information

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp.

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. http://www.owasp. Architectural Design Patterns for SSO (Single Sign On) Design and Use Cases for Financial i Web Applications Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A. OWASP Copyright The OWASP Foundation Permission

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

WebCruiser Web Vulnerability Scanner User Guide

WebCruiser Web Vulnerability Scanner User Guide WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction...2 2. Key Features...3 2.1. POST Data Resend...3 2.2. Vulnerability Scanner...6 2.3. SQL Injection...8 2.3.1. POST SQL

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

OWASP Application Security Building and Breaking Applications

OWASP Application Security Building and Breaking Applications OWASP Application Security Building and Breaking Applications Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net Who's? Principal Security Consultant Durkee Consulting Inc. Founder of Rochester

More information

Overview of the Penetration Test Implementation and Service. Peter Kanters

Overview of the Penetration Test Implementation and Service. Peter Kanters Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

SQL Injection Attack Lab Using Collabtive

SQL Injection Attack Lab Using Collabtive Laboratory for Computer Security Education 1 SQL Injection Attack Lab Using Collabtive (Web Application: Collabtive) Copyright c 2006-2011 Wenliang Du, Syracuse University. The development of this document

More information

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business 6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

A Survey on Threats and Vulnerabilities of Web Services

A Survey on Threats and Vulnerabilities of Web Services A Survey on Threats and Vulnerabilities of Web Services A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Computer Science and Engineering of Jadavpur University

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student

SQL Injection. By Artem Kazanstev, ITSO and Alex Beutel, Student SQL Injection By Artem Kazanstev, ITSO and Alex Beutel, Student SANS Priority No 2 As of September 2009, Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System

More information