Web Applica+on Security: Be Offensive! About Me

Transcription

1 Web Applica+on Security: Be Offensive! Eric Johnson Cypress Data Defense 1 About Me Eric Johnson Senior Security Consultant SANS AppSec Curriculum Product Manger CerLfied SANS Instructor & Course Author CerLficaLons CISSP, GWAPT, GSSP-.NET, GSSP- Java 2 1

2 Be Offensive! A good offense creates a business case for spending 3me and money on defense! 3 A<ack Techniques OWASP Top 10 ( A1: InjecLon A3: Cross- Site ScripLng A4: Insecure Direct Object Reference 4 2

3 Disclaimer DemonstraLons of real a<ack tools Illegal to a<ack targets without wri<en contractual consent Obey your federal laws We assume no liability 5 A1 InjecLon SQL InjecLon, LDAP InjecLon, Command InjecLon 6 3

4 A1 InjecLon: In The News (1) May 2015 Gaana Music Service 12.5 million records Name, , MD5 password hash, DoB, social media handles 7 A1 InjecLon: In The News (2) October ,000 accounts Name, address, DOB, phone numbers, passwords 8 4

5 A1 InjecLon: In The News (3) June million password hashes extracted from the database 4+ million SHA1 hashes reversed within a few days 9 A1 InjecLon: In The News (4) August million credit card numbers $200 million loss 10 5

6 A1 InjecLon: ExploitaLon sqlmap DEMO h<p://sqlmap.org/ Wri<en in Python 11 A1 InjecLon: Defenses OWASP SQL InjecLon PrevenLon Cheat Sheet h<ps:// SQL_InjecLon_PrevenLon_Cheat_Sheet 12 6

7 A3 Cross- Site ScripLng (XSS) XSS flaws occur whenever an applicalon takes untrusted data and sends it to a web browser without proper encoding. Execute scripts in the viclm s browser Hijack user sessions Deface web sites Redirect the user to malicious sites. 13 A3 XSS: In The News (1) August

8 A3 XSS: In The News (2) March 2008 Site defaced to contain flashing images designed to cause seizures Some viclms required hospital care 15 A3 XSS: In The News (3) June 2009 Offered $10,000 reward to anyone that broke into the CEO s account interface vulnerable to XSS and session hijacking 16 8

9 A3 XSS: ExploitaLon Browser ExploitaLon Framework (BeEF) h<p://beefproject.com/ Wri<en in Ruby 17 A3 XSS: Defenses OWASP XSS PrevenLon Cheat Sheet h<ps:// XSS_(Cross_Site_ScripLng)_PrevenLon_Cheat_Sheet 18 9

10 A4 Insecure Direct Object Reference Accessing backend data using un- trusted request parameters data a<ackers can manipulate. File Directory Database key 19 A4: In The News (1) April 2015 Site allowed any user to delete any video Event_id request parameter Bug bounty paid $5,

11 A4: In The News (2) October 2013 Site allowed users to download other customer s SMS message history Phone number in the query string 21 A4: In The News (3) September 2013 Site allowed users to delete another user s photos Profile id and photo id request parameters Bug bounty paid $12,

12 A4: ExploitaLon Burp Suite Intruder Plugin Free & Professional Version h<p://portswigger.net Wri<en in Java 23 A4: MiLgaLons OWASP Access Control Cheat Sheet h<ps:// Access_Control_Cheat_Sheet 24 12

13 Who is at risk? Does your company store sensilve informalon? Are you storing payment card informalon? Does your company store health care records? Are you compliant with federal and state laws? Do you work with companies or third party vendors that store this type of informalon? Open Lmes, it comes down to one main issue. WE DON T KNOW. And if there is uncertainty with our own company, the risk only increases as you work with vendors and third parles. 25 Security Training Security Reviews Help me, Obi- Wan Kenobi. You re my only hope

14 27 Security Assessment OpLons Features Sta+c Review Manual Review Hybrid Review StaLc ApplicaLon Security TesLng (SAST) Manual Code Review Manual Dynamic TesLng Dynamic ApplicaLon Security TesLng (DAST) Results ValidaLon ApplicaLon Security Assessment Report RemediaLon Training & ConsulLng Our team can conduct the assessment remotely in a safe and secure environment, or we can come directly to the facility and conduct the review on site

15 Thank You! 29 15