Insert title here - Young Professionals Information Security Group

Web Applications Testing
By Jamie Rougvie
Disclaimer
• All information presented here is for
educational use only.
• Please only practice in a controlled
environment that you own or that you have
written permission to use!
Jamie Rougvie
2
Why test web applications?
• Tesco web security 'flaw' probed by UK data
watchdog.
• 6.5 million LinkedIn passwords leaked by hackers.
• GoDaddy hacked, millions of sites go down in
registrar outage.
• Yahoo hacked, 450,000 passwords posted online.
• IEEE exposed 100k plaintext usernames and
passwords on their FTP server.
Common tools
• Web browser
• Burp Suite / ZAP
There are loads of other tools and plugins to aid us when testing, but the
most common ones are:
• Sqlmap
• Nikto
• Nessus
• DirBuster
• BeEF
• Automated scanners: Netsparker, Acunetix and W3af
What is a Proxy?
Demo Burp Suite
Getting Started
• Browse the website
• Identify functional pages
• List possible attacks for each functional page
• Try to carry out the attacks
• Document everything with screenshots
OWASP Top 10
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
A1 Injection
SQL Injection
About SQL Injection
• SQL injection attacks are the process
of injecting SQL commands into the SQL
queries built by the application, to manipulate
the database which the application relies on.
• Two types of SQL injection: error-based
and blind.
Demo of SQL Injection
SQL Explained
• We can assume the SQL statement is
SELECT * FROM users WHERE username = '' AND password = ''
• The code we injected (into the password field)
' or ''='
• The query that gets submitted is
SELECT * FROM users WHERE username = '' AND password = '' or ''=''
• The condition ''='' is always true, and AND binds tighter than OR, so the WHERE clause matches every row and data from the database gets returned.
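The query above, reproduced as an added example that is not part of the original talk: a login check that builds the query by string concatenation next to the same check written with a parameterised query. The users table and the credentials in it are constructed for the example; the injected string is the one shown on the slide.

```python
import sqlite3

# Constructed in-memory database standing in for the application's users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


# The payload from the slide, typed into the password field.
INJECTION = "' or ''='"


def build_vulnerable_query(username: str, password: str) -> str:
    """Builds the query by string concatenation, exactly as the slide assumes."""
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check: user input becomes part of the SQL text."""
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: placeholders keep the input as data, never as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("", INJECTION))
    print("vulnerable login bypassed:", login_vulnerable(db, "", INJECTION))
    print("parameterised login bypassed:", login_safe(db, "", INJECTION))
    print("parameterised login with real credentials:", login_safe(db, "admin", "s3cret"))
```

With the concatenated query the empty username and the injected password produce the slide's `... password = '' or ''=''`, which matches every row, so the vulnerable login succeeds without credentials. The parameterised version sends the same string as a plain value and finds no row; only the genuine credentials succeed.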
Power of SQL Injection
• Bypass login pages
• Dump entire databases using a tool like Sqlmap.
This will give you usernames and passwords,
which you could then use directly, or crack if
they were hashed.
• People like using the same username and
password on many sites, so you can now try to
access other sites with the login details.
A3 XSS
Cross Site Scripting
About XSS
• Injecting HTML or running code (JavaScript)
in a user's web browser
• Three types of XSS: stored,
reflected and DOM-based.
• XSS can be found in any user-supplied input:
cookies, GET, POST, HTTP headers
XSS Demo
What can you do with an XSS attack?
• Steal cookies
• Redirect users
• Deface the website
• Use BeEF
BEEF Demo
The Solution
Always validate any input from the user
on the server side!
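What "validate on the server side" looks like in code, as an added example that is not part of the original talk. It covers the reflected case from the XSS slides: a page that echoes a user-supplied name back, first with the raw value reflected straight into the HTML, then with a server-side allowlist check plus HTML encoding of the output. The sample inputs, the allowlist pattern and the function names are constructed for the example.

```python
import html
import re

# Constructed sample inputs for a "display name" parameter.
SAFE_NAME = "Jamie"
SCRIPT_INPUT = "<script>alert(1)</script>"

# Constructed allowlist for a display name: letters, digits, spaces and a few
# separators. Anything else is rejected before it reaches the page.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,40}$")


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the parameter straight into the page, so any HTML in it is live."""
    return "<p>Hello " + name + "</p>"


def validate_name(name: str) -> bool:
    """Server-side input validation against the allowlist."""
    return NAME_RE.fullmatch(name) is not None


def render_greeting_safe(name: str) -> str:
    """Validate on the server, then HTML-encode on output as a second layer."""
    if not validate_name(name):
        raise ValueError("rejected input: not a valid display name")
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def render_comment_encoded(text: str) -> str:
    """For free-text fields where a strict allowlist is impractical, encoding
    alone turns markup into harmless text in the browser."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    print(render_greeting_vulnerable(SCRIPT_INPUT))
    print(render_greeting_safe(SAFE_NAME))
    print(render_comment_encoded(SCRIPT_INPUT))
    try:
        render_greeting_safe(SCRIPT_INPUT)
    except ValueError as err:
        print("blocked:", err)
```

The vulnerable renderer emits the script tag as real markup, which is the reflected XSS the demo relies on. The safe renderer refuses the input outright, and the encoding-only renderer shows why output encoding is still needed for fields that legitimately contain characters like `<` or `'`: the browser displays them as text instead of interpreting them.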
Common Vulnerabilities
Low hanging fruit
Default Login Details
• Many people make the mistake of installing
applications and leaving the default settings
in place.
Example:
root: password – MySQL
root: blank – phpMyAdmin
• This may vary between versions, but a quick
Google search can find the correct default login.
Weak Passwords
• This is really common and yet so simple to fix!
123456
Password
123456789
abc123
111111
There are loads more default and silly passwords!
• Other bad ideas:
Any dictionary word
Website name
Organisation details
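A server-side password check that turns the slide's list of bad ideas into rules, as an added example that is not part of the original talk. The five common passwords come from the slide; the small dictionary, the site name, the organisation words and the minimum length are constructed for the example, and a real deployment would load a full wordlist instead.

```python
# The common passwords listed on the slide (compared case-insensitively).
COMMON_PASSWORDS = {"123456", "password", "123456789", "abc123", "111111"}

# Constructed stand-in for a real dictionary wordlist.
SMALL_DICTIONARY = {"welcome", "letmein", "sunshine", "football", "dragon"}


def password_problems(password: str, site_name: str, org_words, min_length: int = 12):
    """Returns a list of reasons the password is weak; an empty list means it passed.

    site_name and org_words are the website name and organisation details the
    slide warns against reusing; they are supplied by the application.
    """
    problems = []
    low = password.lower()

    if len(password) < min_length:
        problems.append("too short")
    if password.isdigit():
        problems.append("digits only")
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if low in SMALL_DICTIONARY:
        problems.append("dictionary word")
    if site_name and site_name.lower() in low:
        problems.append("contains the website name")
    for word in org_words:
        if word and word.lower() in low:
            problems.append("contains organisation detail: " + word)
    return problems


def is_acceptable(password: str, site_name: str, org_words) -> bool:
    return not password_problems(password, site_name, org_words)


if __name__ == "__main__":
    # Constructed deployment details for the demo.
    site = "exampleshop"
    org = ["Example Ltd", "Dundee"]
    for candidate in ["123456", "Password", "ExampleShop2013!", "correct-battery-staple-42"]:
        print(candidate, "->", password_problems(candidate, site, org) or "ok")
```

Each rule maps to one bullet on the slide, so a rejected password comes back with the specific reason, which is what a login or registration form should show instead of a generic "invalid" message.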
Old Version Running
• Companies don't upgrade web servers or CMSs
(Content Management Systems) in case they break
them.
• This may make them easier to exploit, as known
security bugs would not have been fixed.
Information Leakage
• Information leaked from the site can give vital
information to the attacker. Information leakage can
come in many forms.
Example:
PRACTICE RESOURCES
• jamierougive.co.uk – My blog
• ypisg.bcs.org – Young Professionals Information Security Group
• http://vulnhub.com – Great for all testing
• hack.me – Work in progress, as seen in the demos
• www.owasp.org – Great for web app testing
• www.trustedsec.com – Social-Engineer Toolkit
• www.dvwa.co.uk – Damn Vulnerable Web App
• www.kioptrix.com – Demo example
• g0tmi1k.blogspot.co.uk – Boot2Root
• http://beefproject.com/ – BeEF project
Questions!
ANY QUESTIONS?