Didzis Balodis - Web application security – war stories from real penetration testing engagements
DESCRIPTION
The talk will cover some of the most common mistakes which are identified during recent web application security assessments. Those include but are not limited to various types of injections (SQLi, XSS, etc.), local file access and business logic flaws. During the talk practical examples will be demonstrated along with the mitigation tools and techniques.
TRANSCRIPT
![Page 1: Didzis Balodis - Web application security – war stories from real penetration testing engagements](https://reader035.vdocuments.site/reader035/viewer/2022062513/5552a2dab4c905e8128b5398/html5/thumbnails/1.jpg)
Web application security – war stories from real penetration testing engagements
Didzis Balodis, CISSP, GPEN
Lead of security and infrastructure division
Page 2
Contents
Page 3
Didzis Balodis
• Lead of DPA Security and Infrastructure division
• More than 10 years in IT (from year 1999)
• System administration, development, security
• Last 5 years – IT consulting, audits, security, penetration testing (more than 50 engagements)
• Hobby - wifi hacking
• Certifications:
• CISSP – Certified Information Systems Security Professional
• GPEN – GIAC Certified Penetration Tester
Page 4
DPA security portfolio
IT audit and security testing:
Network pentests
Wireless network assessment
Web application security testing
Social engineering
Compliance
Security awareness trainings
Page 5
Statistics
of web applications contain at least
High risk vulnerability
Page 6
Injections on the rise
ENISA Threat Landscape 2013 report:
«....Cross-Site Scripting (XSS), Directory Traversal, SQL injection
(SQLi) and Cross-Site Request Forgery (CSRF).
... injection attacks are on sharp rise.»
Page 7
It's easy...
Statistics:
Page 8
OWASP TOP 10
A1 – Injection (SQL, LDAP, SMTP, XML...)
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
Page 9
Consequences...
• Stolen or published client data
• Leakage of internal company information
• Loss of reputation
• Compliance and legal issues (personal data protection)
• System downtime
• Financial losses
Page 10
Example 1
Page 11
Example 2
Page 12
Example 3
Page 13
Example 4
Page 14
DEMO TIME
Page 15
SQLi
```
http://somesystem.lv/ gettextLang=0&usr_login=loginKWgn&usr_password=aaa&sendpost=Pieslēgties sistēmai' AND (SELECT 4747 FROM
(SELECT COUNT(*),CONCAT(0x3a76796a3a,
(SELECT (CASE WHEN (4747=4747) THEN 1 ELSE 0 END)),
0x3a787a693a,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
AND 'KWgn'='KWgn&usr_password=aaa&sendpost=Pieslēgties sistēmai
```
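The request above works only because the login value is spliced into the SQL text, so the fragment `' AND (...) AND 'KWgn'='KWgn` becomes part of the query the database executes. The following is an added example written for this page (it is not code from the talk or from the tested system): it contrasts a string-built login query with a parameterized one against a constructed SQLite table. The table, the user `alice`, the password `correct-horse` and all function names are assumptions made here for illustration; the talk's target is MySQL, and `sqlite3` is used only so the example runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr_login TEXT, usr_password TEXT)")
    # constructed sample user; in a real system the password would be hashed
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, usr_login, usr_password):
    """String-built query: whatever the user types becomes SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE usr_login = '" + usr_login
           + "' AND usr_password = '" + usr_password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, usr_login, usr_password):
    """Parameterized query: the driver passes the values separately from the
    SQL, so quotes and keywords in the input are compared as data, never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE usr_login = ? AND usr_password = ?"
    return conn.execute(sql, (usr_login, usr_password)).fetchone()[0] > 0


def boolean_probe_results(conn, login_fn):
    """Feed login_fn the same kind of boolean pair the slide's payload relies on:
    one condition that is true, one that is false, each closed with a matching
    quote so the rest of the query still parses.  A vulnerable query answers the
    two differently because the injected condition is evaluated; a parameterized
    query treats both strings as a non-existent username and answers the same.
    The correct password is supplied here only to make the evaluation visible;
    in the slide's payload the leaked signal is a database error instead."""
    true_probe = "alice' AND 'a'='a"
    false_probe = "alice' AND 'a'='b"
    return (login_fn(conn, true_probe, "correct-horse"),
            login_fn(conn, false_probe, "correct-horse"))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", boolean_probe_results(db, login_vulnerable))      # (True, False)
    print("parameterized :", boolean_probe_results(db, login_parameterized))   # (False, False)
```

With a MySQL driver such as PyMySQL the placeholder is `%s` rather than `?`, but the mechanism is the same: the values never reach the SQL parser as text. The string-built variant is also the one that breaks on a legitimate username containing an apostrophe, so fixing it is a correctness improvement as well as a security one.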
Page 16
Insecure upload
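The slide heading is all the page gives for the upload finding, so the following is an added example (not code from the talk or the tested system) of a defensive upload handler: it checks the extension against an allowlist, checks that the content starts with the signature expected for that extension, enforces a size limit, discards the client-supplied name and stores the file under a random server-chosen name in a directory that should sit outside the web root. The allowlist, the size limit, the sample bytes and all function names are assumptions made for this example.

```python
import os
import secrets
import tempfile

# Allowlist: extension -> file signatures the content must start with.
# Constructed for this example; extend it to the types the application really needs.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_SIZE = 5 * 1024 * 1024  # hypothetical 5 MiB limit

# Constructed sample: a PNG signature followed by padding, enough for the check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)


def check_upload(filename, data):
    """Return (accepted, extension) on success or (False, reason) on rejection."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()      # only the final extension counts
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if len(data) > MAX_SIZE:
        return False, "too large"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(filename, data, upload_dir):
    """Write accepted data under a random name; return the full path or None.
    upload_dir is expected to be outside the web root and served, if at all,
    through a handler that sets a fixed Content-Type."""
    ok, ext = check_upload(filename, data)
    if not ok:
        return None
    name = secrets.token_hex(16) + "." + ext   # client name is never reused
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                      # readable data, never executable
    return path


def store_in_temp_dir(filename, data):
    """Convenience wrapper for running the example offline: stores into a
    fresh temporary directory standing in for the real upload directory."""
    return store_upload(filename, data, tempfile.mkdtemp())


if __name__ == "__main__":
    print(check_upload("shell.php", b"<?php echo 1; ?>"))        # (False, 'extension not allowed')
    print(check_upload("avatar.png", b"<?php echo 1; ?>"))       # (False, 'content does not match extension')
    print(check_upload("../../etc/avatar.png", PNG_SAMPLE))      # (True, 'png')
    print(store_in_temp_dir("avatar.png", PNG_SAMPLE))
```

The signature check is deliberately shallow; it stops the obvious case of script source saved under an image extension but does not parse the file. Serving the stored files with a fixed Content-Type and `X-Content-Type-Options: nosniff`, and configuring the web server so nothing in the upload directory is executed, are the controls that make the random name and the allowlist hold up.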
Page 17
Be proactive
To avoid an unpleasant surprise: test before someone else does.
Page 18
How it is done
Identification / automated tests
• Network layer
• App layer
Manual testing
• Injections
• Sessions
• Business logic, etc.
Finalizing
• DoS
• Report
• Re-tests
Page 19
Recap
Page 20
Questions?