Securing the Web @DevDay Da Nang 2018

Securing the Web
4.14.2018
Sumanth Damarla
Tech Speaker, Mozilla

CEOs
worrying
about
security’s
impact on
company
growth
Source: Global State of Information Security Survey
61%
1400 CEOs
83 Countries

OWASP TOP 10 2017
Source: Imperva blog.

Example
The application uses untrusted data in the construction of the following vulnerable
SQL call:
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
In this case, the attacker modifies the ‘id’ parameter value in her browser to send: ' or
'1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of query to return all the records from the accounts table.
More dangerous attacks could modify data or even invoke stored procedures.

• Information leakage
• Disclosure of data
• Manipulation of stored data
• Bypassing authorisation controls
Hacker Goals

Example
Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in
the URL:
http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
An authenticated user of the site wants to let his friends know about the sale. He emails the
above link without knowing he is also giving away his session ID. When his friends use the
link they will use his session and credit card.
Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access
site. Instead of selecting “logout” the user simply closes the browser tab and walks away.
Attacker uses the same browser an hour later, and that browser is still authenticated.

• Undermined authorization and accountability controls.
• Cause privacy violation.
• Identity theft.
Hacker Goals
Source: Placeholder text. Delete this box if source is not needed

Example
Scenario #1:
A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network
traffic (like an open wireless network), and steals the user’s session cookie. Attacker then
replays this cookie and hijacks the user’s session, accessing the user’s private data.

Example
Scenario #1:
An attacker probes the server's private network by changing the above ENTITY line to:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]>
<foo>&xxe;</foo>
Response:
HTTP/1.0 200 OK
Hello, I'm a file on the local network (behind the firewall)

Scenario #2:
An attacker attempts a denial-of-service attack by including a potentially endless file:
POST http://example.com/xml HTTP/1.1
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World ">
<!ENTITY t1 "&bar;&bar;">
<!ENTITY t2 "&t1;&t1;&t1;&t1;">
<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]>
<foo> Hello &t3; </foo>

Response:
HTTP/1.0 200 OK
Hello World World World World World World
World World World World World World World
World World World World World World

Example
Scenario #1:
An attacker simply force browses to target URLs. Admin rights are required for access to the
admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

Example
Scenario #1:
The app server admin console is automatically installed and not removed. Default accounts
aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with
default passwords, and takes over.

• Cookie stealing
• Alert pop-up on page
• Redirecting to another website/page/phishing site
• Executing browser exploits
Hacker Goals
Source: Placeholder text. Delete this box if source is not needed

Example
Scenario #1:
A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user
ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

Using Components with Known
Vulnerabilities

Insufficient
Logging&Monitoring

Example
Scenario #1:
An open source project forum software run by a small team was hacked using a flaw in its
software. The attackers managed to wipe out the internal source code repository containing
the next version, and all of the forum contents. Although source could be recovered, the lack
of monitoring, logging or alerting led to a far worse breach. The forum software project is no
longer active as a result of this issue.

• Cross Site Scripting (XSS)
• SQL Injection
• Directory Traversal
• URL Injection
• Error Detection
• File Uploads
• Sensitive Data Discovery
Modules used in VEGA

Open Vulnerability Assessment System
(OpenVAS)

ZAP Features
• Open source Cross platform
• Easy to install (just requires java 1.7)
• Completely free (no paid for 'Pro' version)
• Ease of use a priority
• Comprehensive help pages
• Fully internationalized Translated into a dozen languages
• Community based, with involvement actively encouraged
• Under active development by an international team of
volunteers

ZAP Functionality
• Intercepting Proxy
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and Client Digital Certificates support

• Web sockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

Securing the Web @DevDay Da Nang 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing the Web @DevDay Da Nang 2018

Similar to Securing the Web @DevDay Da Nang 2018 (20)

Recently uploaded

Recently uploaded (20)

Securing the Web @DevDay Da Nang 2018