With the right skills, tools and software, you can protect yourself and remain secure. This session will take attendees from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities.
Example
The application uses untrusted data in the construction of the following vulnerable
SQL call:
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
In this case, the attacker modifies the ‘id’ parameter value in her browser to send: ' or
'1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of query to return all the records from the accounts table.
More dangerous attacks could modify data or even invoke stored procedures.
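As an added illustration (not code from the original slides), the same concatenation in Python against a constructed in-memory SQLite accounts table, next to the parameterized form that closes the hole:

```python
import sqlite3

# Constructed sample data: an in-memory accounts table standing in for the
# application's database (not the page's own schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 250), ("1002", "bob", 900), ("1003", "carol", 40)])
    conn.commit()
    return conn

def lookup_vulnerable(conn, cust_id):
    # Mirrors the Java snippet: untrusted input concatenated straight into the SQL text,
    # so the quote in the input terminates the literal and the rest becomes SQL.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, cust_id):
    # Fix: bind the value as a parameter; the input is only ever compared as data
    # and can never change the structure of the statement.
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()

def demo():
    conn = make_db()
    payload = "' or '1'='1"                      # the value from the page's example URL
    vuln = lookup_vulnerable(conn, payload)      # every row comes back
    safe = lookup_parameterized(conn, payload)   # no customer has that literal ID
    return len(vuln), len(safe)

if __name__ == "__main__":
    print(demo())
```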
Hacker Goals
• Information leakage
• Disclosure of data
• Manipulation of stored data
• Bypassing authorisation controls
Example
Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in
the URL:
http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
An authenticated user of the site wants to let his friends know about the sale. He emails the
above link without knowing he is also giving away his session ID. When his friends use the
link they will use his session and credit card.
Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access
site. Instead of selecting “logout” the user simply closes the browser tab and walks away.
Attacker uses the same browser an hour later, and that browser is still authenticated.
Hacker Goals
• Undermined authorization and accountability controls
• Privacy violations
• Identity theft
Example
Scenario #1:
A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network
traffic (like an open wireless network), and steals the user’s session cookie. Attacker then
replays this cookie and hijacks the user’s session, accessing the user’s private data.
Example
Scenario #1:
An attacker probes the server's private network by changing the above ENTITY line to:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]>
<foo>&xxe;</foo>
Response:
HTTP/1.0 200 OK
Hello, I'm a file on the local network (behind the firewall)
Scenario #2:
An attacker attempts a denial-of-service attack by including a potentially endless file:
POST http://example.com/xml HTTP/1.1
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World ">
<!ENTITY t1 "&bar;&bar;">
<!ENTITY t2 "&t1;&t1;&t1;&t1;">
<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]>
<foo> Hello &t3; </foo>
Response:
HTTP/1.0 200 OK
Hello World World World World World World
World World World World World World World
World World World World World World World
World World World World World World World
World World World World World World World
World World World World World World
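Added example (not code from the original slides): a pre-parse check in Python that reads the DOCTYPE of the two documents above, flags SYSTEM/PUBLIC entities, and estimates how large the body becomes once internal entities are expanded, so a document can be rejected before a real XML parser touches it. The 10x expansion ratio is an assumption chosen for this example; the two sample documents are re-typed from the page.

```python
import re

# Sample documents re-typed from the page's two XXE scenarios (test input, not live traffic).
EXTERNAL_DOC = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]>
<foo>&xxe;</foo>"""

EXPANSION_DOC = """<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World ">
<!ENTITY t1 "&bar;&bar;">
<!ENTITY t2 "&t1;&t1;&t1;&t1;">
<!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]>
<foo> Hello &t3; </foo>"""

INTERNAL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')      # internal (literal) entities
EXTERNAL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC)\b')  # external entities
REF_RE = re.compile(r'&(\w+);')

def entity_report(doc, max_ratio=10):
    """Inspect the DOCTYPE before handing the document to a real parser.

    Returns (external_entity_names, raw_body_len, expanded_body_len, verdict).
    max_ratio is an arbitrary threshold chosen for this example.
    """
    internal = dict(INTERNAL_RE.findall(doc))
    external = EXTERNAL_RE.findall(doc)

    def expanded_len(text, stack=()):
        # Length of `text` after every internal entity reference is replaced, recursively.
        total, last = 0, 0
        for m in REF_RE.finditer(text):
            total += m.start() - last
            last = m.end()
            name = m.group(1)
            if name in stack:
                raise ValueError("recursive entity: " + name)
            if name in internal:
                total += expanded_len(internal[name], stack + (name,))
            else:
                total += len(m.group(0))  # external or predefined: count the reference itself
        return total + len(text) - last

    body = doc[doc.rfind("]>") + 2:] if "]>" in doc else doc
    raw, expanded = len(body), expanded_len(body)
    if external:
        verdict = "reject: external entity"
    elif expanded > max_ratio * raw:
        verdict = "reject: entity expansion"
    else:
        verdict = "accept"
    return external, raw, expanded, verdict
```

For the second document the body grows from 24 to 260 characters: t3 alone expands to 40 copies of "World ", which is exactly what the response above shows.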
Example
Scenario #1:
An attacker simply force browses to target URLs. Admin rights are required for access to the
admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
Example
Scenario #1:
The app server admin console is automatically installed and not removed. Default accounts
aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with
default passwords, and takes over.
Hacker Goals
• Cookie stealing
• Alert pop-up on page
• Redirecting to another website/page/phishing site
• Executing browser exploits
Example
Scenario #1:
A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user
ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
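Added example (not the forum's code): a minimal Python reader for the PHP serialization format above, showing that the role field is taken straight from whatever the client sends, followed by an HMAC check that rejects the edited cookie. The two serialized strings are the page's own; the secret key is a constructed placeholder.

```python
import hmac, hashlib

# The page's cookies, re-typed as single lines (constructed test input).
ORIGINAL = 'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED = 'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'

def php_unserialize(data):
    """Minimal reader for PHP's i:, s: and a: encodings (integers, strings, arrays)."""
    def parse(pos):
        kind = data[pos]
        if kind == 'i':                                  # i:<int>;
            end = data.index(';', pos)
            return int(data[pos + 2:end]), end + 1
        if kind == 's':                                  # s:<len>:"<bytes>";
            colon = data.index(':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                            # skip ':"'
            value = data[start:start + length]
            if data[start + length:start + length + 2] != '";':
                raise ValueError("bad string length at %d" % pos)
            return value, start + length + 2
        if kind == 'a':                                  # a:<count>:{key;value;...}
            colon = data.index(':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                              # skip ':{'
            items = {}
            for _ in range(count):
                key, pos = parse(pos)
                items[key], pos = parse(pos)
            if data[pos] != '}':
                raise ValueError("unterminated array at %d" % pos)
            return items, pos + 1
        raise ValueError("unsupported type %r at %d" % (kind, pos))
    return parse(0)[0]

def role_from_cookie(cookie):
    # The forum's mistake: trusting whatever role the client-supplied blob says.
    return php_unserialize(cookie)[2]

SECRET = b"server-side-secret-example"   # constructed placeholder; a real key lives only on the server

def sign(blob, key=SECRET):
    # Mitigation: append an HMAC so the server can detect any edit to the serialized data.
    return blob + "|" + hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()

def verify_and_unserialize(signed, key=SECRET):
    blob, _, tag = signed.rpartition("|")
    expected = hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie signature mismatch")
    return php_unserialize(blob)
```

The signature only helps while the key stays on the server; the safer design is to keep the role in a server-side session and send the client nothing but an opaque session identifier.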
Example
Scenario #1:
An open source forum software project run by a small team was hacked through a flaw in its
own software. The attackers managed to wipe out the internal source code repository containing
the next version, along with all of the forum contents. Although the source could be recovered,
the lack of monitoring, logging or alerting turned the incident into a far worse breach. The forum
software project is no longer active as a result.
ZAP Features
• Open source, cross platform
• Easy to install (just requires Java 1.7)
• Completely free (no paid-for 'Pro' version)
• Ease of use a priority
• Comprehensive help pages
• Fully internationalized, translated into a dozen languages
• Community based, with involvement actively encouraged
• Under active development by an international team of volunteers
ZAP Functionality
• Intercepting Proxy
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and Client Digital Certificates support
• WebSocket support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons