Boy Baukema12th March, HZ, Vlissingen

Practical Hacking: OWASP Top 10

Wednesday, March 12, 14

So who’s this guy?

Boy BaukemaSecurity Specialist & Senior Engineer @ Ibuildings.nl

boy@ibuildings.nltwitter: @relaxnow

2

Wednesday, March 12, 14

By what company?

Ibuildings (not owned by Apple)

3

Wednesday, March 12, 14

A Security what?

Security Specialist:

Senior Software Engineer + R&D Security + Security Training+ Internal Consulting+ Internal Security Audits+ External Security Audits

4

Wednesday, March 12, 14

Okay, what’s he doing here?

‣ Introduction (10m)

‣Before We Dive In (10m)

‣OWASP TOP 11 2013 (+/- 15m per item)

‣Where To Next? (10m)

5

Wednesday, March 12, 14

Wednesday, March 12, 14

Wednesday, March 12, 14

Before we dive in...

8

Wednesday, March 12, 14

Ethical Hacking & The (Dutch) Law

9blog.iusmentis.com

Artikel 138ab & 138b

Wednesday, March 12, 14

Responsible Disclosure

10

Wednesday, March 12, 14

of 2013OWASP Top 11

11

Wednesday, March 12, 14

OWASP Top 10 2013 BONUS - Clickjacking

12http://www.youtube.com/watch?v=DRQ8oC2MWAgWednesday, March 12, 14

A10-Unvalidated Redirects and Forwards

13

Wednesday, March 12, 14

A10-Unvalidated Redirects and Forwards

http://goo.gl/Gmzqvhttps://www.bank.com:login.html@phisher.cn/http://www.bank.com:login.html@74.125.131.105http://www.bank.com:login.html@1249739625/http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/http://www.bank.com:login.html@0112.0175.0203.0151/http://pc-help.org/o%62s%63ur%65%2e%68t%6D

14

Wednesday, March 12, 14

A9-Using Components with Known Vulnerabilities174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”

174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1″ 404 5923 “-” “BOT/0.1 (BOT for JCE)”174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”174.34.252.13 – - [03/Feb/2014:01:01:08 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1″ 404 6290 “-” “BOT/0.1 (BOT for JCE)”174.34.252.13 – - [03/Feb/2014:01:01:10 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1″ 500 885 “-” “BOT/0.1 (BOT for JCE)”174.34.252.13 – - [03/Feb/2014:01:01:10 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1″ 404 6290 “-” “BOT/0.1 (BOT for JCE)”174.34.252.13 – - [03/Feb/2014:01:01:11 -0500] “GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1″ 404 6237 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6″

15

Wednesday, March 12, 14

A8-Cross-Site Request Forgery (CSRF)

16http://www.youtube.com/watch?v=vRBihr41JToWednesday, March 12, 14

A7-Missing Function Level Access Control

17

Wednesday, March 12, 14

A6-Sensitive Data Exposure

18

Wednesday, March 12, 14

A6-Sensitive Data Exposure

19

Wednesday, March 12, 14

A5-Security Misconfiguration

http://www.exploit-db.com/google-dorks/20

Wednesday, March 12, 14

A4-Insecure Direct Object References

21

Wednesday, March 12, 14

A3-Cross-Site Scripting (XSS)

22

http://www.youtube.com/watch?v=a9WNy2ZSq8Y

Wednesday, March 12, 14

A3-Cross-Site Scripting (XSS)

23

Wednesday, March 12, 14

A2-Broken Authentication and Session Management

24

Wednesday, March 12, 14

A2-Broken Authentication and Session Management

‣ Session Fixation‣Missing Session Timeout‣ Login over HTTP‣Unprotected Password Reset

25

Wednesday, March 12, 14

HTTP Strict Transport Security

Strict-Transport-Security: ‣max-age=60000; ‣ includeSubDomains

26

Wednesday, March 12, 14

A1-Injection

27

Wednesday, March 12, 14

Now What?

28

Wednesday, March 12, 14

29

Wednesday, March 12, 14

Conferences, People & Resources

‣ Security.nl‣Owasp.org‣Hackvertor‣Webappsec.io‣ Chris Cornutt‣Bruce Schneider

‣OWASP BeNeLux‣OWASP EU‣Hack In The Box‣Black Hat Europe 30

Wednesday, March 12, 14

Companies

‣ Fox-IT‣Madison Ghurka‣ Pine‣ Ibuildings.nl

31

Wednesday, March 12, 14

QUESTIONS

32Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec

Wednesday, March 12, 14