Embed Size (px)
Citation preview
Breaching a Web Application
Common Issues and Mitigating Steps
My Name is Jason Frank Director of Veris Group’s Adaptive Threat Division Trainer for Black HatYou can find me at @jasonjfrank
PS: IANAD – I am not a developer!
Hello!
Agenda◉An Attacker’s View◉Injection Attacks 101◉Misconfigurations◉Remediation and Mitigations
An Attacker’s View1
Testing ProcessDiscovery
ExploitationPost Exploitation
Pre-Assessmen
tActivities
Post-Assessment
Activities
http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png
http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png
http://tutorials.jenkov.com/images/software-architecture/n-tier-architecture-2.png
DMZ Protected EnclaveInternet
https://www.w3.org/2005/03/Demos/insurance.png
https://www.w3.org/2005/03/Demos/insurance.png
◉Provides free documentation on offensive and defensive application measures
◉Curated “OWASP Top Ten” Vulnerabilities◉OWASP Web Testing Guide◉Contains material for:
Web ApplicationsMobileSoftware DevelopmentTools
https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png
https://www.owasp.org/images/thumb/7/7e/WebTT_thumb.png/400px-WebTT_thumb.png
Injection Attacks 1012
Injection Attacks
◉Occurs when unintended data is sent to an application
◉Proper input validation / server-side validation is not being performed
◉A dynamically built query can be altered to execute arbitrary calls or requests
◉Common Types of InjectionSQLXMLOS Command
https://itswadesh.files.wordpress.com/2011/11/sql-injection.jpg
Users
Posts
Comments
Themes
Wordpress Server
WPDBUser
WP Table
Users
Posts
Comments
Themes
Wordpress Server
DBA WP Table
Names
SSNs
Salaries
Addresses
HR App
“
Quotations are commonly printed as a means of
inspiration and to invoke philosophical thoughts from
the reader.
SQL Injection Tools
◉Burp Suite Pro Scanner(Identification)◉SQLMap ◉SQLNinja
Misconfigurations3
Misconfigurations
◉Serves as a catchup for many facets of the implementation
◉Can occur at all levels of the technology stack
◉Identifies both technical and procedural weaknesses
Operating System
Web Servers
Applications
Add-ons
http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/
http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/
http://www.rvrsh3ll.net/blog/offensive/leveraging-adobe-livecycle/
DMZ Protected EnclaveInternet Internal
Systems
DMZ Protected EnclaveInternet Internal
Systems
DMZ Protected EnclaveInternet Internal
Systems
DMZ Protected EnclaveInternet Internal
Systems
DMZ Protected EnclaveInternet Internal
Systems
DMZ Protected EnclaveInternet Internal
Systems
Tools◉Nikto◉Web Scanners
AcunetixNTOSpiderBurp Suite Pro
◉Vulnerability ScannersNessusNeXpose
Remediation and Mitigation4
OWASP SAMM◉Software Assurance Maturity Model◉Integrating Assessment and Review
Activities throughout your SDLC◉Based on your organization’s security
drivers◉https://www.owasp.org/index.php/
Category:Software_Assurance_Maturity_Model
Static ReviewsSource code reviews that are incorporated throughout the development cycle.
A Note About Testing Types
Dynamic TestingAssessment of the final solution in an operational context.
SQL Injection Prevention
◉OWASP has language specific recommendations
◉Parameterized Queries◉Input Validation – White Listing◉Escaping User Input◉https://www.owasp.org/index.php
/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
Misconfiguration Prevention
◉Review of all technologies in the stack◉Implement available hardening guides◉Have your solution dynamically tested
periodically
Any questions ?You can find me at◉ @jasonjfrank◉ Slides posted at:
http://www.slideshare.net/jasonjfrank
Thanks!
