
Web Security

September 16th, 2015


Up ahead
● owasp top 10 vulnerabilities (with examples)
● security testing tools
○ whitebox
○ blackbox
■ proxies (spidering concept, ajax)
● useful plugins
○ browser developer tools
○ http headers
○ post-man
○ tamper-data
○ fake mail
OWASP
● Open Web Application Security Project
● Open source
● Security Wiki
● One of its projects: the Top 10
● Vulnerability & Resolution
1 Injection
● Application sends untrusted data to an interpreter
● SQL, LDAP, XPath or NoSQL queries; OS commands, XML parsers,
program arguments
● Testing: Scanners, Fuzzers
● Never trust user input, always sanitize
● Example -> OWASP
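The injection point and its fix side by side, as an added example (not from the slides or from OWASP): untrusted input concatenated into SQL lets the interpreter read data as code, while a parameterised query binds the same input as a value. The in-memory SQLite table and the inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input is spliced into the query string, so SQLite
    # cannot distinguish the user's data from the query's code.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, name):
    # Parameterised query: the input travels as a bound value, never as SQL,
    # so no sanitising of quotes is needed in the first place.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


def demo():
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed input that closes the string literal early
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),  # returns every row
        "safe_normal": find_user_safe(conn, normal),
        "safe_hostile": find_user_safe(conn, hostile),  # matches no user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Run it and compare the two `hostile` results: the concatenated query returns the whole table, the bound one returns nothing.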
2 Broken Authentication and Session Management
● Attacker manipulates authentication flow
● Session Hijacking
○ Man in the middle attack with no HTTPS
○ Exposed session ID
● Hard to test (no tools)
● Prevention
○ use authentication flow standards
○ Avoid XSS
3 Cross Site Scripting XSS
● Application includes user supplied data in a page sent to the browser without
properly validating or escaping that content
● Main types
○ Stored
○ Reflected
● Automated tools can find it IF they can reach its URL (Ajax, Flash, ….)
● DEMO!!!
4 Insecure Direct Object Reference
● Attacker changes a parameter value that directly refers to a system
object so that it points to another object the user isn’t authorized for
● Unintentional disclosure of info
7 Missing Functional Level Access Control
● Client side Vs Server Side permissions
● Example !!!
5 Security Misconfiguration
● Can happen at any level; web server, application server, database,
framework, custom code, ….
● Default accounts
● Missing patches
● Unnecessary services
● Open ports
● Error stacktraces
6 Sensitive Data Exposure
● Not encrypting sensitive data
○ Passwords
○ Credit cards
● Man in the middle attack
● Prevention
○ Encryption
○ Don’t store data you don’t need
○ Disable auto-complete for sensitive data
8 Cross Site Request Forgery CSRF
● Attacker creates forged HTTP requests and tricks victim into submitting them
● Automated tools can detect it
● Prevention
○ Using an unpredictable token per request
○ Using captcha
● Example -> OWASP
9 Using Components with known vulnerabilities
● The jinxed one and the hopeless one
10 Unvalidated Redirects and Forwards
● Internal Application Redirects
● Example -> OWASP
Totally Recommended!!
● Technology specific
● Vulnerability specific

https://www.owasp.org/index.php/Cheat_Sheets
Testing
● Whitebox
○ Code Review
○ Code Analysis tools
Testing
● Blackbox
○ Proxies (point and shoot)
■ ZAP (Zed Attack Proxy)
■ Burp Suite
■ others
Useful Plugins
● Browser Developer Tools
● HTTP Headers
● Post-man
● Tamper-data