2. About Me
• Application Developer originally
• Contributor to Learn CF In a Week
• OWASP Individual Member
• OWASP Zed Attack Proxy (ZAP) Evangelist
• Security Certifications - CEH, GWAPT
3. About the Session
• What will NOT be covered
  • How to fix your code
  • How to secure your OS, Web Server, Database Server, or Application Server
4. About the Session
• What will be covered
  • Recent events in security and hacking
  • Demonstration of various penetration testing tools used against web applications
  • Quick overview of Web Application Firewalls and Web Vulnerability Scanners
5. About the Demos
• Virtual Machines, not live servers
• BackTrack/Kali Linux
• OWASP Broken Web Apps
• Windows 7 & Server 2008 R2
DO NOT perform any activities shown on any network/system or network connected device without proper permission!
6. 205: Average number of days a network is compromised by a hacker before discovery
Down from 229 days in 2014 as reported by Mandiant M-Trends Report
8. Heartbleed
• At disclosure 615,268 of the Internet's secure web servers were vulnerable
• May 8, 2014 - 318,239
• June 21, 2014 - 309,197
• Contributed to Community Health Systems theft of 4.5 million patient records
14. OWASP Top Ten (2013)
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Controls
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
16. Things you'll never see in logs
• Internet search engines used for passive reconnaissance
  • Google Hacks
  • Internet Archive
  • Netcraft
  • Alexa
  • Shodan
• Not quite passive but can be hard to spot
  • Web Crawler/Spider/Mirroring
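The crawler/spider case on this slide is the one that does leave traces, just spread across many ordinary-looking lines. As an added example that is not part of the deck, the following Python script parses Apache "combined" style access-log lines and flags any client that requests many distinct paths inside a short sliding window, which is how a mirroring tool looks from the server side. The log format, thresholds, IP addresses and paths are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One line of an Apache "combined" style access log (assumed format; adjust LOG_RE
# if your server logs differ, IIS W3C logs carry the same fields in another layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_spiders(lines, window_seconds=60, min_requests=30, min_distinct_paths=20):
    """Return {ip: reason} for clients whose traffic looks like a crawler or
    site-mirroring run: many requests to many distinct paths inside a short
    sliding window. The thresholds are assumptions; tune them to the site's
    normal traffic so that a real user paging through content is not flagged."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            paths = {r["path"] for r in window}
            if len(paths) >= min_distinct_paths:
                # mirroring tools also tend to produce bursts of 404s on guessed paths
                not_found = sum(1 for r in window if r["status"] == 404)
                flagged[ip] = (f"{len(window)} requests to {len(paths)} distinct paths "
                               f"within {window_seconds}s ({not_found} x 404)")
                break
    return flagged


# --- constructed sample log: one mirroring client and one ordinary visitor ---
def _line(ip, ts, path, status):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


BASE = datetime(2015, 3, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.5", BASE + timedelta(seconds=i), f"/article.cfm?id={i}", 200)
     for i in range(40)]
    + [_line("198.51.100.7", BASE + timedelta(minutes=3 * i), f"/page{i}.cfm", 200)
       for i in range(5)]
)

if __name__ == "__main__":
    for ip, reason in find_spiders(SAMPLE_LOG).items():
        print(ip, reason)
```

Run against the constructed sample, only 203.0.113.5 is reported; the ordinary visitor never accumulates 30 requests inside any 60-second window. A user agent string is deliberately not used as a signal, because a mirroring tool can set it to anything.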
29. Reported Benchmarks of 25 GPU HPC cluster (attempts per second)
MD5          180,000,000,000
SHA1          63,000,000,000
BCrypt (05)           71,000
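To turn the three rates above into something a password policy can be measured against, here is an added Python example (not from the deck) that estimates how long an exhaustive search of a given character set and length takes at each reported rate, and how much bcrypt's cost parameter changes the picture. The rates are the slide's figures; the character-set sizes, the 8-character policy and the helper names are assumptions for the illustration.

```python
# Attempts per second for the 25-GPU cluster as reported on the slide above.
RATES = {"MD5": 180_000_000_000, "SHA1": 63_000_000_000, "bcrypt(05)": 71_000}

# Character-set sizes; the names and the 8-character policy are assumptions.
CHARSETS = {"lowercase": 26, "lowercase+digits": 36, "mixed+digits": 62, "printable ASCII": 95}

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def keyspace(charset_size, max_length):
    """Number of candidates in an exhaustive search of lengths 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size, max_length, rate, salted_hashes=1):
    """Worst-case time to try every candidate at `rate` guesses per second.
    Unsalted hashes (the LinkedIn SHA1 dump) let one guess be compared against every
    hash in the dump at once; with per-user salts the work multiplies by the number
    of hashes, which is what `salted_hashes` models."""
    return keyspace(charset_size, max_length) * salted_hashes / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits, one decimal place."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def bcrypt_slowdown(cost_from, cost_to):
    """bcrypt's cost parameter is logarithmic: every +1 doubles the work, so the
    71,000/s figure at cost 05 becomes 71,000 / 2**(cost - 5) at a higher cost."""
    return 2 ** (cost_to - cost_from)


def report(max_length=8, charset="lowercase+digits"):
    """Time to exhaust the chosen policy for each algorithm on the slide."""
    size = CHARSETS[charset]
    return {algo: humanize(seconds_to_exhaust(size, max_length, rate))
            for algo, rate in RATES.items()}


if __name__ == "__main__":
    for algo, t in report().items():
        print(f"{algo:12} every 1..8 char lowercase+digit password: {t}")
    print("raising bcrypt cost 05 -> 12 slows the attack by", bcrypt_slowdown(5, 12), "x")
```

For an 8-character lowercase-plus-digits policy the whole keyspace falls in about 16 seconds at the MD5 rate and in roughly 1.3 years at the bcrypt(05) rate; raising the bcrypt cost to 12 multiplies that by another 128. The point of the slide is the ratio, not the absolute numbers: the hardware gets faster every year, the cost parameter is what keeps pace.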
30. Gosney vs LinkedIn Password Hashes (percent cracked over time)
30 seconds   21%
2 hours      53%
1 day        64%
6 days       90%
32. OWASP Top Ten (2013)
A3: Cross-Site Scripting (XSS)
A1: Injection
A2: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Controls
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
34. Cross-Site Scripting (XSS)
• Stored
  • Attacker's script is stored on the server (e.g. blog comments, forums) and later displayed in HTML pages, without proper filtering
• Reflected
  • HTML page reflects user input data back to the browser, without sanitizing the response
• DOM Based
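The common fix for the stored and reflected cases on this slide is the same: encode at output time, for the context the value lands in. As an added illustration that is not part of the deck, the Python below shows a reflected search page with and without output encoding, plus a link renderer for the attribute context, where encoding alone is not enough and the URL scheme has to be restricted as well. The page markup, function names and the test input are constructed for the example.

```python
import html
from urllib.parse import urlparse


def render_search_vulnerable(query):
    """Reflected XSS: the query parameter is copied straight into the page.
    Kept only as the 'before' picture; not something to deploy."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Same page with output encoding. html.escape turns < > & " ' into entities,
    so whatever the user typed can only ever render as text. Applying the same
    encoding at output time also covers stored XSS: where the string came from
    (request, database, forum post) makes no difference to the renderer."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(url, text):
    """Attribute context needs more than entity encoding: a javascript: URL passes
    html.escape untouched and still runs when clicked, so allow only http(s)
    schemes and encode what remains. Returns None when the URL is rejected."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return None
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text, quote=True)}</a>'


# Constructed test input: the textbook probe string
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print(render_link_safe("javascript:alert(1)", "click"))
    print(render_link_safe('http://example.com/?q="x"', "example"))
```

The DOM-based variant on the slide never touches the server, so this server-side encoding does not help there; the equivalent on the client is to write untrusted data with `textContent` rather than `innerHTML`.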
38. OWASP Top Ten (2013)
A5: Security Misconfiguration
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A6: Sensitive Data Exposure
A7: Missing Function Level Access Controls
A8: Cross Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
40. Notable ColdFusion Hacks in 2013
• Stolen Data Headers from the Federal Reserve Hack (Feb 2013)
• Downed US vuln catalog infected for at least TWO MONTHS (March 2013)
• Web host Linode, hackers clash over credit-card raid claim (April 2013)
• Washington Court Data Breach Exposes 160K SSNs (May 2013)
• Alleged Hacker Indicted In New Jersey For Data Breach Conspiracy Targeting Government Agency Networks (Oct 2013)
42. Demo
• Tool
  • Published Exploit Script
• Target
  • Windows Server 2008 R2
  • IIS 7.5 + ColdFusion 10 w/ Update 9
  • Secure Profile Enabled
44. If you don't secure your stuff, you are just making it easy for hackers, and they DON'T mostly come at night.
45. So should you just turn everything off and unplug it?
46. Web Application Firewall
• Web application firewalls (WAF) are used to protect web applications without the need to modify them
• Can be an appliance, server plugin, or filter
• Provide an additional layer of security
• Can react faster than changing application code
• More common in front of legacy applications
47. ModSecurity
• Open source, free web application firewall
• Apache, IIS 7, Nginx, reverse proxy
• Security Models
  • Negative Security Model
  • Positive Security Model
  • Virtual Patching
  • Extrusion Detection Model
• OWASP ModSecurity Core Rule Set Project
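The negative and positive models listed above behave very differently on input the rule author did not foresee. As an added example that is not from the deck or from ModSecurity itself, the Python below implements both models as plain request filters over a parameter dictionary: a short block-list of known-bad patterns, and an allow-list schema that names the permitted paths, parameters and value formats (which is also the shape of a virtual patch for one known-weak parameter). The paths, parameter names, patterns and sample requests are all constructed for the illustration.

```python
import re

# Negative model: a list of known-bad patterns; anything not on the list passes.
# Two illustrative rules only; a real rule set such as the OWASP CRS has hundreds.
NEGATIVE_RULES = [
    ("script tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("path traversal", re.compile(r"\.\./")),
]

# Positive model: an explicit allow-list of paths, parameters and value formats.
# Paths and formats are assumptions for the illustration. A rule written this way
# for one parameter of one page is what "virtual patching" looks like in practice.
POSITIVE_SCHEMA = {
    "/product.cfm": {"id": re.compile(r"^\d{1,9}$")},
    "/search.cfm": {"q": re.compile(r"^[\w \-]{1,64}$")},
}


def negative_check(params):
    """Block-list: return a reason if any parameter value matches a bad pattern."""
    for name, value in params.items():
        for label, rx in NEGATIVE_RULES:
            if rx.search(value):
                return f"blocked: {label} in parameter '{name}'"
    return None


def positive_check(path, params):
    """Allow-list: return a reason unless path, parameters and values all match
    the schema. Unknown paths and unexpected parameters are rejected by default."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return f"blocked: path {path} not in allow-list"
    for name, value in params.items():
        rx = schema.get(name)
        if rx is None:
            return f"blocked: unexpected parameter '{name}' for {path}"
        if not rx.match(value):
            return f"blocked: '{name}' does not match the allowed format"
    return None


def inspect(path, params):
    """Apply both models and return the verdicts side by side (None = allowed)."""
    return {"negative": negative_check(params), "positive": positive_check(path, params)}


if __name__ == "__main__":
    # constructed requests: a normal one and two of the kind a scanner sends
    for req in [("/product.cfm", {"id": "42"}),
                ("/search.cfm", {"q": "<script>x"}),
                ("/product.cfm", {"id": "1 OR 1=1"})]:
        print(req, inspect(*req))
```

The third request shows the trade-off: the block-list has no rule for it and lets it through, while the allow-list rejects it simply because a product id is not a number. The price of the positive model is the maintenance in the slide's next bullet on scanners: every page and parameter must be described, which is why it is usually applied selectively, as virtual patches, rather than site-wide.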
48. Web Vulnerability Scanners
• Provide automated way to test web application for vulnerabilities
• Static vs Dynamic Analysis
• Can be challenging to setup authentication and session management
• Can't improvise, every web application is unique
• Usually integrated as part of Secure Software Development Life Cycle (SSDLC)
49. Book
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition
by Dafydd Stuttard and Marcus Pinto
John Wiley & Sons © 2012 (912 pages)
ISBN: 9781118026472
51. Resources
• Tools
  • sqlmap
  • BeEF
  • Metasploit
• Virtual Machines/Live CDs
  • Kali Linux
  • Samurai Web Testing Framework
  • OWASP Broken Web Apps
52. Resources
• Security Benchmarks/Guides
  • CIS Benchmarks
  • DISA STIG
  • Microsoft Security Compliance Manager
• Securing/Patching ColdFusion
  • ColdFusion 9 Server Lockdown Guide (pdf)
  • ColdFusion 10 Server Lockdown Guide (pdf)
  • ColdFusion 11 Server Lockdown Guide (pdf)
  • Unofficial Updater 2
53. Resources
• OWASP Top Ten 2013
• Shodan: The scariest search engine on the Internet
• Report: Crematoriums To Caterpillars Shodan Reveals Internet Of Things
• Google Hacking Database (GHDB)
55. Resources
• Web Vulnerability Scanners
  • Dynamic Scanner
    • Cenzic Hailstorm
    • HP WebInspect
    • IBM Security AppScan
  • Static Scanner
    • HP Fortify Static Code Analyzer
    • VeraCode Static
• Intercepting Proxies
  • Burp Suite
  • OWASP Zed Attack Proxy (ZAP)
56. Books
SQL Injection Attacks and Defense, Second Edition
by Justin Clarke
Syngress Publishing © 2012 (576 pages)
ISBN: 9781597499637
Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes and David Lindsay
Syngress Publishing © 2011 (290 pages)
ISBN: 9781597496049
XSS Attacks: Cross Site Scripting Exploits and Defense
by Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov and Anton Rager
Syngress Publishing © 2007 (479 pages)
ISBN: 9781597491549
Penetration Tester's Open Source Toolkit, Third Edition
by Jeremy Faircloth
Syngress Publishing © 2011 (465 pages)
ISBN: 9781597496278
57. References
• Free Commercial Reports
  • Mandiant
    • M-Trends 2015 (April 2015)
    • APT1: Exposing One of China's Cyber Espionage Units (Feb 2013)
  • VeraCode
    • State of Software Security Report Volume 5 (April 2013)
58. References
• Heartbleed
  • More than 300k systems 'still vulnerable' to Heartbleed attacks
  • Heartbleed Hack Still a Threat Six Months After Discovery
59. References
• Target
  • Sources: Target Investigating Data Breach
  • Email Attack on Vendor Set Up Breach at Target
  • Data breach hits Target's profits, but that's only the tip of the iceberg
60. References
• Home Depot
  • Home Depot Hit By Same Malware as Target
  • Home Depot: 56M Cards Impacted, Malware Contained
61. References
• Adobe Password Hack
  • Adobe Breach Impacted At Least 38 Million Users
  • How an epic blunder by Adobe could strengthen hand of password crackers
  • Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder
  • Top 100 Adobe Passwords
  • XKCD Crossword Puzzle
62. References
• Password Cracking
  • Jeremi Gosney - Password Cracking HPC - Passwords^12 Presentation (pdf)
  • Jens Steube - Exploiting a SHA1 Weakness in Password Cracking - Passwords^12 Presentation (pdf)
  • New 25 GPU Monster Devours Passwords In Seconds
  • Oh great: New attack makes some password cracking faster, easier than ever
  • Why passwords have never been weaker - and crackers have never been stronger
  • The Final Word on the LinkedIn Leak
  • How I became a password cracker
  • Project Erebus v2.5
  • SHA-1 crypto protocol cracked using Amazon cloud computing resources
63. References
• Recent Hacks
  • SQL Injection Flaw Haunts All Ruby on Rails Versions (Jan 2013)
  • Critics: Substandard crypto needlessly puts Evernote accounts at risk (March 2013)
  • Huge attack on WordPress sites could spawn never-before-seen super botnet (April 2013)
  • Why LivingSocial's 50-million password breach is graver than you may think (April 2013)
  • Yahoo! Blind SQL Injection could lead to data leakage (April 2013)
  • Common Web Vulnerabilities Plague Top WordPress Plug-Ins (June 2013)
  • WordPress Fixes Remote Code Execution Flaw With 3.6.1 Release (Sept 2013)
64. References
• Recent Hacks
  • New York Times Hacked Again, This Time Allegedly by Chinese (Jan 2013)
  • AP Twitter feed hacked; no attack at White House (April 2013)
  • Dev site behind Apple, Facebook hacks didn't know it was booby-trapped (Feb 2013)
  • IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites (May 2013)
  • Hackers exploit critical IE bug; Microsoft promises patch (Sept 2013)
  • Many Flash, Java Users Running Older, Vulnerable Versions (Sept 2013)
  • Adobe To Announce Source Code, Customer Data Breach (Oct 2013)
  • Thousands of Sites Hacked Via vBulletin Hole (Oct 2013)
65. References
• XSS Attacks
  • Persistent XSS Vulnerability Plagues WordPress Plugin (April 2015)
  • Researcher Gets $5,000 for XSS Flaw in Google Apps Admin Console (Jan 2015)
  • Drupal Patches XSS Vulnerability in Spam Module (Sept 2014)
  • Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed (Jan 2014)
  • Security company says Nasdaq waited two weeks to fix XSS flaw (Sept 2013)
  • Apple Store Vulnerable to XSS (June 2013)
  • PayPal Site Vulnerable to XSS Attack (May 2013)
66. Shellshock
• Series of vulnerabilities in how Bash processes environment variables
• CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
• Allows for remote code execution
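The reason a Bash bug in environment-variable handling became a web problem is CGI: the gateway copies request headers into the environment of the script it runs, so a header value beginning with a Bash function definition reached the vulnerable parser. As an added example that is not part of the deck, the Python below does two defensive things with that signature: flags request headers that carry it (the check WAF and IDS rules used at the time) and scrubs a CGI environment of such values as a stop-gap for hosts waiting on the patched packages. The header names, the environment mapping and the sample requests are constructed for the illustration.

```python
import re

# An unpatched Bash imported any environment variable whose value began with "() {"
# as a function definition and kept interpreting what followed the closing brace.
# CGI exports request headers as HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE and so on,
# which is the path from a web request to that parser. The prefix is the signature.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")   # strict: value *starts* as a function definition
FUNC_ANYWHERE = re.compile(r"\(\)\s*\{")     # loose: for matching request headers in logs/IDS


def shellshock_headers(headers):
    """Names of request headers whose value carries the Bash function-definition marker."""
    return [name for name, value in headers.items() if FUNC_ANYWHERE.search(value)]


def cgi_env_from_headers(headers):
    """How a CGI gateway names header variables: HTTP_ + upper-case, '-' becomes '_'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def scrub_cgi_environment(env):
    """Defensive copy of a CGI environment without any variable whose value Bash
    would parse as a function definition. Only the strict leading-prefix form is
    removed, because that is the only form the vulnerable import logic acted on.
    A stop-gap for hosts that cannot patch immediately; the fix is the updated Bash."""
    return {k: v for k, v in env.items() if not FUNC_PREFIX.match(v)}


# Constructed requests: one ordinary, two carrying the marker in different headers.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "Referer": "http://example.com/"},
    {"User-Agent": "() { :; }; echo probe", "Referer": "-"},
    {"Cookie": "session=abc; x=() {  :;}", "Host": "example.com"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        hits = shellshock_headers(req)
        env = scrub_cgi_environment(cgi_env_from_headers(req))
        print("flagged headers:", hits, "| env kept:", sorted(env))
```

The third request shows why detection and mitigation use different patterns: the marker sits in the middle of the cookie, so it is worth logging, but Bash only imported values that started with the prefix, so the scrubber leaves that variable alone. Marker-in-header detection also belongs in the access log review, since the six CVEs listed above were all exercised through exactly these headers.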
67. References
• Shellshock
  • What is #shellshock?
  • RedHat: Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169)
  • How do I secure Apache against the Bash Shellshock vulnerability?
  • Shellshock Exploits Spreading Mayhem Botnet Malware