• In your host machine
  1. Install Zed Attack Proxy (ZAP): https://github.com/zaproxy/zaproxy/wiki/Downloads
  2. Make sure that ZAP listens @ 127.0.0.1:8080
http://pralab.diee.unica.it 4
Practical session - setup
• In your host machine
  1. Go to Settings->Dynamic SSL certificates
  2. Save the ZAP root CA (owasp_zap_root_ca.cer) within a folder of your choice
Practical session - setup
• From your host machine
  1. Open your browser (Firefox): Preferences->Security&Privacy->Certificates->Authorities
  2. Open owasp_zap_root_ca.cer
  3. Trust the ZAP CA for web sites
Practical session - setup
• From your host machine
  1. Install Firefox - Web Browser: https://www.mozilla.org/it/firefox/new/
  2. Open your browser (Firefox)
  3. Settings->General->Proxy server->Settings
Practical session - setup
• From your host machine
  1. Open your browser (Firefox)
  2. Settings->Advanced->Network->Settings
Practical session - setup
• From your host machine
  1. Open your browser (Firefox)
  2. Go to an HTTPS-enabled site (e.g. Google)
Main Security Goals
– Confidentiality
  • ensure that (sensitive) information is disclosed to authorized parties only
– Integrity
  • prevent unauthorized modification of data (data integrity), including system code and (ab)use of system functionalities (system integrity)
– Availability
  • guarantee that data and services can be accessed (in a reasonable time) by authorized parties when requested
Information System Security
NOTE: Violations in one category may enable violations in any other category! Examples:
• Password theft (confidentiality violation) may allow attackers to perform unauthorized modifications of user data (data integrity violation)
• A buffer overflow attack (system integrity violation) may allow attackers to gather private data
– Once abuse is detected, attack protection is typically achieved by service providers adding security checks to better describe how legitimate inputs are
– Take away: think about how the intended functionalities of your web applications can be abused, even if inputs are legitimate!
OWASP Broken Web Applications Project
1. Install VirtualBox: https://www.virtualbox.org/
2. Download the OVA archive: https://sourceforge.net/projects/owaspbwa/files/1.2/
3. Import the OVA archive into VirtualBox
Practical session with OWASP BWA
Practical session
• Vulnerable services setup
  – Set up a NAT (port forwarding) rule. Make sure that the Guest IP is correct; it should be displayed in the OWASP BWA shell at startup
Practical session
• From your host machine
  1. Open your browser (Firefox)
  2. Go to http://127.0.0.1:8888
The following is a successful (authorized) request on the web server.
What about its confidentiality? It is not handled! The underlying protocol is HTTP and all data is transferred in clear text through TCP.
What about its authentication? It is handled through the Authorization header (Basic Authentication).
Confidentiality
Confidentiality
Authorization: Basic cm9vdDpvd2FzcGJ3YQ==
Exercise: what are the credentials associated to the previous header?
Basic authentication transfers username and password in clear text! The Authorization field is constructed as follows:
• The username and password are combined with a single colon (:)
• The resulting string is encoded into an octet sequence
• The resulting string is encoded using a variant of Base64
• The authorization method and a space (e.g. "Basic ") are then prepended to the encoded string
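An added example (not from the slides) that reverses the construction just described: it parses the Authorization header out of a captured request, splits on the first colon as RFC 7617 requires, and flags requests where Basic credentials travelled over plain HTTP. The captured requests are constructed for the example; the second one is not from the OWASP BWA machine.

```python
import base64
import binascii

# Constructed sample capture (not from the original slides): one request over plain
# HTTP and one over HTTPS, each carrying a Basic Authorization header.
CAPTURED_REQUESTS = [
    ("http", "GET / HTTP/1.1\r\nHost: 127.0.0.1:8888\r\n"
             "Authorization: Basic cm9vdDpvd2FzcGJ3YQ==\r\n\r\n"),
    ("https", "GET /admin HTTP/1.1\r\nHost: example.test\r\n"
              "Authorization: Basic YWxpY2U6cGE6c3M=\r\n\r\n"),
]


def decode_basic(header_value):
    """Return (username, password) from a 'Basic <base64>' header value.

    RFC 7617: user-id and password are joined by a single colon and the result
    is Base64-encoded, so only the FIRST colon separates the two (passwords may
    themselves contain colons).
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in credentials")
    return user, password


def audit_request(scheme, raw_request):
    """Return (username, exposed) where exposed is True when Basic credentials
    were sent without transport encryption. The password is parsed, not kept."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            user, _password = decode_basic(value)
            return user, scheme.lower() != "https"
    return None, False


def audit_all(captures=CAPTURED_REQUESTS):
    """Audit every captured request; the plain-HTTP one is reported as exposed."""
    return [audit_request(scheme, req) for scheme, req in captures]
```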
• Data should be exchanged using:
  – HTTPS with strong ciphers and additional headers for security: https://cipherli.st
  – SSL certificate with trusted Certificate Authorities
    • No excuses! You can get them for free using https://letsencrypt.org
  – HTTPS must be enforced
• However, preserving data confidentiality is not just a matter of data transport
  – How is it stored and how can it be accessed (including backups)?
  – Authentication and access control
How do I protect against Confidentiality violations?
• From the left menu
  – Malicious Execution->Malicious File Execution
  – The page allows one to upload/display (read) an image
OWASP WebGoat
• Let’s check out requests and responses in ZAP
  – To understand what the backend web application interpreter is
OWASP WebGoat
Our first guess is that there is a JavaServer Pages (JSP) interpreter
• In JSP (like PHP), programs are written within files that are read and interpreted at runtime
  – Any file with a name which ends with a specific extension (e.g., .jsp) is executed by the interpreter
  – Key security question:
    • does the application check the extension and content of the uploaded files?
• Let’s try to upload a file browser program written in JSP…
  • http://www.vonloesch.de/files/browser.zip
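An added example of what the "key security question" looks like when answered properly: an upload check that enforces an image-only allowlist on the final extension, rejects double extensions and path tricks, verifies the file content against the magic bytes of the declared type, and lets the server (not the client) choose the stored name. This is illustrative Python, not WebGoat's own (Java) upload code; the allowlist and size limit are assumptions of the example.

```python
import os
import secrets

# Allowlist of image types the upload routine accepts, keyed by extension,
# each with the magic bytes a real file of that type must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for the example


def validate_upload(filename, content):
    """Return the extension to store the file under, or raise ValueError.
    Both the name (extension) and the bytes (content) are checked."""
    if not content or len(content) > MAX_UPLOAD_BYTES:
        raise ValueError("empty or oversized upload")
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        raise ValueError("path separators or NUL in file name")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension is required (no 'x.jsp.png')")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} is not an image type")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("file content does not match the declared image type")
    return ext


def is_rejected(filename, content):
    """True when validate_upload refuses the file (handy for logging/tests)."""
    try:
        validate_upload(filename, content)
    except ValueError:
        return True
    return False


def store_name(filename, content):
    """Server-chosen name: random token plus the validated extension, so the
    client never controls where or under what name the file is written."""
    ext = validate_upload(filename, content)
    return f"{secrets.token_hex(16)}.{ext}"
```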
OWASP WebGoat
• Oh… we were able to upload the JSP file...
  – Let’s execute it (right click, view image)
OWASP WebGoat
• Oh... The JSP file is actually executed and gives us a full-featured file browser
  – with read/write permissions on the filesystem!
OWASP WebGoat
Targets: file (up)load routine of the web application
Interpreter: web application server (typically)
An insecure handling of external/uploaded files allows the attacker to convert input data into (arbitrary) application code
A6:2010 Malicious File Execution
[Diagram: HTTP(S) client (HTML, CSS, images, JavaScript, Flash, Silverlight, PDF reader) and HTTP(S) server (application, database); the external file (up)load routine is the target]
• Let’s play with Wordpress
Wordpress
• OK, it appears that we are in front of WP 2.0
  – Plugin Spreadsheet v0.6 as well as MyGallery 1.2.1 installed
Wordpress
• Let’s find a suitable exploit
Wordpress
• OWASP TOP A1-2013
  – Found SQL Injection exploit for plugin spreadsheet v.0.6
    • https://www.exploit-db.com/exploits/5486/
Wordpress
• You may launch the exploit using your browser
  – http://localhost:8888/wordpress/wp-
[Screenshot label: password hash]
NOTE: no errors on the DB side. Why?
Because we injected the SQL query so that it generates one more row,
– containing exactly the expected number of columns (4 in this case)
– putting in the string field (n. 2) the char-separated (0x3a) concatenation of the desired info (user_login, user_pass, user_email)
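An added example (not the plugin's code) that reproduces the reasoning above on a constructed SQLite database: the unsafe query splices the input into the statement, so a UNION with the same 4 columns adds one well-formed row and no error is raised; the parameterized version binds the same input as a value and returns nothing. The table names, columns and the hash value are constructed for the example; SQLite's `||` and `char(58)` stand in for MySQL's `concat(..., 0x3a, ...)`.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample (not the WordPress DB from the slides)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE spreadsheet(id INTEGER, title TEXT, nrows INTEGER, ncols INTEGER);
        INSERT INTO spreadsheet VALUES (1, 'budget', 10, 4);
        CREATE TABLE users(user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO users VALUES ('admin', '$P$constructed_hash', 'admin@example.test');
    """)
    return db


def fetch_unsafe(db, sheet_id):
    # Insecure pattern: untrusted input becomes part of the SQL text itself.
    sql = f"SELECT id, title, nrows, ncols FROM spreadsheet WHERE id = {sheet_id}"
    return db.execute(sql).fetchall()


def fetch_safe(db, sheet_id):
    # Fix: the value is bound as a parameter, so it is compared, never parsed.
    # A text payload simply fails to equal any integer id and yields no rows.
    sql = "SELECT id, title, nrows, ncols FROM spreadsheet WHERE id = ?"
    return db.execute(sql, (sheet_id,)).fetchall()


# The injected text described on the slide, written for SQLite: it adds one
# row with the expected 4 columns and packs login:hash:email (0x3a = ':')
# into the string column (n. 2), so the DB reports no error at all.
UNION_PAYLOAD = ("1 UNION SELECT 1, user_login || char(58) || user_pass"
                 " || char(58) || user_email, 3, 4 FROM users")


def leaked_credentials(db):
    """Column 2 of every row the unsafe query returns beyond the genuine ones."""
    genuine = fetch_unsafe(db, 1)
    return [row[1] for row in fetch_unsafe(db, UNION_PAYLOAD) if row not in genuine]
```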
• Let’s find out the password through brute force
  – We can use an online web service: https://crackstation.net
  – In a more realistic case, attackers may use “offline” tools such as John The Ripper: http://www.openwall.com/john/
Wordpress
• Now that we have both username and password
  – The login URL for WordPress is at /wp-login.php
Wordpress
• We are in (with administrative privileges)
  – The website is now 0wned by us (the end)
Wordpress
Targets: insecure API between web application and database
Interpreter: database backend
An insecure API between application and database allows the attacker to convert input data into (arbitrary) DB queries