Intro to Ethical Hacking - community.mis.temple.edu

Intro to Ethical Hacking - community.mis.temple.edu

INTRO TO ETHICAL HACKING MIS 5211.001 Week 10 Site: http://community.mis.temple.edu/itacs5211f all16/ Tonight's Plan Web Application Security MIS 5211.001

2 Web Application Security First (and nearly only) Rule Never Trust User Input MIS 5211.001 3 Where Do We Start

For web application security and web application penetration testing Owasp.org MIS 5211.001 4 OWASP

OWASP stands for the Open Web Application Security Project Founded in 2001 as a charitable organization dedicated to improving Web Application Security Creators and publishers of the OWASP top 10 Hosts numerous Web App tools and projects

MIS 5211.001 5 The OWASP Top 10 OWASP Top 10 2013 2013-A1 Injection 2013-A2 Broken Authentication and Session Management 2013-A3 Cross Site Scripting (XSS) 2013-A4 Insecure Direct Object References 2013-A5 Security Misconfiguration 2013-A6 Sensitive Data Exposure 2013-A7 Missing Function Level Access Control

2013-A8 Cross-Site Request Forgery (CSRF) 2013-A9 Using Known Vulnerable Components (NEW) Source: 2013-A10 Unvalidated Redirects and Forwards http://owasptop10.googlecode.com/files/O WASP_Top-10_2013%20-% 20Presentation.pptx MIS 5211.001 6

New Top Ten Coming Soon OWASP is working on an update for 2016 https:// www.owasp.org/index.php/Category:OWASP _Top_Ten_Project MIS 5211.001 7 Injection

Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources. https:// www.owasp.org/index.php/Top_1 0_2013-A1-Injection MIS 5211.001

8 Injection Finding a way to send text to a web application or browser that is interpreted as a command or code Tricks systems or browsers in to taking action MIS 5211.001

9 Broken Authentication and Session Management Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. https://

www.owasp.org/index.php/Top_10_2013-A 2-Broken_Authentication_and_Session_Ma nagement MIS 5211.001 10 Broken Authentication and Session Management Steal an identity, and use it.

MIS 5211.001 11 Cross Site Scripting (XSS) Attacker sends text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database. https://www.owasp.org/index.php/Top_10

_2013-A3-Cross-Site_Scripting_(XSS MIS 5211.001 ) 12 Cross Site Scripting (XSS) Can be as simple as MIS 5211.001

13 Insecure Direct Object References Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isnt authorized for. Is access granted? https:// www.owasp.org/index.php

/Top_10_2013-A4-Insecure _Direct_Object_References MIS 5211.001 14 Insecure Direct Object References Keep in mind, Authorized User does not necessarily mean Admin. Just a user that is allowed on the web site. If public,

that means everyone. MIS 5211.001 15 Security Misconfiguration Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.

https:// www.owasp.org/index.php/Top_10 _2013-A5-Security_Misconfigurati on MIS 5211.001 16 Security Misconfiguration Remember those Google searches from Reconnaissance? For instance: intitle:"Test Page

for Apache" MIS 5211.001 17 Sensitive Data Exposure Attackers typically dont break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the users

browser. https:// www.owasp.org/index.php/Top_10_201 MIS 5211.001 18 Sensitive Data Exposure Example: A site simply doesnt use SSL for all authenticated pages. Attacker

simply monitors network traffic (like an open wireless network), and steals the users session cookie. MIS 5211.001 19 Missing Function Level Access Control Attacker, who is an authorized system user, simply changes the URL or a

parameter to a privileged function. Is access granted? Anonymous users could access private functions that arent protected. https:// www.owasp.org/index.php/Top_10_2013-A7MIS 5211.001 20 Missing Function Level Access Control

Example from OWASP: http://example.com/app/getappInfo http://example.com/app/admin_getappInfo MIS 5211.001 21 Cross-Site Request Forgery (CSRF) Attacker creates forged HTTP requests

and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds. https://www.owasp.org/index.php/Top_10_2 013-A8-Cross-Site_Request_Forgery_(CSRF ) MIS 5211.001 22 Cross-Site Request Forgery

(CSRF) Example from OWASP http://example.com/app/transferFunds? amount=1500&destinationAccount=4673243243 MIS 5211.001

23 Using Components with Known Vulnerabilities Attacker identifies a weak component through scanning or manual analysis. He customizes the exploit as needed and executes the attack. It gets more difficult if the used component is deep in the application.

https:// www.owasp.org/index.php/Top_10_2013-A9-Usi MIS 5211.001 ng_Components_with_Known_Vulnerabilities 24 Using Components with Known Vulnerabilities Example from OWASP

Spring Remote Code Execution Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server. MIS 5211.001 25 Unvalidated Redirects and Forwards Attacker links to unvalidated redirect and

tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks. https:// www.owasp.org/index.php/Top_10_2013-A10Unvalidated_Redirects_and_Forwards MIS 5211.001 26 Unvalidated Redirects and Forwards

Example from OWASP http:// www.example.com/redirect.jsp?url=evil.com MIS 5211.001 27 Now What

So, all of this is interesting, but does that have to do with penetration testing Or, to put it another way. How de we exploit these issues? First step: Intercepting Proxies MIS 5211.001

28 Whats an Intercepting Proxy In this instance, an intercepting proxy is software that acts as a server and sits between the web browser and your internet connection Examples Burp Suite

Webscarab Paros MIS 5211.001 29 Some Rules for Our Use of Intercepting Proxies

For this course Monitor and record ONLY Do not inject or alter any traffic unless you personally own the web site. Well save changing traffic in the next course MIS 5211.001 30 Burp Suite

Start Burp Suite by logging in to Kali and selecting Burp Suite from: Kali Linux>Web Applications>Web Application Proxies>burpsuite MIS 5211.001 31 Burp Suite

MIS 5211.001 32 Getting Started Once burpsuite is running, you will need

to start and configure a browser Kalis web browser is Iceweasel, an adaptation of Firefox After starting Iceweasel, navigate to preferences And select it MIS 5211.001 33 Configuring the Network Proxy

Navigate to the Network Tab and select settings for Connection MIS 5211.001 34 Configuring the Network Proxy

Change selection from Use system proxy settings to Manual proxy configuration and enter 127.0.0.1 for HTTP Proxy and 8080 for Port Also, select check box for Use this proxy server for all protocols Select OK when done Browser is now setup to use burpsuite See next slide for example

MIS 5211.001 35 Configuring the Network Proxy MIS 5211.001 36 Should Look Like This MIS 5211.001

37 Now We Can Test In browser, navigate to google.com Browser will hang and look busy Select the Proxy tab in burpsuite Burpsuite is waiting for you, select forward

MIS 5211.001 38 Browser Knows Something is Up Select I understand the Risks and follow prompts to add an exception MIS 5211.001 39

Browser Knows Something is Up MIS 5211.001 40 Continuing

You may have to hit forward a number of times You may want to click Intercept is on to turn it off and save hitting the forward button Eventually, all traffic is forwarded. Now, select HTTP history and see what you have MIS 5211.001 41 Results

Your traffic MIS 5211.001 42 More Results MIS 5211.001 43

More Results MIS 5211.001 44 Saving Our Results Under Repeater, select Action, then select Save Entire History

MIS 5211.001 45 Now, Lets Go Somewhere More Interesting Restart burpsuite and turn intercept off Now navigate to temple.edu and look

around the sitetemple.edu Look over the results MIS 5211.001 46 Temple.edu MIS 5211.001 47 Some Basics

What can we tell from this? First we can see what we are telling temple about us Web Browser is Iceweasel, a derivative of Firefox What versions we are running Cookies What exactly is If-None-Match: 14144161881? MIS 5211.001

48 But Wait, Theres More As Darth Vader says Come to the Dark Side, Weve got Cookies Or worse Hex MIS 5211.001

49 Weve Got Both Sides Note: Theres both a request and a response tab. MIS 5211.001 50 A Few Interesting Things

Google Adds Other outside references MIS 5211.001 51 Check The Alerts

A few things to look at MIS 5211.001 52 What Now If this was a real Web App Test Navigate the web site recording everything Review looking for interesting leads to follow Set Proxy to crawl site

(DO NOT DO THIS FOR THIS COURSE) MIS 5211.001 53 If Few More Things This is the Free version of

burpsuite Some of the more interesting features are turned off or limited Scanner Intruder http:// portswigger.net/burp/downlo ad.html

MIS 5211.001 54 If Few More Things We covered just one proxy Different proxies have different strengths and weaknesses For instance, Webscarab will flag

potential XSS automatically MIS 5211.001 55 Poor Man's Substitute In Internet Explorer F12 Developer Tools Allows user to at least see the code loaded in browser Often worth looking at as developers

sometimes leave comments MIS 5211.001 56 Next Week Introduction to SQL Injection MIS 5211.001

57 Questions ? MIS 5211.001 58

Recently Viewed Presentations

  • Alaska Nurses Association

    Alaska Nurses Association

    ALASKA NURSES ASSOCIATION Celebrating 50 Years * AaNA was first organized in 1951 with 49 members. By 1957, there were 8 districts and 248 members. Admitted to ANA 1951 (the 52nd state nurses association) Prior to becoming an SNA, the...
  • Measuring the impact of RIS NÖ

    Measuring the impact of RIS NÖ

    Innovation assistant mid term results Duration: 2002 - 2004 within the Regional Program of Innovative Actions (RPIA) Lower Austria 2004 - 2006 within the standard funding programme of the department of economy and technology of the Lower Austrian Government Since...
  • Lecture 1: Course Introduction and Overview

    Lecture 1: Course Introduction and Overview

    Chunks of resources (CPUs, Memory Bandwidth, QoS to Services) ... If task A cannot even gain access to task B's data, no way for A to adversely affect B. ... Important measure: Average Access time = (Hit Rate x Hit...
  • School initiative

    School initiative

    The GOAL . To implement a model of residential group care that works with youth, their families and other community partners to prepare them for success after leaving placement.. It is designed for use
  • A növekedést megalapozó versenystratégiák választéka

    A növekedést megalapozó versenystratégiák választéka

    Ansoff-féle termék piaci mátrix JELENLEGI TERMÉK ÚJ TERMÉK JELENLEGI PIAC PIACI BEHATOLÁS (Fenntartás és visszavonulás) TERMÉK-FEJLESZTÉS ÚJ PIAC PIAC-FEJLESZTÉS DIVERZIFIKÁCIÓ Piaci behatolás stratégiája A vállalat meglevő termékeire támaszkodva, a már ismert piacon kíván működni, és piaci részarányának ...
  • www.goodtogreatschools.org.au

    www.goodtogreatschools.org.au

    Sentence. Question. The function of the prepositional phrase is to tell me about… 1. Gary ran on the track. When? How? Where
  • The french revolution begins

    The french revolution begins

    France was considered the most advanced country in all of Europe. Their culture was highly praised and often imitated. The appearance of success was deceiving- there was a great unrest in France because of bad harvests, high prices and taxes,...
  • Week of: November 18, 2019 Dates to Remember:

    Week of: November 18, 2019 Dates to Remember:

    We will discuss adages and proverbs. Going forward, Spelling Tests will count as a formative grade. Math: We will be working on chapter 3. This chapter focuses on multiplying two-digit by two-digit numbers. Science: Social Studies: Civics and Government.