Monday, July 13, 2009
OWASP NZ: Vulnerabilities in Action: Brett Moore, Insomnia Security

If you don't own the 3 OWASP books, you've failed.

We're still facing the same vulnerabilities we already have, because we are doing something wrong. Maybe it's security professionals that are doing something wrong, by not educating developers properly.

Big security companies still having problems with their websites.

Most vulnerabilities are well known.

Security people don't write code. developers do. They don't "get" security:

  • Don't fix the root cause
  • Don't understand the threat
  • Most have never seen a vulnerability exploited

Sitting down with developers and stepping them through a vulnerability helps show them the light and they understand and think about vulnerabilities.

Talk today designed to show developers exploits in action.

Tools showed:

  • Burp - proxy tool for intercepting requests
  • A custom sitemap tool that Insomnia uses
  • An MS-SQL Enumeration tool that takes a vulnerable url and pulls out all the DB info using the master db to enumerate tables
  • ASPX Spy - if you can get this ASP.NET file up on to a server and run, it provides a UI for playing around with the OS.
  • SQL Map - an automatic SQL injection tool - can enumerate the DB, even if the data is not displayed by inferring the state of the db based on the page output.

Problems shown:

  • Robots.txt is not a place to list parts of your site that you don't want people to know about :)
  • Buying -1 quantity of a $1000 book leads to the users credit on the shopping site increasing by $1000 :)
  • XML parsing vulnerability that allows external entities to be referenced in the XML provided to a web service - which can pull the contents of a file off the server.
  • Query string parameters passed to the command interpreter, and used for file names.
  • PHP include let's you include PHP source from another web server (looks like you need to disable URL fopen wrappers).
  • Only securing GET requests to an admin directory.
  • Showed a fake version of the CCIP website with multiple problems.
  • Admin interface for a website is exposed to the internet.

Open questions:

  • Who owns server configuration? Architects, developers, system administrators? If server or framework config changes, then we're insecure.
  • Is it security professionals job to make sure problems are corrected?
 |  | 
posted on Monday, July 13, 2009 10:37:46 AM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Related posts:
Syntax support for HTML Encoding in ASP.NET 4
Code Camp Auckland 2009 - Development | SQL | Security
OWASP NZ: PCI-DSS for OWASP Practitioners: Dean Carter, security-assessment.com
OWASP NZ: Application Bug Chaining: Mark Piper, Catalyst IT
OWASP NZ: Exploiting Firefox Extensions: Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
OWASP NZ: Testing Web Services: Nick van Dadelszen, Lateral Security
Comments are closed.
Navigation
Home
About
Code Camp
Wellington Groups

 RSS 2.0 | Send mail to the author(s)

Categories
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Blogroll

Archive
<July 2009>
SunMonTueWedThuFriSat
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678


February, 2010 (1)
January, 2010 (1)
December, 2009 (1)
October, 2009 (3)
September, 2009 (3)
August, 2009 (6)
July, 2009 (6)
June, 2009 (2)
May, 2009 (4)
April, 2009 (1)
March, 2009 (3)
February, 2009 (8)
January, 2009 (3)
December, 2008 (10)
November, 2008 (10)
October, 2008 (21)
September, 2008 (16)
August, 2008 (7)
July, 2008 (1)
June, 2008 (7)
May, 2008 (3)
April, 2008 (8)
February, 2008 (4)
January, 2008 (1)
December, 2007 (1)
November, 2007 (8)
September, 2007 (10)
August, 2007 (5)
July, 2007 (9)
June, 2007 (25)

Month View

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010 Kirk Jackson

Theme design by Jacob Hodges with newtelligence dasBlog 1.9.6264.0

Sign In
Pick a theme: