OWASP 2017 Top 10

Web Application Security (7 h 7 m)

  • OWASP Top 10 - 2017
    • A1 Injection: Exploit
    • A1 Injection: Mitigate
    • A1 Injection: Breakdown
    • A2 Broken Auth: Exploit
    • A2 Broken Auth: Mitigate
    • A2 Broken Auth: Breakdown
    • A3 Sensitive Data Exposure: Exploit
    • A3 Sensitive Data Exposure: Mitigate
    • A3 Sensitive Data Exposure: Breakdown
    • A4 XML External Entities: Exploit
    • A4 XML External Entities: Mitigate
    • A4 XML External Entities: Breakdown
    • A5 Broken Access Control: Exploit
    • A5 Broken Access Control: Mitigate
    • A5 Broken Access Control: Breakdown
    • A6 Security Misconfiguration: Exploit
    • A6 Security Misconfiguration: Mitigate
    • A6 Security Misconfiguration: Breakdown
    • A7 Cross-Site Scripting (XSS): Exploit
    • A7 Cross-Site Scripting (XSS): Mitigate
    • A7 Cross-Site Scripting: Breakdown
    • A8 Insecure Deserialization: Exploit
    • A8 Insecure Deserialization: Mitigate
    • A8 Insecure Deserialization: Breakdown
    • A9 Components w/ Known Vulnerabilities: Exploit
    • A9 Components w/ Known Vulnerabilities: Mitigate
    • A9 Using Components Known Vulnerability Breakdown
    • A10 Insufficient Logging and Monitoring

A1 Injection: Exploit

Episode length: 14 min

Episode Description

In this episode, Daniel demonstrates exploiting Justin's web application through SQL Injection.

Transcript

All right, so let's run it slowly. Have you installed anything that might, or at least recently that might cost us?
>> I did actually.
>> All right, yeah, a lot of times, they'll bundle.
>> Hey Daniel, just finished that e-commerce app for our new client, can you check it out?
>> Yeah, I'll totally take a look at that, just give me one.
>> Like right now.
>> Okay, so yeah, I hope there's, and [INAUDIBLE] there are no manner, so I guess. All right, so let's see what was so important. All right, e-commerce site, some of these links look. I do keep seeing ID equals one in your URLs, which can lead to SQL injection from time to time. So let me just play around with that, and I am dumping database data to the front end of this app all day. Where did you say you were before you came here?
>> At.
>> All right, they had a huge data breach using sequence X, all right.
>> I don't remember, but the seventh package is nice.
>> Welcome to ITPRO.TV, I'm your host on the trend live from San Francisco's. [MUSIC]
>> You're watching ITPRO TV.
>> Greetings everyone, and welcome back to another exciting episode of ITPRO TV. I'm your host, Justin Dennison, and as you've seen, we're gonna be playing around with OWASP, hopefully, you'll enjoy that, and also set the scene, so to speak. And here to help us understand this exploit about for injection attacks, is none other than Mr. Daniel Lowrie. How are you doing today, Daniel?
>> Doing great, Justin, glad to be here. This is an exciting show, we're really looking forward to getting into going through this. We're gonna be playing a little bit of tennis here. You'll see us swap roles as we progress through these episodes, where he's gonna help us with mitigations. I'll obviously be doing the attack phases, so you can see why they're dangerous, and then, how we can fix them. And then, we'll probably have another show where it's all about, kind of a retrospective. What else can we do?
Things we need to know, other ways in which we can see these things. So that's kind of the format of the show. It's gonna be a lot of fun. Hopefully, you guys are ready to rock with this. But here we are talking about A1 Injection, the first item on the list; it has been the first item on the list for quite some time now. It seems to be very, very popular. Why? Because of the devastation which you can wreak on your targets. So as an attacker, as a red-teamer, or however you wanna look at it, that's kinda what I'm concerned with: what kind of damage can I do? What kind of compromises can be completed using injection types of attacks? And I think a good place to start with this is, let's use the OWASP Top Ten PDF as our kind of, like, our show notes, or our template for how we're gonna proceed. So let's jump into my computer. I got Google up, and I'll just, in the search field, as you do, right, OWASP top, and you see it's starting to show up. And as of the filming of this episode, the 2017 version is the latest one out. And you can see we've already been there, because I spend a lot of time looking at this document. It's an important thing. So it's just the first link, and I'm, there we go. It's hitting it. You'll notice it kinda looks like a wiki page. OWASP, not just their top ten, has tons and tons of resources. Definitely, if you're only familiar with the top ten, that's a great gateway drug into OWASP; it's got a lot of stuff you're probably gonna wanna take a look at. Whether you're red team or blue team, or any kind of IT information security, you're gonna wanna be familiar with this organization. So it can be a little tricky to find. The first thing you'll tend to see is down here, we see 2013 and 2010, but that's not where it is. It's right here at the top, OWASP Top 10 2017 is released, and here it is available. You just click on the link, and that should open the PDF, that's right here.
I will make a little zoom action happen, and let's start scrolling down now. To give you a table of contents, great, great stuff, I'll leave that to you. Here's a foreword trying to tell you about the organization, why they do this, right? Welcome to the OWASP Top Ten, but really where we want to get into is right here: it starts showing you the differences between 2013 and 2017, how things have changed. So if you're moving from that 2013 to 2017 you're gonna wanna do that. Take a look at how that's worked itself out, kinda giving you an idea of how this works out. But here we go, a short little blurb from OWASP on injection flaws. This is where we're at, A1, right? Injection. Injection flaws, such as SQL, NoSQL, OS, LDAP, so on and so forth, occur when untrusted data is sent to an interpreter as part of the command or query. The attacker's hostile data can trick the interpreter into executing unintended commands, accessing data without proper authorization. That's exactly what we're gonna show you today, with sqlmap; we're gonna do the SQL injection, tried and true, works great, and man, can you get a lot of good stuff out of a good old-fashioned SQL injection. Okay, so that's what we're gonna take a look at. You wanna break this down a little further? They do that for you, kinda giving you more specifics. This is gonna help you understand each one of these types of attacks as you work your way through them. So if you're coming from the attack perspective, such as I am right now, what I'm gonna wanna pay attention to is "is the application vulnerable," and it kinda gives me some ideas as far as that. You can go down to these references over here on the right-hand side; they'll give you more. Here, you guys can go into this "Prevention" section, how do you prevent injection; they have a lot of great stuff to help you once you get through this. And here are some attack scenarios. Specifically with SQL here, right?
Lot of great stuff, so this should be looking familiar if you're doing any kind of red stuff. Now we know what an attack is and how we can find it, cuz it's all right here, great, great stuff. Dynamic queries, non-parameterized calls without context-aware escaping, or used directly by the interpreter. Now, you can do this manually, but for time-sensitive purposes, we're just gonna automate this. Like I said, we're gonna use sqlmap. So Justin has, he's got an application, as we saw in the vignette. He's created an application, and I wasn't very thrilled with it, as the resident security person at that company. We had a lot of fun making this; hopefully, you guys liked that. Give you a little bit of funny, but also some context for the show. Because, as, we were trying to have some fun, but the scenario's probably not too far gone from what you might see in reality, as these things work themselves out. Somebody creates an application, their security person goes, let me test that, I've found an injection flaw. And here we have his site right here, so what I need from this is just its URL. So I'm gonna grab that, copy, and I'm gonna start doing some new originals. Let me bring up my Terminal. Terminal is up, and we'll use sqlmap, and throw that in there. [INAUDIBLE], and let's see here. That's, well, you probably have. I think there's your search feature that I found to be most interesting. Let me get into there.
>> Yeah, this actually hits the very first point in that list, dynamic query.
>> Right.
>> And a lot of times searches, if you're not careful, searches are great ways to take user input, and then construct a query against some kind of portion of your database, I mean, not necessarily SQL. Some kind of system that may have a command.
>> Right, or interpreter.
>> Whatever takes that user input.
>> Yep, like that's the problem. And you'll start seeing, you'll notice that the URL has just changed; we're in the search feature.
And I can just type in something and hit search. And you'll see this has changed a bit. You have search equals; sometimes, you'll see ID = 1 or whatever. Something equals something, that starts to let me know that this might be. Especially since it's reaching from a database. It's looking into a database, trying to search into it. That's what I'm looking for, SQL-type injection. So OS command injection is different. LDAP injection is different. So it just depends on what kind of app you're looking at. This is obviously SQL, so that's what we're going for. So this is the search string I wanna look for. I need this whole query here. Let me copy that out. Scroll back, don't go back here. Let me just erase this, and put that, there we go. All right, from there, I'm gonna do --dbs, cuz I need to enumerate the database. So we're gonna fire it off, and it did not like it, I'm missing something, and, yeah, the -url, that does help. And -url, like so. Is it --url? I can't remember. We'll see. Think I can just do -u. There we go, now it's working. So this is gonna crank through. It's probably gonna take a few minutes, because even though it's automation, we can't predict the timing on it. I'm not gonna make you sit here and watch this go through. I'm just gonna select any kind of defaults that it comes up with. Like this one right here, it looks like the back end is MySQL. So it discovered that, so I'm gonna hit yes. And I'm just gonna go with that. For the remaining tests, we'll wanna include all tests for MySQL, since that's what we're working with; I'm gonna go with the defaults, which is yes. And again, any of the defaults that are gonna come up, I'm just gonna stick with those. So let's take a time out, let this thing crank out, find some stuff, or if it does, and when we come back, we'll take a look at those results, and see what we've found. Okay, it didn't take too long, we're right back into it.
I already see that I have enumerated a database inside of this lovely app that Justin's got for us. And we see that here are the available databases, as I took [INAUDIBLE] would see information_schema, and then things_and_stuff, great name for a database, I know that, it's phenomenal, I like that. So now, I wanna further enumerate the database, so I'm just gonna bring up my old command, and this time, I'm going to do a, let's see here, I'll do a -D for the database, which is things_and_stuff. And then, I'm gonna do --tables. So I wanna see what kind of table data is in there, so fire that off. Single dash, yes, thank you, sir. I love when they have two-dash options and single-dash options. I totally always screw this up, but, there we go, again, it's gonna run, and then, it's gonna find, let's see, is there anything in this database? And if so, what is that stuff, and as you can see, I found two tables right here, items and users. So this is where Justin, as a user, or me, as the security guy, is already starting to go, no, this is bad, right, because it is injectable. If I wanted to enumerate those columns, I could, I can do -T for, was it, what was that called again?
>> After users, like just do -T users.
>> Yeah, is that the table, yeah. Yeah, yeah, users.
>> And then, I add --columns like that. And then, it's gonna tell me, these are the different columns in there. I wonder if there's any kind of interesting column that I might wanna take a look at as an attacker. That's what I'm hoping anyway. Columns have come back, let's see, we've got six columns, that's great. One of them is called credit_card, that's probably no good for that, right? We got users, we got passwords, so yeah, this has gotten bad real quick. I think if I do -C credit_card. Let's see if it comes back with anything. I might have to do a --dump; sometimes, you've got to dump these things. But, yeah, I might be looking at credit cards here, just momentarily. I'm getting real nervous.
Okay, so I probably had to do the dump. Does it show anything? No, it just shows [INAUDIBLE]. And it'll actually dump that data. These SQL commands [INAUDIBLE] sqlmap.
>> And this actually draws attention. Some of these tools, which are great at automating, they still have a fair amount of complexity to them.
>> Yeah.
>> However, this is something that you would normally be constructing, just trial and error, yeah, I think I can do this. And I can escape this with this comment. And the comments are dependent on the database type. But it looks like you just got a bunch of credit card information from-
>> Yeah, I'm looking at creds, man. This is where I am now, losing my mind as a security professional in our fictitious little company that we were having fun with. This is why I'm aggravated with him, because if I'm seeing stuff like this, we've really given up the ghost. Now, you can kinda understand the danger behind injection. We can go all the way to even gaining remote access to the host, right? This is just the tip of the iceberg, but, if I had slapped this on Pastebin or sold it on the dark web, I'm having a good day as a real bad actor. As a security professional, I've gotta have a talk with my boy here, and we gotta figure out a way to make this not this way. So that's what we're gonna discuss when we go into the next episode, and we look at mitigations for these things. But, hopefully now, you're starting to understand, well, how, why have injection and how dangerous they can be if someone is able to warm them. So Justin, I think I can work it up for you.
>> Well, Daniel, I'll be honest with you, that query was meant to be searching for item types. Didn't really foresee dumping user information.
>> [LAUGH]
>> But, as you brought up, this is where all the devastation occurs. And when all else fails, just remember Little Bobby Tables. But we're gonna have to come back, and see how I mitigate that, hopefully.
But the only way you're gonna see it is if you join us, but go ahead and sign off for ITPRO TV. I've been your host, Justin Dennison.
>> I'm Daniel Lowrie.
>> And we'll see you next time. [MUSIC]
>> Thank you for watching ITPRO.TV.
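The dynamic search query that Justin and Daniel describe (user input pasted into SQL text, which is what lets sqlmap walk the whole database) next to its parameterized form, as an added example that is not part of the episode or of Justin's demo application. The items table, its rows and the function names are constructed for illustration, and the database is an in-memory SQLite one rather than the MySQL back end sqlmap found in the episode; the `item_type` search mirrors Justin's remark that the query was only meant to search item types.

```python
"""Constructed example: the same 'search by item type' feature built two ways.

Nothing here is taken from the episode's application; the table, rows and
helper names are made up so the example runs offline.
"""
import sqlite3

# Constructed sample rows (id, name, item_type) for a toy "items" table.
SAMPLE_ITEMS = [
    (1, "mug", "kitchen"),
    (2, "Bob's mug", "kitchen"),
    (3, "lamp", "office"),
    (4, "desk", "office"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, item_type TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Dynamic query: the search term is spliced into the SQL string.

    A quote character in `term` ends the string literal and whatever follows
    is parsed as SQL, so the interpreter can no longer tell data from code.
    """
    sql = f"SELECT id, name FROM items WHERE item_type = '{term}' ORDER BY id"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Parameterized query: the statement shape is fixed before input arrives.

    The driver binds `term` as a value, so quotes inside it are just bytes in
    a string and never reach the SQL parser as syntax.
    """
    sql = "SELECT id, name FROM items WHERE item_type = ? ORDER BY id"
    return conn.execute(sql, (term,)).fetchall()


def compare(term):
    """Run one search term through both implementations.

    Returns (vulnerable_rows, parameterized_rows); vulnerable_rows is the
    string "error" when the dynamic query fails to parse, which is what an
    honest apostrophe in the input does to it.
    """
    conn = make_db()
    try:
        vuln = search_vulnerable(conn, term)
    except sqlite3.OperationalError:
        vuln = "error"
    safe = search_parameterized(conn, term)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    # A normal search: both versions return the two kitchen items.
    print("kitchen       ->", compare("kitchen"))
    # The textbook tautology from the OWASP scenario: the dynamic query
    # returns every row, the parameterized one matches no item type.
    print("tautology     ->", compare("office' OR '1'='1"))
    # Legitimate input containing an apostrophe: the dynamic query breaks
    # with a syntax error, the parameterized one simply finds nothing.
    print("apostrophe    ->", compare("Bob's"))
```

The failure on `Bob's` is the cheap early warning for this class of bug: a search feature that errors out on an apostrophe is building its query by concatenation, which is exactly the "dynamic queries, non-parameterized calls" wording the hosts read from the OWASP document.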
