Archive for the ‘SQL injections’ Category

OWASP, the Open Web Application Security Project, is the leading open-source platform for application security. Beginners can find more here:

They released a special project called “OWASP Top 10” in 2003, which listed the most critical web vulnerabilities at that time. Since then OWASP has published several versions of the Top 10 based on its statistics, and it is now a mature OWASP project.


OWASP Top 10:

Most organizations, developers and penetration testers use this project as a baseline for their software security, which is good and appreciable. Following the processes in place at software companies, they write secure code, verify their business logic and test the security aspects before major releases. It feels like we are getting closer to hack-proof web applications. Really?

In those days there was no trustworthy, accessible place to learn about application security. Then OWASP appeared, people started building their web applications more securely, and that is still continuing.

So far we have been talking about the good side of these concepts. What is the end result? We are secure!

Not at all.


While one party is defending all the known holes, the other party is looking for new holes. That is exactly what happens in the cyber security world: IT security professionals stop the bleeding at one edge, and attackers move to another edge with different techniques.

We tell the world that we are OWASP compliant and SANS compliant, but our applications still get hacked. We show the world that we have put guards on all the identified entry points. Do you still believe attackers keep trying the same entry points?

Better not. Every year WhiteHat Security publishes the Top 10 web hacking techniques, and most of the time the top hacking techniques do not target the top web vulnerabilities. If you need examples, here are some:


Keep in mind that the OWASP Top 10 list we are currently using was published in 2013. Now it is 2016, and we are screaming that attackers are one step ahead of us.

A few nominated hacking techniques for 2015:

  • Abusing CDNs with SSRF, Flash and DNS
  • Abusing XSLT for Practical Attacks
  • Hunting Asynchronous Vulnerabilities
  • Logjam and Magic Hashes

You had better look up what those attacks mean. So where are we now?

Here are some top hacking techniques from 2014:

  • Heartbleed, ShellShock, POODLE, Rosetta Flash…

Am I saying OWASP and SANS are bad? Sorry, you misunderstood. I am saying that they are not enough in this game. You can clearly see a gap between the top 10 vulnerabilities and the top 10 attacks. So we need to be creative here, not only apply theoretical security practices to our applications and systems.

This is not a problem with OWASP or SANS; they have done enough, and we should not expect everything from them. We all have limitations. Do your own homework and stay sharp.

Recent days have not been auspicious for the Sri Lankan cyber security community. Several government, media, banking and financial websites were hit in a spate of cyber attacks. Some sites were defaced and database contents were published online. There might be numerous reasons behind those attacks, but this is a kind of alarm for us.

catch a thief

Huge numbers of websites are attacked every day around the world, unsecured websites as well as well-secured ones. So attacking SL websites is no big deal. The problem is: if there are no basic security implementations in place, can we handle massive cyber threats?

Script kiddies are everywhere. Exploiting website vulnerabilities, defacing pages and dumping databases is not rocket science with hacking tools. Even though some of the attacked websites have high-profile status, their owners did not put enough concern into information security. That is where we have all gone wrong so far: we always worry about actions, not quality.

Well, most of the attacked websites are at the top of the Google dork results if you are looking for certain vulnerabilities.

This graph shows the most popular web attack techniques in 2012.

web hacking techniques

It is clear that most SL websites were hacked through SQL injection. Developers usually lock down their application or site at the login portal, but login is not the only place where the application interacts with the database: forums, comments, user profiles, news and search areas all link to the DB. XSS, remote file inclusion, CMS issues and IM-level vulnerabilities would be the next most common methods.
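As an added illustration of that point (example code written for this page, not taken from the original post): a constructed SQLite "news" table with one unpublished row, searched first by string concatenation and then with a bound parameter. The second search term is the kind of input a developer would feed their own endpoint to check that user input cannot change the query structure.

```python
import sqlite3

# Constructed sample data standing in for a "news" area that, as the post
# notes, talks to the database just like the login form does.
NEWS_ROWS = [
    (1, "Budget passed", 1),
    (2, "Internal memo: draft", 0),   # unpublished: must never be searchable
    (3, "Election results", 1),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS_ROWS)
    return con


def search_vulnerable(con, term):
    """Search by string concatenation: the term becomes part of the SQL text.

    A quote in the term ends the string literal and the remainder is parsed
    as SQL, so the published = 1 filter can be switched off by the input.
    """
    sql = ("SELECT id FROM news WHERE published = 1 "
           "AND title LIKE '%" + term + "%' ORDER BY id")
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    """Search with a bound parameter: the term is sent as data, never as SQL.

    Quotes or comment markers inside it are matched literally against the
    title, so the query structure and the published = 1 filter stay fixed.
    """
    sql = "SELECT id FROM news WHERE published = 1 AND title LIKE ? ORDER BY id"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


def compare(term):
    """Run both variants on a fresh database and return (vulnerable, safe)."""
    con = make_db()
    try:
        return search_vulnerable(con, term), search_safe(con, term)
    finally:
        con.close()


if __name__ == "__main__":
    print(compare("Budget"))        # same result from both variants
    print(compare("' OR 1=1 --"))   # only the concatenated query leaks row 2
```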

When I was at an interview at university, there were software professionals from industry. When they got to know that I am keen on security, they said, “we have experienced CISSP guys and network security engineers, so there is nothing to worry about security.” But they are software vendors.

A website or application can be hacked in two different scenarios: a lack of security implementation at the infrastructure level, or poor security standards at the application level. So the breaches of SL sites could have happened because of the hosting company or because of the site developers. But most sites were hacked through SQL injection, and that points directly at application developers and testers.

I know that explaining something is easier than implementing it. But I still rarely see developers or software firms concerned about the security of their products. The same holds for the government sector.

We develop…develop…and someone breaks

Okay, whoever attacked those sites may have got their self-satisfaction. Some organizations may have lost their privacy and dignity. I think the government will focus more on cyber security than on finding whose IP that was. Above all, we should wake up to this alarm.

Most script kiddies are likely to be insiders.

“To catch a thief, we must think like a thief”

Image: OWASP

Here are some requirements:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar technologies

To test all of the above, we need a vulnerable web application that contains multiple vulnerabilities. In 2010 Chuck Willis presented his vulnerable testing framework called “OWASP Broken Web Application”.

The Open Web Application Security Project (OWASP) Broken Web Applications Project is a collection of vulnerable web applications distributed as a virtual machine. This article shows you how to configure OWASP-bwa in Oracle VirtualBox.

Image: unzip folder
  • In VirtualBox select OS “Linux” and Version “Ubuntu”
  • Keep 512 MB of memory
  • Under Virtual hard disk select “Use existing hard disk” and browse to the unzipped OWASP-bwa folder

Image: Use existing hard disk

Select “OWASP Broken Web Apps.cl1” and create the VM.

Image: OWASP Broken Web Apps.cl1

In the VM settings, change “Attached to:” from “NAT” to “Host-Only Adapter”.

Image: VirtualBox settings

The VM is ready now; click Start.

Image: OWASP-BWA

After booting, the VM shows the IP address of the web apps and the login details.

Image: Web apps URL

Now you can access the web apps through the browser on your host (not inside the VM) without logging into the virtual machine.

Image: Web Apps

Using the OWASP-bwa VM you can access training applications like WebGoat, Damn Vulnerable Web Application, and old versions of WordPress and Joomla, as well as some testing tools like OWASP ZAP.

Image: OWASP-BWA

Well, let's check how to test our requirements later.