AppTrust Web Developer training
Matthew Flick, July 6-8, 2010

Places application data can be stored, all of them client-side and therefore under the attacker's control (validate server-side): cookies, hidden fields, drop-down menus, radio buttons, the URL line, attributes in the DOM, the session ID, the cache.

Automated scanners ($$$)
* AppScan
* WebInspect
* Cenzic Hailstorm
* NTOSpider

Freeware-ish (-/$)
* Burp Suite - http://portswigger.net/suite/
* Paros Proxy
* WebScarab

Classic SQL injection: with the password field set to ' or '1'='1 and the input concatenated into the query, the login statement becomes

select * from tbl_users where uid = 'admin' and pw = '' or '1'='1';

AND binds tighter than OR, so the condition is true for every row and the password check is bypassed.
http://ha.ckers.org/sqlinjection/

Sites vulnerable to XSS: http://www.xssed.com

Links
[[http://nlog.codeplex.com|dotnet logging]]
[[http://struts.apache.org/1.2.4/userGuide/dev_validator.html]]
[[http://www.phpbuilder.com/manual/function.mb-convert-encoding.php]]
[[http://dev.mysql.com/doc/refman/5.4/en/encryption-functions.html#function_aes-encrypt]]

Dale Castle, OWASP Charlottesville, dale@virginia.edu

Remediation Plan Exercise
Order of addressing vulnerabilities:
* Immediate:
  * SQLi on homepage and login
  * Passwords
  * Error handling
  * Backup copies of code
* < 1 month:
  * Access rules on paper -> admins follow them
  * User ID cookie for access
  * Site-wide SQLi (other pages)
* 1 - 12 months:
  * Patching (?) or nothing
* > 1 year:
  * Rewrite
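The classic login injection above, shown end to end as an added example (not from the training material): the concatenated query next to its parameterized fix, run against an in-memory SQLite table. The table name and column names follow the note; the row contents, the payload string and the function names are constructed for the demo. Passwords are stored in plaintext here only to keep the focus on the query structure; the "Passwords" item in the remediation plan would replace that with salted hashes.

```python
import sqlite3

# Constructed sample data: one row matching the tbl_users(uid, pw) shape
# from the training note. Plaintext pw is for illustration only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tbl_users (uid text, pw text)")
    conn.execute("insert into tbl_users values ('admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, uid, pw):
    # The classic mistake: user input spliced directly into the SQL text,
    # so a quote in the input terminates the literal and the rest of the
    # input is parsed as SQL.
    sql = ("select * from tbl_users where uid = '" + uid
           + "' and pw = '" + pw + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, uid, pw):
    # The fix: placeholders. The values travel separately from the SQL
    # text, so quotes in the input can never change the query's structure.
    sql = "select * from tbl_users where uid = ? and pw = ?"
    return conn.execute(sql, (uid, pw)).fetchall()

# Constructed payload: the password field from the training example.
PAYLOAD = "' or '1'='1"

def demo():
    """Return row counts for each login attempt, keyed by scenario."""
    conn = make_db()
    return {
        # Legitimate login works either way.
        "vulnerable_correct_pw": len(login_vulnerable(conn, "admin", "s3cret")),
        "parameterized_correct_pw": len(login_parameterized(conn, "admin", "s3cret")),
        # Payload against the concatenated query: ... and pw = '' or '1'='1'
        # AND binds tighter than OR, so every row matches, even for a uid
        # that does not exist.
        "vulnerable_payload": len(login_vulnerable(conn, "admin", PAYLOAD)),
        "vulnerable_unknown_user_payload": len(login_vulnerable(conn, "nobody", PAYLOAD)),
        # Same payload against the parameterized query: compared as a literal
        # password string, matches nothing.
        "parameterized_payload": len(login_parameterized(conn, "admin", PAYLOAD)),
        "parameterized_unknown_user_payload": len(login_parameterized(conn, "nobody", PAYLOAD)),
    }

if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(f"{scenario}: {rows} row(s)")
```

The "unknown user" case is worth noting when triaging the remediation plan: because the injected OR short-circuits the whole WHERE clause, the attacker does not need to know a valid username, which is why the login page sits in the "Immediate" tier.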