AppTrust Web Developer training

Matthew Flick

July 6-8, 2010

Data can be stored in cookies, hidden fields, drop down menus, radio buttons, url line, attributes in DOM, session id, cache.

Automated scanners ($$$)

• AppScan
• WebInspect
• Cenzic Hailstorm
• NTOSpider

Freeware-ish (-/$)

• Burp Suite - http://portswigger.net/suite/
• Paros Proxy
• WebScarab

Classic SQL injection

select * from tbl_users where uid = ' admin ' and pw= '' or 1=1 ' ';

http://ha.ckers.org/sqlinjection/

sites vulnerable to xss

http://www.xssed.com

dotnet logging

http://struts.apache.org/1.2.4/userGuide/dev_validator.html

http://www.phpbuilder.com/manual/function.mb-convert-encoding.php

http://dev.mysql.com/doc/refman/5.4/en/encryption-functions.html#function_aes-encrypt

Dale Castle

OWASP Charlottesville

dale@virginia.edu

Remediation Plan Exercise

Order of addressing vulnerabilities

• Immediate:
  • SQLi homepage, login
  • Passwords
  • Error handling
  • Backup copies of code
• <1 month:
  • Access rules on paper → admins follow
  • User ID cookie for access
  • site wide SQLi (other)
• 1 - 12 months:
  • patching (?) or Nothing
• > 1 year:
  • Rewrite