AppTrust Web Developer training
Matthew Flick
July 6-8, 2010
Data can be stored in (and therefore tampered with from) cookies, hidden fields, drop-down menus, radio buttons, the URL, DOM attributes, the session ID, and the cache; all of these are under the client's control, so none can be trusted server-side.
Automated scanners ($$$)
- AppScan
- WebInspect
- Cenzic Hailstorm
- NTOSpider
Freeware-ish (-/$)
- Burp Suite - http://portswigger.net/suite/
- Paros Proxy
- WebScarab
Classic SQL injection
select * from tbl_users where uid = 'admin' and pw = '' or 1=1 '';
http://ha.ckers.org/sqlinjection/
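Added illustration (not part of the training notes): the classic query above built two ways against a constructed in-memory SQLite table. The table name and columns (tbl_users, uid, pw) come from the query on the page; the row data, the function names and the use of SQLite are assumptions for the demo. String concatenation lets the password field rewrite the where-clause so the `or 1=1` branch matches every row; a parameterized query sends the same string as a plain value and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demo; a single admin row, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tbl_users (uid text, pw text)")
    conn.execute("insert into tbl_users values ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, uid, pw):
    """The classic mistake: user input is pasted straight into the SQL text."""
    sql = ("select * from tbl_users where uid = '" + uid
           + "' and pw = '" + pw + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, uid, pw):
    """Hardened form: placeholders, the driver binds uid and pw as values only."""
    sql = "select * from tbl_users where uid = ? and pw = ?"
    return conn.execute(sql, (uid, pw)).fetchall()


def demo():
    """Run both versions with a correct password and with the page's 'or 1=1' input."""
    conn = make_db()
    injected_pw = "' or 1=1 --"   # the cheat-sheet style value the notes refer to
    return {
        "vuln_good_pw": len(login_vulnerable(conn, "admin", "s3cret")),
        "vuln_injected": len(login_vulnerable(conn, "admin", injected_pw)),
        "param_good_pw": len(login_parameterized(conn, "admin", "s3cret")),
        "param_injected": len(login_parameterized(conn, "admin", injected_pw)),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected value the concatenated query becomes `... and pw = '' or 1=1 --'`, which SQL parses as `(uid = 'admin' and pw = '') or 1=1`, so the admin row comes back without a password. The parameterized version returns that row only for the real password.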
sites vulnerable to xss
http://struts.apache.org/1.2.4/userGuide/dev_validator.html
http://www.phpbuilder.com/manual/function.mb-convert-encoding.php
http://dev.mysql.com/doc/refman/5.4/en/encryption-functions.html#function_aes-encrypt
Dale Castle
OWASP Charlottesville
dale@virginia.edu
Remediation Plan Exercise
Order of addressing vulnerabilities
- Immediate:
  - SQLi homepage, login
  - Passwords
  - Error handling
  - Backup copies of code
- <1 month:
  - Access rules on paper → admins follow
  - User ID cookie for access
  - site wide SQLi (other)
- 1 - 12 months:
  - patching (?) or Nothing
- > 1 year:
  - Rewrite
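Added illustration (not from the training or the exercise): the "User ID cookie for access" item above, and the client-side storage list at the top of the page, both come down to the server trusting a value the browser can edit. The snippet below contrasts reading the user ID straight out of the cookie with a cookie that carries an HMAC over the ID, so an edited ID fails verification. The secret key, function names and cookie layout (`uid.base64(mac)`) are assumptions made for this demo.

```python
import base64
import hashlib
import hmac

# Constructed secret for the demo only; a real server loads this from configuration.
SECRET_KEY = b"example-only-secret-key"


def naive_uid_from_cookie(cookie: str) -> str:
    """The flaw in the remediation list: whatever the browser sends is the user."""
    return cookie


def issue_cookie(uid: str) -> str:
    """Server side: attach HMAC-SHA256(secret, uid) so the value cannot be changed silently."""
    mac = hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).digest()
    return uid + "." + base64.urlsafe_b64encode(mac).decode()


def verify_cookie(cookie: str):
    """Return the uid only if the attached MAC matches; None for anything tampered or malformed."""
    uid, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        given = base64.urlsafe_b64decode(tag)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).digest()
    # compare_digest is constant-time, so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected, given):
        return None
    return uid


def demo():
    """Issue a cookie for 'alice', then edit only the uid part the way a user could."""
    good = issue_cookie("alice")
    tampered = "admin" + good[good.index("."):]
    return {
        "naive_accepts_tampered": naive_uid_from_cookie("admin"),
        "signed_good": verify_cookie(good),
        "signed_tampered": verify_cookie(tampered),
        "signed_unsigned": verify_cookie("admin"),
    }


if __name__ == "__main__":
    print(demo())
```

The signed cookie still reveals the user ID to whoever holds it; an opaque random session ID looked up in server-side storage hides even that, and is the usual end state of the rewrite.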