Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?

204 views

Published on

Presentation for the BSides Iowa 2017 talk, "Wanna break JavaScript and APIs in web apps?"

Published in: Technology
  • Login to see the comments

  • Be the first to like this

BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?

  1. 1. WANNA BREAK JAVASCRIPT AND ANDY FREEBORN
  2. 2. ME ▸Penetration Tester at Union Pacific ▸Previous jobs also tested security in all the things ▸Explorer of CPU architectures ▸Loves dank memes 2
  3. 3. AGENDA ▸Why ▸Tools to identify and break things ▸Thing to break ▸Demo of thing to break 3
  4. 4. WHY ▸There’s too many versions of JavaScript: http://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/ 4
  5. 5. WHAT DOES ALL OF THAT MEAN? ▸JavaScript is evil 5
  6. 6. WHAT DOES IT REALLY MEAN? ▸Many JavaScripts versions out there work, why update it? ▸Because security ▸Is it really a problem if so many other people use the same thing? ▸Just ask WordPress administrators ▸Unrelated low risk vulnerabilities can be exploited and chained to provide an easy way into your organization ▸ http://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and- auditor-turns-into-eight-vulnerabilities/ 6
  7. 7. NO REST FOR THE API’S ▸Rest APIs are becoming more available and used ▸Companies are querying data from APIs of various products to make their own aggregated view of data ▸APIs also have a myriad of challenges and can be insecure ▸http://www.zdnet.com/article/apis-examined/ ▸OWASP Top 10 for 2017 (RC1) ▸A10 - Under protected APIs 7
  8. 8. TOOLS TO BREAK THINGS ▸Chrome and Firefox developer tools ▸Retire.js ▸Node Security Platform and Snyk ▸Postman ▸Burp Suite 8
  9. 9. CHROME AND FIREFOX DEV TOOLS ▸Both are free, powerful, and easy to use ▸Many free resources available to help you use it ▸https://developers.google.com/web/tools/chrome-devtools/ ▸http://discover-devtools.codeschool.com/ ▸Why use it? ▸Easy to test for a variety of potential security issues 9
  10. 10. CHROME DEV TOOLS: SHOW ME YOUR SECRETS… OR SOURCE▸URL/route to the administrative page (dirbuster works too) ▸Commented out link to the score-board 10
  11. 11. CHROME DEV TOOLS: ALWAYS PRETTY- PRINT LUKE, ALWAYS ▸Click the {} symbol 11
  12. 12. RETIRE.JS ▸Retire.js detects vulnerable JavaScript libraries and/or Node.JS modules ▸Free ▸https://github.com/RetireJS/retire.js ▸Regularly updated as JavaScript and NPM packages age ▸Provides the exact vulnerability associated with a specific version and includes helpful URLs 12
  13. 13. RETIRE.JS ▸Retire.js can be used in a variety of situations: ▸Chrome extension ▸Firefox extension ▸Standalone to scan a website or file directory ▸Add-on for OWASP Zap (free) ▸Add-on for Burp Suite (requires Pro) in the BApp Store 13
  14. 14. RETIRE.JS: VULNERABILITIES FOUND WITH THE EXTENSION 14
  15. 15. RETIRE.JS: VULNERABILITIES FOUND WITH THE CLI ▸sequelize has known vulnerabilities such as SQLi 15
  16. 16. NODE SECURITY PLATFORM AND SNYK ▸Node Security Platform (project from ^Lift) ▸Free: https://github.com/nodesecurity/nsp ▸Scan a directory to identify issues with Node.JS packages ▸Snyk ▸Free tier available: https://snyk.io/ ▸Checks JavaScript, Ruby, and Java GitHub repositories, public NPM packages, and can scan directories as well 16
  17. 17. POSTMAN ▸Quickly probe/poke/destroy APIs ▸Free ▸https://www.getpostman.com/ ▸Why not SoapUI? curl? Python requests library? ▸SoapUI works great! Postman is just another option ▸Really why though: History, easily import/export tests to other formats, share tests among team members 17
  18. 18. POSTMAN DEMO ▸Bypass those silly restrictions in the UI. This could have been done in ZAP, Burp, etc. as well. 18
  19. 19. BURP SUITE ▸A great tool to proxy network traffic, change it to an unexpected value, and assess platforms like web, mobile, etc. ▸https://portswigger.net/burp/ ▸Does active and passive scanning and has great plugins ▸Specialized plugins require the paid version of Burp ▸$399, but worth it! ▸An excellent alternative is OWASP Zap 19
  20. 20. BURP SUITE DEMO ▸Get paid! 20
  21. 21. THING TO BREAK: OWASP JUICE SHOP ▸“OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.” ▸https://github.com/bkimminich/juice-shop ▸Has a CTF version based on CTFd!!!11! ▸https://github.com/bkimminich/juice-shop-ctf ▸Continually updated with new vulnerabilities, content, languages ▸Author recommends not cheating, but bad guys do! 21
  22. 22. OWASP JUICE SHOP: WHERE CAN IT RUN? ▸Heroku dyno (Run small web apps online for free) ▸Docker container ▸Someone else’s computer (Amazon Web Services) ▸Your VM or machine ▸Online right now! ▸ https://juice-shop.herokuapp.com/ 22
  23. 23. OWASP JUICE SHOP: DEMO MACHINE ▸1 VM running Ubuntu 16.04 LTS ▸Download the ISO, boot up, do all the regular updates ▸Install Docker with quick and clear Ubuntu instructions: ▸https://docs.docker.com/engine/installation/linux/ubuntu/ #install-using-the-repository ▸docker pull bkimminich/juice-shop ▸docker run -d -p 3000:3000 bkimminich/juice-shop 23
  24. 24. OWASP JUICE SHOP: VULNERABILITIES ▸Includes a book to introduce, tackle, and solve the challenges ▸https://www.gitbook.com/book/bkimminich/pwning-owasp-juice- shop/details ▸Examples of vulnerabilities ▸“Log in with the administrator's user credentials without previously changing them or applying SQL Injection.” ▸“XSS Tier 3: Perform a persisted XSS attack with <script>alert("XSS3")</script> without using the frontend application at all.” 24
  25. 25. OWASP JUICE SHOP: DEMO ▸Walkthrough of the application and see how it works ▸Vulnerabilities to tackle ▸Start with the score board ▸SQLi exploitation flaw in a JavaScript library ▸Insert a XSS payload with the API ▸Manipulate an order request 25
  26. 26. WHERE ELSE CAN YOU USE THESE SKILLS?▸Automated tools won’t help you here: https://www.offensive-security.com/information-security-training/cracking-the-perimeter/ 26
  27. 27. THANKS! ▸http://vivirytech.blogspot.com/ ▸@vivirytech ▸OWASP Juice Shop ▸https://github.com/bkimminich/juice-shop 27

×