
DevSecCon Singapore 2019: Web Services aren’t as secure as we think


Tilak T

Web Services are taking over the world, and REST frameworks are accelerating this development because of their ease and flexibility. Developers often build REST-based applications because they are exciting to work with, but they forget about security, which leads to compromised and exploited applications. For instance, in recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities in Web Services. This talk offers a holistic perspective on finding and fixing some uncommon flaws, replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot Framework to identify such flaws in Web Services.


1. Singapore | 28 Feb - 01 Mar 2019
   Web Services aren’t as secure as we think
   Tilak.T
2. Yours truly
   • Senior Solutions Engineer at we45
   • Full Stack Developer
   • Developer of Open-Source
   • Trainer and Speaker
   • PSF Member
   • Part of multiple CTFs
   @ti1akt
3. Outline
   • Why security is important
   • Unique Vulnerabilities
   • Demo!
   • DevSecOps Pipeline
4. Why web services aren't secure
5. Ref: https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/
6. Unique Vulnerabilities
   • JWT Manipulation
   • Insecure Deserialization
   • Insecure Direct Object Reference
   • Etc …
7. (no text on slide)
8. (no text on slide)
9. JWT Manipulation (OWASP-2017 A5 Broken Access Control)
10. Why JWT
   • Stateless application
   • Authorization mechanism
   • Transfers information between server and client
   • Scalable and decoupled
11. JSON Web Token (JWT)
   • The process is (typically) relatively simple:
     • Once a user authenticates, the server generates a JSON payload (with some info) and signs it with a key
     • This can be an HMAC-based key (HS256) or an asymmetric system (RS256)
     • The token is sent by the client (like a session cookie)
     • The server attempts to verify the token based on the signature and allows/disallows the user to perform actions
12. Lots of ways to get JWT wrong
   • Modify the algorithm to `none`
   • Leakage of sensitive information
   • Algorithm confusion
   • Cracking secret keys
13. (no text on slide)
14. (no text on slide)
15. Insecure Deserialization (OWASP-2017 A5 Broken Access Control)
16. (no text on slide)
17. (no text on slide)
18. (no text on slide)
19. (no text on slide)
20. Basic Pipeline Demo
21. SecDevOps Jenkins pipeline
22. (no text on slide)
23. Abhay Bhargav, Rahul Raghavan, Sandeep Patil, Sharath Kumar, Nithin Jois
24. Thank You – https://github.com/we45/DevSecCon2019
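Slides 11 and 12 describe the sign-then-verify flow and the ways it goes wrong (the `none` algorithm, algorithm confusion, weak secrets). The following is an added example, not code from the talk or from the we45/DevSecCon2019 repository: a minimal HS256 issuer and verifier written against the Python standard library only. The point it shows is on the verifying side: the server pins the algorithm it expects, so a header claiming `alg: none` (or any other algorithm) is rejected before the signature is even examined, the HMAC is compared in constant time, and expiry is enforced. `SECRET`, the claim values and the two `tampered_*` test fixtures are constructed for illustration.

```python
# Added example (not from the talk or the we45/DevSecCon2019 repository):
# a minimal HS256 JWT issuer/verifier using only the Python standard library.
# The verifier pins the expected algorithm server-side, so tokens whose header
# says "none" (or any other alg) are rejected before the signature is checked.
# SECRET and the claims below are constructed for illustration only.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; use a secret store in practice


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that encoding stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 300, now: int = None) -> str:
    """Sign claims with HS256; result is header.payload.signature, each base64url."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: int = None) -> dict:
    """Return the verified claims, or raise ValueError.

    Order matters: the algorithm is checked against the server's fixed
    expectation first, so 'alg': 'none' and algorithm-confusion headers never
    reach the signature step; the HMAC is then compared in constant time.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or exp missing")
    return payload


def is_accepted(token: str, secret: bytes, now: int = None) -> bool:
    """Boolean wrapper around verify_token, handy for negative test cases."""
    try:
        verify_token(token, secret, now=now)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def tampered_alg_none(token: str) -> str:
    """Test fixture: same payload, header rewritten to alg=none, empty signature."""
    _, payload_b64, _ = token.split(".")
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


def tampered_payload(token: str, changes: dict) -> str:
    """Test fixture: edited claims with the original signature left in place."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + _encode_json(payload) + "." + sig_b64


if __name__ == "__main__":
    tok = issue_token({"sub": "alice", "role": "user"}, SECRET)
    print("valid token accepted:", is_accepted(tok, SECRET))
    print("alg=none rejected:", not is_accepted(tampered_alg_none(tok), SECRET))
    print("edited claims rejected:", not is_accepted(tampered_payload(tok, {"role": "admin"}), SECRET))
```

In production a vetted library should do the parsing, but the same rule applies: the accepted algorithm list is a server-side constant passed to the verifier (for example PyJWT's `algorithms=` argument to `jwt.decode`), never something read from the token's own header. The fixtures above are the unit tests a team would keep in the pipeline from slide 20 so that a regression reintroducing header-controlled algorithm selection fails the build.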
