2. Content
● Workshop
○ Build a page which leaks sensitive information.
○ Find out how the data breach occurred.
● What just happened?
● How to find this type of vulnerability?
● Prevention Measures
4. Workshop - Steps
Software Prerequisites:
● Git
● Node 10.4.1 or above
● npm 6.1.0 or above
Steps:
1. Search GitHub for “VodQA Securing Data theft demo” and clone the repository.
2. Follow the README.md.
3. Develop a login page.
4. Develop a payment page which accepts credit card details.
5. README.md
Getting Started
Prerequisites
Make sure you have Node v10.4.1 or above and npm 6.1.0 or above.
Installing
Clone the repo and run the following inside the cloned directory.
npm install
Running the application
Run the following command to start the application:
npm start
6. What just happened?
[Diagram: Package Manager → Vulnerable Package (declared in package.json) → UI Code (login form with Username and Password fields) → Production (app.bundle.js containing the Vulnerable Package); the bundled page sends data to https://www.vulnerabledependency.com]
How to find this type of vulnerability?
● Collect logs and analyse the cross-domain calls that are triggered.
● Be wary of every piece of information sent out of the website: decode it and verify its content.
● Analyse a dependency package before using it.
8. Prevention measures
● Try not to load 3rd-party libraries on pages that handle sensitive information.
● Check whether your dependencies are listed in OWASP Common Vulnerabilities and Exposures
(CVE).
○ Make sure the CI build fails if a vulnerable dependency is found in the framework's
package manager, using OWASP tools.
● Ensure your dependencies are up to date with the latest security patches, if any.
● Always use vulnerability scanning tools to check for any vulnerabilities.
● Report any vulnerability found.
● [DEV SPECIFIC] Override the HttpRequest in the UI to make sure all requests go through the
overridden HttpRequest.
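The "collect logs and analyse cross-domain calls" advice from slide 7 and the "override the HttpRequest in the UI" measure above combined, as an added example that is not part of the workshop repository: an outbound-request guard that allowlists origins, refuses everything else and keeps an audit log of what was refused. The origins, the `installGuards` entry point and the log shape are assumptions for this illustration.

```javascript
// Added example, not the workshop repository's code: a small outbound-request
// guard for the UI. Every fetch/XMLHttpRequest call is resolved against the page
// origin and allowed only if its origin is on the allowlist; anything else is
// recorded in an audit log and refused, so a compromised dependency cannot
// silently post form data to a third-party host.
const ALLOWED_ORIGINS = new Set([
  'https://shop.example.test', // constructed: the application's own origin
  'https://api.example.test',  // constructed: its login/payment backend
]);

const blockedCalls = []; // audit trail: inspect in dev tools or ship to your logging pipeline

// Resolve relative or absolute URLs against the page origin, then check the origin.
function isAllowed(url, pageOrigin) {
  return ALLOWED_ORIGINS.has(new URL(url, pageOrigin).origin);
}

function recordBlocked(url, method, pageOrigin) {
  blockedCalls.push({ url: new URL(url, pageOrigin).href, method: method || 'GET' });
  return new Error('blocked cross-domain request: ' + url);
}

// Wrap fetch: disallowed requests are rejected before any connection is opened.
function guardFetch(originalFetch, pageOrigin) {
  return function guardedFetch(input, init) {
    const url = typeof input === 'string' ? input : (input.url || String(input));
    if (!isAllowed(url, pageOrigin)) {
      return Promise.reject(recordBlocked(url, init && init.method, pageOrigin));
    }
    return originalFetch(input, init);
  };
}

// Wrap XMLHttpRequest.prototype.open so library code that still uses XHR is covered too.
function guardXhr(XhrClass, pageOrigin) {
  const originalOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, url, ...rest) {
    if (!isAllowed(url, pageOrigin)) throw recordBlocked(url, method, pageOrigin);
    return originalOpen.call(this, method, url, ...rest);
  };
}

// Install on the page's global object (window in a browser) before any third-party
// script runs, e.g. as the first statement of the application bundle.
function installGuards(globalObj, pageOrigin) {
  if (typeof globalObj.fetch === 'function') globalObj.fetch = guardFetch(globalObj.fetch, pageOrigin);
  if (typeof globalObj.XMLHttpRequest === 'function') guardXhr(globalObj.XMLHttpRequest, pageOrigin);
}
```

A blocked call also reveals which bundled package attempted it, because the stack trace of the thrown error points into the offending module.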
9. How to read a CVE?
Major Terms:
● CVSS Score
● Confidentiality Impact
● Integrity Impact
● Availability Impact
● Access Complexity
● Authentication
● Vulnerability Type(s)
● CWE ID