An introduction to security vulnerabilities in software. This presentation covers two common vulnerabilities, Session hijacking and Middle Attack, and shows how to use tools to explore them and which best practices to apply.
5. Sensitive data
What type of information does an attacker want to get?
The personal information
Money
Documents
What type of information should a normal user not be able to see?
The CPR number of the other party
The fee of the other party
6. Secure data
Replacing valid data with invalid data
Protected data (held in third-party services) must not be allowed to change
7. Redundant data
Rubbish data
The Browser sends data to the Service
The Browser receives data from the Service
Repeated data
The same piece of information is repeated many times
11. Demo - Session hijacking
Scenario: As an attacker, I want to send GET and POST requests to the system even though I have been logged out
Steps:
1. User logs in
2. Use the Postman tool to make a copy of the cookie
3. User logs out
4. Use the Postman tool to keep accessing the system with the copied cookie
[Diagram: log in / log out flow between User, Browser and Attacker]
12. Demo - Middle Attack
Scenario: As an attacker, I want to change the sender of a document to another user
Steps:
1. User A adds a document
2. Use Fiddler to catch the request
3. Replace the sender, user A, with user B
4. Send the request on to the Service
[Diagram: Browser sends the request to the Attacker, who sends it on to the Service]
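The two demos (slides 11 and 12) both succeed only because the Service trusts something the client controls: a cookie that is never revoked, and a sender field taken from the request body. The following is an added example, not code from the presentation or from the system it describes; it models the server side with hypothetical names (SESSIONS, DOCUMENTS, handle_add_document) and shows the two checks that make each demo fail: revoking the session id at logout, and deriving the sender from the authenticated session while recording a body/session mismatch as a detection signal.

```python
# Added example (not from the presentation): server-side model of the two demos.
# A cookie copied with Postman before logout is rejected after logout (slide 11),
# and a sender rewritten in Fiddler never reaches storage (slide 12).
import secrets
from typing import Dict, List, Optional, Tuple

SESSIONS: Dict[str, str] = {}            # session id -> username (in-memory store)
DOCUMENTS: List[Tuple[str, str]] = []    # (sender, title) records held by the Service
TAMPER_EVENTS: List[str] = []            # detection log: body sender != session user


def login(username: str) -> str:
    """Issue a fresh, unguessable session id; this is the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def logout(sid: str) -> None:
    """Revoke the session on the server. Clearing the browser cookie alone is not
    enough: any copy of the cookie keeps working until the server forgets it."""
    SESSIONS.pop(sid, None)


def current_user(cookies: Dict[str, str]) -> Optional[str]:
    """Resolve the caller from the session cookie; None if unknown or revoked."""
    return SESSIONS.get(cookies.get("session", ""))


def handle_add_document(cookies: Dict[str, str], body: Dict[str, str]) -> Tuple[int, str]:
    """POST /documents: require a live session, and take the sender from that
    session rather than from the body, which a proxy in the middle can rewrite."""
    user = current_user(cookies)
    if user is None:
        return 401, "session invalid or expired"
    claimed = body.get("sender")
    if claimed is not None and claimed != user:
        # The request body disagrees with the authenticated identity: this is the
        # slide 12 tampering pattern, so record it for monitoring and carry on
        # with the trusted value.
        TAMPER_EVENTS.append(f"session user {user} submitted sender={claimed}")
    DOCUMENTS.append((user, body.get("title", "")))
    return 201, "stored document for " + user
```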
13. How to explore efficiently
Understand the logic of the system clearly
Observe how the system works
F12 (browser developer tools)
See how the API works between the Browser and the Service
Think of the possible situations that can happen
Based on the problems the customer reported in the specification
Try to reproduce them
Ask the developer about any confusing behaviour of the system
"What if" questions
What is the expected outcome?
The personal information: CPR number or CVR number
Money => Claim, Fee
Document => Type of document, Sender, Receiver
Replacing valid data with invalid data
Replacing the sender of a document with another sender
Protected data (held in third-party services) that has been changed
In the creation case there is a function called "Adding lawyer to part". However, as an attacker, I am able to change that lawyer's information from the Browser and send it to the Services.
The Browser sends data to the Service => is the data being sent redundant information or not?
Example: when creating a part, the 'Postnummer' and 'By' (postal code, town) fields send the whole address list of Denmark to the Services
The Browser receives data from the Service => it should receive just enough information to display
Example: a meeting should only use the name and the exchange ID for display
Disabled field
Information shown to the user in a disabled (read-only) field: ensure that the user cannot change it when submitting from the Portal
Breaking a validation rule
Example: the value must have at least 5 characters
Why use a tool?
To fake a user's information and be able to send it to the server
To intercept a request between the Browser and the Servers and be able to change its information