
Hacker, you shall not pass!


Secure development of web applications. Tips for securing your web applications.

Credits to the cover artwork: http://stickeesbiz.deviantart.com/art/You-Shall-Not-Pass-Gandalf-lotr-389220701

Published in: Technology


  1. Hacker, you shall not pass! Web application secure development Cláudio André | claudioandre (at) gmail.com | @clviper
  2. whoami ● 10+ years working in Information Systems ● Penetration Tester @ ● Web applications, Mobile applications and Infrastructure ● Blog: security.claudio.pt
  3. SPECIALLY T
  4-7. SQL Injection
     ● SQL query manipulation via input data from the client;
     ● String concatenation;
     Intended query: select name from users where user = 'admin' and password = 'ubberpa$$w0rd'
     Password field set to xpto' or 1=1-- : select name from users where user = 'admin' and password = 'xpto' or 1=1--'
     https://www.owasp.org/index.php/SQL_Injection
  8. SQL Injection Demo
  9-10. Fixing SQL Injection ● Use of prepared statements (Parameterized Queries) https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
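The slides' concatenated query next to its parameterized fix, as an added example that is not part of the original talk. It uses Python's built-in sqlite3 driver and a constructed in-memory users table with sample credentials; the payload is the one from slide 7. With concatenation the comment sequence swallows the closing quote and `or 1=1` makes the WHERE clause true for every row; with placeholders the same text is just a password value that matches nothing.

```python
import sqlite3

PAYLOAD = "xpto' or 1=1--"  # the password value shown on slide 7


def make_db():
    """Constructed in-memory table with sample users (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, user text, password text)")
    conn.execute("insert into users values ('Administrator', 'admin', 'ubberpa$$w0rd')")
    conn.execute("insert into users values ('Alice', 'alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """Vulnerable: the slide's string-concatenated query.

    The quote in the input closes the string literal and the rest becomes SQL:
    ... password = 'xpto' or 1=1--'
    """
    query = ("select name from users where user = '" + user +
             "' and password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_param(conn, user, password):
    """Fixed: a parameterized (prepared) query.

    The driver sends the SQL text and the values separately, so quotes or
    comment markers in the input can never change the statement's structure.
    """
    query = "select name from users where user = ? and password = ?"
    return [row[0] for row in conn.execute(query, (user, password))]


def demo():
    """Runs both versions against the same database and returns what each leaks."""
    conn = make_db()
    return {
        "concat": login_concat(conn, "admin", PAYLOAD),          # every user's name
        "param": login_param(conn, "admin", PAYLOAD),            # nothing
        "param_valid": login_param(conn, "admin", "ubberpa$$w0rd"),  # the real match
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(label, "->", names)
```

Note that the fix is structural, not a matter of filtering quotes: the parameterized version needs no escaping at all, and it stays safe for inputs the example does not show (backslashes, comment markers, stacked statements) because the input is never parsed as SQL.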
  11-13. Cross Site Scripting (XSS) ● Injection of malicious scripts via input data from the client; ● Script reflection on the page; ● Reflected, Stored and DOM based; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  14-16. Cross Site Scripting (XSS)
     Request: http://vulnerablesite.local/index?name=Guest
     Response: <html> <body> <div> Hello Guest </div> </body> </html>
     Request: http://vulnerablesite.local/index?name=<script>alert("xss")</script>
     Response: <html> <body> <div> Hello <script>alert("xss")</script> </div> </body> </html>
     https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  17. Cross Site Scripting (XSS) Demo
  18. Fixing XSS ● Not straightforward: the correct encoding depends on where in the page the data lands; ● Start with HTML escaping (body text) and attribute escaping (quoted attribute values). https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
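The reflected greeting from slides 14 to 16, rendered unsafely and then with HTML and attribute escaping, as an added example that is not part of the original talk. It uses only Python's standard `html.escape` and `html.parser`; the `executes_script` helper is a check written for this example that reports whether a browser would see a `<script>` tag or an `on*` event-handler attribute in the fragment. The second payload, `x onmouseover=alert(1)`, is constructed here to show the caveat that escaping alone does not protect an unquoted attribute.

```python
from html import escape
from html.parser import HTMLParser

BODY_PAYLOAD = '<script>alert("xss")</script>'   # the slides' reflected input
ATTR_PAYLOAD = 'x onmouseover=alert(1)'           # constructed: no < > " ' at all


def render_vulnerable(name):
    """The slides' behaviour: the parameter is pasted straight into the body."""
    return "<div> Hello " + name + " </div>"


def render_body(name):
    """HTML body context: & < > " ' are entity-encoded, so the value is text only."""
    return "<div> Hello " + escape(name, quote=True) + " </div>"


def render_attr_quoted(name):
    """Attribute context: escape AND keep the attribute value in quotes."""
    return '<input type="text" name="name" value="' + escape(name, quote=True) + '">'


def render_attr_unquoted(name):
    """Caveat: in an unquoted attribute a plain space ends the value, and
    html.escape leaves spaces alone, so new attributes can be injected without
    a single special character."""
    return '<input type=text name=name value=' + escape(name, quote=True) + '>'


class _TagCollector(HTMLParser):
    """Records every tag name and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def executes_script(fragment):
    """True if the fragment carries a <script> element or an on* handler attribute."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return "script" in parser.tags or any(a.startswith("on") for a in parser.attr_names)


if __name__ == "__main__":
    for fn, payload in [(render_vulnerable, BODY_PAYLOAD), (render_body, BODY_PAYLOAD),
                        (render_attr_quoted, ATTR_PAYLOAD), (render_attr_unquoted, ATTR_PAYLOAD)]:
        html = fn(payload)
        print("%-22s %-5s %s" % (fn.__name__, executes_script(html), html))
```

The takeaway matches the slide's "not straightforward": one escaping function is not a universal fix. Body text and quoted attributes are the two contexts where entity encoding is sufficient; data placed inside a script block, a URL, or CSS needs the context-specific encodings from the OWASP cheat sheet linked above.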
  19-21. Cross Site Request Forgery (CSRF) ● Force user to execute unwanted actions on a web application; ● Session Riding; ● Phishing Attacks https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  22-23. Cross Site Request Forgery (CSRF)
     Request: http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word
     Attack: <img src="http://vulnerablesite.local/changepassword?newpwd=owned">
     https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  24. Cross Site Request Forgery (CSRF) Demo
  25-26. Fixing CSRF ● Synchronizer Token Pattern https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
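The synchronizer token pattern applied to the slides' changepassword endpoint, as an added example that is not part of the original talk. The `Session` class, the `users` dictionary and the request shape (method plus a parameter dict) are stand-ins constructed for this example; a real application would keep the session server-side and read the form fields from the request. The server issues one unpredictable token per session, embeds it in the form, and only changes state on a POST whose token matches; the `<img>` attack from slide 23 fails at the first check because it can only make a GET, and an attacker's auto-submitting form fails at the second because it cannot read the victim's token.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session record."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = None


def issue_csrf_token(session):
    """One random, per-session token, generated once and stored server-side."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_change_password_form(session):
    """The token reaches the client only inside the form the server rendered."""
    token = issue_csrf_token(session)
    return ('<form method="POST" action="/changepassword">'
            '<input type="hidden" name="csrf_token" value="' + token + '">'
            '<input type="password" name="newpwd">'
            '<input type="submit" value="Change"></form>')


def extract_token(form_html):
    """What a legitimate browser does implicitly: submit the hidden field back."""
    return form_html.split('name="csrf_token" value="')[1].split('"')[0]


def change_password(session, method, params, users):
    """Server side of /changepassword. Returns (status, message)."""
    # 1. A state-changing action must not be reachable by GET (defeats <img src=...>).
    if method != "POST":
        return 405, "state-changing actions must use POST"
    # 2. The submitted token must equal the one stored in this session.
    #    compare_digest avoids leaking the token byte-by-byte through timing.
    submitted = params.get("csrf_token", "")
    expected = session.csrf_token or ""
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid CSRF token"
    users[session.user] = params["newpwd"]
    return 200, "password changed"


if __name__ == "__main__":
    users = {"victim": "MyS3cr3tPa$$word"}   # constructed sample data
    session = Session("victim")
    print(change_password(session, "GET", {"newpwd": "owned"}, users))    # the slide's <img> attack
    print(change_password(session, "POST", {"newpwd": "owned"}, users))   # attacker's hidden form
    form = render_change_password_form(session)
    token = extract_token(form)
    print(change_password(session, "POST", {"newpwd": "new", "csrf_token": token}, users))
    print(users)
```

The token must be tied to the session and compared on the server; a token that is merely present in the request, or one stored only in a cookie, is sent automatically by the browser and gives no protection.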
  27. Triple A ● Authentication ● Authorization ● Access Control
  28-30. Some best practices on Authentication ● NO PLAIN TEXT!!! Store passwords only as salted hashes produced by strong cryptographic algorithms; ● Do not restrict the password character set or impose a short maximum length; ● Enforce a strong password policy; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  31-32. Some best practices on Authentication ● Prevent brute-force attacks, e.g. implement a CAPTCHA after repeated failures; ● Normalize error messages so the response does not reveal whether the username exists; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
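A login routine that follows the practices on slides 28 to 32, as an added example that is not part of the original talk: salted slow hashing instead of plain text, no character-set or length restriction on the password, one generic error for both unknown users and wrong passwords, and an attempt counter that demands a CAPTCHA after repeated failures. It uses only the Python standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`, `os.urandom`); the `UserStore` class, the `MAX_FAILURES` threshold and the message strings are assumptions made for this example, and the "CAPTCHA" is represented only by the message that would trigger it.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; this is the count OWASP's Password Storage
# Cheat Sheet recommends at the time of writing, tune it for your hardware.
ITERATIONS = 600_000
MAX_FAILURES = 5                 # assumption: threshold before a CAPTCHA is required
GENERIC_ERROR = "Invalid username or password"
THROTTLED = "Too many attempts; complete the CAPTCHA to continue"


def hash_password(password):
    """Never store plain text: a fresh random salt plus a slow, salted hash.
    The password is encoded as UTF-8 and passed whole, so any character and any
    length is accepted (no silent truncation)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Constructed in-memory store: username -> {salt, digest}, plus failure counts."""

    def __init__(self):
        self.users = {}
        self.failures = {}        # keyed by attempted username, whether or not it exists
        # Dummy credentials so an unknown username costs the same time as a known one.
        self._dummy_salt, self._dummy_digest = hash_password(os.urandom(8).hex())

    def add(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest}


def login(store, username, password):
    """Returns (ok, message). Unknown user and wrong password produce the same
    message and the same amount of hashing work; the throttle also applies to
    names that do not exist, so it cannot be used to enumerate accounts."""
    if store.failures.get(username, 0) >= MAX_FAILURES:
        return False, THROTTLED
    record = store.users.get(username)
    if record is None:
        verify_password(password, store._dummy_salt, store._dummy_digest)  # equalize timing
        store.failures[username] = store.failures.get(username, 0) + 1
        return False, GENERIC_ERROR
    if verify_password(password, record["salt"], record["digest"]):
        store.failures.pop(username, None)
        return True, "Welcome"
    store.failures[username] = store.failures.get(username, 0) + 1
    return False, GENERIC_ERROR


if __name__ == "__main__":
    store = UserStore()
    store.add("admin", "ubberpa$$w0rd")          # sample credentials from the slides
    print(login(store, "admin", "ubberpa$$w0rd"))
    print(login(store, "admin", "wrong"))
    print(login(store, "nobody", "wrong"))       # same message as the line above
    for _ in range(MAX_FAILURES):
        login(store, "admin", "wrong")
    print(login(store, "admin", "ubberpa$$w0rd"))  # throttled until the CAPTCHA is solved
```

Per-username counters alone can be abused to lock real users out; in practice pair them with per-source-address limits, and prefer a CAPTCHA or increasing delays over a hard lockout so the throttle itself does not become a denial-of-service tool.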
  33-35. Access Control ● Vertical Access Control Attack
     Request: http://vulnerablesite.local/mainPage
     Request: http://vulnerablesite.local/adminPage
     https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  36-38. Access Control ● Horizontal Access Control Attack
     Request: http://vulnerablesite.local/getUserProfile?id=1337
     Request: http://vulnerablesite.local/getUserProfile?id=1338
     https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  39-40. Access Control ● Business Logic Access Control Attack
     http://vulnerablesite.local/shop?action=chooseFormat
     http://vulnerablesite.local/shop?action=makePayment
     http://vulnerablesite.local/shop?action=downloadMovie
     https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  41-43. Some best practices on Access Control ● Implement roles and permissions; ● Perform authorization validation on every page and request, not only in the navigation; ● Data-context access controls: check that the caller owns the object identified by the request. https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
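One central authorization check that covers the three attacks from slides 33 to 40, as an added example that is not part of the original talk. The routes, users, roles, profile owners and the shop step order are sample data constructed for this example; the shape of `authorize` (called for every request before the handler runs) is the point. It applies the three practices above in order: a role-to-route table (vertical), an ownership check on the requested object (horizontal, data-context), and a per-user record of completed shop steps so `downloadMovie` cannot be reached before `makePayment` (business logic).

```python
# Vertical access control: which roles may reach which route (constructed sample).
ROLE_ROUTES = {
    "/mainPage": {"user", "admin"},
    "/adminPage": {"admin"},
    "/getUserProfile": {"user", "admin"},
    "/shop": {"user", "admin"},
}

# Constructed sample users and data; the ids are the ones from the slides.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
PROFILES = {1337: {"owner": "alice"}, 1338: {"owner": "bob"}}

# Business-logic order of the shop actions from slide 40.
SHOP_FLOW = ["chooseFormat", "makePayment", "downloadMovie"]


def authorize(username, route, params, shop_state):
    """Run for every request before the handler. Returns (allowed, reason).

    shop_state maps username -> set of completed shop actions and is the
    server-side record the business-logic check relies on (never a client value).
    """
    role = USERS[username]["role"]

    # 1. Vertical: is the route allowed for this role at all? Unknown routes are denied.
    if role not in ROLE_ROUTES.get(route, set()):
        return False, "role '%s' may not access %s" % (role, route)

    # 2. Horizontal / data-context: does the caller own the object named in the request?
    if route == "/getUserProfile":
        profile = PROFILES.get(params.get("id"))
        if profile is None:
            return False, "no such profile"
        if profile["owner"] != username and role != "admin":
            return False, "profile %s belongs to another user" % params["id"]

    # 3. Business logic: every earlier step must already be completed by this user.
    if route == "/shop":
        action = params.get("action")
        if action not in SHOP_FLOW:
            return False, "unknown action"
        completed = shop_state.setdefault(username, set())
        missing = [s for s in SHOP_FLOW[:SHOP_FLOW.index(action)] if s not in completed]
        if missing:
            return False, "must complete %s before %s" % (missing[0], action)
        completed.add(action)

    return True, "ok"


if __name__ == "__main__":
    state = {}
    requests = [
        ("alice", "/mainPage", {}),
        ("alice", "/adminPage", {}),                       # vertical attack
        ("alice", "/getUserProfile", {"id": 1337}),
        ("alice", "/getUserProfile", {"id": 1338}),        # horizontal attack
        ("alice", "/shop", {"action": "downloadMovie"}),   # business-logic attack
        ("alice", "/shop", {"action": "chooseFormat"}),
        ("alice", "/shop", {"action": "makePayment"}),
        ("alice", "/shop", {"action": "downloadMovie"}),
    ]
    for user, route, params in requests:
        print(user, route, params, "->", authorize(user, route, params, state))
```

Two design points carry the weight here: the check runs on every request rather than being left to each page, so forgetting it on `adminPage` is impossible by construction, and the ownership and workflow state live on the server, so a client cannot claim to have paid by editing a parameter.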
  44-46. Open Web Application Security Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software; ● Best practices; ● OWASP Top 10;
  47. OWASP TOP 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  48. OWASP Vulnerable Web Applications Directory ● Vulnerable web applications for web developers, security auditors and pentesters. ● Offline, Online, Virtual Machines and ISOs. https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
  49-51. Portswigger Burp Suite ● Integrated platform for web application security tests. ● Has a free version and is cross platform. ● Not only for infosec people: devs should use it.
