SlideShare a Scribd company logo

Become a Security Ninja

Paul Gilzow
Paul Gilzow

Insecure software undermines our infrastructure and puts our organizations at risk. Whether you’re a new developer, a designer who is beginning to experiment with programming, or a seasoned developer looking for a refresher, join us as we discuss why attacks happen, go over the most common vulnerabilities and techniques you can use to code defensively. This hands-on workshop will feature real-world hacking exercises that correspond to each of the Open Web Application Security Project (OWASP) top 10 vulnerabilities, helping to hone your skills as a security ninja!

Technology
1 of 84
Download to read offline
BECOME A SECURITY NINJA Don’t let your code be low-hanging fruit Paul Gilzow
 gilzow@missouri.edu
 Twitter: @gilzow
 Facebook: /gilzow
 https://www.linkedin.com/in/gilzow
What we will talk about Get our example files up and running What is OWASP What is the OWASP Top 10 The Current Top 10 Web Security Risks ATTACK!
Set Up Our Exercise files Log into your Digital Ocean account
 https://cloud.digitalocean.com/login
 
 
 
 
 
 
 

Set Up Our Exercise files Click on “Create Droplet”
 
 
 
 
 
 
 
 
 
 

Set Up Our Exercise files Choose a size Click on “One-click apps”
 
 
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files Click on Docker
 
 
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files Scroll to the bottom of the page Click the “Create” button
 
 
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files Once the instance is created, check your email for the credentials In your ssh client, log into your new instance
 
 
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files You’ll need to change your password the first time you login
 
 
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files At the prompt type in
 
 docker run -d -p 8899:80 opendns/security-ninjas Docker will download and install the security-ninjas container
 
 
 
 
 
 
 
 
 

Set Up Our Excersice files Open your browser and go to your droplet ip address, port 8899
 e.g. http://45.55.167.245:8899
 
 
 
 
 
 
 
 
 

What is OWASP Open Web Application Security Project Worldwide non-project organization focused on improving software security by raising awareness Started in 2001 Hundreds of local chapters throughout the world, with over a hundred in the U.S.
Current State of Web App security 160% increase in websites hosting malware between 2015 and 20161 55% of web apps have at least one high-severity vulnerability, up 9% from 2015 to 20162 84% are suscptible to at least one medium-serverity vulnerability2 Average of 15 vulnerabilities per site3 1 - Google Transparency Report, 2016 2 - Acunetix Web Application Vulnerability report 2016 3 - White Hat Security Web Applications Security Statistics Report 2016
Education, 49% of sites had at least one vulnerability every day of the year1 Education, average of 28 vulnerabilities per site, 15 of those serious1 Education, took an average of 4 months to remediate issues1 1 - White Hat Security Web Applications Security Statistics Report 2016 Education Industry Current State of Web App security
Why Education is an attractive target Network capacity and availability Rich in hardware infrastructure Poor in human resources Resistant to blacklisting SEO reputation Personally Identifiable Information (PII) / Sensitive Personal Information (SPI) Confidential Research Data / Proprietary Intellectual Property
What is the OWASP Top 10 Not a standard, but an awareness document 10 Most Critical Web Application Security Risks For each risk, it includes Description Example vulnerabilities Example Attacks Guidance on how to avoid First released in 2003, refreshed every 3 years Current version is from 2013, next version due out late this year, early 2017
Current Top 10 (as of 2013) 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object Reference 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards
A1. Injection • Untrusted/tainted data is sent to an interpreter as part of a command or query. • Interpreter is tricked into executing unintended commands What is it?
A1. Injection • HTML/Javascript • SQL • LDAP • Xpath/Xquery • Anything that accepts input and executes What is susceptible?
A1. Injection
A1. Injection • Failure to separate untrusted data with commands sent to an interpreter • Lack of input validation and/or input sanitation • Attacker is able to change execution context Why does it happen?
A1. Injection • SQL Injection
 
 
 SELECT UserId, Name, Password FROM Users WHERE UserId = $input;
 
 Becomes
 
 SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
 
 
 Examples
A1. Injection ATTACK!
A1. Injection • Use APIs that provide parameterized/sanitized interfaces • Validate input against a whitelist (do NOT use a blacklist) • Escape any special characters that you whitelist
 
 
 Prevention
A2. Broken Authentication and Session Management • Failure to protect credentials and session tokens throughout the lifecycle of the session • Weak authentication logic • Imperfect implementation What is it?
A2. Broken Authentication and Session Management • Passing the session ID as a parameter in the URL • Using a predictable value for the session ID • User credentials passed unencrypted • Poor username and password recovery functions Why does it happen?
A2. Broken Authentication and Session Management ATTACK!
A2. Broken Authentication and Session Management • Never send credentials/sensitive data in the clear; use SSL • Protect secrets throughout their lifecycle • Don’t expose credentials (including session IDs) in the URL or logs • Use centralized authentication and session management APIs, if available • Implement strong account management functions (e.g., account creation, change password, recover password, etc.) • Use strong algorithms to generate (random) secrets • Do not rely on untrustworthy information for authentication (e.g. IP address, referrer, etc.) Prevention
A2. Broken Authentication and Session Management • Use a different session ID after authentication or whenever authorization/permission levels change • Destroy/invalidate the session ID completely after the log out method has completed • Enforce session timeouts • Protect against Cross-Site Scripting (XSS) Prevention
A3. Cross-Site Scripting (XSS) • Similar to injection, but the intended target is a user’s browser: the user’s browser is tricked into executing unintended commands • Usually in the form of HTML code or client-side scripts • Occurs when an application takes unstrusted data from the user and sends it back to the browser without validation or encoding • Exploits the trust the user has for a site What is it?
If an attacker controls your browser, it is no longer your browser
A3. Cross-Site Scripting • Failure to separate untrusted data with commands • Lack of input validation and/or input sanitation • Attacker is able to change execution context Why does it happen?
A3. Cross-Site Scripting • Reflected • Stored (aka persistent) • Dom based Types
A3. Cross-Site Scripting • Data from the URL is used in the creation of the page • Attacker tricks/entices user to click the exploited URL • Web application reflects the payload back to the user’s browser where it is executed as if it came from the originating site Types: Reflected
A3. Cross-Site Scripting Types: Reflected Example
A3. Cross-Site Scripting • Injected script is stored on the target server • The injection script is then sent to visitors of the site • Vicitim’s browser then executes the injected script as it believes it came from the originating site • Delayed (aka “Blind”) refers to the payload being executed at a later time, possibly in a completely different system (e.g. Log viewers, customer service apps, etc.) Types: Stored/Persistent
A3. Cross-Site Scripting • Similar to reflected but instead of tricking the user’s browser to exectute script, tricks legitimate client side script into executing the payload • The attack payload is executed as a result of modifying the DOM environment in the victim’s browser used by the original client side script, so that the client side code runs in an unexpected manner • More prevalent now than in the past due to the increase use in javascript and vulnerable javascript libraries (almost 200% increase between 2015 and 20161 ) Types: Dom-based (aka Client Side) 1 - Acunetix web application vulnerability report 2016, pg 5
A3. Cross-Site Scripting Types: Dom-based Example
A3. Cross-Site Scripting Types: Dom-based Example, cont.
A3. Cross-Site Scripting ATTACK!
A3. Cross-Site Scripting • Implicitly deny • Validate all input, regardless of where it comes from • Context-based output encoding Prevention
A3. Cross-Site Scripting • HTML Element Content
 <div>DATA</div> • HTML Attribute Values
 <input name=“DATA” type=“text” value=“DATA” /> • Javascript Data
 <script>someFunc(‘DATA’);</script> • CSS Property Values
 .foo a:hover{ color: DATA } • URI Attribute VAlues
 <a href=“/search/?q=DATA”> Prevention - Context-based output encoding • ( &, <, >, “) —> &entity; 
 ( ‘, / ) —> &#DDD; or &#xHH; (UTF-8 encode) • All non-alphanumeric —> &#xHH; • All non-alphanumeric —> xHH • All non-alphanumeric —> HH • All non-alphanumeric —> %HH
A3. Cross-Site Scripting • Implicitly deny • Validate all input, regardless of where it comes from • Context-based output encoding • Content-Security-Policy headers Prevention
A3. Cross-Site Scripting Set of HTTP Response headers (or can be implemented via meta element) that defines where resources can be loaded from, preventing users’ browser from loading data from any other locations.
 
 Header Set Content-Security-Policy: script-src 'self' https://apis.google.com
 
 <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> Prevention - Content-Security-Policy headers
A3. Cross-Site Scripting Prevention - Content-Security-Policy headers
A3. Cross-Site Scripting Prevention - Content-Security-Policy headers http://caniuse.com/#feat=contentsecuritypolicy
A4. Insecure Direct Object References • Occurs when a reference to an internal implementation object (file, directory, database record/key) is exposed as a URL or form parameter • Without subsequent authorization checks, an attacker can manipulate these parameters to access unauthorized data What is it?
A4. Insecure Direct Object References Examples
A4. Insecure Direct Object References Examples http://foo.bar.edu/file.php?file=report.txt http://foo.bar.edu/file.php?file=../../app/config/database
A4. Insecure Direct Object References ATTACK!
A4. Insecure Direct Object References • Do not expose internal keys or identifiers for objects • Use object references that are difficult to guess • Perform server-side authorization checks for object access Prevention
A5. Security Misconfiguration • Security issues anywhere in the stack • Framework • Application Server • Web Server • Database Server • Operating System • 3rd party contols/modules What is it?
A5. Security Misconfiguration • Application dumps stack trace or reveals other debugging information • Default passwords not changed • Out-of-date software • Directory listings enabled Examples
A5. Security Misconfiguration ATTACK!
A5. Security Misconfiguration • Security hardening throughout the entire application stack • Change default passwords • Disable/remove debugging message and overly informative error messages in production • Remove unnecessary/unused features/modules/ components Prevention
A6. Sensitive Data Exposure • Storing and transmitting sensitive data insecurely, due to: • Failure to identify all sensitive data • Failure to identify all locations where sensitive data is stored (database, files, logs, backups, etc) • Failure to identify all locations sensitive data is sent (web, databases, internal communications, external business partners) What is it?
A6. Sensitive Data Exposure • Debugging information in comments of ouput sent to the browser • Application that stores sensitive data (correctly) encoutners an error and logs that data insecurely Examples
A6. Sensitive Data Exposure ATTACK!
A6. Sensitive Data Exposure Prevention
Someone can’t steal it if you don’t have it
A6. Sensitive Data Exposure • Don’t store sensitive data if you don’t need it • Catalog all sensitive data and where it is used • Disable caching of pages that contains sensitive data • Encrypt all sensitive data at rest and in transit • Use strong standard algorithms and strong keys Prevention
A7. Missing Function Level Access Controls • Enforcing proper authorization for requests
 
 
 
 
 What is it?
A7. Missing Function Level Access Controls Examples
A7. Missing Function Level Access Controls • Attacker notices the URL structure indicates his role
 https://example.com/user/getAccount • Attacker modifies it to another role
 https://example.com/admin/getAccount • The application fails to do a server-side check to verify the request is coming from a user with the proper authorization and the attacker now has access to data on any account Examples
A7. Missing Function Level Access Controls ATTACK!
A7. Missing Function Level Access Controls • Deny by default • Perform server-side checks for every function/action that requires authorization • Server-side checks should not rely soley on information provided by the client Prevention
A8. Cross-Site Request Forgery • Victim’s browser is tricked into issuing commands to a vulnerable web application, to perform an unwanted action on a trusted site for which the user is currently authenticated. • Web browsers automatically include credentials (cookies, sessions, basic authentication headers) with each request, even for requests initiated by a form, script or image on another site • Server-side code processes requests as if they came from the authenticated user • Often combined with Cross-Site Scripting What is it?
A8. Cross-Site Request Forgery • Application is built to allow a state change via URL parameters
 
 http://bankx.com/app?action=transfer&amount=3500&destinationAccount=4673243243 • Attacker constructs a request that will transfer funds to to their account and embeds the requests on sites he controls. He then tricks the victim into visiting the site
 
 Examples <img src="http://bankx.com/app?action=transfer&amount=14000&destinationAccount=attackersAcct#" width="0" height="0" />
A8. Cross-Site Request Forgery ATTACK!
A8. Cross-Site Request Forgery • Eliminate all XSS vulnerabilities in your application • Never allow changes to data via a GET request • Check Origin and Referer headers as a first step • Include a per-request, cryptographically strong or random token to all forms, where the verification token is not provided by the browser • Require reauthentication for sensitive transactions Prevention
A9. Using Components with Known Vulnerabilities • Using third-party controls/modules/frameworks with known vulnerabilities anywhere in the stack can be discovered and exploited by automated tools • Third-party libraries/frameworks in an application typically run with the same privileges as the application • Those vulnerabilities can undermine other defenses What is it?
A9. Using Components with Known Vulnerabilities ATTACK!
A9. Using Components with Known Vulnerabilities • Identify all third-party components in your applications, and potentially throughout the entire stack • Uninstall/disable all third-party components that are not being used • Monitor the security of these components in public databases (CVE, NVD, etc.), security mailing lists • Keep third-party components up-to-date religiously • Develop a security policy on third-party component use Prevention
A10. Unvalidated Redirects and Forwards • Application takes input from an external source that is then used to formulate a redirection or forward location without validation • Attacker links to an unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site
 
 https://www.irs.gov/taxrefund/claim.jsp? year=2015&dest=ev.il/sDfX4 What is it?
A10. Unvalidated Redirects and Forwards • Application uses forwards to route requests between different parts of the site. Pages use a parameter to indicate where the user should be sent if a transaction is successful. • Attacker crafts a URL that will pass the application’s access control check (or is missing control checks) and then forwards the attacker to administrative functionality for which the attacker isn’t authorized. What is it?
A10. Unvalidated Redirects and Forwards ATTACK!
A10. Unvalidated Redirects and Forwards • Don’t use them unless you absolutely have to • Avoid using user input to detemine destination URL • Whitelist allowed pages or external sites • Ensure URL is valid and authorized for the user Prevention
Developer Take-aways
Security is a process, not an event.
Developer Take-aways • Security is a process, not an event • Build security into the software development life-cycle
 
 
 
 
 

Be paranoid; be skeptical
Developer Take-aways • Security is a process, not an event • Build security into the software development life-cycle • Be paranoid; be skeptical • Treat all data as tainted • Validate data first (whitelist), then filter (blacklist) • Validate/clean as early in the process as possible • Encode data appropriately before sending to the client • Never rely on client-side checks
Developer Take-aways • Defense-in-depth • Principle of Least Privilege • Limit access to everything • Enforce strong passwords • Don’t harcode secrets in source code • Keep third-party components up-to-date • Error handling and Debug information Continued
Questions? Contact gilzow@missouri.edu @gilzow on twitter Example Files: https://github.com/opendns/ Security_Ninjas_AppSec_Training Slidedeck: https://github.com/gilzow/security-ninja/

Recommended

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 

Recommended

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangersdrkimsky
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014ColdFusionConference
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Abhinav Sejpal
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

More Related Content

What's hot

Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangersdrkimsky
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Abhinav Sejpal
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 

What's hot (20)

Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangers
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2Owasp top 10 web application security hazards part 2
Owasp top 10 web application security hazards part 2
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 

Similar to Become a Security Ninja

Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patternsStephen de Vries
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET ApplicationIron Speed
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 

Similar to Become a Security Ninja (20)

Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patterns
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Web security
Web securityWeb security
Web security
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Become a Security Ninja

  • 1. BECOME A SECURITY NINJA Don’t let your code be low-hanging fruit Paul Gilzow
 gilzow@missouri.edu
 Twitter: @gilzow
 Facebook: /gilzow
 https://www.linkedin.com/in/gilzow
  • 2. What we will talk about Get our example files up and running What is OWASP What is the OWASP Top 10 The Current Top 10 Web Security Risks ATTACK!
  • 3. Set Up Our Exercise files Log into your Digital Ocean account
 https://cloud.digitalocean.com/login
 
 
 
 
 
 
 

  • 4. Set Up Our Exercise files Click on “Create Droplet”
 
 
 
 
 
 
 
 
 
 

  • 5. Set Up Our Exercise files Choose a size Click on “One-click apps”
 
 
 
 
 
 
 
 
 
 
 

  • 6. Set Up Our Excersice files Click on Docker
 
 
 
 
 
 
 
 
 
 
 

  • 7. Set Up Our Excersice files Scroll to the bottom of the page Click the “Create” button
 
 
 
 
 
 
 
 
 
 
 

  • 8. Set Up Our Excersice files Once the instance is created, check your email for the credentials In your ssh client, log into your new instance
 
 
 
 
 
 
 
 
 
 
 

  • 9. Set Up Our Excersice files You’ll need to change your password the first time you login
 
 
 
 
 
 
 
 
 
 
 

  • 10. Set Up Our Excersice files At the prompt type in
 
 docker run -d -p 8899:80 opendns/security-ninjas Docker will download and install the security-ninjas container
 
 
 
 
 
 
 
 
 

  • 11. Set Up Our Excersice files Open your browser and go to your droplet ip address, port 8899
 e.g. http://45.55.167.245:8899
 
 
 
 
 
 
 
 
 

  • 12. What is OWASP Open Web Application Security Project Worldwide non-project organization focused on improving software security by raising awareness Started in 2001 Hundreds of local chapters throughout the world, with over a hundred in the U.S.
  • 13. Current State of Web App security 160% increase in websites hosting malware between 2015 and 20161 55% of web apps have at least one high-severity vulnerability, up 9% from 2015 to 20162 84% are suscptible to at least one medium-serverity vulnerability2 Average of 15 vulnerabilities per site3 1 - Google Transparency Report, 2016 2 - Acunetix Web Application Vulnerability report 2016 3 - White Hat Security Web Applications Security Statistics Report 2016
  • 14. Education, 49% of sites had at least one vulnerability every day of the year1 Education, average of 28 vulnerabilities per site, 15 of those serious1 Education, took an average of 4 months to remediate issues1 1 - White Hat Security Web Applications Security Statistics Report 2016 Education Industry Current State of Web App security
  • 15. Why Education is an attractive target Network capacity and availability Rich in hardware infrastructure Poor in human resources Resistant to blacklisting SEO reputation Personally Identifiable Information (PII) / Sensitive Personal Information (SPI) Confidential Research Data / Proprietary Intellectual Property
  • 16. What is the OWASP Top 10 Not a standard, but an awareness document 10 Most Critical Web Application Security Risks For each risk, it includes Description Example vulnerabilities Example Attacks Guidance on how to avoid First released in 2003, refreshed every 3 years Current version is from 2013, next version due out late this year, early 2017
  • 17. Current Top 10 (as of 2013) 1. Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object Reference 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards
  • 18. A1. Injection • Untrusted/tainted data is sent to an interpreter as part of a command or query. • Interpreter is tricked into executing unintended commands What is it?
  • 19. A1. Injection • HTML/Javascript • SQL • LDAP • Xpath/Xquery • Anything that accepts input and executes What is susceptible?
  • 21. A1. Injection • Failure to separate untrusted data with commands sent to an interpreter • Lack of input validation and/or input sanitation • Attacker is able to change execution context Why does it happen?
  • 22. A1. Injection • SQL Injection
 
 
 SELECT UserId, Name, Password FROM Users WHERE UserId = $input;
 
 Becomes
 
 SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
 
 
 Examples
  • 24. A1. Injection • Use APIs that provide parameterized/sanitized interfaces • Validate input against a whitelist (do NOT use a blacklist) • Escape any special characters that you whitelist
 
 
 Prevention
  • 25. A2. Broken Authentication and Session Management • Failure to protect credentials and session tokens throughout the lifecycle of the session • Weak authentication logic • Imperfect implementation What is it?
  • 26. A2. Broken Authentication and Session Management • Passing the session ID as a parameter in the URL • Using a predictable value for the session ID • User credentials passed unencrypted • Poor username and password recovery functions Why does it happen?
  • 27. A2. Broken Authentication and Session Management ATTACK!
  • 28. A2. Broken Authentication and Session Management • Never send credentials/sensitive data in the clear; use SSL • Protect secrets throughout their lifecycle • Don’t expose credentials (including session IDs) in the URL or logs • Use centralized authentication and session management APIs, if available • Implement strong account management functions (e.g., account creation, change password, recover password, etc.) • Use strong algorithms to generate (random) secrets • Do not rely on untrustworthy information for authentication (e.g. IP address, referrer, etc.) Prevention
  • 29. A2. Broken Authentication and Session Management • Use a different session ID after authentication or whenever authorization/permission levels change • Destroy/invalidate the session ID completely after the log out method has completed • Enforce session timeouts • Protect against Cross-Site Scripting (XSS) Prevention
  • 30. A3. Cross-Site Scripting (XSS) • Similar to injection, but the intended target is a user’s browser: the user’s browser is tricked into executing unintended commands • Usually in the form of HTML code or client-side scripts • Occurs when an application takes unstrusted data from the user and sends it back to the browser without validation or encoding • Exploits the trust the user has for a site What is it?
  • 31. If an attacker controls your browser, it is no longer your browser
  • 32. A3. Cross-Site Scripting • Failure to separate untrusted data with commands • Lack of input validation and/or input sanitation • Attacker is able to change execution context Why does it happen?
  • 33. A3. Cross-Site Scripting • Reflected • Stored (aka persistent) • Dom based Types
  • 34. A3. Cross-Site Scripting • Data from the URL is used in the creation of the page • Attacker tricks/entices user to click the exploited URL • Web application reflects the payload back to the user’s browser where it is executed as if it came from the originating site Types: Reflected
  • 35. A3. Cross-Site Scripting Types: Reflected Example
  • 36. A3. Cross-Site Scripting • Injected script is stored on the target server • The injection script is then sent to visitors of the site • Vicitim’s browser then executes the injected script as it believes it came from the originating site • Delayed (aka “Blind”) refers to the payload being executed at a later time, possibly in a completely different system (e.g. Log viewers, customer service apps, etc.) Types: Stored/Persistent
  • 37. A3. Cross-Site Scripting • Similar to reflected but instead of tricking the user’s browser to exectute script, tricks legitimate client side script into executing the payload • The attack payload is executed as a result of modifying the DOM environment in the victim’s browser used by the original client side script, so that the client side code runs in an unexpected manner • More prevalent now than in the past due to the increase use in javascript and vulnerable javascript libraries (almost 200% increase between 2015 and 20161 ) Types: Dom-based (aka Client Side) 1 - Acunetix web application vulnerability report 2016, pg 5
  • 38. A3. Cross-Site Scripting Types: Dom-based Example
  • 39. A3. Cross-Site Scripting Types: Dom-based Example, cont.
  • 41. A3. Cross-Site Scripting • Implicitly deny • Validate all input, regardless of where it comes from • Context-based output encoding Prevention
  • 42. A3. Cross-Site Scripting • HTML Element Content
 <div>DATA</div> • HTML Attribute Values
 <input name=“DATA” type=“text” value=“DATA” /> • Javascript Data
 <script>someFunc(‘DATA’);</script> • CSS Property Values
 .foo a:hover{ color: DATA } • URI Attribute VAlues
 <a href=“/search/?q=DATA”> Prevention - Context-based output encoding • ( &, <, >, “) —> &entity; 
 ( ‘, / ) —> &#DDD; or &#xHH; (UTF-8 encode) • All non-alphanumeric —> &#xHH; • All non-alphanumeric —> xHH • All non-alphanumeric —> HH • All non-alphanumeric —> %HH
  • 43. A3. Cross-Site Scripting • Implicitly deny • Validate all input, regardless of where it comes from • Context-based output encoding • Content-Security-Policy headers Prevention
  • 44. A3. Cross-Site Scripting Set of HTTP Response headers (or can be implemented via meta element) that defines where resources can be loaded from, preventing users’ browser from loading data from any other locations.
 
 Header Set Content-Security-Policy: script-src 'self' https://apis.google.com
 
 <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> Prevention - Content-Security-Policy headers
  • 45. A3. Cross-Site Scripting Prevention - Content-Security-Policy headers
  • 46. A3. Cross-Site Scripting Prevention - Content-Security-Policy headers http://caniuse.com/#feat=contentsecuritypolicy
  • 47. A4. Insecure Direct Object References • Occurs when a reference to an internal implementation object (file, directory, database record/key) is exposed as a URL or form parameter • Without subsequent authorization checks, an attacker can manipulate these parameters to access unauthorized data What is it?
  • 48. A4. Insecure Direct Object References Examples
  • 49. A4. Insecure Direct Object References Examples http://foo.bar.edu/file.php?file=report.txt http://foo.bar.edu/file.php?file=../../app/config/database
  • 50. A4. Insecure Direct Object References ATTACK!
  • 51. A4. Insecure Direct Object References • Do not expose internal keys or identifiers for objects • Use object references that are difficult to guess • Perform server-side authorization checks for object access Prevention
  • 52. A5. Security Misconfiguration • Security issues anywhere in the stack • Framework • Application Server • Web Server • Database Server • Operating System • 3rd party contols/modules What is it?
  • 53. A5. Security Misconfiguration • Application dumps stack trace or reveals other debugging information • Default passwords not changed • Out-of-date software • Directory listings enabled Examples
  • 55. A5. Security Misconfiguration • Security hardening throughout the entire application stack • Change default passwords • Disable/remove debugging message and overly informative error messages in production • Remove unnecessary/unused features/modules/ components Prevention
  • 56. A6. Sensitive Data Exposure • Storing and transmitting sensitive data insecurely, due to: • Failure to identify all sensitive data • Failure to identify all locations where sensitive data is stored (database, files, logs, backups, etc) • Failure to identify all locations sensitive data is sent (web, databases, internal communications, external business partners) What is it?
  • 57. A6. Sensitive Data Exposure • Debugging information in comments of ouput sent to the browser • Application that stores sensitive data (correctly) encoutners an error and logs that data insecurely Examples
  • 58. A6. Sensitive Data Exposure ATTACK!
  • 59. A6. Sensitive Data Exposure Prevention
  • 60. Someone can’t steal it if you don’t have it
  • 61. A6. Sensitive Data Exposure • Don’t store sensitive data if you don’t need it • Catalog all sensitive data and where it is used • Disable caching of pages that contains sensitive data • Encrypt all sensitive data at rest and in transit • Use strong standard algorithms and strong keys Prevention
  • 62. A7. Missing Function Level Access Controls • Enforcing proper authorization for requests
 
 
 
 
 What is it?
  • 63. A7. Missing Function Level Access Controls Examples
  • 64. A7. Missing Function Level Access Controls • Attacker notices the URL structure indicates his role
 https://example.com/user/getAccount • Attacker modifies it to another role
 https://example.com/admin/getAccount • The application fails to do a server-side check to verify the request is coming from a user with the proper authorization and the attacker now has access to data on any account Examples
  • 65. A7. Missing Function Level Access Controls ATTACK!
  • 66. A7. Missing Function Level Access Controls • Deny by default • Perform server-side checks for every function/action that requires authorization • Server-side checks should not rely soley on information provided by the client Prevention
  • 67. A8. Cross-Site Request Forgery • Victim’s browser is tricked into issuing commands to a vulnerable web application, to perform an unwanted action on a trusted site for which the user is currently authenticated. • Web browsers automatically include credentials (cookies, sessions, basic authentication headers) with each request, even for requests initiated by a form, script or image on another site • Server-side code processes requests as if they came from the authenticated user • Often combined with Cross-Site Scripting What is it?
  • 68. A8. Cross-Site Request Forgery • Application is built to allow a state change via URL parameters
 
 http://bankx.com/app?action=transfer&amount=3500&destinationAccount=4673243243 • Attacker constructs a request that will transfer funds to to their account and embeds the requests on sites he controls. He then tricks the victim into visiting the site
 
 Examples <img src="http://bankx.com/app?action=transfer&amount=14000&destinationAccount=attackersAcct#" width="0" height="0" />
  • 69. A8. Cross-Site Request Forgery ATTACK!
  • 70. A8. Cross-Site Request Forgery • Eliminate all XSS vulnerabilities in your application • Never allow changes to data via a GET request • Check Origin and Referer headers as a first step • Include a per-request, cryptographically strong or random token to all forms, where the verification token is not provided by the browser • Require reauthentication for sensitive transactions Prevention
  • 71. A9. Using Components with Known Vulnerabilities • Using third-party controls/modules/frameworks with known vulnerabilities anywhere in the stack can be discovered and exploited by automated tools • Third-party libraries/frameworks in an application typically run with the same privileges as the application • Those vulnerabilities can undermine other defenses What is it?
  • 72. A9. Using Components with Known Vulnerabilities ATTACK!
  • 73. A9. Using Components with Known Vulnerabilities • Identify all third-party components in your applications, and potentially throughout the entire stack • Uninstall/disable all third-party components that are not being used • Monitor the security of these components in public databases (CVE, NVD, etc.), security mailing lists • Keep third-party components up-to-date religiously • Develop a security policy on third-party component use Prevention
  • 74. A10. Unvalidated Redirects and Forwards • Application takes input from an external source that is then used to formulate a redirection or forward location without validation • Attacker links to an unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site
 
 https://www.irs.gov/taxrefund/claim.jsp? year=2015&dest=ev.il/sDfX4 What is it?
  • 75. A10. Unvalidated Redirects and Forwards • Application uses forwards to route requests between different parts of the site. Pages use a parameter to indicate where the user should be sent if a transaction is successful. • Attacker crafts a URL that will pass the application’s access control check (or is missing control checks) and then forwards the attacker to administrative functionality for which the attacker isn’t authorized. What is it?
  • 76. A10. Unvalidated Redirects and Forwards ATTACK!
  • 77. A10. Unvalidated Redirects and Forwards • Don’t use them unless you absolutely have to • Avoid using user input to detemine destination URL • Whitelist allowed pages or external sites • Ensure URL is valid and authorized for the user Prevention
  • 79. Security is a process, not an event.
  • 80. Developer Take-aways • Security is a process, not an event • Build security into the software development life-cycle
 
 
 
 
 

  • 81. Be paranoid; be skeptical
  • 82. Developer Take-aways • Security is a process, not an event • Build security into the software development life-cycle • Be paranoid; be skeptical • Treat all data as tainted • Validate data first (whitelist), then filter (blacklist) • Validate/clean as early in the process as possible • Encode data appropriately before sending to the client • Never rely on client-side checks
  • 83. Developer Take-aways • Defense-in-depth • Principle of Least Privilege • Limit access to everything • Enforce strong passwords • Don’t harcode secrets in source code • Keep third-party components up-to-date • Error handling and Debug information Continued
  • 84. Questions? Contact gilzow@missouri.edu @gilzow on twitter Example Files: https://github.com/opendns/ Security_Ninjas_AppSec_Training Slidedeck: https://github.com/gilzow/security-ninja/