KharkivJS 2018 Information Security Practice

Real examples of hacking: a set of demos for JavaScript developers built on a Twitter-like application written in ReactJs and NodeJs. We run real code and real exploits during the demo.

  1. Viktor Turskyi. Information Security Practice, 2018
  2. Viktor Turskyi
     ● CEO at WebbyLab
     ● 15 years in software development
  3. Why I talk about security?
     1. I switched to software development from IT security
     2. I have worked with software engineers for many years, and this topic is highly under-covered
     3. I have worked with different businesses for many years, and the risks are highly underestimated
     4. Governmental regulations (GDPR, PCI DSS, etc.)
     5. It makes you a better software engineer
     6. It is FUN!!
  4. What I will talk about?
     1. Not about the OWASP (Open Web Application Security Project) Top 10 report
     2. Not about security tools (Metasploit, sqlmap, etc.)
     3. Not about Content Security Policy
     4. Only practical cases that we have met in real life
     5. JavaScript-based demos
     6. Real cases simulated in an environment with:
        a. React frontend
        b. NodeJs backend
        c. Set of exploits
  5. Overview of the existing application
  6. Case 1: Email password recovery
  7. Case 1: Takeaways
     ● Mongo ObjectId: predictable (timestamp, per-process value, counter)
     ● UUID v1: predictable (unique, but not random: timestamp plus node/MAC address)
     ● UUID v4: only as unpredictable as its random source (fine with a CSPRNG, not with Math.random())
     ● Always think about the predictability of URLs, keys, etc.
  8. Case 2: Password recovery by SMS
  9. Case 2: Takeaways
     ● Think about brute force: reset actions, SMS codes, CAPTCHA codes
  10. Case 3: File paths
  11. Case 3: Takeaways
      ● Check your dependencies: use npm audit
      ● JWT vulnerability example
      ● Security is a question of trust (npm install, apt update)
  12. Case 4: Photos upload
  13. Case 4: Takeaways
      ● Think about edge cases
      ● Just know how the system works
  14. Case 5: Tweet creation
  15. Case 5: Takeaways
      ● Do not use regex for extracting script tags
      ● Use a sanitizer with tag and attribute white-listing
      ● CORS will allow you to do cross-domain requests
      ● XSS worm issues
  16. Case 6: HTML page parsing issue
  17. Case 6: Takeaways
      ● Know how the HTML page is parsed
      ● Think about the data usage context
  18. Case 7: Network risks
  19. Case 7: Takeaways
      ● Think about communication
      ● Get the whole picture
      ● Use HTTPS everywhere
  20. Cases 8..14
      ● Case 8: Clickjacking
      ● Case 9: Tabnabbing
      ● Case 10: CSRF (cookie, basic auth)
      ● Case 11: SQL injection (passed through an ORM)
      ● Case 12: ORM injection
      ● Case 13: Unsafe HTTPS redirect
      ● Case 14: target="_blank" (without rel="noopener noreferrer")
  21. Why I like information security
      ● Information security is about understanding how things work
      ● It makes you a better developer
      ● You can create more complex projects
      ● It is fun
  22. Thank you!
  23. Viktor Turskyi @koorchik