Pentesting for startups

Published in: Technology

1. Pentesting for startups
   - By Levi Gross

2. Shameless self promotion
   - I work at AxialMarket
   - Researching computer security for 11 years
   - Pentesting for 8 years
   - Python is my language of choice
   - Contact info
     - Blog: http://www.levigross.com
     - levi@levigross.com
     - @levigross

3. Disclaimer
   - This talk is strictly for educational purposes. I am not responsible for any outcome of this talk.
   - All images used in the subsequent slides are for informational purposes only and are owned by their respective copyright holders.

4. The cost of ignorance
   - Dropbox
   - Gawker
   - Sony

5. Python
   - Dangerous modules
     - Pickle
       - Code execution
     - urllib
       - SSL certs
       - file:// is valid
       - Redirects allow any file to be read (this was fixed in 2.7.2)
     - XSS in BaseHTTPServer
   - A wide open playground
     - But syntax is holy
     - Easy to execute code on the host system
       - eval
       - input
     - Unicode issues
     - C extensions

6. Django
   - Auth framework
   - Session framework
     - Uses unique hashes
     - Uses salted hashes
     - Can use MD5 and crypt but will auto upgrade
   - Basic global permission structure
   - Cache backend uses pickle
   - Default use of unicode
   - Default URLs
   - Exceptions don't propagate back to the user
   - Automatic variable escape
   - Built in CSRF protection
     - Unique hashes
     - In web forms as well as in the cookie

7. Ruby
   - $SAFE isn't really safe
     - Even level 4 can be bypassed by exceptions
     - Patched but still insecure
   - SSL verification is disabled by default
   - Global variables
   - Language syntax isn't holy
   - Eval
   - FileUtils
     - remove_entry_secure
   - WEBrick issues
   - Buffer overflow in ARGF.inplace_mode=
   - C extensions

8. Rails
   - Secure session framework
     - Try not to store data in cookies
     - Remember base64 is not a method of encryption
     - The database is your friend
     - No information should be put into cookies besides the hash
   - Signed cookies
   - REST
   - Basic permissions
   - Default variable escape
   - Escaping SQL statements

9. Information Disclosure
   - Your parts are showing

10. General Information Disclosure
   - Job sites
     - Internal
     - External
   - Exceptions propagating to the end user
     - Showing everyone what you are running
   - Post mortem blog posts
   - Google
     - Pastebins
     - Complaints
     - Stack Exchange
     - Github
     - Mailing lists
   - Anomalies
     - Forgotten password?
   - Just ask…
11. And so the fun begins…
   File "/opt/python/domains/bitbucket.org/2011-01-05/bitbucket/../bitbucket/apps/bb/clogging.py", line 60, in wrap
     return f(request, *args, **kwargs)
   File "/opt/python/domains/bitbucket.org/2011-01-05/bitbucket/../bitbucket/apps/bb/decorators.py", line 111, in wrap
     return f(req, *a, **kwa)
   File "/opt/python/domains/bitbucket.org/2011-01-05/bitbucket/../bitbucket/apps/bb/views.py", line 211, in frontpage
     newsfeed = load_from_store(request.user)
   File "/opt/python/domains/bitbucket.org/2011-01-05/bitbucket/../bitbucket/apps/bb/newsfeed.py", line 39, in load_from_store
     if not r.exists(key):
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 529, in exists
     return self.execute_command('EXISTS', name)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 330, in execute_command
     **options
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 309, in _execute_command
     self.connection.send(command, self)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 82, in send
     self.connect(redis_instance)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 67, in connect
     redis_instance._setup_connection()
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 424, in _setup_connection
     self.execute_command('SELECT', self.connection.db)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 330, in execute_command
     **options
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 312, in _execute_command
     return self.parse_response(command_name, **options)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 390, in parse_response
     response = self._parse_response(command_name, catch_errors)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 335, in _parse_response
     response = conn.read()[:-2] # strip last two characters (rn)
   File "/opt/python/domains/bitbucket.org/current/bitbucket/local/env/lib/python2.7/site-packages/redis/client.py", line 99, in read
     return self._fp.readline()
   File "/opt/python/2.7/lib/python2.7/socket.py", line 445, in readline
     data = self._sock.recv(self._rbufsize)
12. Pasting code into images

13. But wait there's more
   remote: Push worked, but post-receive failed: Connection reset by peer
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:234:in `ensure_connected'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:114:in `process'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:183:in `logging'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:113:in `process'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis/client.rb:38:in `call'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis.rb:428:in `sadd'
   remote: /usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-2.2.0/lib/redis.rb:427:in `sadd'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-namespace-0.8.0/lib/redis/namespace.rb:188:in `send'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/redis-namespace-0.8.0/lib/redis/namespace.rb:188:in `method_missing'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque.rb:184:in `watch_queue'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque.rb:129:in `push'
   remote: /data/github/current/vendor/gems/ruby/1.8/gems/resque-1.10.0/lib/resque/job.rb:51:in `create'
   remote: /data/github/current/lib/rock_queue.rb:58:in `enqueue'
   remote: /data/github/current/lib/rock_queue.rb:28:in `push'
   remote: hooks/post-receive:37
14. Not just code hosting sites

15. Django Information Disclosure
   - Using the default URLs
     - Default paths for media
     - Admin URLs
   - Putting DB fields in URLs
   - URLs == views
   - Switching GET and POST
   - Dajax
   - Celery
   - Piston
   - Template code in the HTML

16. Rails Information Disclosure
   - Using insecure gems
   - Don't let exceptions propagate to a user
   - Raw template code in the page
   - View logic written in JavaScript
   - Default URLs
   - Object IDs in the URL

17. Countermeasures
   - Never let exceptions propagate to the end user
   - Don't paste your raw tracebacks directly into any public online location
     - Sanitize them
   - Every bit of information that is released can be used against you
   - Don't rely on anything here for security

18. Build a profile of your target
   - Blackbox testing
   - Look for patterns
     - Corners cut
     - Style of code (HTML)
   - Learn about the application
   - Learn the problems/issues programmers face when dealing with these systems
   - Gauge difficulty

19. Time to kick down the door

20. Session Hijacking
   - TCP sniffing
   - Firesheep
   - ARP poisoning

21. HTTP Sessions in Django & Rails
   - Django
     - Each session is a unique hash value
     - Cookies can be read via JavaScript
     - Predictable cookie name 'sessionid'
     - Uses the pickle module
     - Defaults to an insecure cookie
     - Values are stored in the session backend
     - No default cookie domain
     - File backend allows for reading on the /tmp folder
     - Immune to classic cookie poisoning
   - Rails
     - Signed cookies
     - Default storage is to the cookie…

22. Session Hijacking in Django and Rails
   - Once you have the cookie you have the user….

23. Attack Scenarios
   - TCP sniffing
     - WiFi
     - ARP poisoning
   - Thank you SSL for being useless
   - Stealing cookies via a 3rd party site
   - Who needs passwords when you have sessions…

24. Countermeasures
   - General
     - Cycle sessions when the user authenticates
     - Use a cryptographic nonce
   - Django
     - Make sure you set the following settings
       - HTTP_ONLY (only in 1.3)
       - SECURE
     - Change the cookie name
     - Serialize using JSON or YAML
   - Rails
     - Sign cookies
     - Make the cookies secure and HTTP only
     - Use the DB to store session data
     - Clear the sessions after login
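The Django items on the countermeasures slide, turned into an added settings audit (example code, not from the talk). The setting names are real Django settings; SESSION_SERIALIZER arrived after this talk (Django 1.5.3) and is what "serialize using JSON" maps to, and the weak/hardened settings objects are constructed.

```python
"""Audit a Django settings object for the session-cookie hardening points on
the slide: Secure, HttpOnly, non-default name, non-pickle serializer, no
file backend in the shared temp dir, Secure CSRF cookie.  Missing attributes
fall back to the Django 1.3-era defaults so an unset value is reported."""
from types import SimpleNamespace

DEFAULT_COOKIE_NAME = "sessionid"
PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"
FILE_BACKEND = "django.contrib.sessions.backends.file"
DB_BACKEND = "django.contrib.sessions.backends.db"


def audit_session_settings(settings) -> list:
    """Return a list of findings; an empty list means every check passed.

    `settings` is anything with attribute access (django.conf.settings or
    the SimpleNamespace objects constructed below).
    """
    def get(name, default):
        return getattr(settings, name, default)

    findings = []
    if not get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE is False: the session id travels over "
                        "plain HTTP and can be sniffed (Firesheep, ARP poisoning)")
    if not get("SESSION_COOKIE_HTTPONLY", False):
        findings.append("SESSION_COOKIE_HTTPONLY is False: document.cookie exposes the "
                        "session id to any injected script")
    if get("SESSION_COOKIE_NAME", DEFAULT_COOKIE_NAME) == DEFAULT_COOKIE_NAME:
        findings.append("SESSION_COOKIE_NAME is the predictable default 'sessionid'")
    if get("SESSION_SERIALIZER", PICKLE_SERIALIZER) == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER is pickle: anyone who can write session "
                        "data can execute code on the server")
    if get("SESSION_ENGINE", DB_BACKEND) == FILE_BACKEND and not get("SESSION_FILE_PATH", None):
        findings.append("file session backend with no SESSION_FILE_PATH: sessions are "
                        "written to the shared temp directory")
    if not get("CSRF_COOKIE_SECURE", False):
        findings.append("CSRF_COOKIE_SECURE is False: the CSRF cookie is sent over plain HTTP")
    return findings


# Constructed settings: nothing set (1.3-era defaults), the file backend
# with no path, and a hardened configuration.
WEAK_SETTINGS = SimpleNamespace()
FILE_SETTINGS = SimpleNamespace(SESSION_ENGINE=FILE_BACKEND)
HARDENED_SETTINGS = SimpleNamespace(
    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_NAME="axs",            # constructed, non-default name
    SESSION_SERIALIZER=JSON_SERIALIZER,
    SESSION_ENGINE=DB_BACKEND,
    CSRF_COOKIE_SECURE=True,
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("file", FILE_SETTINGS),
                       ("hardened", HARDENED_SETTINGS)):
        findings = audit_session_settings(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```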
25. XSS (Cross site scripting)
   - Enables attackers to inject client-side script (HTML/JS) into web pages viewed by other users.

26. XSS in Django
   - Auto escapes ' < > & " with their "safe alternatives"
   - Problems
     - Any other unicode will bypass this check
     - If items are not properly quoted you can still inject attributes into tags
     - Other special characters aren't escaped ( )
   - Designers
     - Hate |safe and just use {% autoescape off %}

27. XSS in Rails
   - 2.x
     - Variables aren't automatically escaped
     - Tags are stripped using the strip_tags method
   - 3.x
     - Automatic variable escape
     - Unless you use raw
     - or some other function that doesn't return safe output
   - Attack
     - White lists are useless
       - selselectect <scri<script>pt>
     - Sanitizing the HTML special characters has the same issue Django has
     - Tags that don't sanitize
     - Concatenation will remove any escaping
     - Sanitizing doesn't always work
     - AJAX still isn't escaped

28. Attack Scenarios
   - Steal user info
   - Change user settings
   - Steal an admin cookie and add yourself as an admin user
   - Execute code as an admin to add yourself as an admin user

29. Countermeasures
   - General
     - Force the browser to use UTF-8
     - Never trust user input
     - Don't use user input for HTML tag attributes
     - Take a page out of the Python zen: "In the face of ambiguity, refuse the temptation to guess."
   - Django
     - Use the OWASP ESAPI
     - If you need styling
       - Use sanitizers
         - lxml
         - bleach
       - Use markdown
     - Use whitelists not blacklists
   - Rails
     - Escape all user input
     - before_filter :only => […] instead of :except => […]
     - Use sanitizers
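An added example (not from the talk) of the "not properly quoted" point on the Django XSS slide and of why the countermeasure says not to put user input in tag attributes: html.escape(quote=True) replaces the same five characters as Django's escape filter, so it stands in for {{ value }} here, and the two templates and the sample value are constructed.

```python
"""Autoescaping versus attribute context.  The escaper does its job in both
renders; only the template with quotes keeps the value inside one attribute."""
import html
from html.parser import HTMLParser


def autoescape(value: str) -> str:
    """Stand-in for Django's {{ value }} with autoescaping on (escapes < > & " ')."""
    return html.escape(value, quote=True)


def render_unquoted(user_value: str) -> str:
    """Template <a href={{ value }}>: escaped, but nothing bounds the attribute."""
    return "<a href=" + autoescape(user_value) + ">profile</a>"


def render_quoted(user_value: str) -> str:
    """Template <a href="{{ value }}">: the quotes bound the attribute value."""
    return '<a href="' + autoescape(user_value) + '">profile</a>'


class _AttrCollector(HTMLParser):
    """Record the attribute names a browser-side parser sees for each tag."""

    def __init__(self):
        super().__init__()
        self.by_tag = {}

    def handle_starttag(self, tag, attrs):
        self.by_tag.setdefault(tag, []).extend(name for name, _ in attrs)


def attribute_names(markup: str, tag: str = "a") -> list:
    """Return the attribute names parsed for `tag`, in document order."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.by_tag.get(tag, [])


def has_unexpected_attributes(markup: str, expected: set, tag: str = "a") -> bool:
    """Template check: does the rendered tag carry attributes the template never declared?"""
    return bool(set(attribute_names(markup, tag)) - expected)


# Constructed user input: contains none of < > & " ' so escaping leaves it untouched.
SAMPLE_VALUE = "/u/alice data-injected=1"

if __name__ == "__main__":
    for render in (render_unquoted, render_quoted):
        out = render(SAMPLE_VALUE)
        print(out, "->", attribute_names(out))
```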
30. Clickjacking
   - Overlaying the current website with an IFRAME
   - Tricking the user into clicking on certain elements
   - The user unknowingly performs an action on the website he is logged into

31. Attack Scenario
   - Lure the user to your site
   - Add yourself as an admin user
   - The sky's the limit

32. Frame busting
   - X-Frame-Options: DENY
   - Disable IFRAME JavaScript
     - Restricted => IE
     - Sandbox => Chrome
     - designMode in Firefox and Safari
   - Use JavaScript to navigate back to prevent IFRAMEs from opening your site
   - This is always being exploited so keep up with the latest exploits
   - Read more: https://www.owasp.org/index.php/Clickjacking

33. CSRF
   - Cross site request forgery

34. CSRF in Django
   - Built in CSRF protection
     - Keep up to date
     - In the form and the HTTP headers/cookie
   - Attacks
     - It's annoying so people turn it off
     - Only recently do they check AJAX requests
     - Use subdomains

35. CSRF in Rails
   - Like Django, recently changed
   - REST makes things harder…
   - Stored in the cookie
   - Attacks
     - An XSS exploit renders this protection useless
     - Subdomains

36. Attack Scenario
   - Attacker uses XSS to inject code within the admin site to exploit an internal site CSRF issue
   - <img src=<evil IP>> gives me your NTLM

37. Cookie Poisoning
   - Cookies are encoded
     - Base64
   - People never see them….
     - Let's store important information
   - Attacker can
     - Submit a malformed cookie
     - Steal another user's cookie

38. Cookie Poisoning in Django
   - Django defaults to its session backend, which doesn't do this
   - Attack
     - People will still use request.COOKIES
     - Issues with the session backend

39. Cookie Poisoning in Rails
   - Rails allows you to shoot yourself in the foot
   - Attack
     - Storing info in cookies
     - Not signing cookies
     - Using cookies to manipulate view logic

40. Attack Scenario
   - Pass a malformed cookie back to the server
     - DDoS
     - Remote code execution
     - Impersonation

41. Counter Measures
   - Use sticky sessions
   - Django
     - Use the session app
     - Use a consistent session backend
     - Escape and validate data
   - Rails
     - Sign your cookies
     - Only use hashes
     - Never trust the user
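The cookie poisoning slides in code, as an added example that is not from the talk: an unsigned base64 cookie is editable by whoever holds it, while an HMAC-signed cookie in the payload--signature layout Rails uses (SHA-256 here rather than Rails' digest) rejects any edit. The secret, the session dict and the cookie layout are constructed for the example.

```python
"""Unsigned versus signed cookies.  'Base64 is not a method of encryption':
the client can decode, edit and re-encode the payload; only the signature
check on the server side tells an edited cookie from a genuine one."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-signing-secret-not-for-real-use"   # server-side only


def encode_unsigned(data: dict) -> str:
    """Cookie value as plain base64 JSON: readable and editable by anyone."""
    return base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_unsigned(cookie: str) -> dict:
    return json.loads(base64.b64decode(cookie.encode(), validate=True))


def sign_cookie(data: dict, key: bytes = SECRET) -> str:
    payload = encode_unsigned(data)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Standard base64 never contains '-', so the '--' separator is unambiguous.
    return payload + "--" + mac


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the session dict only if the signature is valid, else None."""
    payload, sep, mac = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    try:
        return decode_unsigned(payload)
    except (ValueError, UnicodeDecodeError):
        return None


def edit_cookie_payload(cookie: str, **changes) -> str:
    """What the client can do to its own cookie: decode, change a field, re-encode.

    Any signature suffix is carried over untouched, which is exactly why the
    edited cookie then fails verification.
    """
    payload, sep, mac = cookie.rpartition("--")
    if not sep:
        payload, mac = cookie, ""
    data = decode_unsigned(payload)
    data.update(changes)
    return encode_unsigned(data) + sep + mac


SESSION = {"user": "alice", "admin": False}   # constructed session data

if __name__ == "__main__":
    plain = encode_unsigned(SESSION)
    print("unsigned, edited:", decode_unsigned(edit_cookie_payload(plain, admin=True)))
    signed = sign_cookie(SESSION)
    print("signed, intact:  ", verify_cookie(signed))
    print("signed, edited:  ", verify_cookie(edit_cookie_payload(signed, admin=True)))
```

Signing stops edits but not disclosure or replay: the payload is still readable, and a stolen cookie still verifies, which is why the slide says to keep only a hash in the cookie and the data in the database.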
42. HTTP Parameter Poisoning
   - Injecting invalid values into HTTP params
   - Directory traversal
     - http://someserver/somepage/?val=g&file=../../../../../../etc/passwd
   - HTTP response splitting
     - Injecting \r\n into fields, splitting the response headers
   - Remote file inclusion
     - /myview?someparam=C:ftpuploadexploit
   - Invalid method
     - Using a POST in place of a GET and vice versa
   - Referrer poisoning
     - http://someserver/somepage/?val=g&referrer=<myurl>

43. HTTP Parameter Poisoning in Django
   - Django is immune to
     - Directory traversal
     - HTTP response splitting
     - Remote file inclusion
   - Forms' cleaned_data allows for value escaping
   - Attacks
     - Switching GET and POST is not enforced
     - Not all HTTP params are autoescaped by default
     - Cache and sessions use pickle

44. HTTP Parameter Poisoning in Rails
   - Blind use of HTTP parameters
     - Invalid file name checking
       - Arbitrary file upload and execution
     - XSS
       - Remember: use AJAX
     - Privilege escalation
     - SQL injection

45. Attack Scenarios
   - Remote code execution via the cache/session layer
   - Authentication bypass by GET/POST switch

46. Logic Flaws
   - Unauthenticated views
   - Information leaks
   - Weak or invalid permissions
   - eval
   - Passing unsanitized input around

47. Exploiting Logic Flaws in Django & Rails
   - Django
     - @login_required
     - Permissions are global
     - Objects are serialized
       - Arbitrary input may have some exciting outcomes
     - Logic manipulation
     - debug=True
     - Remember in Python nothing is sacred
   - Rails
     - Explicit authentication
     - Explicit permission checking
     - Ruby syntax is extendable

48. SQL Injection
   - Cookies
   - HTTP parameters
   - Logic flaws
   - XSS

49. SQL Injection in Django
   - Parameterized queries
   - LIKE queries are escaped
   - Attacks
     - WHERE is still injectable
     - People use cursor.raw() all the time
     - Character escaping is always being broken
     - More Python unicode fun….

50. SQL Injection in Rails
   - Uses regular expressions to "escape" values
     - Even with parameterized queries
     - *.connection.quote
   - Very easy to execute raw SQL
     - where
     - order

51. Attack Scenarios
   - Information theft
   - Hosting malware or exploits
   - Full site exploitation

52. Counter Measures
   - Only use the permissions that you need
   - Validate and sanitize all input (twice cannot hurt)
   - Encrypt sensitive data

53. Passwords in Django
   - Brute force friendly
   - Salted hashes
     - Good but not perfect
   - Timing attacks
     - Mitigation added in 1.3 but flawed due to Python's string interning
   - Compatible with older insecure hashes
   - The Achilles heel of any system

54. Passwords in Rails
   - No authentication
   - Very popular
     - REST Authentication
       - Blind use of params[:]
       - Clear text passwords in the logs
   - Brute force friendly
   - Salted hashes
     - Good but not perfect
   - Timing attacks

55. What are timing attacks
   - Side channel attacks
   - Linear operations
   - The dangerous binary comparison..

56. Countermeasures
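An added illustration (not from the talk) of the "dangerous binary comparison" on the timing-attack slide, measured as work done rather than wall-clock time: an early-exit compare examines one more character for every leading character a guess gets right, while the constant-time version does the same work for every same-length input. The token and the guesses are constructed.

```python
"""Early-exit versus constant-time comparison of a secret (a password hash,
a session id, a CSRF token).  `work_profile` shows the side channel as a
list of characters examined per guess; a profile that grows with the
correct prefix is what a remote timing measurement would pick up."""
import hmac


def early_exit_compare(secret: str, guess: str):
    """Return (equal, chars_examined).  Stops at the first mismatch, like `==`."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for x, y in zip(secret, guess):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(secret: str, guess: str):
    """Return (equal, chars_examined).  Work depends only on the length."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for x, y in zip(secret, guess):
        diff |= ord(x) ^ ord(y)   # accumulate differences, never branch on one
    return diff == 0, len(secret)


def work_profile(secret: str, compare) -> list:
    """Chars examined for guesses sharing 0, 1, ... len-1 correct leading chars."""
    filler = "!" if "!" not in secret else "?"   # a character guaranteed wrong
    profile = []
    for k in range(len(secret)):
        guess = secret[:k] + filler * (len(secret) - k)
        _, examined = compare(secret, guess)
        profile.append(examined)
    return profile


def leaks_prefix(secret: str, compare) -> bool:
    """True if the comparison's work varies with how much of the prefix is right."""
    return len(set(work_profile(secret, compare))) > 1


TOKEN = "9f3a1c7e"   # constructed 8-character token

if __name__ == "__main__":
    print("early exit   :", work_profile(TOKEN, early_exit_compare))
    print("constant time:", work_profile(TOKEN, constant_time_compare))
    # In production use the standard library's implementation rather than your own.
    print("hmac.compare_digest:", hmac.compare_digest(TOKEN, TOKEN))
```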
57. Authentication
   - OAuth
     - Everyone forgets to use SSL
     - Even if you do, you're still opening yourself up to a man in the middle attack
   - Best
   - Worst

58. Attack Scenarios
   - Crack password
     - SQL injection
     - Brute force
     - Phishing
   - DDoS
   - No SSL on OAuth
     - Even with SSL still vulnerable to a man in the middle attack
   - Have fun

59. Countermeasures
   - Dual factor authentication
   - Rate limit authentication logic
   - Monitoring
   - Tough permission checks
   - Whitelists/blacklists
   - Certificate authentication to verify the provider

60. Denial of Service in Django & Rails
   - Remember the GIL
   - No rate limiting
   - Switching HTTP methods
   - Python
     - Virtual method calls
   - Ruby
     - Slow method dispatch

61. Great, another crazy guy screaming about the end of the world.
   - Never rely on one thing alone
   - Ask yourself at every point of your application: "If someone penetrated until here, what is stopping him?"
     - Onion?
   - Code defensively
     - Remember that unknown variables will enter the equation and you have to account for them
   - Monitor everything
   - Show you care
     - Create a security page
     - Make sure to include a PGP key
   - Create an incident response document
     - Give it a trial run
   - Remember a good programmer looks both ways before crossing a one way street.

62. Recommended Reading
   - General
     - https://www.owasp.org
     - https://www.owasp.org/index.php/Top_10_2010-Main
     - Writing Secure Code (Microsoft Press)
     - Hacking Exposed Web Applications
     - The Web Application Hacker's Handbook
     - http://www.reddit.com/r/netsec
   - Django
     - http://www.djangobook.com/en/2.0/chapter20/
   - Rails
     - http://www.rorsecurity.info/
     - http://groups.google.com/group/rubyonrails-security
   - Tools
     - http://www.metasploit.com/download/
     - http://w3af.sourceforge.net/

63. Questions
