4. WHY
▸There are too many versions of JavaScript:
http://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/
6. WHAT DOES IT REALLY MEAN?
▸Many JavaScript versions out there still work, so why update?
▸Because security
▸Is it really a problem if so many other people use the same thing?
▸Just ask WordPress administrators
▸Unrelated low-risk vulnerabilities can be exploited and chained to provide an easy way into your organization
▸http://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/
7. NO REST FOR THE APIS
▸REST APIs are becoming more available and more widely used
▸Companies are querying data from the APIs of various products to build their own aggregated view of the data
▸APIs also have a myriad of challenges and can be insecure
▸http://www.zdnet.com/article/apis-examined/
▸OWASP Top 10 for 2017 (RC1)
▸A10 - Underprotected APIs
8. TOOLS TO BREAK THINGS
▸Chrome and Firefox developer tools
▸Retire.js
▸Node Security Platform and Snyk
▸Postman
▸Burp Suite
9. CHROME AND FIREFOX DEV TOOLS
▸Both are free, powerful, and easy to use
▸Many free resources are available to help you use them
▸https://developers.google.com/web/tools/chrome-devtools/
▸http://discover-devtools.codeschool.com/
▸Why use them?
▸Easy to test for a variety of potential security issues
10. CHROME DEV TOOLS: SHOW ME YOUR SECRETS… OR SOURCE
▸URL/route to the administrative page (dirbuster works too)
▸Commented out link to the score-board
11. CHROME DEV TOOLS: ALWAYS PRETTY-PRINT LUKE, ALWAYS
▸Click the {} symbol
12. RETIRE.JS
▸Retire.js detects vulnerable JavaScript libraries and/or Node.js modules
▸Free
▸https://github.com/RetireJS/retire.js
▸Regularly updated as JavaScript and NPM packages age
▸Provides the exact vulnerability associated with a specific version and includes helpful URLs
13. RETIRE.JS
▸Retire.js can be used in a variety of situations:
▸Chrome extension
▸Firefox extension
▸Standalone to scan a website or file directory
▸Add-on for OWASP Zap (free)
▸Add-on for Burp Suite (requires Pro) in the BApp Store
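As an added illustration of what the standalone directory scan does (this is example code written for these notes, not Retire.js's own implementation), the snippet below pulls the version banner out of each bundled library file and looks it up in a vulnerability table. The table, the advisory ids, the URLs and the input files are all constructed sample data.

```javascript
// Added example, not Retire.js code: a toy version of the check Retire.js makes
// over JavaScript files. The vulnerability table and the input files are
// constructed sample data; advisory ids and URLs are placeholders.
const SAMPLE_REPO = {
  jquery:    [{ atOrAbove: "1.0.0", below: "1.9.0", id: "SAMPLE-JQ-1",
                info: "https://example.invalid/SAMPLE-JQ-1" }],
  angularjs: [{ atOrAbove: "1.0.0", below: "1.6.0", id: "SAMPLE-NG-1",
                info: "https://example.invalid/SAMPLE-NG-1" }],
};

// Version banners found in the header comment of bundled/minified libraries.
const BANNERS = [
  { lib: "jquery",    re: /jQuery(?: JavaScript Library)? v?(\d+\.\d+\.\d+)/ },
  { lib: "angularjs", re: /AngularJS v?(\d+\.\d+\.\d+)/ },
];

// Compare dotted versions numerically ("1.10.0" > "1.9.0"); returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Scan one file's text; report each library whose version is in a vulnerable range.
function scanSource(text, repo = SAMPLE_REPO) {
  const findings = [];
  for (const { lib, re } of BANNERS) {
    const m = re.exec(text);
    if (!m) continue;
    const version = m[1];
    for (const r of repo[lib] || []) {
      if (cmpVersion(version, r.atOrAbove) >= 0 && cmpVersion(version, r.below) < 0) {
        findings.push({ lib, version, id: r.id, info: r.info });
      }
    }
  }
  return findings;
}

// Scan a set of files given as { name: contents } (stands in for a directory walk).
function scanFiles(files, repo = SAMPLE_REPO) {
  const out = [];
  for (const [file, text] of Object.entries(files))
    for (const f of scanSource(text, repo)) out.push({ file, ...f });
  return out;
}

// Constructed sample inputs: one old jQuery build, one current AngularJS build.
const SAMPLE_FILES = {
  "js/jquery.min.js":  "/*! jQuery v1.8.3 jquery.com | jquery.org/license */",
  "js/angular.min.js": "/* AngularJS v1.7.9 (c) 2010-2020 Google LLC */",
};
```

Running `scanFiles(SAMPLE_FILES)` flags only the jQuery file, with the advisory id and URL from the table, which is the same shape of result the real tool reports from its curated repository.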
16. NODE SECURITY PLATFORM AND SNYK
▸Node Security Platform (project from ^Lift)
▸Free: https://github.com/nodesecurity/nsp
▸Scan a directory to identify issues with Node.js packages
▸Snyk
▸Free tier available: https://snyk.io/
▸Checks JavaScript, Ruby, and Java GitHub repositories and public NPM packages, and can scan directories as well
18. POSTMAN DEMO
▸Bypass those silly restrictions in the UI. This could have been done in ZAP, Burp, etc. as well.
19. BURP SUITE
▸A great tool to proxy network traffic, change it to an unexpected value, and assess platforms like web, mobile, etc.
▸https://portswigger.net/burp/
▸Does active and passive scanning and has great plugins
▸Specialized plugins require the paid version of Burp
▸$399, but worth it!
▸An excellent alternative is OWASP Zap
21. THING TO BREAK: OWASP JUICE SHOP
▸“OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.”
▸https://github.com/bkimminich/juice-shop
▸Has a CTF version based on CTFd!!!11!
▸https://github.com/bkimminich/juice-shop-ctf
▸Continually updated with new vulnerabilities, content, languages
▸Author recommends not cheating, but bad guys do!
22. OWASP JUICE SHOP: WHERE CAN IT RUN?
▸Heroku dyno (Run small web apps online for free)
▸Docker container
▸Someone else’s computer (Amazon Web Services)
▸Your VM or machine
▸Online right now!
▸https://juice-shop.herokuapp.com/
23. OWASP JUICE SHOP: DEMO MACHINE
▸1 VM running Ubuntu 16.04 LTS
▸Download the ISO, boot up, do all the regular updates
▸Install Docker with the quick and clear Ubuntu instructions:
▸https://docs.docker.com/engine/installation/linux/ubuntu/#install-using-the-repository
▸docker pull bkimminich/juice-shop
▸docker run -d -p 3000:3000 bkimminich/juice-shop
24. OWASP JUICE SHOP: VULNERABILITIES
▸Includes a book to introduce, tackle, and solve the challenges
▸https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details
▸Examples of vulnerabilities
▸“Log in with the administrator's user credentials without previously changing them or applying SQL Injection.”
▸“XSS Tier 3: Perform a persisted XSS attack with <script>alert("XSS3")</script> without using the frontend application at all.”
25. OWASP JUICE SHOP: DEMO
▸Walk through the application and see how it works
▸Vulnerabilities to tackle
▸Start with the score board
▸SQLi flaw in a JavaScript library
▸Insert an XSS payload via the API
▸Manipulate an order request
26. WHERE ELSE CAN YOU USE THESE SKILLS?
▸Automated tools won’t help you here:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/