The document discusses various cybersecurity testing techniques, focusing on dynamic and static analysis security testing tools like OWASP ZAP and Nodejsscan. It highlights the risks of common vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF), along with mitigation strategies. The author emphasizes the importance of input sanitization and the need to integrate security testing into continuous integration processes.

1. Hacking Like a FED
Omer Levi Hevroni
@omerlh
@SolutoEng

2. Every line of code can introduce a new security issue
@omerlh

3. @omerlh

4. I’m a Developer
@omerlh

5. AppSec @
@omerlh

6. https://www.solutotlv.com/ @omerlh

7. @omerlh

8. @omerlh
FED’s Hacking Tool

9. @omerlhhttps://github.com/omerlh/juice-shop/pull/6

10. @omerlh

11. @omerlh
Dynamic Analysis Security Testing
https://www.zaproxy.org/

12. @omerlh
What Zap does?
• Inspecting request and response
• Run scan rules:
○ Cookies misconfiguration
○ Security HTTP Headers
○ Mixed Content
○ And many more

13. @omerlh
Leveraging End to End Tests

14. @omerlh
Example: Proxy Configuration

15. @omerlh
Running in the CI
• Run e2e tests
• Proxy through Zap
• Fail the build

16. @omerlh
And the result…

17. @omerlh

18. @omerlh

19. @omerlh
Cross Site Request Forgery (CSRF)

21. @omerlh

22. @omerlh
Mitigating CSRF
• Using SameSite attribute
• Adding Anti-CSRF token
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-
Site_Request_Forgery_Prevention_Cheat_Sheet.md

23. @omerlh
Static Analysis Security Testing
https://github.com/ajinabraham/NodeJsScan

24. @omerlh
Running it in the CI
Target Folder Repot file

25. @omerlh

26. @omerlh
Failing the build
Glue file Repot file

27. @omerlh
And the results…

28. @omerlh
trackorder.js

29. @omerlh
Normal Input

30. @omerlh
Malicious Input

31. @omerlh
Exploit time!

32. @omerlh
Viola!

33. @omerlh
Mitigating NoSQLi
• Never trust user input
• Input Sanitization

34. @omerlh
Packages Scanning
https://snyk.io/

35. @omerlh

36. @omerlh
What if one of this packages is vulnerable?

37. @omerlh
Running in the CI
https://snyk.io/docs/github/

38. @omerlh
And the results…

39. @omerlh
Let’s zoom in

40. @omerlh
Cross Site Scripting
• Code injection
• Usually, very high risk

41. @omerlh
Let’s zoom in

42. @omerlh
We can see the original GitHub issue!

43. @omerlh
Let’s exploit it!

44. @omerlh
Viola!

45. @omerlh
Fixing Vulnerable Packages

46. @omerlh
Mitigating XSS
• Never trust user input
• Input sanitization
• Security headers
• React is not immune to XSS!
https://github.com/OWASP/CheatSheetSeries/blob/master/che
atsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

47. @omerlh
Wrapping Up

48. @omerlhhttps://github.com/omerlh/juice-shop/pull/6

49. @omerlh
Tool Type Tool Name Ease of Use
Packages Scanning Snyk Easy
Static Analysis NodeJSScan Medium
Dynamic Analysis OWASP Zap Hard
https://wp.me/pakmvi-3g
Tools Summary

50. @omerlh
Feedback is much appreciated!

51. @omerlh

52. @omerlh
https://wp.me/pakmvi-3g

53. Thank You
Omer Levi Hevroni
April 2019
@omerlh
http://jobs.soluto.com/