KharkivJS 2018 Information Security Practice

•

0 likes•311 views

Real examples of hacking. Set of demos for JavaScript developers based on twitter like application written in ReactJs and NodeJs. We will run real code and real exploits during demo.

Viktor Turskyi
Information Security Practice
2018

Viktor Turskyi
● CEO at WebbyLab
● 15 years in software development

Why I talk about security?
1. I switched to software development from IT security
2. I work with software engineers for many years and this topic is highly
undercovered
3. I work with different businesses for many years and risks are highly
underestimated
4. Governmental regulations (GDPR, PCI DSS etc)
5. It makes you a better software engineer
6. It is FUN!!

What I will talk about?
1. Not about OWASP (Open Web Application Security Project) Top 10 report
2. Not about security tools (metasploit, sqlmap etc)
3. Not about content security policy.
4. Only practical cases that we’ve met in real life.
5. JavaScript based demos
6. Real cases simulated in environment
a. React frontend
b. NodeJs backend
c. Set of exploits

Case 1: Takeaways
Mongo ID predictable
UUID v1 predictable (unique, but not random)
UUID v4 predictable
Always think about predictability of URLs (keys, etc)

Case 2: Takeaways
Think about bruteforce
Reset actions:
SMS codes
CAPTCHA Codes

Use npm audit
JWT vulnerability example
Check your dependencies
Security is a question of trust
apt update
Case 3: Takeaways

Case 4: Takeaways
Thinks about edge cases
Just know how system works

Case 5: Takeaways
Do not use regex for extracting script tags
Use sanitizer with tags and attrs white-listing
CORS will allow you do cross domain request
XSS worms issues

Case 6: Takeaways
Know HTML page parsing
Think about data usage context

Case 7: Takeaways
Think about communication
Get the whole picture
Use HTTPS everywhere

Case 8..14:
Case 8: Clickjacking
Case 9: Tabnapping
Case 10: CSRF (cookie, basic auth)
Case 11: SQL Injection (pass through ORM)
Case 12: ORM Injection
Case 13: Unsafe HTTPS Redirect
Case 14: Target=_blank (without rel="noopener noreferrer")

What I like information security?
Information security is about understanding how things work
It makes you a better developer
You can create more complex projects
It is fun

Viktor Turskyi
viktor@webbylab.com
@koorchik @koorchik
https://webbylab.com

This document discusses secure ways to store user credentials and passwords. It introduces hashing and salting as techniques to securely store passwords. Hashing involves generating a unique string from a password, while salting adds a random string to the password before hashing. This prevents hashed passwords from being decrypted if the hash is obtained, and ensures even identical passwords have different hashes when salted differently. The document outlines how hashing and salting of passwords can be implemented when users register and login, providing a secure way to authenticate users without revealing their actual passwords.

6 ways to hack your JavaScript application by Viktor Turskyi

OdessaJS Conf

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

JSFestUA

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston

Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization. This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.

Formative Task 3: Social Engineering Attacks

DamaineFranklinMScBE

Describe briefly the OSI Reference model and its relevance to computer security. [4 Marks] • Ans 1: The Open System Interconnection Model (OSI) is a standardized framework for describing how computers communicate with each other over a network system. The OSI model also conceptualizes how data flows through a stack of seven layers, beginning with the physical layer and continuing through the datalink, network, transport, session, presentation, and finally the application layer (Simoneau, 2006)

THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...

IJCNCJournal

Although there have been many solutions applied, the safety challenges related to the password security mechanism are not reduced. The reason for this is that while the means and tools to support password attacks are becoming more and more abundant, the number of transaction systems through the Internet is increasing, and new services systems appear. For example, IoT also uses password-based authentication. In this context, consolidating password-based authentication mechanisms is critical, but monitoring measures for timely detection of attacks also play an important role in this battle. The password attack detection solutions being used need to be supplemented and improved to meet the new situation. In this paper we propose a solution that automatically detects online password attacks in a way that is based solely on the network, using unsupervised learning techniques and protected application orientation. Our solution therefore minimizes dependence on the factors encountered by host-based or supervised learning solutions. The certainty of the solution comes from using the results of in-depth analysis of attack characteristics to build the detection capacity of the mechanism. The solution was implemented experimentally on the real system and gave positive results.

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5

sixdub

This document discusses how threat actors can abuse third-party services like social media, cloud storage, and communication platforms to establish command and control (C2) infrastructure and exfiltrate data. It provides examples of real-world adversary campaigns that have leveraged services like Twitter, GitHub, Yahoo Mail, Dropbox, Google Forms, and others. The document argues that detecting such abuse is challenging as it can mimic normal user behavior, but outlines approaches like analyzing network flows, process correlations, and anomalies to help identify compromised systems communicating with third parties for malicious purposes. Detecting these threats requires collecting and correlating diverse endpoint and network data sources.

Defense in Depth: Lessons Learned Securing 200,000 Sites

Pantheon

Have you ever heard: "HTTPS will slow down your site"? How about: "I'm too small of a website, no one will want to hack me."? All too often security misconceptions lead to security apathy. Join us as we debunk these security myths and more! We’ll start at the 10,000-foot level, reviewing common myths about secure development, then zoom in closer for a look at security best practices, concluding with a deep-dive into a few of the most effective attack mitigation strategies. With the battlescars to backup the information, our presenters will leave you with strategies to handle securing your project with confidence.

The document discusses five common information security mistakes organizations make: 1) over-relying on network defenses and not focusing enough on application security, 2) believing technology alone will solve security issues without proper training and processes, 3) making assumptions about people's abilities and behaviors, 4) thinking secure software is too costly, and 5) focusing only on recent threats instead of long-term strategies. It provides examples to illustrate these mistakes and recommends organizations do a self-assessment, create an internal security team, ask tough questions, and educate employees to avoid these issues.

BsidesMCR_2016-what-can-infosec-learn-from-devops

James '-- Mckinlay

The document discusses the history and evolution of DevOps practices over time, from concepts like daily builds in the 1990s to more recent approaches like infrastructure as code and serverless architectures. It provides an overview of key figures and texts that helped establish ideas like continuous integration, continuous delivery, and site reliability engineering. The document also shares the author's perspective on what commercial security tools have been developed for DevOps workflows and mentions some open source collaboration and automation tools.

Hacking - CEH Cheat Sheet Exercises.pdf

john485745

The document provides guidance on using cheat sheets to study for the EC-Council Certified Ethical Hacker exam. It recommends printing out the cheat sheets, copying them by hand multiple times, and adding notes to help master the concepts and recall important information during the exam without needing the original sheets. A chapter map outlines the topics covered in the various cheat sheets to aid preparation.

Security engineering 101 when good design & security work together

Wendy Knox Everette

Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go? Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why. She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies. Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.

Cross-Site Scripting (XSS)

Daniel Tumser

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.

Source Code Security the Symantec Way

Symantec

Web Security: What's wrong, and how the bad guys can break your website

Andrew Sorensen

1. The document summarizes a presentation on web security given to the Seattle PHP Users Group. It discusses common web vulnerabilities like SQL injection, cross-site scripting, and insecure direct object references. 2. It provides tips for protecting websites such as implementing a web application firewall, securing file permissions, and using HTML5 features like Content Security Policy headers. 3. The presentation emphasizes that security is an ongoing process of monitoring for updates, testing with hacking tools, and seeking outside reviews of a site's security.

PyConline AU 2021 - Things might go wrong in a data-intensive application

Hua Chu

Web Application Testing for Today’s Biggest and Emerging Threats

Alan Kan

The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.

Hacking CEH cheat sheet

International College of Security Studies

New text document

sleucwnq

The document provides a list of interview questions for information security positions. The questions cover a wide range of technical and theoretical topics, and are designed to assess candidates' knowledge as well as their ability to think through problems. The questions probe areas like security news sources, encryption vs compression, HTTP vs HTML, cross-site scripting, cryptography, networking, and organizational priorities. The goal is to evaluate candidates' familiarity with the field as well as their composure when facing unfamiliar questions.

New text document

sleucwnq

The document provides a list of interview questions for information security positions. The questions cover a range of technical and theoretical topics related to information security. They are designed to assess candidates' knowledge as well as their ability to think through problems and articulate their thought processes, even without preparation. The questions range from easy to difficult, and include some "trick" questions intended to expose technical weaknesses rather than test cunning.

Making application threat intelligence practical - DEM06 - AWS reInforce 2019

Amazon Web Services

The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls.

Java application security the hard way - a workshop for the serious developer

Steve Poole

Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here

Elementary-Information-Security-Practices

Octogence

This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.

Threat Hunting with Splunk

Splunk

Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.

Big Data Analytics to Enhance Security คุณอนพัทย์ พิพัฒน์กิติบดี Technical Ma...

BAINIDA

This document discusses using big data analytics to enhance security. It begins by defining big data analytics and describing security trends like the evolution from intrusion detection systems to security information and event management (SIEM) to next-generation SIEM using big data analytics. An example of an advanced persistent threat is provided. The document then discusses integrating security analytics with open source tools like SQRRL and Prelert. Finally, it covers how to apply these concepts by determining what security-related data can be collected and two options for implementing big data analytics in a security program.

Threat Hunting with Splunk

Splunk

Threat Hunting with Splunk

Splunk

Why security is the kidney not the tail of the dog v3

Ernest Staats

How to create a high performance excel engine in java script

KharkivJS 2018 Information Security Practice

Recommended

Recommended

More Related Content

Similar to KharkivJS 2018 Information Security Practice

Similar to KharkivJS 2018 Information Security Practice (20)

More from Viktor Turskyi

More from Viktor Turskyi (19)

Recently uploaded

Recently uploaded (20)

KharkivJS 2018 Information Security Practice