SlideShare a Scribd company logo

Unique way-to-hack-into-a-python-web-service

Download as PPTX, PDF
T
Tilak T

Some of the unique vulnerabilities in Python Rest Framework, and How to fix those vulnerabilities

Technology
1 of 38
Unique ways to Hack into a Python Web Service Copyright - we45, 2018
Copyright - we45, 2018 About ● Senior Solutions Engineer at we45 ● Developer of Open-Source Project called Orchestron, ThreatPlaybook ● Part of multiple CTF @ti1akt https://github.com/we45/orchestron-community https://github.com/we45/ThreatPlaybook
Agenda ● Intro to Web-Services ● Common Vulnerabilities ● Unique Vulnerabilities ● Some of Remediation Techniques ● Demo ! Copyright - we45, 2018
What is Web-Service? ● It designed to support interoperable machine to machine over the internet ● It is not tied to any one operating system or programming language Copyright - we45, 2018
Types of Web-Service? ● SOAP Web Services ● RESTful web services Copyright - we45, 2018
Python Rest Frameworks ● DjangoRestFramework ● Flask ● Falcon ● Pyramid ● CherryPy ● Bottle Copyright - we45, 2018
Common Security Threats ● SQL Injection ● Cross Site Scripting ● Broken Authentication ● Security Misconfiguration ● Cross-site Request Forgery ● Many More .. Copyright - we45, 2018
Copyright - we45, 2018 Django prevents some of these attacks ● SQL Injection ● Cross-Site Request Forgery ● Cross-Site Scripting ● Session Hijacking
What about these ● JWT Manipulation ● Xml External Entity ● InsecureDirectObjectReference ● Server-Side Template Injection ● Etc … Copyright - we45, 2018
JWT Manipulation OWASP-2017 A5 Broken Access Control Copyright - we45, 2018
Copyright - we45, 2018 Why JWT ● Stateless Application ● Authorization Mechanism ● Transfers information between server and client ● Scalable and decoupled
Copyright - we45, 2018 JSON Web Token(JWT) • The process is relatively simple (typically): • Once a user authenticates, the server generates some JSON payload (with some info) and signs the JSON payload with a key • This can be a HMAC Based Key (HS256) or a Asymmetric System (RS256) • The token is sent by the client (like a session cookie) • The server attempts to verify the token based on the signature and
Lots of ways to get JWT wrong • JWT allows for a “none” signature for a token • Algo Confusion Attacks: • CVE-2017-11424 • CVE-2015-9235 • JWT verification on non-unique private claims
Copyright - we45, 2018 Recent Attack source: https://thehackernews.com/2018/04/auth0-authentication-bypass.html
Copyright - we45, 2018
Mitigation ● Validate using Unique ID ● Ensure that JWT implementation doesn’t support ‘None’ signature ● JWT lifetime relatively short ● Check library flaw Copyright - we45, 2018
Insecure Deserialization OWASP-2017 A8 Insecure Deserialization Copyright - we45, 2018
Copyright - we45, 2018 What is Serialization ● Serialization means converting object into a binary stream.
Copyright - we45, 2018 What is Deserialization ● Deserialization means converting binary stream into an object.
Copyright - we45, 2018
Security Gotcha !!! ● Malformed data deserialisation ● Abusive of an application logic ● Denial-of-Service ● Remote code execution Copyright - we45, 2018
Copyright - we45, 2018 Recent Attack Source https://thehackernews.com/2018/08/php-deserialization-wordpress.html Sourcehttps://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/
Copyright - we45, 2018
Copyright - we45, 2018 Vulnerabilities Serialization formats Source https://thehackernews.com/2018/08/php-deserialization-wordpress.html
Copyright - we45, 2018
Copyright - we45, 2018
Copyright - we45, 2018
Mitigations ● Integrate integrity check such as digital signature ● Isolate then deserialise the data ● Monitor incoming and outgoing network connectivity ● Instead of ‘yaml.load’ use yaml.safe_load Copyright - we45, 2018
Insecure Direct Object Reference OWASP-2017 A8 Broken Access Control Copyright - we45, 2018
Insecure Direct Object reference ● “id”,”pid”,”uid” are often seen in HTTP parameter ● Accessing other user privilege ● Backend not properly validated users Copyright - we45, 2018
Copyright - we45, 2018 How it works
Copyright - we45, 2018 Yahoo Breach Source:https://thehackernews.com/2014/03/yahoo-vulnerability-allows-hacker-to_1.html
Copyright - we45, 2018
Mitigation ● Validate user using requested query ● Check database is that user is genuine or not ● Custom validation in server side as well as client side ● JWT should be invalidated once the user is logout Copyright - we45, 2018
Some Tips Copyright - we45, 2018
Copyright - we45, 2018 To Prevent some of threats ● Run SCA, ● https://github.com/pyupio/safet y ● Run SAST ● https://github.com/PyCQA/ban dit ● Run DAST ● https://www.owasp.org/index.p hp/OWASP_Zed_Attack_Prox y_Project ● Include security testing in DevOps pipeline
Copyright - we45, 2018 Basic Pipeline Demo
Copyright - we45, 2018 Download Examples and Slides ● You can download it from ○ http://github.com/we45/djang ocon-2018 @ti1akt Thank you https://github.com/we45/orchestron-community https://github.com/we45/ThreatPlaybook

Recommended

stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...NETWAYS
 
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...CodeFest
 
MRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationMRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationNGINX, Inc.
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookAarno Aukia
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopVelocidex Enterprises
 
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...Alessandra Bagnato
 
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes DownDebugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes DownAspen Mesh
 

Recommended

stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...
stackconf 2021 | First hand experience: How Nextcloud stayed productive durin...NETWAYS
 
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...CodeFest
 
MRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationMRA AMA Part 8: Secure Inter-Service Communication
MRA AMA Part 8: Secure Inter-Service CommunicationNGINX, Inc.
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookThe printing press of 2021 - using GitLab to publish the VSHN Handbook
The printing press of 2021 - using GitLab to publish the VSHN HandbookAarno Aukia
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopVelocidex Enterprises
 
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...
Paris Open Source Summit, Floss - Innovation collaborative 2017 Alessandra Ba...Alessandra Bagnato
 
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes DownDebugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes DownAspen Mesh
 
Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX, Inc.
 
Using PHP with IBM Bluemix
Using PHP with IBM BluemixUsing PHP with IBM Bluemix
Using PHP with IBM Bluemixvvaswani
 
Contributing to Open Source
Contributing to Open SourceContributing to Open Source
Contributing to Open SourceAll Things Open
 
Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)vvaswani
 
Production-ready progressive web apps
Production-ready progressive web appsProduction-ready progressive web apps
Production-ready progressive web appsYing-Hsiang Liao
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays
 
SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014securifylabs
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2
 
Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015Alvaro Sanchez-Mariscal
 
NGINX Plus R19 : EMEA
NGINX Plus R19 : EMEANGINX Plus R19 : EMEA
NGINX Plus R19 : EMEANGINX, Inc.
 
Unique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-serviceUnique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-serviceTilak T
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Do It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web ApiDo It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web ApiHarish Kannarao
 
VN Tech Seminor Vol.1
VN Tech Seminor Vol.1VN Tech Seminor Vol.1
VN Tech Seminor Vol.1Shuhei Yamashita
 
Swagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor TrakhtenbergSwagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor TrakhtenbergCodemotion Tel Aviv
 
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesBodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesMeet Magento Italy
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Nginx, PHP and Node.js
Nginx, PHP and Node.jsNginx, PHP and Node.js
Nginx, PHP and Node.jsHarald Zeitlhofer
 
Swagger code motion talk
Swagger code motion talkSwagger code motion talk
Swagger code motion talkVictor Trakhtenberg
 

More Related Content

What's hot

Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in PipelinesThoughtworks
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX, Inc.
 
Using PHP with IBM Bluemix
Using PHP with IBM BluemixUsing PHP with IBM Bluemix
Using PHP with IBM Bluemixvvaswani
 
Contributing to Open Source
Contributing to Open SourceContributing to Open Source
Contributing to Open SourceAll Things Open
 
Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)vvaswani
 
Production-ready progressive web apps
Production-ready progressive web appsProduction-ready progressive web apps
Production-ready progressive web appsYing-Hsiang Liao
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays
 
SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014securifylabs
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesinaz2
 
WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2
 
NGINX Plus R19 : EMEA
NGINX Plus R19 : EMEANGINX Plus R19 : EMEA
NGINX Plus R19 : EMEANGINX, Inc.
 

What's hot (12)

Continuous Security in Pipelines
Continuous Security in PipelinesContinuous Security in Pipelines
Continuous Security in Pipelines
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEA
 
Using PHP with IBM Bluemix
Using PHP with IBM BluemixUsing PHP with IBM Bluemix
Using PHP with IBM Bluemix
 
Contributing to Open Source
Contributing to Open SourceContributing to Open Source
Contributing to Open Source
 
Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)Jade: Open Source Case Management for SME Law Firms (Oct 2017)
Jade: Open Source Case Management for SME Law Firms (Oct 2017)
 
Production-ready progressive web apps
Production-ready progressive web appsProduction-ready progressive web apps
Production-ready progressive web apps
 
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannotapidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
apidays LIVE Paris - Multicluster Service Mesh in Action by Denis Jannot
 
SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014SecurifyLabs & Tiki @ Countermeasure 2014
SecurifyLabs & Tiki @ Countermeasure 2014
 
proxy2: HTTPS pins and needles
proxy2: HTTPS pins and needlesproxy2: HTTPS pins and needles
proxy2: HTTPS pins and needles
 
WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5WSO2 Product Release webinar - WSO2 BAM 2.5
WSO2 Product Release webinar - WSO2 BAM 2.5
 
Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015Ratpack 101 - GR8Conf 2015
Ratpack 101 - GR8Conf 2015
 
NGINX Plus R19 : EMEA
NGINX Plus R19 : EMEANGINX Plus R19 : EMEA
NGINX Plus R19 : EMEA
 

Similar to Unique way-to-hack-into-a-python-web-service

Unique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-serviceUnique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-serviceTilak T
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Do It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web ApiDo It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web ApiHarish Kannarao
 
Swagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor TrakhtenbergSwagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor TrakhtenbergCodemotion Tel Aviv
 
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesBodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesMeet Magento Italy
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Magento 2 performance profiling and best practices
Magento 2 performance profiling and best practicesMagento 2 performance profiling and best practices
Magento 2 performance profiling and best practicesJacques Bodin-Hullin
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
Web api security
Web api securityWeb api security
Web api security9xdot
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...apidays
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and ReactorModern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactoracogoluegnes
 
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...Datacratic
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 

Similar to Unique way-to-hack-into-a-python-web-service (20)

Unique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-serviceUnique way-to-hack-into-a-python-web-service
Unique way-to-hack-into-a-python-web-service
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Do It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web ApiDo It Yourself :: Web App - Web Api
Do It Yourself :: Web App - Web Api
 
VN Tech Seminor Vol.1
VN Tech Seminor Vol.1VN Tech Seminor Vol.1
VN Tech Seminor Vol.1
 
Swagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor TrakhtenbergSwagger - Make your REST APIs accessible - Victor Trakhtenberg
Swagger - Make your REST APIs accessible - Victor Trakhtenberg
 
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesBodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Nginx, PHP and Node.js
Nginx, PHP and Node.jsNginx, PHP and Node.js
Nginx, PHP and Node.js
 
Swagger code motion talk
Swagger code motion talkSwagger code motion talk
Swagger code motion talk
 
Magento 2 performance profiling and best practices
Magento 2 performance profiling and best practicesMagento 2 performance profiling and best practices
Magento 2 performance profiling and best practices
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
Web api security
Web api securityWeb api security
Web api security
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web Cryptography
 
Modern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and ReactorModern messaging with RabbitMQ, Spring Cloud and Reactor
Modern messaging with RabbitMQ, Spring Cloud and Reactor
 
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...
RTBkit Meetup - Developer Spotlight, Behind the Scenes of RTBkit and Intro to...
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

Unique way-to-hack-into-a-python-web-service

  • 1. Unique ways to Hack into a Python Web Service Copyright - we45, 2018
  • 2. Copyright - we45, 2018 About ● Senior Solutions Engineer at we45 ● Developer of Open-Source Project called Orchestron, ThreatPlaybook ● Part of multiple CTF @ti1akt https://github.com/we45/orchestron-community https://github.com/we45/ThreatPlaybook
  • 3. Agenda ● Intro to Web-Services ● Common Vulnerabilities ● Unique Vulnerabilities ● Some of Remediation Techniques ● Demo ! Copyright - we45, 2018
  • 4. What is Web-Service? ● It designed to support interoperable machine to machine over the internet ● It is not tied to any one operating system or programming language Copyright - we45, 2018
  • 5. Types of Web-Service? ● SOAP Web Services ● RESTful web services Copyright - we45, 2018
  • 6. Python Rest Frameworks ● DjangoRestFramework ● Flask ● Falcon ● Pyramid ● CherryPy ● Bottle Copyright - we45, 2018
  • 7. Common Security Threats ● SQL Injection ● Cross Site Scripting ● Broken Authentication ● Security Misconfiguration ● Cross-site Request Forgery ● Many More .. Copyright - we45, 2018
  • 8. Copyright - we45, 2018 Django prevents some of these attacks ● SQL Injection ● Cross-Site Request Forgery ● Cross-Site Scripting ● Session Hijacking
  • 9. What about these ● JWT Manipulation ● Xml External Entity ● InsecureDirectObjectReference ● Server-Side Template Injection ● Etc … Copyright - we45, 2018
  • 10. JWT Manipulation OWASP-2017 A5 Broken Access Control Copyright - we45, 2018
  • 11. Copyright - we45, 2018 Why JWT ● Stateless Application ● Authorization Mechanism ● Transfers information between server and client ● Scalable and decoupled
  • 12. Copyright - we45, 2018 JSON Web Token(JWT) • The process is relatively simple (typically): • Once a user authenticates, the server generates some JSON payload (with some info) and signs the JSON payload with a key • This can be a HMAC Based Key (HS256) or a Asymmetric System (RS256) • The token is sent by the client (like a session cookie) • The server attempts to verify the token based on the signature and
  • 13. Lots of ways to get JWT wrong • JWT allows for a “none” signature for a token • Algo Confusion Attacks: • CVE-2017-11424 • CVE-2015-9235 • JWT verification on non-unique private claims
  • 14. Copyright - we45, 2018 Recent Attack source: https://thehackernews.com/2018/04/auth0-authentication-bypass.html
  • 16. Mitigation ● Validate using Unique ID ● Ensure that JWT implementation doesn’t support ‘None’ signature ● JWT lifetime relatively short ● Check library flaw Copyright - we45, 2018
  • 17. Insecure Deserialization OWASP-2017 A8 Insecure Deserialization Copyright - we45, 2018
  • 18. Copyright - we45, 2018 What is Serialization ● Serialization means converting object into a binary stream.
  • 19. Copyright - we45, 2018 What is Deserialization ● Deserialization means converting binary stream into an object.
  • 21. Security Gotcha !!! ● Malformed data deserialisation ● Abusive of an application logic ● Denial-of-Service ● Remote code execution Copyright - we45, 2018
  • 22. Copyright - we45, 2018 Recent Attack Source https://thehackernews.com/2018/08/php-deserialization-wordpress.html Sourcehttps://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/
  • 24. Copyright - we45, 2018 Vulnerabilities Serialization formats Source https://thehackernews.com/2018/08/php-deserialization-wordpress.html
  • 28. Mitigations ● Integrate integrity check such as digital signature ● Isolate then deserialise the data ● Monitor incoming and outgoing network connectivity ● Instead of ‘yaml.load’ use yaml.safe_load Copyright - we45, 2018
  • 29. Insecure Direct Object Reference OWASP-2017 A8 Broken Access Control Copyright - we45, 2018
  • 30. Insecure Direct Object reference ● “id”,”pid”,”uid” are often seen in HTTP parameter ● Accessing other user privilege ● Backend not properly validated users Copyright - we45, 2018
  • 31. Copyright - we45, 2018 How it works
  • 32. Copyright - we45, 2018 Yahoo Breach Source:https://thehackernews.com/2014/03/yahoo-vulnerability-allows-hacker-to_1.html
  • 34. Mitigation ● Validate user using requested query ● Check database is that user is genuine or not ● Custom validation in server side as well as client side ● JWT should be invalidated once the user is logout Copyright - we45, 2018
  • 35. Some Tips Copyright - we45, 2018
  • 36. Copyright - we45, 2018 To Prevent some of threats ● Run SCA, ● https://github.com/pyupio/safet y ● Run SAST ● https://github.com/PyCQA/ban dit ● Run DAST ● https://www.owasp.org/index.p hp/OWASP_Zed_Attack_Prox y_Project ● Include security testing in DevOps pipeline
  • 37. Copyright - we45, 2018 Basic Pipeline Demo
  • 38. Copyright - we45, 2018 Download Examples and Slides ● You can download it from ○ http://github.com/we45/djang ocon-2018 @ti1akt Thank you https://github.com/we45/orchestron-community https://github.com/we45/ThreatPlaybook