The document discusses web security fundamentals, emphasizing the importance of integrating security throughout the Software Development Life Cycle (SDLC). It categorizes vulnerabilities into technical, logical, and configuration issues while detailing specific examples and recommended fixes for each type of vulnerability, such as SQL injections and insecure deserialization. The importance of threat modeling and monitoring is also highlighted to prevent breaches and ensure application security.
OWASP Top 10
• Open Web Application Security Project
• List of current threats
• Sorted by likelihood + impact
• Updated every few years
• Translated to several languages
Security Can Be Split Into 3 Classes
Technical: A1 Injection, A4 XXE, A7 XSS, A8 Insecure Deserialization
Logical: A2 Broken Authentication, A5 Broken Access Control
Configuration Issues: A3 Sensitive Data Exposure, A6 Security Misconfiguration, A9 Known Vulns, A10 Insufficient Logging
Technical Vulnerabilities
• Usually easiest to spot
• Happens when data doesn’t get properly validated/escaped
• When software can’t distinguish between data and logic context
• Common examples are Injections, XXE, Buffer Overflows
• Fixes usually involve validation
A1 Injection
• Root Cause: When data input gets interpreted as code (sql, xml, ldap)
• Impact: Depends on sql server config (from CRUD operations to RCE)
• Fix: Prepared Statements, Stored Procedures, (Escaping)
• Can be «blind» = no feedback from application (can be leaked by factors like time, different behaviour)
1) ‘ characters from input field get interpreted as sql query code
2) Query evaluates statement to true and returns all entries
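The two-step slide above (a ' in the input field breaks out of the string literal, the query becomes true for every row) side by side with the prepared-statement fix, as an added example that is not from the slides; it uses Python's built-in sqlite3 and a constructed two-row users table:

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny users table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Data is pasted straight into the query text, so a ' in the input
    # ends the string literal and the rest is parsed as SQL logic.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the query text is fixed and the value is bound
    # separately, so the input can never change the statement structure.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"  # the ' from the slide's input field
    return {
        "vulnerable": lookup_vulnerable(conn, tautology),  # every row leaks
        "prepared": lookup_prepared(conn, tautology),      # no row matches
        "legit": lookup_prepared(conn, "alice"),           # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```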
A4 XXE
• Root Cause: Happens when external DTD’s/Stylesheets get resolved
• Impact: Read arbitrary files & «portscan» (RCE with libs like php expect)
• Fix: Disable DTD/external entity resolution in the parser
1) Read file and save as DTD
2) Print content of «DTD»
A7 XSS
• Root Cause: Browser interprets data as javascript code
• Impact: Leak (non http-only) cookies, redirections...
• Fix: Output escaping, CSP-Headers, NoScript
• Multiple types:
• 1: Reflected = Requires user interaction (eg. click on link)
• 2: Stored = Affects all users because stored on server
• 3: Dom-based = Never reaches server
1) User opens link, reflected js gets executed
2) User visits guestbook, stored js gets executed
3) User opens link, dom-based js gets executed
4) Because location.search gets text
5) And attr «rewrites» object
A8 Insecure Deserialization («Object Injection»)
• Root Cause: When serialized data (serialize, pickle, yaml) gets trusted/evaluated
• Impact: From privilege escalation to RCE
• Fix: Validation
1) Input gets trusted, user becomes admin through setting flag clientside
2) User sends serialized object
3) Server deserializes data
4) Object gets interpreted as «inject» variable
5) Variable gets evaluated leading to RCE
Logical Vulnerabilities
• Errors in application logic
• Harder to identify
• Examples are Access Control Issues, Race Conditions, Unexpected Behaviour
• Fixes can range from validation to redesign of application
A2 Broken Authentication
• Collection of issues connected to the authentication process
• Examples are user passwords not hashed, no session timeout, no rotating session id’s etc...
• Fix: Application redesign, implementing MFA
A5 Broken Access Control
• Collection of issues connected to authorisation
• Impact: Sensitive Data Exposure, Privilege Escalation
• Fix: ACLs and validation
1) Attacker could input arbitrary account name and view private information
Configuration Issues
• Often easy to find by scanners
• Can be caused when software is misconfigured
• Examples are Path Traversal, Using Vulnerable Libraries, Insufficient Logging, Open AWS S3 buckets etc...
• Usually patched by editing configuration files
A3 Sensitive Data Exposure
• Collection of issues regarding sensitive data
• Examples are plaintext protocols, default crypto keys, public S3 buckets
A6 Security Misconfiguration
• Collection of issues regarding various misconfigurations
• Examples are unnecessary open ports, path traversal, default passwords, public error logs
Admin:Admin
A9 Components with Known Vulnerabilities
• Using libraries that contain known vulnerable code
• Can be checked with: https://www.cvedetails.com/
• Case-Study: JS Event-Stream Library
A10 Insufficient Logging and Monitoring
• When security issues only get detected after a breach or can’t be reconstructed due to missing logs
• Logging/Monitoring has to be part of every step of the S-SDLC