
Application Security - APT 3090

A short, concise presentation on Web Application Security.

Lochemem Bruno Michael

November 20, 2017

Transcript

1. Simple test

   What does the code in the image evaluate to?

   A) Undefined
   B) Object {name: 'Michael', major: 'APT'}

   Why?

       const user = { name: 'Michael', major: 'APT' }

       function getUser() {
         return user;
       }
2. What is Application Security?

   Application security is the body of techniques used to prevent and fix security flaws in applications.
3. How it happens

   Untrusted data is sent to an interpreter as part of a command or query.

   A) SQL injection
   B) Request parameter injection

       // do not do this: the request value is interpolated into the SQL text
       function dbFn(\PDO $pdo, string $stdId) : IO
       {
           return IO::return($pdo)
               ->map(function ($pdo) use ($stdId) {
                   $stmt = $pdo->query("
                       SELECT student_name, student_id
                       FROM students
                       WHERE student_id = $stdId
                   ");
                   ...
               });
       }

       // do not do this either: raw request body, no validation or escaping
       function inputfn() : string
       {
           // state monad
           return State::of('php://input')
               ->flatMap('file_get_contents');
       }
4. How to guard against it

   A) Write prepared SQL statements
   B) Avoid ORMs which are not compatible with prepared statements
   C) Escape query and input parameters
   D) Use LIMIT in SQL queries to prevent mass data leakage

       function dbFn(\PDO $pdo, string $stdId) : IO
       {
           return IO::return($pdo)
               ->map(function ($pdo) use ($stdId) {
                   // prepare() keeps the SQL text fixed; the value is bound as data
                   $stmt = $pdo->prepare('
                       SELECT student_name, student_id
                       FROM students
                       WHERE student_id = :stdId
                   ');
                   $stmt->bindValue(':stdId', $stdId, \PDO::PARAM_STR);
                   ...
               });
       }

       function inputfn() : string
       {
           // state monad
           return State::of('php://input')
               ->map('file_get_contents')
               ->flatMap(function ($input) {
                   // encode quotes and angle brackets before the value reaches HTML
                   return htmlentities($input, ENT_QUOTES);
               });
       }
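The following is an added example, not code from the deck or its author's library: it runs the injection from slide 3 and the prepared-statement fix from slide 4 side by side against an in-memory SQLite database, using plain functions instead of the IO monad. It assumes the pdo_sqlite extension is installed; the table rows and the student ids are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example: string-built query vs. prepared statement on SQLite.
// Assumes the pdo_sqlite extension; rows below are constructed sample data.

function makeDb(): \PDO
{
    $pdo = new \PDO('sqlite::memory:');
    $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE students (student_id TEXT, student_name TEXT)');
    $pdo->exec("INSERT INTO students VALUES ('S001', 'Michael'), ('S002', 'Amina'), ('S003', 'Kwame')");
    return $pdo;
}

// Vulnerable: the request value becomes part of the SQL text, so quote
// characters in it change the structure of the WHERE clause.
function findStudentUnsafe(\PDO $pdo, string $stdId): array
{
    $sql = "SELECT student_name, student_id FROM students WHERE student_id = '$stdId'";
    return $pdo->query($sql)->fetchAll(\PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the value is bound as data
// and can only ever be compared, never parsed. LIMIT caps the result size.
function findStudentSafe(\PDO $pdo, string $stdId): array
{
    $stmt = $pdo->prepare(
        'SELECT student_name, student_id FROM students WHERE student_id = :stdId LIMIT 1'
    );
    $stmt->bindValue(':stdId', $stdId, \PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(\PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// Constructed input containing a quote: the unsafe query's WHERE clause
// collapses to an always-true condition, the safe query compares the whole
// string literally and finds nothing.
$hostileInput = "S001' OR '1'='1";

printf("unsafe, hostile input: %d row(s)\n", count(findStudentUnsafe($pdo, $hostileInput)));
printf("safe,   hostile input: %d row(s)\n", count(findStudentSafe($pdo, $hostileInput)));
printf("safe,   normal input:  %d row(s)\n", count(findStudentSafe($pdo, 'S001')));
```

Run it with `php injection_demo.php`: the unsafe query returns every student for the hostile input, the prepared query returns no rows for it and exactly one row for the genuine id. The point is that binding makes the distinction between code and data explicit at the database driver level, which escaping alone (point C on the slide) cannot guarantee for every SQL dialect.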
5. Potential weaknesses

   Broken authentication exists wherever attackers can use credential stuffing and password cracking techniques, for example when:

   A) Well-known passwords are accepted (admin, password, etc.)
   B) Passwords are weakly hashed or stored in plain text
   C) Knowledge-based answers are used for credential recovery
6. How to guard against it

   A) Use modern, secure hashing algorithms for passwords
   B) Implement weak password checks
   C) Consider using OAuth
   D) Log authentication errors

       function passwordHash(string $password) : string
       {
           return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
       }

       // password_verify() takes the plaintext first and the stored hash second
       function passwordVerify(string $hash, string $password) : bool
       {
           return password_verify($password, $hash);
       }

       function isPasswordLongEnough(string $password) : bool
       {
           return mb_strlen($password, 'utf-8') > 12;
       }

       // anchored and case-insensitive: the whole password must be letters and digits
       function passwordIsAlphanumeric(string $password) : bool
       {
           return preg_match('/^[0-9a-z]+$/i', $password) === 1;
       }
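As an added example (not the deck's code), here is how points A, B and D of slide 6 fit together in one authentication path: bcrypt hashing with cost 12, verification with the correct argument order, a rehash check for when the cost is raised later, a weak-password check against a deny list, and a log line on every failed attempt. It assumes PHP 8 with the mbstring extension; the user store and the deny list are constructed sample values.

```php
<?php
declare(strict_types=1);

// Added example: password storage, weak-password checks and failure logging.
// Assumes PHP 8 and mbstring. COMMON_PASSWORDS and $users are constructed samples.

const COMMON_PASSWORDS = ['password', 'admin', '123456', 'qwerty', 'letmein'];
const MIN_LENGTH = 12;
const BCRYPT_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Plaintext first, stored hash second.
function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// True when the stored hash was made with an older algorithm or lower cost,
// so it can be replaced the next time the user logs in successfully.
function needsRehash(string $hash): bool
{
    return password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Returns the reasons a candidate password is rejected; empty means acceptable.
function weakPasswordReasons(string $password): array
{
    $reasons = [];
    if (mb_strlen($password, 'UTF-8') < MIN_LENGTH) {
        $reasons[] = 'shorter than ' . MIN_LENGTH . ' characters';
    }
    if (in_array(mb_strtolower($password, 'UTF-8'), COMMON_PASSWORDS, true)) {
        $reasons[] = 'appears on the common-password list';
    }
    if (!preg_match('/[0-9]/', $password) || !preg_match('/[a-z]/i', $password)) {
        $reasons[] = 'must contain both letters and digits';
    }
    return $reasons;
}

// $users maps username => bcrypt hash. Failures are logged (slide 6, point D);
// the plaintext password is deliberately never written to the log.
function authenticate(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !verifyPassword($password, $hash)) {
        error_log(sprintf('auth failure user=%s at=%s', $username, gmdate('c')));
        return false;
    }
    if (needsRehash($hash)) {
        // In a real application, store hashPassword($password) for this user here.
        error_log(sprintf('auth ok user=%s (hash needs upgrade)', $username));
    }
    return true;
}

// Constructed user store.
$users = ['michael' => hashPassword('correct horse battery 42')];

var_dump(authenticate($users, 'michael', 'correct horse battery 42'));
var_dump(authenticate($users, 'michael', 'password'));
var_dump(authenticate($users, 'nobody', 'anything'));
print_r(weakPasswordReasons('password'));
print_r(weakPasswordReasons('correct horse battery 42'));
```

Two design points: the lookup and the verification share one failure branch and one log message, so a missing user and a wrong password are indistinguishable to the caller; and bcrypt only considers the first 72 bytes of the input, so a length check should be an upper bound as well if very long passphrases are allowed.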
7. What is sensitive data?

   Sensitive data is anything whose significance warrants concealment. Encipherment keys, passwords, and API keys are considered sensitive.
8. How to prevent this

   A) Use modern, secure cryptographic algorithms
   B) Classify data as either processed, transmitted or stored
   C) Hide sensitive data from viewers
   D) Use SSL/TLS

       // Keys.php
       class Keys
       {
           const APP_TOKEN = 'app token';
           const APP_SECRET = 'app secret';
       }

       // API request
       function search(API $service, string $param) : IO
       {
           return IO::return($param)
               ->map(function ($param) use ($service) {
                   return $service
                       ->searchFor($param)
                       ->keys(Keys::APP_TOKEN, Keys::APP_SECRET);
               })
               ...
       }
9. Manifestations

   A) Easily modifiable URLs, app state, and HTML
   B) Easy account privilege elevation
   C) CORS misconfiguration
   D) Easy access to privileged data pages
10. How to prevent this

   A) Deny access to private resources
   B) Disable web server directory listing
   C) Use rate-limiting APIs
   D) Never publicly cache data served from protected pages
   E) Domain access control

       // public APIs only
       header('Access-Control-Allow-Origin: *');

       // private APIs only
       header('Access-Control-Allow-Origin: https://your-site');

       // caching for private content
       header('Cache-Control: no-cache, must-revalidate');

       // .htaccess file
       Options -Indexes
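Added example (not the deck's code) covering points C, D and E of slide 10 in one place: CORS headers chosen from an allow-list rather than copied from the request, cache headers for private versus public content, and a minimal fixed-window rate limiter. It goes a little beyond the slide by adding `Vary: Origin` and `private` to the cache directive, so that a shared cache can neither store the protected response nor serve one origin's CORS answer to another. It assumes PHP 8; the origin list, the limits and the client id are constructed values.

```php
<?php
declare(strict_types=1);

// Added example: allow-listed CORS, private-content caching and rate limiting.
// Assumes PHP 8. ALLOWED_ORIGINS, the limits and the client id are constructed.

const ALLOWED_ORIGINS = ['https://your-site.example', 'https://admin.your-site.example'];

// $origin is the request's Origin header (null when absent). Unlisted origins
// get no CORS header at all, so the browser refuses the cross-site read; the
// header is never built by echoing the Origin value back unchecked.
function corsHeaders(?string $origin, bool $publicApi): array
{
    if ($publicApi) {
        return ['Access-Control-Allow-Origin' => '*'];
    }
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        return [
            'Access-Control-Allow-Origin' => $origin,
            'Vary' => 'Origin', // a cache must key the response on the origin
        ];
    }
    return [];
}

// Protected pages: browser may keep a copy but must revalidate; shared caches
// must not store it. Public pages: cacheable for five minutes.
function cacheHeaders(bool $privateContent): array
{
    return $privateContent
        ? ['Cache-Control' => 'private, no-cache, must-revalidate']
        : ['Cache-Control' => 'public, max-age=300'];
}

// Fixed-window limiter: at most $limit requests per client per window.
// Counters live in this object; a real deployment would keep them in a
// shared store such as Redis so every web worker sees the same counts.
final class RateLimiter
{
    /** @var array<string,int> */
    private array $counts = [];

    public function __construct(private int $limit, private int $windowSeconds)
    {
    }

    public function allow(string $clientId, int $now): bool
    {
        $key = $clientId . ':' . intdiv($now, $this->windowSeconds);
        $this->counts[$key] = ($this->counts[$key] ?? 0) + 1;
        return $this->counts[$key] <= $this->limit;
    }
}

function sendHeaders(array $headers): void
{
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Constructed requests: four calls from one client inside a single window.
$limiter = new RateLimiter(limit: 3, windowSeconds: 60);
foreach (range(1, 4) as $i) {
    $ok = $limiter->allow('203.0.113.7', 1000);
    printf("request %d: %s\n", $i, $ok ? 'allowed' : 'rate limited (HTTP 429)');
}

print_r(corsHeaders('https://unlisted.example', false));   // empty: no CORS grant
print_r(corsHeaders('https://your-site.example', false));  // allow-listed origin
print_r(cacheHeaders(true));

if (PHP_SAPI !== 'cli') {
    sendHeaders(corsHeaders($_SERVER['HTTP_ORIGIN'] ?? null, false) + cacheHeaders(true));
}
```

When run from the command line the header functions only return arrays, which keeps the policy decisions testable; the `sendHeaders` call at the end emits them only under a web SAPI, where `$_SERVER['HTTP_ORIGIN']` is populated by the server.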
11. Other Security Threats

   - Cross Site Scripting (XSS)
   - Using components with known vulnerabilities
   - Insufficient Logging and Monitoring

   Information obtained from OWASP