Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting for Developers

Chris Cornutt
February 07, 2019
Technology
0
95

Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
87
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
280
Securing Legacy Applications
ccornutt
0
290
Build Security In
ccornutt
0
150
Introduction to Slim 3
ccornutt
0
140
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
230
PHP Security Bootcamp
ccornutt
2
200

Other Decks in Technology

See All in Technology
Google Cloudで始めるLLM
john_smith
0
120
3 Flink Mistakes We Made So You Won’t Have To
rmetzger
0
110
スタートアップのためのアジャイルプラクティス -論文100本ノック- #xpjug / Agile Practice for Startup - Papers -
kyonmm
PRO
0
610
マルチプロダクト運用におけるSREのあり方/SRE NEXT 2023-link-and-motivation
lmi
0
240
Juliaってどんなことができるの? for JuliaTokai #16
antimon2
1
130
230930_XP祭り_ビジネスへの越境を考える /230930_XP_Fest_Across_Your_Border_to_Business
mkwrd
PRO
0
350
【IoT-Tech Meetup #5】IoTとは?WireGuard概要とIoTで通信を守る理由
soracom
PRO
0
220
Priorityを制するものはローディングを制す
edwardkenfox
4
330
監視とオブザーバビリティ 〜 悩む前に確認しておくべきこと / 20230926-ssmjp-monitoring-and-observability
opelab
9
1.4k
React Suspenseを使って遷移体験を向上させる
kobayang
3
900
stripeを組み合わせたサーバレスアーキテクチャとシードのスタートアップ ビジネスをグロースするためにやったこと
yoshiitaka
3
110
Deploy web frontend apps with AWS CDK
tmokmss
1
150

Featured

See All Featured
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
4 Signs Your Business is Dying
shpigford
172
21k
Building Effective Engineering Teams - LeadDev
addyosmani
21
970
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
670
Web development in the modern age
philhawksworth
200
9.8k
Agile that works and the tools we love
rasmusluckow
323
20k
Documentation Writing (for coders)
carmenintech
55
3.3k
How GitHub (no longer) Works
holman
300
140k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Code Reviewing Like a Champion
maltzj
510
38k
A better future with KSS
kneath
230
16k
Gamification - CAS2011
davidbonilla
75
4.3k

Transcript

  1. PENTESTING
    FOR DEVELOPERS
    Chris Cornutt - Sunshine PHP 2019
    for setup: http://signup.capturetf.com

    View Slide

  2. View Slide

  3. We’ll Cover…
    • The most common issues in web application security

    • The top vulnerability types

    • Tools and techniques
    …and then the really fun stuff

    View Slide

  4. What this is not
    • A step-by-step guide into fixing the issues we find

    • A comprehensive listing of everything to test

    • An assurance that your application is completely secure

    View Slide

  5. Setup Time
    Do you have
    your

    environment
    yet?
    http://signup.capturetf.com

    View Slide

  6. Cross-Site Scripting

    View Slide

  7. Cross-Site Scripting
    (XSS)
    • Injection attack

    • User-supplied content used without validation, filtering or
    escaping

    • Different contexts: HTML, HTML attributes, Javascript,
    CSS, XML…

    View Slide

  8. Cross-Site Scripting
    (XSS)
    http://mycoolsite.com?user=user1
    http://mycoolsite.com?user=alert(1)

    View Slide

  9. Direct Object
    Reference

    View Slide

  10. Direct Object
    Reference
    • “Security through obscurity”

    • Magic URLs

    • Inadequate authentication/authorization protection
    http://mycoolsite.com/user/view/1
    http://mycoolsite.com/admin
    http://mycoolsite.com/debug

    View Slide

  11. Poor Auth Practices

    View Slide

  12. Poor Auth Practices
    • User-controllable functionality

    • Not universally enforced

    • Plain-text credentials

    • Poor password policies/reset handling

    • Federation vs Local

    View Slide

  13. SQL Injection

    View Slide

  14. SQL Injection
    • Bypass controls to execute arbitrary SQL

    • Usually caused by string concatenation

    • Prepared statements/bound parameters

    View Slide

  15. SQL Injection
    $sql = ‘select * from users where username =
    “foo” and password = “‘.$password.’”
    $password = ‘ccornutt’;
    $password = ‘“” or 1=1;
    select * from users where username = “foo”
    and password = “” or 1=1;

    View Slide

  16. Information
    Exposure

    View Slide

  17. Information Exposure
    • Exposing sensitive information publicly

    • Error messages

    • Unprotected directories or files in the document root

    • Public-facing files considered “secret”

    View Slide

  18. Let’s get hacking…
    uh, I mean, testing!

    View Slide

  19. Challenge #1

    View Slide

  20. Challenge #1 Hints
    Hidden data
    Authorization
    Encryption

    View Slide

  21. Challenge #2

    View Slide

  22. Challenge #2 Hints
    Public Information
    Poor Auth Handling
    Obscurity

    View Slide

  23. Challenge #3

    View Slide

  24. Challenge #3 Hints
    Filter
    User input

    View Slide

  25. Challenge #4

    View Slide

  26. Challenge #4 Hints
    Poor Authentication Handling
    Default credentials

    View Slide

  27. Challenge #5

    View Slide

  28. Challenge #5 Hints
    User Input
    Serialization

    View Slide

  29. Challenge #6

    View Slide

  30. Challenge #6 Hints
    User Input
    SQL Injection

    View Slide

  31. Challenge #7

    View Slide

  32. [email protected]
    @enygma

    View Slide

  33. Thanks!
    @enygma

    @securingphp

    https://websec.io

    [email protected]

    View Slide