
Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019

Transcript

  1. PENTESTING FOR DEVELOPERS
    Chris Cornutt - Sunshine PHP 2019
    for setup: http://signup.capturetf.com

  3. We’ll Cover…
    • The most common issues in web application security

    • The top vulnerability types

    • Tools and techniques
    …and then the really fun stuff

  4. What this is not
    • A step-by-step guide into fixing the issues we find

    • A comprehensive listing of everything to test

    • An assurance that your application is completely secure

  5. Setup Time
    Do you have your environment yet?
    http://signup.capturetf.com

  6. Cross-Site Scripting

  7. Cross-Site Scripting (XSS)
    • Injection attack

    • User-supplied content used without validation, filtering or escaping

    • Different contexts: HTML, HTML attributes, JavaScript, CSS, XML…

  8. Cross-Site Scripting (XSS)
    http://mycoolsite.com?user=user1
    http://mycoolsite.com?user=alert(1)

  9. Direct Object Reference

  10. Direct Object Reference
    • “Security through obscurity”

    • Magic URLs

    • Inadequate authentication/authorization protection
    http://mycoolsite.com/user/view/1
    http://mycoolsite.com/admin
    http://mycoolsite.com/debug

  11. Poor Auth Practices

  12. Poor Auth Practices
    • User-controllable functionality

    • Not universally enforced

    • Plain-text credentials

    • Poor password policies/reset handling

    • Federation vs Local

  13. SQL Injection

  14. SQL Injection
    • Bypass controls to execute arbitrary SQL

    • Usually caused by string concatenation

    • Prepared statements/bound parameters

  15. SQL Injection
    // query built by string concatenation: the input becomes part of the SQL text
    $sql = 'select * from users where username = "foo" and password = "' . $password . '"';
    $password = 'ccornutt';   // the expected kind of input
    $password = '" or 1=1';   // a quote in the input closes the literal early
    // resulting query:
    select * from users where username = "foo" and password = "" or 1=1;
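As an added example (not code from the slides), here is the concatenated lookup next to its prepared-statement replacement, both run against a constructed in-memory SQLite table through PDO. It assumes PHP with the pdo_sqlite extension, and uses single quotes for the SQL string literals because SQLite treats double quotes as identifier quotes.

```php
<?php
// Added example, not from the slides: the same lookup done by string
// concatenation and by a prepared statement, against a constructed table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('foo', 'ccornutt')"); // constructed sample row

// Vulnerable: the input is spliced into the SQL text, so a quote in the input
// changes the structure of the query instead of staying a plain value.
function rowsByConcat(PDO $db, string $password): int
{
    $sql = "select * from users where username = 'foo' and password = '" . $password . "'";
    return count($db->query($sql)->fetchAll());
}

// Hardened: bound parameters keep the input as data; the query shape is fixed
// before the value is ever seen by the database.
function rowsByPrepared(PDO $db, string $password): int
{
    $stmt = $db->prepare('select * from users where username = :u and password = :p');
    $stmt->execute([':u' => 'foo', ':p' => $password]);
    return count($stmt->fetchAll());
}

// Compare both functions on the legitimate password and on an injected value.
foreach (['ccornutt', "' or '1'='1"] as $input) {
    printf("%-14s concat=%d prepared=%d\n", json_encode($input),
        rowsByConcat($db, $input), rowsByPrepared($db, $input));
}
```

The real password matches one row either way; the injected value matches a row through concatenation and none through the prepared statement, which is the difference the slide's last bullet is about.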

  16. Information Exposure

  17. Information Exposure
    • Exposing sensitive information publicly

    • Error messages

    • Unprotected directories or files in the document root

    • Public-facing files considered “secret”

  18. Let’s get hacking…
    uh, I mean, testing!

  19. Challenge #1

  20. Challenge #1 Hints
    Hidden data
    Authorization
    Encryption

  21. Challenge #2

  22. Challenge #2 Hints
    Public Information
    Poor Auth Handling
    Obscurity

  23. Challenge #3

  24. Challenge #3 Hints
    Filter
    User input

  25. Challenge #4

  26. Challenge #4 Hints
    Poor Authentication Handling
    Default credentials

  27. Challenge #5

  28. Challenge #5 Hints
    User Input
    Serialization

  29. Challenge #6

  30. Challenge #6 Hints
    User Input
    SQL Injection

  31. Challenge #7

  33. Thanks!
    @enygma

    @securingphp

    https://websec.io