Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing, but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019
Transcript

  1. PENTESTING
    FOR DEVELOPERS
    Chris Cornutt - Sunshine PHP 2019
    for setup: http://signup.capturetf.com

  2. We’ll Cover…
    • The most common issues in web application security

    • The top vulnerability types

    • Tools and techniques
    …and then the really fun stuff

  3. What this is not
    • A step-by-step guide into fixing the issues we find

    • A comprehensive listing of everything to test

    • An assurance that your application is completely secure

  4. Setup Time
    Do you have your environment yet?
    http://signup.capturetf.com

  5. Cross-Site Scripting

  6. Cross-Site Scripting (XSS)
    • Injection attack

    • User-supplied content used without validation, filtering or escaping

    • Different contexts: HTML, HTML attributes, Javascript, CSS, XML…

  7. Cross-Site Scripting (XSS)
    http://mycoolsite.com?user=user1
    http://mycoolsite.com?user=alert(1)

  8. Direct Object Reference

  9. Direct Object Reference
    • “Security through obscurity”

    • Magic URLs

    • Inadequate authentication/authorization protection
    http://mycoolsite.com/user/view/1
    http://mycoolsite.com/admin
    http://mycoolsite.com/debug

  10. Poor Auth Practices

  11. Poor Auth Practices
    • User-controllable functionality

    • Not universally enforced

    • Plain-text credentials

    • Poor password policies/reset handling

    • Federation vs Local

  12. SQL Injection

  13. SQL Injection
    • Bypass controls to execute arbitrary SQL

    • Usually caused by string concatenation

    • Prepared statements/bound parameters

  14. SQL Injection
    $sql = 'select * from users where username = "foo" and password = "' . $password . '"';
    $password = 'ccornutt';
    $password = '" or 1=1;';
    select * from users where username = "foo" and password = "" or 1=1;
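As an added example that is not from the slides, the concatenated query above beside its prepared-statement fix, run against an in-memory SQLite table constructed here; the table, the stored row, the tautology payload and the `loginConcatenated`/`loginPrepared` helper names are assumptions for illustration.

```php
<?php
// Added example (not from the slides): compare the slide's string
// concatenation with a PDO prepared statement. Uses an in-memory SQLite
// table constructed below so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO users VALUES ('foo', 'correct horse')"); // constructed row

// Vulnerable (slide 14): quote characters inside $password are parsed as
// SQL, so the caller can rewrite the WHERE clause.
function loginConcatenated(PDO $pdo, string $password): bool
{
    $sql = "select * from users where username = 'foo' and password = '" . $password . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Fixed: the bound parameter is sent as a value and never re-parsed as SQL,
// so the same payload is compared literally against the stored password.
function loginPrepared(PDO $pdo, string $password): bool
{
    $stmt = $pdo->prepare('select * from users where username = :u and password = :p');
    $stmt->execute([':u' => 'foo', ':p' => $password]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Constructed inputs: the real password and a tautology in the spirit of
// the slide's `or 1=1`, written so the closing quote stays balanced.
$attempts = [
    'correct horse' => 'real password',
    "' or '1'='1"   => 'tautology payload',
];

foreach ($attempts as $password => $label) {
    printf(
        "%-18s concatenated=%-5s prepared=%s\n",
        $label,
        loginConcatenated($pdo, $password) ? 'true' : 'false',
        loginPrepared($pdo, $password) ? 'true' : 'false'
    );
}
```

The concatenated version accepts the payload while the prepared version rejects it, which is the check to add to your own test suite: every query that takes user input should fail this kind of tautology probe.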

  15. Information Exposure

  16. Information Exposure
    • Exposing sensitive information publicly

    • Error messages

    • Unprotected directories or files in the document root

    • Public-facing files considered “secret”

  17. Let’s get hacking…
    uh, I mean, testing!

  18. Challenge #1

  19. Challenge #1 Hints
    Hidden data
    Authorization
    Encryption

  20. Challenge #2

  21. Challenge #2 Hints
    Public Information
    Poor Auth Handling
    Obscurity

  22. Challenge #3

  23. Challenge #3 Hints
    Filter
    User input

  24. Challenge #4

  25. Challenge #4 Hints
    Poor Authentication Handling
    Default credentials

  26. Challenge #5

  27. Challenge #5 Hints
    User Input
    Serialization

  28. Challenge #6

  29. Challenge #6 Hints
    User Input
    SQL Injection

  30. Challenge #7

  31. Thanks!
    @enygma

    @securingphp

    https://websec.io

    [email protected]