Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting for Developers

Chris Cornutt
February 07, 2019
Technology
0
140

Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
140
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
190
Pieces of Auth
ccornutt
0
340
Securing Legacy Applications
ccornutt
0
510
Build Security In
ccornutt
0
210
Introduction to Slim 3
ccornutt
0
170
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
280
PHP Security Bootcamp
ccornutt
2
310

Other Decks in Technology

See All in Technology
Рекомендации с нуля: как мы в Lamoda превратили главную страницу в ключевую точку входа для персонализированного шоппинга. Данил Комаров, Data Scientist, Lamoda Tech
lamodatech
0
850
AIコーディングの最前線 〜活用のコツと課題〜
pharma_x_tech
4
2.9k
バクラクの認証基盤の成長と現在地 / bakuraku-authn-platform
convto
4
850
QA/SDETの現在と、これからの挑戦
imtnd
0
160
クラウド開発環境Cloud Workstationsの紹介
yunosukey
0
210
Linuxのパッケージ管理とアップデート基礎知識
go_nishimoto
0
690
Goの組織でバックエンドTypeScriptを採用してどうだったか / How was adopting backend TypeScript in a Golang company
kaminashi
12
9k
Стильный код: натуральный поиск редких атрибутов по картинке. Юлия Антохина, Data Scientist, Lamoda Tech
lamodatech
0
850
Databricksで完全履修!オールインワンレイクハウスは実在した!
akuwano
0
130
地味にいろいろあった! 2025春のAmazon Bedrockアップデートおさらい
minorun365
PRO
2
530
Twelve-Factor-Appから学ぶECS設計プラクティス/ECS practice for Twelve-Factor-App
ozawa
3
140
2025-04-14 Data & Analytics 井戸端会議 Multi tenant log platform with Iceberg
kamijin_fanta
0
140

Featured

See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
550
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
It's Worth the Effort
3n
184
28k
KATA
mclloyd
29
14k
[RailsConf 2023] Rails as a piece of cake
palkan
54
5.5k
How to Think Like a Performance Engineer
csswizardry
23
1.5k
The Language of Interfaces
destraynor
157
25k
Side Projects
sachag
453
42k
How to train your dragon (web standard)
notwaldorf
91
6k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.5k
Designing for humans not robots
tammielis
253
25k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k

Transcript

  1. PENTESTING FOR DEVELOPERS Chris Cornutt - Sunshine PHP 2019 for

    setup: http://signup.capturetf.com
  2. None

  3. We’ll Cover… • The most common issues in web application

    security • The top vulnerability types • Tools and techniques …and then the really fun stuff

  4. What this is not • A step-by-step guide into fixing

    the issues we find • A comprehensive listing of everything to test • An assurance that your application is completely secure

  5. Setup Time Do you have your environment yet? http://signup.capturetf.com

  6. Cross-Site Scripting

  7. Cross-Site Scripting (XSS) • Injection attack • User-supplied content used

    without validation, filtering or escaping • Different contexts: HTML, HTML attributes, Javascript, CSS, XML…

  8. Cross-Site Scripting (XSS) http://mycoolsite.com?user=user1 http://mycoolsite.com?user=<script>alert(1)</script> <?php echo $_GET[‘user’]; ?>

  9. Direct Object Reference

  10. Direct Object Reference • “Security through obscurity” • Magic URLs

    • Inadequate authentication/authorization protection http://mycoolsite.com/user/view/1 http://mycoolsite.com/admin http://mycoolsite.com/debug

  11. Poor Auth Practices

  12. Poor Auth Practices • User-controllable functionality • Not universally enforced

    • Plain-text credentials • Poor password policies/reset handling • Federation vs Local

  13. SQL Injection

  14. SQL Injection • Bypass controls to execute arbitrary SQL •

    Usually caused by string concatenation • Prepared statements/bound parameters

  15. SQL Injection $sql = ‘select * from users where username

    = “foo” and password = “‘.$password.’” $password = ‘ccornutt’; $password = ‘“” or 1=1; select * from users where username = “foo” and password = “” or 1=1;

  16. Information Exposure

  17. Information Exposure • Exposing sensitive information publicly • Error messages

    • Unprotected directories or files in the document root • Public-facing files considered “secret”

  18. Let’s get hacking… uh, I mean, testing!

  19. Challenge #1

  20. Challenge #1 Hints Hidden data Authorization Encryption

  21. Challenge #2

  22. Challenge #2 Hints Public Information Poor Auth Handling Obscurity

  23. Challenge #3

  24. Challenge #3 Hints Filter User input

  25. Challenge #4

  26. Challenge #4 Hints Poor Authentication Handling Default credentials

  27. Challenge #5

  28. Challenge #5 Hints User Input Serialization

  29. Challenge #6

  30. Challenge #6 Hints User Input SQL Injection

  31. Challenge #7

  32. info@websec.io @enygma

  33. Thanks! @enygma @securingphp https://websec.io info@websec.io