
Pentesting for Developers


While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing, but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019



  1. PENTESTING FOR DEVELOPERS - Chris Cornutt, Sunshine PHP 2019. For setup: http://signup.capturetf.com
  2. None
  3. We’ll Cover…
     • The most common issues in web application security
     • The top vulnerability types
     • Tools and techniques
     …and then the really fun stuff
  4. What this is not
     • A step-by-step guide to fixing the issues we find
     • A comprehensive listing of everything to test
     • An assurance that your application is completely secure
  5. Setup Time Do you have your environment yet? http://signup.capturetf.com

  6. Cross-Site Scripting

  7. Cross-Site Scripting (XSS)
     • Injection attack
     • User-supplied content used without validation, filtering or escaping
     • Different contexts: HTML, HTML attributes, JavaScript, CSS, XML…
  8. Cross-Site Scripting (XSS)
     http://mycoolsite.com?user=user1
     http://mycoolsite.com?user=<script>alert(1)</script>
     <?php echo $_GET['user']; ?>
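The slide's raw `echo` beside output encoding that matches the context it lands in, as an added example that is not part of the deck. The two inputs are constructed to mirror the slide's URLs; a real page would read `$_GET['user']`. The function names are this example's own.

```php
<?php
// Added example (not from the deck): the slide's raw echo beside escaping
// chosen for the output context. Inputs below are constructed; a real page
// would read $_GET['user'].

declare(strict_types=1);

// Vulnerable: user-supplied text is placed into the HTML body untouched.
function renderUnsafe(string $user): string
{
    return '<p>Hello, ' . $user . '</p>';
}

// HTML body / attribute context. ENT_QUOTES escapes both quote styles so the
// same helper is safe inside single- or double-quoted attributes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $user): string
{
    return '<p>Hello, ' . escapeHtml($user) . '</p>';
}

// JavaScript context: HTML escaping is the wrong tool here. JSON-encode the
// value with the HEX flags so "</script>" cannot close the block early.
function renderJs(string $user): string
{
    $json = json_encode(
        $user,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var user = ' . $json . ';</script>';
}

// Constructed inputs mirroring the two URLs on the slide.
$inputs = ['user1', '<script>alert(1)</script>'];
foreach ($inputs as $input) {
    echo "input : $input\n";
    echo "unsafe: " . renderUnsafe($input) . "\n";
    echo "html  : " . renderSafe($input) . "\n";
    echo "js    : " . renderJs($input) . "\n\n";
}
```

Run it with `php xss.php`: the unsafe line carries the `<script>` tag through untouched, the HTML line turns its angle brackets into entities, and the JS line yields a JSON string literal whose `<` and `>` are hex-escaped. The point of the third function is the slide's last bullet: each context needs its own encoder, and applying the HTML one inside a script block does not help.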

  9. Direct Object Reference

  10. Direct Object Reference
     • “Security through obscurity”
     • Magic URLs
     • Inadequate authentication/authorization protection
     http://mycoolsite.com/user/view/1
     http://mycoolsite.com/admin
     http://mycoolsite.com/debug
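An added example (not from the deck) of the `/user/view/{id}` and `/admin` URLs on the slide, handled first the insecure way and then with an explicit authorization decision. The user table, the "current user" id and the handler signatures are constructed stand-ins for a session and a data layer.

```php
<?php
// Added example (not from the deck). The user table, the "current user" and
// the route handling are constructed stand-ins for a session and a database.

declare(strict_types=1);

$users = [
    1 => ['name' => 'alice', 'role' => 'user',  'email' => 'alice@example.test'],
    2 => ['name' => 'bob',   'role' => 'user',  'email' => 'bob@example.test'],
    3 => ['name' => 'carol', 'role' => 'admin', 'email' => 'carol@example.test'],
];

// Vulnerable: /user/view/{id} returns whatever record the URL names. Any
// logged-in user can count upward through the ids and read every profile.
function viewUserUnsafe(array $users, int $id): array
{
    $target = $users[$id] ?? null;
    return $target === null ? ['status' => 404] : ['status' => 200, 'body' => $target];
}

// Hardened: the id in the URL only selects the record; whether the caller
// may see it is decided against the authenticated principal, not the URL.
function viewUserSafe(array $users, ?int $currentUserId, int $id): array
{
    $viewer = $currentUserId === null ? null : ($users[$currentUserId] ?? null);
    if ($viewer === null) {
        return ['status' => 401];
    }
    $target = $users[$id] ?? null;
    if ($target === null) {
        return ['status' => 404];
    }
    if ($currentUserId !== $id && $viewer['role'] !== 'admin') {
        // Log denied cross-user access: a burst of these from one account is
        // the enumeration pattern a tester walking the ids produces.
        error_log("authz denied: user {$currentUserId} requested /user/view/{$id}");
        return ['status' => 403];
    }
    return ['status' => 200, 'body' => $target];
}

// Admin-only paths get the same explicit check; being hard to guess is not a control.
function viewAdminSafe(array $users, ?int $currentUserId): array
{
    $viewer = $currentUserId === null ? null : ($users[$currentUserId] ?? null);
    if ($viewer === null) {
        return ['status' => 401];
    }
    return $viewer['role'] === 'admin'
        ? ['status' => 200, 'body' => 'admin panel']
        : ['status' => 403];
}

// Bob (id 2) walks the ids the way the slide's magic URLs invite.
foreach ([1, 2, 3] as $id) {
    echo "unsafe /user/view/$id as bob: " . viewUserUnsafe($users, $id)['status'] . "\n";
    echo "safe   /user/view/$id as bob: " . viewUserSafe($users, 2, $id)['status'] . "\n";
}
echo "safe   /admin as bob:   " . viewAdminSafe($users, 2)['status'] . "\n";
echo "safe   /admin as carol: " . viewAdminSafe($users, 3)['status'] . "\n";
```

The unsafe handler answers 200 for all three ids; the hardened one answers 200 only for Bob's own record and 403 for the others, and the denied requests land in the log where a run of sequential ids stands out. Renaming `/admin` to something obscure changes none of this, which is the slide's first bullet.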
  11. Poor Auth Practices

  12. Poor Auth Practices
     • User-controllable functionality
     • Not universally enforced
     • Plain-text credentials
     • Poor password policies/reset handling
     • Federation vs Local
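Three of the slide's bullets in code, as an added example that is not from the deck: hashed rather than plain-text credential storage, a minimal password policy, and authentication enforced in one dispatch point so that it is universal rather than per handler. Users, routes, the session value and the deny-list are all constructed.

```php
<?php
// Added example (not from the deck). Users, routes and the session are
// constructed; it shows hashed credential storage and authentication enforced
// in one place rather than per handler.

declare(strict_types=1);

// Store a salted, slow hash, never the plain-text password. PASSWORD_DEFAULT
// is bcrypt today and may move to a stronger algorithm in later PHP releases.
$users = [
    'ccornutt' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

function authenticate(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $record = $users[$username] ?? null;
    // Always run password_verify, even for unknown usernames, so response time
    // does not tell the caller which accounts exist.
    $ok = password_verify($password, $record['hash'] ?? $dummyHash);
    return $record !== null && $ok;
}

// A minimal policy: length matters far more than character-class rules.
// The deny-list is a constructed stand-in for a breached-password check.
function passwordPolicyOk(string $candidate): bool
{
    $denyList = ['password123', 'letmein12345', 'qwertyuiop12'];
    return strlen($candidate) >= 12 && !in_array(strtolower($candidate), $denyList, true);
}

// Deny by default: every path needs a session unless it is listed as public.
// A handler that forgets its own check can no longer open a hole.
const PUBLIC_ROUTES = ['/login', '/healthz'];

function dispatch(string $path, ?string $sessionUser, array $handlers): array
{
    if ($sessionUser === null && !in_array($path, PUBLIC_ROUTES, true)) {
        return ['status' => 302, 'location' => '/login'];
    }
    $handler = $handlers[$path] ?? null;
    return $handler === null ? ['status' => 404] : $handler($sessionUser);
}

$handlers = [
    '/healthz' => fn(?string $u) => ['status' => 200, 'body' => 'ok'],
    '/account' => fn(?string $u) => ['status' => 200, 'body' => "account of $u"],
    '/reports' => fn(?string $u) => ['status' => 200, 'body' => 'reports'],
];

var_dump(authenticate($users, 'ccornutt', 'correct horse battery staple'));
var_dump(authenticate($users, 'ccornutt', 'wrong'));
var_dump(authenticate($users, 'nobody', 'anything'));
var_dump(passwordPolicyOk('password123'));
var_dump(passwordPolicyOk('correct horse battery staple'));
foreach (['/healthz', '/account', '/reports'] as $path) {
    echo $path . ' anonymous: ' . dispatch($path, null, $handlers)['status'] . "\n";
    echo $path . ' ccornutt : ' . dispatch($path, 'ccornutt', $handlers)['status'] . "\n";
}
```

Requires PHP 7.4 or later for the arrow functions and `??=`. The design choice worth copying is the dispatcher: the list of routes that do not need a login is short and explicit, so adding `/reports` later protects it automatically instead of relying on whoever writes that handler to remember a check.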
  13. SQL Injection

  14. SQL Injection
     • Bypass controls to execute arbitrary SQL
     • Usually caused by string concatenation
     • Prepared statements/bound parameters
  15. SQL Injection
     $sql = 'select * from users where username = "foo" and password = "'.$password.'"';
     $password = 'ccornutt';
     $password = '"" or 1=1;';
     select * from users where username = "foo" and password = "" or 1=1;
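The slide's concatenated query beside the bound-parameter version from slide 14, run against a throwaway database, as an added example that is not part of the deck. It uses PHP's PDO with an in-memory SQLite database so it runs offline; the `users` table, its two rows and the three login attempts are constructed. The plain-text `password` column mirrors the slide and is not a recommendation (see slide 12).

```php
<?php
// Added example (not from the deck). Runs against an in-memory SQLite
// database through PDO; the users table and its rows are constructed.
// The plain-text password column mirrors the slide, not good practice.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('foo', 'ccornutt')");
$pdo->exec("INSERT INTO users (username, password) VALUES ('bar', 'hunter22')");

// Vulnerable: the slide's concatenation. The password text becomes part of
// the SQL grammar, so a quote in it rewrites the WHERE clause.
function loginUnsafe(PDO $pdo, string $username, string $password): int
{
    $sql = "select * from users where username = '" . $username
         . "' and password = '" . $password . "'";
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened: a prepared statement with bound parameters. The statement text
// is fixed before any user data is attached; the data can only ever be data.
function loginSafe(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('select * from users where username = :username and password = :password');
    $stmt->execute([':username' => $username, ':password' => $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed inputs: the real password, a wrong one, and the slide's
// "or 1=1" style payload (written with single quotes to match the query).
$attempts = ['ccornutt', 'wrong', "' or 1=1 --"];
foreach ($attempts as $password) {
    printf(
        "%-14s unsafe=%d rows  safe=%d rows\n",
        $password,
        loginUnsafe($pdo, 'foo', $password),
        loginSafe($pdo, 'foo', $password)
    );
}
```

With the real password both functions return one row. With the payload, the concatenated query becomes `... and password = '' or 1=1 --'` and returns every user, while the prepared statement compares the literal string `' or 1=1 --` against the column and returns none. Needs the `pdo_sqlite` extension, which ships enabled in most PHP builds.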
  16. Information Exposure

  17. Information Exposure
     • Exposing sensitive information publicly
     • Error messages
     • Unprotected directories or files in the document root
     • Public-facing files considered “secret”
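An added example (not from the deck) for the "Error messages" bullet: production error handling that keeps the stack trace, file paths and query text in the log and hands the client only a generic page with a correlation id. The failing `loadReport()` call and its message are constructed.

```php
<?php
// Added example (not from the deck). Shows a production error setup: detail
// goes to the log, the client gets a generic page with a correlation id.
// The failing "database" call and its message are constructed.

declare(strict_types=1);

// Never render PHP errors into the response in production.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

function renderErrorPage(Throwable $e): string
{
    // A random id links the user's report to the full detail in the log
    // without putting the trace, file paths or query text on the page.
    $correlationId = bin2hex(random_bytes(8));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $correlationId,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));
    return "<p>Something went wrong. Reference: $correlationId</p>";
}

// Uncaught exceptions anywhere in the request end up here.
set_exception_handler(function (Throwable $e): void {
    http_response_code(500);
    echo renderErrorPage($e);
});

// Constructed failure: exactly the kind of message that should stay in the log,
// since it names a table and an internal hostname.
function loadReport(): array
{
    throw new RuntimeException(
        "SQLSTATE[42S02]: table 'reports' not found (host db-internal.example.test)"
    );
}

loadReport();
```

Run from the CLI, the page text goes to stdout and the detailed line to stderr (PHP's default `error_log` destination); under a web server it goes to the server's error log instead. A quick self-check for the other bullets on the slide is to request the same URL with `display_errors` on and off and confirm the response body is identical apart from the reference id.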
  18. Let’s get hacking… uh, I mean, testing!

  19. Challenge #1

  20. Challenge #1 Hints Hidden data Authorization Encryption

  21. Challenge #2

  22. Challenge #2 Hints Public Information Poor Auth Handling Obscurity

  23. Challenge #3

  24. Challenge #3 Hints Filter User input

  25. Challenge #4

  26. Challenge #4 Hints Poor Authentication Handling Default credentials

  27. Challenge #5

  28. Challenge #5 Hints User Input Serialization

  29. Challenge #6

  30. Challenge #6 Hints User Input SQL Injection

  31. Challenge #7

  32. [email protected] @enygma

  33. Thanks! @enygma @securingphp https://websec.io [email protected]