Web Application Security for Beginners (OggCamp 2018)

This talk was given at OggCamp 2018 and aims to give a better understanding of both ends of web app security, whether attack or defense. It uses the OWASP Top 10 as a guideline for this. More files can be found here: https://github.com/Daniel-Dixon-UTC/talks/tree/master/oggcamp-2018.

Daniel Dixon

August 19, 2018

Transcript

  1. Web Application Security
    For Beginners
    Daniel Dixon | @SherlockSec | dan@sherlock-security.com

  2. root@kali:~# whoami
    Name: Daniel Dixon
    Username: DigitalSherlock
    Twitter: @SherlockSec
    GitHub: @Daniel-Dixon-UTC
    Website: (email: dan@)sherlock-security.com
    Blog: blog.sherlock-security.com
    Job: GCSE Student @ UTC Sheffield OLP
    Red Teamer
    ^C
    root@kali:~# ./starttalk.sh

  3. Objectives
    Learn and understand what a Web Application is, and where they are used.
    Learn and understand some of the common vulnerabilities in web apps
    Be able to apply these vulnerabilities and exploit the web apps
    Be able to fix these vulnerabilities in web apps
    … Profit?

  4. Web Applications
    Uses and Explanation

  5. What is a Web Application?
    − A Web Application is a program whose client runs in a web browser.
    − Common languages used in Web Apps include PHP, HTML and JavaScript.
    − Examples of web apps are Web Mail Clients, eCommerce and Messaging Clients.

  6. Our Example Web Application
    OWASP Juice Shop
    https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
    − In this talk, we will use OWASP Juice Shop to test some vulnerabilities
    − Juice Shop is intentionally vulnerable to attacks
    − Juice Shop is FOSS and available online.

  7. Objectives
    Learn and understand what a Web Application is, and where they are used.
    Learn and understand some of the common vulnerabilities in web apps
    Be able to apply these vulnerabilities and exploit the web apps
    Be able to fix these vulnerabilities in web apps
    … Profit?

  8. OWASP Vulnerabilities
    The most common Web Application vulnerabilities.

  9. OWASP Top 10 Vulnerabilities
    A1: Injection
    A2: Broken Authentication
    A3: Sensitive Data Exposure
    A4: XML External Entities (XXE)
    A5: Broken Access Control
    A6: Security Misconfiguration
    A7: Cross-Site Scripting (XSS)
    A8: Insecure Deserialization
    A9: Using Components with Known Vulnerabilities
    A10: Insufficient Logging & Monitoring

  10. OWASP | A1: Injection
    Explanation:
    Injection is an attack vector in which malicious code is embedded in a poorly
    designed web application.
    Use Cases:
    Injections are most commonly used against SQL, NoSQL, OS commands and XML.
    Severity:
    This vuln allows for RCE, so a rating of 5 is given. (Extremely Severe)

  15. OWASP | A1: Injection
    Mitigation Techniques:
    Who needs a database anyways?
    Sanitize any inputs by escaping special characters like ‘ “ ; -
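
As an added example (not code from the talk or from Juice Shop), the three ways a login lookup can be built: concatenating the value, escaping it as the slide suggests, and binding it as a parameter, which is the fix OWASP lists first. No database is involved; the table and column names are invented and each builder returns the statement text so the effect of the input can be inspected.

```javascript
// Added example, not code from the talk. Table and column names are invented
// and no database is used: each builder returns the statement as it would be
// sent, so the effect of the input on the SQL text can be inspected.
// Escaping shown is MySQL-style (backslash); other engines double the quote
// instead, one reason hand-rolled escaping is fragile across databases.

// The slide's mitigation: escape ' " ; - (and the backslash itself, otherwise
// an input ending in \ would cancel the escape placed on the closing quote).
function escapeSqlValue(value) {
  return String(value).replace(/[\\'";-]/g, (ch) => "\\" + ch);
}

// Vulnerable pattern: the user-supplied value becomes part of the SQL text.
function buildLoginQueryUnsafe(email) {
  return `SELECT id FROM Users WHERE email = '${email}'`;
}

// Escaping applied before concatenation.
function buildLoginQueryEscaped(email) {
  return `SELECT id FROM Users WHERE email = '${escapeSqlValue(email)}'`;
}

// Parameterised statement: the SQL text is a constant and the value travels
// separately as a bound parameter, so the database never parses it as SQL.
function buildLoginQueryParameterised(email) {
  return { text: "SELECT id FROM Users WHERE email = ?", values: [email] };
}

// Structural check: count quote characters that are not backslash-escaped.
// A statement with exactly one string literal should have exactly two.
function unescapedQuoteCount(sql) {
  let count = 0;
  for (let i = 0; i < sql.length; i++) {
    if (sql[i] === "\\") { i++; continue; } // skip the escaped character
    if (sql[i] === "'") count++;
  }
  return count;
}

// Constructed input: a legitimate address that happens to contain a quote.
const sampleEmail = "o'brien@example.com";
console.log(buildLoginQueryUnsafe(sampleEmail));     // literal ends early: 3 quotes
console.log(buildLoginQueryEscaped(sampleEmail));    // 2 quotes, value intact
console.log(buildLoginQueryParameterised(sampleEmail));
```

The unsafe builder breaks on an ordinary apostrophe, which is the same mechanism an attacker relies on; the parameterised form has no such character-level dependency at all.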

  16. OWASP | A2: Broken Authentication
    Explanation:
    This attack vector allows the attacker to capture or bypass the authentication
    methods used in a web app.
    Use Cases:
    Brute force; cred stuffing; Exploiting unexpired session tokens
    Severity:
    This allows the attacker to potentially obtain admin privileges, so is rated at a 4

  22. OWASP | A2: Broken Authentication
    Mitigation Techniques:
    Remove Authentication altogether
    Don’t use weak security questions. Require MFA. Use Recovery Codes to reset passwords.

  23. OWASP | A3: Sensitive Data Exposure
    Explanation:
    This attack vector allows the attacker to obtain sensitive data that the application did
    not correctly protect, e.g. credit card information.
    Use Cases:
    Credit Card Fraud; Obtaining access to another user’s account; Obtaining the full
    password file of the application.
    Severity:
    Since the recent GDPR, this vulnerability has become especially important, and
    as such is rated at a 5

  28. OWASP | A3: Sensitive Data Exposure
    Mitigation Techniques:
    Maybe don’t publicly host company secrets?
    Ensure proper access control; IP whitelist; Discard unneeded data

  29. OWASP | A4: XML External Entities (XXE)
    Explanation:
    This attack vector allows the attacker to exploit a poor XML parser to execute
    arbitrary code.
    Use Cases:
    Disclosure of confidential data; Denial of Service; Anything that is possible with
    code.
    Severity:
    As this involves RCE, this attack vector is rated as a 5.

  30. OWASP | A4: XML External Entities (XXE)
    Live Demonstration

  31. OWASP | A4: XML External Entities (XXE)
    Mitigation Techniques:
    Don’t have a relationship with other businesses.
    Don’t allow unrestricted XML upload; Don’t allow XML File Entities

  32. OWASP | A5: Broken Access Control
    Explanation:
    This attack vector allows the attacker to access areas of the web app that they do not
    have permission to use.
    Use Cases:
    Accessing Admin Panels; Accessing Account Info
    Severity:
    This attack vector is rated as a 3.

  33. OWASP | A5: Broken Access Control
    Live Demonstration

  34. OWASP | A5: Broken Access Control
    Mitigation Techniques:
    Do we really even need administrators?
    Properly configure access controls; Check page and file permissions

  35. OWASP | A6: Security Misconfiguration
    Explanation:
    This attack vector allows the attacker to take advantage of incorrectly set safeguards.
    Use Cases:
    Accessing older software; Directory Listing; Viewing Error Messages
    Severity:
    This attack vector is rated as a 2.

  36. OWASP | A6: Security Misconfiguration
    Live Demonstration

  37. OWASP | A6: Security Misconfiguration
    Mitigation Techniques:
    Write good code that never has errors.
    Disable verbose error messages; Trust no-one.

  38. OWASP | A7: Cross Site Scripting (XSS)
    Explanation:
    This attack vector allows the attacker to inject malicious JavaScript into another
    user’s browser. It is the second most common vulnerability found in web apps.
    Use Cases:
    Anything possible with JavaScript
    Severity:
    This attack vector is rated as a 5.

  40. OWASP | A7: Cross Site Scripting (XSS)
    Mitigation Techniques:
    Don’t use JavaScript.
    Escape HTML tags; Trust no-one; Use XSS blocking frameworks.
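
An added example, not code from the talk or from Juice Shop: the output encoding that the slide's "Escape HTML tags" advice means in practice, applied to an invented review-rendering template with and without encoding.

```javascript
// Added example, not code from the talk. The template and the helper
// names are invented; Juice Shop's own templates are not involved.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML structure. Encoding & as
// well keeps the output unambiguous and reversible by the browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the review body is pasted straight into the markup,
// so anything the reviewer typed is parsed as HTML by every other visitor.
function renderReviewUnsafe(author, body) {
  return `<div class="review"><b>${author}</b>: ${body}</div>`;
}

// Safe rendering: every untrusted value is encoded for the context it lands
// in. Attribute values must also be quoted, otherwise a space would end them.
function renderReviewSafe(author, body) {
  return `<div class="review" data-author="${escapeHtml(author)}">` +
         `<b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Check used by the tests: the tag names the browser would see. After
// encoding, only the tags written by the template itself remain.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed input: a review that happens to contain markup.
const reviewBody = 'Tastes <i>great</i> & only 1" tall';
console.log(renderReviewUnsafe("alice", reviewBody)); // <i> becomes a real tag
console.log(renderReviewSafe("alice", reviewBody));   // <i> is shown as text
```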

  41. OWASP | A8: Insecure Deserialization
    Explanation:
    This attack vector allows the attacker to abuse the logic of a program with untrusted
    data.
    Use Cases:
    Denial Of Service; RCE
    Severity:
    This attack vector is rated as a 5.

  44. OWASP | A8: Insecure Deserialization
    Mitigation Techniques:
    APIs are bad anyways, don’t bother using them.
    Run the code in a sandbox first; Check the integrity; Enforce strict constraints

  45. OWASP | A9: Using Components with Known Vulnerabilities
    Explanation:
    This attack vector allows the attacker to exploit already documented vulnerabilities in
    components added to the code.
    Use Cases:
    Exploit Dependent
    Severity:
    This attack vector is rated as a 5.

  46. OWASP | A9: Using Components with Known Vulnerabilities
    Mitigation Techniques:
    WAFS – Web App From Scratch
    Check the components that you are using; Double check for any typing errors;
    Keep up to date.

  47. OWASP | A10: Insufficient Logging/Monitoring
    Explanation:
    This occurs when security-critical events are not recorded.
    Use Cases:
    Exploit Dependent
    Severity:
    This attack vector is rated as a 5.

  48. OWASP | A10: Insufficient Logging/Monitoring
    Mitigation Techniques:
    Just make your own cyber threat task force
    Keep a verbose set of logs offline. Always monitor for suspicious activity. Have
    a damage control plan just in case.
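
An added example, not code from the talk: the "monitor for suspicious activity" advice of this slide applied to the brute-force and credential-stuffing cases listed under A2, run over a handful of constructed authentication log lines in an invented format. The thresholds are assumptions to be tuned per application.

```javascript
// Added example, not code from the talk. The log format is invented:
// "<ISO time> login <ok|fail> user=<name> ip=<addr>". Thresholds below are assumed.
const LOG_LINES = [
  "2018-08-19T10:00:00Z login fail user=admin ip=192.0.2.10",
  "2018-08-19T10:00:05Z login fail user=admin ip=192.0.2.10",
  "2018-08-19T10:00:10Z login fail user=admin ip=192.0.2.10",
  "2018-08-19T10:00:15Z login fail user=admin ip=192.0.2.10",
  "2018-08-19T10:00:20Z login fail user=admin ip=192.0.2.10",
  "2018-08-19T10:01:00Z login fail user=alice ip=198.51.100.7",
  "2018-08-19T10:01:02Z login fail user=bob ip=198.51.100.7",
  "2018-08-19T10:01:04Z login fail user=carol ip=198.51.100.7",
  "2018-08-19T10:01:06Z login fail user=dave ip=198.51.100.7",
  "2018-08-19T10:01:08Z login fail user=erin ip=198.51.100.7",
  "2018-08-19T10:02:00Z login fail user=frank ip=203.0.113.5", // one typo, not an attack
  "2018-08-19T10:02:09Z login ok user=frank ip=203.0.113.5",
  "this line is malformed and must not crash the monitor",
];

function parseLine(line) {
  const m = /^(\S+) login (ok|fail) user=(\S+) ip=(\S+)$/.exec(line);
  return m ? { time: Date.parse(m[1]), result: m[2], user: m[3], ip: m[4] } : null;
}

// Alert on any IP with >= maxFailures failed logins inside windowMs. The count of
// distinct accounts tried separates password brute force (one user, many guesses)
// from credential stuffing (many users, one guess each).
function findSuspiciousIps(lines, { maxFailures = 5, windowMs = 60_000 } = {}) {
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (!e || e.result !== "fail") continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.time - b.time);
    let start = 0; // sliding window over the sorted failure times
    for (let end = 0; end < events.length; end++) {
      while (events[end].time - events[start].time > windowMs) start++;
      if (end - start + 1 >= maxFailures) {
        const users = new Set(events.slice(start, end + 1).map((x) => x.user));
        alerts.push({ ip, failures: end - start + 1, distinctUsers: users.size,
                      pattern: users.size > 1 ? "credential stuffing" : "brute force" });
        break; // one alert per IP is enough for this demo
      }
    }
  }
  return alerts;
}
console.log(findSuspiciousIps(LOG_LINES));
```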

  49. Objectives
    Learn and understand what a Web Application is, and where they are used.
    Learn and understand some of the common vulnerabilities in web apps
    Be able to apply these vulnerabilities and exploit the web apps
    Be able to fix these vulnerabilities in web apps
    … Profit?

  50. Thank you!
    Questions and credits