
A Beginner's Toolkit for Securing Web Apps

FHV
January 14, 2017

Talk presented at CUSEC 2017, January 14 2017.


Transcript

  1. A Beginner's Toolkit for Securing Web Apps, Florencia Herra Vega, CUSEC 2017
  2. who are you anyway? florencia herra vega @flohdot, CTO, peerio.com (by alonso lópez)
  3. we are the stonemasons of the 21st century… building rickety af cathedrals
  4. security = somebody else’s problem?

  5. psst…… your user might be evil

  6. individual evil

  7. wholesale evil

  8. a common weapons arsenal: xss! sql injection! unprotected databases! stolen passwords!
  9. go forth and be concerned

  10. is your infrastructure leaky? [web server] hello I am a web server, I listen on port 80, send me requests [database]
  11. is your infrastructure leaky? [web server] hello I am a web server, I listen on port 80, send me requests [database] hello I am a database server, I listen on port 27017, let my data be FREE!
  12. is your infrastructure leaky? (build of the previous slide: the database server on port 27017 answers the outside world exactly like the web server on port 80)
  13. is your infrastructure leaky? "Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket." somewhere in the depths of the documentation…
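The slides above picture a database answering on 27017 (MongoDB's default port) right next to the web server on 80, and quote the Redis documentation's warning. The quickest way to find out whether your own box does this is to list its listening sockets and flag anything bound to every interface on a port you never meant to expose. The script below is an added example, not part of the talk: it parses a constructed sample of `ss -ltn` output embedded in the file (run `ss -ltn` on a Linux host for the real thing) and assumes that only ports 80 and 443 are intentionally public.

```python
"""Flag network listeners that are reachable from the public internet.

Added example, not from the talk. Parses `ss -ltn` style output and reports
services bound to every interface (0.0.0.0 or [::]) on ports other than the
web ports the app actually means to expose.
"""
import re

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     10.0.0.5:5432        0.0.0.0:*
"""

# Assumption: this app intentionally serves only HTTP and HTTPS to the world.
INTENDED_PUBLIC_PORTS = {80, 443}

# Addresses that mean "every interface", i.e. "the internet" on a host with a
# public IP and nothing in front of it.
WILDCARD_ADDRESSES = {"0.0.0.0", "[::]", "*"}

# LISTEN  <recv-q>  <send-q>  <address>:<port>  ...
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line in the output."""
    listeners = []
    for line in ss_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append((match.group(1), int(match.group(2))))
    return listeners


def leaky_listeners(ss_output, intended_public_ports=INTENDED_PUBLIC_PORTS):
    """Listeners bound to a wildcard address on a port not meant to be public."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRESSES and port not in intended_public_ports
    ]


if __name__ == "__main__":
    for addr, port in leaky_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed to the world: {addr}:{port}")
```

In the sample only the 27017 listener is reported: Redis on 127.0.0.1 and Postgres on the private 10.0.0.5 address are not. Binding to a private interface is only as safe as the network behind it, so the iptables/ufw guides linked at the end of the deck are still worth following.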
  14. what’s in a password? password123 / iloveyou9 / x1.28YhgIosg0/uT / mydogisbob / welshman spat mediate fluke
  15. what’s in a password? (same list) → hash
  16. what’s in a password? (same list; two users with password123) → hash → the two password123 entries come out identical (!!!! !!!!)
  17. what’s in a password? password123 + 14rFtg45 / iloveyou9 / x1.28YhgIosg0/uT / mydogisbob / welshman spat mediate fluke / password123 + T5hGYpwD → hash (a different salt per user, so different outputs)
  18. what’s in a password? (same list) password123
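Slides 14 to 18 make one point visually: hash the passwords and the two users who both chose password123 still share a hash, so a stolen table reveals who reused what; add a random salt per user and they no longer match. Below is that sequence as working code. It is an added example, not from the talk; the user list is constructed from the slide's passwords, the iteration count is an assumed value, and PBKDF2 from the standard library is used only because it is always available (bcrypt, scrypt or Argon2 are the better choices in production).

```python
"""Bare hash vs salted password hash.

Added example, not from the talk. Shows why identical passwords must not
produce identical stored values, and how to verify a salted hash safely.
"""
import hashlib
import hmac
import secrets

# Constructed sample user table using the slide's passwords; alice and frank
# both picked password123.
SAMPLE_PASSWORDS = [
    ("alice", "password123"),
    ("bob", "iloveyou9"),
    ("carol", "x1.28YhgIosg0/uT"),
    ("dave", "mydogisbob"),
    ("erin", "welshman spat mediate fluke"),
    ("frank", "password123"),
]

PBKDF2_ROUNDS = 200_000  # assumed value; tune upward as hardware allows


def unsalted_hash(password):
    """The slide's first attempt: a bare SHA-256. Same input, same output."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'salt$digest' using a fresh 16-byte random salt per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def duplicate_passwords_visible(stored_values):
    """True if two stored values collide, i.e. the table leaks who shares a password."""
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    bare = [unsalted_hash(pw) for _, pw in SAMPLE_PASSWORDS]
    salted = [hash_password(pw) for _, pw in SAMPLE_PASSWORDS]
    print("bare hashes reveal reuse:", duplicate_passwords_visible(bare))
    print("salted hashes reveal reuse:", duplicate_passwords_visible(salted))
```

The slow, iterated hash matters as much as the salt: a salt stops one precomputed table from cracking the whole database, and the work factor makes each individual guess expensive.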
  19. beware of user content

  20. user content all up in your databases: select * from articles where id = $totally_legit_USER_INPUT
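The query on the slide splices $totally_legit_USER_INPUT straight into SQL, so whatever the user typed is parsed as SQL. The script below runs that query against a small SQLite table and then runs the fixed version with a bound parameter. It is an added example, not from the talk, written in Python rather than the PHP/SQL of the slide; the articles table, its rows and the attacker input are constructed for the demonstration.

```python
"""SQL injection: string-built query vs parameterized query.

Added example, not from the talk. An in-memory SQLite table stands in for
the slide's `articles` table.
"""
import sqlite3

# Constructed attacker input: a valid id followed by a tautology.
PAYLOAD = "1 or 1=1"


def make_db():
    """Build the sample table: one public article, two unpublished drafts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer primary key, title text)")
    conn.executemany(
        "insert into articles values (?, ?)",
        [(1, "public post"), (2, "unpublished draft"), (3, "another draft")],
    )
    return conn


def fetch_titles_vulnerable(conn, user_input):
    """The slide's query: user input is concatenated into the SQL text."""
    query = "select title from articles where id = " + user_input
    return [row[0] for row in conn.execute(query)]


def fetch_titles_safe(conn, user_input):
    """Same lookup with a bound parameter; the driver never parses the input as SQL."""
    rows = conn.execute("select title from articles where id = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:   ", fetch_titles_vulnerable(db, "1"))
    print("vulnerable, payload:", fetch_titles_vulnerable(db, PAYLOAD))
    print("safe, id=1:         ", fetch_titles_safe(db, "1"))
    print("safe, payload:      ", fetch_titles_safe(db, PAYLOAD))
```

With the payload the string-built query becomes `where id = 1 or 1=1` and returns every row, drafts included; the parameterized query compares the id column against the literal text "1 or 1=1", matches nothing, and returns an empty list. Every database driver the deck's frameworks use has the equivalent of the `?` placeholder.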
  21. user content in your html: <div class="reasonableCommentsSection"> <?php echo $user_post ?> </div>
  22. user content in your html, try it yourself! <script>alert('oops');</script>
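The PHP on slide 21 echoes $user_post into the page untouched, so the payload on slide 22 runs as script in every visitor's browser. The script below renders that template both ways. It is an added example, not from the talk, in Python rather than PHP: html.escape stands in for PHP's htmlspecialchars, and the template string is a copy of the slide's div.

```python
"""Reflected user content: raw vs HTML-escaped output.

Added example, not from the talk. Shows the slide's comment template with
the post inserted raw, then with the post escaped so the browser renders it
as text instead of executing it.
"""
import html

# The slide's try-it-yourself payload.
PAYLOAD = "<script>alert('oops');</script>"

TEMPLATE = '<div class="reasonableCommentsSection">{}</div>'


def render_comment_vulnerable(user_post):
    """Slide 21 as written: the post lands in the page byte for byte."""
    return TEMPLATE.format(user_post)


def render_comment_safe(user_post):
    """Escape &, <, >, \" and ' so markup in the post becomes inert text."""
    return TEMPLATE.format(html.escape(user_post, quote=True))


def contains_live_script(page):
    """Crude check used by the demo: is there an unescaped <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
```

Escaping is context dependent: this encoder is right for text and quoted attribute values, but a value dropped into a URL, an inline script or a CSS rule needs the encoder for that context. Template engines in the frameworks the deck recommends escape by default, which is the main reason to use one.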

  23. just a whole bunch of really old protocols chattering away, nbd
  24. what even is state?

  25. what even is state? username: alice, cart_contents: iphone, earbuds, store_credit: 10000
  26. what even is state? all requests to bla.com

  27. encryption eh? HAVE SOME PERSONAL DATA!!!!!!!! psst i’m gonna tell you a secret
  28. encryption eh? [unintelligible shouting] [gibberish] HTTPS to the rescue

  29. the state of modern webpages (mock page): super cool recipe blog / one weird trick / wow wow / filler article text: "Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable." / Like this! Tweet this! / unbelievable whisking technique, 152 comments / against sous-vide: a polemic / buy my book / Patreon / GitTip / Flattr / Bitcoin / youtube / ad network / social media / google analytics
  30. do you trust your third party content providers? (are they worth it?)
  31. improve your baking • no javascript access • secure (TLS-only) • don’t store valuable business data • expire quickly
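Slides 24 to 26 show a cookie carrying username, cart_contents and store_credit, and slide 31 lists the four fixes. The script below is an added example, not from the talk, that applies all four: the cookie holds only a random session id, the username, cart and credit stay in a server-side store, and the Set-Cookie value carries HttpOnly, Secure and a short Max-Age. The in-memory dict, the 15-minute lifetime and the cookie name `sid` are assumptions; a real deployment keeps the store in Redis or a database on a private interface. It needs Python 3.8 or newer for the SameSite attribute.

```python
"""Session cookies that follow the slide's baking advice.

Added example, not from the talk. The cookie carries an opaque session id
only; state such as store_credit lives server-side, so editing the cookie
cannot change it.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 900  # "expire quickly": 15 minutes, an assumed value

# Server-side session store, in memory for the example only.
SESSIONS = {}


def new_session(username, store=SESSIONS, now=None):
    """Create a server-side session and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable
    store[sid] = {
        "username": username,
        "cart_contents": [],
        "store_credit": 0,
        "expires_at": now + SESSION_TTL_SECONDS,
    }
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True          # no javascript access
    cookie["sid"]["secure"] = True            # TLS-only
    cookie["sid"]["max-age"] = SESSION_TTL_SECONDS  # expire quickly
    cookie["sid"]["samesite"] = "Lax"         # Python 3.8+
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def load_session(cookie_header, store=SESSIONS, now=None):
    """Resolve a request's Cookie header to its session; None if unknown or expired."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        return None
    sid = jar["sid"].value
    session = store.get(sid)
    if session is None or session["expires_at"] <= now:
        store.pop(sid, None)  # expired sessions are dropped server-side too
        return None
    return session


if __name__ == "__main__":
    header = new_session("alice")
    print("Set-Cookie:", header)
    sid = header.split(";", 1)[0].split("=", 1)[1]
    print(load_session("sid=" + sid))
    print(load_session("sid=" + sid + "; store_credit=10000"))
```

A client that rewrites its cookie to store_credit=10000 changes nothing, because the server never reads that value; a forged or expired sid simply resolves to no session. The Max-Age on the cookie and the expires_at check on the server are both needed: the browser honours the first, the server enforces the second.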
  32. Use a framework! (but also, take it apart)

  33. how can people misuse your system?

  34. go forth and be concerned & get in touch: @flohdot

  35. General Resources
    • Kelsey Gilmore-Innis — Seriously Strong Security on a Shoestring (PyCon) https://www.youtube.com/watch?v=8FeNdXzVLEs
    • A more detailed guide to a lot of the things in this talk, by Martin Fowler: https://martinfowler.com/articles/web-security-basics.html
    • The Tangled Web by Michal Zalewski — the best book for understanding the guts of internet architecture and its security problems
    • Rails security guides with great info on sessions: http://guides.rubyonrails.org/security.html
  36. General Resources
    • On the surveillance state: Bruce Schneier — Data & Goliath, Liars & Outliers
    • Two “true crime” books that are really fun:
      • On cyberweapons: Countdown to Zero Day by Kim Zetter
      • On the botnet industrial complex: Spam Nation by Brian Krebs
  37. HTTPS
    • Free, easy-to-set-up certificates for your web server! https://certbot.eff.org/
    • SSL Labs — test if a website’s transport encryption is any good https://www.ssllabs.com/ssltest/
    • My talk on HTTPS for muggles (now with more Harry Potter metaphors) — https://www.youtube.com/watch?v=oKgzftLmyiE
    • SSL: it’s hard to get right https://recompilermag.com/issues/issue-1/ssl-its-hard-to-do-right/
    • Learn about networking! It will help you understand security. Julia Evans’s drawings are a fun place to start: https://drawings.jvns.ca/
  38. infrastructure
    • Silence on the Wire, by Michal Zalewski
    • Penetration Testing, by Georgia Weidman
    • Intro to isolating servers within a private network with iptables https://www.digitalocean.com/community/tutorials/how-to-isolate-servers-within-a-private-network-using-iptables — also look for DigitalOcean guides to ufw
    • Consider using a PaaS like Heroku and let them deal with your infrastructure.
  39. Passwords
    • Hash functions taste great — Curtis Lassam https://www.youtube.com/watch?v=1c8K0hrglRg
    • Dropbox’s password entropy calculator https://github.com/dropbox/zxcvbn
    • Awesome passphrases from Peerio https://passphrases.peerio.com