A Beginner's Toolkit for Securing Web Apps

Transcript

1. A Beginner's Toolkit for Securing Web Apps Florencia Herra Vega,

   CUSEC 2017

2. who are you anyway? florencia herra vega @flohdot CTO, peerio.com

   by alonso lópez

3. we are the stonemasons of the 21st century… building rickety

   af catherals

4. security = somebody else’s problem?

5. psst…… your user might be evil

6. individual evil

7. wholesale evil

8. a common weapons arsenal xss! sql injection! unprotected databases! stolen

   passwords!

9. go forth and be concerned

10. is your infrastructure leaky? web server database hello I am

    a web server I listen on port 80 send me requests

11. is your infrastructure leaky? hello I am a database server

    I listen on port 27017 let my data be FREE! web server database hello I am a web server I listen on port 80 send me requests

12. hello I am a database server I listen on port

    27017 let my data be FREE! is your infrastructure leaky? hello I am a database server I listen on port 27017 let my data be FREE! web server database hello I am a web server I listen on port 80 send me requests database web server hello I am a web server I listen on port 80 send me requests

13. is your infrastructure leaky? > Redis is designed to be

    accessed by trusted clients inside > trusted environments. This means that usually it is not a good > idea to expose the Redis instance directly to the internet or, > in general, to an environment where untrusted clients can > directly access the Redis TCP port or UNIX socket. somewhere in the depths of the documentation….

14. what’s in a password? password123 iloveyou9 x1.28YhgIosg0/uT mydogisbob welshman spat

    mediate fluke

15. what’s in a password? password123 iloveyou9 x1.28YhgIosg0/uT mydogisbob welshman spat

    mediate fluke ! hash

16. what’s in a password? password123 iloveyou9 x1.28YhgIosg0/uT mydogisbob welshman spat

    mediate fluke password123 ! ! hash !!!! !!!!

17. what’s in a password? password123 + 14rFtg45 iloveyou9 x1.28YhgIosg0/uT mydogisbob

    welshman spat mediate fluke password123 + T5hGYpwD ⛺ hash

18. what’s in a password? password123 iloveyou9 x1.28YhgIosg0/uT mydogisbob welshman spat

    mediate fluke password123

19. beware of user content

20. user content all up in your databases select * from

    articles where id = $totally_legit_USER_INPUT

21. user content in your html <div class=“reasonableCommentsSection”> <?php echo $user_post

    ?> </div>

22. user content in your html try it yourself! <script>alert(‘oops’);</script>

23. just a whole bunch of really old protocols chattering away

    nbd

24. what even is state?

25. what even is state? username: alice cart_contents: iphone, earbuds store_credit:

    10000

26. what even is state? all requests to bla.com

27. encryption eh? HAVE SOME PERSONAL DATA!!!!!!!! psst i’m gonna tell

    you a secret

28. encryption eh? [unintelligible shouting] [gibberish] HTTPS to the rescue

29. the state of modern webpages super cool recipe blog one

    weird trick wow wow Entrepreneur piverate integrate grok Steve Jobs innovate big data experiential. Minimum viable product 360 campaign ship it grok responsive ship it co-working iterate. Sticky note viral ideate user centered design agile unicorn 360 campaign workflow hacker earned media parallax viral. Personas personas Steve Jobs quantitative vs. qualitative moleskine convergence pitch deck experiential co-working responsive responsive pair programming thought leader personas. Disrupt entrepreneur personas fund minimum viable. Like this! Tweet this! unbelievable whisking technique 152 comments against sous-vide: a polemic buy my book Patreon GitTip Flattr Bitcoin youtube ad network social media google analytics

30. do you trust your third party content providers? (are they

    worth it?)

31. improve your baking •no javascript access •secure (TLS-only) •don’t store

    valuable business data •expire quickly

32. Use a framework! (but also, take it apart)

33. how can people misuse your system?

34. go forth and be concerned & get in touch: @flohdot

35. General Resources • Kelsey Gilmore-Innis — Seriously Strong Security on

    a Shoestring (Pycon) https://www.youtube.com/watch?v=8FeNdXzVLEs • A more detailed guide to a lot of the things in this talk, by Martin Fowler: https://martinfowler.com/articles/web-security-basics.html • The Tangled Web by Michal Zalewski — the best book for understanding the guts of internet architecture and its security problems • Rails security guides with great info on sessions: http:// guides.rubyonrails.org/security.html

36. General Resources • On the surveillance state: Bruce Schneier —

    Data & Goliath, Liars & Outliers • Two “true crime” books that are really fun: • On cyberweapons: Countdown to Zero Day by Kim Zetter • On the botnet industrial complex: Spam Nation by Brian Krebs

37. HTTPS • Free, easy-to-set-up certificates for your web server! https://certbot.eff.org/

    • SSL Labs — test if a website’s transport encryption is any good https:// www.ssllabs.com/ssltest/ • My talk on HTTPS for muggles (now with more Harry Potter metaphors) — https://www.youtube.com/watch?v=oKgzftLmyiE • SSL: it’s hard to get right https://recompilermag.com/issues/issue-1/ssl-its- hard-to-do-right/ • Learn about networking! It will help you understand security Julia Evan’s drawings are a fun place to start: https://drawings.jvns.ca/

38. infrastructure • Silence on the Wire, by Michal Zalewski •

    Penetration Testing, by Georgia Weidman • Intro to isolating servers within a private network with iptables https://www.digitalocean.com/community/tutorials/how-to-isolate- servers-within-a-private-network-using-iptables — also look for DigitalOcean guides to ufw • Consider using a PaaS like Heroku and let them deal with your infrastructure.

39. Passwords • Hash functions taste great — Curtis Lassam https://

    www.youtube.com/watch?v=1c8K0hrglRg • Dropbox’s password entropy calculator https://github.com/ dropbox/zxcvbn • Awesome passphrases from Peerio https:// passphrases.peerio.com