Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ermahgerd Werb Verlns

lanmaster53
November 16, 2016
0
210

Ermahgerd Werb Verlns

lanmaster53

November 16, 2016
Tweet

More Decks by lanmaster53

See All by lanmaster53
Rapid Recon for Red Teams
lanmaster53
1
320
OSINT for AppSec: Recon-ng and Beyond
lanmaster53
0
470
Look Ma, No Exploits! - The Recon-ng Framework
lanmaster53
0
350

Featured

See All Featured
Thoughts on Productivity
jonyablonski
55
3k
For a Future-Friendly Web
brad_frost
168
8.2k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.2k
Raft: Consensus for Rubyists
vanstee
130
5.9k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
Being A Developer After 40
akosma
52
580k
How GitHub (no longer) Works
holman
299
140k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Into the Great Unknown - MozCon
thekraken
7
600
Learning to Love Humans: Emotional Interface Design
aarron
265
38k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k

Transcript

  1. View Slide

  2. Husband, Father and Veteran
    A hacker serving people by
    working,
    coding,
    teaching,
    and sharing,
    for the glory of God.
    Tim Tomes

    View Slide

  3. Ermahgerd, Werb Verlns
    [omg, web vulnerabilities]
    1: Common, easily discovered weaknesses
    that reduce a web application's information
    assurance.

    View Slide

  4. View Slide

  5. Transport Layer Security (TLS)
    • The "S" in HTTPS.
    • Prevents eavesdropping and tampering attacks
    by providing end-to-end encryption.
    • Uses long-term asymmetric encryption to
    establish short-term symmetric encryption.
    • Standards change at the pace of technology.
    • Testing this is actually hard, so use...
    – https://www.ssllabs.com/ssltest/

    View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. Response Headers
    • Provide the browser with information.
    – Often as behavioral instructions.
    • Good headers (when configured properly):
    – X-Frame-Options: DENY
    – Strict-Transport-Security: max-age=31536000;
    includeSubDomains; preload
    – X-XSS-Protection: 1; mode=block
    – Content-Security-Policy: default-src 'self';
    – Cache-Control: private, no-cache, no-store, max-
    age=0

    View Slide

  10. Response Headers
    • Bad headers:
    – Server:
    – X-Powered-By:
    – X-AspNet-Version:
    – X-AspNetMvc-Version:
    • Adding and removing headers requires minimal
    engineering.
    • Validate with https://securityheaders.io/.

    View Slide

  11. View Slide

  12. View Slide

  13. Cookie Flags
    • Flags that instruct the browser how to treat the
    domain's cookies.
    • Secure
    – Restrict the cookie to TLS encrypted connections.
    • HttpOnly
    – Prevent JavaScript from accessing the cookie.
    • Never a good reason not to use these.
    • Minor configuration change or minimal code.

    View Slide

  14. View Slide

  15. View Slide

  16. User Enumeration
    • The ability to enumerate user information
    through variable responses from requests using
    valid and invalid information.
    • Response variations include error messages,
    lockouts, query string parameters, spacing,
    timing, anything really.
    • Can exist anywhere the application formulates
    a response based on user-specific information.
    – Login, account recovery, registration, messaging,
    etc.
    • Be consistent.
    – Not always easy to do.

    View Slide

  17. View Slide

  18. Insecure Direct Object Reference (IDOR)
    • The ability to access information belonging to
    other users by tampering with direct object
    references.
    • Not always an integer.
    – GUIDs, encoded DORs, etc.
    – Almost always indicates an IDOR issue.
    • One of the most common and easily
    exploitable flaws, yet impossible for scanners to
    find.
    • Check ownership of the referenced object.

    View Slide

  19. View Slide

  20. Missing Function Level Access Control
    • The ability to access higher privilege
    functionality by force browsing to obscured
    resources.
    • Access controls in the view must match the
    access controls on the controller.
    • Another common and easily exploitable flaw
    that is impossible for scanners to find.
    • Check the permission level of the requested
    resource.

    View Slide

  21. View Slide

  22. View Slide

  23. Password Security
    • An application should NEVER be able to tell a
    user their password.
    • Encoding != Encryption != Hashing
    • Key management for encryption is hard.
    – Access to the cipher usually means access to the
    key.
    • Not all hashing algorithms are created equal.
    – Fast hashing vs. Adaptive hashing
    • Design storage systems assuming eventual
    compromise.

    View Slide

  24. Summary
    • TLS - https://www.ssllabs.com/ssltest/
    • Response Headers - https://securityheaders.io/
    • Cookie Flags - Developer tools.
    • User Enumeration - Check known goods vs.
    known bads.
    • Insecure Direct Object Reference - Change the
    DORs.
    • Missing Function Level Access Control - Force
    browse.
    • Password Security - Look for evidence.

    View Slide

  25. Tim Tomes
    @lanmaster53
    [email protected]
    http://www.lanmaster53.com
    https://nvisium.com

    View Slide