
Ermahgerd Werb Verlns

November 16, 2016

  2. Husband, Father and Veteran
    A hacker serving people by
    and sharing,
    for the glory of God.
    Tim Tomes

  3. Ermahgerd, Werb Verlns
    [omg, web vulnerabilities]
    1: Common, easily discovered weaknesses that reduce a web application's information

  5. Transport Layer Security (TLS)
    • The "S" in HTTPS.
    • Prevents eavesdropping and tampering attacks by providing end-to-end encryption.
    • Uses long-term asymmetric encryption to establish short-term symmetric encryption.
    • Standards change at the pace of technology.
    • Testing this is actually hard, so use...
    – https://www.ssllabs.com/ssltest/

  9. Response Headers
    • Provide the browser with information.
    – Often as behavioral instructions.
    • Good headers (when configured properly):
    – X-Frame-Options: DENY
    – Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    – X-XSS-Protection: 1; mode=block
    – Content-Security-Policy: default-src 'self';
    – Cache-Control: private, no-cache, no-store, max-

  10. Response Headers
    • Bad headers:
    – Server:
    – X-Powered-By:
    – X-AspNet-Version:
    – X-AspNetMvc-Version:
    • Adding and removing headers requires minimal
    • Validate with https://securityheaders.io/.

  13. Cookie Flags
    • Flags that instruct the browser how to treat the domain's cookies.
    • Secure
    – Restrict the cookie to TLS encrypted connections.
    • HttpOnly
    – Prevent JavaScript from accessing the cookie.
    • Never a good reason not to use these.
    • Minor configuration change or minimal code.

  16. User Enumeration
    • The ability to enumerate user information through variable responses from requests using valid and invalid information.
    • Response variations include error messages, lockouts, query string parameters, spacing, timing, anything really.
    • Can exist anywhere the application formulates a response based on user-specific information.
    – Login, account recovery, registration, messaging,
    • Be consistent.
    – Not always easy to do.

  18. Insecure Direct Object Reference (IDOR)
    • The ability to access information belonging to other users by tampering with direct object
    • Not always an integer.
    – GUIDs, encoded DORs, etc.
    – Almost always indicates an IDOR issue.
    • One of the most common and easily exploitable flaws, yet impossible for scanners to
    • Check ownership of the referenced object.

  20. Missing Function Level Access Control
    • The ability to access higher privilege functionality by force browsing to obscured
    • Access controls in the view must match the access controls on the controller.
    • Another common and easily exploitable flaw that is impossible for scanners to find.
    • Check the permission level of the requested
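
    Added here as an illustration, not code from the talk, of the two checks the IDOR and Missing Function Level Access Control slides call for: an in-memory invoice store with constructed sample data, the vulnerable lookup beside the ownership-checked one, and a role check enforced on the controller rather than hidden in the view. The `User`, `INVOICES`, `Forbidden` and `require_role` names are assumptions for this example; the hardened lookup also answers "missing" and "not yours" identically, which is the consistency the user-enumeration slide asks for.

```python
# Added example (not from the deck): object-level and function-level
# authorization checks on a constructed in-memory invoice store.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str  # "user" or "admin" (assumed role names)


# Constructed sample data: invoices keyed by a plain integer direct object reference.
INVOICES = {
    101: {"owner_id": 1, "total": 42.00},
    102: {"owner_id": 2, "total": 99.00},
}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def get_invoice_idor(current: User, invoice_id: int) -> dict:
    """Vulnerable: trusts the client-supplied reference, so any logged-in user
    can read any invoice by changing the id (the IDOR the slide describes)."""
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> dict:
    """Hardened: look the object up, then verify the requester owns it.
    Missing and not-owned ids raise the same error so the response does not
    reveal whether the id exists (consistent responses, no enumeration)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != current.id:
        raise Forbidden("invoice not available")
    return invoice


def require_role(role: str):
    """Decorator enforcing function-level access control on the handler itself,
    so an obscured link in the view is never the only barrier."""
    def wrap(fn):
        def guarded(current: User, *args, **kwargs):
            if current.role != role:
                raise Forbidden("insufficient privilege")
            return fn(current, *args, **kwargs)
        return guarded
    return wrap


@require_role("admin")
def delete_invoice(current: User, invoice_id: int) -> bool:
    """Privileged operation: only reachable by admins regardless of what the UI shows."""
    return INVOICES.pop(invoice_id, None) is not None
```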

  23. Password Security
    • An application should NEVER be able to tell a user their password.
    • Encoding != Encryption != Hashing
    • Key management for encryption is hard.
    – Access to the cipher usually means access to the
    • Not all hashing algorithms are created equal.
    – Fast hashing vs. Adaptive hashing
    • Design storage systems assuming eventual

  24. Summary
    • TLS - https://www.ssllabs.com/ssltest/
    • Response Headers - https://securityheaders.io/
    • Cookie Flags - Developer tools.
    • User Enumeration - Check known goods vs. known bads.
    • Insecure Direct Object Reference - Change the
    • Missing Function Level Access Control - Force
    • Password Security - Look for evidence.

  25. Tim Tomes
    [email protected]