Slide 1

PENTESTING FOR DEVELOPERS
Chris Cornutt - Sunshine PHP 2019
For setup: http://signup.capturetf.com

Slide 3

We’ll Cover…
• The most common issues in web application security
• The top vulnerability types
• Tools and techniques
…and then the really fun stuff

Slide 4

What this is not
• A step-by-step guide into fixing the issues we find
• A comprehensive listing of everything to test
• An assurance that your application is completely secure

Slide 5

Setup Time
Do you have your environment yet?
http://signup.capturetf.com

Slide 6

Cross-Site Scripting

Slide 7

Cross-Site Scripting (XSS)
• Injection attack
• User-supplied content used without validation, filtering or escaping
• Different contexts: HTML, HTML attributes, Javascript, CSS, XML…

Slide 8

Cross-Site Scripting (XSS)
http://mycoolsite.com?user=user1
http://mycoolsite.com?user=alert(1)
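The slide shows the same user parameter once as a name and once as script. The example below is an added illustration, not code from the talk: it renders a user value in three output contexts, first unescaped and then with the encoder that matches each context. The page fragments and function names are hypothetical; htmlspecialchars() and json_encode() are PHP's own functions, and the input string is constructed.

```php
<?php
// Added example (not from the slides): the "user" parameter from the URL above
// rendered in three output contexts. The page fragments and function names are
// hypothetical; htmlspecialchars() and json_encode() are PHP's own.

// Constructed input standing in for $_GET['user'].
$user = '<script>alert(1)</script>';

// Vulnerable: the raw parameter is dropped straight into the HTML body, so any
// markup it contains is parsed by the browser.
function renderUnsafe(string $user): string
{
    return "<p>Hello, $user</p>";
}

// HTML body and attribute context: encode & < > " ' so the value is text only.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $user): string
{
    $e = escapeHtml($user);
    // The same encoding also holds inside a double-quoted attribute because
    // ENT_QUOTES encodes both quote characters.
    return "<p>Hello, $e</p>\n<input type=\"text\" name=\"user\" value=\"$e\">";
}

// JavaScript context needs a different encoder. json_encode() with the HEX
// flags emits a JS string literal whose < > & ' " are \u-escaped, so the value
// cannot close the <script> element or break out of the literal.
function renderInScript(string $user): string
{
    $js = json_encode($user, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var user = $js;</script>";
}

echo renderUnsafe($user), "\n";    // markup reaches the browser unchanged
echo renderSafe($user), "\n";      // markup arrives as entities, displayed as text
echo renderInScript($user), "\n";  // a plain string literal inside the script
```

The point the slide makes about contexts is why there are two encoders here rather than one: an HTML entity encoder does nothing useful inside a script block, and a JSON encoder does nothing useful inside an attribute. CSS and URL contexts each need their own encoder again, which is where a templating engine with context-aware escaping earns its keep.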

Slide 9

Direct Object Reference

Slide 10

Direct Object Reference
• “Security through obscurity”
• Magic URLs
• Inadequate authentication/authorization protection
http://mycoolsite.com/user/view/1
http://mycoolsite.com/admin
http://mycoolsite.com/debug
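What the three URLs on the slide have in common is that the path alone is doing the access control. The following is an added example, not code from the talk: an ownership check for a /user/view/{id} style route and a role gate for paths such as /admin and /debug. The Profile class, the PROFILES records and the role list are constructed stand-ins for real storage and session data.

```php
<?php
// Added example (not from the slides): authorization checks for the
// /user/view/{id}, /admin and /debug style URLs above. The Profile class, the
// PROFILES array and the role list are constructed stand-ins for real storage.

final class Profile
{
    public $id;
    public $ownerId;
    public $email;

    public function __construct(int $id, int $ownerId, string $email)
    {
        $this->id = $id;
        $this->ownerId = $ownerId;
        $this->email = $email;
    }
}

// Constructed records: profile 1 belongs to user 1, profile 2 to user 2.
const PROFILES = [
    1 => [1, 'alice@example.test'],
    2 => [2, 'bob@example.test'],
];

function loadProfile(int $id): ?Profile
{
    if (!isset(PROFILES[$id])) {
        return null;
    }
    return new Profile($id, PROFILES[$id][0], PROFILES[$id][1]);
}

// Vulnerable: being logged in is the only requirement, so any user can walk
// /user/view/1, /user/view/2, ... and read every record.
function viewProfileUnsafe(int $requestedId): ?Profile
{
    return loadProfile($requestedId);
}

// Fixed: the record must belong to the caller unless the caller is an admin.
// Missing and forbidden ids get the same result so the response does not
// confirm which ids exist.
function viewProfile(int $requestedId, int $currentUserId, array $roles): ?Profile
{
    $profile = loadProfile($requestedId);
    if ($profile === null) {
        return null;
    }
    if ($profile->ownerId !== $currentUserId && !in_array('admin', $roles, true)) {
        return null;
    }
    return $profile;
}

// "Magic" paths such as /admin or /debug are not protected by being unlinked;
// gate them with a role check that runs on every request, before the handler.
function routeAllowed(string $path, array $roles): bool
{
    $restricted = ['/admin' => 'admin', '/debug' => 'admin'];
    foreach ($restricted as $prefix => $role) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return in_array($role, $roles, true);
        }
    }
    return true;
}

// User 2 requesting user 1's record, then user 1 requesting their own.
var_dump(viewProfileUnsafe(1) !== null);
var_dump(viewProfile(1, 2, ['user']) !== null);
var_dump(viewProfile(1, 1, ['user']) !== null);

// The debug path with and without the admin role.
var_dump(routeAllowed('/debug', ['user']));
var_dump(routeAllowed('/debug', ['admin']));
```

The check lives in the handler that loads the record, not in the router, so it cannot be skipped by reaching the same data through a different URL. Returning the same "not found" for a foreign id as for a missing one keeps the id space from being enumerated through the error messages.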

Slide 11

Poor Auth Practices

Slide 12

Poor Auth Practices
• User-controllable functionality
• Not universally enforced
• Plain-text credentials
• Poor password policies/reset handling
• Federation vs Local
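Two of the bullets, plain-text credentials and reset handling, come down to what is written to the database. The following is an added example, not code from the talk: credentials stored as password hashes, a login that does not leak which usernames exist, and a reset token that is random, short-lived, single-use and stored only as a hash. The $users and $resets arrays are constructed in-memory stand-ins for a database; password_hash(), password_verify(), random_bytes() and hash_equals() are PHP's own functions.

```php
<?php
// Added example (not from the slides): credentials stored as password hashes
// and a reset flow whose token is single-use, short-lived and stored only as
// a hash. $users and $resets are constructed in-memory arrays standing in for
// a database; password_hash(), random_bytes() and hash_equals() are PHP's own.

function registerUser(array &$users, string $username, string $password): void
{
    // A minimal policy check; real policies also screen against known-breached
    // passwords rather than demanding character classes.
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }
    // password_hash() generates a salt and uses a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT today), so the plain text is never stored.
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function login(array $users, string $username, string $password): bool
{
    // Verify against a stand-in hash when the user is unknown so the response
    // time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $hash = $users[$username]['hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$username]);
}

function issueResetToken(array &$resets, string $username): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $resets[$username] = [
        'hash'    => hash('sha256', $token),   // a leaked table yields no usable tokens
        'expires' => time() + 15 * 60,         // 15 minute lifetime
    ];
    return $token;                             // delivered to the user out of band
}

function redeemResetToken(array &$resets, array &$users, string $username, string $token, string $newPassword): bool
{
    $record = $resets[$username] ?? null;
    if ($record === null || $record['expires'] < time() || !isset($users[$username])) {
        return false;
    }
    if (!hash_equals($record['hash'], hash('sha256', $token))) {
        return false;                          // constant-time comparison
    }
    unset($resets[$username]);                 // single use
    $users[$username]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

$users = [];
$resets = [];
registerUser($users, 'ccornutt', 'correct horse battery staple');

// Right password, wrong password, unknown user.
var_dump(login($users, 'ccornutt', 'correct horse battery staple'));
var_dump(login($users, 'ccornutt', 'wrong password here'));
var_dump(login($users, 'nobody', 'wrong password here'));

// Wrong token, right token, then the same token a second time.
$token = issueResetToken($resets, 'ccornutt');
var_dump(redeemResetToken($resets, $users, 'ccornutt', 'not-the-token', 'a brand new password'));
var_dump(redeemResetToken($resets, $users, 'ccornutt', $token, 'a brand new password'));
var_dump(redeemResetToken($resets, $users, 'ccornutt', $token, 'yet another password'));
var_dump(login($users, 'ccornutt', 'a brand new password'));
```

The "not universally enforced" bullet is the one this code cannot fix on its own: the check has to run on every route that touches the account, which is a framework-level concern (middleware or a base controller), not something each handler should remember to call.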

Slide 13

SQL Injection

Slide 14

SQL Injection
• Bypass controls to execute arbitrary SQL
• Usually caused by string concatenation
• Prepared statements/bound parameters

Slide 15

SQL Injection
$sql = 'select * from users where username = "foo" and password = "' . $password . '"';
$password = 'ccornutt';
$password = '"" or 1=1;';
select * from users where username = "foo" and password = "" or 1=1;
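The slide's query with the previous slide's fix applied. This is an added example, not code from the talk: the concatenated version is kept only as a string builder so the effect of each input is visible, and the prepared-statement version is executed against a users table constructed in an in-memory SQLite database. PDO is PHP's real database extension; the table, its single row and the injected value are constructed.

```php
<?php
// Added example (not from the slides): the login query from the slide, first
// as the concatenated string and then as a PDO prepared statement. The users
// table and its one row are constructed in an in-memory SQLite database so
// the file runs on its own; PDO is the real PHP extension.

// Vulnerable: builds the query text by concatenation, exactly as on the slide.
// Returned as a string here so the effect of each input can be printed.
function buildQueryUnsafe(string $password): string
{
    return 'select * from users where username = "foo" and password = "' . $password . '"';
}

// Fixed: the SQL text never changes. The value is sent separately and can only
// ever be compared as data, whatever characters it contains.
function findUser(PDO $pdo, string $password): array
{
    $stmt = $pdo->prepare(
        'SELECT username FROM users WHERE username = :username AND password = :password'
    );
    $stmt->execute([':username' => 'foo', ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and row. The slide stores the password in clear text;
// a real table would hold a password hash and compare with password_verify().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('foo', 'ccornutt')");

$legit    = 'ccornutt';
$injected = '" or 1=1';   // constructed value in the spirit of the slide

// With concatenation the quote in the second value ends the string literal
// and the remainder of the value becomes part of the SQL.
echo buildQueryUnsafe($legit), "\n";
echo buildQueryUnsafe($injected), "\n";

// With a bound parameter the second value is simply a password nobody has.
echo count(findUser($pdo, $legit)), " row(s) for the real password\n";
echo count(findUser($pdo, $injected)), " row(s) for the injected value\n";
```

Binding only works for values. Table and column names, ORDER BY directions and LIMIT counts cannot be parameters, so anything user-controlled in those positions has to be checked against an allow-list before it is placed into the query text.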

Slide 16

Information Exposure

Slide 17

Information Exposure
• Exposing sensitive information publicly
• Error messages
• Unprotected directories or files in the document root
• Public-facing files considered “secret”

Slide 18

Let’s get hacking… uh, I mean, testing!

Slide 19

Challenge #1

Slide 20

Challenge #1 Hints
Hidden data
Authorization
Encryption

Slide 21

Challenge #2

Slide 22

Challenge #2 Hints
Public Information
Poor Auth Handling
Obscurity

Slide 23

Challenge #3

Slide 24

Challenge #3 Hints
Filter User input

Slide 25

Challenge #4

Slide 26

Challenge #4 Hints
Poor Authentication Handling
Default credentials

Slide 27

Challenge #5

Slide 28

Challenge #5 Hints
User Input
Serialization

Slide 29

Challenge #6

Slide 30

Challenge #6 Hints
User Input
SQL Injection

Slide 31

Challenge #7

Slide 33

Thanks!
@enygma
@securingphp
https://websec.io
[email protected]