Slide 1

WEB APPLICATION SECURITY
Razvan Preda

1. Introduction
2. APIs - the new Apps
3. OWASP API Security Top 10
4. Tips & Tricks
5. 5G impact on security
6. Latest news

Slide 2

WEB APPLICATION SECURITY
Security model layers vs. OSI model layers

Slide 3

WEB APPLICATION SECURITY
Human Layer

The human layer is the most vulnerable part of any IT security infrastructure: most of the cyber-attacks we see today involve some form of human error. Educate and train staff to recognise attacks and to follow good practice: phishing awareness, good password protocols, knowledge of recent scams, and so on.

Slide 4

WEB APPLICATION SECURITY
OSI - Open Systems Interconnection

Slide 5

WEB APPLICATION SECURITY
Application Layer (Layer 7)

The layer closest to the end user: it interacts directly with the software application, which in turn interacts with the user. HTTP, and therefore web applications and their APIs, sits at this layer, which is where everything that follows in this talk happens.

Slide 6

WEB APPLICATION SECURITY

Slide 7

WEB APPLICATION SECURITY
OWASP - API Security

• Improper asset management
• Broken object level authorization
• Excessive data exposure
• Broken user authentication
• Lack of resources & rate limiting
• Broken function level authorization
• Mass assignment
• Insufficient logging & monitoring
• XXE injection

The categories come from the OWASP API Security Top 10 (2019); XXE is covered here as one concrete form of that list's Injection category.

Slide 8

1. Improper asset management

A vulnerability caused by the lack of a technical overview of the deployed API assets: endpoints and API versions that nobody owns or reviews stagnate, stay reachable, and remain exploitable long after the current version has been fixed.

Slide 9

1. Improper asset management

Test the forgotten-password functionality by submitting a code-validation request to the server, then repeat it against the older API versions that are still deployed.

Slide 10

Improper asset management

HTTP Request

POST /api/v2/validate-code HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 97

{ "code": "2200" }

HTTP Response

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "message": "The supplied token is invalid", "remaining_attempts": 4 }

Slide 11

Improper asset management

HTTP Request

POST /api/v1/validate-code HTTP/1.1

HTTP Response

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "message": "The supplied token is invalid" }

The legacy v1 endpoint is still deployed, but its response carries no remaining_attempts counter, which suggests the attempt limit and lockout were only added in v2. Could v1 be vulnerable to a token brute-force attack? A 4-digit code has only 10,000 possible values, so without a lockout it can be exhausted in minutes.

Slide 12

Improper asset management

APIs tend to expose far more endpoints than traditional web applications, so accurate, up-to-date documentation of what is actually deployed is essential. To mitigate improper asset management, make sure that no outdated or legacy API versions or endpoints remain reachable in production; where an old version must stay for compatibility, it has to receive the same security fixes as the current one.

Slide 13

2. Broken object level authorization

BOLA occurs when an attacker can successfully request a data object that should be restricted to another user, typically by changing an object identifier in the request.

Slide 14

2. Broken object level authorization

Order details

Slide 15

Broken object level authorization

HTTP Request

GET /api/users/3432/orders HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 33

{ "filter": "all" }

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{
  "user": { "name": "Bob", "age": 92 },
  "orders": [
    { "id": "20038483", "name": "Test", "cost": 5.40, "status": "delivered" }
  ]
}

Slide 16

Broken object level authorization

GET /api/users/{user}/orders HTTP/1.1

- The server responds with the array of orders associated with the user named in the path.
- Additionally, the response contains personal information about that user.

What happens when the authenticated user (3432) simply changes the path parameter to another user's id?

GET /api/users/85848/orders HTTP/1.1

Slide 17

Broken object level authorization

HTTP Request

GET /api/users/85848/orders HTTP/1.1

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{
  "user": { "name": "Alice", "age": 30 },
  "orders": [
    { "id": "88187", "name": "Test 2", "cost": 10.40, "status": "delivered" }
  ]
}

Bob's session received Alice's orders and personal data: the user id in the path was trusted as-is.

Slide 18

Broken object level authorization

This is a Broken Object Level Authorization attack: a malicious user gains access to a resource belonging to another user because the server never checks that the caller is authorized for that specific object. It can occur in any application feature where an untrusted parameter value (here the user id in the path) selects a record without an authorization check tied to the authenticated identity. Note that the request was authenticated; what was missing is the authorization check on the object.

Slide 19

3. Excessive data exposure

Occurs when an API returns the whole underlying object to the client and relies on the front end to filter out what the user should not see.

Slide 20

3. Excessive data exposure

Forgotten-password functionality: submit a reset request to the server and inspect the full response, not just what the UI displays.

Slide 21

Excessive data exposure

HTTP Request

POST /api/forgot-password HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 97

{ "email": "[email protected]" }

Slide 22

Excessive data exposure

HTTP Response

HTTP/1.1 202 Accepted
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive

{
  "lastLogin": "2020-03-18T11:40:23.3",
  "resetLink": "https://test.com/account/reset-password?token=hsd6336y8w76dg2763d",
  "email": "[email protected]",
  "username": "test123"
}

Account takeover?

Slide 23

Excessive data exposure

Account takeover!

Access: https://test.com/account/reset-password?token=hsd6336y8w76dg2763d

The reset token, which should only ever have been delivered to the account owner's mailbox, was returned in the API response. By submitting the password-reset URL, the attacker loaded the reset page, changed the account credentials and hijacked the account.

Slide 24

Excessive data exposure

Mitigation: never rely on the client to filter sensitive data. Make sure each API endpoint responds only with the data that is essential for the endpoint's purpose (here, a generic acknowledgement) and does not leak anything else; define the response schema explicitly instead of serialising the whole internal object.

Slide 25

4. Broken user authentication

Broken user authentication refers to weaknesses in the authentication mechanisms of your application workflow: guessable credentials or codes, missing brute-force protection, or authentication logic that can be bypassed.

Slide 26

Broken user authentication

Password dump (website)

Slide 27

Broken user authentication

Slide 28

Broken user authentication

HTTP Request

GET /api/validate-code HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 97

{ "code": "345334" }

Slide 29

Broken user authentication

HTTP Response

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "valid": false }

A wrong code is answered with 200 OK and valid: false, with no attempts counter and no sign of a lockout.

Slide 30

Broken user authentication

GET /api/validate-code HTTP/1.1

{ "code": "3453453" }

Could this endpoint be vulnerable to a token brute-force attack? A 6-digit code has 1,000,000 combinations; without rate limiting, a lockout or a short token lifetime, an attacker can keep submitting codes until one is accepted.

Slide 31

Broken user authentication

• Understand exactly how your authentication mechanisms work; don't just blindly implement something like OAuth 2.0, which many developers implement incorrectly.
• Do not implement your own authentication mechanisms; use well-known, reviewed authentication solutions.
• All authentication endpoints (including forgot-password and code validation) should be protected by rate limiting and lockout mechanisms. These have to be stricter than on other endpoints.
• If possible, implement multi-factor authentication, such as SMS codes or authenticator apps.
• Do not use API keys for user authentication; they identify the client application, not the user.

Slide 32

5. Lack of resources & rate limiting

APIs often impose no limits on the size or number of requests a client may make. Without such limits a flood of requests (or a few very large ones) can exhaust the API's resources so that it can no longer service requests, or even fail to complete those already in progress; the same lack of limits also lets an attacker brute-force credentials, codes and identifiers at full speed.

Slide 33

5. Lack of resources & rate limiting

HTTP Request

GET /api/sign-up HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 97

{
  "name": "Bob",
  "lastName": "Tour",
  "email": "[email protected]",
  "mobile": "076584574",
  "password": "alfa",
  "city": "Sibiu"
}

Slide 34

Lack of resources & rate limiting

HTTP Response

HTTP/1.1 409 Conflict
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "error": true, "field": "mobile", "message": "The phone number already exists!" }

The above message is indicative of a user enumeration vulnerability: the application confirms that the submitted phone number is already registered, so an attacker can test numbers one by one, and nothing stops them from doing so quickly.

Slide 35

Lack of resources & rate limiting

Brute-force attack:

Try: 0683663746 ...
Try: 0684564746 ...
Try: 0768956474 registered
Try: 0684564778 ...

Slide 36

Lack of resources & rate limiting

Mitigation: implement rate limiting on the sign-up endpoint (per client IP and per account). Additionally, return a generic response message that does not reveal whether a phone number or e-mail address is already registered.
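The slides on validate-code (v1 versus v2), the forgot-password response and the sign-up enumeration all come down to the same three controls: a per-account attempt lockout, a per-client rate limit, and a response body that is identical for every failure. The following is an added example, not code from the talk: the class name AuthGuard, the limits (5 attempts, 15-minute lockout, 20 requests per 60 seconds) and the brute_force attacker loop are all assumptions chosen for the demo; no real framework is used, and enforce=False reproduces the unprotected legacy v1 behaviour.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # consecutive failed code checks per account before lockout (assumed)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed)
RATE_LIMIT = 20         # requests per client IP ...
RATE_WINDOW = 60        # ... per 60-second sliding window (assumed)

INVALID = {"message": "The supplied token is invalid"}   # same body for every failure


class AuthGuard:
    """Brute-force protection for code validation and forgot-password.

    enforce=False reproduces the unprotected legacy (v1) endpoint from the slides.
    """

    def __init__(self, enforce=True, clock=time.time):
        self.enforce = enforce
        self.clock = clock
        self._hits = defaultdict(deque)     # ip -> timestamps of recent requests
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> unix time when the lockout ends
        self.outbox = []                    # (email, token) pairs "sent" by e-mail (demo stand-in)

    def allow_request(self, ip):
        """Sliding-window limiter: at most RATE_LIMIT requests per RATE_WINDOW seconds per IP."""
        if not self.enforce:
            return True
        now = self.clock()
        window = self._hits[ip]
        while window and window[0] <= now - RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True

    def validate_code(self, ip, account, submitted, expected):
        """Return (status, body). Lockout, wrong code and unknown account all look the same."""
        if not self.allow_request(ip):
            return 429, {"message": "Too many requests"}
        now = self.clock()
        if self.enforce and self._locked_until.get(account, 0) > now:
            return 401, INVALID
        # constant-time comparison so response timing does not leak how many digits matched
        if hmac.compare_digest(str(submitted).encode(), str(expected).encode()):
            self._failures.pop(account, None)
            return 200, {"valid": True}
        if self.enforce:
            self._failures[account] += 1
            if self._failures[account] >= MAX_ATTEMPTS:
                self._locked_until[account] = now + LOCKOUT_SECONDS
                self._failures.pop(account, None)
        return 401, INVALID

    def forgot_password(self, ip, email, registered_emails):
        """Same 202 and same body whether or not the address exists (no enumeration),
        and the reset token goes to the mailbox, never into the API response."""
        if not self.allow_request(ip):
            return 429, {"message": "Too many requests"}
        if email in registered_emails:
            self.outbox.append((email, secrets.token_urlsafe(32)))
        return 202, {"message": "If the address is registered, a reset link has been sent"}


def brute_force(guard, ip, account, expected, digits=4):
    """Attacker loop: try every code in order. Returns attempts needed, or None if blocked."""
    for i in range(10 ** digits):
        status, _ = guard.validate_code(ip, account, f"{i:0{digits}d}", expected)
        if status == 200:
            return i + 1
        if status == 429:      # throttled: a real attacker would slow down or rotate IPs
            return None
    return None


if __name__ == "__main__":
    legacy = AuthGuard(enforce=False)
    print("v1 (no lockout):", brute_force(legacy, "203.0.113.7", "bob", "2200"))
    hardened = AuthGuard()
    print("v2 (lockout + rate limit):", brute_force(hardened, "203.0.113.7", "bob", "2200"))
```

Against the legacy guard the loop recovers the code 2200 on attempt 2201; against the hardened one the account locks after five failures and the client is throttled after twenty requests, so even the correct code is rejected until the lockout expires. Note that the lockout is keyed on the account and the rate limit on the IP: either alone is bypassed by rotating the other.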

Slide 37

6. Broken Function Level Authorization

Broken Function Level Authorization (BFLA) can be considered a higher-level version of BOLA: it concerns whole functions (API operations) rather than individual objects. The consequence of BFLA is that clients can invoke functionality beyond their intended access level, such as administrative operations.

Slide 38

6. Broken Function Level Authorization

GET /api/users/647 HTTP/1.1
Host: www.test.com
Referer: www.test.com
Connection: close
Content-Length: 97

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "name": "Test", "email": "[email protected]", "phone": "073535254" }

The authenticated user (647) reads their own profile.

Slide 39

Broken Function Level Authorization

GET /api/users/600 HTTP/1.1
Host: www.test.com
Referer: www.test.com
Connection: close
Content-Length: 97

HTTP/1.1 403 Forbidden
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60
Connection: close

Reading another user's profile is correctly refused: the GET operation has an object-level check.

Slide 40

Broken Function Level Authorization

GET /api/users/600 HTTP/1.1 is forbidden. What about a different HTTP method on the same resource?

DELETE /api/users/600 HTTP/1.1

Slide 41

Broken Function Level Authorization

DELETE /api/users/600 HTTP/1.1
Host: www.test.com
Referer: www.test.com
Connection: close
Content-Length: 97

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

{ "status": "success", "message": "User [email protected] has been deleted" }

The read was blocked, but the DELETE function, an administrative operation, had no authorization check at all: a regular user deleted another user's account.

Slide 42

Broken Function Level Authorization

Mitigation: enforce authentication and authorization checks for every API endpoint and every HTTP method on it, denying by default, even for operations that are "hidden" from the user interface. Authorization must be tied to the function (role or permission) as well as to the object (ownership).

Slide 43

7. Mass Assignment

A malicious user modifies properties on a data object that they are not supposed to control, gaining unauthorized access or corrupting data as a result. Starting point: the password-reset link

https://mail.com/reset-password?token=bc13-dc8a-80ee-be4837fb948e

Slide 44

Mass Assignment

HTTP Request

POST /api/reset-password HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 33

{ "password": "password123", "isAdmin": "false" }

The request body mirrors the server-side user object, including an isAdmin property that the reset form has no business sending.

Slide 45

Mass Assignment

HTTP Request

POST /api/reset-password HTTP/1.1
Host: www.test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Referer: www.test.com
Connection: close
Content-Length: 33

{ "password": "password123", "isAdmin": "true" }

HTTP Response

HTTP/1.1 202 Accepted
Content-Type: application/json
Transfer-Encoding: chunked
Keep-Alive: timeout=60

The API bound the whole JSON body onto the user model without an allow-list of writable fields, so the attacker promoted themselves to administrator while resetting their password.

Slide 46

Mass Assignment

Mitigation: the properties (and their types) that each request may set should be explicitly defined at design time. Bind only those fields to the model and reject everything else; fields such as isAdmin, role or balance must never be client-writable.

Slide 47

8. Insufficient Logging & Monitoring

curl --header "Private-Token: t_zPRYZ4pMRQXyznF72g" https://www.blog.com/api/v4/projects

An API call authenticated with a personal access token. If such calls are not logged with who made them, from where, and with what outcome, abuse of a leaked token cannot be detected or reconstructed afterwards.

Slide 48

8. Insufficient Logging & Monitoring

Slide 49

8. Insufficient Logging & Monitoring

Mitigation

1. Log logins, access-control failures and server-side input-validation failures with enough context (at least timestamp, method, URI and client IP, plus the user where known) to identify suspicious or malicious accounts, and retain the logs long enough to allow analysis.
2. Ensure logs are generated in a format that can be easily consumed by centralised log-management solutions.
3. Establish effective monitoring and alerting so that suspicious activity is detected and responded to in a timely fashion.

Slide 50

9. XXE injection

XML external entity injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It typically lets the attacker read files on the application server and, through entities that point at URLs, interact with back-end or external systems that the application itself can reach.

Slide 51

XXE injection

Slide 52

XXE injection

The request normally carries the product ID 381 in an XML element. The attacker declares an external entity pointing at /etc/passwd and puts the entity reference in place of the value (the XML tags were lost in this transcript; they are restored here from the surviving entity reference and the response, and the element name is inferred from the error message):

<!DOCTYPE foo [ <!ENTITY somefile SYSTEM "file:///etc/passwd"> ]>
<productId>&somefile;</productId>

The application expands the entity and echoes the value back in its error message:

Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

Slide 53

XXE injection

Slide 54

XXE injection

Mitigation

Configure your XML parsers to disable the processing of XML external entities (XXE) and Document Type Definitions (DTDs) when parsing XML documents. If DTDs cannot be completely disabled, disable the resolution of external general entities and external parameter entities when parsing untrusted XML.

PHP: libxml_disable_entity_loader(true) is deprecated as of PHP 8.0, because external entity loading has been disabled by default since libxml2 2.9; on older stacks call it before parsing untrusted input. Also avoid echoing the parsed values back in error messages, which is the channel the attacker read /etc/passwd through above.

Slide 55

Tips & Tricks

Build your application with a zero-trust strategy in mind: never trust, always verify.

⁃ filter input and escape output
⁃ always use prepared statements when interacting with the database
⁃ add rate limiting or a CAPTCHA where necessary
⁃ always validate data in the backend
⁃ use strong authentication, access control and role management
⁃ keep your packages, system and libraries up to date
⁃ implement a proper logging mechanism
⁃ build proper exception management (no stack traces or internal details to the client)
⁃ encrypt everything in transit (TLS) to avoid MITM
⁃ rotate or clear your log files regularly so a full disk cannot hang the database or the app
⁃ set a maximum request size, a maximum file-upload size and a request timeout
⁃ keep filesystem limits in mind when storing uploads: ext3 allows only about 32,000 sub-directories per directory (64,000 on ext4), and huge flat directories get slow, so spread files over a directory tree
⁃ block traffic from unwanted geographical regions, data centres and Tor relay nodes
⁃ remove fingerprinting headers (X-Powered-By, Server) and add security headers (Strict-Transport-Security, X-Content-Type-Options)
⁃ reduce the risk of exposing API definitions, documentation and sensitive data through untrusted tools

Slide 56

Tips & Tricks

Implement a cybersecurity strategy

Unfortunately, there is not yet a way to make any web technology completely invulnerable to attackers and cybercrime. Attacks evolve every day, so security measures have to be improved and extended continuously. The web security landscape is changing constantly: never stop learning, and be proactive.

Slide 57

5G impact on security

Slide 58

Latest news

Local Police website hacked by a teenager with four years of schooling (original Romanian headline: "Site-ul Poliției Locale, spart de un adolescent cu patru clase.")

Slide 59

Latest news

The website of the Ploiești Local Police, hacked by a teenager with four years of schooling.

Slide 60

Latest news

Local Police website hacked by a teenager with four years of schooling.

Review webpage content for information leakage: HTML comments, metadata and exposed files routinely reveal the CMS, component versions and internal paths that make an attack like this one trivial (the OWASP Web Security Testing Guide has a test of this name).

Slide 61

WEB APPLICATION SECURITY

Don't be scared by a developer who thinks like a hacker; be scared by a hacker who thinks like a developer!

Thank you!
Razvan Preda