SQL injection
A SQL injection is an attack in which the attacker executes arbitrary SQL
commands on an application’s database by supplying malicious resource
inserted into a SQL into a SQL statement.
So SQL injection can lead to sensitive data leaks, authentication bypass,
tampering of the database, and remote code execution (following
different contexts).
Slide 7
Slide 7 text
SQL injection
Error based context…
1) SELECT email FROM neiluser WHERE login = ''; DELETE FROM
users WHERE '1'='1';
2) Now, all the user entries will be wiped off your database!
Upload web shell…
' UNION SELECT "" INTO OUTFILE
"/var/www/html/shell.php"
Slide 8
Slide 8 text
SQL injection
Error based context…
Slide 9
Slide 9 text
SQL injection – Django Framework tips
The countermeasure against an SQL injection is simple. My suggestion is using
the Django ORM rather than crafting SQL statements by hand. The preceding
example should be implemented as follows:
User.objects.get(account_name=name_input).email
At this point of code, Django's database drivers will automatically escape the
parameters. There could be instances where developers would need to resort to raw
SQL, say, due to limitations of the Django ORM. For example, the where clause of the
extra() or RawSQL() method of a QuerySet allows raw SQL. This SQL code will not be
escaped against SQL injections(it's not reliable).
If you are using the low-level ORM resource, such as the execute() method, then you
might want to pass bind parameters instead of interpolating the SQL string yourself.
It's strongly recommended that you check whether each user input has been
properly escaped.
Slide 10
Slide 10 text
SQL injection
Django example raw(),RawSQL:
Like a terror
movie...
IDOR - Insecure Direct Object
References
IDOR is a type of bug present in almost every application. They happen when the
application grants direct access to a resource based on the user’s input, without
validation.
IDOR vulnerabilities’ impact depends of context:
* Account takeover, Access very important data such as wallet address, credit card.
* Change another users’ public data, access private or public important data (such as
tickets, invoice, payment information, user address)
* Access or delete or change any private data (personal info: name, adress etc.)
* Access any data without proper permissions
Slide 17
Slide 17 text
IDOR - Insecure Direct Object
References
* Account takeover, Access very important data (such as credit card)
# Example:
POST /user/update/credentials
login=admin&pass=4321&id=3 (body of request)
If the attacker creates an automated process to brute user UID, into
vulnerability context, the system can setup each password of another user to
"4321".
Slide 18
Slide 18 text
IDOR - Insecure Direct Object
References
Account takeover, Access very important data (such as credit card)
POST /user/update/credentials
login=admin&pass=4321&id=3 (body of request)
If the attacker creates an automated process to brute user UID, into
vulnerability context, the system can setup each password of another user to
"4321".
BIZARRE BUG !!!!!
Slide 19
Slide 19 text
IDOR - Insecure Direct Object
References
POST /user/update/credentials/3
login=admin&pass=4321(body of request)
Like a terror
movie...
Slide 20
Slide 20 text
IDOR - Insecure Direct Object
References
POST /user/update/credentials/3
login=admin&pass=4321(body of request)
Like a terror
movie...
Slide 21
Slide 21 text
IDOR - Insecure Direct Object
References
Simple suggestion for mitigation in Django 3 framework context...
Proper
validation!!!
Slide 22
Slide 22 text
IDOR - Insecure Direct Object
References
Simple suggestion for mitigation in Django 3 framework context...
Proper
validation!!!
Slide 23
Slide 23 text
IDOR - Insecure Direct Object
References
Every resource for CRUD context needs a properly understood validation.
https://cwe.mitre.org/data/definitions/639.html
Delete user example:
Authorization: Bearer mytoken123
GET /user/delete/101
Slide 24
Slide 24 text
Nightmare like Hp
lovecraft books...
Slide 25
Slide 25 text
IDOR - Insecure Direct Object
References
Delete user example(golang+gin framework):
GET /user/delete/101
Authorization: Bearer mytoken123
Like a terror
movie...
Slide 26
Slide 26 text
IDOR - Insecure Direct Object
References
Delete user example(golang+gin framework):
GET /user/delete/101
Authorization: Bearer mytoken123
Like a terror
movie...
Slide 27
Slide 27 text
IDOR - Insecure Direct Object
References
Mitigation for delete user example(golang+gin framework):
Proper
validation!!!
Simple suggestion for mitigation in golang with gin framework context...
Slide 28
Slide 28 text
IDOR - Insecure Direct Object
References
Mitigation for delete user example(golang+gin framework):
Proper
validation!!!
Simple suggestion for mitigation in golang with gin framework context...
Slide 29
Slide 29 text
Other
contexts
Imagine...
Into another hand...
delete all wallets !!!
all bank accounts!!!
critical!!!
Race conditions
A race condition happens when two sections of code that are designed to be
executed in a sequence get executed out of sequence. Following computer
science, concurrency is the ability to execute different parts of a program
simultaneously without affecting the outcome of the program.
Slide 32
Slide 32 text
Race conditions
So concurrency can drastically improve the performance of programs because
different parts of the program’s operation can be run at once. It’s common to
see concurrency has two types multiprocessing and multithreading, so you can
use in POSIX threads resources with mutex locks and semaphores. Still, you can
see different courses to solve problems with different stuff, external devices like
GPU something using OpenCL/Cuda resources, clusters like shared systems like
OpenMPI.
But for the sake of the simple, we into this presenter gonna following web
approach. if a race condition is found on a critical functionality like cash
withdrawal, wallet transfer, or credit card payment, the vulnerability could lead
to infinite financial gain for the attacker.
Prevent race conditions
The key to prevent race conditions is using mechanisms that ensure
threads using the same resources don’t execute simultaneously, most
programming languages that have concurrency abilities also have some
sort of synchronization functionality built in.
Django framework context for update into database without following
race condition :
Other contexts Celery, RabbitMQ. . . here exist a world of alternatives to fix a
possible race condition.
Slide 41
Slide 41 text
The practice of creating a
rate-limiting following Mitre
Remote code execution “RCE”
Code injection vulnerabilities happen when applications
allow user input to be concatenated with executable code.
Sometimes this happens unintentionally when applications
pass unsanitized data into executed code; because this fact is
bad practice, use functions like popen(), system(), execv(),
eval() or functions of resources following the same purpose
to execute the command directly in the operational system.
Example:
Like a terror
movie...
Slide 46
Slide 46 text
Remote code execution “RCE”
Code injection vulnerabilities happen when applications
allow user input to be concatenated with executable code.
Sometimes this happens unintentionally when applications
pass unsanitized data into executed code; because this fact is
bad practice, use functions like popen(), system(), execv(),
eval() or functions of resources following the same purpose
to execute the command directly in the operational system.
Example:
Like a terror
movie...
Slide 47
Slide 47 text
Remote code execution “RCE”
Code injection vulnerabilities happen when applications allow user input to be concatenated with
executable code.
Example attack:
Like a terror
movie...
Slide 48
Slide 48 text
Remote code execution “RCE”
Code injection vulnerabilities happen when applications allow user
input to be concatenated with executable code.
Example attack:
Like a terror
movie...
Slide 49
Slide 49 text
Remote code execution “RCE”
Code injection vulnerabilities happen when applications allow user
input to be concatenated with executable code.
Example attack:
Like a terror
movie...
Insufficient Precision or Accuracy
When a security decision or calculation requires highly precise, accurate
numbers, some resource such as financial calculations or prices, then
small variations in the number could be exploited by an attacker.
Resources that anyone needs to pay attention to in a finance context.
1) Rounding
2) Truncation
3) Integer overflow
4)Integer underflow
Slide 53
Slide 53 text
Big traps in rounds
Python example:
Result: “5.4“, “5.3” and “5.4”
Slide 54
Slide 54 text
Big traps in rounds
Python example:
Result: “1.11”, “1.10”
Slide 55
Slide 55 text
Gain 0.00000001 btc per request
Critical!!!
Slide 56
Slide 56 text
Mitigation for rounding pitfalls
Remember, always use the proper validation for each
context type. If you need to round up any context,
study the real necessity and create a function to list
anomalies. And then always discard the input context
that causes mistakes in rounding.
Always looking for database schema before making any
action around arithmetic, sometimes have a type of
data with auto rounding in a database context when
having any DML command such INSERT/UPDATE. It's
essential to write documentation about this points and
always test the precision of retrieved data from the
database, watching if return proper accuracy without
pitfalls in rounding.
XSS – cross-site scripting
XSS vulnerability occurs when attackers can execute custom scripts on a victim’s
browser, when user input doesn't have a proper validation to remove malicious code. If
an application fails to distinguish between user input and the legitimate code that
makes up a web page, attackers can inject their own code into pages viewed by other
users.
The victim’s browser will execute the malicious script, which might leak personal
information, steal cookies, change site contents(phishing when replacing original
forms), or redirect the user to a malicious site.
1) Render web resources (Any UI resource can be mobile software)
2) Template resources
3) Views
Slide 59
Slide 59 text
XSS – cross-site scripting
Attack to steal cookies :
Slide 60
Slide 60 text
XSS cross-site scripting – Django tips
Django example:
Looking to the default, Django templates auto-escape HTML special characters.
So, if you had displayed the search string in a template, all the tags would have
been HTML encoded. This makes it impossible to inject scripts unless you
explicitly turn them off by marking the content as safe.
Like a terror
movie...
The best practices for cybersecurity
1) Always use TLS in all communications.
2) Always use authentication in each service.
3) Always choose secure cryptography algorithm following important sources like
NIST, Mitre and OWASP(such AES 256GCM, chacha).
4) When working with the HTTP context, never send any secret data using GET
params(it's not reliable).
5) When working with ENV variables, always choose to work with a proper secure
vault to hide all data, maybe using GCP Vault, AWS resource for the vault(never
save a secret key in raw local file).
Slide 67
Slide 67 text
The best practices for cybersecurity
1) When working with databases, always use prepared
statements when working with user inputs (prevent SQL
injection, but sometimes it is not sufficient in many ORM
use contexts such as java's Hibernate).
2) Always choose a proper validation for user input.
3) Always use HTTP hardening headers when working with
HTTP context.
4) Into upload context, always validate the mime type,
content weight, extension of the file, and data content (if
you have proper content without anomaly).
5)Don't keep your source code in web root: This can lead to
an accidental leak of source code if it gets served as plain
text.
Slide 68
Slide 68 text
The best practices for cybersecurity
1) During working with sockets communication, always use
timeouts to prevent memory leaks or another pitfall (such
DoS).
2) When calling syscall open() for resources in the file
system, always uses the call close() (some programming
languages use auto close call).
3) Before open, write or close an archive, it's a good idea to
check the existence of an archive to prevent undefined
behavior
4) Never retrieve errors handlers for users. Instead, save the
error registries in the internal log service(that don't show
errors in a public context, another good fact is this
resource needs a proper authentication to see data).
5) Never save secret data in logs or errors.
Slide 69
Slide 69 text
This is not all, folks !
Big check list to search:
Stack buffer overflow, Heap Overflow, integer overflow, buffer underflow, off-by-
one, memory leak, use after free, double free, race conditions(TOCTOU), lack of
ASLR, lack of DEP, lack of stack cookie, lack of relro, lack of certificate pinning, lack
of signature check, RCE, IDOR, RFI, LFI, SSO, CSRF, SSRF , SSTI, XEE, ReDOS, NoSQLi,
SQLi, blind SQLi, XSS, blind XSS, DomXSS, Open Redirect, Path traversal, Insecure
deserealization, LDAP injection, HQL injection, http parameter pollution, improper
permissions, uncontrolled upload, uncontrolled resource consumption, CSV
injection, graph injection, Denial of service, weak cryptography, lack of salt, lack
of secret key, lack of anti-tampering, lack of root detect, lack of secomp/pledge,
lack of rate limiting, lack of resource anti-robot, lack of http header hardening,
lack of anti-hooking, misconfiguration, Uncontrolled Search Path Element,
information leak,hardcoded credentials, tempest attack...