
Application Security or Hacking Yourself... everyone else is

James McKee
September 28, 2017



Transcript

  1. Application Security or Hacking yourself everyone else is... James McKee
     Prairie.Code() 2017 Twitter: @punkcoder 9/29/2017 Punkcoder.com 1
  2. About Me
     • Network Admin from 1995-2002
     • Solutions Developer from 2005 – 2017
     • Consultant 2007 – 2017 (including 7 fortune 100, 1 fortune 500, and several recognizable non-profits)
     • @Punkcoder & punkcoder.com
  3. Primer
     • How many people have been to a security talk before?
  4. Things to know
     • What I will show you today can get you into big trouble (Illegal) if you do this without permission.
     • Make sure you test in a closed environment to avoid leaking
       • Virtual Machines
       • Virtual Networks
       • No Outside Connection
  5. Personal Experience
     • How many people in this room have been affected by a security event?
       • Application Compromise
       • Identity Theft
       • Data Leak
  6. APPLICATION SECURITY IS A DEVELOPER PROBLEM
     • For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are:
       • A1: Injection
       • A2: Cross-Site Scripting (XSS)
       • A3: Broken Authentication and Session Management
       • A4: Insecure Direct Object References
       • A5: Cross-Site Request Forgery (CSRF)
       • A6: Security Misconfiguration
       • A7: Insecure Cryptographic Storage
       • A8: Failure to Restrict URL Access
       • A9: Insufficient Transport Layer Protection
       • A10: Unvalidated Redirects and Forwards
  7. APPLICATION SECURITY IS A DEVELOPER PROBLEM
     • For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:
       • A1 Injection
       • A2 Broken Authentication and Session Management
       • A3 Cross-Site Scripting (XSS)
       • A4 Insecure Direct Object References
       • A5 Security Misconfiguration
       • A6 Sensitive Data Exposure
       • A7 Missing Function Level Access Control
       • A8 Cross-Site Request Forgery (CSRF)
       • A9 Using Components with Known Vulnerabilities
       • A10 Unvalidated Redirects and Forwards
  8. APPLICATION SECURITY IS A DEVELOPER PROBLEM
     • For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:
       • A1 Injection
       • A2 Broken Authentication and Session Management
       • A3 Cross-Site Scripting (XSS)
       • A4 Broken Access Control (As it was in 2004)
       • A5 Security Misconfiguration
       • A6 Sensitive Data Exposure
       • A7 Insufficient Attack Protection (NEW)
       • A8 Cross-Site Request Forgery (CSRF)
       • A9 Using Components with Known Vulnerabilities
       • A10 Underprotected APIs (NEW)
  9. Notice a Pattern
     • We’re not getting any better at solving this problem.
  10. Think like the Bad Guys
      • It’s more fun than it sounds…
      • Try your best to ignore what you think you know about your project.
      • Try to approach it like someone who wants your site offline.
      • You don’t have to be a super elite hacker to improve the quality of the application you’re working on.
  11. Fixing SQL Injection
      • Best Practices:
        • Parameterize SQL
        • Use ORMs
        • Don’t Use Dynamic SQL
      • More Information:
        • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
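Added example, not from the talk: the same user lookup written once as dynamic SQL and once as a parameterized query, run against a constructed in-memory SQLite table, so the effect of the "Don’t Use Dynamic SQL" advice is visible on a single input. The table, rows and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the talk.
_SEED = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _SEED)
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic SQL: the input is spliced into the statement text, so the
    database cannot distinguish user data from SQL syntax (the 'before')."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized SQL: the driver sends the value separately from the
    statement text, so it is only ever compared as a string (the fix)."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name: str) -> tuple:
    """Run one input through both lookups; returns (dynamic_rows, param_rows)."""
    conn = _connect()
    try:
        return find_user_dynamic(conn, name), find_user_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    print("honest input:  ", demo("alice"))
    # A quote in the input changes the meaning of the dynamic statement only.
    print("tampered input:", demo("nobody' OR '1'='1"))
```

With the tampered input the dynamic version returns every row while the parameterized version returns none; that difference is the whole argument for parameterization.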
  12. Tools Are Great…
      • They are no substitute for knowing how to perform the attacks yourself.
  13. Fixing Cross Site Scripting
      • Best Practices:
        • Escape EVERYTHING
        • Use AutoEscaping Template
        • Use XSS Security Encoding Library
      • More Information:
        • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
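Added example, not from the talk: "Escape EVERYTHING" in practice means encoding each value for the context it lands in, which is what an encoding library does for you. This constructed renderer shows three contexts (HTML text/attribute, an href, and a JS string literal) using only the standard library; the comment markup and function names are assumptions made for the demo.

```python
import html
import json
from urllib.parse import urlsplit

# Schemes a user-supplied link may use; anything else (javascript:, data:, ...) is dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}


def escape_html(value: str) -> str:
    """Encoding for text between tags and for double-quoted attribute values."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Escaping alone does not make a URL safe inside href: the scheme must be
    allowlisted. Relative URLs (no scheme) are kept; anything else becomes '#'."""
    url = url.strip()
    scheme = urlsplit(url).scheme  # urlsplit lowercases the scheme
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return url


def escape_js_string(value: str) -> str:
    """Encoding for a value placed inside a <script> block as a JS string literal.
    json.dumps quotes and escapes it; '<', '>' and '&' are additionally encoded so
    the HTML parser can never see a closing </script> inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_comment(author: str, website: str, text: str) -> str:
    """Each value is encoded for the exact context it is written into."""
    return (
        '<div class="comment">'
        f'<a href="{escape_html(safe_href(website))}">{escape_html(author)}</a>'
        f'<p>{escape_html(text)}</p>'
        f'<script>var commentAuthor = {escape_js_string(author)};</script>'
        '</div>'
    )


if __name__ == "__main__":
    # Constructed inputs: markup in the body, a script scheme in the link.
    print(render_comment("alice", "/users/alice", "<script>alert(1)</script>"))
    print(render_comment("bob</script>", "javascript:alert(1)", "hi"))
```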
  14. Fixing CSRF
      • Best Practices
        • Check for Headers and Demand Same Origin
        • Include and Check a CSRF Token
      • More Information:
        • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Warning:_No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities
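Added example, not from the talk: both slide checks combined into one server-side gate for a state-changing request. The Origin header (Referer as fallback) must name our own site, and the token submitted with the form must match the token held in the session. The site origin, header dict shape and function names are assumptions made for the demo.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def new_csrf_token() -> str:
    """Per-session token: store it server-side and embed it in every form."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(headers: Dict[str, str], form_token: Optional[str],
               session_token: Optional[str],
               site_origin: str = "https://punkcoder.com") -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass: same origin AND token match.
    site_origin is an assumed value for the demo."""
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        # Browsers send Origin on cross-site POSTs; absence is treated as a failure.
        return False, "no Origin or Referer header"
    if _origin_of(source) != site_origin.lower():
        return False, f"cross-origin request from {_origin_of(source)}"
    if not session_token or not form_token:
        return False, "missing CSRF token"
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(form_token, session_token):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: one legitimate, one arriving from another site.
    print(check_csrf({"Origin": "https://punkcoder.com"}, token, token))
    print(check_csrf({"Origin": "https://other.example"}, token, token))
```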
  15. Fixing Sensitive Data Exposure
      • Best Practices:
        • Enable HTTPS, Transmit all Data Securely
        • Never Store Data in ClearText
        • Encrypt, using known best practices, don’t roll your own.
        • Ensure that there is no cache where sensitive data is concerned
      • More Information:
        • https://www.owasp.org/index.php/Top_10_2017-A6-Sensitive_Data_Exposure
        • https://blog.detectify.com/2016/07/01/owasp-top-10-sensitive-data-exposure-6/
  16. Using Components with Known Vulnerabilities
      • Best Practices:
        • Update Libraries, perform it regularly
        • Work with IT to make sure it stays patched.
        • Monitor for known CVEs
      • More Information:
        • https://www.owasp.org/index.php/Top_10_2017-A9-Using_Components_with_Known_Vulnerabilities
        • https://cve.mitre.org/
        • https://www.exploit-db.com/
  17. Broken Access Control
      • Best Practices:
        • When possible let someone else do it (OAuth)
        • Use known Libraries
      • More Information:
        • https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  18. Training and Resources
      • Learn Skills
        • Damn Vulnerable Web App - http://www.dvwa.co.uk/
        • Hack this Site - https://www.hackthissite.org/pages/index/index.php
        • Troy Hunt – Hack Yourself First - https://www.pluralsight.com/courses/hack-yourself-first
  19. Takeaways
      • Don’t use ints for ids on query or in post… I will find you.
      • When it comes to application security, tools are good, brains are better.
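Added example, not from the talk, serving both the Broken Access Control slide and the "don’t use ints for ids" takeaway. It goes one step beyond the slide: the ids are random rather than sequential, but the part that actually closes the hole is that every read is authorised against the record owner, so a guessed or leaked id still returns nothing. The store, record shape and function names are assumptions made for the demo.

```python
import secrets
from typing import Dict, List


class Forbidden(Exception):
    """Raised for any record the requester may not see, whether or not it exists."""


def new_record_id() -> str:
    """Opaque, non-sequential id: 128 random bits instead of 1, 2, 3, ..."""
    return secrets.token_urlsafe(16)


class InvoiceStore:
    """Constructed in-memory store; every read is checked against the owner."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def create(self, owner: str, amount_cents: int) -> str:
        record_id = new_record_id()
        self._rows[record_id] = {"owner": owner, "amount_cents": amount_cents}
        return record_id

    def get_for(self, requester: str, record_id: str) -> dict:
        row = self._rows.get(record_id)
        # One outcome for "no such record" and "not your record": the response
        # must not tell a caller which ids exist.
        if row is None or row["owner"] != requester:
            raise Forbidden(record_id)
        return row

    def list_for(self, requester: str) -> List[dict]:
        """Listing is filtered by the authenticated owner, never by a client-supplied id."""
        return [dict(r, id=k) for k, r in self._rows.items() if r["owner"] == requester]


def can_read(store: InvoiceStore, requester: str, record_id: str) -> bool:
    try:
        store.get_for(requester, record_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    store = InvoiceStore()
    alice_invoice = store.create("alice", 1999)
    print("alice reads own invoice:", can_read(store, "alice", alice_invoice))
    print("bob reads alice's invoice:", can_read(store, "bob", alice_invoice))
```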