CakeFest 2023 Workshop 1

Jorge M. González Martín
September 27, 2023

Transcript

  1. Workshop 1

    • 3h session • Quick CakePHP intro • Authentication • Security • OWASP Top 10 • Code https://bit.ly/3PwZcBr • Database https://bit.ly/3EVN7B0 • Slides
  2. CakePHP Introduction

    • Setting up a development environment • Example application • Baking our application CRUD • API
  3. Setup dev environment

    • Requirements
    $ sudo apt install -y php-cli php-intl php-mbstring php-sqlite3 zip php-zip
    // setup composer
  4. Composer

    • Create a CakePHP 5 project • https://github.com/cakephp/app • composer install • run App\Console\Installer::postInstall
    $ composer create-project cakephp/app cakefest2023
    Installing...
    …
    Do you want to remove the existing VCS (.git, .svn..) history? [Y,n]? ←Y
    $ cd cakefest2023
    # get to the latest version
    $ composer require cakephp/cakephp:5.x-dev cakephp/chronos:3.x-dev
    {skeleton}
  5. Configuration

    • Application class • CakePHP Bootstrap • config/bootstrap.php • config/app.php • Configure default datasource via environment
  6. MVC CakePHP Reusability Model Table Entity Behavior View View Template

    Theme Layout Element Block Helper Controller Controller Action Component Other Cell, Mailer, Command Middleware CakePHP Concepts • Application level • Across applications: Plugin and Middleware
  7. The authentication process

    • AuthenticationMiddleware::process() • AuthenticationService::authenticate() • First valid result wins • Persist the identity if not stateless • Redirect based on unauthenticated or login redirect
  8. Login action

    • Adding login and logout actions to UsersController • Preparing a login template
  9. Log the user in

    • Access authentication results • Check identity • Finish the login action • Add logout
  10. General concepts

    • Access authentication results • Check identity • Finish the login action • Add logout
  11. Entity allowed

    • Allowed list of Entity properties to be patched • `hidden` for serialization leaks
  12. General best practices

    • Validate user input • Escape output • Fail hard • Audit / log suspicious activity • Log auth related activity • Enforce 2FA
  13. #1 A01 Broken Access Control - OWASP Top 10:2021

    Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
  14. #1 ? Scenario #2: An attacker simply forces browses to target URLs. Admin rights are required for access to the admin page.

    • 1. FormSecurity • 2. Authorization • 3. CSP Headers • 4. Use Java
  15. #1 Ensure Authorization is in place for all actions

    • 1. FormSecurity • 2. Authorization • 3. CSP Headers • 4. Use Java
  16. #2 A02 Cryptographic Failures - OWASP Top 10:2021

    The first thing is to determine the protection needs of data in transit and at rest…
  17. #2 ? Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text.

    • 1. Escape template variables • 2. Enforce HTTPS • 3. Encrypt data before save • 4. Use Python
  18. #2 Example: secure column encryption

    • 1. Escape template variables • 2. Enforce HTTPS • 3. Encrypt data before save • 4. Use Python
  19. #3 A03 Injection - OWASP Top 10:2021

    Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters.
  20. #3 ? Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'");

    • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries
  21. #3 Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call: $query->find()->where("last_name LIKE '$lastName%'");

    • 1. Use the ORM properly • 2. Use CSP headers • 3. Filter input • 4. Use ChatGPT to build all your SQL queries
  22. #4 A04 Insecure Design - OWASP Top 10:2021

    An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.
  23. #4 ? Scenario #1: A credential recovery workflow might include “questions and answers,” ... Questions and answers cannot be trusted as evidence of identity

    To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB
  24. #4 ? Scenario #1: A credential recovery workflow might include “questions and answers,” ... Questions and answers cannot be trusted as evidence of identity

    To recover your account tell me: what's your mom's name? • 1. Use stronger password algorithm • 2. Remove the feature completely • 3. Add sound and videos • 4. Use MongoDB
  25. #5 ? Scenario #3: The application server's configuration allows detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1"

    • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework
  26. #5 Scenario #3: The application server's configuration allows detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable. "Powered by CakePHP 1.2.1"

    • 1. Ensure we provide no details about underlying stack • 2. Update to the latest version always • 3. Add security headers • 4. Say you are using another framework
  27. #6 A06 Vulnerable and Outdated Components - OWASP Top 10:2021

    Vulnerable Components are a known issue that we struggle to test and assess risk
  28. #6 ? Scenario #1: Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016"

    • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS
  29. #6 Scenario #1: Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. "That old PHPMailer lib not updated since 2016"

    • 1. Always use secure libraries • 2. Validate, track patch dependencies • 3. Don't use Composer • 4. Use NodeJS
  30. #7 A07 Identification and Authentication Failures - OWASP Top 10:2021

    Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.
  31. #7 ? Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. "Password1"

    • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits
  32. #7 Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. "Password1"

    • 1. Rotate passwords every 3 days • 2. Rotate passwords every 7 days • 3. Use MFA (Multi Factor Authentication) • 4. Encrypt passwords with at least 8096 bits
  33. #8 A08 Software and Data Integrity Failures - OWASP Top 10:2021

    Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources.
  34. #8 ? Scenario #1 Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]"

    • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder
  35. #8 Scenario #1 Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. "Missing signature, install anyway? [Y/n]"

    • 1. Remove external dependencies not needed • 2. Install packages from trusted sources only • 3. Remove all packages, copy everything to your plugins folder
  36. #9 A09 Security Logging and Monitoring Failures - OWASP Top 10:2021

    Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. Detecting and responding to breaches is critical.
  37. #9 ? Scenario #1: A website operator couldn't detect a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013.

    • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activity in the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events
  38. #9 Scenario #1: A website operator couldn't detect a breach due to a lack of monitoring and logging. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013.

    • 1. Add logs to relevant/sensitive actions in the site • 2. Add logs to suspicious activity in the site • 3. Add logs to all actions on the site • 4. Add logs to all actions on the site, including all mouse x,y change events
  39. #10 A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021

    SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
  40. #10 ? Scenario #2: Sensitive data exposure – Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/

    • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall
  41. #10 Scenario #2: Sensitive data exposure – Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/

    • 1. Use a deny list and strong regular expressions to validate domains • 2. Sanitize all target IP addresses • 3. Validate target domains with a positive allow list • 4. Block all traffic using a firewall
  42. Security tools & scanners

    Worth checking your sites before going live • https://owasp.org/www-community/Vulnerability_Scanning_Tools
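
For the injection scenario on slides 20 and 21, this added example (not from the slides or the workshop code) puts the string-built `LIKE` query next to a parameter-bound one. It uses plain PDO on in-memory SQLite in place of the CakePHP ORM; the table, rows, inputs and the function names `findVulnerable` and `findSafe` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data; plain PDO on in-memory SQLite stands in for the ORM.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT)');
$pdo->exec("INSERT INTO users (last_name) VALUES ('Smith'), ('Smythe'), ('Jones')");

// Vulnerable: same shape as the slide's where("last_name LIKE '$lastName%'").
// The input becomes SQL text, so a quote in it ends the string literal.
function findVulnerable(PDO $pdo, string $lastName): array
{
    $sql = "SELECT last_name FROM users WHERE last_name LIKE '$lastName%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is sent as a bound parameter, never as SQL text.
// LIKE wildcards in the input are escaped so they match literally.
// CakePHP ORM form that binds the value: ->where(['last_name LIKE' => $prefix])
function findSafe(PDO $pdo, string $lastName): array
{
    $prefix = strtr($lastName, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt = $pdo->prepare(
        "SELECT last_name FROM users WHERE last_name LIKE :prefix ESCAPE '\\'"
    );
    $stmt->execute(['prefix' => $prefix]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal prefix, a lone wildcard, a quote-breaking string.
foreach (['Sm', '%', "' OR 1=1 --"] as $input) {
    printf(
        "%-14s vulnerable=%s safe=%s\n",
        json_encode($input),
        json_encode(findVulnerable($pdo, $input)),
        json_encode(findSafe($pdo, $input))
    );
}
```

Run it with `php` from the command line; it needs the `php-sqlite3` package listed in the workshop requirements.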