

Picking the low hanging-fruit – Easy pentest wins (IPC Munich 2023)

Penetration tests are a critical part of data protection for web services, but often much of their effort is wasted reporting simple things that can easily be avoided in advance.
We will look at security issues that are often found in pentests, concentrating on those that can be resolved quickly and easily in one place (in any language), and show how to fix them, freeing up expensive pentester resources for tackling more complex challenges.

Marcus Bointon

November 02, 2023


Transcript

  1. Marcus Bointon – IPC Munich 2023
     Picking the low-hanging fruit; Easy pentest wins
     Avoiding security issues with up-front measures
  2. Marcus Bointon – @[email protected] – Easy Pentest Wins – IPC Munich 2023
     My name is…
     • Inigo Montoya
     • @[email protected]
     • Radically Open Security
     • Pentests, code audits
     • Pentest reports
  3. Back-to-front security
     • Cloud provider
     • Infrastructure
     • Server config
     • Client config
  4. Pentest targets
     • Information disclosure
     • Obsolescence
     • Misconfiguration
     • Inconsistency
     • Errors
     • Sanitisation, validation, and escaping
  5. Cloud provider security
     • IP addresses
       • Private only
       • IPv6
     • Security groups
       • Allow what’s needed, no more
     • Up-to-date OS images
       • Immutable instances, read-only FS
     • SSH access
       • Keys, not passwords
       • Bastions
  6. Infrastructure
     • Firewalls
       • Block by default
       • Allow only what’s needed
       • Rate limits
       • Consider egress limits
       • Don’t forget IPv6
     • SSH access
       • Do you need it at all?
       • Keys, not passwords
       • Non-standard ports
       • Hardening
       • Fail2Ban
  7. Testing access
     • nmap
       • Don’t test other people’s servers!
     • ssh-audit
       • Harden everything
     • Look in /var/log/auth.log
       • Integrate with fail2ban
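The "Look in /var/log/auth.log" point on the slide is what fail2ban automates: count failed SSH logins per source address and act once a threshold is crossed. The script below is an added example, not part of the talk; the log lines it parses are constructed, and the threshold of 3 is an arbitrary stand-in for a fail2ban maxretry setting.

```shell
#!/bin/sh
# Added example (not from the talk): count failed SSH logins per source IP
# from auth.log-style lines, the signal fail2ban acts on.
# The sample lines below are constructed, not captured from a real host.

SAMPLE_AUTH_LOG='Nov  2 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Nov  2 10:01:15 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 50130 ssh2
Nov  2 10:01:19 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.23 port 50141 ssh2
Nov  2 10:02:01 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.7 port 41022 ssh2: ED25519 SHA256:constructedfingerprint
Nov  2 10:03:44 web1 sshd[2215]: Failed password for invalid user oracle from 192.0.2.99 port 33011 ssh2'

# failed_logins_by_ip LOGTEXT
# Prints "count ip" pairs, highest count first.
failed_logins_by_ip() {
    printf '%s\n' "$1" \
        | grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# offenders LOGTEXT THRESHOLD
# Prints only the IPs with at least THRESHOLD failures, one per line,
# i.e. the set a fail2ban maxretry rule would ban.
offenders() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Stand-alone usage on a real host (needs read access to the log):
#   offenders "$(cat /var/log/auth.log)" 3
offenders "$SAMPLE_AUTH_LOG" 3
```

Run against the constructed sample it prints only 198.51.100.23, the one address with three failures; 192.0.2.99 has a single failure and stays below the threshold, and the successful public-key login is ignored entirely.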
  8. UFW firewall example
       # start from a clean rule set
       ufw reset
       # block all incoming traffic unless a rule below allows it
       ufw default deny
       # SSH from the admin address only (x.x.x.x is a placeholder)
       ufw allow from x.x.x.x to any app OpenSSH
       # rate-limit any other SSH connection attempts
       ufw limit from any to any app OpenSSH
       # UDP 60000-61000 is the range mosh uses
       ufw allow proto udp from any to any port 60000-61000
       # the "Nginx Full" profile is HTTP and HTTPS
       ufw allow from any to any app "Nginx Full"
       ufw enable
  9. OS updates
     • Automate!
       • Debian/Ubuntu: unattended-upgrades
       • RedHat: yum-cron
       • Windows Update & Defender
  10. Service with a smile
      • Web servers
        • TLS config
        • Security headers
        • https://ssl-config.mozilla.org/
      • Database / cache / queue servers
        • Should not be accessible from outside
        • Avoid listening on all interfaces: 0.0.0.0, ::
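A quick way to catch the "listening on all interfaces" problem from the slide is to scan the output of `ss -tlnp` for LISTEN sockets bound to 0.0.0.0, :: or * on any port that is not meant to be public. This is an added example, not from the talk; the `ss` output it parses is constructed, and the allow list of public ports (22, 80, 443) is a hypothetical one for a web host.

```shell
#!/bin/sh
# Added example (not from the talk): flag services bound to all interfaces
# (0.0.0.0, [::] or *) in `ss -tlnp`-style output, allowing only the ports
# that are meant to be public. The sample output is constructed.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=912,fd=6))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=912,fd=8))
LISTEN 0      151    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1020,fd=21))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1100,fd=6))
LISTEN 0      128    *:5672              *:*               users:(("beam.smp",pid=1205,fd=30))'

# Hypothetical allow list: the only ports this host should expose.
PUBLIC_PORTS="22 80 443"

# wildcard_listeners SSOUTPUT
# Prints "port process" for every LISTEN socket bound to a wildcard address
# whose port is not in PUBLIC_PORTS.
wildcard_listeners() {
    printf '%s\n' "$1" | awk -v allow="$PUBLIC_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)  # text before it
            if ((host == "0.0.0.0" || host == "[::]" || host == "*") && !(port in ok)) {
                split($6, p, "\"")                  # users:(("name",pid=...)) -> name
                print port, p[2]
            }
        }'
}

# Stand-alone usage on the live system:
#   wildcard_listeners "$(ss -tlnp)"
wildcard_listeners "$SAMPLE_SS"
```

On the constructed sample it reports MySQL on 3306 and the AMQP broker on 5672; Redis on 127.0.0.1 is fine, and the web and SSH ports are on the allow list. The bracketed IPv6 wildcard is handled separately because `ss` prints it as `[::]`, which is easy to miss when grepping for `0.0.0.0` alone.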
  11. Testing TLS
      • Qualys SSL Labs
      • testssl.sh
      • securityheaders.com
  12. Security headers
      • Strict-Transport-Security
        • Preload if you mean it!
      • Content-Security-Policy
        • A talk in its own right
      • X-Content-Type-Options
      • Referrer-Policy
  13. Applications
      • Authentication
      • Authorisation
      • Dependencies
      • Safe coding practices
      • SQL injection
      • Cookies
  14. Authentication
      • Password policy:
        • Long
        • Random
        • Not in known breaches (haveibeenpwned.com)
      • Strong password hash function
        • PBKDF2, bcrypt, Argon2ID
      • Throttle auth routes to prevent brute-force
      • 2FA – TOTP, PassKeys (WebAuthn)
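The "not in known breaches" check on the slide is usually done through the Pwned Passwords range API, which only ever sees the first five hex characters of the password's SHA-1 and returns every known suffix for that prefix, so the comparison happens on your side. The script below is an added example, not from the talk: it runs the length check and the k-anonymity match offline against a constructed range response (the breach counts are made up, and the 12-character minimum is an arbitrary choice).

```shell
#!/bin/sh
# Added example (not from the talk): the checks a registration form can run on
# a candidate password: minimum length, then the k-anonymity lookup used by
# haveibeenpwned.com's Pwned Passwords range API. Only the first 5 hex chars of
# the SHA-1 would leave the host; the match against the returned suffixes is
# done locally. The range response below is constructed.

MIN_LENGTH=12   # arbitrary minimum for this example

# sha1_upper PASSWORD -> 40 uppercase hex chars (uses sha1sum from coreutils)
sha1_upper() {
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# hibp_prefix PASSWORD -> the 5-char prefix that would be sent to
#   https://api.pwnedpasswords.com/range/<prefix>
hibp_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# breach_count PASSWORD RANGE_RESPONSE -> number of times the password's
# SHA-1 suffix appears in the range response (0 when absent)
breach_count() {
    suffix=$(sha1_upper "$1" | cut -c6-40)
    count=$(printf '%s\n' "$2" | tr -d '\r' | awk -F: -v s="$suffix" '$1 == s {print $2; exit}')
    printf '%s\n' "${count:-0}"
}

# check_password PASSWORD RANGE_RESPONSE -> "ok", or the reason it fails
check_password() {
    if [ "${#1}" -lt "$MIN_LENGTH" ]; then
        echo "too short (min $MIN_LENGTH)"
        return 1
    fi
    n=$(breach_count "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "seen in $n breaches"
        return 1
    fi
    echo ok
}

# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# The first line's suffix is the real remainder of that hash; the counts and
# the other two suffixes are made up.
SAMPLE_RANGE='1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0F0C1A94AEE2DCB1E28B5E5D73AAF9C2B17:2
2F9DE3BDB2B8E9E0C1B8B1B1D3A0B2C3D4E:7'

# Stand-alone usage with the constructed data:
#   check_password 'password' "$SAMPLE_RANGE"                      -> too short (min 12)
#   breach_count 'password' "$SAMPLE_RANGE"                        -> 3861493
#   check_password 'correct horse battery staple' "$SAMPLE_RANGE"  -> ok
check_password 'correct horse battery staple' "$SAMPLE_RANGE"
```

On a real system the range response would come from `curl -s https://api.pwnedpasswords.com/range/$(hibp_prefix "$pw")`; the point of the prefix split is that neither the password nor its full hash is sent anywhere.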
  15. Authorisation
      • Principle of least privilege
      • Privilege separation
  16. Dependencies
      • PHP: composer audit
        • roave/security-advisories:dev-master
      • NodeJS: npm audit
      • Ruby: ruby-audit
      • Python: pip-audit
  17. Cookie flags
      • Secure
        • Protects against interception
      • HTTPOnly
        • Protects against XSS (partly)
      • SameSite Lax/Strict
        • Protects against CSRF
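Both the "Security headers" slide and the cookie flags above can be checked from a single captured response, which is what securityheaders.com does for the headers. The script below is an added example, not from the talk: it reports the required headers that are missing and every Set-Cookie that lacks Secure, HttpOnly or a SameSite=Lax/Strict attribute. The response it parses is constructed; on a real host feed it the output of `curl -sI` against your own site.

```shell
#!/bin/sh
# Added example (not from the talk): check a captured HTTP response for the
# security headers from slide 12 and the cookie flags from slide 17.
# The response below is constructed; on a real host use:
#   curl -sI https://example.invalid/   (replace with your own site)

SAMPLE_RESPONSE='HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
set-cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: theme=dark; Path=/
set-cookie: tracker=xyz; Path=/; Secure; SameSite=None'

REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options referrer-policy"

# header_value RESPONSE NAME -> the header's value (name matched case-insensitively)
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '{
        i = index($0, ": ")
        if (i && tolower(substr($0, 1, i - 1)) == n) { print substr($0, i + 2); exit }
    }'
}

# missing_headers RESPONSE -> one line per required header that is absent
missing_headers() {
    for h in $REQUIRED_HEADERS; do
        [ -n "$(header_value "$1" "$h")" ] || echo "$h"
    done
}

# weak_cookies RESPONSE -> "name: missing Flag[, Flag...]" for each cookie
# lacking Secure, HttpOnly, or SameSite=Lax/Strict
weak_cookies() {
    printf '%s\n' "$1" | tr -d '\r' | awk '{
        i = index($0, ": "); if (!i) next
        if (tolower(substr($0, 1, i - 1)) != "set-cookie") next
        val = substr($0, i + 2)
        name = val; sub(/=.*/, "", name)           # cookie name is before the first =
        attrs = tolower(val)
        missing = ""
        if (attrs !~ /; *secure/)                 missing = missing ", Secure"
        if (attrs !~ /; *httponly/)               missing = missing ", HttpOnly"
        if (attrs !~ /; *samesite=(lax|strict)/)  missing = missing ", SameSite=Lax/Strict"
        if (missing != "") print name ": missing" substr(missing, 2)
    }'
}

missing_headers "$SAMPLE_RESPONSE"
weak_cookies "$SAMPLE_RESPONSE"
```

On the constructed response it lists content-security-policy and referrer-policy as missing, flags the theme cookie for all three attributes, and flags the tracker cookie for HttpOnly and SameSite: SameSite=None is deliberately treated as weak because it opts the cookie back into cross-site requests.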
  18. Safe coding practices
      • Use tools to help you
        • Coding standards
        • Static analysers
        • IDE plugins
        • Pre-commit hooks
          • Detect secrets, spot debug statements
      • GPG-sign your commits
  19. Front-end shenanigans
      • Sanitise
      • Validate
      • Escape
      • Appropriately!
  20. Security is a process
      • It’s not a thing
      • A moving target that requires constant vigilance
      • Made easier with automation
  21. Now let the pentesters do the hard stuff
      Thank you!