29
Why AppSec Matters? Aldo Salas [email protected]

Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas [email protected] Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

WhyAppSec Matters?

[email protected]

Page 2: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Agenda

• Intro.• CurrentstatusofAppSec intheindustry.• Casestudy.• WhyOWASPmatters.

Page 3: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Aboutme

• 10+yearsofexperienceinAppSec.• CurrentlyworkingforFortune500Company.• Independentresearcherinfreetime(bugbounty).

• ChapterLeaderforAguascalientes.• Favoritevulnerability:SQLInjection.• ProudU.A.A.alumnus.

Page 4: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

I’mnotheretoscareyou…

• OrmaybeIam

Page 5: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Anotherweek,anotherhack

Andthelistgoeson:http://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2016/

Page 6: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Wearenotdoingagreatjob

Page 7: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Real-lifecasestudy

Page 8: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Background• Thirdpartyusedtocollectfestivalsandnew-hiresinformation.• Thefollowingemailwassenttoartists/managers/assistants:

• Firstthoughton“public_key”:Maybeit’sanauthenticationtoken,notidealbutstillprovidessomelevelofauthentication.

Page 9: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Phase 1:Discovery

Page 10: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Publickeyparameter:

• Removingpublic_key =UnauthenticatedAccessToData

Page 11: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

AnalyzingURL:

• Changing IDinURL=InsecureDirectObjectReference(Stillunauthenticated)

Page 12: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Analyzingpage:

Page 13: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Analyzingpage:

• FilesarestoredinAWSS3• Fileisalwaysrenamedtooriginal.ext• Unauthenticatedaccesstouploadedfilesaswell.• Bruteforcing offilesispossiblebutnotreallyneeded.

Page 14: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Summarysofar:• Unauthenticatedaccesstoartistprofile.

• AccesstoANYprofileispossibleusingInsecureDirectObject

References.

• UnrestrictedFileUploadispossible.

• UnauthenticatedAccesstouploadedfilesispossible.

Page 15: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Reminder:thisisasinglepage.

Page 16: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Phase2:Automation

Page 17: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Automatingdataretrievaltodemonstraterisk

• InitialResults:• Morethan80thousandrecordsfound.

• Notes:• Morethan170thousandrequestsweresent.• Morethan6GBsweredownloaded.• Iwasneverstoppednorevendetected.

Page 18: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Phase3:Parsingdata

Page 19: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Parsingdata:• NumberOfDirectURLsToDownloadFilesobtained:

Page 20: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Parsingdata:• ArtistsPIIincludingemailsandphones

Page 21: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Parsingdata:• Andmuch,muchmore:

Page 22: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Possibleoutcomesifexploitedbyattackers:

• Headlinesinthenews:• “HUNDRESOFTHOUSANDSARTISTSDETAILSLEAKEDBYCOMPANY”

• “WANTTAYLORSWIFT’SNUMBER?WE’VEGOTIT”

• Attackerssellingorleakingartistsinformation(stalkers,curiouspeople,etc.)

• Fraudandpotentiallegalconsequences(SSNsinvolved).• Phishingcampaignsagainstretrievedemails.• Etc.,etc.,etc.

Page 23: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Whatcould’vebeendonebetter:• Preventunauthenticatedaccesstothepage.

• Onceauthenticationhasbeenimplemented,performauthorizationchecks.

• Validateatserver-sidetheuploadedfiles.

• Alsoaddauthenticationcheckstothefiles.

• LoggingandIPS/IDSconfigurationtodetectunusualactivity.

Page 24: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Toolsusedfordiscoveryandexploit:

• Pythonprogramminglanguagetocodesmalldownloadscript.

• StandardUnixtoolstoparsedata(find,cat,cut,grep,sort,sed,ls,wget).

Page 25: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Questions?

Page 26: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

WhyOWASPMatters?

• Allthevulnerabilitiesshowninthispresentationcould’vebeenavoidedbyfollowingOWASPrecommendations.

Page 27: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

OWASPTOP10misses:

• A1– Injection• A2– BrokenAuthenticationandSessionManagement

• A4– InsecureDirectObjectReferences

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 28: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

Questions?

Page 29: Why AppSec Matters? - OWASPWhy AppSec Matters? Aldo Salas aldo.salas@owasp.org Agenda • Intro. • Current status of AppSecin the industry. • Case study. • Why OWASP matters

[email protected]


Appsec Introduction

Appsec Introduction

Documents
AppSec 101 - Eivind Arvesen

AppSec 101 - Eivind Arvesen

Documents
OWASP - Bay Area · OWASP OWASP Bay Area Chapter Plans - 2008 Leaders: Mandeep Khera, Cenzic – Bay Area Chapter – mkhera@owasp.org Brian Bertacini, AppSec Consulting – South

OWASP - Bay Area · OWASP OWASP Bay Area Chapter Plans - 2008 Leaders: Mandeep Khera, Cenzic – Bay Area Chapter – [email protected] Brian Bertacini, AppSec Consulting – South

Documents
20141104 appsec surveillance

20141104 appsec surveillance

Technology
Streamlining AppSec Policy Definition.pptx

Streamlining AppSec Policy Definition.pptx

Technology
OpenSAMM Software Assurance Maturity Model Seba Deleersnyder seba@owasp.org SAMM project co-leaders Pravir Chandra chandra@list.org AppSec USA 2014 Project

OpenSAMM Software Assurance Maturity Model Seba Deleersnyder [email protected] SAMM project co-leaders Pravir Chandra [email protected] AppSec USA 2014 Project

Documents
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

Technology
OWASP Women in Application Security Program Seeking ...owasp.org/application security. Attendance for two women to the OWASP Cambridge AppSec EU 2014 conference, and at least one of

OWASP Women in Application Security Program Seeking ...owasp.org/application security. Attendance for two women to the OWASP Cambridge AppSec EU 2014 conference, and at least one of

Documents
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

Software
Appsec rump reverse-i_os_machook

Appsec rump reverse-i_os_machook

Technology
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

Technology
AppSec USA - LASCON Edition

AppSec USA - LASCON Edition

Technology
5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

Documents
Practice of AppSec .NET

Practice of AppSec .NET

Software
AppSec is Eating Security

AppSec is Eating Security

Internet
OWASP Security Shepherd Project - Global AppSec · OWASP Security Shepherd Project. @markdenihan mark.denihan@owasp.org @duggan4sean sean.duggan@owasp.org. ... everything after the

OWASP Security Shepherd Project - Global AppSec · OWASP Security Shepherd Project. @markdenihan [email protected] @duggan4sean [email protected]. ... everything after the

Documents
The API Assessment Primer - AppSec · PDF fileThe API Assessment Primer . Agenda • Introduction • Why API security matters • Assessment considerations • Common API vulnerabilities

The API Assessment Primer - AppSec · PDF fileThe API Assessment Primer . Agenda • Introduction • Why API security matters • Assessment considerations • Common API vulnerabilities

Documents
Agile Appsec

Agile Appsec

Documents
LangSec meets protocol state machines - owasp.org

LangSec meets protocol state machines - owasp.org

Documents
Flyer AppSec Forum 2011

Flyer AppSec Forum 2011

Technology
AppSec And Microservices

AppSec And Microservices

Technology
Appsec usa2013 js_libinsecurity_stefanodipaola

Appsec usa2013 js_libinsecurity_stefanodipaola

Technology
Why appsec tools suck | tssci-security · • Interest in appsec tools • Write for tssci-security.com • Involved with OWASP. ... R.Barnett BlackHat DC 09. Title: Why appsec tools

Why appsec tools suck | tssci-security · • Interest in appsec tools • Write for tssci-security.com • Involved with OWASP. ... R.Barnett BlackHat DC 09. Title: Why appsec tools

Documents
OpenSAMM Best Practices, Lessons from the Trenches Seba Deleersnyder seba@owasp.org OpenSAMM project co-leaders Bart De Win bart.dewin@owasp.org AppSec

OpenSAMM Best Practices, Lessons from the Trenches Seba Deleersnyder [email protected] OpenSAMM project co-leaders Bart De Win [email protected] AppSec

Documents
AppSec Consulting Inc

AppSec Consulting Inc

Documents
Fyler AppSec 2011

Fyler AppSec 2011

Technology
OWASP Intra- Governmental Affairs David Campbell dcampbell@owasp.org Denver Chapter Puneet Mehta Puneet.mehta@owasp.org Delhi Chapter

OWASP Intra- Governmental Affairs David Campbell [email protected] Denver Chapter Puneet Mehta [email protected] Delhi Chapter

Documents
The OWASP Foundation AppSec Research 2013 Amsterdam OWASP BeNeLux Candidacy AppSec Europe 2013

The OWASP Foundation AppSec Research 2013 Amsterdam OWASP BeNeLux Candidacy AppSec Europe 2013

Documents
Making Continuous Security a Reality - Global AppSec · Making AppSec a little better each day. aaron.weaver@owasp.org / @weavera Principal AppSec Engineer at 10Security Aaron Weaver

Making Continuous Security a Reality - Global AppSec · Making AppSec a little better each day. [email protected] / @weavera Principal AppSec Engineer at 10Security Aaron Weaver

Documents
AppSec & Microservices - Velocity 2016

AppSec & Microservices - Velocity 2016

Software