Embed Size (px)
Citation preview
Hacker, you shall not pass!Web application secure development
Cláudio André | claudioandre (at) gmail.com | @clviper
whoami
● 10+ years working in Information Systems
● Penetration Tester @
● Web applications, Mobile applications and Infrastructure
● Blog: security.claudio.pt
SPECIALLY T
SQL Injection
● SQL query manipulation via input data from
client;
https://www.owasp.org/index.php/SQL_Injection
SQL Injection
● SQL query manipulation via input data from
client;
● String concatenation;
https://www.owasp.org/index.php/SQL_Injection
SQL Injection
select name from users where user = ‘admin’
and password = ‘ubberpa$$w0rd’
https://www.owasp.org/index.php/SQL_Injection
SQL Injection
select name from users where user = ‘admin’
and password = ‘ubberpa$$w0rd’
select name from users where user = ‘admin’
and password = ‘xpto’ or 1=1--’
https://www.owasp.org/index.php/SQL_Injection
SQL Injection Demo
Fixing SQL Injection
● Use of prepared statements (Parameterized
Queries)
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Fixing SQL Injection
● Use of prepared statements (Parameterized
Queries)
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Cross Site Scripting (XSS)
● Injection of malicious scripts via input data
from the client;
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS)
● Injection of malicious scripts via input data
from the client;
● Script reflection on the page;
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS)
● Injection of malicious scripts via input data
from the client;
● Script reflection on the page;
● Reflected, Stored and DOM based;
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS)
Request: http://vulnerablesite.local/index?name=Guest
Response:
<html>
<body>
<div>
Hello Guest
</div>
</body>
</html>
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS)
Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script>
Response:
<html>
<body>
<div>
Hello <script>alert(“xss”)</script>
</div>
</body>
</html>
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS)
Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script>
Response:
<html>
<body>
<div>
Hello <script>alert(“xss”)</script>
</div>
</body>
</html>
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) Demo
Fixing XSS
● Not straightforward;
● Start with HTML Escape and Attribute
Escape.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Cross Site Request Forgery (CSRF)
● Force user to execute unwanted actions on
a web application;
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF)
● Force user to execute unwanted actions on
a web application;
● Session Riding;
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF)
● Force user to execute unwanted actions on
a web application;
● Session Riding;
● Phishing Attacks
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF)
Request:
http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF)
Request:
http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word
Attack:
<img src=”http://vulnerablesite.local/changepassword?newpwd=owned”>
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) Demo
Fixing CSRF
● Synchronizer Token Pattern
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Fixing CSRF
● Synchronizer Token Pattern
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Triple A
● Authentication
● Authorization
● Access Control
Some best practices on Authentication
● NO PLAIN TEXT!!! Use of strong
cryptographic algorithms;
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication
● NO PLAIN TEXT!!! Use of strong
cryptographic algorithms;
● No limit for character set and max lengths;
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication
● NO PLAIN TEXT!!! Use of strong
cryptographic algorithms;
● No limit for character set and max lengths;
● Enforce strong password policy;
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication
● Prevent Brute-Force Attacks. Implement
Captcha.
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication
● Prevent Brute-Force Attacks. Implement
Captcha.
● Normalize error messages;
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Access Control
● Vertical Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control
● Vertical Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Request: http://vulnerablesite.local/mainPage
Access Control
● Vertical Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Request: http://vulnerablesite.local/mainPage
Request: http://vulnerablesite.local/adminPage
Access Control
● Horizontal Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control
● Horizontal Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Request: http://vulnerablesite.local/getUserProfile?id=1337
Access Control
● Horizontal Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Request: http://vulnerablesite.local/getUserProfile?id=1337
Request: http://vulnerablesite.local/getUserProfile?id=1338
Access Control
● Business Logic Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control
● Business Logic Access Control Attack
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
http://vulnerablesite.local/shop?action=chooseFormat
http://vulnerablesite.local/shop?action=makePayment
http://vulnerablesite.local/shop?action=downloadMovie
Some best practices on Access Control
● Implement roles and permissions
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Some best practices on Access Control
● Implement roles and permissions
● Perform authorization validation on all
pages.
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Some best practices on Access Control
● Implement roles and permissions
● Perform authorization validation on all
pages.
● Data-Context access controls
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Open Web Application Security Project (OWASP)
● Not-for-profit charitable organization focused
on improving the security of software;
Open Web Application Security Project (OWASP)
● Not-for-profit charitable organization focused
on improving the security of software;
● Best practices;
Open Web Application Security Project (OWASP)
● Not-for-profit charitable organization focused
on improving the security of software;
● Best practices;
● OWASP Top 10;
OWASP TOP 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Vulnerable Web Applications Directory
● Vulnerable web applications for web dev,
security auditors and pentesters.
● Offline, Online, Virtual Machines and ISOs.
https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
Portswigger Burp Suite
● Integrated platform for web application
security tests.
Portswigger Burp Suite
● Integrated platform for web application
security tests.
● Has free version and is cross platform.
Portswigger Burp Suite
● Integrated platform for web application
security tests.
● Has free version and is cross platform.
● Not only for infosec guys. Devs should use
it.
