12. ATTACK TREES
Open safe
- Pick lock
- Learn combo
  - Find it written
  - Learn from target
    - Blackmail
    - Eavesdrop
      - Listen to convo
      - Get target to say
    - Bribe
- Cut open
- Bad setup
13. ATTACK TREES
To get the most out of attack trees, you have to combine them with knowledge of the attackers.
14. ATTACK TREES
Open safe (P)
- Pick lock (I)
- Learn combo (P)
  - Find it written (I)
  - Learn from target (P)
    - Blackmail (I)
    - Eavesdrop (I)
      - Listen to convo (P)
      - Get target to say (I)
    - Bribe (P)
- Cut open (P)
- Bad setup (I)
16. EXAMPLE ATTACK TREE OF A TRACE ACCOUNT
Get access to account
- Modify credentials in the database
  - Get access to database
    - Get access to DMZ
- Learn password
  - Social engineering
  - Listen on the transport layer
  - Brute force
- Bypass access control
  - SQL Injection
  - Session hijack
  - Insecure dependency
19. SECURE TRANSPORT LAYER
(Attack tree diagram from slide 16, repeated.)
24. BRUTE-FORCE ATTACKS
(Attack tree diagram from slide 16, repeated.)
25. BRUTE-FORCE PROTECTION
```javascript
var Limiter = require('ratelimiter') // backed by a connected redis client `db`
var email = req.body.email
var limit = new Limiter({ id: email, db: db }) // one counter per account, not per IP
limit.get(function(err, limit) {
  if (err) return next(err)
  if (limit.remaining > 0) return next() // still inside the allowed window
  res.status(429).send('Too many login attempts, try again later')
})
```
26. BRUTE-FORCE PROTECTION - TIMING ATTACKS
```javascript
// the bad solution: === stops at the first differing character, so the
// response time reveals how much of the password matched
if (userEnteredPassword === passwordFromDb) {
  return true
}
return false
```
31. SQL INJECTION
(Attack tree diagram from slide 16, repeated.)
32. DATA VALIDATION - SQL INJECTION
This attack vector consists of injection of a partial or complete SQL query via user input.
33. DATA VALIDATION - SQL INJECTION
```sql
select username, password from users where username=$username
```
can become:
```sql
select username, password from users where username=john or 1=1
```
34. DATA VALIDATION - SQL INJECTION
Defend against it with parameterized queries / prepared statements.
35. DATA VALIDATION - SQL INJECTION
```javascript
// parameterized: the value is sent separately from the query text, never spliced into it
query("select name from emp where emp_id=$1", [123])

// prepared: a named statement whose plan is reused across calls
query({
  name: "emp_name",
  text: "select name from emp where emp_id=$1",
  values: [123]
})
```
37. SESSION HIJACK
(Attack tree diagram from slide 16, repeated.)
39. COOKIES - COOKIE FLAGS
- secure - this attribute tells the browser to only send the cookie if the request is being sent over HTTPS.
- HttpOnly - this attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via JavaScript.
41. DATA VALIDATION - XSS
- Reflected Cross Site Scripting occurs when the attacker injects executable JavaScript code into the HTML response with specially crafted links.
- Stored Cross Site Scripting occurs when the application stores user input which is not correctly filtered. It runs within the user's browser under the privileges of the web application.
43. SECURITY HEADERS
- Strict-Transport-Security enforces secure (HTTP over SSL/TLS) connections to the server
- X-Frame-Options provides clickjacking protection
- X-XSS-Protection enables the Cross-site scripting (XSS) filter built into most recent web browsers
- Content-Security-Policy prevents a wide range of attacks, including Cross-site scripting and other cross-site injections
45. HANDLING DEPENDENCIES
(Attack tree diagram from slide 16, repeated.)
50. RESTRICT DATABASE ACCESS
(Attack tree diagram from slide 16, repeated.)