Web Application Security

KiwiPyCon 2014 Tutorial

Files available at http://tinyurl.com/kpcws

Created by Hugh Davenport / @haquaman / hugh@davenport.net.nz

What is Security?

Security is the art of exploiting vulnerabilities in code to produce an outcome other than the one intended, which can be used for malicious purposes.

My own definition

What is a vulnerability?

Vulnerabilities can present in a variety of forms, and are basically the lack of code checking for "edge" cases. These edge cases are what allow the vulnerability to be exploited.

Dummies Guide to Fixing Vulnerabilities

ESCAPE/FILTER USER INPUT

OWASP

OWASP is a project that helps identify common vulnerabilities, and how to fix them.

OWASP Top 10

Every few years, OWASP releases a "top 10" list of vulnerabilities.

OWASP Top 10

  • A1 - Injection
  • A2 - Broken Authentication and Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration

OWASP Top 10

  • A6 - Sensitive Data Exposure
  • A7 - Missing Function Level Access Control
  • A8 - Cross-Site Request Forgery (CSRF)
  • A9 - Using Components with Known Vulnerabilities
  • A10 - Unvalidated Redirects and Forwards

Injection

The most common injection is SQL injection, but it can also be LDAP, command, XPath, etc.

Broken Authentication and Session Management

Cookies: set the httpOnly and secure flags, only store a session key in them, and change the session key on a privilege escalation.

Passwords, PLEASE PLEASE HASH THEM!!!

Cross-Site Scripting

FUN!! and really common. User input is inserted into HTML and executed as script. Protect with escaping, and other techniques like Content Security Policy (CSP). Limit exposure by correct cookie management.

Insecure Direct Object References

Don't have a public /uploads or similar folder; instead, have a script that validates that a user is allowed to access a certain object before serving it.

Security Misconfiguration

Make sure you follow <ahem> documentation, and make sure you follow it right.

Sensitive Data Exposure

ERROR LOGGING DOES NOT BELONG IN PRODUCTION!!

Ensure that users have an appropriate level of authorisation before showing content.

Missing Function Level Access Control

Ensure that users have an appropriate level of authorisation before showing content.

Cross-Site Request Forgery (CSRF)

This is where you "entice" a different user (usually of a higher/different level of authorisation) to perform an action on your behalf.

Disable GET methods for actions that change content, and make use of "tokens".

Using Components with Known Vulnerabilities

Upgrade things, read security releases, understand how you are using libraries.

Unvalidated Redirects and Forwards

If you have a function that redirects based on some URL parameter, make sure it is still going to your site...
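As an added example (not part of the original tutorial files), here is one way to do that check in Python: every redirect target is resolved against the site's own origin and only accepted if it still lands on an allowlisted host over http(s). The `ALLOWED_HOSTS` value and the `example.com` host are assumptions for illustration.

```python
from urllib.parse import urljoin, urlparse

# Assumption: the site's own host(s). Use a fixed allowlist rather than the
# request's Host header, which a client can set to whatever it likes.
ALLOWED_HOSTS = {"example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` resolves to one of our own hosts over http(s)."""
    if not target:
        return False
    target = target.strip()
    # Reject control characters; they are used to confuse URL parsers.
    if any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil.com" would be
    # fetched as "//evil.com". Normalise before parsing so the check sees what
    # the browser will see.
    target = target.replace("\\", "/")
    # Resolve relative paths ("/account") against our own origin. Anything that
    # carries its own host ("//evil.com/x", "https://evil.com") keeps that host.
    base = "https://" + next(iter(sorted(allowed_hosts))) + "/"
    parsed = urlparse(urljoin(base, target))
    # Only http(s); "javascript:" and "data:" URLs are never a valid redirect.
    if parsed.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port, so "http://example.com@evil.com/"
    # correctly yields "evil.com".
    return parsed.hostname in allowed_hosts


def redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it is safe to redirect to, otherwise the fallback."""
    return target if is_safe_redirect(target) else fallback
```

A view would call `redirect_target(request.args.get("next"))` and redirect to the result instead of the raw parameter.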

Heaps more exist!!

Go to Mike Haworth's talk, you'll like it ;)

Some tools

  • Burp Suite
  • Arachni
  • wapiti
  • w3af
  • NeXpose
  • Zed Attack Proxy
  • mitmproxy
  • sqlmap

THE END

BY Hugh Davenport / @haquaman / hugh@davenport.net.nz / davenport.geek.nz