* CONFIDENTIAL

Shruti Gupta
Application Security Engineer, OpenDNS

Security Ninjas
Application Security Training Program

Agenda

Most Common AppSec Mistakes + Hack Lab
Best Practices
Q/A
Swag

Setup

Firefox
FoxyProxy
Burp Suite
Docker container or Web server instance

Agenda

Most Common Mistakes + Hack Lab
Best Practices
Q/A
Swag

#1 Injection

▪ What is it?
  – Untrusted data is sent to an interpreter
    – command / query
    – headers
    – cookies
    – {.. any other form of input ..}
  – Interpreter is tricked into executing unintended commands

#1 Injection

▪ What all is susceptible?
  – SQL
  – Hadoop
  – SOAP
  – XML
  – {..Anything..}

#1 Injection

▪ Why does it happen?
  – Use of interpreters doesn't clearly separate untrusted data from commands
  – Lack of input validation/ sanitization
  – Attacker is able to change execution context

#1 Injection

▪ Basic SQLi example

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1

#1 Injection

▪ How to prevent it?
  – Use APIs that provide parameterized / sanitized interfaces
  – Validate input against whitelist
  – DON'T use a blacklist
  – Escape special characters which you had to whitelist
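The slide's query built two ways, as an added example that is not part of the deck: string concatenation, which turns the input `105 or 1=1` into the statement shown above, next to a parameterized query and a whitelist check. The `Users` table and its rows are constructed; Python's `sqlite3` stands in for whatever database API the application uses.

```python
"""Added example (not from the slides): the deck's SQLi query built the
vulnerable way and the parameterized way, plus a whitelist check.

The Users table and its three rows are constructed for this example; the
column names follow the query on the slide.
"""
import re
import sqlite3

# Whitelist for the user id parameter: only 1 to 9 ASCII digits are ever valid.
USER_ID_RE = re.compile(r"[0-9]{1,9}")


def make_db():
    """Constructed sample data: three users, only one of them has UserId 105."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(104, "alice", "hash1"), (105, "bob", "hash2"), (106, "carol", "hash3")],
    )
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable: the untrusted string is spliced into the command text, so the
    interpreter cannot separate data from SQL. Input "105 or 1=1" produces the
    exact statement on the slide and returns every row."""
    sql = "SELECT UserId, Name, Password FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Parameterized API: the driver sends the value separately from the command.
    "105 or 1=1" is compared as a single value and matches nothing."""
    sql = "SELECT UserId, Name, Password FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def is_valid_user_id(raw):
    """Whitelist validation (not a blacklist): accept only what a user id may be."""
    return USER_ID_RE.fullmatch(raw) is not None


def lookup_safe(conn, raw):
    """Defense in depth: validate against the whitelist first, then bind the
    typed value as a parameter."""
    if not is_valid_user_id(raw):
        raise ValueError("rejected user id: %r" % raw)
    return lookup_param(conn, int(raw))


if __name__ == "__main__":
    db = make_db()
    print(len(lookup_concat(db, "105 or 1=1")), "rows via concatenation")
    print(len(lookup_param(db, "105 or 1=1")), "rows via parameter binding")
    print(lookup_safe(db, "105"))
```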
  	
  
	
  
	
  
#2 Broken Authentication & Session Management

▪ Weak Authentication logic
▪ Imperfect implementation
▪ Insufficient protection of session token
▪ Etc.

#2 Broken Authentication & Session Management

▪ How to prevent it?
  – Use strong algorithms to generate (random) secrets
  – Protect secrets throughout their lifecycle
  – Consider having centralized authentication and session management APIs
  – Implement strong account management functions (e.g., account creation, change password, recover password, etc.)
  – Protect against XSS

#2 Broken Authentication & Session Management

▪ Authentication bypass example

#3 Cross-Site Scripting (XSS)

▪ What is it?
  – Application takes untrusted data
  – Sends it to web browser without proper validation and encoding
  – Allows attackers to execute scripts in the victim's browser
    – hijack user sessions
    – deface web sites
    – redirect user to malicious sites
    – etc.

#3 Cross-Site Scripting (XSS)

▪ Types of XSS
  – Reflected
  – Stored
  – DOM based

#3 Reflected Cross-Site Scripting (XSS)

▪ Injected script is instantly reflected off the web server
  – error message
  – search result
  – any other response that includes some or all of the input sent
▪ Delivered via another route to the victim
  – email, other website, etc.

#3 Reflected Cross-Site Scripting (XSS)

▪ Example:

http://example.com/index.php?user=<script>alert(123);</script>

#3 Stored Cross-Site Scripting (XSS)

▪ Injected script is permanently stored on target servers
  – database
  – message forum
  – visitor logs
  – comment fields
▪ Victim then retrieves malicious script from the server when he requests the stored information
▪ Examples
  – Forums
  – Kibana search interface for Elasticsearch

#3 Cross-Site Scripting (XSS)

▪ How to prevent XSS?
  – Input validation
  – Context based output encoding
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  – Content Security Policy ?
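Context based output encoding applied to the reflected value from the example URL, as an added example that is not from the slides: the same string is encoded differently for the HTML body, a quoted attribute and a JavaScript string, following the cheat sheet rules linked above. The page template and its `user` parameter are constructed.

```python
"""Added example (not from the slides): context-based output encoding for the
reflected value in the deck's example URL, index.php?user=<script>alert(123);</script>.

The same untrusted value needs a different encoder for each place the page
puts it (HTML body, quoted attribute, JavaScript string), following the rules
in the OWASP XSS Prevention Cheat Sheet linked on the slide. The template and
its parameter name are constructed for this example.
"""
import html
import json

PAYLOAD = "<script>alert(123);</script>"  # the reflected value from the slide


def encode_html_body(value):
    """Element content: escape & < > " ' so the value can never open a tag."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Quoted attribute value: same escapes; the template MUST put quotes
    around the attribute, or whitespace could still break out of it."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Inside a JavaScript string literal: JSON-encode (quotes, backslashes,
    control characters) and also escape < and > so a literal "</script>" in
    the value cannot terminate the surrounding script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_page(user):
    """Hardened page: the value is reflected three times, each time through
    the encoder for that context."""
    return (
        f"<h1>Hello {encode_html_body(user)}</h1>\n"
        f'<input name="user" value="{encode_html_attr(user)}">\n'
        f"<script>var user = {encode_js_string(user)};</script>\n"
    )


def render_page_unsafe(user):
    """Vulnerable counterpart: reflects the raw parameter, which is why the
    slide's URL runs the script in the victim's browser."""
    return f"<h1>Hello {user}</h1>\n"


def script_tags_opened(markup):
    """Helper for the checks below: number of literal <script> openings in
    the output. The hardened template contributes exactly one of its own."""
    return markup.count("<script>")


if __name__ == "__main__":
    print(render_page_unsafe(PAYLOAD))
    print(render_page(PAYLOAD))
```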
  
	
  
#4 Insecure Direct Object References

▪ Reference to internal implementation object is exposed
▪ e.g., file, directory, database key, etc.
▪ Lack of access controls/ other protections
▪ Attackers can manipulate these references to access unauthorized data

#4 Insecure Direct Object References

▪ Example:
▪ Anyone can access any file uploaded on HipChat if he has the URL

#4 Insecure Direct Object References

▪ How to prevent it?
  – Verify user is authorized to access the exact resource they have requested
  – If the reference is an indirect reference, does mapping to the direct reference fail to limit the values to those authorized for the current user?
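Both prevention points worked through in an added example that is not the deck's code: an indirect reference map that only ever holds objects the current user owns, beside the direct-reference lookup with no check at all. File ids, their owners and the `Session` class are constructed.

```python
"""Added example (not from the slides): an indirect-reference map scoped to the
user's session plus an ownership check, the two questions the slide asks.

The file ownership table and the session object are constructed for this
example; "upload-1001" and friends stand in for direct ids like the file URLs
in the HipChat example on the previous slide.
"""
import secrets

# Constructed data: the direct references and who owns each one.
FILE_OWNER = {
    "upload-1001": "alice",
    "upload-1002": "alice",
    "upload-2001": "bob",
}


class Session:
    """State for one authenticated user. The indirect-reference map lives here,
    so a reference issued to alice means nothing in bob's session."""

    def __init__(self, user):
        self.user = user
        self._ref_to_id = {}

    def expose(self, file_id):
        """Issue an indirect reference, but only for an object this user owns:
        the map can then never contain a value the user is not authorized for."""
        if FILE_OWNER.get(file_id) != self.user:
            raise PermissionError("%s does not own %s" % (self.user, file_id))
        ref = secrets.token_urlsafe(16)  # unpredictable, per-session handle
        self._ref_to_id[ref] = file_id
        return ref

    def resolve(self, ref):
        """Map a client-supplied reference back to the direct id. Unknown refs
        return None rather than falling through to a direct lookup."""
        return self._ref_to_id.get(ref)


def fetch_file(session, ref):
    """Handler for GET /files/<ref>. Checks that the reference was issued to
    this session and that the resolved object still belongs to the user."""
    file_id = session.resolve(ref)
    if file_id is None:
        return "404 not found"
    if FILE_OWNER.get(file_id) != session.user:
        return "403 forbidden"  # ownership changed after the ref was issued
    return "200 contents of " + file_id


def fetch_file_direct(file_id):
    """Vulnerable counterpart: the direct id is the URL and there is no
    authorization check, so anyone holding the URL gets the file."""
    if file_id not in FILE_OWNER:
        return "404 not found"
    return "200 contents of " + file_id


if __name__ == "__main__":
    alice = Session("alice")
    handle = alice.expose("upload-1001")
    print(fetch_file(alice, handle))
    print(fetch_file(Session("bob"), handle))   # 404: not issued to bob
    print(fetch_file_direct("upload-1001"))     # 200 for anyone
```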
  
	
   	
   	
   	
  	
  
	
  
#5 Security Misconfiguration

▪ Can be anywhere in the tech stack
  – platform
  – web server
  – database
  – framework
  – etc.
▪ Collective effort between devs and Infra

#5 Security Misconfiguration

▪ Example:
  – default user account is not removed
  – script kiddie runs automated tool
  – tools can easily detect this
  – dang!

#5 Security Misconfiguration

▪ How to prevent it?
  – Security hardening throughout Application Stack
  – Unnecessary features enabled or installed?
  – Secure values not set?
  – Default accounts/ passwords still enabled or unchanged?
  – Overly informative error messages to users?
  – Software out of date?

#6 Sensitive Data Exposure

▪ Client side
  – hardcoded secrets, cache, headers, exceptions, ..
▪ In transit
  – SSL problems, MITM, ..
▪ Server side
  – weak crypto/ keys/ hashes, insufficient DB protection, ..

#6 Sensitive Data Exposure

▪ FB access token example

#6 Sensitive Data Exposure

▪ How to prevent it?
  – Determine what data needs to be protected and how much
  – Use strong crypto algos/ keys / modes / passwords
  – Don't store data unnecessarily
  – Turn off autocomplete on forms and caching
  – Encrypt all sensitive data at rest and transit (internally & externally)
  – Control access to sensitive data

#7 Missing Function Level Access Control

▪ Making sure only the right people have access to the right functions
▪ Functions may be called through
  – URL parameters
  – REST style URLs
  – etc.?

#7 Missing Function Level Access Control

▪ Facebook 12k bug bounty which let anyone delete images

#7 Missing Function Level Access Control

▪ How to prevent it?
  – Hiding functionality from the UI won't help
  – Server side Authentication and Access Control checks
  – Server side checks shouldn't solely rely on information provided by client
  – Deny by default
  – Central authorization module ?
  – Rate limiting?

#8 Cross-Site Request Forgery (CSRF)

▪ Attacker can formulate all HTTP parameters for a request
▪ Browsers send session cookies automatically
▪ Attacker tricks end user into executing unwanted actions on a web application in which he/she is currently authenticated
▪ Target: state changing functions

#8 Cross-Site Request Forgery (CSRF)

▪ Example:

<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

#8 Cross-Site Request Forgery (CSRF)

▪ Myth : Multistep transactions are immune to CSRF
▪ Attackers can easily forge a series of requests by using multiple tags or possibly JavaScript

#8 Cross-Site Request Forgery (CSRF)

▪ How to prevent it?
  – Add unpredictability
    – Unique random token
    – CAPTCHA
    – 2 factor confirmation
▪ There are OWASP libraries you can use e.g., CSRF Guard
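The unique random token defense applied to the `transferFunds` request from the example slide, as an added example (not from the deck and not OWASP CSRFGuard): a token minted per session with a CSPRNG, carried in a hidden form field, compared in constant time. The session store, request shape and handler are constructed.

```python
"""Added example (not from the slides): the "unique random token" defense from
the slide, applied to the transferFunds request in the deck's <img> example.

A per-session token is issued with the form and must be echoed back with every
state-changing request; the session cookie alone no longer proves the user
intended the action. Session store, request shape and handler are constructed.
"""
import hmac
import secrets

SESSIONS = {}  # constructed server-side session store: session id -> dict


def new_session(user):
    """Log a user in and mint the session's CSRF token with a CSPRNG
    (32 random bytes), which is the "strong algorithm for random secrets"
    the authentication slide asks for."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 5000}
    return sid


def render_transfer_form(sid):
    """Legitimate page: the token rides along as a hidden field. A cross-site
    <img> or auto-submitted form has no way to read this value."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/app/transferFunds">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="amount"><input name="destinationAccount">\n'
        "</form>"
    )


def transfer_funds(method, cookie_sid, params):
    """Server handler. The browser attaches the cookie automatically, so the
    cookie is NOT the proof of intent; the token, readable only by same-origin
    pages, is. Returns the status line so callers can check the decision."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    if method != "POST":
        # The slide's <img src="...transferFunds?..."> arrives as a GET. State
        # changes must not be reachable through GET at all.
        return "405 method not allowed"
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return "403 csrf token missing or invalid"
    amount = int(params["amount"])
    session["balance"] -= amount
    return f"200 transferred {amount} to {params['destinationAccount']}"


if __name__ == "__main__":
    sid = new_session("victim")
    forged = {"amount": "1500", "destinationAccount": "attackersAcct"}
    print(transfer_funds("GET", sid, forged))    # 405: the <img> request
    print(transfer_funds("POST", sid, forged))   # 403: no token
    print(render_transfer_form(sid))
```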
  
#9 Using Components with Known Vulnerabilities

▪ Application/Tech Stack uses vulnerable components
  – Frameworks
  – Libraries
  – Servers
  – OSes
  – other components

#9 Using Components with Known Vulnerabilities

▪ Easy exploitation using tools like Metasploit

#9 Using Components with Known Vulnerabilities

▪ How to prevent it?
  – Keep a check on vulnerabilities that come out
    – CVE
    – Mailing lists
  – Calculate risk
  – Upgrade vulnerable components

#10 Unvalidated Redirects and Forwards

▪ Application takes input from user
▪ Uses it to formulate Redirect/ Forward location without input validation
▪ Attacker misuses this for malicious redirections/ forwarding

#10 Unvalidated Redirects and Forwards

▪ Attack scenarios:
  – Malware installation
  – Phishing
  – Access Control bypass
▪ e.g.,
  – https://login.opendns.com/umbrella/?return_to=https://dashboard2.opendns.com/
  – https://login.opendns.com/umbrella/?return_to=https://dashboard2.opemdns.com/

#10 Unvalidated Redirects and Forwards

▪ How to prevent it?
  – Avoid using user input to determine destination URL
  – Whitelist allowed pages or external sites
  – Ensure URL is valid and authorized for the user
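A whitelist check for the `return_to` parameter in the URLs on the previous slide, as an added example that is not from the deck: exact scheme and host matching that accepts the first URL and rejects the second (the look-alike `opemdns.com` host) along with other malformed inputs. `ALLOWED_HOSTS` and `FALLBACK` are constructed.

```python
"""Added example (not from the slides): whitelist validation of a return_to
parameter like the one in the login.opendns.com URLs on the previous slide.

ALLOWED_HOSTS and FALLBACK are constructed for this example; the second URL on
the slide (dashboard2.opemdns.com, a look-alike host) is one of the inputs the
check must reject.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"dashboard2.opendns.com", "dashboard.opendns.com"}  # constructed
FALLBACK = "https://dashboard2.opendns.com/"  # constructed fixed landing page


def is_safe_redirect(target):
    """Whitelist check: the redirect is allowed only on an exact scheme and host
    match. Every other outcome, including a parse failure, is a rejection."""
    try:
        parts = urlsplit(target.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects http:, javascript:, data: and scheme-less //host
    if parts.username is not None or parts.password is not None:
        return False  # "https://allowed-host@other-host/" puts the real host after @
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False  # exact match: look-alike and suffixed hosts fail here
    if port not in (None, 443):
        return False
    return True


def safe_return_to(target):
    """What the login handler should actually redirect to: the validated value
    or the fixed fallback, never the raw parameter."""
    if target and is_safe_redirect(target):
        return target
    return FALLBACK


if __name__ == "__main__":
    for url in (
        "https://dashboard2.opendns.com/",
        "https://dashboard2.opemdns.com/",
    ):
        print(url, "->", safe_return_to(url))
```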
  
	
  
Setup

Destroy your Docker container/stop the Webserver running the vulnerable application

Agenda

Most Common Mistakes + Hack Lab
Best Practices
Q/A
Swag

Security Planning

▪ Involve the Security team when planning a big feature / product
▪ Have Security features or controls added to User Stories when planning

Using 3rd Party Code

▪ What to do when using:
  – Security Libraries
  – Other Libraries

Defense in Depth

▪ Why is it important?
  – fail overs
  – edge cases
  – adding more friction for attackers

Keep Software, Technologies etc. updated

▪ Why is it important?
  – Better and more features
  – Security vulnerabilities get patched in newer versions
  – Newer versions get the most attention
  – Old ones stop getting support
  – Turn on auto updates for Chrome
  – Look at updates on the AppStore

Use Hard Passwords

▪ Why is it important?
  – Brute forcing passwords
  – Dictionary based attacks
  – Hash cracking
▪ Use a password manager
▪ Password Manager for shared accounts
▪ Reset when someone leaves

Be Minimalistic

▪ Principle of Least Privilege
  – Employee termination
  – Mistakes
  – Vulnerabilities in other S/W which leverage this
▪ Don't install redundant software, plugins, etc.
  – Maintenance issues
  – People forget to uninstall them
  – Don't get much attention from the community
  – Open ports/ services

Don't Hardcode Secrets in Source Code

▪ Put them in a config file
▪ Keep that in a secure place
▪ Restrict access to it

Input Validation

▪ Why is it important?
  – Input coming from outside the trust boundary
  – Clean it on the first point of entry
  – Future dependencies more secure
  – If reusing some user input from db/ internal storage, sanitize it as per your program's context
  – Multiple orders of Injection

Error Handling

▪ Why is it important?
▪ Least information disclosure

Logging and Alerting

▪ Why is it important?
  – Identify threats
  – Investigations
  – Mitigate problems before they become too big
  – Good also from functionality and QA standpoint

Shruti Gupta
shruti@opendns.com

Questions?

Security Ninjas: An Open Source Application Security Training Program

  • 1. * CONFIDENTIAL Shru%  Gupta   Applica%on  Security  Engineer,  OpenDNS         Security  Ninjas   Applica%on  Security  Training  Program      
  • 2. Agenda   Most  Common  AppSec  Mistakes  +  Hack  Lab     Best  Prac%ces   Q/A   Swag  
  • 3. Setup   Firefox   FoxyProxy   Burp  Suite   Docker  container  or  Web  server  instance    
  • 4. Agenda   Most  Common  Mistakes  +  Hack  Lab     Best  Prac%ces   Q/A   Swag  
  • 5. #1  Injec6on   ▪  What  is  it?  
  • 8. #1  Injec6on   ▪  What  is  it?   –   Untrusted  data  is  sent  to  an  interpreter     –   command  /  query   –   headers   –   cookies   –   {..  any  other  form  of  input  ..}     –   Interpreter  is  tricked  into  execu6ng  unintended   commands  
  • 9. #1  Injec6on   ▪  What  all  is  suscep%ble?   –   SQL   –   Hadoop   –   SOAP   –   XML   –   {..Anything..}  
  • 10. #1  Injec6on   ▪  Why  does  it  happen?     ‒  Use  of  interpreters  doesn’t  clearly  separate  untrusted   data  from  commands   ‒  Lack  of  input  valida6on/  sani6za6on   ‒  AWacker  is  able  to  change  execu%on  context      
  • 11. #1  Injec6on   ▪  Basic  SQLi  example   SELECT  UserId,  Name,  Password  FROM  Users  WHERE  UserId  =  105  or  1=1  
  • 12. #1  Injec6on   ▪  How  to  prevent  it?   -  Use  APIs  that  provide  parameterized  /  sani%zed   interfaces   -  Validate  input  against  whitelist   -  DON’T  use  a  blacklist   -  Escape  special  characters  which  you  had  to  whitelist        
  • 13. #2  Broken  Authen6ca6on  &  Session  Management   ▪  Weak  Authen%ca%on  logic   ▪  Imperfect  implementa%on   ▪  Insufficient  protec%on  of  session  token   ▪  Etc.  
  • 14. #2  Broken  Authen6ca6on  &  Session  Management   ▪  How  to  prevent  it?           -  Use  strong  algorithms  to  generate  (random)  secrets     -  Protect  secrets  throughout  their  lifecycle   -  Consider  having  centralized  authen%ca%on  and  session   management  APIs   -  Implement  strong  account  management  func6ons  (e.g.,  account   crea%on,  change  password,  recover  password,  etc.)   -  Protect  against  XSS    
  • 15. #2  Broken  Authen6ca6on  &  Session  Management   ▪  Authen%ca%on  bypass  example  
  • 16. #3  Cross-­‐Site  Scrip6ng  (XSS)   ▪  What  is  it?   -  Applica%on  takes  untrusted  data     -  Sends  it  to  web  browser  without  proper  valida6on   and  encoding   -  Allows  aPackers  to  execute  scripts  in  the  vic6m’s   browser     -  hijack  user  sessions   -  deface  web  sites   -  redirect  user  to  malicious  sites   -  etc.  
  • 17. #3  Cross-­‐Site  Scrip6ng  (XSS)   ▪  Types  of  XSS   –   Reflected   –   Stored   –   DOM  based  
  • 18. #3  Reflected  Cross-­‐Site  Scrip6ng  (XSS)   ▪  Injected  script  is  instantly  reflected  off  the  web  server   ‒   error  message   ‒   search  result   ‒   any  other  response  that  includes  some  or  all  of  the                  input  sent   ▪  Delivered  via  another  route  to  the  vic%m     -  email,  other  website,  etc.  
  • 19. #3  Reflected  Cross-­‐Site  Scrip6ng  (XSS)   ▪  Example:   hWp://example.com/index.php?user=<script>alert(123);</script>  
  • 20. #3  Stored  Cross-­‐Site  Scrip6ng  (XSS)   ▪  Injected  script  is  permanently  stored  on  target  servers   -  database   -  message  forum   -  visitor  logs     -  comment  fields     ▪  Vic%m  then  retrieves  malicious  script  from  the  server  when   he  requests  the  stored  informa%on   ▪  Examples   -  Forums   -  Kibana  search  interface  for  Elas%csearch  
  • 21. #3  Cross-­‐Site  Scrip6ng  (XSS)   ▪  How  to  prevent  XSS?   ‒ Input  valida%on   ‒ Context  based  output  encoding     hWps://www.owasp.org/index.php/XSS_(Cross_Site_Scrip%ng)_Preven%on_Cheat_Sheet     ‒ Content  Security  Policy  ?    
  • 22. #4  Insecure  Direct  Object  References   ▪  Reference  to  internal  implementa%on  object  is  exposed   ▪  e.g.,  file,  directory,  database  key,  etc.   ▪  Lack  of  access  controls/  other  protec6ons   ▪  AWackers  can  manipulate  these  references  to  access  unauthorized  data  
  • 23. #4  Insecure  Direct  Object  References   ▪  Example:     ▪  Anyone  can  access  any  file  uploaded  on  HipChat  if  he  has  the  URL  
  • 24. #4  Insecure  Direct  Object  References   ▪  How  to  prevent  it?               -  Verify  user  is  authorized  to  access  the  exact  resource  they  have   requested   -  If  the  reference  is  an  indirect  reference,  does  mapping  to  the   direct  reference  fail  to  limit  the  values  to  those  authorized  for  the   current  user?              
  • 25. #5  Security  Misconfigura6on   ▪  Can  be  anywhere  in  the  tech  stack   ‒   planorm   ‒   web  server   ‒   database   ‒   framework   ‒   etc.   ▪   Collec%ve  effort  between  devs  and  Infra  
  • 26. #5  Security  Misconfigura6on   ▪  Example:   ‒   default  user  account  is  not  removed   ‒   script  kiddie  runs  automated  tool   ‒   tools  can  easily  detect  this   ‒   dang!      
  • 27. #5  Security  Misconfigura6on   ▪  How  to  prevent  it?   ‒  Security  hardening  throughout  Applica6on  Stack   ‒  Unnecessary  features  enabled  or  installed?     ‒  Secure  values  not  set?     ‒  Default  accounts/  passwords  s%ll  enabled  or  unchanged?   ‒  Overly  informa6ve  error  messages  to  users?   ‒  Sopware  out  of  date?          
  • 28. #6  Sensi6ve  Data  Exposure   ▪  Client  side   -  hardcoded  secrets,  cache,  headers,  excep%ons,  ..   ▪  In  transit     -  SSL  problems,  MITM,  ..   ▪  Server  side   -  weak  crypto/  keys/  hashes,  insufficient  DB  protec%on,  ..  
  • 29. #6  Sensi6ve  Data  Exposure   ▪  FB  access  token  example  
  • 30. #6  Sensi6ve  Data  Exposure   ▪  How  to  prevent  it?   ‒   Determine  what  data  needs  to  be  protected  and  how  much     ‒   Use  strong  crypto  algos/  keys  /  modes  /  passwords   ‒   Don’t  store  data  unnecessarily   ‒   Turn  off  autocomplete  on  forms  and  caching     ‒   Encrypt  all  sensi6ve  data  at  rest  and  transit  (internally  &  externally)   ‒   Control  access  to  sensi%ve  data    
  • 31. #7  Missing  Func6on  Level  Access  Control   ▪  Making  sure  only  the  right  people  have  access  to  the  right  func%ons   ▪  Func%ons  may  be  called  through   ‒   URL  parameters   ‒   REST  style  URLs   ‒   etc.?  
  • 32. #7  Missing  Func6on  Level  Access  Control     ▪  Facebook  12k  bug  bounty  which  let  anyone  delete  images  
  • 33. #7  Missing  Func6on  Level  Access  Control   ▪  How  to  prevent  it?   ‒   Hiding  func%onality  from  the  UI  won’t  help   ‒   Server  side  Authen6ca6on  and  Access  Control  checks   ‒   Server  side  checks  shouldn’t  solely  rely  on  informa%on  provided  by                    client   ‒   Deny  by  default   ‒   Central  authoriza%on  module  ?   ‒   Rate  limi%ng?  
• 34. #8 Cross-Site Request Forgery (CSRF)
▪ Attacker can formulate all HTTP parameters for a request
▪ Browsers send session cookies automatically
▪ Attacker tricks end user into executing unwanted actions on a web application in which he/she is currently authenticated
▪ Target: state changing functions
• 35. #8 Cross-Site Request Forgery (CSRF)
• 36. #8 Cross-Site Request Forgery (CSRF)
▪ Example:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
• 37. #8 Cross-Site Request Forgery (CSRF)
▪ Myth: Multistep transactions are immune to CSRF
▪ Attackers can easily forge a series of requests by using multiple tags or possibly JavaScript
• 38. #8 Cross-Site Request Forgery (CSRF)
▪ How to prevent it?
‒ Add unpredictability
‒ Unique random token
‒ CAPTCHA
‒ 2 factor confirmation
▪ There are OWASP libraries you can use, e.g., CSRF Guard
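Added example (not code from the talk or from CSRF Guard): the "unique random token" defence applied to the transferFunds endpoint from the slide above. A per-session token is issued with the form and checked with a constant-time compare on the server; the in-memory session store and the endpoint's return strings are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store (assumption); a real app uses its framework's session.
SESSIONS: Dict[str, Dict[str, str]] = {}

def new_session() -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid: str) -> str:
    """Token the server embeds in the transfer form as a hidden field (not in a GET URL)."""
    return SESSIONS[sid]["csrf_token"]

def transfer_funds(sid: str, method: str, params: dict) -> str:
    """State-changing endpoint: accepts only a POST that carries this session's token."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not authenticated"
    if method != "POST":
        # A forged <img src=...> can only produce a GET; state must never change on GET.
        return "405 method not allowed"
    submitted = params.get("csrf_token", "")
    # A third-party page cannot read the token out of the victim's session, so a forged
    # request lacks it. compare_digest keeps the check constant-time.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 csrf token missing or invalid"
    return "200 transferred {} to {}".format(params["amount"], params["destinationAccount"])
```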
• 39. #9 Using Components with Known Vulnerabilities
▪ Application/Tech Stack uses vulnerable components
‒ Frameworks
‒ Libraries
‒ Servers
‒ OSes
‒ other components
• 40. #9 Using Components with Known Vulnerabilities
▪ Easy exploitation using tools like Metasploit
• 41. #9 Using Components with Known Vulnerabilities
▪ How to prevent it?
‒ Keep a check on vulnerabilities that come out
‒ CVE
‒ Mailing lists
‒ Calculate risk
‒ Upgrade vulnerable components
• 42. #10 Unvalidated Redirects and Forwards
▪ Application takes input from user
▪ Uses it to formulate Redirect/Forward location without input validation
▪ Attacker misuses this for malicious redirections/forwarding
• 43. #10 Unvalidated Redirects and Forwards
▪ Attack scenarios:
‒ Malware installation
‒ Phishing
‒ Access Control bypass
▪ e.g.,
▪ https://login.opendns.com/umbrella/?return_to=https://dashboard2.opendns.com/
▪ https://login.opendns.com/umbrella/?return_to=https://dashboard2.opemdns.com/
• 44. #10 Unvalidated Redirects and Forwards
▪ How to prevent it?
‒ Avoid using user input to determine destination URL
‒ Whitelist allowed pages or external sites
‒ Ensure URL is valid and authorized for the user
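Added example (not code from the talk or from OpenDNS): a whitelist check for a return_to parameter like the one on the slide above. It accepts only an https URL whose hostname matches an allowed host exactly and falls back to a fixed default otherwise, so the look-alike host in the second example URL, a scheme-relative "//host", and a userinfo trick such as "https://allowed-host@other-host/" all land on the default. The allowlist and default are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist (assumption): the only hosts the login page may redirect to.
ALLOWED_HOSTS = {"dashboard2.opendns.com", "dashboard.opendns.com"}
DEFAULT_TARGET = "https://dashboard2.opendns.com/"

def safe_return_to(return_to):
    """Return a redirect target on the allowlist, or DEFAULT_TARGET if the input is unsafe.

    Falling back instead of raising means a bad parameter can never send the user off-site.
    """
    if not return_to:
        return DEFAULT_TARGET
    parts = urlsplit(return_to)
    # Absolute https only: rejects "//evil", "javascript:", "http:" and bare paths.
    if parts.scheme.lower() != "https" or not parts.netloc:
        return DEFAULT_TARGET
    host = parts.hostname  # lower-cased, with any userinfo and port stripped
    # Exact hostname match, never endswith/substring: "opemdns.com" and
    # "dashboard2.opendns.com.evil.example" both fail here.
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # If netloc is not just the bare host, something was smuggled in ("user@", ":port");
    # refuse rather than try to clean it.
    if parts.netloc.lower() != host:
        return DEFAULT_TARGET
    # Rebuild from parsed parts with the hostname normalised and any fragment dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```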
• 45. Setup
Destroy your Docker container / stop the web server running the vulnerable application
• 46. Agenda
Most Common Mistakes + Hack Lab
Best Practices
Q/A
Swag
• 47. Security Planning
▪ Involve the Security team when planning a big feature / product
▪ Have Security features or controls added to User Stories when planning
• 48. Using 3rd Party Code
▪ What to do when using:
– Security Libraries
– Other Libraries
• 49. Defense in Depth
▪ Why is it important?
- fail-overs
- edge cases
- adding more friction for attackers
• 50. Keep Software, Technologies etc. updated
▪ Why is it important?
‒ Better and more features
‒ Security vulnerabilities get patched in newer versions
‒ Newer versions get the most attention
‒ Old ones stop getting support
‒ Turn on auto updates for Chrome
‒ Look at updates on the App Store
• 51. Use Hard Passwords
▪ Why is it important?
‒ Brute forcing passwords
‒ Dictionary based attacks
‒ Hash cracking
▪ Use a password manager
▪ Password Manager for shared accounts
▪ Reset when someone leaves
• 52. Be Minimalistic
▪ Principle of Least Privilege
‒ Employee termination
‒ Mistakes
‒ Vulnerabilities in other S/W which leverage this
▪ Don't install redundant software, plugins, etc.
- Maintenance issues
- People forget to uninstall them
- Don't get much attention from the community
- Open ports / services
• 53. Don't Hardcode Secrets in Source Code
▪ Put them in a config file
▪ Keep that in a secure place
▪ Restrict access to it
• 54. Input Validation
▪ Why is it important?
‒ Input coming from outside the trust boundary
‒ Clean it on the first point of entry
‒ Future dependencies more secure
‒ If reusing some user input from db / internal storage, sanitize it as per your program's context
‒ Multiple orders of Injection
• 55. Error Handling
▪ Why is it important?
▪ Least information disclosure
• 56. Logging and Alerting
▪ Why is it important?
‒ Identify threats
‒ Investigations
‒ Mitigate problems before they become too big
‒ Good also from functionality and QA standpoint