SlideShare une entreprise Scribd logo
1  sur  53
Télécharger pour lire hors ligne
The Art of Identifying
Vulnerabilities
CascadiaFest 2015
adam_baldwin
evilpacket
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
The Art of Identifying
Vulnerabilities
CascadiaFest 2015
What is a vulnerability?
Is it a bug?
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
A PROMISE
THAT CAN BE
BROKEN
Systems knowledge
Security knowledge
Curiosity
To find vulnerabilities
SYSTEMS
Vulnerabilities grow in
the cracks between
nuances & assumptions
You must understand the
nuances of the systems
you create and consume
https://www.youtube.com/watch?v=8aGhZQkoFbQ
What the heck is the
event loop anyway?
JavaScript Nuances
http://dorey.github.io/JavaScript-Equality-Table/
http://nrn.io/view/javascript-common-pitfalls
http://youdontknowjs.com
JavaScript Nuances
db.passwd == user.passwd
The comparison x == y, where x and y are values, produces true or false. Such a comparison is performed as follows:
If Type(x) is the same as Type(y), then
If Type(x) is Undefined, return true.
If Type(x) is Null, return true.
If Type(x) is Number, then
If x is NaN, return false.
If y is NaN, return false.
If x is the same Number value as y, return true.
If x is +0 and y is −0, return true.
If x is −0 and y is +0, return true.
Return false.
If Type(x) is String, then return true if x and y are exactly the same sequence of characters (same length and same characters in corresponding positions). Otherwise, return false.
If Type(x) is Boolean, return true if x and y are both true or both false. Otherwise, return false.
Return true if x and y refer to the same object. Otherwise, return false.
If x is null and y is undefined, return true.
If x is undefined and y is null, return true.
If Type(x) is Number and Type(y) is String,
return the result of the comparison x == ToNumber(y).
If Type(x) is String and Type(y) is Number,
return the result of the comparison ToNumber(x) == y.
If Type(x) is Boolean, return the result of the comparison ToNumber(x) == y.
If Type(y) is Boolean, return the result of the comparison x == ToNumber(y).
If Type(x) is either String or Number and Type(y) is Object,
return the result of the comparison x == ToPrimitive(y).
If Type(x) is Object and Type(y) is either String or Number,
return the result of the comparison ToPrimitive(x) == y.
Return false.
NOTE 1 Given the above definition of equality:
String comparison can be forced by: "" + a == "" + b.
Numeric comparison can be forced by: +a == +b.
Boolean comparison can be forced by: !a == !b.
NOTE 2 The equality operators maintain the following invariants:
A != B is equivalent to !(A == B).
A == B is equivalent to B == A, except in the order of evaluation of A and B.
NOTE 3 The equality operator is not always transitive. For example, there might be two distinct String objects, each representing the same String value; each String object would be considered equal to the String value by the == operator, but the two String
objects would not be equal to each other. For Example:
new String("a") == "a" and "a" == new String("a")are both true.
new String("a") == new String("a") is false.
NOTE 4 Comparison of Strings uses a simple equality test on sequences of code unit values. There is no attempt to use the more complex, semantically oriented definitions of character or string equality and collating order defined in the Unicode
specification. Therefore Strings values that are canonically equal according to the Unicode standard could test as unequal. In effect this algorithm assumes that both Strings are already in normalised form.
The Abstract Equality Comparison Algorithm
ಠ_ಠ
Vulnerabilities are
prevalent between one
system & another
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
Whose code are you
running in production?
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
Vulnerabilities multiply
in the presence of
complexity
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
SECURITY
Let's put on our security hat
Where to start?
Think like an attacker.
"The trust that happens without conscious decision, like
a person sitting in a chair assuming someone hasn't
removed one of the legs since they last sat in it."
- Jon Lamendola
"Thinking like an attacker means that we try to push
the boundaries of useful things to see how we can get
them to do something that it was not designed for."
- Matt Lowe
What promises does it make?
How does it make money?
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
OWASP Top 10
Broken auth & Session
Management
Injection
Security Misconfiguration
Insecure Direct Object Reference
Cross-Site Scripting (XSS)
Missing Function Level Access
Control
Sensitive Data Exposure
Unvalidated Redirects &
Forwards
Using Known Vulnerable
Components
Cross-Site Request Forgery
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
nodesecurity.io/advisories
https://github.com/paragonie/awesome-appsec
Learn from others
CURIOSITY
If you don't look, you
won't find anything.
Act Ridiculous
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
How can it be used in other
ways?
Ask questions, avoid
statements
"A User would never..."
It's about what you don't
know not what you know
DEMO
Understand the Code & Threat
Model
Identify Inputs (Sources)
Identify Sinks
Follow the data
Source -> Sink
Test & Validate
Repeat
tldr; Process
The Art of Identifying Vulnerabilities  - CascadiaFest 2015
Understand the Code
• "miliseconds conversion utility"
• Simple JS without strict mode
• Doesn't use any builtins (core functions)
• It's intended to be used in the browser and
server side
FOLLOW THE DATA
SOURCE SINK
Identify Inputs (sources)
• exports is one function
• takes a value
• Takes optional options argument
Identify data Sinks
• Converted value is returned
• regex is a sink that has known attacks
(regular expression denial of service)
1 var match = /^((?:d+)?.?d+) *(milliseconds?|msecs?|ms|
seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|
yrs?|y)?$/i.exec(str);
cat index.js | esgraph | dot -Tpng
> out.png
1 var ms = require('./');
2 var genstr = function (len, chr) {
3 var result = "";
4 for (i=0; i<=len; i++) {
5 result = result + chr;
6 }
7
8 return result;
9 }
10
11 ms(genstr(process.argv[2], "5") + " minutea");
Test & Validate
Test & Validate
Length Run time (seconds)
10000 0.720
20000 2.491
30000 5.629
40000 12.386
Be okay with boring, monotonous
and unfruitful testing
Be persistent
</presentation>
adam_baldwin
evilpacket

Contenu connexe

En vedette

Continuous Security
Continuous SecurityContinuous Security
Continuous SecurityAdam Baldwin
 
Security First - Adam Baldwin
Security First - Adam BaldwinSecurity First - Adam Baldwin
Security First - Adam BaldwinAdam Baldwin
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseAdam Baldwin
 
DevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOpsSg
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsDevSecCon
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDFranklin Mosley
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016   intelliment securityDev seccon london 2016   intelliment security
Dev seccon london 2016 intelliment securityDevSecCon
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introductionStefan Streichsbier
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessSeniorStoryteller
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dominic Tancredi
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile worldStefan Streichsbier
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Ulf Mattsson
 

En vedette (20)

Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Security First - Adam Baldwin
Security First - Adam BaldwinSecurity First - Adam Baldwin
Security First - Adam Baldwin
 
Nodevember 2015
Nodevember 2015Nodevember 2015
Nodevember 2015
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)
 
Node Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the EnterpriseNode Day - Node.js Security in the Enterprise
Node Day - Node.js Security in the Enterprise
 
DevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August MeetupDevSecOps SG Introduction - August Meetup
DevSecOps SG Introduction - August Meetup
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
 
Dev seccon london 2016 intelliment security
Dev seccon london 2016   intelliment securityDev seccon london 2016   intelliment security
Dev seccon london 2016 intelliment security
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)
 
Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017Evident io Continuous Compliance - Mar 2017
Evident io Continuous Compliance - Mar 2017
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
Myths and realities of data security and compliance - Isaca Alanta - ulf matt...
 

Similaire à The Art of Identifying Vulnerabilities - CascadiaFest 2015

Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...
Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...
Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...PVS-Studio
 
Big Brother helps you
Big Brother helps youBig Brother helps you
Big Brother helps youPVS-Studio
 
A well-typed program never goes wrong
A well-typed program never goes wrongA well-typed program never goes wrong
A well-typed program never goes wrongJulien Wetterwald
 
Fast Automated Unpacking and Classification of Malware
Fast Automated Unpacking and Classification of MalwareFast Automated Unpacking and Classification of Malware
Fast Automated Unpacking and Classification of MalwareSilvio Cesare
 
Real World Haskell: Lecture 4
Real World Haskell: Lecture 4Real World Haskell: Lecture 4
Real World Haskell: Lecture 4Bryan O'Sullivan
 
Accord.Net: Looking for a Bug that Could Help Machines Conquer Humankind
Accord.Net: Looking for a Bug that Could Help Machines Conquer HumankindAccord.Net: Looking for a Bug that Could Help Machines Conquer Humankind
Accord.Net: Looking for a Bug that Could Help Machines Conquer HumankindPVS-Studio
 
Source code of WPF samples by Microsoft was checked
Source code of WPF samples by Microsoft was checkedSource code of WPF samples by Microsoft was checked
Source code of WPF samples by Microsoft was checkedPVS-Studio
 
findbugs Bernhard Merkle
findbugs Bernhard Merklefindbugs Bernhard Merkle
findbugs Bernhard Merklebmerkle
 
AI and ML Skills for the Testing World Tutorial
AI and ML Skills for the Testing World TutorialAI and ML Skills for the Testing World Tutorial
AI and ML Skills for the Testing World TutorialTariq King
 
JavaScript Foundations Day1
JavaScript Foundations Day1JavaScript Foundations Day1
JavaScript Foundations Day1Troy Miles
 
Looking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelopLooking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelopPVS-Studio
 
Working Effectively With Legacy Code
Working Effectively With Legacy CodeWorking Effectively With Legacy Code
Working Effectively With Legacy CodeNaresh Jain
 
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...cscpconf
 
AML_030607.ppt
AML_030607.pptAML_030607.ppt
AML_030607.pptbutest
 
DSR Testing (Part 1)
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)Steve Upton
 
DISE - Windows Based Application Development in C#
DISE - Windows Based Application Development in C#DISE - Windows Based Application Development in C#
DISE - Windows Based Application Development in C#Rasan Samarasinghe
 

Similaire à The Art of Identifying Vulnerabilities - CascadiaFest 2015 (20)

Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...
Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...
Microsoft opened the source code of Xamarin.Forms. We couldn't miss a chance ...
 
Big Brother helps you
Big Brother helps youBig Brother helps you
Big Brother helps you
 
A well-typed program never goes wrong
A well-typed program never goes wrongA well-typed program never goes wrong
A well-typed program never goes wrong
 
Fast Automated Unpacking and Classification of Malware
Fast Automated Unpacking and Classification of MalwareFast Automated Unpacking and Classification of Malware
Fast Automated Unpacking and Classification of Malware
 
Real World Haskell: Lecture 4
Real World Haskell: Lecture 4Real World Haskell: Lecture 4
Real World Haskell: Lecture 4
 
Accord.Net: Looking for a Bug that Could Help Machines Conquer Humankind
Accord.Net: Looking for a Bug that Could Help Machines Conquer HumankindAccord.Net: Looking for a Bug that Could Help Machines Conquer Humankind
Accord.Net: Looking for a Bug that Could Help Machines Conquer Humankind
 
Source code of WPF samples by Microsoft was checked
Source code of WPF samples by Microsoft was checkedSource code of WPF samples by Microsoft was checked
Source code of WPF samples by Microsoft was checked
 
findbugs Bernhard Merkle
findbugs Bernhard Merklefindbugs Bernhard Merkle
findbugs Bernhard Merkle
 
AI and ML Skills for the Testing World Tutorial
AI and ML Skills for the Testing World TutorialAI and ML Skills for the Testing World Tutorial
AI and ML Skills for the Testing World Tutorial
 
Overview of Java
Overview of Java Overview of Java
Overview of Java
 
JavaScript Foundations Day1
JavaScript Foundations Day1JavaScript Foundations Day1
JavaScript Foundations Day1
 
Pythonintro
PythonintroPythonintro
Pythonintro
 
Looking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelopLooking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelop
 
Robots in Swift
Robots in SwiftRobots in Swift
Robots in Swift
 
Working Effectively With Legacy Code
Working Effectively With Legacy CodeWorking Effectively With Legacy Code
Working Effectively With Legacy Code
 
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...
AN ALTERNATIVE APPROACH FOR SELECTION OF PSEUDO RANDOM NUMBERS FOR ONLINE EXA...
 
AML_030607.ppt
AML_030607.pptAML_030607.ppt
AML_030607.ppt
 
DSR Testing (Part 1)
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)
 
Type Systems
Type SystemsType Systems
Type Systems
 
DISE - Windows Based Application Development in C#
DISE - Windows Based Application Development in C#DISE - Windows Based Application Development in C#
DISE - Windows Based Application Development in C#
 

Plus de Adam Baldwin

Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resourcesAdam Baldwin
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain SecurityAdam Baldwin
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItAdam Baldwin
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitAdam Baldwin
 
Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Adam Baldwin
 
JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersAdam Baldwin
 
EV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaEV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaAdam Baldwin
 
Writing an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy stepsWriting an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy stepsAdam Baldwin
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Adam Baldwin
 

Plus de Adam Baldwin (9)

Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
 
Building a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into ItBuilding a Threat Model & How npm Fits Into It
Building a Threat Model & How npm Fits Into It
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
 
Node Security Project - LXJS 2013
Node Security Project - LXJS 2013Node Security Project - LXJS 2013
Node Security Project - LXJS 2013
 
JSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs BreakersJSConf 2013 Builders vs Breakers
JSConf 2013 Builders vs Breakers
 
EV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of LuaEV1LSHA - Misadventures in the land of Lua
EV1LSHA - Misadventures in the land of Lua
 
Writing an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy stepsWriting an (in)secure webapp in 3 easy steps
Writing an (in)secure webapp in 3 easy steps
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010
 

Dernier

All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Dernier (20)

All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

The Art of Identifying Vulnerabilities - CascadiaFest 2015

  • 1. The Art of Identifying Vulnerabilities CascadiaFest 2015
  • 4. The Art of Identifying Vulnerabilities CascadiaFest 2015
  • 5. What is a vulnerability?
  • 6. Is it a bug?
  • 8. A PROMISE THAT CAN BE BROKEN
  • 11. Vulnerabilities grow in the cracks between nuances & assumptions
  • 12. You must understand the nuances of the systems you create and consume
  • 16. The comparison x == y, where x and y are values, produces true or false. Such a comparison is performed as follows: If Type(x) is the same as Type(y), then If Type(x) is Undefined, return true. If Type(x) is Null, return true. If Type(x) is Number, then If x is NaN, return false. If y is NaN, return false. If x is the same Number value as y, return true. If x is +0 and y is −0, return true. If x is −0 and y is +0, return true. Return false. If Type(x) is String, then return true if x and y are exactly the same sequence of characters (same length and same characters in corresponding positions). Otherwise, return false. If Type(x) is Boolean, return true if x and y are both true or both false. Otherwise, return false. Return true if x and y refer to the same object. Otherwise, return false. If x is null and y is undefined, return true. If x is undefined and y is null, return true. If Type(x) is Number and Type(y) is String, return the result of the comparison x == ToNumber(y). If Type(x) is String and Type(y) is Number, return the result of the comparison ToNumber(x) == y. If Type(x) is Boolean, return the result of the comparison ToNumber(x) == y. If Type(y) is Boolean, return the result of the comparison x == ToNumber(y). If Type(x) is either String or Number and Type(y) is Object, return the result of the comparison x == ToPrimitive(y). If Type(x) is Object and Type(y) is either String or Number, return the result of the comparison ToPrimitive(x) == y. Return false. NOTE 1 Given the above definition of equality: String comparison can be forced by: "" + a == "" + b. Numeric comparison can be forced by: +a == +b. Boolean comparison can be forced by: !a == !b. NOTE 2 The equality operators maintain the following invariants: A != B is equivalent to !(A == B). A == B is equivalent to B == A, except in the order of evaluation of A and B. NOTE 3 The equality operator is not always transitive. For example, there might be two distinct String objects, each representing the same String value; each String object would be considered equal to the String value by the == operator, but the two String objects would not be equal to each other. For Example: new String("a") == "a" and "a" == new String("a")are both true. new String("a") == new String("a") is false. NOTE 4 Comparison of Strings uses a simple equality test on sequences of code unit values. There is no attempt to use the more complex, semantically oriented definitions of character or string equality and collating order defined in the Unicode specification. Therefore Strings values that are canonically equal according to the Unicode standard could test as unequal. In effect this algorithm assumes that both Strings are already in normalised form. The Abstract Equality Comparison Algorithm ಠ_ಠ
  • 19. Whose code are you running in production?
  • 21. Vulnerabilities multiply in the presence of complexity
  • 24. Let's put on our security hat
  • 25. Where to start? Think like an attacker.
  • 26. "The trust that happens without conscious decision, like a person sitting in a chair assuming someone hasn't removed one of the legs since they last sat in it." - Jon Lamendola
  • 27. "Thinking like an attacker means that we try to push the boundaries of useful things to see how we can get them to do something that it was not designed for." - Matt Lowe
  • 28. What promises does it make?
  • 29. How does it make money?
  • 31. OWASP Top 10 Broken auth & Session Management Injection Security Misconfiguration Insecure Direct Object Reference Cross-Site Scripting (XSS) Missing Function Level Access Control Sensitive Data Exposure Unvalidated Redirects & Forwards Using Known Vulnerable Components Cross-Site Request Forgery
  • 36. If you don't look, you won't find anything.
  • 39. How can it be used in other ways?
  • 40. Ask questions, avoid statements "A User would never..."
  • 41. It's about what you don't know not what you know
  • 42. DEMO
  • 43. Understand the Code & Threat Model Identify Inputs (Sources) Identify Sinks Follow the data Source -> Sink Test & Validate Repeat tldr; Process
  • 45. Understand the Code • "miliseconds conversion utility" • Simple JS without strict mode • Doesn't use any builtins (core functions) • It's intended to be used in the browser and server side
  • 47. Identify Inputs (sources) • exports is one function • takes a value • Takes optional options argument
  • 48. Identify data Sinks • Converted value is returned • regex is a sink that has known attacks (regular expression denial of service) 1 var match = /^((?:d+)?.?d+) *(milliseconds?|msecs?|ms| seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?| yrs?|y)?$/i.exec(str);
  • 49. cat index.js | esgraph | dot -Tpng > out.png
  • 50. 1 var ms = require('./'); 2 var genstr = function (len, chr) { 3 var result = ""; 4 for (i=0; i<=len; i++) { 5 result = result + chr; 6 } 7 8 return result; 9 } 10 11 ms(genstr(process.argv[2], "5") + " minutea"); Test & Validate
  • 51. Test & Validate Length Run time (seconds) 10000 0.720 20000 2.491 30000 5.629 40000 12.386
  • 52. Be okay with boring, monotonous and unfruitful testing Be persistent