12. Small companies don't have $$$ to spend on all
the latest tools, like Burp Suite, etc.
There are excellent free and open-source tools (the ones used in this talk).
The tools don't replace thinking.
13. "security, just like disaster recovery, is a lifestyle,
not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849
21. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view…
DREAD Parameter  | Rating | Rationale
Damage Potential | 5      | An attacker could read and alter data in the product database.
Reproducibility  | 10     | Can reproduce every time.
Exploitability   | 2      | Easily exploitable by automated tools found on the Internet.
Affected Users   | 1      | Affects critical administrative users.
Discoverability  | 1      | Affected page “admin.aspx” easily guessed by an attacker.
Overall Rating   | 3.8    | Mean of the five ratings (19 / 5).
22. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view…
DREAD Parameter  | Rating | Rationale
Damage Potential | 10     | An attacker could read and alter data in the product database.
Reproducibility  | 10     | Can reproduce every time.
Exploitability   | 10     | Easily exploitable by automated tools found on the Internet.
Affected Users   | 10     | Affects critical administrative users.
Discoverability  | 10     | Affected page “admin.aspx” easily guessed by an attacker.
Overall Rating   | 10     | Mean of the five ratings (50 / 5). Same finding, same rationale text, very different number.
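The DREAD arithmetic from the two slides above, as an added Python example that is not from the talk or the MSDN article: it recomputes both overall ratings from the tabled scores and lists the parameters where the two raters diverge most, which the mean alone hides. The risk bands are an assumption for illustration, not part of the article's scale.

```python
"""DREAD scoring: added example, not from the slides or the MSDN article.

Each of the five parameters is rated 1-10 and the overall rating is their
mean. The two dictionaries reproduce the ratings tabled on the slides: the
developer's and the tester's assessment of the same finding with the same
rationale text.
"""
from statistics import mean

PARAMETERS = ("Damage Potential", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability")

# Ratings copied from the two slides.
DEVELOPER_VIEW = {"Damage Potential": 5, "Reproducibility": 10,
                  "Exploitability": 2, "Affected Users": 1, "Discoverability": 1}
TESTER_VIEW = {"Damage Potential": 10, "Reproducibility": 10,
               "Exploitability": 10, "Affected Users": 10, "Discoverability": 10}


def dread_score(ratings):
    """Overall DREAD rating: the mean of the five 1-10 ratings, to one decimal."""
    missing = set(PARAMETERS) - set(ratings)
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    for name in PARAMETERS:
        if not 1 <= ratings[name] <= 10:
            raise ValueError(f"{name}: rating must be 1-10, got {ratings[name]}")
    return round(mean(ratings[name] for name in PARAMETERS), 1)


def risk_band(score):
    """Assumed bands for a 1-10 scale (an illustration, not from the article)."""
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def disagreements(view_a, view_b):
    """Per-parameter gap between two raters, largest first.

    The mean hides this: a 3.8 and a 10 for the same finding means the
    ratings, not the finding, need to be argued out before either number
    goes into a report.
    """
    gaps = {name: abs(view_a[name] - view_b[name]) for name in PARAMETERS}
    return sorted(gaps.items(),
                  key=lambda kv: (-kv[1], PARAMETERS.index(kv[0])))


if __name__ == "__main__":
    for label, view in (("developer", DEVELOPER_VIEW), ("tester", TESTER_VIEW)):
        score = dread_score(view)
        print(f"{label:>9}: {score} ({risk_band(score)})")
    for name, gap in disagreements(DEVELOPER_VIEW, TESTER_VIEW):
        print(f"  {name}: gap {gap}")
```

Run as a script it prints the 3.8 and 10 from the slides and then the gaps, with Affected Users and Discoverability (9 points apart) at the top: the two raters agree the bug is reproducible every time and disagree about everything else.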
24. OWASP Top 10
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
25. OWASP TOP 10
A1: Injection
http://example.com/app/accountView?id='
A2: Broken Authentication and Session Management
http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
A3: Cross Site Scripting (XSS)
<script>alert('test');</script>
A4: Insecure Direct Object References
http://example.com/app/accountInfo?acct=notmyacct
A5: Security Misconfiguration
Default admin account enabled;
directory listings shown on site;
stack traces shown to users
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
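A1 and A4 above, as an added Python example that is not from the slides or the OWASP document: an in-memory SQLite table stands in for the product database (the table name, columns and three rows are constructed here), and each vulnerable handler sits beside its fix. The slide's probe `id='` breaks the concatenated statement, `0 OR 1=1` dumps every account, and `acct=2` returns another user's row until the query is scoped to the logged-in user.

```python
"""A1 injection and A4 insecure direct object reference, with fixes.

Added example, not from the slides or the OWASP document. The accounts
table, its columns and the three rows are constructed here to stand in for
the "product database"; the URLs on the slide map onto the function
parameters (id= -> id_param, acct= -> acct_param).
"""
import sqlite3


def make_db():
    """Constructed in-memory database with a few accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 100), (2, "bob", 250), (3, "carol", 9000)])
    return db


# A1: accountView?id=<value> is pasted straight into the statement.
# The slide's probe id=' leaves an unterminated string and the database
# throws; id=0 OR 1=1 makes the WHERE clause always true and dumps the table.
def account_view_vulnerable(db, id_param):
    sql = "SELECT id, owner, balance FROM accounts WHERE id = " + id_param
    return db.execute(sql).fetchall()


# A1 fix: the value is bound as a parameter, so it is never parsed as SQL.
# Coercing to int first also rejects anything that is not an account id.
def account_view_safe(db, id_param):
    try:
        acct_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                      (acct_id,)).fetchall()


# A4: accountInfo?acct=<value> is parameterized (no A1 problem) but nothing
# ties the requested id to the logged-in user, so acct=2 as alice returns bob.
def account_info_vulnerable(db, current_user, acct_param):
    return db.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                      (int(acct_param),)).fetchall()


# A4 fix: the reference is resolved relative to the authenticated user; an
# id the user does not own simply does not exist from their point of view.
def account_info_safe(db, current_user, acct_param):
    return db.execute("SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
                      (int(acct_param), current_user)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(account_view_vulnerable(db, "0 OR 1=1"))    # every row
    print(account_view_safe(db, "0 OR 1=1"))          # []
    print(account_info_vulnerable(db, "alice", "2"))  # bob's row
    print(account_info_safe(db, "alice", "2"))        # []
```

The A4 fix is the part scanners such as ZAP cannot judge for you: the request is well-formed and the query is parameterized, so only someone who knows which user should be allowed to see account 2 can say the response is wrong.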
26. OWASP TOP 10
A6: Sensitive Data Exposure
TLS/SSL not being used
Heartbleed
Bad programming (Obamacare)
A7: Missing Function Level Access Control
Accessing functions or pages you shouldn't be able to reach
A8: Cross-Site Request Forgery
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
A9: Using Components with Known Vulnerabilities
Not patching your 3rd party sh*t
A10: Unvalidated Redirects and Forwards
http://www.example.com/redirect.jsp?url=evil.com
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
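A8 and A10 above, as an added Python example that is not part of the original slides: the cookie-only transfer handler beside one that checks a synchronizer token, and the open redirect beside one that follows only local paths or URLs on the application's own host. The session dictionary, the host name `example.com` and the token format are assumptions made for the example.

```python
"""A8 CSRF and A10 unvalidated redirect, each beside its fix.

Added example, not part of the original slides. The session is a plain
dict standing in for server-side session state, OUR_HOST is the assumed
host of the application, and the token format is an assumption.
"""
import hmac
import secrets
from urllib.parse import urlsplit

OUR_HOST = "example.com"  # assumed: the only host we may redirect to


# A8: transferFunds?amount=...&destinationAccount=... only checks the session
# cookie. The slide's hidden <img> on an attacker's page makes the victim's
# browser send exactly this request, cookie attached, with nothing secret in it.
def transfer_funds_vulnerable(session, amount, dest):
    if not session.get("user"):
        return "login required"
    return f"transferred {amount} to {dest}"


def issue_csrf_token(session):
    """Synchronizer token: generated server-side, stored in the session and
    embedded in the form. A cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


# A8 fix: the state-changing request must carry the token from the session.
def transfer_funds_safe(session, amount, dest, submitted_token):
    if not session.get("user"):
        return "login required"
    expected = session.get("csrf")
    if not expected or not submitted_token:
        return "rejected: bad CSRF token"
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return "rejected: bad CSRF token"
    return f"transferred {amount} to {dest}"


# A10: redirect.jsp?url=<value> forwards wherever the parameter says.
def redirect_target_vulnerable(url_param):
    return url_param


# A10 fix: follow only a local absolute path or a URL on our own host.
# "//evil.com" (protocol-relative), "/\evil.com" (browsers read the
# backslash as a slash), "example.com@evil.com" userinfo tricks and
# non-http schemes all fall through to the fallback.
def redirect_target_safe(url_param, fallback="/"):
    if "\\" in url_param or any(ord(c) < 0x20 for c in url_param):
        return fallback
    parts = urlsplit(url_param)
    if not parts.scheme and not parts.netloc:
        if url_param.startswith("/") and not url_param.startswith("//"):
            return url_param
        return fallback
    if parts.scheme in ("http", "https") and parts.hostname == OUR_HOST:
        return url_param
    return fallback


if __name__ == "__main__":
    session = {"user": "victim"}
    print(transfer_funds_vulnerable(session, 1500, "attackersAcct"))
    print(transfer_funds_safe(session, 1500, "attackersAcct", None))
    token = issue_csrf_token(session)
    print(transfer_funds_safe(session, 1500, "attackersAcct", token))
    for url in ("evil.com", "//evil.com/", "https://example.com@evil.com/",
                "/app/home", "https://example.com/app/home"):
        print(url, "->", redirect_target_safe(url))
```

The SameSite cookie attribute in the references is a second layer for A8, not a replacement: the token check still holds where SameSite does not, for example a request launched from a sibling subdomain, which browsers count as same-site.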
27. Vulnerability | Tool
A1: Injection | SQLMap or ZAP
A2: Broken Authentication and Session Management | ZAP
A3: Cross Site Scripting (XSS) | ZAP
A4: Insecure Direct Object References | ZAP
A5: Security Misconfiguration | OpenVAS
A6: Sensitive Data Exposure | Your brain…
A7: Missing Function Level Access Control | OpenVAS
A8: Cross-Site Request Forgery | ZAP
A9: Using Components with Known Vulnerabilities | OpenVAS (OWASP Dependency-Check for application libraries)
A10: Unvalidated Redirects and Forwards | ZAP
28. Demos: Setup
VirtualBox running “OWASP Broken Web Apps”
This VM has LOTS of deliberately vulnerable web applications
that are designed to learn from.
29. What is Wireshark?
Network packet / protocol analysis tool
Allows users to capture network traffic from any
interface, like Ethernet, Wi-Fi, Bluetooth, USB, etc.
38. What is OWASP ZAP?
Finds security vulnerabilities in your web applications
Can be used both manually and in an automated manner
39. Why use ZAP?
Can be used to find many of the Top 10 vulnerabilities
Can be quickly integrated into your manual or automated workflow
Can be used in passive mode (inspects the traffic you proxy through it without sending anything extra)
or active mode (sends its own attack requests to the target, so only point it at systems you are authorized to test)
48. Threat Modeling - What is it?
A way to analyze and communicate security
related problems
This is a much larger topic than we have time for
… but I’ll give you the basics
49. Threat Modeling - Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have
the basics to be able to build a model
55. Threat Modeling
Can be done at various stages of the SDLC
Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
68. References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
Speaker notes
Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control.
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
Short URLs Considered Harmful for Cloud Services
Scan revealed over 270,000 publicly accessible OneDrive documents.
A similar scan of 100,000,000 random 7-character bit.ly tokens yielded URLs to 1,000,000 publicly accessible OneDrive documents, many of which contained private information.
Around 7% of the OneDrive folders discovered in this fashion allow writing.
This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware.
Microsoft’s virus scanning for OneDrive accounts is trivial to evade (for example, it fails to discover even the test EICAR virus if the attacker goes to the trouble of compressing it). Furthermore, OneDrive “synchronizes” account contents across the user’s OneDrive clients. Therefore, the injected malware will be automatically downloaded to all of the user’s machines and devices running OneDrive.
Before September 2015, short goo.gl/maps URLs used 5-character tokens.
Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions.
Not talking about:
Secure coding
Infrastructure
SDLC
I'm trying to keep this talk from the perspective of someone who has been through a few 'audits'
Typically customer-initiated
Note: we always passed because…
Security is like disaster recovery, it’s a life style… not something you need to do when you need to do it.
This isn’t just a talk
Identification tool,
Spoofing: illegally access and use another user's credentials, such as username and password.
Tampering: maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
Repudiation: illegal operations in a system that lacks the ability to trace the prohibited operations.
Information disclosure: read a file that one was not granted access to, or to read data in transit.
Denial of service: Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
Elevation of privilege: Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
The second example I gave goes into A4
The first example at the beginning of the talk fell directly into A2, A6 and A7. Could have been caught, if someone had thought about it. (the LEAF car)
A2: Application's timeouts aren't set properly… someone closes a browser and the session isn't invalidated.
A3: input isn't sanitized or output-encoded, thus allowing script to run in the victim's browser.
The first example at the beginning of the talk fell directly into A6 and A7. Could have been caught, if someone had thought about it. (the LEAF car)
A8 - The application allows a user to submit a state changing request that does not include anything secret. For example:
So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control:
A9: Rather simple one: https://www.owasp.org/index.php/OWASP_Dependency_Check
A10: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
Basically, if you're doing an audit of your system, you can see all the information that is coming/going from it, record it and search on it.
Open Web Application Security Project
Intro into Wireshark
QUESTION: who uses Wireshark? Dev tools on your browser?
Provide my example: I work at a networking company… it is important to find out what data is being transferred between the various devices on the network, so I'm looking at much more than just ports 80 and 443
Every packet is captured
Hit a web site
The idea: you can see everything on the wire. If the traffic is HTTPS you'll need the server's private key to decrypt it (and with forward-secret cipher suites the per-session keys instead, e.g. from a TLS key log), and depending on your company you might get it for testing purposes
No proxy required
This is a great tool for not just the dev tools portion, but if you're doing a threat analysis you can also find out what is incoming/outgoing using this (and tcpdump)
Search around in there using display filters such as http, tcp, ip.addr
Explain what I use it for
SHOW:
How to capture packets
Display filters
Follow the stream/conversation
Access to all the protocols
Lots of stuff is still insecure: SNMP (v1/v2c send the community string in cleartext), 3rd party tools. Getting right down to the wire and finding out is sometimes the best way to tackle this.
SHOW:
- limit requests and captures
Active/Passive meaning?
The ability to communicate the threat.
This is one way to get buy in (where there might not be buy in)
Now that you have data to show there are vul'n... you need to be able to articulate that to a wider audience. Maybe management, maybe a customer. This tool will help you do that and provide guidance on how to fix issues.
Product functionality?
- What does it do? Does a human interact with it? Is there a web interface? REST interface? Is it SaaS? On-prem? Will people upload/submit data to the system?
Technologies used?
- Linux? Java? Postgres? Spring? Scala? Do you have your security patches applied?
Processes?
- What's running on these boxes? Who's running them? What ports do they have open? Can anyone access them?
Using tools like OWASP ZAP, Wireshark, etc, you can build yourself a plan
These tools can help you articulate the risk
Get a plan together and get your manager to sign off on it.
Talk about my example:
Decided to pick a vector (A?? with imgur), since I saw some behaviour on my mobile device
Proxied the traffic and looked at it via Wireshark, got the GET request, changed the id and was able to get into private areas
Submitted to imgur
Some questions for you:
In your environment, do you usually test for security related items? Is this part of your every day activities?