SlideShare a Scribd company logo

[OPD 2019] Web Apps vs Blockchain dApps

โ€ข
โ€ข
OWASP
OWASP

Damian Rusinek

Internet
1 of 55
Download to read offline
www.securing.pldrdr_zz Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP Poland Day, Wrocล‚aw 2019 16th of October 2019
www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github โ€ข Pentester โ€ข Researcher โ€ข Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London & OWASP Poland Day Warsaw drdr_zz
www.securing.pldrdr_zzdrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? โ€ข Decentralized Application are like Web Applications with decentralized storage and governance. โ€ข Web Apps โ€ข Facebook โ€ข Reddit โ€ข Decentralized Apps โ€ข Steemit (a kind of decentralized Reddit)
www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? โ€ข There exist great projects already: โ€ข Augur (decentralized oracle and prediction market), โ€ข Gnosis (prediction platform), โ€ข MakerDAO (decentralized finance). โ€ข The market is worth billions of $ in cryptocurrencies. โ€ข A chance for new technologies (e.g. financial technology) โ€ข Easy decentralized banking, โ€ข No brokers (direct payments). โ€ข Big players: โ€ข Hyperledger (Linux Foundation, IBM, Intel, SAP), โ€ข Libra (Facebook).
www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? โ€ข Trustlessness: Use blockchain to store code and data (state). โ€ข No one can turn it off permanently (anyone can bring it to live). โ€ข Everyone can have it (like keeping the database of FB or Reddit locally).
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps ARE THOSE SECURE?
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ.
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ.
www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ. Expectations Reality
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps โ€ข Most common vulnerabilities? โ€ข OWASP Top 10 โ€ข The knowledge base about the weaknesses? โ€ข Mitre CWE (Common Weakness Enumeration) โ€ข The end to end security checklist to perform an audit? โ€ข OWASP ASVS (Application Security Verification Standard) Decentralized Apps โ€ข Most common vulnerabilities? โ€ข DASP Top 10 (https://dasp.co) โ€ข The knowledge base about the weaknesses? โ€ข SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) โ€ข The end to end security checklist to perform an audit?
www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard
www.securing.pldrdr_zzdrdr_zz โ€ข Objectives: โ€ข Provide a checklist for architects, developers and security reviewers. โ€ข Help to mitigate known vulnerabilities by design. โ€ข Help to develop high quality code of the smart contracts. โ€ข Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. โ€ข Format similar to ASVS. SCSVS - Objectives
www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
www.securing.pldrdr_zzdrdr_zz โ€ข Approaches โ€ข OWASP SAMM โ€ข SDL (Security Development Lifecycle) โ€ข BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities โ€ข Threat modelling SDLC โ€“ Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Sensitive data SDLC โ€“ Analysis & Requirements Web Apps โ€ข Stored in protected database Decentralized Apps โ€ข Stored on public blockchain โ€ข Forever โ€ข Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Public access SDLC โ€“ Analysis & Requirements Web Apps โ€ข Allowed only to part of application โ€ข Frontend โ€ข API Decentralized Apps โ€ข Allowed to the whole application โ€ข Code is public โ€ข Functions are public by default
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Public access SDLC โ€“ Analysis & Requirements โ€ข Parity Wallet hack โ€ข 150k ETH stolen (~30kk $) โ€ข https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Randomness SDLC โ€“ Analysis & Requirements Web Apps โ€ข A matter of a function call Decentralized Apps โ€ข Not trivially achieved in the decentralized computer โ€ข No local parameters can be used
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Randomness SDLC โ€“ Analysis & Requirements โ€ข EOSPlay hack โ€ข 30k EOS stolen (~100k USD) โ€ข SmartBillions Lottery hack โ€ข 400 ETH stolen (~80k USD) โ€ข https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis โ€ข Miners/Validators โ€ข Validate transactions and add new blocks
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis โ€ข Augur vulnerability โ€ข DoS on smart contract โ€ข Business logic abuse by miner โ€ข 5k $ bounty https://hackerone.com/reports/377398
www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
www.securing.pldrdr_zzdrdr_zz Similiarities โ€ข Least privilege rule โ€ข Access control โ€ข Public and known to everyone โ€ข Centralized and simple SDLC โ€“ Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Loops SDLC โ€“ Design Web Apps โ€ข Infinite loops -> DoS Decentralized Apps โ€ข Unbound loops -> DoS
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Loops SDLC โ€“ Design โ€ข GovernMentals โ€ข A ponzi scheme โ€ข Iteration over a huge array โ€ข 1100 ETH frozen โ€ข https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC โ€“ Design โ€ข Decentralized Applications keep cryptocurrencies โ€ข The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
www.securing.pldrdr_zzdrdr_zz โ€ข Great tools โ€ข Perform basic security analysis โ€ข But we still make bugs. โ€ข Sounds familiar? โ˜บ SDLC โ€“ Implementation
www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation Web Apps โ€ข Not that common Decentralized Apps โ€ข Overflows and underflows
www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation โ€ข Multiple ERC20 Smart Contracts โ€ข Allow to transfer more than decillions (10^60) of tokens โ€ข https://bit.ly/2lWa9ma โ€ข https://bit.ly/2ksNEF1
www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Recursive calls SDLC โ€“ Implementation Web Apps โ€ข Must be explicitly included in the logic Decentralized Apps โ€ข Executing some logic multiple times in one call โ€ข The DAO hack โ€ข Recursive withdrawals โ€ข 3.6 mln ETH stolen โ€ข https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Great tools for automatic scans SDLC โ€“ Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
www.securing.pldrdr_zzdrdr_zz Similiarities โ€“ Ensuring the testing takes place โ€ข including manual security tests SDLC โ€“ Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
www.securing.pldrdr_zzdrdr_zz Similiarities โ€“ Business logic errors โ€ข Hard to find using automated scans โ€ข MakerDAO vulnerability โ€ข Allows to create DAI cryptocurrency without coverage โ€ข 25k $ bounty SDLC โ€“ Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment Web Apps โ€ข Setting up configurations and integrations โ€ข Performed once during deployment Decentralized Apps โ€ข Setting up configurations and integrations โ€ข What if one can (re-)initialize the contract?
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment โ€ข Parity Wallet hack (2nd): โ€ข Kill contract shared by hundreds of other contracts โ€ข 500k ETH frozen (~100kk USD) โ€ข https://bit.ly/2kIBYhA โ€ข https://bit.ly/2kpfKkm
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Logs SDLC โ€“ Maintenance Web Apps โ€ข Kept safe on the server Decentralized Apps โ€ข Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
www.securing.pldrdr_zzdrdr_zz Differences โ€“ Security Alert and Fix SDLC โ€“ Maintenance Web Apps โ€ข Application goes down โ€ข The bug is fixed (patch) โ€ข Application redeployed Decentralized Apps โ€ข Smart contract goes down โ€ข The bug is fixed (patch) โ€ข Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps โ€ข Most common vulnerabilities? โ€ข OWASP Top 10 โ€ข The knowledge base about the weaknesses? โ€ข Mitre CWE (Common Weakness Enumeration) โ€ข The end to end security checklist to perform an audit? โ€ข OWASP ASVS (Application Security Verification Standard) Decentralized Apps โ€ข Most common vulnerabilities? โ€ข DASP Top 10 (https://dasp.co) โ€ข The knowledge base about the weaknesses? โ€ข SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) โ€ข The end to end security checklist to perform an audit? SCSVS
www.securing.pldrdr_zzdrdr_zz V13: Known attacks SCSVS โ€“ The special category โ€ข Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
www.securing.pldrdr_zz Thank you! Damian.Rusinek@securing.pl @drdr_zz Free 13-part security checklist Want a security audit of smart contract? Go for SCSVS!

Recommended

[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
ย 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
OWASP
ย 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security
OWASP
ย 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
ย 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing
OWASP
ย 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
ย 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
ย 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
ย 

Recommended

[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
ย 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
OWASP
ย 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security
OWASP
ย 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...[OPD 2019] AST Platform and the importance of multi-layered application secu...
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
ย 
[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing[OPD 2019] Automated Defense with Serverless computing
[OPD 2019] Automated Defense with Serverless computing
OWASP
ย 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
ย 
[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
ย 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
ย 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
ย 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
ย 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
AddWeb Solution Pvt. Ltd.
ย 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
42Crunch
ย 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
ย 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
ย 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
ย 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
ย 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
ย 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
ย 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
Priyanka Aash
ย 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
ย 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu
ย 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
ย 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
ย 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
Bryan Ferrario
ย 
A Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsA Deep Dive into Spring Application Events
A Deep Dive into Spring Application Events
VMware Tanzu
ย 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
Amazon Web Services
ย 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
ย 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
Priyanka Aash
ย 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
ย 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing
ย 

More Related Content

What's hot

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
ย 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
42Crunch
ย 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
42Crunch
ย 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
ย 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
ย 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
Bryan Ferrario
ย 

What's hot (20)

Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
ย 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
ย 
Zero trust Architecture
Zero trust Architecture Zero trust Architecture
Zero trust Architecture
ย 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
ย 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
ย 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
ย 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
ย 
Are You Properly Using JWTs?
Are You Properly Using JWTs?Are You Properly Using JWTs?
Are You Properly Using JWTs?
ย 
WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it! WEBINAR: Positive Security for APIs: What it is and why you need it!
WEBINAR: Positive Security for APIs: What it is and why you need it!
ย 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
ย 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
ย 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
ย 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
ย 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
ย 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
ย 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
ย 
A Deep Dive into Spring Application Events
A Deep Dive into Spring Application EventsA Deep Dive into Spring Application Events
A Deep Dive into Spring Application Events
ย 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
ย 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
ย 
Application Security Workshop
Application Security Workshop Application Security Workshop
Application Security Workshop
ย 

Similar to [OPD 2019] Web Apps vs Blockchain dApps

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
ย 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
SecuRing
ย 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
PROIDEA
ย 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
Pragati Rai
ย 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
ย 

Similar to [OPD 2019] Web Apps vs Blockchain dApps (20)

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
ย 
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
ย 
Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)Understanding the Basics of Decentralized Applications (dApps)
Understanding the Basics of Decentralized Applications (dApps)
ย 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ย 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar Question
ย 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
ย 
Block chain technology
Block chain technology Block chain technology
Block chain technology
ย 
Block chain technology
Block chain technologyBlock chain technology
Block chain technology
ย 
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdfOwn_blockchain_ Development_Mobiloitte_V1.2.pdf
Own_blockchain_ Development_Mobiloitte_V1.2.pdf
ย 
Second line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : BlockchainSecond line of defense for cybersecurity : Blockchain
Second line of defense for cybersecurity : Blockchain
ย 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
ย 
Algorand Technical Workshop 2021
Algorand Technical Workshop 2021Algorand Technical Workshop 2021
Algorand Technical Workshop 2021
ย 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance Webinar
ย 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
ย 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on Azure
ย 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
ย 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm
ย 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBM
ย 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
ย 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
ย 

More from OWASP

[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
ย 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
OWASP
ย 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
ย 
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
OWASP
ย 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
ย 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
ย 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing
OWASP
ย 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
ย 

More from OWASP (20)

[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
ย 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
ย 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
ย 
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
[OPD 2019] Side-Channels on the Web:โ€จAttacks and Defenses
ย 
[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC[OPD 2019] Advanced Data Analysis in RegSOC
[OPD 2019] Advanced Data Analysis in RegSOC
ย 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
ย 
[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing[OPD 2019] Rumpkernels meet fuzzing
[OPD 2019] Rumpkernels meet fuzzing
ย 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
ย 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
ย 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
ย 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
ย 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
ย 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
ย 
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hackingOWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
ย 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
ย 
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the PipelineOWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
ย 
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient softwareOWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
OWASP Poland Day 2018 - Kuai Hinojosa - Key tips to build resilient software
ย 
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
OWASP Poland Day 2018 - Ralf Kempf - SAP Security - Detecting the hand still ...
ย 
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
OWASP Poland Day 2018 - Johan Peeters - Designing access control with OAuth a...
ย 
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App VulnsOWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
OWASP Poland Day 2018 - Anthony Fielding and William Jardine - Common App Vulns
ย 

Recently uploaded

Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
imonikaupta
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
ย 
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
nirzagarg
ย 
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
nilamkumrai
ย 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
ย 
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
nirzagarg
ย 
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
ruhi
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
ย 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
singhpriety023
ย 
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Delhi Call girls
ย 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
ย 
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Delhi Call girls
ย 
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
ย 

Recently uploaded (20)

Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
ย 
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
ย 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
ย 
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
โžฅ๐Ÿ” 7737669865 ๐Ÿ”โ–ป mehsana Call-girls in Women Seeking Men ๐Ÿ”mehsana๐Ÿ” Escorts...
ย 
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls ๐ŸŽ—๏ธ 9352988975 Sizzling | Escorts | G...
ย 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
ย 
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
๐Ÿ’š๐Ÿ˜‹ Bilaspur Escort Service Call Girls, 9352852248 โ‚น5000 To 25K With AC๐Ÿ’š๐Ÿ˜‹
ย 
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
ย 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
ย 
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
ย 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
ย 
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service โ˜Ž๏ธ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
ย 
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
ย 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
ย 

[OPD 2019] Web Apps vs Blockchain dApps

  • 1. www.securing.pldrdr_zz Damian Rusinek Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards OWASP Poland Day, Wrocล‚aw 2019 16th of October 2019
  • 2. www.securing.pldrdr_zzdrdr_zz Damian Rusinek damianrusinek @ github โ€ข Pentester โ€ข Researcher โ€ข Focused on blockchain and smart contracts Security Researcher & Pentester Assistant Professor Introducing Decentralized Applications by analogy to Web Apps https://bit.ly/2kpfKkm Last year on AppSec EU London & OWASP Poland Day Warsaw drdr_zz
  • 3. www.securing.pldrdr_zzdrdr_zz Web 3.0 They are using Decentralized Applications or Platforms
  • 4. www.securing.pldrdr_zz www.securing.pldrdr_zz Decentralized Apps And why are they becoming important? WHAT IS IT?
  • 5. www.securing.pldrdr_zzdrdr_zz What are Decentralized Applications? โ€ข Decentralized Application are like Web Applications with decentralized storage and governance. โ€ข Web Apps โ€ข Facebook โ€ข Reddit โ€ข Decentralized Apps โ€ข Steemit (a kind of decentralized Reddit)
  • 6. www.securing.pldrdr_zzdrdr_zz Why are Decentralized Applications important? โ€ข There exist great projects already: โ€ข Augur (decentralized oracle and prediction market), โ€ข Gnosis (prediction platform), โ€ข MakerDAO (decentralized finance). โ€ข The market is worth billions of $ in cryptocurrencies. โ€ข A chance for new technologies (e.g. financial technology) โ€ข Easy decentralized banking, โ€ข No brokers (direct payments). โ€ข Big players: โ€ข Hyperledger (Linux Foundation, IBM, Intel, SAP), โ€ข Libra (Facebook).
  • 7. www.securing.pldrdr_zzdrdr_zz What is so special about Decentralized Apps? โ€ข Trustlessness: Use blockchain to store code and data (state). โ€ข No one can turn it off permanently (anyone can bring it to live). โ€ข Everyone can have it (like keeping the database of FB or Reddit locally).
  • 8. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Decentralized ApplicationWeb Application
  • 9. www.securing.pldrdr_zzdrdr_zz Where is the main difference? Architecture Web Application Hybrid Decentralized Application
  • 11. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ.
  • 12. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ.
  • 13. www.securing.pldrdr_zzdrdr_zz Are Decentralized Apps secure? โ€ข Undestroyable: No one can turn it off โ€ข Cryptographically secure: All transactions are digitally signed โ€ข Publicly verifiable: Anyone can verify the code of smart contracts โ€ข But stillโ€ฆ. Expectations Reality
  • 14. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps WE NEED SECURITY!
  • 15. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps โ€ข Most common vulnerabilities? โ€ข OWASP Top 10 โ€ข The knowledge base about the weaknesses? โ€ข Mitre CWE (Common Weakness Enumeration) โ€ข The end to end security checklist to perform an audit? โ€ข OWASP ASVS (Application Security Verification Standard) Decentralized Apps โ€ข Most common vulnerabilities? โ€ข DASP Top 10 (https://dasp.co) โ€ข The knowledge base about the weaknesses? โ€ข SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) โ€ข The end to end security checklist to perform an audit?
  • 16. www.securing.pldrdr_zz www.securing.pldrdr_zz SCSVS - Smart Contracts Security Verification Standard
  • 17. www.securing.pldrdr_zzdrdr_zz โ€ข Objectives: โ€ข Provide a checklist for architects, developers and security reviewers. โ€ข Help to mitigate known vulnerabilities by design. โ€ข Help to develop high quality code of the smart contracts. โ€ข Provide a clear and reliable assessment of how secure the smart contract is in relation to the percentage of SCSVS coverage. โ€ข Format similar to ASVS. SCSVS - Objectives
  • 18. www.securing.pldrdr_zzdrdr_zz SCSVS - Categrories V8: Business Logic V9: Denial of Service V10: Token V11: Code Clarity V12: Test Coverage V13: Known Attacks V1: Architecture, Design and Threat Modelling V2: Access Control V3: Blockchain Data V4: Communications V5: Arithmetic V6: Malicious Input Handling V7: Gas Usage & Limitations
  • 19. www.securing.pldrdr_zzdrdr_zz Software Development Life Cycle SCSVS covers all stages of SDLC process.
  • 20. www.securing.pldrdr_zzdrdr_zz โ€ข Approaches โ€ข OWASP SAMM โ€ข SDL (Security Development Lifecycle) โ€ข BSIMM (Builing Secuirty in Maturity Model) Software Development Life Cycle DISCLAIMER This is not a presentation about how to introduce security to your SDLC.
  • 21. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Analysis & Requirements SDLC
  • 22. www.securing.pldrdr_zzdrdr_zz Similiarities โ€ข Threat modelling SDLC โ€“ Analysis & Requirements 1.1 Verify that the every introduced design change is preceded by an earlier threat modelling. 1.2 Verify that the documentation clearly and precisely defines all trust boundaries in the contract (trusted relations with other contracts and significant data flows).
  • 23. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Sensitive data SDLC โ€“ Analysis & Requirements Web Apps โ€ข Stored in protected database Decentralized Apps โ€ข Stored on public blockchain โ€ข Forever โ€ข Anyone can read 3.1 Verify that any data saved in the contracts is not considered safe or private (even private variables). 3.2 Verify that no confidential data is stored in the blockchain (passwords, personal data, token etc.).
  • 24. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Public access SDLC โ€“ Analysis & Requirements Web Apps โ€ข Allowed only to part of application โ€ข Frontend โ€ข API Decentralized Apps โ€ข Allowed to the whole application โ€ข Code is public โ€ข Functions are public by default
  • 25. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Public access SDLC โ€“ Analysis & Requirements โ€ข Parity Wallet hack โ€ข 150k ETH stolen (~30kk $) โ€ข https://bit.ly/2kpfKkm 2.7 Verify that visibility of all functions is specified.
  • 26. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Randomness SDLC โ€“ Analysis & Requirements Web Apps โ€ข A matter of a function call Decentralized Apps โ€ข Not trivially achieved in the decentralized computer โ€ข No local parameters can be used
  • 27. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Randomness SDLC โ€“ Analysis & Requirements โ€ข EOSPlay hack โ€ข 30k EOS stolen (~100k USD) โ€ข SmartBillions Lottery hack โ€ข 400 ETH stolen (~80k USD) โ€ข https://bit.ly/2jJEKPd 7.5 Verify that the contract does not generate pseudorandom numbers trivially basing on the information from blockchain (e.g. seeding with the block number).
  • 28. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis โ€ข Miners/Validators โ€ข Validate transactions and add new blocks
  • 29. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis โ€ข Augur vulnerability โ€ข DoS on smart contract โ€ข Business logic abuse by miner โ€ข 5k $ bounty https://hackerone.com/reports/377398
  • 30. www.securing.pldrdr_zzdrdr_zz New threat actors for Decentralized Apps SDLC โ€“ Requirements & Analysis 8.1 Verify that the contract logic implementation corresponds to the documentation. 8.3 Verify that the contract has business limits and correctly enforces it. 9.3 Verify that the contract logic does not disincentivize users to use contracts (e.g. the cost of transaction is higher than the profit).
  • 31. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Design SDLC
  • 32. www.securing.pldrdr_zzdrdr_zz Similiarities โ€ข Least privilege rule โ€ข Access control โ€ข Public and known to everyone โ€ข Centralized and simple SDLC โ€“ Design 2.3 Verify that the creator of the contract complies with the rule of least privilege and his rights strictly follow the documentation. 2.11 Verify that all user and data attributes used by access controls are kept in trusted contract and cannot be manipulated by other contracts unless specifically authorized.
  • 33. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Loops SDLC โ€“ Design Web Apps โ€ข Infinite loops -> DoS Decentralized Apps โ€ข Unbound loops -> DoS
  • 34. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Loops SDLC โ€“ Design โ€ข GovernMentals โ€ข A ponzi scheme โ€ข Iteration over a huge array โ€ข 1100 ETH frozen โ€ข https://bit.ly/2kVXwaj 7.3 Verify that the contract does not iterate over unbound loops. 8.8 Verify that the contract does not send funds automatically but it lets users withdraw funds on their own in separate transaction instead.
  • 35. www.securing.pldrdr_zzdrdr_zz Decreasing the risk SDLC โ€“ Design โ€ข Decentralized Applications keep cryptocurrencies โ€ข The higher the amount the bigger the incentive for hackers 1.8 Verify that the amount of cryptocurrencies kept on contract is controlled and at the minimal acceptable level.
  • 36. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Implementation SDLC
  • 37. www.securing.pldrdr_zzdrdr_zz โ€ข Great tools โ€ข Perform basic security analysis โ€ข But we still make bugs. โ€ข Sounds familiar? โ˜บ SDLC โ€“ Implementation
  • 38. www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation Web Apps โ€ข Not that common Decentralized Apps โ€ข Overflows and underflows
  • 39. www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation โ€ข Multiple ERC20 Smart Contracts โ€ข Allow to transfer more than decillions (10^60) of tokens โ€ข https://bit.ly/2lWa9ma โ€ข https://bit.ly/2ksNEF1
  • 40. www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Arithmetic bugs SDLC โ€“ Implementation 5.1 Verify that the values and math operations are resistant to integer overflows. Use SafeMath library for arithmetic operations. 5.2 Verify that the extreme values (e.g. maximum and minimum values of the variable type) are considered and does change the logic flow of the contract. 5.3 Verify that non-strict inequality is used for balance equality.
  • 41. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Recursive calls SDLC โ€“ Implementation Web Apps โ€ข Must be explicitly included in the logic Decentralized Apps โ€ข Executing some logic multiple times in one call โ€ข The DAO hack โ€ข Recursive withdrawals โ€ข 3.6 mln ETH stolen โ€ข https://bit.ly/2hBQjKq 4.5 Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts. Do not use call and send function unless it is a must. 4.6 Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked.
  • 42. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Testing SDLC
  • 43. www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Great tools for automatic scans SDLC โ€“ Testing Web Apps Decentralized Apps 1.11 Verify that code analysis tools are in use that can detect potentially malicious code. https://securify.ch https://bit.ly/2mpaL3U https://tool.smartdec.net https://mythx.io/
  • 44. www.securing.pldrdr_zzdrdr_zz Similiarities โ€“ Ensuring the testing takes place โ€ข including manual security tests SDLC โ€“ Analysis & Requirements 12.1 Verify that all functions of verified contract are covered with tests in the development phase. 12.2 Verify that the implementation of verified contract has been checked for security vulnerabilities using static and dynamic analysis. 12.3 Verify that the specification of smart contract has been formally verified. 12.4 Verify that the specification and the result of formal verification is included in the documentation. 1.3 Verify that the SCSVS, security requirements or policy is available to all developers and testers.
  • 45. www.securing.pldrdr_zzdrdr_zz Similiarities โ€“ Business logic errors โ€ข Hard to find using automated scans โ€ข MakerDAO vulnerability โ€ข Allows to create DAI cryptocurrency without coverage โ€ข 25k $ bounty SDLC โ€“ Analysis & Requirements 1.10 Verify that the business logic in contracts is consistent. Important changes in the logic should be allowed for all or none of the contracts. 8.2 Verify that the business logic flows of smart contracts proceed in a sequential step order and it is not possible to skip any part of it or to do it in a different order than designed. https://hackerone.com/reports/672664
  • 46. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Deployment SDLC
  • 47. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment Web Apps โ€ข Setting up configurations and integrations โ€ข Performed once during deployment Decentralized Apps โ€ข Setting up configurations and integrations โ€ข What if one can (re-)initialize the contract?
  • 48. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment โ€ข Parity Wallet hack (2nd): โ€ข Kill contract shared by hundreds of other contracts โ€ข 500k ETH frozen (~100kk USD) โ€ข https://bit.ly/2kIBYhA โ€ข https://bit.ly/2kpfKkm
  • 49. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Initialization stage SDLC โ€“ Deployment 11.7 Verify that all storage variables are initialised. 2.8 Verify that the initialization functions are marked internal and cannot be executed twice. 9.1 Verify that the self-destruct functionality is used only if necessary.
  • 50. www.securing.pldrdr_zz www.securing.pldrdr_zz Web Apps vs Decentralized Apps - Maintenance SDLC
  • 51. www.securing.pldrdr_zzdrdr_zz Similarities โ€“ Logs SDLC โ€“ Maintenance Web Apps โ€ข Kept safe on the server Decentralized Apps โ€ข Public events 3.4 Verify that there is a component that monitors access to sensitive contract data using events.
  • 52. www.securing.pldrdr_zzdrdr_zz Differences โ€“ Security Alert and Fix SDLC โ€“ Maintenance Web Apps โ€ข Application goes down โ€ข The bug is fixed (patch) โ€ข Application redeployed Decentralized Apps โ€ข Smart contract goes down โ€ข The bug is fixed (patch) โ€ข Smart contract deployed again 1.6 Verify that there exists a mechanism that can temporarily stop the sensitive functionalities of the contract in case of a new attack. This mechanism should not block access to the assets (e.g. tokens) for the owners. 1.4 Verify that there exists an upgrade process for the contract which allows to deploy the security fixes.
  • 53. www.securing.pldrdr_zzdrdr_zz Security Projects & Standards Web Apps โ€ข Most common vulnerabilities? โ€ข OWASP Top 10 โ€ข The knowledge base about the weaknesses? โ€ข Mitre CWE (Common Weakness Enumeration) โ€ข The end to end security checklist to perform an audit? โ€ข OWASP ASVS (Application Security Verification Standard) Decentralized Apps โ€ข Most common vulnerabilities? โ€ข DASP Top 10 (https://dasp.co) โ€ข The knowledge base about the weaknesses? โ€ข SWC Registry (https://smartcontractsecurity.github.io/SWC-registry/) โ€ข The end to end security checklist to perform an audit? SCSVS
  • 54. www.securing.pldrdr_zzdrdr_zz V13: Known attacks SCSVS โ€“ The special category โ€ข Quick check for well known attacks 13.4 Verify that the contract is not vulnerable to Silent Failing Sends and Unchecked-Send attacks. [4.6] Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. [4.7] Verify that the third party contracts do not shadow special functions (e.g. revert). 13.2 Verify that the contract is not vulnerable to Reentrancy attack. [4.5] Verify that the re-entrancy attack is mitigated by blocking recursive calls from the other contracts. Do not use call and send functions unless it is a must.
  • 55. www.securing.pldrdr_zz Thank you! Damian.Rusinek@securing.pl @drdr_zz Free 13-part security checklist Want a security audit of smart contract? Go for SCSVS!