Application Security from the Inside - OWASP
Agenda
How to make apps more secure?
1. Triggering new vulnerabilities (bad guys)
2. Detecting/protecting found issues (good guys)
   1. SQL injection
   2. Cross Site Scripting (XSS)
   3. Third party components vulnerabilities
   4. Shell injection
About Me
Jean-Baptiste Aviat
CTO at Sqreen (https://sqreen.io)
We protect applications automatically
Sqreen is hiring
Former RedTeam security engineer at Apple
The best place for app security
• Where to gather accurate information for securing an application?
• How to change the tires of a car running at 100 mph?
• How to make the diagnosis continuous, to match modern release cycles?
App security: the place to be
• Need to get closer to the runtime
• Retrieve all required data, while the
application processes it
• Work with the deployed, running
application
• Obvious solution: instrumentation
Debugging allows…
• Developers' and hackers' method to inspect live apps
• Access anything in it
  – CPU registers
  – Addressable memory of the whole process: functions, symbols…
  – Threads
• And to modify anything in it
  – Modify return values
(byebug) thread list
+ 1 #<Thread:0x007fe41b0d1ae0@2.2.0/webrick/server.rb:283 run> ...
2 #<WEBrick::Utils::TimeoutHandler::Thread:0x007fe41b0d1220@2.2.0/webrick/utils.rb:162 sleep> 2.2.0/webrick/utils.rb:173
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
3 #<Thread:0x007fe4140bc408 sleep> 2.2.0/webrick/server.rb:174
(byebug) thread switch 3
[168, 177] in 2.2.0/webrick/server.rb
172: while @status == :Running
173: begin
=> 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], nil, nil, 2.0)
175: if svrs[0].include? shutdown_pipe[0]
176: break
At first sight
Web application specifics
• Relevant information in a web application:
  – User request (headers, cookies, parameters…) and server response
  – Any function call and its arguments
    • Database requests
    • File operations
    • External API calls
    • Syscalls…
  – All current threads
0 ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query(sql#String, name#String…)
…
7 PostsController.set_post
…
23 ActionController::ParamsWrapper.process_action(action#NilClass, *args#Array)
…
27 ActionController::Metal.dispatch(action#NilClass, request#ActionDispatch::Request)
…
37 Rack::ETag.call(env#Hash)
…
40 ActionDispatch::ParamsParser.call(env#Hash)
…
44 ActionDispatch::Cookies.call(env#Hash)
45 ActiveRecord::QueryCache.call(env#Hash)
…
74 WEBrick::HTTPServer.service(req#WEBrick::HTTPRequest, res#WEBrick::HTTPResponse)
75 WEBrick::HTTPServer.run(sock#TCPSocket)
76 block in WEBrick::GenericServer.start_thread(sock#TCPSocket, &block#NilClass)
Looking closer…
• Application instrumentation
• Different ways to identify vulnerabilities
• And many solutions to prevent them
  – Patch a function's return value
  – Encode a function's arguments
  – Raise an exception to prevent further execution
(byebug) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
Successfully created breakpoint with id 1
(byebug) continue
[283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
287:
=> 288: def exec_query(sql, name = nil, binds = [])
289: type_casted_binds = binds.map { |col, val|
290: [col, type_cast(val, col)]
291: }
292:
(byebug) var local
binds = []
name = Post Load
self = #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb1eb30df50>
sql = SELECT * FROM posts WHERE id=3
(byebug) self.quote("it's a string")
"'it''s a string'"
Where the database is accessed
SQL injection detection
• Inside an app, full access to:
  – Raw SQL query, just as the database receives it
  – Database system (Oracle, MySQL…)
  – Database configuration (encoding)
  – Untrusted parameters
• Ability to parse the complete SQL query
SQL injection
• Untrusted entry used in a SQL request
• Assume pwd is injectable:
  SELECT * FROM users WHERE pwd = 'sun' LIMIT 1
• Injected query:
  SELECT * FROM users WHERE pwd = 'sun' OR 1=1--+' LIMIT 1
• The SQL query has to be valid to trigger an injection
• How to prove that an injection happened?
Request just before it leaves the app to the DB:
  SELECT * FROM users WHERE password = 'sun' OR 1=1-- '
Reminder: we know the database, its charset, encoding rules…
1 user entry, multiple SQL tokens:
  SELECT * FROM users WHERE password = sun OR 1 = 1
This is an injection.
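The "one user entry, several SQL tokens" test from these two slides, as an added Ruby example (not the talk's or Sqreen's code): a deliberately small SQL tokenizer, the span check, and a guard module prepended to the adapter so a flagged query is refused before it reaches the database. FakeAdapter stands in for ActiveRecord's SQLite3Adapter.exec_query, and the request's untrusted values are assumed to have been stashed in Thread.current by a request hook.

```ruby
# Added example (not from the talk): flag a SQL injection by checking whether
# ONE untrusted value spans SEVERAL SQL tokens in the query about to be sent.

# Minimal SQL tokenizer, returns [type, start, stop] triples (stop exclusive).
# Handles '...' strings with '' escapes, -- comments, words, numbers and
# operators; /* */ comments and dialect-specific quoting are left out.
def tokenize_sql(sql)
  tokens = []
  i = 0
  n = sql.length
  while i < n
    c = sql[i]
    if c =~ /\s/
      i += 1
    elsif c == "'"
      j = i + 1
      loop do
        j += 1 while j < n && sql[j] != "'"
        break unless j + 1 < n && sql[j + 1] == "'"   # '' is an escaped quote
        j += 2
      end
      j = [j + 1, n].min             # an unterminated string runs to the end
      tokens << [:string, i, j]
      i = j
    elsif sql[i, 2] == "--"
      j = sql.index("\n", i) || n
      tokens << [:comment, i, j]
      i = j
    elsif c =~ /[A-Za-z_]/
      j = i
      j += 1 while j < n && sql[j] =~ /\w/
      tokens << [:word, i, j]
      i = j
    elsif c =~ /\d/
      j = i
      j += 1 while j < n && sql[j] =~ /[\d.]/
      tokens << [:number, i, j]
      i = j
    else
      op = %w[<> <= >= != ||].find { |o| sql[i, o.length] == o } || c
      tokens << [:op, i, i + op.length]
      i += op.length
    end
  end
  tokens
end

# True when the untrusted value overlaps more than one token. The value is
# searched raw and in its '' escaped form, so a correctly quoted value (one
# string token) is not flagged.
def injection?(sql, user_input)
  return false if user_input.nil? || user_input.strip.empty?
  needle = [user_input, user_input.gsub("'", "''")].find { |s| sql.include?(s) }
  return false unless needle
  start = sql.index(needle)
  stop = start + needle.length
  tokenize_sql(sql).count { |_type, s, e| s < stop && e > start } > 1
end

class SqlInjectionError < StandardError; end

# Instrumentation: prepended to the adapter, the guard sees the raw query and
# the request's untrusted values just before the database does, and raises
# instead of letting the query through ("raise an exception to prevent
# further execution" on the slides).
module SqlGuard
  def exec_query(sql, name = nil, binds = [])
    untrusted = Thread.current[:untrusted_params] || []
    hit = untrusted.find { |value| injection?(sql, value.to_s) }
    raise SqlInjectionError, "#{hit.inspect} spans several SQL tokens" if hit
    super
  end
end

# Toy stand-in for ActiveRecord::ConnectionAdapters::SQLite3Adapter (assumed).
class FakeAdapter
  def exec_query(sql, _name = nil, _binds = [])
    "executed: #{sql}"
  end
  prepend SqlGuard
end

# What a request hook would do: stash the request's values, then run the query.
def run_query(params, sql)
  Thread.current[:untrusted_params] = params.values
  FakeAdapter.new.exec_query(sql, "User Load")
rescue SqlInjectionError => e
  "rejected: #{e.message}"
ensure
  Thread.current[:untrusted_params] = nil
end
```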
#0 ActionView::OutputBuffer.<<(value#NilClass)
#1 ActionView::CompiledTemplates._app_views_posts_show_html_erb…(local_assigns, output_buffer)
#2 block in ActionView::Template.render(view, locals#Hash, buffer#NilClass, &block#Proc)
#3 #<Class:ActiveSupport::Notifications>.instrument(name#String, payload#Hash)
[…]
#18 ActionView::Rendering._render_template(options#Hash)
#19 ActionController::Streaming._render_template(options#Hash)
#0 is string concatenation
#1 is template insertion
Rendering a template
(byebug) break ActionView::OutputBuffer.<<
[6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
…
10: def <<(value)
=> 11: return self if value.nil?
12: super(value.to_s)
13: end
14: alias :append= :<<
15:
(byebug) var local
value = "my <script>alert()</script> title"
(byebug) value.html_safe?
true
String concatenation
[6, 15] in app/views/posts/show.html.erb
8:
9: <p>
10: <strong>Title:</strong>
=> 11: <%= @post.title %>
12: </p>
13:
In Template Insertion
XSS detection
• Inside an app, access to:
  – Template engine (JSF, ERB…)
  – Partially rendered page
  – Fully rendered page
  – Generated page type (HTML, CSS, JSON…)
  – Untrusted parameters
XSS detection
• HTML can be parsed
• Injection if:
  – User entry adds HTML to the rendered page
    • HTML node: <div><script src=atta.ck/></script>Safari</div>
    • HTML attribute: <a href='#' onclick='alert()'>Data</a>
• In such cases, we have an HTML injection
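The structural test on this slide, as an added Ruby example (not the talk's code): render the ERB template once with the untrusted value and once with an inert stand-in of the same length, then compare the tag skeletons; any extra node or attribute came from the user. The two templates are constructed to match the slides, and stdlib ERB is used without auto-escaping, i.e. the html_safe case shown in the byebug session.

```ruby
require "erb"
require "cgi"

# Added example (not from the talk): detect an HTML injection the way the slide
# describes it, i.e. the untrusted value ADDS a node or an attribute to the
# rendered page. The template is rendered twice, with the real value and with
# an inert stand-in of the same length, and the two tag skeletons are compared;
# attribute values and text are ignored, structure is not.

TAG_RE  = %r{<\s*(/?)([A-Za-z][\w-]*)([^>]*)>}
ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/

# Tag skeleton of an HTML fragment: [:open or :close, tag name, sorted
# attribute names]. This is a regex scanner, not an HTML parser: a '>' inside
# a quoted attribute value ends the tag early (a real engine parses properly).
def html_structure(html)
  html.scan(TAG_RE).map do |slash, name, attrs|
    names = attrs.scan(ATTR_RE).map { |(attr)| attr.downcase }.sort
    [slash.empty? ? :open : :close, name.downcase, names]
  end
end

# Plain stdlib ERB, like the slide's <%= @post.title %> once the value is
# html_safe: nothing is escaped here unless the caller escaped it.
def render(template, value)
  ERB.new(template).result_with_hash(title: value)
end

def html_injection?(template, user_input)
  inert = "x" * user_input.length
  html_structure(render(template, user_input)) != html_structure(render(template, inert))
end

# Constructed templates matching the slides' examples (node and attribute case).
NODE_TEMPLATE = "<p>\n  <strong>Title:</strong>\n  <%= title %>\n</p>\n"
ATTR_TEMPLATE = "<a href='<%= title %>'>Data</a>"
```

CGI.escapeHTML on the value before rendering is the fix the test exercises: the escaped value adds no node and no attribute, so the comparison comes back equal.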
Third party components vulnerabilities
irb(main):001:0> Gem.loaded_specs.each do |name, spec|
  puts "%-20s\t%s\t%s" % [name, spec.version, spec.homepage]   # name, version, homepage
end
rake 10.4.2
i18n 0.7.0 http://github.com/svenfuchs/i18n
tzinfo 1.2.2 http://tzinfo.github.io
activesupport 4.2.3 http://www.rubyonrails.org
erubis 2.7.0 http://www.kuwata-lab.com/erubis/
nokogiri 1.6.6.2 http://nokogiri.org
actionview 4.2.3 http://www.rubyonrails.org
sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby
execjs 2.6.0 https://github.com/rails/execjs
...
CVE-2015-1819
CVE-2015-7941
CVE-2015-7942
CVE-2015-8035
An application's dependencies
3rd party components vulnerabilities
• Application knows its libraries
  – Version
  – Configuration
  – Dependencies
• And OS libraries
• Correlation with public security advisories
• And restrict / correct the vulnerable paths
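Correlating the loaded gems with advisories, as an added Ruby example (not the talk's or Sqreen's code): the advisory table is a constructed sample with made-up ids and version ranges, the snapshot comes from the same Gem.loaded_specs as the irb session above, and the matching uses RubyGems' own Gem::Requirement.

```ruby
require "rubygems"

# Added example (not from the talk): correlate the gems loaded by the running
# application with security advisories, as the slide describes. ADVISORIES is
# a CONSTRUCTED sample with made-up ids and ranges, not a real feed; an agent
# would pull a real source (Ruby Advisory DB, OS package advisories, ...).
ADVISORIES = [
  { id: "EXAMPLE-ADV-001", gem: "nokogiri",   affected: [">= 1.6.0", "< 1.6.7"] },
  { id: "EXAMPLE-ADV-002", gem: "actionview", affected: ["~> 4.2.0", "< 4.2.5"] },
  { id: "EXAMPLE-ADV-003", gem: "rack",       affected: ["< 1.6.2"] },
].freeze

# versions: { gem name => version string }, the shape loaded_gem_versions
# returns. Yields one [gem, version, advisory id] per matching advisory;
# Gem::Requirement does the version-range matching, so the ranges use the
# same syntax as a Gemfile ("~> 4.2.0", "< 1.6.7").
def vulnerable_dependencies(versions, advisories = ADVISORIES)
  hits = []
  advisories.each do |adv|
    version = versions[adv[:gem]]
    next unless version                                   # gem not loaded at all
    range = Gem::Requirement.new(*adv[:affected])
    next unless range.satisfied_by?(Gem::Version.new(version))
    hits << [adv[:gem], version, adv[:id]]
  end
  hits
end

# Snapshot of the running process, same source as the irb session on the slide.
def loaded_gem_versions
  Gem.loaded_specs.transform_values { |spec| spec.version.to_s }
end
```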
Shell injection
• Inside an app, access to:
  – Command (before execution)
  – Shell
    • Type (Bash, ksh, PowerShell, cmd.exe…)
    • Version (ShellShock vulnerable?)
  – Environment
  – User parameters
Shell injection
• Similar to SQL injection
• Ability to parse the executed command
  – Legitimate command:
    whois jbaviat.sqreen.io
  – Injected command:
    whois jbaviat.sqreen.io ; cat /etc/passwd
• Possible correlation with untrusted parameters
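The same token-span test applied to the command line, as an added Ruby example (not the talk's code): a small model of POSIX-shell quoting and command separators, and a check that a correctly quoted or Shellwords-escaped value stays one word while an unquoted one spans an operator.

```ruby
require "shellwords"

# Added example (not from the talk): the "one user entry, several tokens" test
# applied to a command line just before it reaches the shell. The tokenizer
# models POSIX-shell quoting ('...', "...", backslash) and the operators that
# start a second command or a substitution; it is a model of sh, not sh itself
# (redirection targets, heredocs and the like are out of scope).
SHELL_OPERATORS = ["&&", "||", ";", "|", "&", "$(", "`", ">", "<"].freeze

# Returns [type, start, stop] triples (stop exclusive).
def tokenize_shell(cmd)
  tokens = []
  i = 0
  n = cmd.length
  while i < n
    if cmd[i] =~ /\s/
      i += 1
    elsif (op = SHELL_OPERATORS.find { |o| cmd[i, o.length] == o })
      tokens << [:operator, i, i + op.length]
      i += op.length
    else
      j = i
      in_dq = false
      loop do
        break if j >= n
        ch = cmd[j]
        if ch == "\\"
          j += 2                                        # escaped char belongs to the word
        elsif ch == "'" && !in_dq
          j = (cmd.index("'", j + 1) || (n - 1)) + 1    # '...' is opaque to the shell
        elsif ch == '"'
          in_dq = !in_dq
          j += 1
        elsif cmd[j, 2] == "$(" || ch == "`"
          break                                         # substitution runs even inside "..."
        elsif !in_dq && ch =~ /[\s;|&<>]/
          break
        else
          j += 1
        end
      end
      j = [j, n].min
      tokens << [:word, i, j]
      i = j
    end
  end
  tokens
end

# True when the untrusted value overlaps more than one token. The value is
# looked for raw and in its Shellwords-escaped form, so a correctly escaped
# value (which stays one word) is not flagged.
def shell_injection?(cmd, user_input)
  return false if user_input.nil? || user_input.strip.empty?
  needle = [user_input, Shellwords.escape(user_input)].find { |s| cmd.include?(s) }
  return false unless needle
  start = cmd.index(needle)
  stop = start + needle.length
  tokenize_shell(cmd).count { |_type, s, e| s < stop && e > start } > 1
end
```

Detection is the talk's angle; the fix on the application side is to not go through a shell at all (pass an argv array to system/Open3) or, failing that, Shellwords.escape each untrusted argument, which the test shows the check accepts.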
@JbAviat
Questions?
jb@sqreen.io
Sqreen: you code, we protect
• We protect applications automatically
• Beta program available: contact us to be part of it
• Sqreen is hiring
