Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season...

60
Applica’on Security Nam.Dinh Security Researcher & Developer Applica’on Security - Nam.Dinh 1

Transcript of Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season...

Page 1: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Applica'onSecurity

Nam.DinhSecurityResearcher&Developer

Applica'onSecurity-Nam.Dinh 1

Page 2: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WhoamI?

•  SecurityResearcherandDeveloper.•  FocusonWebsiteApplica'onVulnerabilityAnalystandExploita'on.

•  Hackingforfun…

Applica'onSecurity-Nam.Dinh 2

Page 3: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Modules•  WebApplica'onSecurity[season1]

1.  NodeJsApplica'onSecurity.[3hours]2.  PHPApplica'onSecurity,WebApplica'onFirewall,

IntrusionDetec'onSystem.[3hours]•  Wri'ngExploita'on[season2]

1.  C/C++,Assembly,Disassembly,ReverseEngineering,WriVngShellcode…[8hours]

2.  Exploit:StackOverflow,HeapOverflow,Off-By-One,FormatString,UseA^erFree…[8hours]

3.  SEHoverwrite,Egghun'ng,ROPchains,bypassDEP,ASLR…[8hours]

Applica'onSecurity-Nam.Dinh 3

Page 4: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

AgendaSeason1.1NodeJsApplica'onSecurity

I.  Introduc'onII.  NodeArchitectureIII.  VulnerabilityManagementIV.  CrossSiteScrip'ng–XSSV.  CrossSiteRequestForgery–CSRFVI.  DirectoryTraversalVII.  CommandInjec'onVIII.  Objec'onInjec'onIX.  SQLInjec'on–SQLiX.  DOSXI.  BruteForceXII.  MemoryLeakXIII.  ProtectdataXIV.  Authen'ca'on&Authoriza'onXV.  LogXVI.  Misconfigura'on,SSLXVII.  HelmetXVIII.  Demo&&Q&A

Applica'onSecurity-Nam.Dinh 4

Page 5: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

I.Introduc'onElementsofInforma'onsecurity

Confiden/ality–dataandinforma'onassetsmustbeconfinedtopeopleauthorizedtoaccessandnotbedisclosedtoothers;Integrity–keepingthedataintact,completeandaccurate,andITsystemsopera'onal;Availability–authorizeduserswhenneeded.

Applica'onSecurity-Nam.Dinh 5

hkp://resources.infosecins'tute.com/key-elements-informa'on-security-policy

Page 6: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

I.Introduc'onHTML5TOP10

Applica'onSecurity-Nam.Dinh 6

Page 7: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

I.Introduc'onOWASPTop10

Applica'onSecurity-Nam.Dinh 7

Page 8: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

I.Introduc'onToolsandServices

•  Acune/x:testsforSQLInjec'on,XSS,XXE,SSRF,HostHeaderInjec'onandover3000otherwebvulnerabili'es.

•  BurpSuite:Coverageofover100genericvulnerabili/es,suchasSQLinjec'onandcross-sitescrip'ng(XSS),withgreatperformanceagainstallvulnerabili'esintheOWASPtop10.

•  sucuri.net:Mi'gateDDoSakacks,improveandop'mizeyourwebsite'sperformance,andstophackersfromexploi'ngso^warevulnerabili'es(i.e.,SQLi,XSS,RCE,etc.).Cloud-basedprotec'on,noinstalla'onrequired.

•  Nmap,Netcat,Metasploit,Kali2…

Applica'onSecurity-Nam.Dinh 8

Page 9: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

I.Introduc'onSta'cSecurityAnalyst

–PakernMatching§  Ischeckedagainstalistofan'pakerns.

–Tain'ng

§  Givenanakackvectorcomingthroughreq.query/req.body§  Checkifitreachesnon-sani'zedhtmlcontexts(XSS)orSQL

calls(SQLi)

–SymbolicExecu'on(mostcomputa'onallyexpensive)§  Exploreallbranchesthatmightbetraversed§  Executeaprogramwithoutaconcretevalueliketain'ng§  Determinewhatconstraintscanreachapar'cularbranch(if(s==1)fail())

Applica'onSecurity-Nam.Dinh 9

Page 10: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

NodeJsApplica'onSecurity

-Somedemosandexamplesexploitrealmodulesandapplica'onsthatisrequire:

Ø BasicunderstandingwebprogramingØ JavascriptØ NodejsØ Top10OWASPwebapplica'on.

-Don’ttrainprogramingwithnodejsandjavascript-A^erthismoduleyoucan:

Ø UnderstandingandApplingbestsecurityprac'cesforrealapplica'ons.

Ø CanexploitNodejsApplica'on.Applica'onSecurity-Nam.Dinh 10

Page 11: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

VulnerabilityManagement•  CVE:hkp://cve.mitre.org/inuse/:Astheinterna'onalindustrystandardforcybersecurityvulnerabilityandexposurenames,CVEIden'fiersareincludedinnumerousproductsandservicesandarethefounda'onofothers.

•  Securityupdates:–  hkps://nodejs.org/en/blog/vulnerability/-Nodejs–  hkps://expressjs.com/en/advanced/security-updates.html-Express

–  Snyk-ThirdParty–  hkps://nodesecurity.io/-ThirdParty

Applica'onSecurity-Nam.Dinh 11

Page 12: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

NodeArchitect

Applica'onSecurity-Nam.Dinh 12

Page 13: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Firstofall•  Strictmodechangesbothsyntaxandrun'mebehaviortobelesstolerantoferrorsandambiguousconstructs.

•  JavaScriptrepresentsallnumbersasdoublefloa'ngpointnumbers.

•  ParseInt,ParseFloat.•  Bydefault,variablesareglobal.•  Usestrictcomparison===toavoidconversionissueswithcomparisons.

•  _.isEmpty(11)-Lodash•  PreventParameterPollu'ontoStopPossibleUncaughtExcep'ons

•  …hkps://nodesource.com/blog/nine-security-'ps-to-keep-express-from-geVng-pwned/

Applica'onSecurity-Nam.Dinh 13

Page 14: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

1.Crosssitescrip'ng-XSS

•  Allowakackertoinjectclient-clientscriptsintouser’sbrowser.

•  3types:Reflected,Stored,andDOM.•  CheckUrl,HTMLbody,submikeddata,CSSakributes,Javascript…

•  Templateenginelibrarydoesthiswellenoughbydefault?

•  Akackvectors:post,comment,form,email…

Applica'onSecurity-Nam.Dinh 14

Page 15: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW

hkps://github.com/Seman'c-Org/Seman'c-UIApplica'onSecurity-Nam.Dinh 15

Page 16: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

2.CrossSiteRequestForgery-CSRF

•  Forceuser’sbrowertosendrequestsdonotintend.

•  Protec'on:– Csurf

<inputtype="hidden"name=“csrf”value={{csr^oken}}/>

– Doublecookies•  Check:hkps://hd7exploit.wordpress.com/2017/05/27/dvwa-csrf-high-level/

Applica'onSecurity-Nam.Dinh 16

Page 17: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

3.Dic/onarytraversal

•  Allowhackerstoaccessfilesrestrictedoutsiterootwebdirectory.varreadStream=fs.createReadStream(fullFilePath);readStream.on('error',func'on(err){res.json({'error':err});});readStream.pipe(res);

hkps://pentest.wp/salary?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd

Applica'onSecurity-Nam.Dinh 17

Page 18: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

4.Commandinjec'on

•  Commandsexecutedthroughthechild_processmodule,usingexec[/bin/sh],execFile,spawn,orfork.

•  execFile,however,executesthefiledirectly,givingakackersamuchsmallerakacksurface(limitedbythefilebeingexecuted).varparsedUrl=url.parse(request.url,true);response.writeHead(200,{"Content-Type":"text/html"});exe.exec('ping-c2'+parsedUrl.query.ping,func'on(err,data){ response.write("Hello"+data); response.end();});

hkps://nodesecurity.io/advisories/117

Applica'onSecurity-Nam.Dinh 18

Page 19: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WTH

•  shell-quotecannotcorrectlyescapetheredirec'onoperators‘>’,‘<’whenusedinsideofthe.quote()func'on.

•  Vulcode:hkps://github.com/substack/node-shell-quote/blob/1.6.0/index.js

hkps://www.npmjs.com/package/shell-quoteApplica'onSecurity-Nam.Dinh 19

Page 20: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

5.Objec'onInjec'on

•  eval()func'onisacommonfunc'onofnodejsthatiseasytoexploitifdatapassedtoitnotfilteredcorrectly

•  hkps://hd7exploit.wordpress.com/2017/05/29/exploi'ng-node-js-deserializa'on-bug-for-

remote-code-execu'on-cve-2017-5941/

Applica'onSecurity-Nam.Dinh 20

Page 21: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW•  Dust.jshelper•  Ref:hkp://artsploit.blogspot.com/2016/08/pprce2.html?m=1

hkps://github.com/hapijs/bassmasterTheLibusedbyPaypalisvulsinthepastApplica'onSecurity-Nam.Dinh 21

Page 22: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

6.SQLinjec'on•  Injectarbitrarydataintoqueryleadtobypassauthen'ca'on,controldata,

executecommandsontheopera'ngsystem…•  Error-basedSQLi•  Union-basedSQLi

–  SELECT*FROMuserWHEREid='1'UNIONALLSELECTNULL,CONCAT(0x717a7a6a71,(CASEWHEN(ISNULL(TIMESTAMPADD(MINUTE,6999,NULL)))THEN1ELSE0END),0x717a6b7a71),NULL–Melq’

–  SELECT*FROMuserWHEREid='1'UNIONALLSELECTNULL,CONCAT(0x717a7a6a71,IFNULL(CAST(schema_nameASCHAR),0x20),0x717a6b7a71),NULLFROMINFORMATION_SCHEMA.SCHEMATA–jPek’

•  BlindSQLi–  SELECT*FROMuserWHEREid='1'AND7507=IF((48=48),SLEEP(5),7507)–SXqI’–  SELECT*FROMuserWHEREid='1'AND23=23AND'xWyF'='xWyF’

•  Libs:Node-mysql,serialize…•  SeVng:mul'pleStatements:false

Applica'onSecurity-Nam.Dinh 22

Page 23: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW

./sqlmap.py-u"hkps://pentest.wp/sqli?id=1"--fresh-queries--techniqueu--dbs

hkps://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/master/patches/npm/sequelize/20160106/sequelize_20160106_d198d78182cbf1ea3ef1706740b35813a6aa0838.patch

serialize

Applica'onSecurity-Nam.Dinh 23

Page 24: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

7.MemoryLeak

•  Bufferwillbeeasilyrunoutofmemory.•  BuffersinV8[32bit]cannotbebiggerthan0x3FFFFFFFbytes(aliklebitlessthan1GB)

•  Readchunksinto1bufferandreturnthisbufferwhenit'sdone.

•  vardata=newBuffer(inputData);???

Applica'onSecurity-Nam.Dinh 24

Page 25: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

8.Protec'ondata•  Cryptographyisaresource-heavyprocess.•  hkps://github.com/rzcoder/node-rsa•  hkps://github.com/brix/crypto-js•  hkps://nodejs.org/api/crypto.html

Applica'onSecurity-Nam.Dinh 25

Page 26: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

varcrypto=require('crypto'),algorithm='aes-256-ctr',password='d6F3Efeq’;func'onencrypt(text){varcipher=crypto.createCipher(algorithm,password)varcrypted=cipher.update(text,'u�8','hex')crypted+=cipher.final('hex');returncrypted;}func'ondecrypt(text){vardecipher=crypto.createDecipher(algorithm,password)vardec=decipher.update(text,'hex','u�8')dec+=decipher.final('u�8');returndec;}varhw=encrypt("helloworld")//outputshelloworldconsole.log(decrypt(hw));

Pre-sharekey

hkps://github.com/chris-rock/node-crypto-examples/blob/master/crypto-stream.jsApplica'onSecurity-Nam.Dinh 26

Page 27: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Publickey

•  hkps://git.daplie.com/coolaj86/examples-rsa-keypairs

Applica'onSecurity-Nam.Dinh 27

Page 28: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

9.Authen'ca'on&Authoriza'on•  Timeoutsesssion,HTTPonly,Secure=true•  Hash+saltwithbcrypt,makestrongrule.Passwordsal9ngmeansadding

asecretstringtoallpasswordsbeforehashingtheminordertoavoidgeVngthesamehashforcommonpasswords.

•  User2password,2factorauthen'ca'on,2user,OTP•  Checken/tyowneronAPI,Route,Datasentbyclientoranother

services...

app.use(session({secret:'mySecretCookieSalt',key:'myCookieSessionId',cookie:{hkpOnly:true,secure:true,domain:'example.com',path:'/foo/bar',//Cookiewillexpirein1hourfromwhenit'sgeneratedexpires:newDate(Date.now()+60*60*1000)}}));

Applica'onSecurity-Nam.Dinh 28

Page 29: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

10.Bruteforce•  Dic'onary•  Rainbowtable•  Randomize•  express-limiter-whicheffec'velyblocksanIPaddressfrommakinganoutrageous

numberofrequests.

varclient=require('redis').createClient()varlimiter=require('express-limiter')(app,client)//BruceForcepreventlimiter({path:'/bf',method:'get',lookup:'headers.x-forwarded-for',//behindaproxy//10requestsperminutetotal:10,expire:1000*60})

Applica'onSecurity-Nam.Dinh 29

hkps://www.howtogeek.com/166832/brute-force-akacks-explained-how-all-encryp'on-is-vulnerable/

Page 30: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

11.DOS•  EvilRegexes:ARegexiscalled"evil"ifitcanstuckoncra^ed

input.Thatcausesanalgorithmtoruninthemostinefficientwaypossible

•  EvilRegexpaYerncontains:–  Groupingwithrepe''on–  Insidetherepeatedgroup:–  Repe''on–  Alterna'onwithoverlapping

•  ExamplesofEvilPaYerns:–  (a+)–  ([a-zA-Z]+)*–  (a|aa)–  (a|a?)+–  (.*a){x}|forx>10

•  Detec/on:RXRR(sta'canalysis),SDLRegExFuzzer.Applica'onSecurity-Nam.Dinh 30

Page 31: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

HowRegExEnginesWork

•  WhenapplyingcattoHecapturedaca[ishforhiscat.Whathappened?

•  MomentJS-varMONTHS_IN_FORMAT=/D[oD]?(\[[^\[\]]*\]|\s+)+MMMM?/;[exploited]+varMONTHS_IN_FORMAT=/D[oD]?(\[[^\[\]]*\]|\s)+MMMM?/;[fixed]

Applica'onSecurity-Nam.Dinh 31

hkp://www.regular-expressions.info/engine.htmlhkp://www.regular-expressions.info/catastrophic.html

Page 32: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

11.DOS&DDOS•  Exploitweeknessonsourcecode.•  Preventvalidrequest•  Synchronousac/onislongwillleadto

DOS…

•  Nginxforsta'cfileserving•  Usingmul/pleprocesses•  process.nextTick:runbeforeanyI/Ois

firedoneventqueue[willbeinvokedonnextevenloop]

•  setImmediate:pushedontheendofeventqueueofeventI/O

hkp://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-30/dos-akacks.html Applica'onSecurity-Nam.Dinh 32

Page 33: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

11.DOS&DDOSNodejsCluster

Applica'onSecurity-Nam.Dinh 33

Page 34: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

12.Log

•  Donotlogsensi'veinforma'on.•  Logrequest/response.•  LogUsertransac'ons.•  Libs:Winston,morgan…•  …•  ThinkofLogcentralize,SIEM

Applica'onSecurity-Nam.Dinh 34

Page 35: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

13.EnableTLS/SSL

•  NginxandNodejs.•  NginxSSLtermina'onwithNodejs.•  Runsslyze,a2sv,NmaptovalidateSSLtransmission.

Applica'onSecurity-Nam.Dinh 35

Page 36: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

OpenSSLHeartbleed•  Thevulnerabilityaffectsallapplica'onsthatuseOpenSSLversions1.0.1-1.0.1fand

permitsanakackertoreadupto64kofservermemory.Thismemorycancontain:•  HTTPrequestsmadebyotheruserstotheserver,whichmayinclude:

–  Sessioncookies–  Usernamesandpasswordssentinformfields–  Useragentandotherheaderssentbytheclient

•  HTTPresponsessentbytheservertootheruserscontainingsensi'veinforma'on•  SSLencryp'onkeys•  Emailmessages(incaseofSMTP,IMAPorPOP3)•  Othersensi'vedatastoredinservermemory

Applica'onSecurity-Nam.Dinh 36

hkps://securityintelligence.com/heartbleed-openssl-vulnerability-what-to-do-protect/

Page 37: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

SSLv3POODLE•  (PaddingOracleOnDowngradedLegacyEncryp'on)•  Thisvulnerabilitymayallowanakackerwhoisalreadyman-in-the-middle(atthenetwork

level)todecryptthesta'cdatafromanSSLcommunica'onbetweenthevic'muserandavulnerableserver.

•  TheakackerwillprobablytrytoobtaintheHTTPcookiesorothersta'cdata.•  Forthat,heneedstoconvinceboththevic'm'sbrowserandtheservertospeakSSLv3and

touseavulnerablecipher(inCipherBlockChainingmode).•  ThiscouldbedonebyforcingadowngradeduringtheSSL/TLSnegocia'on.

Applica'onSecurity-Nam.Dinh 37

hkp://www.digitaltsunami.com/2014/10/15/poodle-sslv3-vulnerability/

Page 38: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

ScanSSL

hkps://github.com/hahwul/a2svApplica'onSecurity-Nam.Dinh 38

Page 39: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

14.Helmet

Applica'onSecurity-Nam.Dinh 39

Page 40: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

1.ContentSecurityPolicy•  ContentSecurityPolicyisanW3Cspecifica'onofferingthe

possbilitytoinstructtheclientbrowserfromwhichloca'onand/orwhichtypeofresourcesareallowedtobeloaded.

•  Todefinealoadingbehavior,theCSPspecifica'onuse"direc've"whereadirec'vedefinesaloadingbehaviorforatargetresourcetype.

Applica'onSecurity-Nam.Dinh

hkps://www.html5rocks.com/en/tutorials/security/content-security-policy/

40

Page 41: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

2.expectCt-Bhpkp•  expectCtforhandlingCer'ficateTransparency•  Cer'ficateTransparencyisanopenframeworkformonitoringand

audi'ngthecer'ficatesissuedbyCer'ficateAuthori'esinnearreal-'me.•  ByrequiringaCAtologallcer'ficatestheygenerate.•  Siteownerscanquicklyiden'fymis-issuedcer'ficatesanditbecomes

mucheasiertodetectarogueCA.

•  GoogleannouncedinOctober2016thatallcer9ficatesissuedinOctober2017andbeyondwouldneedtobeloggedinCTorChromewouldnottrustthem.ThismeansthatifyouoperateawebsitethatusesHTTPSyouatleastneedtomakesureyourcer9ficateswillcomplywithChrome'sCTpolicybeforeOctober2017April2018(update)ifyouwantyoursitetoworkinChrome.

hkp://thehackernews.com/2016/04/ssl-cer'ficate-transparency.html

Applica'onSecurity-Nam.Dinh 41

Page 42: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW

Ex:ConfigureWebservertosendcert

Applica'onSecurity-Nam.Dinh 42

Page 43: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW

Applica'onSecurity-Nam.Dinh 43

Page 44: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

3.HTTPPublicKeyPinning

•  IfanakackerisabletocompromiseasingleCA,theycanperformMITMakacksonvariousTLSconnec'ons.

•  HPKPcancircumventthisthreatfortheHTTPSprotocolbytellingtheclientwhichpublickeybelongstoacertainwebserver

Applica'onSecurity-Nam.Dinh

hkps://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

44

Page 45: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

4.noCache-hidePowered

•  noCachetodisableclient-sidecaching.•  hidePoweredtoremovetheX-Powered-Byheader.

Applica'onSecurity-Nam.Dinh 45

Page 46: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

5.hstsforHTTPStrictTransportSecurity

•  Unfortunately,HSTSdoesn’tprotectthefirstrequestevermadebytheusertotheapplica'on.Somebrowsersworkwiththislimita'onbyreferencingapredefinedlistofsitesusingHSTS.

Applica'onSecurity-Nam.Dinh 46

Page 47: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

WOW

hkps://www.nginx.com/blog/hkp-strict-transport-security-hsts-and-nginx/

Applica'onSecurity-Nam.Dinh 47

Page 48: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

6.noSniff-ieNoOpen•  TokeepclientsfromsniffingtheMIMEtype:•  Ifafile’sextension,thesignatureandtheContent-Typediffer,IEwilldeterminetheMIMEtypebyitsfirst256bytes.

•  However,ifanuploadedimagecontainsHTMLand/orJavaScriptcodeandtheuserclicksonalinktodownloadthefile,IEwillexecutethatcode.

•  X-Download-Op9ons:noopen•  FixedonIE8

File.open(“security_logo_en.jpg”,“r”)do|f|puts“rejectfile”iff.read(256)=~/<(.)+>(.)*<\/(.)+>/iEnd

Applica'onSecurity-Nam.Dinh 48

Page 49: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

7.frameguard

•  Topreventclickjacking:•  SendingtheproperX-Frame-Op'onsHTTPresponseheadersthatinstructthebrowsertonotallowframingfromotherdomains.

Applica'onSecurity-Nam.Dinh

hkps://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet49

Page 50: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

8.dnsPrefetchControl

•  ControlsbrowserDNSprefetching.•  Thisimprovesperformancewhentheuserclicksthelink,buthasprivacyimplica'onsforusers.

•  Itcanappearasifauserisvisi'ngthingstheyaren’tvisi'ng.

Applica'onSecurity-Nam.Dinh 50

Page 51: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

9.referrerPolicy•  Websitescanseewhereusersarecomingfrom.

•  no-referrer-when-downgrade(default)•  Theoriginissentasreferrertoa-priorias-much-securedes'na'on(HTTPS->HTTPS),butisn'tsenttoalesssecuredes'na'on(HTTPS->HTTP).

Applica'onSecurity-Nam.Dinh

hkps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

51

Page 52: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

9.xssFilter

ParameterValueMeaning–  0XSSfilterdisabled–  1XSSfilterenabledandsani'zethepageifakackdetected1;mode=block XSSfilterenabledandpreventrenderingthepageifakackdetected1;report=hkp://example.com/report_URI XSSfilterenabledandreporttheviola'onifakackdetected

Applica'onSecurity-Nam.Dinh 52

Page 53: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Ops

Applica'onSecurity-Nam.Dinh 53

Page 54: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

10.HkpOnly

•  NotallowthecookietobeaccessedviaaclientsidescriptsuchasJavaScript.

•  TheHTTPTRACEresponseincludesalltheHTTPheadersincludingauthen'ca'ondataandHTTPcookiecontents,whicharethenavailabletothescript.

•  Canbypassusing:hkps://www.owasp.org/index.php/Cross_Site_Tracing->disableTRACEmethodaswell.

Applica'onSecurity-Nam.Dinh 54

Page 55: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Facebook

Applica'onSecurity-Nam.Dinh 55

Page 56: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Synk

-npminstall–gsnyk-snykwizard

•  Snykcon'nuouslyfindsandfixesvulnerabili'esinyourdependencies.

•  ProtectandmonitoryourJavaScript,RubyandJavaapps

Applica'onSecurity-Nam.Dinh 56

Page 57: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

JsLint•  JSHintscansaprogramwrikeninJavaScriptandreports

aboutcommonlymademistakesandpoten'albugs.•  ESLintdoesn’toffersecurityscanningoutofthebox•  Toinstall:$npminstalleslint$npminstalleslint-plugin-scanjs-rules$npminstalleslint-plugin-no-unsafe-innerhtml•  Downloadrulehkps://github.com/18F/compliance-toolkit/blob/master/configs/sta'c/.eslintrc•  Runeslint.

Applica'onSecurity-Nam.Dinh 57

Page 58: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Tips•  DisablingtheROOTaccountandenablingkeybasedauthen'ca'on.•  Crea'ngalowprivilegeaccountandrunningourservicesunderit.•  SeVngupsystemstoforkourserviceandtorestarttheserviceiftheservershould

reboot.•  ConfiguringaproxyinfrontofourservertohandlefileservingandSSL.•  Obtainingalegi'mateSSLcer'ficateforourservice.•  Helmet.•  Configuringourfirewall.•  Updatelatestso^ware.•  Runscanner.•  Donotshowerror.•  Uninstallunnecessaryservice.•  Checkconfigura'ondefault.•  Developershouldbeawarewebsitesecurity.•  …

Applica'onSecurity-Nam.Dinh 58

Page 59: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Demo&&Q&A

•  Exploitapplica'onandapplybestprac'ces

Applica'onSecurity-Nam.Dinh 59

Page 60: Applicaon Security - hd7exploit.files.wordpress.com · Modules • Web Applicaon Security [season 1] 1. NodeJs Applicaon Security.[3hours] 2. PHP Applicaon Security, Web Applicaon

Reference1.   TheWebApplica/onHacker'sHandbook:Findingand

Exploi/ngSecurityFlaws2ndEdi'on2.   NodejsdesignpaYern2ndEdi/on3.   SecureYourNode.jsWebApplica/on:KeepAYackers

OutandUsersHappy4.  hkps://kb.sucuri.net/warnings/hardening/disable-server-

banners5.  hkps://www.blackhat.com/docs/us-15/materials/us-15-

Siman-The-Node-Js-Highway-Akacks-Are-At-Full-Throkle.pdf

6.  hkps://pdfs.seman'cscholar.org/187d/26258dc57d794ce4badb094e64cf8d3f7d88.pdf

7.  …

Applica'onSecurity-Nam.Dinh 60


Top$Ten$Proac+ve$$ Web$Applicaon$Defenses$ … - Jim... · • Move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct

Top$Ten$Proac+ve$$ Web$Applicaon$Defenses$ … - Jim... · • Move all inline script and style into external scripts • Add the X-Content-Security-Policy response header to instruct

Invest’in’security’ to’secure’investments’ · SAP&Security& $ • Complexity&& $Complexity$kills$security.$Many$differentvulnerabiliHes$in$all$ levels$from$network$to$applicaon$

Invest’in’security’ to’secure’investments’ · SAP&Security& $ • Complexity&& $Complexity$kills$security.$Many$differentvulnerabiliHes$in$all$ levels$from$network$to$applicaon$

D.Eng2 Info Session slides 11.6.15-2...The’George’Washington’University’! Doctor’of’Engineering’ " Engineering’Management " D.Eng.Logiscs " Applicaon’ " GW’Contacts’

D.Eng2 Info Session slides 11.6.15-2...The’George’Washington’University’! Doctor’of’Engineering’ " Engineering’Management " D.Eng.Logiscs " Applicaon’ " GW’Contacts’

TimeAllowed-3Hours TXNG

TimeAllowed-3Hours TXNG

Applicaon*Lifecycle* Intelligence:*Splunking* the*Product … · 2017-10-13 · Key*Benefits*of*Applicaon*Lifecycle*Intelligence* * * * * * * Reduced*Time* to*Market Shrink*the*@me*ittakes*

Applicaon*Lifecycle* Intelligence:*Splunking* the*Product … · 2017-10-13 · Key*Benefits*of*Applicaon*Lifecycle*Intelligence* * * * * * * Reduced*Time* to*Market Shrink*the*@me*ittakes*

The$Anatomy$of$a$ Secure$Web$Applicaon$$ Using$Java...JEE Security Realm Provider Proxy jar. Put mykeystore in the indicated place ApacheCon NA 2015 23 Step 3: Enable Java EE Security

The$Anatomy$of$a$ Secure$Web$Applicaon$$ Using$Java...JEE Security Realm Provider Proxy jar. Put mykeystore in the indicated place ApacheCon NA 2015 23 Step 3: Enable Java EE Security

TimeAllowed-3Hours cvw - Studycafe · TimeAllowed-3Hours Total No. of Printed Pages - 12 Maximum Marks - 100 cvw r- Answers to questions are to be given only in English except in

TimeAllowed-3Hours cvw - Studycafe · TimeAllowed-3Hours Total No. of Printed Pages - 12 Maximum Marks - 100 cvw r- Answers to questions are to be given only in English except in

TimeAllowed-3Hours ACC6Uf{TS[qG BML

TimeAllowed-3Hours ACC6Uf{TS[qG BML

Topic&5&–Transport Transportservices&and&protocols& · Topic5& 2 6 applicaon& transport network& link& physical& P1 applicaon& transport network& link& physical& applicaon& transport

Topic&5&–Transport Transportservices&and&protocols& · Topic5& 2 6 applicaon& transport network& link& physical& P1 applicaon& transport network& link& physical& applicaon& transport

cen84959 ch01.qxd 3/31/05 3:38 PM Page 4 Applicaon Areas“Termodinamik, Mühendislik Yaklaşımıyla”, kitabındanof Weights and MeasuresalınmışRr. Applicaon Areas A number of

cen84959 ch01.qxd 3/31/05 3:38 PM Page 4 Applicaon Areas“Termodinamik, Mühendislik Yaklaşımıyla”, kitabındanof Weights and MeasuresalınmışRr. Applicaon Areas A number of

Theory and Applicaon of Gas Turbine SystemsTheory and Applicaon of Gas Turbine Systems Part I: ... over 1 GW of sha power and 40% efficiency) ... depends on forward speed and al>tudekshollen/GasTurbine/Lecture_GT_Part_I.pdf ·

Theory and Applicaon of Gas Turbine SystemsTheory and Applicaon of Gas Turbine Systems Part I: ... over 1 GW of sha power and 40% efficiency) ... depends on forward speed and al>tudekshollen/GasTurbine/Lecture_GT_Part_I.pdf ·

Parameter Pollution in Connection Strings Attack€¦ · • MySQL – Does not support Integrated security – It´s possible to manipulate the behavior of the web applicaon, although

Parameter Pollution in Connection Strings Attack€¦ · • MySQL – Does not support Integrated security – It´s possible to manipulate the behavior of the web applicaon, although

dr. brandt poredermabrasion - Sephora · 2015-06-22 · dr. brandt® poredermabrasion™ In-Vivo Test Before & After Pictures! A"er%1%applicaon% Before Before A"er%1%applicaon% Aer4weeks%

dr. brandt poredermabrasion - Sephora · 2015-06-22 · dr. brandt® poredermabrasion™ In-Vivo Test Before & After Pictures! A"er%1%applicaon% Before Before A"er%1%applicaon% Aer4weeks%

Live*Demonstraon:*Bypassing*Applicaon* WhitelisFng*And ......Overview IntroducFon* AWack*Methodology* Applicaon*WhitelisFng*Overview* The*Setup* The*AWack* The*DetecFon* Quesons

Live*Demonstraon:*Bypassing*Applicaon* WhitelisFng*And ......Overview IntroducFon* AWack*Methodology* Applicaon*WhitelisFng*Overview* The*Setup* The*AWack* The*DetecFon* Quesons

Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security… · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

Injec&ng(evil(code(in(your(SAP(J2EE(systems:( Security… · Business!applicaon! security!expert Yetanother!security! researcher! erpscan.com ERPScan—investinsecuritytosecureinvestments

20Canada Post Awards for Indigenous Students Applicaon ... · 2020 Canada Post Awards for Indigenous Students – Applicaon Form Deadline: August 31, 2020 INSTRUCTIONS 1. Write an

20Canada Post Awards for Indigenous Students Applicaon ... · 2020 Canada Post Awards for Indigenous Students – Applicaon Form Deadline: August 31, 2020 INSTRUCTIONS 1. Write an

Theory and Applicaon of Gas Turbine Systemskshollen/GasTurbine/Lecture_GT_Part_IV.pdfTheory and Applicaon of Gas Turbine Systems Part IV: Axial and Radial Flow Turbines Munich Summer

Theory and Applicaon of Gas Turbine Systemskshollen/GasTurbine/Lecture_GT_Part_IV.pdfTheory and Applicaon of Gas Turbine Systems Part IV: Axial and Radial Flow Turbines Munich Summer

iOS Applicaon (In)Security OWASP: Google Ireland March 2012 · – “Audi*ng iPhone and iPad Applicaons” by Ilja van Sprundel – “Secure Development on iOS” by David Thiel

iOS Applicaon (In)Security OWASP: Google Ireland March 2012 · – “Audi*ng iPhone and iPad Applicaons” by Ilja van Sprundel – “Secure Development on iOS” by David Thiel

Canadian Residency Applicaon for IMG’summssinternational.weebly.com/uploads/5/0/0/6/50068495/internship... · Canadian Residency Applicaon for IMG’s ... – Paediatrics ... –

Canadian Residency Applicaon for IMG’summssinternational.weebly.com/uploads/5/0/0/6/50068495/internship... · Canadian Residency Applicaon for IMG’s ... – Paediatrics ... –

Web Applicaon Security: from Stac Analysis to Dynamic ...mpc/talks/miguel... · • Distributed Systems Group (GSD) – 12 IST faculty, ~30 PhD students, ~40 MSC students, 3 EC projects

Web Applicaon Security: from Stac Analysis to Dynamic ...mpc/talks/miguel... · • Distributed Systems Group (GSD) – 12 IST faculty, ~30 PhD students, ~40 MSC students, 3 EC projects