Effective approaches to web application security
Uploaded by zane-lackey
Who am I?
• Security Engineering Manager @ Etsy – Lead AppSec/NetSec/SecEng/RiskEng teams
• Formerly @ iSEC Partners
• Books/presentations primarily focused on application and mobile security
What is Etsy?
Online marketplace for creative independent businesses
Scale at Etsy
1.5B pageviews/mo, 40M uniques/mo, #50 by US traffic*
* November 2012, Alexa site ranking
About this talk
Real world approaches to web application security challenges
Specifically, techniques that are simple and effective
Continuous deployment?
<- What it (hopefully) isn't (slide image)
Three words: iterate, iterate, iterate
Etsy pushes to production 30 times a day on average
(dogs push too)
But doesn't the rapid rate of change mean things are less secure?!
Actually, the opposite is true
Being able to deploy quickly is our #1 security feature
Compared to:
"We'll rush that security fix. It will go out … in about 6 weeks."
- Former vendor at Etsy
What it boils down to (spoiler alert)
• Make things safe by default
• Detect risky functionality / Focus your efforts
• Automate as much as you can
• Know when the house is burning down
Safe by default
How have the traditional defenses for XSS worked out?
Safe by default
• Problems?
  – Often done on a per-input basis
    • Easy to miss an input or output
  – May use defenses in the wrong context
    • Input validation pattern may block full HTML injection, but not injecting inside JS
  – May put defenses on the client side in JS
  – Etc …
These problems miss the point
Safe by default
• The real problem is that it's hard to find where protections have been missed
• How can we change our approach to make it simpler?
Safe by default
Input validation / Output encoding
Safe by default
Encode dangerous HTML characters to HTML entities at the very start of your framework
To repeat… before input reaches main application code
Safe by default
On the surface this doesn't seem like much of a change
Safe by default
Except, we've just made lots of XSS problems grep-able
Safe by default
Now we look for a small number of patterns:
• HTML entity decoding functions or explicit string replacements
• Data in formats that won't be sanitized
  – Ex: Base64 encoded, double URL encoded, etc
• Code that opts out of platform protections
Safe by default
Fundamentally shifts us:
From: "Where is my app missing protections?" (hard)
To: "Where is it made deliberately unsafe?" (easy)
Safe by default
Obviously not a panacea
– DOM based XSS
– javascript: URLs
– Can be a pain during internationalization efforts
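An added illustration of the entry-point encoding idea (not code from the talk or from Etsy's framework): the hypothetical Request class below encodes every parameter before application code runs, and its single opt-out method, together with the decoder patterns, is what the later grep looks for. The pattern list is an assumption about what "opting out" looks like in a PHP/Python codebase.

```python
import html
import re
from typing import Any, Dict, List, Tuple


def encode_value(value: Any) -> Any:
    """HTML-entity encode every string in a request, recursing into lists/dicts."""
    if isinstance(value, str):
        return html.escape(value, quote=True)   # & < > " ' become entities
    if isinstance(value, list):
        return [encode_value(v) for v in value]
    if isinstance(value, dict):
        return {k: encode_value(v) for k, v in value.items()}
    return value


class Request:
    """Hypothetical framework request object: encoding happens here, in the
    constructor, before any application code can read a parameter."""

    def __init__(self, params: Dict[str, Any]):
        self._raw = params                   # what the client actually sent
        self.params = encode_value(params)   # what application code sees

    def unsafe_raw_param(self, name: str) -> Any:
        """The one deliberate opt-out. Its name is what you grep for."""
        return self._raw.get(name)


# Patterns that undo or bypass the entry-point encoding.  Each hit marks a place
# the app was made unsafe on purpose, so each one deserves a review.
OPT_OUT_PATTERNS = [
    r"\.unsafe_raw_param\(",                              # our explicit opt-out
    r"html_entity_decode\(|htmlspecialchars_decode\(",    # PHP decoders
    r"html\.unescape\(",                                  # Python decoder
    r"base64_decode\(|b64decode\(",      # data arriving in a form the entry
    r"urldecode\(|unquote\(",            # encoding could not see through
]


def find_opt_outs(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line matching an opt-out pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(re.search(p, line) for p in OPT_OUT_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed application snippet (not Etsy's code) to run the scan against.
SAMPLE_SOURCE = """\
title = req.params["title"]                    # safe: already encoded
body = req.unsafe_raw_param("body")            # opt-out: review it
blob = base64.b64decode(req.params["blob"])    # decoded after the entry step
"""
```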
Focus your efforts
• Continuous deployment means code ships fast
• Things will go out the door before the security team knows about them
• How can we detect high risk functionality?
Detect risky functionality
• Know when sensitive portions of the codebase have been modified
• Build automatic change alerting on the codebase
  – Identify sensitive portions of the codebase
  – Create automatic alerting on modifications
Detect risky functionality
• Doesn't have to be complex to be effective
• Approach:
  – sha1sum sensitive platform level files
  – Unit tests alert if the hash of the file changes
  – Notifies security team on changes, drives code review
Detect risky functionality
• At the platform level, watching for changes to site-wide sensitive functionality
  – CSRF defenses
  – Session management
  – Encryption wrappers
  – Login/Authentication
  – Etc
Detect risky functionality
• At the feature level, watching for changes to specific sensitive methods
• Identifying these methods is part of the initial code review/pen test of new features
Detect risky functionality
• Watch for dangerous functions
• Usual candidates:
  – File system operations
  – Process execution/control
  – Encryption / Hashing
  – Etc
Detect risky functionality
• Unit tests watch the codebase for dangerous functions
  – Split into separate high risk/low risk lists
• Alerts are emailed to the appsec team, drive code reviews
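Both checks from the slides above (pinned hashes of sensitive platform files, and high/low risk dangerous-function lists) as one added example; this is not Etsy's unit test code, and the PHP file names, the pattern lists and the sample tree are constructed for the demonstration. The preg_replace pattern assumes a `/` delimiter.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_sensitive_files(manifest: Dict[str, str]) -> List[str]:
    """Paths whose current sha1 differs from the pinned one (or that vanished).
    The manifest is re-pinned by the security team after each reviewed change."""
    changed = []
    for path, pinned in manifest.items():
        current = sha1_of(path) if os.path.exists(path) else "missing"
        if current != pinned:
            changed.append(path)
    return changed


# High risk: process execution and code evaluation, including preg_replace()
# with the /e modifier.  Low risk: file system and crypto/hash primitives.
HIGH_RISK = [r"\bexec\(", r"\bsystem\(", r"\bpassthru\(", r"\bshell_exec\(",
             r"\beval\(", r"preg_replace\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]"]
LOW_RISK = [r"\bfopen\(", r"\bfile_put_contents\(", r"\bunlink\(",
            r"\bmd5\(", r"\bmcrypt_"]


def scan_for_dangerous_calls(root: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Walk a PHP tree; return {'high': [...], 'low': [...]} of (file, line, text)."""
    findings: Dict[str, List[Tuple[str, int, str]]] = {"high": [], "low": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, start=1):
                    for level, patterns in (("high", HIGH_RISK), ("low", LOW_RISK)):
                        if any(re.search(p, line) for p in patterns):
                            findings[level].append((path, lineno, line.strip()))
                            break   # report the most severe level only
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree (not Etsy's code) with one risky file."""
    root = tempfile.mkdtemp()
    files = {
        "lib/csrf.php": "<?php function csrf_check($t) { return hash_equals($_SESSION['t'], $t); }\n",
        "lib/image.php": "<?php $out = preg_replace('/(.*)/e', 'strtoupper(\"\\\\1\")', $in);\n"
                         "$fh = fopen($path, 'r');\n",
        "www/index.php": "<?php echo 'hello';\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


def demo():
    """Pin the CSRF file, modify it, and scan the tree for dangerous calls."""
    root = build_sample_tree()
    csrf = os.path.join(root, "lib", "csrf.php")
    manifest = {csrf: sha1_of(csrf)}
    before = changed_sensitive_files(manifest)
    with open(csrf, "a") as f:
        f.write("// a change that has not been reviewed yet\n")
    after = changed_sensitive_files(manifest)
    return before, after, scan_for_dangerous_calls(root)
```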
Detect risky functionality
• Find out about unused but reachable pages
• Any files still reachable but barely requested are probably old or "temporary" code
  – aka a goldmine of vulnerabilities
Detect risky functionality
1. Walk DocumentRoot, build list of files
2. Compare each file against access log
3. Alert on any files accessed < X times in the last 30 days
Identified files are worth a manual review, can likely be removed entirely
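The three steps above as an added, runnable example (not the talk's script): walk a document root, count requests per path from combined-format access log lines, and report files requested fewer than X times in the window. The document root, the log lines and the threshold are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Combined log format, e.g.
# 10.0.0.1 - - [01/Aug/2012:16:37:41 +0000] "GET /members/x/payments HTTP/1.1" 200 512
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<path>[^ ?"]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def request_counts(log_lines: Iterable[str], since: datetime) -> Counter:
    """Requests per path (query string dropped), ignoring entries older than `since`."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if datetime.strptime(m.group("ts"), TS_FMT) < since:
            continue
        counts[m.group("path")] += 1
    return counts


def rarely_requested_files(docroot: str, log_lines: Iterable[str], now: datetime,
                           threshold: int = 5, days: int = 30,
                           exts: Tuple[str, ...] = (".php",)) -> List[Tuple[str, int]]:
    """Step 1-3: walk DocumentRoot, compare with the log, flag files under threshold."""
    counts = request_counts(log_lines, now - timedelta(days=days))
    suspects = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.endswith(exts):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            url = "/" + rel.replace(os.sep, "/")
            if counts[url] < threshold:
                suspects.append((url, counts[url]))
    return sorted(suspects)


def build_sample():
    """Constructed docroot and log: an old upload test page is barely hit in-window."""
    docroot = tempfile.mkdtemp()
    for rel in ("index.php", "checkout.php", "old/test_upload.php", "css/site.css"):
        path = os.path.join(docroot, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    now = datetime(2012, 9, 1, tzinfo=timezone.utc)

    def line(path: str, age_days: int) -> str:
        ts = (now - timedelta(days=age_days)).strftime(TS_FMT)
        return f'10.0.0.1 - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("/index.php", d) for d in range(6)]
    lines += [line("/checkout.php?step=2", d) for d in range(5)]
    lines += [line("/old/test_upload.php", 2)]
    lines += [line("/old/test_upload.php", 40)] * 3   # outside the 30-day window
    return docroot, lines, now
```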
Detect risky functionality
• Monitor application traffic
• Purpose is twofold:
  – Detecting risky functionality that was missed by earlier processes
  – Groundwork for attack detection and verification
Detect risky functionality
• Regex incoming requests at the framework
  – Sounds like a performance nightmare, shockingly isn't
• Look for HTML/JS in the request
  – This creates a huge number of false positives
  • That's by design, we refine the search later
Detect risky functionality
• We deliberately want to cast a wide net to see HTML entering the application
• From there, build a baseline of HTML
  – Entering the application in aggregate
  – Received by specific endpoints
Detect risky functionality
What to watch for:
– Did a new endpoint suddenly show up?
  • A new risky feature might've just shipped
– Did the amount of traffic containing HTML just go up significantly?
  • Worth investigating
Detect risky functionality
Aggregate increased, time to investigate (graph)
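The wide-net regex plus the two baseline checks from the preceding slides, as an added example that is not Etsy's monitoring code: a deliberately broad HTML/JS pattern counts per-endpoint hits, and the comparison flags a new endpoint receiving HTML and an aggregate jump. Endpoints, requests and the growth factor are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Deliberately broad: any tag-like token, javascript: URL or on*= handler.
# The false-positive rate is high by design; the baseline does the refining.
HTML_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|javascript:|\bon[a-z]+\s*=", re.I)

Request = Tuple[str, Dict[str, str]]   # (endpoint, parameters)


def html_counts(requests: Iterable[Request]) -> Counter:
    """Number of requests per endpoint that carried HTML/JS in any parameter."""
    counts: Counter = Counter()
    for endpoint, params in requests:
        if any(HTML_RE.search(v) for v in params.values()):
            counts[endpoint] += 1
    return counts


def compare_to_baseline(baseline: Counter, current: Counter,
                        growth: float = 2.0, min_hits: int = 5) -> List[str]:
    """Alert on endpoints newly receiving HTML and on an aggregate increase."""
    alerts = []
    for endpoint, n in current.items():
        if endpoint not in baseline and n >= min_hits:
            alerts.append(f"new endpoint receiving HTML: {endpoint} ({n} requests)")
    base_total, cur_total = sum(baseline.values()), sum(current.values())
    if base_total and cur_total >= growth * base_total:
        alerts.append(f"aggregate HTML traffic up: {base_total} -> {cur_total}")
    return alerts


def sample_window(listing_edits: int, forum_posts: int, searches: int) -> List[Request]:
    """Constructed traffic for one window (not real Etsy requests)."""
    reqs: List[Request] = [("/listings/edit", {"description": "<b>handmade</b> mug"})] * listing_edits
    reqs += [("/forums/post", {"body": "<p>hi</p>"})] * forum_posts
    reqs += [("/search", {"q": "ceramic mugs"})] * searches
    return reqs


# Last week's baseline versus today's window, where a forum feature just shipped.
BASELINE = html_counts(sample_window(10, 0, 50))
CURRENT = html_counts(sample_window(12, 8, 50))
```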
Automate as much as you can
• Automate finding simple issues to free up resources for more complex tasks
• Use attacker traffic to automatically drive testing
• We call it Attack Driven Testing
Automate as much as you can
• Some cases where this is useful:
  – Application faults
  – Reflected XSS
  – SQLi
Automate as much as you can
• Application faults (HTTP 5xx errors)
• As an attacker, these are one of the first signs of weakness in an app
  – As a defender, pay attention to them!
Automate as much as you can
• Just watching for 5xx errors results in a lot of ephemeral issues that don't reproduce
• Instead:
  – Grab the last X hours' worth of 5xx errors from access logs
  – Replay the original request
  – Alert on any requests which still return a 5xx
Automate as much as you can
• Cron this script to run every few hours
• If a request still triggers an application fault hours later, it's worth investigating
Automate as much as you can
• Similar methodology for verifying reflected XSS
• For reflected XSS we:
  – Identify requests containing basic XSS payloads
  – Replay the request
  – Alert if the XSS payload executed
Automate as much as you can
• Basic payloads commonly used in testing for XSS:
  – alert()
  – document.write()
  – unescape()
  – String.fromCharCode()
  – etc
Automate as much as you can
We created a tool to use NodeJS as a headless browser for verification
Automate as much as you can
Test webserver (diagram):
1. Fetch URL containing potential XSS
2. Page contents returned to a temp buffer, not interpreted yet
3. Inject our instrumented JS into page contents (our JS + page contents)
4. Combination of instrumented JS + page contents interpreted
5. If instrumented JS is executed, alert appsec team for review
Automate as much as you can
• Sample instrumented JS:

```javascript
(function() {
  // Keep a reference to the real alert(); any payload that reaches alert()
  // now navigates to a marker URL the test harness can look for instead.
  var proxiedAlert = window.alert;
  window.alert = function() {
    location = "XSSDETECTED";
  };
})();
```
Automate as much as you can
• Open sourced NodeJS tool
  – https://github.com/zanelackey/projects
• Combine this approach with driving a browser via Watir/Selenium
  – Make sure to use all major browsers
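The "grab, replay, alert" harness shared by the 5xx-replay and reflected-XSS slides above, as one added example (not the cron script or the NodeJS tool from the talk). Log records, the HTTP client and the headless browser are replaced by constructed stand-ins so it runs offline; the hook it injects is the instrumented JS from the slide, and real verification needs the actual headless tool in place of `simulated_headless`.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List
from urllib.parse import unquote_plus

Record = Dict[str, Any]   # one parsed access-log entry: time, url, status


def recent_5xx(records: List[Record], now: datetime, hours: int = 6) -> List[Record]:
    """Application faults from the last `hours` hours of the access log."""
    since = now - timedelta(hours=hours)
    return [r for r in records if 500 <= r["status"] < 600 and r["time"] >= since]


# Basic payload fragments the talk lists.  The URL is decoded twice so a
# double-URL-encoded parameter does not slip past the check.
XSS_MARKERS = re.compile(
    r"alert\(|document\.write\(|unescape\(|String\.fromCharCode\(", re.I)


def xss_candidates(records: List[Record]) -> List[Record]:
    return [r for r in records
            if XSS_MARKERS.search(unquote_plus(unquote_plus(r["url"])))]


def still_faulting(candidates: List[Record],
                   fetch_status: Callable[[str], int]) -> List[Record]:
    """Re-issue each request; keep those that still answer with a 5xx."""
    return [r for r in candidates if fetch_status(r["url"]) >= 500]


# The hook from the slide, prepended so it runs before anything on the page.
INSTRUMENTED_JS = ('<script>(function(){var proxiedAlert=window.alert;'
                   'window.alert=function(){location="XSSDETECTED";};})();</script>')


def instrument(page_html: str) -> str:
    """Step 3 of the test webserver: our JS + page contents, not yet interpreted."""
    return INSTRUMENTED_JS + page_html


def confirmed_xss(candidates: List[Record], fetch_body: Callable[[str], str],
                  run_headless: Callable[[str], str]) -> List[Record]:
    """Buffer the page, inject the hook, interpret, and check where it ended up."""
    hits = []
    for r in candidates:
        final_location = run_headless(instrument(fetch_body(r["url"])))
        if "XSSDETECTED" in final_location:
            hits.append(r)
    return hits


# Constructed sample records and stand-ins for the network and the browser.
NOW = datetime(2012, 8, 1, 16, 0)
SAMPLE: List[Record] = [
    {"time": NOW - timedelta(hours=1), "status": 200,
     "url": "/listings/123?ref=%3Cscript%3Ealert(1)%3C/script%3E"},
    {"time": NOW - timedelta(hours=2), "status": 500, "url": "/cart/add?id=-1"},
    {"time": NOW - timedelta(hours=3), "status": 500, "url": "/search?q=mugs"},
    {"time": NOW - timedelta(hours=30), "status": 500, "url": "/cart/add?id=-1"},
]


def fake_fetch_status(url: str) -> int:
    """HTTP client stand-in: the cart fault persists, the search one was transient."""
    return 500 if url.startswith("/cart/") else 200


def fake_fetch_body(url: str) -> str:
    """Stand-in for a page that reflects its `ref` parameter without encoding."""
    return "<html>" + unquote_plus(url.split("ref=", 1)[1]) + "</html>"


def simulated_headless(html: str) -> str:
    """Stand-in for the NodeJS headless browser: returns the final location."""
    return "XSSDETECTED" if "<script>alert(" in html else "/"
```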
Know when the house is burning down
Graph early, graph often
Which of these is a quicker way to spot a problem?
[two slide images]
Know when the house is burning down
• Methodology:
  – Instrument application to collect data points
  – Fire them off to an aggregation backend
  – Build individual graphs
  – Combine groups of graphs into dashboards
• We've open sourced our instrumentation library
  – https://github.com/etsy/statsd
[dashboard screenshots]
Know when the house is burning down
Now we can visually spot attacks
But who's watching at 4AM?
Know when the house is burning down
• In addition to data visualizations, we need automatic alerting
• Look at the raw data to see if it exceeds certain thresholds
• Works well for graphs like this…
[graph screenshot]
But not like this…
[graph screenshot]
Know when the house is burning down
• We need to smooth out graphs that follow usage pagerns
• Use exponen%al smoothing formulas like Holt-‐Winters
• Math is hard, let’s look at screenshots!
[smoothed graph screenshot]
Know when the house is burning down
• Now that we've smoothed out the graphs…
• Use the same approach as before:
  – Grab the raw data
  – Look for values above/below a set threshold
  – Alert
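An added worked example of the smoothing-then-threshold approach (not Etsy's alerting code): additive Holt-Winters one-step forecasts over a constructed metric with a daily usage pattern, alerting when the actual value strays more than a set tolerance from the forecast. The series, the season length of 4 buckets and the smoothing constants are assumptions; the fixed-threshold rule is included to show the case it misses.

```python
from typing import List, Tuple


def holt_winters_alerts(series: List[float], season: int, tolerance: float,
                        alpha: float = 0.3, beta: float = 0.05,
                        gamma: float = 0.2) -> List[Tuple[int, float, float]]:
    """Additive Holt-Winters: forecast each point from level + trend + seasonal
    index, then alert when |actual - forecast| > tolerance.  The first season
    only initialises the state, so alerts start at index `season`.
    Returns (index, actual, forecast) for each alert."""
    if len(series) < 2 * season:
        raise ValueError("need at least two seasons of data")
    level = sum(series[:season]) / season
    trend = (sum(series[season:2 * season]) - sum(series[:season])) / (season * season)
    seasonal = [x - level for x in series[:season]]
    alerts = []
    for t in range(season, len(series)):
        idx = t % season
        forecast = level + trend + seasonal[idx]
        actual = series[t]
        if abs(actual - forecast) > tolerance:
            alerts.append((t, actual, round(forecast, 2)))
        # Standard additive update equations.
        new_level = alpha * (actual - seasonal[idx]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[idx] = gamma * (actual - new_level) + (1 - gamma) * seasonal[idx]
        level = new_level
    return alerts


def fixed_threshold_alerts(series: List[float], threshold: float) -> List[int]:
    """The simpler rule from the earlier slides: raw value above a set line."""
    return [i for i, x in enumerate(series) if x > threshold]


# Constructed metric (e.g. failed logins per 6-hour bucket): a repeating daily
# shape of [20, 60, 90, 40] over eight days with two injected anomalies, one at
# the quiet bucket (24) and one at a busy bucket (29).
DAILY_SHAPE = [20, 60, 90, 40]
SAMPLE_SERIES: List[float] = DAILY_SHAPE * 8
SAMPLE_SERIES[24] = 150   # quiet-hour spike: well under any sane fixed line
SAMPLE_SERIES[29] = 400   # busy-hour spike
```

With tolerance 50 the Holt-Winters rule flags both spikes, while a fixed line at 300 sees only the second one.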
Know when the house is burning down
Have the ability to quickly/easily correlate events
Know when the house is burning down
• Global Request IDs

```php
<?php
global $request_uuid;
// Expose the per-request id to Apache so LogFormat can write it into the access log
apache_note('request_uuid', $request_uuid);
```
Know when the house is burning down

```
[01/Aug/2012:16:37:41 +0000] "GET /members/twokb/payments HTTP/1.1" 200 "https://XXX/members/twokb" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11" MF9JqDVpY93VOMreyvI2UC24wRjT
[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX] [kbarry] about to call shop_get_data for shop: [5971709]
[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX_audit] [kbarry] action="view_payments" staff="kbarry" user_id="5597626" section="payment_info"
```
Know when the house is burning down
Alert on events that (should) never happen
Successful attacks don't happen in a vacuum! They generate signals
Know when the house is burning down
1. Identify the signals associated with a vulnerability class
2. Alert when a signal occurs
3. Fix the identified weaknesses
Know when the house is burning down
Two examples: SQLi and code execution
Know when the house is burning down
• The road to exploited SQLi is littered with broken queries
1. Watch the logs for SQL syntax errors
2. Alert when they appear
3. Fix the lack of validation allowing the error
Know when the house is burning down
• Further along the attack process, a SQLi attack looks like… your database
• Sensitive DB table names shouldn't be showing up in requests
  – Alert if they do!
• aka the "Two hours until the db is up on pastebin" alert
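The two SQLi signals above as an added detection example (not Etsy's alerting): one check watches log lines for database syntax errors, the other watches decoded request URLs for your own sensitive table names. The error phrases, table names and sample lines are constructed; requests are URL-decoded twice so double encoding does not hide a name.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote_plus

# Signal 1: broken queries, as the database reports them in the app/db logs.
# Phrases from MySQL and SQL Server; extend for whatever your database emits.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|Unknown column|Unclosed quotation mark", re.I)

# Signal 2: your own sensitive table names appearing in a request.  Nothing
# legitimate sends these, so a single hit is worth an alert.
SENSITIVE_TABLES = ("users_pii", "payment_methods", "api_keys")   # constructed names
TABLE_RE = re.compile(r"\b(" + "|".join(map(re.escape, SENSITIVE_TABLES)) + r")\b", re.I)


def sql_error_signals(log_lines: Iterable[str]) -> List[str]:
    """Log lines that indicate a query broke; each one is a validation gap to fix."""
    return [line for line in log_lines if SQL_ERROR_RE.search(line)]


def table_name_signals(request_urls: Iterable[str]) -> List[Tuple[str, str]]:
    """(url, table) for every request whose decoded URL names a sensitive table."""
    hits = []
    for url in request_urls:
        decoded = unquote_plus(unquote_plus(url))
        m = TABLE_RE.search(decoded)
        if m:
            hits.append((url, m.group(1).lower()))
    return hits


# Constructed sample input (not real logs or traffic).
SAMPLE_DB_LOG = [
    "[Wed Aug 01 16:38:01 2012] [db] query ok: SELECT id FROM listings WHERE shop_id = 1001 (2ms)",
    "[Wed Aug 01 16:38:02 2012] [db] You have an error in your SQL syntax; check the manual "
    "that corresponds to your MySQL server version for the right syntax to use near ''' at line 1",
]
SAMPLE_REQUESTS = [
    "/search?q=ceramic+mugs",
    "/users/profile",                 # 'users' alone is not a sensitive table
    "/export?table=users_pii",
    "/report?t=%2575sers_pii",        # double URL encoded 'users_pii'
]
```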
Know when the house is burning down
A funny story about a code execution vuln…
Know when the house is burning down
• preg_replace() in PHP has an interesting modifier
"e (PREG_REPLACE_EVAL) If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string."
Know when the house is burning down
What do the signals for this look like?
[slide image]
Know when the house is burning down
You can't fix what you're not alerting on
![Page 97: Effective approaches to web application security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ba282b4c905ae618b4b91/html5/thumbnails/97.jpg)
Conclusions
![Page 98: Effective approaches to web application security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ba282b4c905ae618b4b91/html5/thumbnails/98.jpg)
![Page 99: Effective approaches to web application security](https://reader034.fdocuments.in/reader034/viewer/2022052522/554ba282b4c905ae618b4b91/html5/thumbnails/99.jpg)
Have the ability to deploy/respond quickly
• Make things safe by default
• Focus your efforts / Detect risky functionality
• Automate as much as you can
• Know when the house is burning down
References / Thanks
• DevOpsSec: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
• Special Thanks: Nick Galbreath, Dan Kaminsky, Marcus Barczak