Beating the Pentester
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
Boy Baukema, Senior Application Security Consultant
Adrian H., Pentester
Adrian H., Enemy nr. 1
Agenda
• Introduction
• Bare fists
• Baseball bats (Lucille)
• Assorted items
• Conclusions
Attack: Known Vulnerabilities
Every layer of the stack carries its own published vulnerabilities, not just your code:
• Your application / Other applications
• Framework / (Composer) Libraries
• PHP Interpreter
• Webserver (Apache, Nginx) / Other services
• Operating System
Top of the charts
https://snyk.io/blog/owasp-top-10-breaches/
Defense: Monitoring & patching
• Monitor security patches for third party software
• Be prepared to fix rapidly (DevOps)
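Monitoring only helps if it is automated and fails the build. The script below is an added example, not code from the talk or from Veracode: it reads the versions pinned in composer.lock and compares them against a list of affected version ranges. The lock-file excerpt and the advisory entries (package names and "EXAMPLE-2017-…" ids) are constructed for illustration; a real job would pull them from an advisory feed such as the FriendsOfPHP security-advisories repository. Assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): flag composer.lock packages whose
// pinned version falls inside a known-vulnerable range. Lock file excerpt
// and advisories below are CONSTRUCTED for illustration.

// Constructed composer.lock excerpt (only the fields we need).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "acme/example-orm",    "version": "v2.3.1"},
    {"name": "acme/example-mailer", "version": "1.0.4"},
    {"name": "acme/example-logger", "version": "3.1.0"}
  ],
  "packages-dev": [
    {"name": "acme/example-test",   "version": "0.9.0"}
  ]
}
JSON;

// Constructed advisories: package => list of [affected-from, fixed-in, id].
// A version is affected when from <= version < fixed-in.
$advisories = [
    'acme/example-orm'    => [['2.0.0', '2.3.2', 'EXAMPLE-2017-001']],
    'acme/example-mailer' => [['1.0.0', '1.0.4', 'EXAMPLE-2017-002']],
];

/** Normalise a Composer version string ("v2.3.1" -> "2.3.1") for version_compare(). */
function normaliseVersion(string $v): string
{
    return ltrim($v, 'v');
}

/**
 * Return [package, version, advisory id] for every pinned package,
 * dev dependencies included, whose version lies in an affected range.
 */
function findVulnerable(string $lockJson, array $advisories): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $hits = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name    = $pkg['name'];
            $version = normaliseVersion($pkg['version']);
            foreach ($advisories[$name] ?? [] as [$from, $fixed, $id]) {
                if (version_compare($version, $from, '>=')
                    && version_compare($version, $fixed, '<')) {
                    $hits[] = [$name, $version, $id];
                }
            }
        }
    }
    return $hits;
}

$hits = findVulnerable($lockJson, $advisories);
foreach ($hits as [$name, $version, $id]) {
    printf("VULNERABLE %s %s (%s)\n", $name, $version, $id);
}
// Non-zero exit makes the CI job fail until the dependency is updated.
exit($hits === [] ? 0 : 1);
```

Note the boundary case in the constructed data: the mailer is pinned at exactly the fixed-in version, so the half-open range check must treat it as safe; an off-by-one here either spams the team or hides a real hit.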
Docker effect
Once you ship a container, every layer becomes yours to patch:
• Your application
• Your Framework / Your (Composer) Libraries
• Your PHP Interpreter
• Your Webserver (Apache, Nginx)
• Your other services
• Operating System
I blame Doug McIlroy, and so should you
Write programs to handle text streams, because that is a universal interface.
― Doug McIlroy
APPLICATION
Every interface around the application is a text stream, and each one is an injection context of its own.
Output contexts:
• Angular templates
• Content
• CSS
• CSV
• HTTP Header
• HTML
• JavaScript / JSON
• URL
• XML
• …
Downstream systems:
• CSV
• Database (ORM)
• File paths
• HTTP
• LDAP
• Logs (syslog)
• Memcached
• Shell
• Solr
• …
In-process interpreters:
• Eval
• Math
• Sprintf
• Regexp
• …
Defense: Separation of Concerns & Contextual encoding ALAP (as late as possible)
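"As late as possible" means the view, not the model: keep the raw value and pick the encoder at the moment you know which context it lands in. The following is an added example, not code from the talk, showing one untrusted string rendered into four contexts, plus the plain json_encode output that the "JSON </script> injection" in the deprecated-attacks list relied on. The untrusted input is constructed; assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): one untrusted value, encoded per
// output context at render time. The input below is CONSTRUCTED.

$untrusted = '</script><img src=x onerror=alert(1)>"\'&';

/**
 * HTML text node, or a value inside a *quoted* HTML attribute.
 * ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string (which would silently drop data).
 */
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Data embedded in an inline <script> block. Plain json_encode leaves
 * "</script>" intact, which closes the script element early; JSON_HEX_TAG
 * turns < and > into \u003C and \u003E so the HTML parser never sees them.
 */
function encodeJs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** A single query-string parameter value (not a whole URL). */
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Assemble the page at the last moment, choosing the encoder per context.
$html = sprintf(
    "<p>%s</p>\n<input value=\"%s\">\n<script>var data = %s;</script>\n<a href=\"/search?q=%s\">search</a>\n",
    encodeHtml($untrusted),
    encodeHtml($untrusted),
    encodeJs(['name' => $untrusted]),
    encodeUrlParam($untrusted)
);
echo $html;

// For comparison: the unsafe form behind the "JSON </script> injection".
echo "unsafe: <script>var data = ", json_encode(['name' => $untrusted]), ";</script>\n";
```

The same string is safe in a text node and in a quoted attribute with one encoder, but neither encoder is usable inside a script block or a URL; storing a pre-encoded value would have committed to one context too early.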
Defense: Validate ASAP
• Does it have a datatype?
• Can it be of infinite length?
– Does your storage impose size limits?
• Can it be any arbitrary byte?
– Should it conform to a pattern?
– Should it match a known value in the data storage?
– Should it be UTF-8? Printable?
http://phpsecurity.readthedocs.io/en/latest/Input-Validation.html
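Walking that checklist for a single field, a user's display name, gives a validator like the one below. It is an added example, not code from the talk or from the linked guide; the field name, the length limit, the country-code list standing in for a database lookup, and the sample inputs are all constructed. Assumes the mbstring extension.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): validate one field at the point it
// enters the application, following the checklist: datatype, length,
// bytes/encoding, pattern, known value. Inputs are CONSTRUCTED.

final class ValidationError extends InvalidArgumentException {}

/**
 * Return the display name unchanged when acceptable, throw otherwise.
 *  - datatype: must arrive as a string (?name[]=x arrives as an array)
 *  - length:   1..$maxLength characters, matching the storage column
 *  - bytes:    valid UTF-8 and printable (no control characters)
 *  - pattern:  letters, digits, space, and a little punctuation
 */
function validateDisplayName($value, int $maxLength = 64): string
{
    if (!is_string($value)) {
        throw new ValidationError('display name must be a string');
    }
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new ValidationError('display name is not valid UTF-8');
    }
    $length = mb_strlen($value, 'UTF-8');
    if ($length < 1 || $length > $maxLength) {
        throw new ValidationError("display name must be 1-$maxLength characters");
    }
    // \p{C} = control, format, surrogate, private-use and unassigned code points.
    if (preg_match('/\p{C}/u', $value) === 1) {
        throw new ValidationError('display name contains non-printable characters');
    }
    if (preg_match('/\A[\p{L}\p{N} .\'-]+\z/u', $value) !== 1) {
        throw new ValidationError('display name contains disallowed characters');
    }
    return $value;
}

/**
 * A value that must match a known record: validate by lookup, not pattern.
 * $knownCodes is a constructed stand-in for SELECT code FROM countries.
 */
function validateCountryCode($value, array $knownCodes): string
{
    if (!is_string($value) || !in_array($value, $knownCodes, true)) {
        throw new ValidationError('unknown country code');
    }
    return $value;
}

$samples = [
    'Ada Lovelace',
    "Ada\x00Lovelace",     // embedded NUL byte
    ['Ada'],               // what ?name[]=Ada arrives as
    str_repeat('a', 65),   // one character over the column size
    "\xff\xfeAda",         // not UTF-8
    'Ada <script>',        // outside the allowed pattern
];
foreach ($samples as $sample) {
    try {
        printf("accepted: %s\n", validateDisplayName($sample));
    } catch (ValidationError $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}

$knownCodes = ['NL', 'DE', 'US'];
foreach (['NL', 'XX'] as $code) {
    try {
        printf("accepted: %s\n", validateCountryCode($code, $knownCodes));
    } catch (ValidationError $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The order matters: checking the type first keeps mb_* functions from ever seeing an array, and checking the encoding before the length keeps mb_strlen from counting garbage bytes as characters. The pattern is an allow-list; the NUL and script-tag samples fail without any list of known-bad strings.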
• OWASP Top 10
• OWASP Application Security Verification Standard (ASVS)
• OWASP Testing Guide
• MITRE Common Weakness Enumeration
• github.com/PaulSec/awesome-sec-talks
• https://h1.sintheticlabs.com/bounties.html
Training
• Basics:
– Zend Certification
• Advanced:
– OWASP
– Security Vendor
Deprecated attacks
• NULL byte attacks
• JSON </script> injection
• XML External Entities
• preg_replace /e modifier (removed in PHP 7)
• Remote File Inclusion
• HTTP Header injection
Improved features
• random_bytes
• password_hash
• htmlentities defaults
• Blade / Twig
• PSR-7 (vs $_ globals)
• PDO Prepared Statements
If you know the pentester but not yourself, for every validation added you will also suffer a security bug.
― Sun Tzu
Non-functional requirements
• Accessibility
• Availability
• Backup
• Compliance
• Documentation
• Fun
• Maintainability
• Performance
• Platform compatibility
• Reporting
• Scalability
• Security
• Usability
wikipedia.org/wiki/Non-functional_requirement
Quick and dirty threat modelling
1. What are you building?
2. What can go wrong?
3. What should you do about that?
4. Did you analyse that correctly?
What are we building?
As a user I would like to reset my password if I have forgotten it.
What can go wrong? (STRIDE)
• Spoofing
• Tampering
• Repudiation
• Information leakage
• Denial of Service
• Elevation of Privilege
What should we do?
• … and did we analyse correctly?
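Applying the four questions to the password-reset story ends in concrete code. The following is an added example, not the talk's own solution: one reset flow whose design choices are annotated with the STRIDE category each one answers. It runs stand-alone against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension and PHP 7.0 or later for random_bytes); the schema, the user record and the "sent" e-mail are constructed. Rate limiting of reset requests (Denial of Service) is left to the web server or framework and is not shown.

```php
<?php
declare(strict_types=1);
// Added example (not from the talk): a password reset flow shaped by the
// STRIDE walk-through. In-memory SQLite so it runs stand-alone; schema,
// user and e-mail delivery are CONSTRUCTED for illustration.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$pdo->exec('CREATE TABLE password_resets (
    id INTEGER PRIMARY KEY, user_id INTEGER, token_hash TEXT UNIQUE,
    expires_at INTEGER, used INTEGER NOT NULL DEFAULT 0)');

// Constructed user. Bound parameters throughout: user input never becomes SQL text.
$pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)')
    ->execute([':email' => 'alice@example.com',
               ':hash'  => password_hash('old-secret', PASSWORD_DEFAULT)]);

/**
 * Step 1: the user submits an e-mail address.
 *  - Information leakage: the caller must send the same HTTP response whether
 *    or not the address exists; only the mailer sees the difference.
 *  - Spoofing: the token is 32 bytes from the CSPRNG, not a guessable id.
 *  - Information leakage via a database dump: only SHA-256(token) is stored,
 *    so a leaked table does not yield usable reset links.
 * Returns the plaintext token for the mailer, or null when no such user.
 */
function requestReset(PDO $pdo, string $email, int $ttlSeconds = 900): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                   VALUES (:uid, :hash, :exp)')
        ->execute([':uid' => $userId, ':hash' => hash('sha256', $token),
                   ':exp' => time() + $ttlSeconds]);
    return $token;
}

/**
 * Step 2: the user follows the link with the token and a new password.
 *  - Elevation of privilege: lookup by token hash, unexpired, single-use,
 *    so a captured or replayed link cannot take over the account twice.
 *    Comparing hashes in the database also means the attacker cannot steer
 *    the compared bytes to probe the stored value byte by byte.
 *  - Repudiation: the reset row stays, marked used, as an audit record.
 *  - Tampering: consuming the token and changing the password are one transaction.
 */
function completeReset(PDO $pdo, string $token, string $newPassword): bool
{
    $stmt = $pdo->prepare('SELECT id, user_id FROM password_resets
                           WHERE token_hash = :hash AND used = 0 AND expires_at > :now');
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE id = :id')
        ->execute([':id' => $row['id']]);
    $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :uid')
        ->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
                   ':uid'  => $row['user_id']]);
    $pdo->commit();
    return true;
}

$token = requestReset($pdo, 'alice@example.com'); // goes into the e-mail, never into the response
requestReset($pdo, 'nobody@example.com');         // unknown address: identical response to the client

var_dump(completeReset($pdo, 'not-the-token', 'x'));  // wrong token
var_dump(completeReset($pdo, $token, 'new-secret'));  // genuine token, first use
var_dump(completeReset($pdo, $token, 'again'));       // same token again: single-use
```

Answering "did we analyse correctly?" is a matter of reading each STRIDE line against the code: the one threat this example knowingly leaves open is Denial of Service by flooding reset requests, which belongs in front of the application rather than inside it.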
Trust, but verify (Доверяй, но проверяй)
• Embedding security:
– Code Review
– Functional Testing
– Unit testing
– Security Testing (OWASP ASVS)
• Security tooling:
– Static Application Security Testing (SAST)
– Dynamic Application Security Testing (DAST)
– Fuzzing
– Manual Penetration Testing
Operations
• Password hygiene:
– Password Manager
– 2 Factor Authentication
– Have I Been Pwned?
• PhishMe
• Encrypted storage
• Testing system recoveries
• Firewall
Thank You
joind.in/talk/f8142
veracode.com/demo
Images
• Brain by Nicholas Herdeman, https://www.flickr.com/photos/95943853@N00/17584291945/
• CCTV by Peter Hellberg, https://www.flickr.com/photos/peterhellberg/5119089864
• Doug McIlroy by Faces of Open Source, http://facesofopensource.com/doug-mcilroy/
• 125/365 Dolls in the Rain by Joe Lodge, https://www.flickr.com/photos/joe57spike/5690570945