matthew hughes. who am i? pen tester coder blogger all around nice guy
TRANSCRIPT
![Page 1: Matthew Hughes. Who am I? Pen tester Coder Blogger All around nice guy](https://reader030.vdocuments.mx/reader030/viewer/2022032706/56649de65503460f94adefeb/html5/thumbnails/1.jpg)
Security Testing for Web Developers
Matthew Hughes
Who am I?
Pen tester. Coder. Blogger. All around nice guy.
Who am I?
Ethical Hacking for Computer Security BSc, 2009 - 2011. Internship at Mad Security, 2010-2011. Internship at St Noble/MMV, 2011. Developer at CIC, 2011-2012. Unemployed “Entrepreneur”, current.
What is this all about then?
Most web applications are insecure. Secure coding is hard. Developers generally don’t know how to test their own sites. Insecure web applications are generally bad.
Why should you care?
Security breaches are very expensive. Security breaches make you look like a moron. It’s fairly easy to mitigate against them. Hacking is fun. Security consultants are fucking expensive.
What will this talk cover?
This talk is not exhaustive. It will only cover a fraction of the basics. It will discuss various kinds of attack you can expect your application to endure. It will give you an understanding of how to test for security vulnerabilities in your application.
What will this talk cover?
Detection: reflected XSS, stored XSS, XSRF, SQLi.
Mitigation.
Vulnerability disclosure.
What will this talk cover?
This talk is an introduction. It won’t cover everything. Web application security is a HUGE domain.
A bit of history…
1995 – Most websites tended to be static pages coded in pure HTML.
1999 – Perl and PHP gain popularity, and their relative ease of use allows beginners to make web apps.
And it sorta goes downhill from there…
So, what happened next?
Nobody really understood the risks involved with dynamic websites. More and more companies began to rely on web apps. More and more companies experienced security breaches… Which for the most part has been fun to watch…
Notable examples: Sony PSN hack
77 million pieces of personal information were leaked via SQLi. Biggest leak in history. Outage lasted for 24 days. Total costs were $171 million USD.
Notable examples: TJX hack
45 million pieces of credit card information were leaked. Attacker used SQLi and sniffed traffic. Breach cost $200 million.
Notable examples: Samy worm
Samy Kamkar used an XSS vulnerability in MySpace to get anyone who viewed his profile to friend request him, and add “and most of all, Samy is my hero” and the exploit code to their profiles. Within 20 hours, over 1,000,000 users had their pages compromised.
What conclusions can we draw?
Security breaches can happen to large corporations with huge amounts of resources. Security breaches are expensive. Really expensive. They can also be pretty funny.
Cross Site Scripting (XSS)
XSS happens when an input isn’t correctly sanitized and is either reflected in the page (reflected XSS) or stored within the application and rendered for each subsequent user (stored XSS). Whilst XSS attacks may seem harmless, they can be the precursor to social engineering attacks and XSRF attacks, and can be used to steal cookies.
Cross Site Scripting (XSS)
<script>alert('xss')</script>
Some sites, in order to mitigate against XSS attacks, forbid the usage of ‘alert’… This doesn’t really mitigate against XSS. Just use ‘prompt’, as we will see in the next slide…
Input that lands inside a tag’s attribute value can be broken out of by crafting your attack string with "> at the front:
"><script>alert('xss');</script>
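The two slides above make one defensive point: a blocklist on the word ‘alert’ is not a mitigation, while encoding output for its HTML context is. The following is an added example (not code from the talk) that puts a hypothetical blocklist renderer next to a renderer that uses Python’s html.escape, runs the slide’s payloads through both, and also shows the kind of automated check the talk mentions later: reflecting a harmless canary string and looking for characters that came back unencoded. The renderer functions, the canary and the `prompt` variant of the attribute-breakout payload are assumptions made for the example.

```python
import html
import re

# Constructed payloads, matching the strings on the slides (prompt variant added).
PAYLOAD_ALERT = "<script>alert('xss')</script>"
PAYLOAD_PROMPT = "<script>prompt('xss')</script>"
PAYLOAD_ATTR_BREAKOUT = "\"><script>prompt('xss');</script>"
PAYLOADS = [PAYLOAD_ALERT, PAYLOAD_PROMPT, PAYLOAD_ATTR_BREAKOUT]

# Harmless canary (constructed) carrying the characters that must never reach
# an attribute value unencoded: quotes and angle brackets.
CANARY = "qz\"<>'qz"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_naive(name: str) -> str:
    """Hypothetical weak mitigation from the slide: drop the input if it
    mentions 'alert', then reflect it raw inside an attribute value."""
    if "alert" in name.lower():
        name = ""
    return f'<input type="text" value="{name}">'


def render_escaped(name: str) -> str:
    """Proper mitigation for this context: HTML-encode the value.
    quote=True also encodes both quote characters, so a leading ">
    cannot terminate the attribute and start a new tag."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def reflects_script(page: str) -> bool:
    """Does the rendered page contain a live <script> tag?"""
    return SCRIPT_TAG.search(page) is not None


def canary_survives(render) -> bool:
    """Automated check: reflect the canary through a renderer and report whether
    any dangerous character came back unencoded. True means vulnerable."""
    page = render(CANARY)
    if page.count("qz") < 2:          # canary was dropped, nothing reflected
        return False
    start = page.index("qz")
    reflected = page[start:page.index("qz", start + 2) + 2]
    return any(ch in reflected for ch in '<>"\'')


def check_renderer(render) -> dict:
    """Map each payload to whether the rendered page contains a script tag."""
    return {p: reflects_script(render(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for label, render in [("naive blocklist", render_naive), ("html.escape", render_escaped)]:
        print(label, "- canary unencoded:", canary_survives(render))
        for payload, executes in check_renderer(render).items():
            print("   ", "VULNERABLE" if executes else "safe      ", payload)
```

The blocklist stops the exact string on the slide and nothing else; the encoded version never emits a `<` or `"` from user data, so the context cannot be escaped regardless of which function name the payload uses.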
Cross Site Scripting (XSS)
(Slides 17 and 18 are image-only slides; no text was transcribed.)
SQL Injection
Generally, most dynamic websites contain a data store. These are generally interacted with using SQL. SQL is standardized, meaning that the attack syntax generally works on all DBMSs. ORM and NoSQL databases are vulnerable to injection attacks, just not SQL attacks.
SQL Injection
Consider the following SQL query:
Select * from users where username = @param;
What would happen if we were to put in the following parameter?
dave' or '1' = 1
Since one does equal one, it will return all values. With union queries, one can add data into other tables, creating the potential to create new accounts.
SQL Injection
SQL Injection can also be used to bypass authentication. Consider the following SQL query:
Select * from users where username = @params and password = @params
What would happen if you were to pass it the following?
Admin' --
You can now authenticate against any account without knowing the password…
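Both SQL injection slides come down to the same defect: the parameter is pasted into the query text instead of being bound. The following is an added example (not from the talk) using an in-memory SQLite database with constructed sample users; it runs the two slide payloads against a string-built query and against a parameterised one, so you can see the injected row set and the authentication bypass on one side and the empty result on the other. Because SQLite compares the literal `'1' = 1` as text against integer (false), the first payload is written with `'1' = '1'`, which is what MySQL’s coercion makes of the slide’s version; the table layout and users are assumptions.

```python
import sqlite3

# Constructed sample users; an in-memory SQLite table stands in for the site's data store.
SAMPLE_USERS = [("admin", "s3cret"), ("dave", "hunter2"), ("erin", "letmein")]

# Payloads from the slides (quoting adjusted for SQLite, see lead-in).
PAYLOAD_ALL_ROWS = "dave' or '1' = '1"
PAYLOAD_AUTH_BYPASS = "admin' --"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """String-built query: the parameter becomes part of the SQL itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    """Parameterised query: the driver binds the value, it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The slide's login query built by concatenation; '--' comments out the
    password clause, so the password is never checked."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Same query with bound parameters: the whole payload is just a username
    that does not exist."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable lookup:", find_user_vulnerable(conn, PAYLOAD_ALL_ROWS))
    print("safe lookup:     ", find_user_safe(conn, PAYLOAD_ALL_ROWS))
    print("vulnerable login:", login_vulnerable(conn, PAYLOAD_AUTH_BYPASS, "wrong"))
    print("safe login:      ", login_safe(conn, PAYLOAD_AUTH_BYPASS, "wrong"))
```

The fix is not a cleverer quoting routine but the `?` placeholders: every mainstream driver offers them, and they remove the class of bug rather than one payload.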
Cross Site Request Forgery (XSRF)
Consider the following URL:
http://bankofliverpool.com/transfer?acount=purpleaki&amount=9001&for=JenniferEllison
If the user is authenticated and the site is vulnerable to XSRF, then Jennifer Ellison is about to get over nine thousand pounds from Purple Aki.
“But surely this is just a browser/local user issue?”
Cross Site Request Forgery (XSRF)
Well, yes and no… The user has to be authenticated on their local machine and have a valid cookie. But… consider the following code:
<img src="http://bankofliverpool.com/transfer?acount=purpleaki&amount=9001&for=JenniferEllison">
Now, this isn’t a valid image… But the browser will still call that URL.
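What makes the `<img>` trick work is that the browser attaches the victim’s cookie to the request while the page that embedded it cannot read anything tied to the session. The following is an added example (not from the talk) of a server-side transfer handler that models the slide’s scenario: in its vulnerable form any authenticated request moves the money; in its hardened form the action must be a POST and must carry a per-session token that only the bank’s own page can supply. The in-memory session store, the handler and the request helpers are assumptions; the URL is the one from the slide, `acount` spelling included.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The URL from the slide. The 'acount' spelling is the slide's own.
TRANSFER_URL = ("http://bankofliverpool.com/transfer"
                "?acount=purpleaki&amount=9001&for=JenniferEllison")

# Hypothetical in-memory session store: cookie session id -> session data.
SESSIONS: dict = {}


def new_session(user: str) -> str:
    """Log a user in: returns the session id that goes into the cookie and
    stores a random per-session CSRF token alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the bank embeds in its own transfer form as a hidden field."""
    return SESSIONS[sid]["csrf"]


def params_from_url(url: str) -> dict:
    """Flatten the query string the way the server sees it for a GET."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_transfer(method: str, cookie_sid: str, params: dict, hardened: bool = True) -> tuple:
    """Server-side /transfer handler.
    hardened=False reproduces the behaviour the slides describe: any
    authenticated request, however it was triggered, moves the money.
    hardened=True requires a POST carrying the session's CSRF token."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if hardened:
        if method != "POST":
            return 405, "state-changing action must be a POST"
        submitted = params.get("csrf_token", "")
        # constant-time comparison so the token check leaks no timing signal
        if not hmac.compare_digest(submitted, session["csrf"]):
            return 403, "missing or wrong CSRF token"
    return 200, f"moved {params['amount']} from {session['user']} to {params['for']}"


def forged_image_request(cookie_sid: str, hardened: bool) -> tuple:
    """The slide's <img>: the browser sends the victim's cookie with a GET,
    and the embedding page has no way to include the session's token."""
    return handle_transfer("GET", cookie_sid, params_from_url(TRANSFER_URL), hardened)


def legitimate_form_request(cookie_sid: str) -> tuple:
    """The bank's own form: POST plus the hidden token rendered into the page."""
    params = params_from_url(TRANSFER_URL)
    params["csrf_token"] = csrf_token_for(cookie_sid)
    return handle_transfer("POST", cookie_sid, params, hardened=True)


if __name__ == "__main__":
    sid = new_session("purpleaki")
    print("vulnerable site, forged <img>:", forged_image_request(sid, hardened=False))
    print("hardened site, forged <img>:  ", forged_image_request(sid, hardened=True))
    print("hardened site, real form:     ", legitimate_form_request(sid))
```

The cookie alone proves who the browser belongs to, not who composed the request; the token is the second factor that only a page served by the bank can know.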
Going on from here…
This is going to be the last I’m going to talk about when it comes to vulnerability discovery… It’s a huge field. The Web Application Hacker’s Handbook is a good place to start… DVWA is a great sandboxed environment where you can use offensive security testing techniques. A lot of testing can be automated and there are various Firefox/Chrome plugins which do a lot of the legwork.
Going on from here
OWASP is a group dedicated to web app security. They meet fairly often in these parts and entrance is free. Read the OWASP Top 10. Just do it.
Another valid point…
It’s generally frowned upon to test systems that don’t belong to you. Don’t do it, unless you have permission, or you like prison food.
Mitigation
A good offense is generally the best defence… Your best is often not good enough, especially against a really motivated hacker. Web application firewalls are a solid line of defence against many attacks. Trustwave’s ModSecurity is very, very good.
Mitigation
There’s no point reinforcing a door if you’re going to leave the windows open. Ensure that the underlying infrastructure is regularly patched, you have an IDS (Snort is free and very, very good) and you reduce the attack surface by turning off services you don’t need and running a firewall.
Responsible vulnerability disclosure…
We’re all geeks. We’re curious. I know some of you will discard the valid point I made earlier. Full disclosure is bad. Very bad. Responsible disclosure is good. Very good. Upsploit.com is a good resource for handling vulnerability disclosure.
Keep in touch?
Twitter.com/[email protected]/matthewjhughes
Matthewhughes.co.uk
Thank you! Any questions?