Top 5 Things a Security Researcher Looks for When Attacking an App
Robert Kugler
About me
● Ethical hacker
● Penetration tester
● Data Protection consultant
● Speaker + Human rights activist
EXPECTATION...
REALITY...
1. Injections
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Bonus
What is it?
How to look for it?
What’s the impact?
1. Injections
What is it?
● Insecurely crafted database queries or OS commands mishandling user input
How to look for it?
● Fuzz the application using automated scanners & manual analysis
● Check common vulnerable parameters e.g. $id, $username, $password
● Don’t forget cookie values or HTTP headers!
What’s the impact?
● Worst-case: Remote Code Execution
● Best-case: Data loss
2. Broken Authentication
What is it?
● Weak authentication and session management
How to look for it?
● Check for default credentials, 2FA, session fixation, session timeouts, bruteforce protections, JWT & OAuth weaknesses
● Look for predictable password reset / confirmation tokens, lifetime of tokens
What’s the impact?
● Worst-case: Data loss or privilege escalation
● Best-case: Targeted account takeover e.g. a 2FA bypass
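Added example, not from the slides: an in-memory password-reset token store that covers the token points above (unpredictable tokens, a bounded lifetime, single use, only a hash kept at rest). ResetTokenStore, TOKEN_LIFETIME_SECONDS and the 15-minute lifetime are assumptions made here, not any product's design; the weak_token function shows the predictable pattern the slide warns about, for contrast only.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes


class ResetTokenStore:
    """Issues and redeems password-reset tokens (illustrative in-memory store)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._pending: dict = {}  # user -> (sha256(token), expiry timestamp)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored: a leaked table does not hand out live tokens.
        self._pending[user] = (digest, self._clock() + TOKEN_LIFETIME_SECONDS)
        return token

    def redeem(self, user: str, presented: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        presented_digest = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(digest, presented_digest):
            return False  # wrong token; the real one stays pending
        del self._pending[user]  # single use, whether or not it is still valid
        return self._clock() <= expiry


def weak_token(user: str) -> str:
    # The anti-pattern: derived from public data and the clock, so anyone who
    # knows the username can narrow the candidates to a handful.
    return hashlib.md5(f"{user}:{int(time.time())}".encode()).hexdigest()


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print("first use:", store.redeem("alice", t))   # True
    print("second use:", store.redeem("alice", t))  # False
```

When reviewing an application, the same list is the checklist: where does the token come from, how long does it live, can it be used twice, and what does the database hold if it leaks.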
3. Sensitive Data Exposure
What is it?
● Sensitive data is leaked to third parties
How to look for it?
● Check for sensitive data transmitted over unencrypted channels or GET requests, vulnerable TLS ciphers, plain text password storage, leaks of tokens through the referrer, unencrypted backups
testssl.sh (command-line)
What’s the impact?
● Worst-case: Privilege escalation with stolen credentials
● Best-case: Targeted data loss e.g. losing confidentiality of communications
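Added example, not from the slides: a small audit that runs over constructed request records and flags three of the exposures listed above (sensitive data over an unencrypted channel, sensitive data in a GET query string, a token leaked to another host through the Referer header). The log format, the SENSITIVE_PARAMS list and the sample lines are all assumptions made up for the example; cipher checks stay with testssl.sh.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names that should never travel in a URL (constructed list).
SENSITIVE_PARAMS = {"password", "passwd", "token", "session", "api_key", "secret"}


def _query_params(url: str) -> set:
    return set(parse_qs(urlsplit(url).query, keep_blank_values=True))


def audit_request(line: str) -> list:
    """Finding codes for one constructed log line: '<METHOD> <url> [referer=<url>]'."""
    parts = line.split()
    method, url = parts[0].upper(), parts[1]
    referer = next((p[len("referer="):] for p in parts[2:] if p.startswith("referer=")), None)
    target = urlsplit(url)
    findings = []
    if target.scheme != "https":
        findings.append("cleartext-channel")  # readable by anyone on the path
    if method == "GET" and _query_params(url) & SENSITIVE_PARAMS:
        findings.append("sensitive-in-get")  # lands in server logs, history, proxies
    if referer:
        ref = urlsplit(referer)
        # A page whose own URL carries a token sends that URL in the Referer of
        # every request it makes to another host (scripts, images, analytics).
        if ref.hostname != target.hostname and _query_params(referer) & SENSITIVE_PARAMS:
            findings.append("referer-leak")
    return findings


# Constructed sample traffic, not captured from any real application.
SAMPLE_LOG = [
    "GET https://app.example/login?username=alice&password=hunter2",
    "POST http://app.example/api/login",
    "GET https://cdn.thirdparty.example/lib.js referer=https://app.example/reset?token=abc123",
    "POST https://app.example/api/login",
]


def audit_log(lines=SAMPLE_LOG) -> dict:
    return {line: audit_request(line) for line in lines}


if __name__ == "__main__":
    for line, findings in audit_log().items():
        print(findings or ["ok"], line)
```

The fixes are the mirror image of the findings: TLS everywhere, secrets in POST bodies or headers rather than the query string, and a Referrer-Policy header (no-referrer or strict-origin-when-cross-origin) on pages that must carry a token in their URL.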
4. XML External Entities
What is it?
● Vulnerable XML parser processes XML external entities and DTDs
How to look for it?
● Inject external entities in XML payloads and measure response times
● Switch the Content-Type to see if you can find deprecated XML parsers
What’s the impact?
● Worst-case: Remote Code Execution
● Best-case: Data loss
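Added example, not from the slides: the defender's side of the XXE slide. Python's stock xml.etree parser honours entity declarations in a DOCTYPE, which is the property an external-entity payload relies on; parse_untrusted adds a first pass with a bare expat parser whose handlers abort the moment a DOCTYPE or ENTITY declaration appears. The function names, UnsafeXML and the two sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    # Pre-parse with a bare expat parser: the handlers fire as soon as a
    # DOCTYPE or ENTITY declaration is seen, before anything is expanded.
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected")

    def on_entity(*decl):
        raise UnsafeXML(f"entity declaration {decl[0]!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client: no DTD, therefore no entities at all."""
    reject_dtd(data)
    return ET.fromstring(data)


def parse_default(data: bytes) -> ET.Element:
    # For contrast: the stock parser, which expands declared internal entities.
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False


# Constructed sample documents.
PLAIN = b"<order><id>42</id></order>"
WITH_DTD = b'<!DOCTYPE order [<!ENTITY greet "hello">]><order><id>&greet;</id></order>'

if __name__ == "__main__":
    print(parse_default(WITH_DTD).findtext("id"))  # hello: the entity was expanded
    print(is_rejected(WITH_DTD))                   # True: hardened path refuses it
    print(parse_untrusted(PLAIN).findtext("id"))   # 42
```

Refusing the DTD outright is the simplest policy and the one most applications can live with; if a real DTD is needed, use a parser that disables external entity resolution explicitly (the defusedxml package wraps the standard-library parsers this way).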
5. Broken Access Control
What is it?
● Unauthorized users are able to access sensitive data, mainly an API issue.
How to look for it?
● Check for CORS misconfigurations, insecure direct object references (IDORs), privilege escalation through different roles inside the application
What’s the impact?
● Worst-case: Data loss
● Best-case: Privilege escalation or account takeover
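Added example, not from the slides: the two access-control mistakes named above in their weak and corrected forms. A CORS response that reflects any Origin together with credentials sits next to an allowlist version, and an insecure direct object reference (the id alone selects the record) sits next to a per-object ownership and role check. ALLOWED_ORIGINS, the Invoice records and the "support" role are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of first-party origins (constructed).
ALLOWED_ORIGINS = {"https://app.example", "https://admin.app.example"}


def cors_headers(origin: Optional[str]) -> dict:
    """Allowlist check: credentials are only ever paired with a known origin."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not serve one origin's answer to another
        }
    return {}  # no ACAO header: the browser refuses the cross-origin read


def cors_headers_reflecting(origin: Optional[str]) -> dict:
    # The misconfiguration: whatever Origin arrives is echoed back with
    # credentials, so any site can read authenticated responses from a visitor.
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: float


# Constructed records.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 80.5),
}


def get_invoice_idor(user: str, invoice_id: int) -> Optional[Invoice]:
    # Insecure direct object reference: the id alone selects the record, so any
    # authenticated user reads any invoice by changing the number.
    return INVOICES.get(invoice_id)


def get_invoice(user: str, roles: set, invoice_id: int) -> Optional[Invoice]:
    # Authorisation is decided per object, not only per endpoint: the caller must
    # own the record or hold a role explicitly allowed to see all of them.
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    if inv.owner == user or "support" in roles:
        return inv
    return None  # same answer as "not found": don't confirm the record exists


if __name__ == "__main__":
    print(cors_headers("https://evil.example"))       # {}
    print(get_invoice("bob", set(), 1001))             # None
    print(get_invoice("alice", set(), 1001).total)     # 120.0
```

When testing with two accounts in different roles, the per-object check is what you are probing: the request is identical, only the session differs, and the answer must differ with it.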
Bonus: Server-Side Request Forgery
What is it?
● An attacker is able to send a crafted request from a vulnerable web application
How to look for it?
● Check common vulnerable endpoints e.g. webhooks, embed videos or pictures
● Make requests to localhost, 127.0.0.1 or use domains pointing to it
● Measure response times, if you don’t have access to the response data
What’s the impact?
● Worst-case: Remote Code Execution
● Best-case: Access to the internal company network
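Added example, not from the slides: a pre-fetch check for the kind of endpoint the slide lists (webhooks, embedded images or videos) that refuses the targets named above. It rejects non-HTTP schemes, then resolves the hostname and refuses anything that maps to a loopback, private, link-local or otherwise non-public address, which is what catches "domains pointing to" localhost. check_fetch_target, ALLOWED_SCHEMES and the sample URLs are constructed for this example.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp:// and friends


def resolve_all(host: str) -> list:
    """Every address the host currently resolves to (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # strip a possible IPv6 zone id such as '%eth0' before parsing
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def check_fetch_target(url: str) -> Optional[str]:
    """None when the server may fetch this URL, otherwise the reason it is refused.

    is_global is False for loopback, RFC 1918, link-local (including the
    169.254.169.254 cloud metadata address) and the reserved ranges, so one
    check covers the usual internal targets.
    """
    u = urlsplit(url)
    if u.scheme not in ALLOWED_SCHEMES:
        return f"scheme {u.scheme!r} not allowed"
    if not u.hostname:
        return "no host in URL"
    if u.username is not None or u.password is not None:
        return "userinfo in URL not allowed"  # 'http://trusted@host/' style confusion
    try:
        addrs = resolve_all(u.hostname)
    except socket.gaierror:
        return f"{u.hostname!r} does not resolve"
    for addr in addrs:
        if not addr.is_global:
            return f"{u.hostname!r} resolves to non-public address {addr}"
    return None


if __name__ == "__main__":
    for sample in ("file:///etc/passwd", "http://127.0.0.1/", "http://localhost/",
                   "http://169.254.169.254/", "https://8.8.8.8/"):
        print(check_fetch_target(sample) or "ok", "<-", sample)
```

Two caveats belong with this check. Resolve once and connect to the address you validated, otherwise a record that changes between the check and the fetch (DNS rebinding) slips through; and run the check again on every redirect, since the first URL being public says nothing about where a 302 points. An egress proxy with its own allowlist is the more robust deployment of the same rule.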
Summary
● Flaws trivial to exploit
● Data loss always involved
● Manual testing required