web application security - devfest + gday george town 2016
TRANSCRIPT
![Page 1: Web Application Security - DevFest + GDay George Town 2016](https://reader036.vdocuments.site/reader036/viewer/2022062522/5873dbd61a28abd72e8b4c25/html5/thumbnails/1.jpg)
Web Application Security
By Gareth Davies - Mindvalley CTO
Founder of www.darknet.org.uk
Founder of www.security-forums.com
slideshare.com/ShaolinTiger
So, Who am I?
• I work at Mindvalley – we're hiring! mindvalley.com/careers
• Ex penetration testing team lead (hacker for hire)
• Founder of prominent infosec blog Darknet.org.uk
Darknet – A Brief History
• Started in 1999 on EFnet (IRC) by me
• Original IRC co-founder from Penang
• Website launched in 2000
• Current format launched in 2006
• Top 5 Infosec Blog
• 40,000+ RSS Subscribers
• Nominated for multiple awards
Full History: http://www.darknet.org.uk/about/
Security-Forums.com – A Brief History
• Started in 2002 as the Darknet Forum
• Wanted to move away from Usenet
• Became the fastest growing infosec forum
• Referenced in Microsoft Newsletter
• Running phpBB
• Sold in 2004 to WindowSecurity.com
Visit: http://www.security-forums.com/
This Talk
• This talk covers:
• The principles of infosec
• The basic do’s and don’ts
• OWASP Top 10
Who has been hacked before? Who knows the subject well or has worked in infosec? Who is familiar with OWASP Top 10?
An Introduction To Infosec
What is Information Security?
• It is quite a vague phrase – but it can be defined.
[Diagram: the C / I / A triangle]
The CIA Triad
• The basic model for Information Security:
• Confidentiality (keeping the data secret)
• Integrity (keeping the data unchanged)
• Availability (keeping the data accessible)
Confidentiality
“Preventing the unauthorized disclosure of information”
• Yahoo Hack exposed 500 Million Accounts
• Can lead to legal issues
• Hacker only needs ‘read’ access
Integrity
“Guarding against improper information modification or destruction”
• Less frequent but more damaging
• Can remain undetected for long periods (APT)
• Hacker does need ‘write’ access
Availability
“Ensuring timely and reliable access to the information”
• DDoS attacks can be extremely damaging
• Very hard to prevent and protect against
• Hacker needs NO access
Web App Do’s & Don’ts
NEVER Trust User Input
• Validate type, length, format, range
• Use regex, JavaScript form validation + back-end checks
• Always whitelist, not blacklist
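The whitelist approach on this slide, as an added example that is not part of the talk: a validator for a constructed signup form where every field declares what is allowed (type, anchored format, length, range, or a fixed set of values) and anything else, including fields the form never asked for, is rejected. The field names and rules are assumptions for illustration.

```python
import re

# Added example, not from the talk: a whitelist validator for a constructed
# signup form. Each field declares what is allowed (type, format, length,
# range, or a fixed set of values); anything that is not explicitly allowed
# is rejected, so the check never has to enumerate "bad" input.
FIELD_RULES = {
    # \A and \Z anchor the whole string; "$" alone would accept a trailing newline.
    "username": {"type": str, "pattern": re.compile(r"\A[a-z0-9_]{3,20}\Z")},
    "age": {"type": int, "min": 13, "max": 120},
    "country": {"type": str, "choices": {"MY", "SG", "GB", "US"}},
}


def validate(form):
    """Return {field: error}; an empty dict means every field passed."""
    errors = {}
    for field, rule in FIELD_RULES.items():
        if field not in form:
            errors[field] = "missing"
            continue
        value = form[field]
        # Exact type check; bool is excluded because it is a subclass of int.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors[field] = "wrong type"
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors[field] = "bad format"  # the {3,20} quantifier enforces length
        elif "choices" in rule and value not in rule["choices"]:
            errors[field] = "not an allowed value"
        elif "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors[field] = "out of range"
    # Whitelist the keys as well as the values: unexpected fields are an error,
    # not something to silently pass through to the model layer.
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors[extra] = "unexpected field"
    return errors
```

Client-side JavaScript validation can mirror these rules for usability, but only this server-side check is authoritative.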
ALWAYS Protect Data in Transit
• Use HTTPS/TLS for EVERYTHING
• Use HSTS to enforce it
• Redirect all HTTP users to HTTPS
• Make sure your app to DB connections are encrypted
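The redirect and HSTS points from this slide, as an added example that is not from the talk: a WSGI middleware (the class name, `hello_app` and `call` helper are assumptions) that sends plain-HTTP requests to HTTPS at a configured canonical host and adds a `Strict-Transport-Security` header to every HTTPS response.

```python
# Added example, not from the talk: WSGI middleware that redirects plain HTTP to
# HTTPS and adds an HSTS header to every HTTPS response. The canonical hostname
# is configured, not copied from the Host header, so a forged Host cannot turn
# the redirect into an open redirect.
HSTS_VALUE = "max-age=31536000; includeSubDomains"

class ForceHTTPS:
    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        self.canonical_host = canonical_host
        # Honour X-Forwarded-Proto only behind a TLS-terminating proxy you
        # control; otherwise any client could claim to already be on HTTPS.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        scheme = environ.get("wsgi.url_scheme", "http")
        if self.trust_forwarded_proto:
            scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
        return scheme.lower() == "https"

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            target = environ.get("PATH_INFO") or "/"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            location = f"https://{self.canonical_host}{target}"
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return self.app(environ, start_with_hsts)

def hello_app(environ, start_response):
    """Constructed inner application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call(app, environ):
    """Invoke a WSGI app directly; returns (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

The header is only meaningful over HTTPS, which is why it is never attached to the redirect itself.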
ALWAYS Hash & Salt User Passwords
• Hash ALL stored user passwords
• Salt all hashes (globally unique for each user)
• Use bcrypt NOT md5 or SHA-1
• Use a validated library, don’t implement yourself
ALWAYS Authenticate Users Safely
• Use an existing, mature framework
• Consider SSO (login via Facebook/Twitter etc)
• Use 2FA for important access (admins/super-users)
• Re-authenticate for important actions (like Github/Gmail)
• Hide user existence (don’t show "ID doesn’t exist" error)
• Prevent brute forcing with CAPTCHA, rate-limiting etc
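One added example, not from the talk, covering both the password-storage slide and this one: salted, slow password hashing with a constant-time check, plus a login routine that returns the same error whether or not the username exists and locks an account after repeated failures. The talk recommends bcrypt; because that needs a third-party package, this example substitutes the standard library's PBKDF2-HMAC-SHA256 (the structure is the same). `LoginService`, its parameters and the user table are assumptions.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the talk. bcrypt needs a third-party package, so this
# uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in; the shape is the
# same: per-user random salt, deliberately slow hash, constant-time comparison.
ITERATIONS = 120_000

def hash_password(password):
    salt = os.urandom(16)  # fresh random salt per user, stored with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Checked for unknown usernames so that response time does not reveal whether
# an account exists (the error message is identical in both cases too).
_DUMMY_HASH = hash_password(os.urandom(16).hex())

class LoginService:
    GENERIC_ERROR = "Invalid username or password"
    LOCKED = "Too many attempts, try again later"

    def __init__(self, users, max_failures=5, lockout_seconds=300):
        self.users = users  # username -> stored hash string (constructed in tests)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}  # username -> (failure count, locked-until timestamp)

    def login(self, username, password, now=None):
        now = time.monotonic() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if count >= self.max_failures:
            if now < locked_until:
                return False, self.LOCKED  # per-account rate limit
            count = 0  # lockout expired, start counting again
        stored = self.users.get(username, _DUMMY_HASH)
        if verify_password(password, stored) and username in self.users:
            self.failures.pop(username, None)
            return True, "OK"
        self.failures[username] = (count + 1, now + self.lockout_seconds)
        return False, self.GENERIC_ERROR
```

In production the failure counter belongs in shared storage (a database or cache) rather than in process memory, and a CAPTCHA or per-IP limit can be layered on top.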
OWASP Top 10
A1- Injection
• NEVER trust user input!
• Keep untrusted data separate from the command or query the interpreter runs
• For SQL this means binding values in prepared statements
• Static analysis tools can scan for this
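The prepared-statement point, as an added example that is not from the talk: the same lookup against a constructed in-memory SQLite table, written once with the input pasted into the query text (the pattern to avoid) and once with the value bound to a placeholder. Table contents and function names are assumptions.

```python
import sqlite3

# Added example, not from the talk: the same lookup against a constructed
# in-memory SQLite table, once with user input pasted into the SQL text and
# once bound through a prepared statement placeholder.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def find_user_unsafe(db, name):
    # VULNERABLE (the pattern the slide warns against): the value becomes part
    # of the query text, so the database parses it as SQL. A name containing a
    # quote breaks the statement, and a crafted one changes what it returns.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_safe(db, name):
    # Prepared statement: the query text is fixed and the value is bound to the
    # "?" placeholder, so the input is only ever compared as a string.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

A static analysis rule that flags string concatenation or formatting into `execute()` catches the first form mechanically.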
A2- Broken Auth & Sessions
• NEVER store plain-text passwords ANYWHERE
• Don’t expose Session IDs
• Make sure sessions time-out
• Rotate Session IDs properly
• Don’t send passwords/sessions over unencrypted lines
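The session points on this slide, as an added example that is not from the talk: a server-side session store with random opaque IDs, an idle timeout, rotation of the ID at login, and a cookie string that keeps the ID off unencrypted connections and away from scripts. `SessionStore`, `login` and `session_cookie` are assumed names.

```python
import secrets
import time

# Added example, not from the talk: a server-side session store with random
# opaque IDs, an idle timeout, and ID rotation at login so that an ID handed
# out before authentication never identifies an authenticated session.
class SessionStore:
    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> {"data": {...}, "last_seen": t}

    def create(self, now=None):
        now = time.monotonic() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits, never sequential
        self._sessions[sid] = {"data": {}, "last_seen": now}
        return sid

    def get(self, sid, now=None):
        """Return the session data, or None if the ID is unknown or expired."""
        now = time.monotonic() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expired: drop it rather than revive it
            return None
        entry["last_seen"] = now
        return entry["data"]

    def rotate(self, sid):
        """Move a live session to a fresh ID; the old ID stops working at once."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = entry
        return new_sid

def login(store, sid, username, now=None):
    """Bind an authenticated user (credential check already done) to a rotated ID."""
    if store.get(sid, now) is None:
        sid = store.create(now)
    new_sid = store.rotate(sid)
    store.get(new_sid, now)["user"] = username
    return new_sid

def session_cookie(sid):
    """Set-Cookie value: HTTPS-only, not readable by scripts, not sent cross-site."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```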
A3- Cross-site Scripting (XSS)
• NEVER trust user input!
• These attacks focus on the browser as the interpreter
• Properly escape all untrusted data
• Whitelist server-side validation (second layer)
• There are specific auto-sanitization libraries (AntiSamy)
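Escaping untrusted data for the browser, as an added example that is not from the talk: a constructed comment rendered into three output contexts (HTML text, an attribute, and a JSON value inside a script block), each with the escaping that context needs, plus a scheme whitelist for the link. The helper names and markup are assumptions.

```python
import html
import json

# Added example, not from the talk: rendering a constructed user comment into
# three different output contexts. Each context needs its own escaping; a single
# "sanitize" pass at input time is not enough because the interpreter that
# matters is the browser, and it parses each context differently.
def attr(value):
    """Escape for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)

def text(value):
    """Escape for HTML text content (between tags)."""
    return html.escape(value, quote=False)

def safe_url(url):
    """Whitelist the scheme: escaping alone would not stop a javascript: link."""
    return url if url.lower().startswith(("http://", "https://")) else "#"

def js_literal(obj):
    """Embed data in a <script> block as JSON, with '</' broken so that a string
    containing '</script>' cannot close the script element early."""
    return json.dumps(obj).replace("</", "<\\/")

def render_comment(author, body, profile_url):
    return (
        f'<p class="comment"><a href="{attr(safe_url(profile_url))}">'
        f'{text(author)}</a>: {text(body)}</p>\n'
        f'<script>var lastComment = {js_literal({"author": author, "body": body})};</script>'
    )
```

A templating engine with context-aware auto-escaping does this for you; the point of spelling it out is to see why one generic "clean" step is not enough.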
A4- Insecure Object References
• NEVER trust user input! (seeing a pattern yet?)
• Don’t use easily guessable resource names
• Use per-session or indirect object references
• Check access authorization on every request
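Per-session indirect references together with a per-request authorization check, as an added example that is not from the talk: a constructed invoice table where clients only ever see random tokens minted inside their own session, and ownership is re-checked even when a token resolves. `ReferenceMap`, the session layout and the sample rows are assumptions.

```python
import secrets

# Added example, not from the talk: per-session indirect object references plus
# an authorization check on every request, over a constructed invoice table.
# The client only ever sees opaque tokens that are valid inside its own session.
INVOICES = {  # real_id -> record (constructed sample data)
    101: {"owner": "alice", "total": 250},
    102: {"owner": "bob", "total": 99},
    103: {"owner": "alice", "total": 40},
}

class ReferenceMap:
    def __init__(self):
        self._real_by_token = {}
        self._token_by_real = {}

    def token_for(self, real_id):
        """Return this session's token for real_id, minting one on first use."""
        if real_id not in self._token_by_real:
            token = secrets.token_urlsafe(12)
            self._token_by_real[real_id] = token
            self._real_by_token[token] = real_id
        return self._token_by_real[real_id]

    def resolve(self, token):
        return self._real_by_token.get(token)  # None for tokens from other sessions

def new_session(user):
    return {"user": user, "refs": ReferenceMap()}

def list_invoices(session):
    """Only the caller's own invoices are listed, and only as tokens."""
    user = session["user"]
    return [session["refs"].token_for(i) for i, inv in sorted(INVOICES.items())
            if inv["owner"] == user]

def get_invoice(session, token):
    """Resolve the token in this session, then re-check ownership anyway."""
    real_id = session["refs"].resolve(token)
    if real_id is None:
        return None
    inv = INVOICES.get(real_id)
    # Authorization on every request: never assume a resolvable reference is
    # an authorized one (e.g. ownership may have changed since listing).
    if inv is None or inv["owner"] != session["user"]:
        return None
    return inv
```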
A5- Security Misconfiguration
• Don’t trust default config EVER (Google MongoDB hacks)
• Always change default account credentials
• Learn about the tools you use and how to secure them
• Don’t expose detailed error messages/debug strings
• Don’t leave samples on the servers (like php_info.php)
THE END
For Stalkers
Twitter/Insta: @ShaolinTiger
Blog: www.shaolintiger.com
Infosec: www.darknet.org.uk
This presentation: www.slideshare.net/ShaolinTiger