Beating the Pentester

© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES1

PENTESTER

© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES2 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES.

Boy BaukemaSenior Application Security Consultant


Adrian H.Pentester


Adrian H.Enemy nr. 1


Agenda

• Introduction

• Bare fists

• Baseball bats (Lucille)

• Assorted items

• Conclusions



Known

Vulnerabilities






Attack: Known Vulnerabilities

Your application Other applications

Framework (Composer) Libraries

PHP Interpreter

Webserver (Apache, Nginx) Other services

Operating System


https://snyk.io/blog/owasp-top-10-breaches/

Top of the charts


Defense: Monitoring & patching

• Monitor security patches for third party software

• Be prepared to fix rapidly (DevOps)


Docker effect

Your application

Your Framework Your (Composer) Libraries

Your PHP Interpreter

Your Webserver (Apache,

Nginx)

Your other services

Operating System


Injection


I blame Doug Mclroy, and so should you

Write programs to handle text streams, because that is a universal interface.


Angular templates

Content

CSS

CSV

HTTP Header

HTML

JavaScript / JSON

URL

XML

…

CSV

Database (ORM)

File paths

HTTP

LDAP

Logs (syslog)

Memcached

Shell

Solr

…

Eval

Math

Sprintf

Regexp

…

APPLICATION


Little bit of template code, many contexts


PHP HTML JS URL


Attack: Breaking out into the URL


Attack: Breaking out into JavaScript


Attack: Breaking out into HTML


Defense: Separation of Concerns &Contextual encoding ALAP


Defense: Validate ASAP

• Does it have a datatype?

• Can it be of infinite length?

– Does your storage impose size limits?

• Can it be any arbitrary byte?

– Should it conform to a pattern?

– Should it match a known value in the data storage?

– Should it be UTF-8? Printable?

http://phpsecurity.readthedocs.io/en/latest/Input-Validation.html

http://phpsecurity.readthedocs.io/en/latest/Input-Validation.html


Validate HTML Script content


Defense: Immutable Value Object


So much more…


• OWASP Top 10

• OWASP Application Security Verification Standard (ASVS)

• OWASP Testing Guide

• MITRE Common Weakness Enumeration

• github.com/PaulSec/awesome-sec-talks

• https://h1.sintheticlabs.com/bounties.html

https://github.com/PaulSec/awesome-sec-talks

https://h1.sintheticlabs.com/bounties.html


Training

• Basics:

– Zend Certification

• Advanced:

– OWASP

– Security Vendor


• NULL byte attacks

• JSON </script> injection

• XML External Entities

• Preg_match /e

• Remote File Inclusion

• HTTP Header injection

Deprecated attacks


Improved features

• random_bytes

• password_hash

• htmlentities defaults

• Blade / Twig

• PSR-7 (vs $_ globals)

• PDO Prepared Statements

© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES33 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

If you know the pentesterbut not yourself, for every validation added you will also suffer a security bug.

― Sun Tzu


• Accessibility

• Availability

• Backup

• Compliance

• Documentation

• Fun

• Maintainability

Non-functional requirements

• Performance

• Platform compatibility

• Reporting

• Scalability

• Security

• Usability

wikipedia.org/wiki/Non-functional_requirement

https://en.wikipedia.org/wiki/Non-functional_requirement


Security Requirements


Security Grooming

• Security Champion


Quick and dirty threat modelling

1. What are you building?

2. What can go wrong?

3. What should you do about that?

4. Did you analyse that correctly?


As a user I would like to reset my password if I have forgotten it.

What are we building?


• Spoofing

• Tampering

• Repudiation

• Information leakage

• Denial of Service

• Elevation of Privilege

What can go wrong?


What should we do?

• … and did we analyse correctly?


Доверяй, но проверяй

• Embedding security:

– Code Review

– Functional Testing

– Unit testing

– Security Testing (OWASP ASVS)

• Security tooling:

– Static Application Security Testing (SAST)

– Dynamic Application Security Testing (DAST)

– Fuzzing

– Manual Penetration Testing



Operations

• Password hygiene:

– Password Manager

– 2 Factor Authentication

– Have I Been Pwned?

• PhishMe

• Encrypted storage

• Testing system recoveries

• Firewall


PENTESTER


PENTESTER


Thank Youjoind.in/talk/f8142

veracode.com/demo

https://joind.in/talk/f8142

https://veracode.com/demo


Images

• Brain by Nicholas Herdemanhttps://www.flickr.com/photos/95943853@N00/17584291945/

• CCTV by Peter Hellberghttps://www.flickr.com/photos/peterhellberg/5119089864

• Doug McIlroy by Faces of Open Source http://facesofopensource.com/doug-mcilroy/

• 125/365 Dolls in the Rain by Joe Lodge https://www.flickr.com/photos/joe57spike/5690570945

https://www.flickr.com/photos/95943853@N00/17584291945/

https://www.flickr.com/photos/peterhellberg/5119089864

http://facesofopensource.com/doug-mcilroy/

https://www.flickr.com/photos/joe57spike/5690570945

Beating the Pentester

Technology