Get the basics right!

Hello World 2017

by Renato Rodrigues

Renato Rodrigues  

     SiMpS0N

//pathonproject.com
 

Web Apps
Issues
Out of the Box
Out There

Web Applications

What IS it?

In computing, a web application  or web app  is a client–server software application  which the client (or user interface) runs in a web  browser.

https://en.wikipedia.org/wiki/Web_application

Concept

Modern Apps

Images from Google Images.

The Big Picture

Maybe we should know where they live!

We know that a modern Web App is a pile of technology.

How many stacks are being used?
The links between them?
Possible weaknesses? 

Can we understand:

Browsers

Images from Alrra Browser-Logos.

Issues

Cross-site scripting (XSS)

Cross-site Request Forgery (CSRF)

SQL Injection (SQLi)

Remote Code Execution (RCE)

XML External Entity (XXE)

Session Fixation

Dir Traversal

Insecure Direct Object References

Broken Authentication and Session Management

Server Side Request Forgery (SSRF)

Unvalidated Redirects and Forwards

Insecure Cryptographic Storage

Relative Path Overwrite (RPO)

...

OUT OF THE BOX

X-XSS-Protection

 Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

X-XSS-Protection 1; mode=block

Information from SecurityHeaders.io

X-Frame-Options

Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

X-Frame-Options SAMEORIGIN | DENY     

Information from SecurityHeaders.io

X-Content-Type-Options

Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".

X-Content-Type-Options nosniff

Information from SecurityHeaders.io

Content-Security-Policy

Is an "effective" measure to protect your site from several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Content-Security-Policy default-src 'self'; script-src 'self' ...

Information from SecurityHeaders.io

CSP Builder (Helper): https://report-uri.io/home/generate       

Strict-Transport-Security

Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Strict-Transport-Security max-age=31536000; includeSubdomains; preload        

Information from SecurityHeaders.io

Public-Key-Pins

Information from SecurityHeaders.io

Subresource Integrity

Mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.

<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7"
        crossorigin="anonymous"></script>

Information from W3C.

Cookies

Input Validation

More to come: Suborigins, Referrer Policy, Expect-CT ...

Out There

BUG BOUNTIES

//cobalt.io - //bugcrowd.com - //hackerone.com - //synack.com
Search for a Security Page

A bug bounty  program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities.

https://en.wikipedia.org/wiki/Bug_bounty_program

Report

Discovery Date: dd/MM/YY - HH:mm:ss
System/Domain: https://sub.website.com/
Vulnerability Type: XSS / RCE / CSRF / ...
Description: Detailed explanation of the vulnerability 
Impact: In the context of the vulnerable service/app.

Proof of Concept Data (PoC)
* Works in: Google Chrome, Firefox, IE, Safari, ...
* Attack Vector: How to trigger the vulnerability.
* Payload: What triggers the vulnerability. 
PoC Image/Video: Visual proof.
Mitigation: If we have an idea how to fix, we should suggest.
Notes: If pertinent.        

Always remember to be polite!