Introduction to Security

@rodasdev

Guillermo Rodas

Google Developer Expert in Web Technologies

Community Organizer and Online Teacher.

https://guillermorodas.com


You can Google me as well.

AGENDA

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure

OWASP

The Open Web Application Security Project®

Injection

Almost any source of data can be an injection vector:

  • Environment variables

  • Parameters

  • External and internal web services

Attack Vectors

An application is vulnerable to attack when:

  1. User-supplied data is not validated, filtered, or sanitized by the application.
  2. Hostile data is directly used or concatenated, in dynamic queries, commands, or stored procedures.

SQL Injection

SELECT *
FROM users
WHERE email = '$email'
AND password = md5('$password')

  • Persistent XSS
  • Reflected XSS
  • DOM-based XSS

Why context matters

Broken Authentication

Attackers have access to hundreds of millions of valid username and password combinations:

  1. Credential stuffing

  2. Default admin account lists

  3. Automated brute force

Attack Vectors

Session management attacks are well understood, particularly in relation to unexpired session tokens.


Is the Application Vulnerable?


  • Permits brute force or other automated attacks.
  • Permits default, weak, or well-known passwords.
  • Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”.
  • Uses plain text, encrypted, or weakly hashed passwords.
  • Does not properly invalidate session IDs: user sessions or authentication tokens are not invalidated during logout or after a period of inactivity.

📖 Storytime

JWT

{ id: 1, user: "A"}

if (isValid(JWT)) {
  // identity is taken from the verified token's own claims
  userId = decode(JWT).payload.id
}


HTTP/1.1 200 OK

id=A

jwt=eyJhbGciO...


HTTP/1.1 200 OK

id=B

jwt=eyJhbGciO...

B

😩

if (isValid(JWT)) {
  // the token is only checked for validity; the id is read from the request instead
  userId = params.id
}

Sensitive Data Exposure

Attack Vectors

Rather than directly attacking crypto, attackers:

  1. Steal keys
  2. Execute man-in-the-middle attacks
  3. Steal clear text data off the server

Is the Application Vulnerable?

The first thing is to determine the protection needs of data in transit and at rest.


For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection.

  • Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP.
  • Are any old or weak cryptographic algorithms used either by default or in older code?
  • Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing?

📖 Storytime

What is EXIF Data?

Exchangeable Image File Format (EXIF) is a standard that defines specific information related to an image or other media captured by a digital camera. It is capable of storing such important data as camera exposure, date/time the image was captured, and even GPS location.

When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number

The Most Expensive Lesson Of My Life: Details of SIM port hack

Bonus 🎈

Questions?

Introduction to Security in the Web

By Guillermo Rodas
