Build. Break. Learn.

Riddhi Shree

A beginner with 10+ years of Software Industry experience

I Take Pride In

Work I've done in my free time!

Enjoyed giving talks, workshops, training, tool demo at conferences

  • Hack-In-The-Box (HITB), Abu Dhabi
  • Nullcon, Goa
  • c0c0n, Kochi
  • BSides, Delhi
  • ISC2, Bangalore

I Believe In

Dreaming big. Breaking rules. Creating awareness.

What are we here for?

  1. Injection Attacks
  2. Cross-Site Scripting (XSS)
  3. XML External Entities (XXE)
  4. Broken Authentication & Authorization
  5. Insecure Deserialization
  6. Sensitive Data Exposure
  7. Security Misconfigurations

Let's get started.

Injection Attacks

  1. 1st Order SQL Injection
  2. 2nd Order SQL Injection
  3. OS Command Injection
  4. Template Injection
  5. CRLF Injection

Why does it work?

SQL Injection

OS Command Injection

Template Injection

CRLF Injection

How to Protect?

  • Proper usage of parameterised queries
  • Server-side input validation
  • Proper error handling

Cross Site Scripting (XSS)

  1. Reflected XSS
  2. Stored XSS
  3. DOM-based XSS

Reflected XSS

Stored XSS

DOM Based XSS

How to protect?

  • Contextual output encoding

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

XML External Entities (XXE)

  1. File Inclusion

  2. Server-Side Request Forgery (SSRF)

  3. Data Exfiltration

  4. Remote Code Execution (RCE)

Broken Authn and Authz

  1. JWT Validation Bypass

  2. OAuth 2.0 Security Misconfigurations

  3. Session Fixation via HTTP Header Injection

  4. Cross-Site Request Forgery (CSRF)

  5. Insecure Direct Object Reference (IDOR)

  6. Parameter Tampering

JWT Validation Bypass

  • Brute-force JWT Secret
  • The None Algorithm
  • RS256 to HS256

https://jwt.io/
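
On the defensive side of the three bypasses listed above, here is an added example (not part of the original slides) of an HS256 verifier that ignores the token's own "alg" claim in favour of a server-side pin and refuses short secrets. The names PINNED_ALG, MIN_SECRET_BYTES, make_token and verify_token are hypothetical, and the secret is a constructed sample value.

```python
import base64, hashlib, hmac, json

PINNED_ALG = "HS256"     # chosen by the server, never taken from the token header
MIN_SECRET_BYTES = 32    # short or guessable secrets are what offline brute force recovers
SAMPLE_SECRET = b"constructed-sample-secret-0123456789abcdef"  # constructed for this example

class InvalidToken(Exception):
    pass

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, claims, secret):
    """Build a sample token; the signature is left empty when alg is 'none'."""
    head = b64url_encode(json.dumps(header).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b""
    if str(header.get("alg", "")).lower() != "none":
        sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_token(token, secret):
    """Return the claims, or raise InvalidToken with the reason for rejection."""
    if len(secret) < MIN_SECRET_BYTES:
        raise InvalidToken("secret too short")
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise InvalidToken("malformed token") from exc
    # Exact match against the pin rejects "none" in any casing. The same rule,
    # pinned to RS256 on a service that verifies with RSA keys, is what stops a
    # token re-labelled HS256 from being checked with the public key as an HMAC secret.
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise InvalidToken("bad signature")
    if not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    return claims
```
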

OAUTH 2.0 Authorization

  • https://tools.ietf.org/html/rfc6749

Typical Client-Server Model

  • Client authentication involves resource owner's credentials, i.e., resource owner's credentials are shared with third-party clients

OAUTH 2.0 Security Considerations

  • Unauthenticated Clients
  • Client Impersonation
  • Insecure Transmission of Access/Refresh Tokens
  • Access/Refresh Token Expiry
  • Open Redirection
  • Failure to Detect Authorization Code Compromise
  • Access Token's (Broad) Scope
  • Sensitive Plaintext Information in "state" and "scope"
  • Missing CSRF protection for redirection URI (via "state" parameter)
  • Injection via "state" and "redirect_uri" parameters

Session Fixation via HTTP Header Injection

  • https://unsecured.nwebsec.com/SessionFixationAttacker

Cross-Site Request Forgery (CSRF)

Insecure Direct Object Reference (IDOR)

Parameter Tampering

  • We have been doing this all along, through all our demos.

Insecure Deserialization

Of Untrusted User Input

Sensitive Data Exposure

  1. Missing/Broken Cryptography

  2. Hardcoded Secrets in JavaScript Files

  3. Verbose Error Messages

  4. Verbose Server Responses

Insufficient Cryptography

  • Poor key management
  • Use of custom encryption protocols
  • Use of insecure algorithms

Security Misconfigurations

  1. Missing Security Headers

  2. Missing Rate Limiting

  3. Weak Password Policy

  4. Use of Default Credentials

  5. Missing Server Side Validations

  6. Permission Issue

Enable HTTP Strict Transport Security (HSTS) Policy

  • Prevent Cookie Hijacking
  • Prevent SSL/TLS downgrade attacks

Content Security Policy (CSP)

Prevent Click-jacking

Amazon Cognito Misconfiguration

  • https://slides.com/riddhishreechaurasia/null-bangalore-vyapi#/4/9
  • https://github.com/riddhi-shree/knowledge-sharing/blob/master/Mobile/Android/amazon_cognito_authz_issue/README.md

Test Your Skills

  • docker run --rm -p 3000:3000 bkimminich/juice-shop

Further Reading