Get the basics right!
Hello World 2017
by Renato Rodrigues
Out of the Box
What IS it?
In computing, a web application or web app is a client–server software application which the client (or user interface) runs in a web browser.
Images from Google Images.
The Big Picture
Maybe we should know where they live!
We know that a modern Web App is a pile of technology.
stacks are being used?
The links between them?
Can we understand:
Images from Alrra Browser-Logos.
Cross-site scripting (XSS)
Cross-site Request Forgery (CSRF)
SQL Injection (SQLi)
Remote Code Execution (RCE)
XML External Entity (XXE)
Insecure Direct Object References
Broken Authentication and Session Management
Server Side Request Forgery (SSRF)
Unvalidated Redirects and Forwards
Insecure Cryptographic Storage
Relative Path Overwrite (RPO)
OUT OF THE BOX
Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".
X-XSS-Protection 1; mode=block
Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
X-Frame-Options SAMEORIGIN | DENY
Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".
Is an "effective" measure to protect your site from several attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Content-Security-Policy default-src 'self'; script-src 'self' ...
CSP Builder (Helper): https://report-uri.io/home/generate
Is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Strict-Transport-Security max-age=31536000; includeSubdomains; preload
Protects your site from MiTM attacks using rogue X.509 certificates.
By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."
Mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
<script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7" crossorigin="anonymous"></script>
Information from W3C.
Session, Secure, HTTPOnly and SameSite
Client and Server Side Always!
More to come: Suborigins, Referrer Policy, Expect-CT ...
Not out of box but...
//cobalt.io - //bugcrowd.com - //hackerone.com - //synack.com
Search for a Security Page
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities.
Discovery Date: dd/MM/YY - HH:mm:ss System/Domain: https://sub.website.com/ Vulnerability Type: XSS / RCE / CSRF / ... Description: Detailed explanation of the vulnerability Impact: In the context of the vulnerable service/app. Proof of Concept Data (PoC) * Works in: Google Chrome, Firefox, IE, Safari, ... * Attack Vector: How to trigger the vulnerability. * Payload: What triggers the vulnerability. PoC Image/Video: Visual proof. Mitigation: If we have an idea how to fix, we should suggest. Notes: If pertinent.
Always remember to be polite!
Get the Basics Right!
By Renato Rodrigues