Web Security Foundations!

IV Conference on Cybersecurity and Cybercrime

by Renato Rodrigues

Renato Rodrigues  

     SiMpS0N

//pathonproject.com
 

Web Apps
Issues
Out of the Box
Out There

Web Applications

What IS it?

In computing, a web application or web app is a client-server software application in which the client (or user interface) runs in a web browser.

https://en.wikipedia.org/wiki/Web_application

Concept

Modern Apps

Images from Google Images.

The Big Picture

Maybe we should know where they live!

We know that a modern Web App is a pile of technology.

Can we understand:

How many stacks are being used?
The links between them?
The possible weaknesses?

Browsers

Images from Alrra Browser-Logos.

Issues

Cross-site scripting (XSS)

Cross-site Request Forgery (CSRF)

No/SQL Injection (No/SQLi)

Remote Code Execution (RCE)

XML External Entity (XXE)

Session Fixation

Dir Traversal

Insecure Direct Object References

Broken Authentication and Session Management

Server Side Request Forgery (SSRF)

Unvalidated Redirects and Forwards

Insecure Cryptographic Storage

Relative Path Overwrite (RPO)

...

OUT OF THE BOX

HTTP Headers

In Short

HTTP message headers are used to precisely describe the resource being fetched or the behavior of the server or the client. Custom proprietary headers were traditionally given an 'X-' prefix (RFC 6648 has since deprecated that convention, although the X- headers below are still recognised by browsers); standard headers are listed in an IANA registry, whose original content was defined in RFC 4229.

HTTP headers are a core part of HTTP requests and responses: they carry information about the browser, the requested content, the server and much more, and a handful of them let the server switch on protections in the client.

X-XSS-Protection

Sets the configuration for the cross-site scripting filter built into older browsers. The configuration recommended at the time was "X-XSS-Protection: 1; mode=block", which tells the browser to block the page outright instead of trying to sanitise it.

X-XSS-Protection: 1; mode=block

Caveat: the filter this header controls has since been removed from Chrome and Edge, and Firefox never shipped one; it could also be abused to create cross-site information leaks. Current guidance is to rely on a Content-Security-Policy and either omit this header or send "X-XSS-Protection: 0".

Information from SecurityHeaders.io

X-Frame-Options

Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. DENY forbids all framing; SAMEORIGIN allows frames only from the same origin. The CSP directive frame-ancestors supersedes this header in modern browsers and also lets you allow specific third-party origins.

X-Frame-Options: SAMEORIGIN | DENY

Information from SecurityHeaders.io

X-Content-Type-Options

Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type. This helps to reduce the danger of MIME-confusion attacks, for example a user-uploaded file being sniffed as HTML or script, and of drive-by downloads. The only valid value for this header is "X-Content-Type-Options: nosniff".

X-Content-Type-Options: nosniff

Information from SecurityHeaders.io

Content-Security-Policy

An effective measure to protect your site from several attacks, most notably XSS. By declaring which sources of content are approved, you prevent the browser from loading or executing assets (scripts, styles, frames, images ...) from anywhere else. A policy is only as strong as its weakest source list: 'unsafe-inline' or a wildcard in script-src largely defeats it, so start from a restrictive default-src and add sources per directive.

Content-Security-Policy: default-src 'self'; script-src 'self' ...
        

Information from SecurityHeaders.io

CSP Builder (Helper): https://report-uri.io/home/generate     

Strict-Transport-Security

An excellent feature to support on your site: it strengthens your TLS deployment by getting the User Agent to enforce the use of HTTPS for the given max-age (here one year), so a later plain-http:// link or typed address is upgraded before any request leaves the browser. includeSubDomains extends that to every subdomain, and preload signals that the site may be added to the browsers' built-in HSTS list (which requires a submission at hstspreload.org and is hard to undo), so enable these only once every host is ready to serve HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Information from SecurityHeaders.io

Public-Key-Pins

Protects your site from MiTM attacks using rogue X.509 certificates.

By whitelisting only the public keys the browser should trust, your users are protected in the event a certificate authority is compromised. RFC 7469 requires at least two pins, one of them a backup key held offline, because a lost key with a live pin locks every returning visitor out for the duration of max-age (the 600 seconds below is a cautious test value).

Public-Key-Pins: pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."

Caveat: HPKP has since been removed from all major browsers because of that self-inflicted denial-of-service risk; Certificate Transparency and CAA records are the usual replacements.

Information from SecurityHeaders.io
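The headers above are easiest to reason about with something that checks them. The following is an added example, not code from the slides or from SecurityHeaders.io: a small Node.js audit that takes a response's header object (raw, or Node's already lower-cased http.IncomingMessage.headers) and reports what is in place, what is missing and what is actively harmful. The two sample responses at the bottom are constructed for the demo, not captured from any real site.

```javascript
// Added example (not from the original slides): audit a response's security
// headers against the recommendations in the talk. Sample responses are
// constructed for this demo.

const ONE_YEAR = 31536000;

// Lower-case header names so the audit accepts raw objects as well as Node's
// http.IncomingMessage.headers (already lower-cased; repeated headers are arrays).
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  return out;
}

function auditSecurityHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const result = { ok: [], missing: [], warnings: [] };

  // Strict-Transport-Security: one-year max-age and includeSubDomains.
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    result.missing.push('strict-transport-security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) result.warnings.push(`HSTS max-age ${maxAge} is below one year`);
    else result.ok.push('strict-transport-security');
    if (!/includeSubDomains/i.test(hsts)) result.warnings.push('HSTS lacks includeSubDomains');
  }

  // Framing: X-Frame-Options, or the CSP frame-ancestors directive that supersedes it.
  const csp = h['content-security-policy'] || '';
  const xfo = h['x-frame-options'];
  if (xfo && /^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) result.ok.push('x-frame-options');
  else if (/frame-ancestors/i.test(csp)) result.ok.push('content-security-policy frame-ancestors');
  else result.missing.push('x-frame-options');

  // X-Content-Type-Options: the only valid value is nosniff.
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.trim().toLowerCase() === 'nosniff') result.ok.push('x-content-type-options');
  else result.missing.push('x-content-type-options');

  // Content-Security-Policy: present, and the effective script source list
  // (script-src, falling back to default-src) must not be 'unsafe-inline' or '*'.
  if (!csp) {
    result.missing.push('content-security-policy');
  } else {
    const directives = Object.fromEntries(
      csp.split(';').map(d => d.trim()).filter(Boolean)
        .map(d => { const [name, ...src] = d.split(/\s+/); return [name.toLowerCase(), src]; })
    );
    const scriptSrc = directives['script-src'] || directives['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      result.warnings.push(`CSP script sources are too permissive: ${scriptSrc.join(' ')}`);
    } else {
      result.ok.push('content-security-policy');
    }
  }

  // X-XSS-Protection: the filter it controls is gone from Chrome and Edge and was
  // never in Firefox, so anything other than "0" buys nothing and can add risk.
  const xxss = h['x-xss-protection'];
  if (xxss && xxss.trim() !== '0') {
    result.warnings.push('x-xss-protection enables a filter modern browsers no longer ship; prefer "0" plus CSP');
  }

  // Public-Key-Pins: HPKP has been removed from browsers; flag it rather than reward it.
  if (h['public-key-pins']) {
    result.warnings.push('public-key-pins is obsolete (HPKP removed from browsers) and risks self-inflicted denial of service');
  }

  return result;
}

// Constructed sample responses (not captured from any real site).
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-XSS-Protection': '0',
};

const WEAK = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
};

console.log('hardened:', auditSecurityHeaders(HARDENED));
console.log('weak:', auditSecurityHeaders(WEAK));
```

To audit a live site, fetch it with Node's https module and pass res.headers to auditSecurityHeaders; the lower-casing step means the same function works for both inputs. Note that the audit treats CSP frame-ancestors as satisfying the framing check, which matches how current browsers prioritise it over X-Frame-Options.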

Subresource Integrity

Mechanism by which user agents may verify that a fetched resource (typically a script or stylesheet served from a CDN) has been delivered without unexpected manipulation: the integrity attribute carries a hash of the expected content and the browser refuses to execute anything that does not match. The crossorigin attribute is required for cross-origin resources so that the browser is allowed to read the bytes it has to hash.

<script src="https://example.com/example-framework.js"
        integrity="sha384-Li9vy3DqF8tnTXu...gNR/VqsVpcw+T...Jr7"
        crossorigin="anonymous"></script>

Information from W3C.

Cookies

Prefixes (__Secure- and __Host-), session cookies (no Expires/Max-Age, so they die with the browser session), Secure (sent only over HTTPS), HttpOnly (not readable from JavaScript, which blunts session theft via XSS) and SameSite (not sent on cross-site requests, which blunts CSRF).
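As an added example (not code from the slides), the following builds a session cookie with those attributes and checks a Set-Cookie header against the rules a browser enforces: the __Host- prefix requires Secure, Path=/ and no Domain attribute, __Secure- requires Secure, and SameSite=None is only accepted together with Secure. Cookie names and values are constructed for the demo.

```javascript
// Added example (not from the original slides): build and check Set-Cookie
// headers for a session cookie. Names and values are constructed.

// Build a Set-Cookie value. Leaving maxAge undefined yields a session cookie.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${value}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie value into its name/value pair and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, sameSite: null, domain: null, path: null, maxAge: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase(); break;
      case 'domain': cookie.domain = v; break;
      case 'path': cookie.path = v; break;
      case 'max-age': cookie.maxAge = Number(v); break;
    }
  }
  return cookie;
}

// Return the list of problems with a session cookie; an empty list means it
// carries every attribute named in the talk and satisfies the prefix rules.
function checkSessionCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!c.secure) problems.push('missing Secure');
  if (!c.httpOnly) problems.push('missing HttpOnly');
  if (!c.sameSite) problems.push('missing SameSite');
  else if (c.sameSite === 'none' && !c.secure) problems.push('SameSite=None requires Secure');
  if (c.name.startsWith('__Secure-') && !c.secure) problems.push('__Secure- prefix requires Secure');
  if (c.name.startsWith('__Host-')) {
    // Browsers reject a __Host- cookie outright if any of these fail.
    if (!c.secure) problems.push('__Host- prefix requires Secure');
    if (c.domain) problems.push('__Host- prefix forbids Domain');
    if (c.path !== '/') problems.push('__Host- prefix requires Path=/');
  }
  return problems;
}

// Constructed demo values.
const GOOD = buildSetCookie('__Host-sid', 'abc123', { path: '/', secure: true, httpOnly: true, sameSite: 'Lax' });
const BAD = '__Host-sid=abc123; Domain=example.com; Path=/app';
console.log(GOOD, '->', checkSessionCookie(GOOD));
console.log(BAD, '->', checkSessionCookie(BAD));
```

The __Host- form is the one to reach for on a session cookie: because Domain is forbidden and Path must be /, a subdomain or a sibling path on the same host cannot plant a cookie that shadows it, which closes the session-fixation route the issues list above mentions.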

Input Validation

Client and Server Side, Always! Client-side validation improves the user experience, but it is trivially bypassed with a proxy, so every security decision (type, length, range, allow-list) must be enforced again on the server before the input reaches a query, a template or the file system.

More to come: Feature Policy (since renamed Permissions-Policy), Referrer Policy, Expect-CT (since retired once Certificate Transparency enforcement became the browser default) ...

Not out of the box, but...

Out There

BUG BOUNTIES

//bugcrowd.com - //hackerone.com - //synack.com
Search for a Security Page or for security.txt (served from /.well-known/security.txt, standardised in RFC 9116), which tells you where and how the site wants vulnerability reports.

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

https://en.wikipedia.org/wiki/Bug_bounty_program

Write a proper report (affected URL, steps to reproduce, impact, a minimal proof of concept) and always remember to be polite!

It's Over!


Web Security Foundations!

In this presentation I tap into the foundations of web security and also give an overview of the latest attack trends. Ultimately, it provides ways to improve or put new skills into practice to stay ahead of the game.