Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting for Developers

Chris Cornutt
February 07, 2019
Technology
0
110

Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
99
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
460
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260
PHP Security Bootcamp
ccornutt
2
280

Other Decks in Technology

See All in Technology
VPC間の接続方法を整理してみた #自治体クラウド勉強会
non97
1
840
バクラクにおける可観測性向上の取り組み
yuu26
3
420
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
ABEMA のコンテンツ制作を最適化!生成 AI x クラウド映像編集システム / abema-ai-editor
cyberagentdevelopers
PRO
1
180
新R25、乃木坂46 Mobileなどのファンビジネスを支えるマルチテナンシーなプラットフォームの全体像 / cam-multi-cloud
cyberagentdevelopers
PRO
1
130
生成AIと知識グラフの相互利用に基づく文書解析
koujikozaki
1
140
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
初心者に Vue.js を 教えるには
tsukuha
5
390
Fargateを使った研修の話
takesection
0
110
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
650
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
Being A Developer After 40
akosma
86
590k
Testing 201, or: Great Expectations
jmmastey
38
7k
Writing Fast Ruby
sferik
626
61k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Embracing the Ebb and Flow
colly
84
4.4k
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Agile that works and the tools we love
rasmusluckow
327
21k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
790
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k

Transcript

  1. PENTESTING FOR DEVELOPERS Chris Cornutt - Sunshine PHP 2019 for

    setup: http://signup.capturetf.com
  2. None

  3. We’ll Cover… • The most common issues in web application

    security • The top vulnerability types • Tools and techniques …and then the really fun stuff

  4. What this is not • A step-by-step guide into fixing

    the issues we find • A comprehensive listing of everything to test • An assurance that your application is completely secure

  5. Setup Time Do you have your environment yet? http://signup.capturetf.com

  6. Cross-Site Scripting

  7. Cross-Site Scripting (XSS) • Injection attack • User-supplied content used

    without validation, filtering or escaping • Different contexts: HTML, HTML attributes, Javascript, CSS, XML…

  8. Cross-Site Scripting (XSS) http://mycoolsite.com?user=user1 http://mycoolsite.com?user=<script>alert(1)</script> <?php echo $_GET[‘user’]; ?>

  9. Direct Object Reference

  10. Direct Object Reference • “Security through obscurity” • Magic URLs

    • Inadequate authentication/authorization protection http://mycoolsite.com/user/view/1 http://mycoolsite.com/admin http://mycoolsite.com/debug

  11. Poor Auth Practices

  12. Poor Auth Practices • User-controllable functionality • Not universally enforced

    • Plain-text credentials • Poor password policies/reset handling • Federation vs Local

  13. SQL Injection

  14. SQL Injection • Bypass controls to execute arbitrary SQL •

    Usually caused by string concatenation • Prepared statements/bound parameters

  15. SQL Injection $sql = ‘select * from users where username

    = “foo” and password = “‘.$password.’” $password = ‘ccornutt’; $password = ‘“” or 1=1; select * from users where username = “foo” and password = “” or 1=1;

  16. Information Exposure

  17. Information Exposure • Exposing sensitive information publicly • Error messages

    • Unprotected directories or files in the document root • Public-facing files considered “secret”

  18. Let’s get hacking… uh, I mean, testing!

  19. Challenge #1

  20. Challenge #1 Hints Hidden data Authorization Encryption

  21. Challenge #2

  22. Challenge #2 Hints Public Information Poor Auth Handling Obscurity

  23. Challenge #3

  24. Challenge #3 Hints Filter User input

  25. Challenge #4

  26. Challenge #4 Hints Poor Authentication Handling Default credentials

  27. Challenge #5

  28. Challenge #5 Hints User Input Serialization

  29. Challenge #6

  30. Challenge #6 Hints User Input SQL Injection

  31. Challenge #7

  32. [email protected] @enygma

  33. Thanks! @enygma @securingphp https://websec.io [email protected]