Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting for Developers

Chris Cornutt
February 07, 2019
Technology
0
110

Pentesting for Developers

While secure development practices are an important part of keeping your application and its data protected, you also have to prove your defenses are working. Developers are used to things like unit testing and even functional testing but some feel out of their depth when it comes to security testing. Effective security testing, or pentesting, is easier than you might think.

We’ll start by introducing some of the techniques and tools you can use to test your own applications and finish with a contest to see how much you’ve learned.

Chris Cornutt

February 07, 2019
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
100
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
160
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
460
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
160
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260
PHP Security Bootcamp
ccornutt
2
280

Other Decks in Technology

See All in Technology
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
520
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
Lexical Analysis
shigashiyama
1
150
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
Terraform Stacks入門 #HashiTalks
msato
0
360
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
180
AGIについてChatGPTに聞いてみた
blueb
0
130
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
170
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Facilitating Awesome Meetings
lara
50
6.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Six Lessons from altMBA
skipperchong
27
3.5k

Transcript

  1. PENTESTING FOR DEVELOPERS Chris Cornutt - Sunshine PHP 2019 for

    setup: http://signup.capturetf.com
  2. None

  3. We’ll Cover… • The most common issues in web application

    security • The top vulnerability types • Tools and techniques …and then the really fun stuff

  4. What this is not • A step-by-step guide into fixing

    the issues we find • A comprehensive listing of everything to test • An assurance that your application is completely secure

  5. Setup Time Do you have your environment yet? http://signup.capturetf.com

  6. Cross-Site Scripting

  7. Cross-Site Scripting (XSS) • Injection attack • User-supplied content used

    without validation, filtering or escaping • Different contexts: HTML, HTML attributes, Javascript, CSS, XML…

  8. Cross-Site Scripting (XSS) http://mycoolsite.com?user=user1 http://mycoolsite.com?user=<script>alert(1)</script> <?php echo $_GET[‘user’]; ?>

  9. Direct Object Reference

  10. Direct Object Reference • “Security through obscurity” • Magic URLs

    • Inadequate authentication/authorization protection http://mycoolsite.com/user/view/1 http://mycoolsite.com/admin http://mycoolsite.com/debug

  11. Poor Auth Practices

  12. Poor Auth Practices • User-controllable functionality • Not universally enforced

    • Plain-text credentials • Poor password policies/reset handling • Federation vs Local

  13. SQL Injection

  14. SQL Injection • Bypass controls to execute arbitrary SQL •

    Usually caused by string concatenation • Prepared statements/bound parameters

  15. SQL Injection $sql = ‘select * from users where username

    = “foo” and password = “‘.$password.’” $password = ‘ccornutt’; $password = ‘“” or 1=1; select * from users where username = “foo” and password = “” or 1=1;

  16. Information Exposure

  17. Information Exposure • Exposing sensitive information publicly • Error messages

    • Unprotected directories or files in the document root • Public-facing files considered “secret”

  18. Let’s get hacking… uh, I mean, testing!

  19. Challenge #1

  20. Challenge #1 Hints Hidden data Authorization Encryption

  21. Challenge #2

  22. Challenge #2 Hints Public Information Poor Auth Handling Obscurity

  23. Challenge #3

  24. Challenge #3 Hints Filter User input

  25. Challenge #4

  26. Challenge #4 Hints Poor Authentication Handling Default credentials

  27. Challenge #5

  28. Challenge #5 Hints User Input Serialization

  29. Challenge #6

  30. Challenge #6 Hints User Input SQL Injection

  31. Challenge #7

  32. [email protected] @enygma

  33. Thanks! @enygma @securingphp https://websec.io [email protected]