devslop - pixi workshop from appsec usa developer summit

Hacking APIs and Web Services with OWASP (Nicole Becher & Tanya Janca)

Upload: tanyajanca

Post on 21-Jan-2018


TRANSCRIPT

Hacking APIs and Web Services with OWASP

Nicole Becher & Tanya Janca

About Us

• Nicole Becher: application security, red teaming, penetration testing, malware analysis, and computer forensics. OWASP Brooklyn Leader, Adjunct Instructor @ NYU, political junkie, marathoner, martial artist & animal lover. WASPY 2017 Winner!!!!!

• Tanya Janca: application security evangelist, web app penetration tester, trainer, public speaker, developer, OWASP Ottawa Leader, effective altruist, paid to be nerdy since the late 90’s. WASPY 2017 Nominee!

In short: Awesome-Sauce

What you are going to need to participate today:

• Laptop with wifi (connected) and admin privileges

• Web proxy like OWASP Zed Attack Proxy (ZAP) or Burp Suite

• Modern web browser like Chrome or Firefox

• We are going to install Docker today

• Then we are going to hack some APIs!

Outline

• The Problem:

– The technical ecosystem is changing

– APIs and Web Services are often underprotected

• Introducing OWASP DevSlop: Pixi

• The Solution: Learn how to hack them using Pixi

• Setup and workshop

• Exercises

• Conclusion: What’s next for DevSlop?

The technical ecosystem is changing. Right now.

There is a paradigm shift, and many believe that this is the beginning of the end of monolithic applications.

No more excessively long release cycles. Reduction of manual effort. No more Waterfall.

Security must keep pace.

The delivery model is rapidly changing, and the Web is getting more and more complicated.

What are Microservices?

Netflix uses a microservices architecture. It receives more than one BILLION calls every day from more than 800 different types of devices to its streaming-video API. Each API call then prompts around 5 additional calls to back-end services.

Example microservices app: (architecture diagram in the original slide)

PROS vs. CONS

Pros:

• Microservice architecture gives developers the freedom to independently develop and deploy services

• A microservice can be developed by a fairly small team

• Code for different services can be written in different languages

• Easy integration and automatic deployment (using open-source continuous integration tools such as Jenkins, Hudson, etc.)

• The developers can make use of the latest technologies

• The code is organized around business capabilities

• Starts the web container more quickly, so the deployment is also faster

• When change is required in a certain part of the application, only the related service needs to be modified and redeployed; there is no need to modify and redeploy the entire application

• Better fault isolation: if one microservice fails, the others will continue to work

• Easy to scale and to integrate with third-party services

• No long-term commitment to a technology stack

Cons:

• Due to distributed deployment, testing can become complicated and tedious

• An increasing number of services can result in information barriers

• The architecture brings additional complexity, as the developers have to handle fault tolerance, network latency, load balancing, and a variety of message formats

• Being a distributed system, it can result in duplication of effort

• When the number of services increases, integrating and managing the whole product can become complicated

• In addition to the complexities of a monolithic architecture, the developers have to deal with the additional complexity of a distributed system

• Developers have to put additional effort into implementing the mechanism of communication between the services

• Handling use cases that span more than one service without using distributed transactions is not only tough but also requires communication and cooperation between different teams

• The architecture usually results in increased memory consumption

• Partitioning an application into microservices is very much an art

MASSIVE COMPLEXITY

The API Economy: Explosion of API/webservices

• Microservices

• Containerization

• Front-end frameworks

• SaaS platforms / third-party APIs

• Open Data/Programmable Web

• Serverless Computing

• Cloud

• DevOps / Agile

• Automation

• Continuous Integration

• Continuous Delivery

What does the API Economy mean for Security?

• Security needs:

–To move faster, by automating anything and everything

–Reproducible and accurate results

–Verify/examine/test in shorter cycles, more often

–More training and more tools than ever

–Reduce bottlenecks and stop being “a gate” to developers

• Developers need:

–Security training

–Security tools

–Accurate and quick guidance

–Agility and flexibility

–AppSec Support from Sec Team

Specific problems we are going to look at today

People are ignoring web services and APIs: just because they don’t have pretty GUIs doesn’t mean they can’t be hacked!

OWASP Top Ten 2017 *A10* (Underprotected APIs, as worded in the 2017 Release Candidate; the category was dropped from the final 2017 list, but the problem it describes did not go away)

Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.

http://www.computerworld.com/article/3036964/car-tech/hackers-can-access-the-nissan-leaf-via-insecure-apis.html

https://www.stavros.io/posts/winning-candy-crush/

Solution:

Learn how to hack a web app and an API with Pixi, understand common vulnerabilities in web apps & services.

Introducing: Pixi

• Pixi is part of OWASP’s newest project, DevSlop

• Pixi is a vulnerable webapp and vulnerable API.


• Allows users to create accounts, upload photos, send micropayments to others, like photos, etc.

• MEAN stack: MongoDB, Express, Angular.js, Node.js

• Docker - containerized

• OpenAPI/Swagger, JSON, JSON web tokens ++

• This app is highly vulnerable, and fun to break.

• We will be creating videos, workshops, training material and making Pixi available to the public.

The MEAN Stack:

• MongoDB - data store made up of "collections" of JSON-style (BSON) documents rather than relational tables.

• Angular.js - JavaScript front-end framework. It can be added to an HTML page with a <script> tag.

• Node - open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side.

• Express - fast, unopinionated, minimalist web framework for Node.js.

MongoDB

• There are many non-relational databases these days. Mongo is a data store that contains "collections" of documents in a JSON-style format (BSON); queries are themselves JSON objects, which matters for what follows.

• Mongo has its own security vulnerabilities that we will explore soon.

Angular.js

• Developed by Google as a front-end framework that relies on API calls to the middle/back end.

• Generally pretty good about sanitizing what it renders, but we will see examples of bypassing validation.

Node.js

• Server-side JavaScript runtime.

• Event-driven & asynchronous.

Why use Node?

• Fast!

• Easy to write modules/packages.

Express.js

• Web framework that sits on top of Node.js to handle web requests.

Why use Express?

• Lets you quickly create web routes/API calls.
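The Mongo and Express slides above say the data store has its own vulnerabilities and that Express makes routes quick to write. Put together, that is NoSQL (MongoDB operator) injection: a JSON body parsed by Express can carry query operators instead of strings. The following is an added example, not Pixi's own code: an in-memory stand-in for the driver (it understands only the $ne and $gt operators used here), a constructed user list, a vulnerable login route and a hardened one. Field names and request bodies are made up for the demonstration.

```javascript
// Added example (not Pixi's code): NoSQL injection through an Express login
// route, with no database needed. A tiny matcher stands in for MongoDB's
// collection.findOne() and implements only the $ne and $gt operators.
// The users and request bodies below are constructed for the demo.

const users = [
  { username: 'admin', password: 'hunter2' },
  { username: 'alice', password: 'wonderland' },
];

// Stand-in for findOne(query): a document matches when every field in the
// query equals the stored value, or satisfies an operator object such as
// {$ne: x} / {$gt: x}. Real MongoDB interprets these operators the same way.
function matchField(stored, cond) {
  if (cond !== null && typeof cond === 'object') {
    if ('$ne' in cond) return stored !== cond.$ne;
    if ('$gt' in cond) return stored > cond.$gt;
    return false;
  }
  return stored === cond;
}
function findOne(query) {
  const hit = users.find(u => Object.keys(query).every(k => matchField(u[k], query[k])));
  return hit || null;
}

// VULNERABLE: the JSON body parser has already turned the request into
// objects, and the route drops them straight into the query. A body of
// {"username":"admin","password":{"$ne":""}} logs in as admin without a password.
function vulnerableLogin(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? { ok: true, user: user.username } : { ok: false };
}

// HARDENED: accept only primitive strings for credential fields, so an
// operator object is rejected before it reaches the query. (A real app would
// also hash passwords; plaintext comparison is kept to mirror the vulnerable
// version and keep the example self-contained.)
function asString(v) {
  return typeof v === 'string' ? v : null;
}
function hardenedLogin(body) {
  const username = asString(body.username);
  const password = asString(body.password);
  if (username === null || password === null) return { ok: false, reason: 'invalid input' };
  const user = findOne({ username, password });
  return user ? { ok: true, user: user.username } : { ok: false };
}

// Constructed request bodies, exactly as an Express route sees them in req.body.
const legit = JSON.parse('{"username":"admin","password":"hunter2"}');
const wrongPw = JSON.parse('{"username":"admin","password":"nope"}');
const injected = JSON.parse('{"username":"admin","password":{"$ne":""}}');
const enumerate = JSON.parse('{"username":{"$gt":""},"password":{"$gt":""}}');

console.log('vulnerable, injected:', vulnerableLogin(injected)); // logs in as admin
console.log('hardened,   injected:', hardenedLogin(injected));   // rejected
console.log('vulnerable, enumerate:', vulnerableLogin(enumerate)); // first user in the collection
```

In a proxy like ZAP or Burp, the attack is simply changing a string value in the JSON body to an object; if the API responds with a session or token, the route is vulnerable. The type check is the minimum fix; schema validation of the whole body (and never passing req.body through unchanged) is the durable one.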

Docker - containerization

• Each specified service can be contained in separate docker containers.

• More containers can then be spawned if there is an increase in traffic/load

• One monolith vs Many Containers

• Unique Security Challenges

Docker Security Challenges

• Run containers as an ordinary user instead of root: pass -u / --user to docker run, or add a USER instruction to the Dockerfile so the image defaults to a non-root user.

• Remove SUID/SGID bits from binaries in your container images. This makes privilege escalation attacks even harder.

• Configure control groups (cgroups), which let you set limits on how many resources each container can use (for example --memory, --cpus and --pids-limit on docker run). This helps prevent container-based DoS attacks.

• Use namespaces in Docker to isolate containers from one another. Namespaces help assure that a user or process running inside one container can't affect those in other containers; enabling user namespace remapping (userns-remap) additionally keeps root inside a container from being root on the host.

• Don't use images from repos you don't trust. Avoid public repos if they're not from an official source and you don't know the maintainer.

• Consider using a tool to validate (scan and verify the signatures of) containers from your registries.

OpenAPI/Swagger

• OpenAPI (originally named Swagger) is an API definition format that lets you describe all the routes and methods of an API, and all the headers, parameters and security schemes needed to consume it.

• Meant to allow automated consumption by external services/applications. For a tester, the same document is a map of the attack surface, including which operations are declared as needing no authentication.
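Because an OpenAPI document spells out which operations require credentials, it can be audited for the "underprotected API" problem this workshop targets before a single request is sent. The following is an added example and not code from Pixi or the OpenAPI project: it walks a constructed OpenAPI 3 document and reports every operation that is reachable without a security requirement, or that names a security scheme the document never defines. The paths and scheme names are illustrative only.

```javascript
// Added example (not Pixi's or OpenAPI's code): find operations in an
// OpenAPI 3 document that no security scheme protects. The spec at the
// bottom is constructed for the demo.

const HTTP_METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace'];

// OpenAPI rule: an operation's own `security` list overrides the document-level
// one, and an explicit empty list ([]) means "no authentication required".
// That override is easy to miss in a large document, which is the point here.
function effectiveSecurity(spec, operation) {
  if (Array.isArray(operation.security)) return operation.security;
  return Array.isArray(spec.security) ? spec.security : [];
}

// Returns { method, path, reason } for each operation that is either
// unauthenticated or references a scheme missing from components.securitySchemes
// (a requirement that cannot be enforced because it is never defined).
function unprotectedOperations(spec) {
  const schemes = (spec.components && spec.components.securitySchemes) || {};
  const defined = Object.keys(schemes);
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op) continue;
      const sec = effectiveSecurity(spec, op);
      if (sec.length === 0) {
        findings.push({ method: method.toUpperCase(), path, reason: 'no security requirement' });
        continue;
      }
      // Each requirement object maps scheme name -> scopes; collect unknown names.
      const unknown = sec.flatMap(req => Object.keys(req)).filter(name => !defined.includes(name));
      if (unknown.length > 0) {
        findings.push({ method: method.toUpperCase(), path, reason: `undefined scheme: ${unknown.join(', ')}` });
      }
    }
  }
  return findings;
}

// Constructed spec for a Pixi-like photo service (not Pixi's real definition).
const spec = {
  openapi: '3.0.0',
  info: { title: 'photo-api (constructed)', version: '1.0' },
  security: [{ bearerAuth: [] }], // document-wide default: a bearer JWT is required
  components: {
    securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer', bearerFormat: 'JWT' } },
  },
  paths: {
    '/api/login': { post: { security: [] } },            // intentionally public
    '/api/pictures': { get: {}, post: {} },               // inherit bearerAuth: fine
    '/api/admin/users': { get: { security: [] } },        // BUG: admin route overridden to public
    '/api/pay': { post: { security: [{ apiKey: [] }] } }, // BUG: scheme never defined
  },
};

const findings = unprotectedOperations(spec);
for (const f of findings) console.log(`${f.method} ${f.path}: ${f.reason}`);
```

Every finding still needs a human to decide whether it is intentional (a login endpoint) or a defect (an admin endpoint); the audit only turns the definition into a short list of places to point the proxy at first.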

JSON web tokens (JWT)

• JWTs are cryptographically signed tokens that carry claims (who the caller is, what they may do) to a service that needs to authenticate the request.

• Very similar to session cookies, but much more universal: any service can decode the claims, since the payload is only base64url-encoded and not encrypted, and any service that has the key can verify the signature and trust them.

• Can be signed symmetrically (HMAC: one shared secret both mints and verifies) or asymmetrically (RSA/ECDSA: the private key signs, the public key verifies).

• Security risks relate to key storage, to verifiers that let the token's own header choose the algorithm (including "none"), and to overloading the token with data that should stay server-side.

Introducing: DevSlop

• OWASP’s Newest Project!

• A collection of ‘DevOps Disasters’, made as a learning & proving ground

• “The Hacker Jungle Gym”, for hackers and developers alike to learn and explore

• Pixi is the first of what will be several installments

• Modern and ‘different’ types of vulnerable web apps

• More vulnerable systems means more learning

Ummm, what is an OWASP Project?

• An OWASP project is an open source project related to Application Security, released as part of OWASP.

• OWASP projects can be documentation, code or tools. DevSlop is a code project.

• OWASP currently has over 93 active projects!

• Projects are popular because they are a chance to create anything the author thinks will help further the goal of OWASP: better AppSec for all.

• Basically, it's a chance for you to share your awesome with the entire world, with a fantastic support network behind you.

OWASP Projects are divided into categories:

• Code (Java Encoder, Java HTML Sanitizer projects)

• Tools (ZAP, Juice Shop, and DevSlop)

• Documentation (Top 10, Testing Guide)

Projects have a maturity status:

• Flagship

• Lab

• Incubator (that's us!)

Exercises!

Are you all on the Wifi?

Wifi name and password here, make sure everyone is online

Let’s start with installing Docker!

Let’s make sure your web proxies are working

Proxy settings: address 127.0.0.1, port 8080


Shall we go get Pixi? https://github.com/thedeadrobots/pixi (this repo is to be moved to the official OWASP GitHub)

> git clone https://github.com/thedeadrobots/pixi.git
> docker-compose up

Connection test (start and connect):

> docker-compose up

then browse to http://localhost:8000

What’s to come for DevSlop? (future)

Pixi roadmap:

- Document all the vulnerabilities

- Multi-language support

- Finish CTF mode

DevSlop roadmap:

- HTTP 2.0 app

- More DevOps apps

Become a part of DevSlop!

Nicole Becher, Brooklyn Chapter Leader

@thedeadrobots

[email protected]

Tanya Janca, Ottawa Chapter Leader

@shehackspurple

[email protected]

Questions?