Why AppSec Matters? - OWASP
Aldo Salas, aldo.salas@owasp.org
TRANSCRIPT
Agenda
• Intro.
• Current status of AppSec in the industry.
• Case study.
• Why OWASP matters.
About me
• 10+ years of experience in AppSec.
• Currently working for a Fortune 500 company.
• Independent researcher in free time (bug bounty).
• Chapter Leader for Aguascalientes.
• Favorite vulnerability: SQL Injection.
• Proud U.A.A. alumnus.
I’m not here to scare you…
• Or maybe I am.
Another week, another hack
And the list goes on: http://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-march-2016/
We are not doing a great job
Real-life case study
Background
• Third party used to collect festivals and new-hires information.
• The following email was sent to artists/managers/assistants:
• First thought on “public_key”: maybe it’s an authentication token; not ideal, but it still provides some level of authentication.
Phase 1: Discovery
Public key parameter:
• Removing public_key = unauthenticated access to data.
Analyzing URL:
• Changing the ID in the URL = Insecure Direct Object Reference (still unauthenticated).
Analyzing page:
• Files are stored in AWS S3.
• File is always renamed to original.ext.
• Unauthenticated access to uploaded files as well.
• Brute forcing of files is possible but not really needed.
Summary so far:
• Unauthenticated access to artist profile.
• Access to ANY profile is possible using Insecure Direct Object References.
• Unrestricted File Upload is possible.
• Unauthenticated access to uploaded files is possible.
Reminder: this is a single page.
Phase 2: Automation
Automating data retrieval to demonstrate risk
• Initial results:
• More than 80 thousand records found.
• Notes:
• More than 170 thousand requests were sent.
• More than 6 GB were downloaded.
• I was never stopped nor even detected.
Phase 3: Parsing data
Parsing data:
• Number of direct URLs to download files obtained:
Parsing data:
• Artists’ PII, including emails and phones.
Parsing data:
• And much, much more:
Possible outcomes if exploited by attackers:
• Headlines in the news:
• “HUNDREDS OF THOUSANDS OF ARTISTS’ DETAILS LEAKED BY COMPANY”
• “WANT TAYLOR SWIFT’S NUMBER? WE’VE GOT IT”
• Attackers selling or leaking artists’ information (stalkers, curious people, etc.).
• Fraud and potential legal consequences (SSNs involved).
• Phishing campaigns against retrieved emails.
• Etc., etc., etc.
What could’ve been done better:
• Prevent unauthenticated access to the page.
• Once authentication has been implemented, perform authorization checks.
• Validate the uploaded files at server side.
• Also add authentication checks to the files.
• Logging and IPS/IDS configuration to detect unusual activity.
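As an added illustration (not code from the talk or from the third party discussed), the following models the two missing controls on the profile page, authentication and object-level authorization, next to the optional-key pattern the case study describes, and adds a log-based detector for the kind of ID sweep that went unnoticed. All records, tokens, IP addresses and log lines are constructed sample data.

```python
# Added illustration, not code from the talk: a minimal model of the
# profile endpoint with the two missing controls (authentication and
# object-level authorization), plus a log-based enumeration detector.
# All names, tokens, addresses and records below are constructed sample data.
from collections import defaultdict

# Constructed "database": profile id -> owning account and profile data
PROFILES = {
    101: {"owner": "artist-a", "email": "a@example.invalid"},
    102: {"owner": "artist-b", "email": "b@example.invalid"},
}
# Constructed session store: opaque token -> account (stand-in for public_key)
SESSIONS = {"tok-a": "artist-a", "tok-b": "artist-b"}


def get_profile_vulnerable(profile_id, public_key=None):
    """The pattern the talk describes: the key is optional and never tied to
    the record, so dropping it or changing the id both still succeed."""
    return PROFILES.get(profile_id)


def get_profile_hardened(profile_id, token):
    """Authenticate first, then authorize against the object's owner."""
    account = SESSIONS.get(token)
    if account is None:
        return (401, None)               # no valid session: not authenticated
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != account:
        return (404, None)               # not the caller's object: hide it
    return (200, record)


def flag_enumeration(log_lines, threshold=5):
    """Flag any client that requested `threshold` or more distinct profile
    paths, the activity the talk notes was never detected.
    Each constructed log line has the shape: 'ip status path'."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, status, path = line.split()
        if path.startswith("/profile/"):
            seen[ip].add(path)
    return sorted(ip for ip, paths in seen.items() if len(paths) >= threshold)


# Constructed sample log: one client sweeping ids, one normal repeat visitor
SAMPLE_LOG = [f"203.0.113.9 200 /profile/{i}" for i in range(100, 108)]
SAMPLE_LOG += ["198.51.100.4 200 /profile/101", "198.51.100.4 200 /profile/101"]
```

The hardened handler returns 404 rather than 403 for another account's profile so that a valid-but-foreign id is indistinguishable from a nonexistent one, which removes the oracle an ID sweep relies on.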
Tools used for discovery and exploit:
• Python programming language to code a small download script.
• Standard Unix tools to parse data (find, cat, cut, grep, sort, sed, ls, wget).
Questions?
Why OWASP Matters?
• All the vulnerabilities shown in this presentation could’ve been avoided by following OWASP recommendations.
OWASP TOP 10 misses:
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Questions?