How do you know that your site works as it supposed to? How do you know if it’s down? I was thrilled to realize that most of admins say – well, if nobody calls me on the phone, then it’s fine. But what if you’re in charge of a web hosting platform with thousands of web sites? And let’s say one-minute downtime costs a million? You’d better start planning some monitoring solution before it’s too late.
Continue reading “A10 2017 – Insufficient Logging and Monitoring”
You’ve done it! Congratulations! Your code is nearly perfect and secure, it was tested by a dozen pairs of eyes and money spent on code analyzing software was not in vain. It’s just one final step – let DevOps deploy it and let your customers work with the amazing web site you’ve made.
Next morning you’ve got an email from your boss and he’s not angry. He’s in rage! He’s not impressed with progress you made, but asks a single burning question – what’s that huge white face with stupid mustache he sees instead of a web site?
Your site was defaced overnight. You call DevOps and now it’s your turn to ask questions – guys, what web server do you deploy it on? Is it secure? Do you update it from time to time? Never? Oh …
Continue reading “A9 2017 – Using Components with Known Vulnerabilities”
The serialization is the process of turning some objects into a data format that can be restored later. For example, you have a forum, online shop or any other web site and you have to send objects between different parts of this site. So, during the serialization you transform an object to a byte stream, so it was in a right form to traverse around HTTP traffic or send to be stored in database.
So, the deserialization is the exact opposite process in which we take structured data from some format and rebuild it to an object.
So, what can go wrong, why is that a problem?
Continue reading “A8 2017 – Insecure Deserlization”
Every public speech I make, every lecture I present, I always start with a demo. I know there are highly trained professionals out there with outstanding public speaking and presentation skills who write articles and books about art of public speaking. But I guess for most of us it’s more about finding our own way of speaking to audience.
I start with a demo because I think it makes people more involved. And demos of setting some system up or pentesting with visual results are always entertaining and eye-catching for everybody in the room.
So, when it comes to a demo of XSS there’s no better example than use BeEF.
No, not that one. BeEF as Browser Exploitation Framework
Continue reading “A7 2017 – XSS (part 2)”
Most of the time scripts come from other places than web site itself. These scripts are allowed to operate on the page and usually there’s some mechanism in place to control their behavior. You can think of it as a sand box – each web site runs pretty much independently. This also means that one site opened in a tab of browser isn’t allowed to access data from another site in a tab next to it. So, in theory Cross-Site Script (or XSS) is basically a violation of this principle. And it’s much worse in practice.
Continue reading “A7 2017 – XSS (Part 1)”
Security misconfiguration is a blanket term for a broad specter of vulnerabilities. We won’t look at specific examples today. I want to draw some scenarios that you might find interesting, so you can avoid them.
Continue reading “A6 2017 – Security Misconfiguration”
Alright then, we’re half way through OWASP 10 and I would like to take a break. Let’s talk about different kinds of pentest. What if I tell you that you can penteset … a person? Wait, what? Let’s take a look.
Continue reading “Gone phishing”
With local file inclusion we use files that are already there on the web server. But what if we could execute some file that is not supposed to be there at all. Let’s take a look.
Continue reading “A5: 2017 – Broken Access Control (Part 2)”
Access control is easily confused with authentication. But in fact, access control is about dealing with already authenticated users. «Ok, I see that you’re John123, let’s see where you can go and where you can’t». You might have a decent authentication mechanism, but if access control is broken you can’t really distinct one user from another. Or even worse …
Continue reading “A5: 2017 – Broken Access Control (Part 1)”
XML is a very good way to store and to organize data, and XXE vulnerability takes advantage of XML parsers not data itself. It works like every other injection, but has its own features. Overall in my opinion, it’s little more complex than any other injection around.
Continue reading “A4: 2017 – XML External Entities (XXE)”