Viktor Turskyi
Information Security Practice
2018
Viktor Turskyi
CEO at WebbyLab
15 years in software development
Why do I talk about security?
1. I switched to software development from IT security
2. I have worked with software engineers for many years, and this topic is badly under-covered
3. I have worked with different businesses for many years, and the risks are highly underestimated
4. Governmental regulations (GDPR, PCI DSS etc)
5. It makes you a better software engineer
6. It is FUN!!
What will I talk about?
1. Not about the OWASP (Open Web Application Security Project) Top 10 report
2. Not about security tools (metasploit, sqlmap etc.)
3. Not about Content Security Policy.
4. Only practical cases that we've met in real life.
5. JavaScript based demos
6. Real cases simulated in environment
a. React frontend
b. NodeJs backend
c. Set of exploits
Overview of the existing application
Case 1: Email password recovery
Case 1: Takeaways
Mongo IDs are predictable
UUID v1 is predictable (unique, but not random)
UUID v4 is predictable
Always think about the predictability of URLs (keys, etc.)
Case 2: Password recovery by SMS
Case 2: Takeaways
Think about brute force
Reset actions:
SMS codes
CAPTCHA codes
Case 3: File paths
Case 3: Takeaways
Use npm audit
JWT vulnerability example
Check your dependencies
Security is a question of trust
apt update
Case 4: Photos upload
Case 4: Takeaways
Think about edge cases
Just know how the system works
Case 5: Tweet creation
Case 5: Takeaways
Do not use regexes for extracting script tags
Use a sanitizer with tag and attribute white-listing
CORS will allow you to do cross-domain requests
XSS worm issues
Case 6: HTML page parsing issue
Case 6: Takeaways
Know how HTML pages are parsed
Think about the data usage context
Case 7: Network risks
Case 7: Takeaways
Think about communication
Get the whole picture
Use HTTPS everywhere
Case 8..14:
Case 8: Clickjacking
Case 9: Tabnabbing
Case 10: CSRF (cookie, basic auth)
Case 11: SQL Injection (pass through ORM)
Case 12: ORM Injection
Case 13: Unsafe HTTPS Redirect
Case 14: Target=_blank (without rel="noopener noreferrer")
Why I like information security
Information security is about understanding how things work
It makes you a better developer
You can create more complex projects
It is fun
Thank you!
Viktor Turskyi
viktor@webbylab.com
@koorchik
https://webbylab.com
KharkivJS 2018 Information Security Practice