Unique ways to Hack into a Python Web Service
Copyright - we45, 2018
About
 Senior Solutions Engineer at we45
 Developer of the open-source projects Orchestron and ThreatPlaybook
 Part of multiple CTFs
@ti1akt
https://github.com/we45/orchestron-community
https://github.com/we45/ThreatPlaybook
Agenda
 Intro to Web-Services
 Common Vulnerabilities
 Unique Vulnerabilities
 Some Remediation Techniques
 Demo!
What is a Web Service?
 It is designed to support interoperable machine-to-machine interaction over the internet
 It is not tied to any one operating system or programming language
Types of Web Service
 SOAP Web Services
 RESTful web services
Python Rest Frameworks
 DjangoRestFramework
 Flask
 Falcon
 Pyramid
 CherryPy
 Bottle
Common Security Threats
 SQL Injection
 Cross Site Scripting
 Broken Authentication
 Security Misconfiguration
 Cross-site Request Forgery
 Many more...
Django prevents some of these attacks
 SQL Injection
 Cross-Site Request Forgery
 Cross-Site Scripting
 Session Hijacking
What about these?
 JWT Manipulation
 XML External Entity
 Insecure Direct Object Reference
 Server-Side Template Injection
 Etc.
JWT Manipulation
OWASP-2017 A5 Broken Access Control
Why JWT
 Stateless Application
 Authorization Mechanism
 Transfers information between server and client
 Scalable and decoupled
JSON Web Token (JWT)
 The process is relatively simple (typically):
 Once a user authenticates, the server generates a JSON payload (with some info) and signs the JSON payload with a key
 This can be an HMAC-based key (HS256) or an asymmetric system (RS256)
 The token is sent by the client (like a session cookie)
 The server attempts to verify the token based on the signature and
Lots of ways to get JWT wrong
 JWT allows for a "none" signature (an unsigned token)
 Algorithm confusion attacks:
 CVE-2017-11424
 CVE-2015-9235
 JWT verification on non-unique private claims
Recent Attack
source: https://thehackernews.com/2018/04/auth0-authentication-bypass.html
Mitigation
 Validate using a unique ID
 Ensure that the JWT implementation doesn't support the "none" signature
 Keep the JWT lifetime relatively short
 Check the library for known flaws
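The issue/verify flow from the JWT slide and the four mitigations above, as an added example that is not part of the deck (the author's demo repository is not reproduced here). It uses only the standard library so that the server-side checks are visible rather than hidden in a JWT package: the algorithm is pinned on the server instead of read from the token header (which closes both alg=none and HS256/RS256 confusion), the signature is compared in constant time, `exp` is mandatory, and `jti` is the unique ID that a logout handler can revoke. The key, claim names and clock value are constructed for the demo.

```python
# Added example (not from the we45 deck): a minimal HS256 JWT issuer/verifier
# built on the standard library, showing the checks the slides call for.
import base64
import hashlib
import hmac
import json
import time

# Hypothetical service key; a real deployment loads this from a secret store.
SERVICE_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SERVICE_KEY) -> str:
    """Issue an HS256-signed token. Callers must include 'exp' and 'jti'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, key=SERVICE_KEY, revoked_jti=frozenset(), now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("undecodable token") from exc
    # 1. Pin the algorithm on the server. The header is client-controlled, so
    #    alg=none and an RS256->HS256 confusion attempt are both refused here.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # 2. Constant-time comparison over exactly the bytes that were signed.
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # 3. Short lifetime: 'exp' is mandatory, not optional.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    # 4. Unique ID: 'jti' is mandatory and checked against the revocation set
    #    that the logout handler fills, so a captured token cannot be replayed.
    if "jti" not in claims or claims["jti"] in revoked_jti:
        raise ValueError("token revoked or has no jti")
    return claims


def is_valid(token, key=SERVICE_KEY, revoked_jti=frozenset(), now=None):
    try:
        verify_token(token, key, revoked_jti, now)
        return True
    except ValueError:
        return False


def demo():
    now = 1_700_000_000  # constructed fixed clock so the example is deterministic
    revoked = set()
    good = make_token({"sub": "alice", "jti": "tok-1", "exp": now + 300})
    # The same payload re-wrapped with alg=none and an empty signature is the
    # negative test case for mitigation 2: the verifier must refuse it.
    payload_b64 = good.split(".")[1]
    unsigned = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."
    results = {
        "good": is_valid(good, now=now),
        "alg_none": is_valid(unsigned, now=now),
        "expired": is_valid(good, now=now + 301),
    }
    revoked.add("tok-1")  # what the logout handler does
    results["after_logout"] = is_valid(good, revoked_jti=revoked, now=now)
    return results


if __name__ == "__main__":
    print(demo())
```

The revocation set is the piece that makes "validate using a unique ID" and "invalidate the JWT on logout" work together: without a `jti` the server has nothing to revoke, and without a short `exp` the revocation list grows without bound.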
Insecure Deserialization
OWASP-2017 A8 Insecure Deserialization
What is Serialization
 Serialization means converting an object into a binary stream.
What is Deserialization
 Deserialization means converting a binary stream into an object.
Security Gotcha!!!
 Deserialisation of malformed data
 Abuse of application logic
 Denial-of-Service
 Remote code execution
Recent Attack
Source: https://thehackernews.com/2018/08/php-deserialization-wordpress.html
Source: https://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/
Vulnerable serialization formats
Source: https://thehackernews.com/2018/08/php-deserialization-wordpress.html
Mitigations
 Integrate an integrity check such as a digital signature
 Isolate, then deserialise the data
 Monitor incoming and outgoing network connectivity
 Instead of yaml.load use yaml.safe_load
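The first two mitigations applied to Python's own binary format, as an added example that is not part of the deck. `pickle` is used because it is in the standard library and is the Python analogue of the PHP and Java cases cited on the earlier slides; the same principle is what `yaml.safe_load` implements for YAML by refusing arbitrary Python tags. The blob is HMAC-tagged before it leaves the service and the tag is verified before a single pickle opcode is read, and the unpickler resolves only an explicit allow-list of globals. The key, the allow-list and the sample session are constructed for the demo.

```python
# Added example (not from the we45 deck): deserialising only data that this
# service signed itself, and refusing any global the payload tries to import.
import collections
import datetime
import hashlib
import hmac
import io
import pickle

# Hypothetical key shared by the producer and consumer of the serialised blobs.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC in front of the body

# The only non-primitive object this service expects inside a blob. Plain
# dicts, lists, strings and numbers use dedicated opcodes and never reach
# find_class at all, so they need no entry here.
ALLOWED_GLOBALS = {("datetime", "datetime")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that can only resolve explicitly allow-listed globals.

    pickle resolves every class or function referenced in a stream through
    find_class, so refusing unknown names here is what keeps a crafted stream
    from reaching arbitrary callables.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def sign_blob(obj, key=SIGNING_KEY):
    """Serialise obj and prefix it with an HMAC so tampering is detectable."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def load_signed(blob, key=SIGNING_KEY):
    """Verify the HMAC first, then deserialise with the restricted unpickler."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob not produced by this service")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo():
    session = {"user": "alice", "issued": datetime.datetime(2018, 11, 1, 9, 30)}
    blob = sign_blob(session)
    results = {"roundtrip": load_signed(blob) == session}

    # One flipped byte in the body: rejected before any deserialisation happens.
    tampered = blob[:TAG_LEN] + bytes([blob[TAG_LEN] ^ 0x01]) + blob[TAG_LEN + 1:]
    try:
        load_signed(tampered)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"

    # A correctly signed blob that references a class outside the allow-list
    # (a harmless OrderedDict stands in for anything unexpected).
    try:
        load_signed(sign_blob(collections.OrderedDict(a=1)))
        results["unexpected_global"] = "accepted"
    except pickle.UnpicklingError:
        results["unexpected_global"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the signature is checked over the raw bytes, so a tampered or foreign blob is discarded without the unpickler ever running. The allow-list is the second layer for the case where the signing key itself is compromised or a trusted producer is fed bad data.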
Insecure Direct Object Reference
OWASP-2017 A8 Broken Access Control
Insecure Direct Object Reference
 id, pid, uid are often seen as HTTP parameters
 Accessing another user's data or privileges
 Backend does not properly validate the requesting user
How it works
Yahoo Breach
Source: https://thehackernews.com/2014/03/yahoo-vulnerability-allows-hacker-to_1.html
Mitigation
 Validate that the requesting user is allowed to see the object being queried
 Check in the database whether the user is genuine
 Custom validation on the server side as well as the client side
 JWT should be invalidated once the user logs out
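The IDOR pattern from the two slides above and its first mitigation, as an added example that is not part of the deck. A small in-memory table with sequential ids stands in for a Django model; the hypothetical `Invoice` rows and user names are constructed. The insecure lookup trusts the id from the request and never asks who is asking; the hardened one makes ownership part of the query, which in Django is the one-liner `get_object_or_404(Invoice, pk=invoice_id, owner=request.user)`. `current_user` is assumed to come from an already verified session or token, not from a request parameter.

```python
# Added example (not from the we45 deck): the same object lookup written two ways.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: int


# Constructed sample rows with the sequential ids typical of IDOR-prone endpoints.
INVOICES = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 900),
    103: Invoice(103, "alice", 40),
}


class NotFound(Exception):
    """Stands in for an HTTP 404."""


def get_invoice_insecure(invoice_id):
    """Vulnerable: any authenticated caller can read any row by guessing its id."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice(current_user, invoice_id):
    """Hardened: the ownership check is part of the query, not an afterthought."""
    row = INVOICES.get(invoice_id)
    if row is None or row.owner != current_user:
        # Same response for "no such row" and "not yours", so the endpoint
        # does not confirm which ids exist.
        raise NotFound(invoice_id)
    return row


def can_read(current_user, invoice_id):
    try:
        get_invoice(current_user, invoice_id)
        return True
    except NotFound:
        return False


def demo():
    """Compare what bob sees when he requests alice's invoice 101."""
    insecure_owner = get_invoice_insecure(101).owner  # 'alice': bob got her row
    try:
        get_invoice("bob", 101)
        hardened = "returned"
    except NotFound:
        hardened = "404"
    return {
        "insecure_leaks_owner": insecure_owner,
        "hardened": hardened,
        "own_row_ok": get_invoice("alice", 101).total,
    }


if __name__ == "__main__":
    print(demo())
```

Scoping every query by the authenticated principal is cheaper and more reliable than a separate "is this user allowed" check after the fetch, because there is no code path on which the check can be forgotten.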
Some Tips
To prevent some of these threats
 Run SCA
 https://github.com/pyupio/safety
 Run SAST
 https://github.com/PyCQA/bandit
 Run DAST
 https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
 Include security testing in the DevOps pipeline
Basic Pipeline Demo
Download Examples and Slides
 You can download them from
 http://github.com/we45/djangocon-2018
@ti1akt
Thank you
https://github.com/we45/orchestron-community
https://github.com/we45/ThreatPlaybook
