BSides Iowa 2017 Wanna break JavaScript and APIs in web apps?
- 1. WANNA BREAK JAVASCRIPT AND ANDY FREEBORN
- 2. ME ▸Penetration Tester at Union Pacific ▸Previous jobs also tested security in all the things ▸Explorer of CPU architectures ▸Loves dank memes 2
- 3. AGENDA ▸Why ▸Tools to identify and break things ▸Thing to break ▸Demo of thing to break 3
- 4. WHY ▸There’s too many versions of JavaScript: http://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/ 4
- 5. WHAT DOES ALL OF THAT MEAN? ▸JavaScript is evil 5
- 6. WHAT DOES IT REALLY MEAN? ▸Many JavaScripts versions out there work, why update it? ▸Because security ▸Is it really a problem if so many other people use the same thing? ▸Just ask WordPress administrators ▸Unrelated low risk vulnerabilities can be exploited and chained to provide an easy way into your organization ▸ http://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and- auditor-turns-into-eight-vulnerabilities/ 6
- 7. NO REST FOR THE API’S ▸Rest APIs are becoming more available and used ▸Companies are querying data from APIs of various products to make their own aggregated view of data ▸APIs also have a myriad of challenges and can be insecure ▸http://www.zdnet.com/article/apis-examined/ ▸OWASP Top 10 for 2017 (RC1) ▸A10 - Under protected APIs 7
- 8. TOOLS TO BREAK THINGS ▸Chrome and Firefox developer tools ▸Retire.js ▸Node Security Platform and Snyk ▸Postman ▸Burp Suite 8
- 9. CHROME AND FIREFOX DEV TOOLS ▸Both are free, powerful, and easy to use ▸Many free resources available to help you use it ▸https://developers.google.com/web/tools/chrome-devtools/ ▸http://discover-devtools.codeschool.com/ ▸Why use it? ▸Easy to test for a variety of potential security issues 9
- 10. CHROME DEV TOOLS: SHOW ME YOUR SECRETS… OR SOURCE▸URL/route to the administrative page (dirbuster works too) ▸Commented out link to the score-board 10
- 11. CHROME DEV TOOLS: ALWAYS PRETTY- PRINT LUKE, ALWAYS ▸Click the {} symbol 11
- 12. RETIRE.JS ▸Retire.js detects vulnerable JavaScript libraries and/or Node.JS modules ▸Free ▸https://github.com/RetireJS/retire.js ▸Regularly updated as JavaScript and NPM packages age ▸Provides the exact vulnerability associated with a specific version and includes helpful URLs 12
- 13. RETIRE.JS ▸Retire.js can be used in a variety of situations: ▸Chrome extension ▸Firefox extension ▸Standalone to scan a website or file directory ▸Add-on for OWASP Zap (free) ▸Add-on for Burp Suite (requires Pro) in the BApp Store 13
- 14. RETIRE.JS: VULNERABILITIES FOUND WITH THE EXTENSION 14
- 15. RETIRE.JS: VULNERABILITIES FOUND WITH THE CLI ▸sequelize has known vulnerabilities such as SQLi 15
- 16. NODE SECURITY PLATFORM AND SNYK ▸Node Security Platform (project from ^Lift) ▸Free: https://github.com/nodesecurity/nsp ▸Scan a directory to identify issues with Node.JS packages ▸Snyk ▸Free tier available: https://snyk.io/ ▸Checks JavaScript, Ruby, and Java GitHub repositories, public NPM packages, and can scan directories as well 16
- 17. POSTMAN ▸Quickly probe/poke/destroy APIs ▸Free ▸https://www.getpostman.com/ ▸Why not SoapUI? curl? Python requests library? ▸SoapUI works great! Postman is just another option ▸Really why though: History, easily import/export tests to other formats, share tests among team members 17
- 18. POSTMAN DEMO ▸Bypass those silly restrictions in the UI. This could have been done in ZAP, Burp, etc. as well. 18
- 19. BURP SUITE ▸A great tool to proxy network traffic, change it to an unexpected value, and assess platforms like web, mobile, etc. ▸https://portswigger.net/burp/ ▸Does active and passive scanning and has great plugins ▸Specialized plugins require the paid version of Burp ▸$399, but worth it! ▸An excellent alternative is OWASP Zap 19
- 20. BURP SUITE DEMO ▸Get paid! 20
- 21. THING TO BREAK: OWASP JUICE SHOP ▸“OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.” ▸https://github.com/bkimminich/juice-shop ▸Has a CTF version based on CTFd!!!11! ▸https://github.com/bkimminich/juice-shop-ctf ▸Continually updated with new vulnerabilities, content, languages ▸Author recommends not cheating, but bad guys do! 21
- 22. OWASP JUICE SHOP: WHERE CAN IT RUN? ▸Heroku dyno (Run small web apps online for free) ▸Docker container ▸Someone else’s computer (Amazon Web Services) ▸Your VM or machine ▸Online right now! ▸ https://juice-shop.herokuapp.com/ 22
- 23. OWASP JUICE SHOP: DEMO MACHINE ▸1 VM running Ubuntu 16.04 LTS ▸Download the ISO, boot up, do all the regular updates ▸Install Docker with quick and clear Ubuntu instructions: ▸https://docs.docker.com/engine/installation/linux/ubuntu/ #install-using-the-repository ▸docker pull bkimminich/juice-shop ▸docker run -d -p 3000:3000 bkimminich/juice-shop 23
- 24. OWASP JUICE SHOP: VULNERABILITIES ▸Includes a book to introduce, tackle, and solve the challenges ▸https://www.gitbook.com/book/bkimminich/pwning-owasp-juice- shop/details ▸Examples of vulnerabilities ▸“Log in with the administrator's user credentials without previously changing them or applying SQL Injection.” ▸“XSS Tier 3: Perform a persisted XSS attack with <script>alert("XSS3")</script> without using the frontend application at all.” 24
- 25. OWASP JUICE SHOP: DEMO ▸Walkthrough of the application and see how it works ▸Vulnerabilities to tackle ▸Start with the score board ▸SQLi exploitation flaw in a JavaScript library ▸Insert a XSS payload with the API ▸Manipulate an order request 25
- 26. WHERE ELSE CAN YOU USE THESE SKILLS?▸Automated tools won’t help you here: https://www.offensive-security.com/information-security-training/cracking-the-perimeter/ 26