SECURE CODING FOR STARTUP DIGITAL
Introduction to Secure Coding
Module 1
Outline
• Security and Application security
• Common Application Security Attack
• Software Security Standards, Models, and Framework
• Threat Modeling
• Vulnerability Assessment on Application
Security and Application Security
Why security?
• Fundamental aspects of information must be protected
• Confidential data
• Employee information
• Business models
• Protect identity and resources
• The internet was initially designed for connectivity
• Trust assumed
• We do more with the Internet nowadays
• Security protocols are added on top of the TCP/IP
• We can’t keep ourselves isolated from the Internet
• Most business communications are done online
• We provide online service(s)
• We get services from 3rd-party organizations online
Goal of Information Security
• Confidentiality: Prevents unauthorized use or disclosure of information
• Integrity: Safeguards the accuracy and completeness of information
• Availability: Authorized users have reliable and timely access to information
Essential Services
The ability to permit or deny the use of an object by a subject. It
provides 3 (three) essential services:
• Authentication (who can login)
• Authorization (what authorized users can do)
• Accountability (identifies what a user did)
Example of Security Breaches
• haveibeenpwned.com tracks accounts that have been
compromised and released into the public.
Example of Security Breaches
• zone-h.org tracks and archives website defacements.
Secure Application
• An application is said to be secure when it ensures confidentiality,
integrity and availability of its restricted resources
• Restricted resource is any object, data, feature, or function of an
application designed to be accessed by only authorized user
• The user supplies his/her identity and secret
• The user is authenticated by checking the veracity of the secret
• The user is authorized to use one or more protected resources
• The set of resources that the user is authorized to use defines the level of trust granted to the user
Need for Application Security
• Attackers exploit vulnerabilities in the applications to launch
various attacks and gain unauthorized access to resources
• A successful attack may result in:
• Financial Loss
• Affects Business Continuity
• Closure of Business
• Disclosure of Business Information
• Damages Reputation
• Fraudulent Transactions
Common Attacks
SQL Injection Attack
• SQL injection attacks use a series of malicious SQL queries to
directly manipulate the database in a vulnerable web application
• The goal is to bypass normal security measures and obtain direct
access to valuable data
• SQL injection attacks can often be executed from the address bar,
from within application fields, and through queries and searches
• This attack is possible only when the application executes dynamic
SQL statements and stored procedures with arguments based on
the user input
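The difference between a dynamic SQL statement and a parameterized one, as an added example that is not part of the original slides. The table, the sample rows and the function names are constructed for illustration, and the code uses Python's built-in sqlite3 module.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with three sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("o'brien", "user"), ("admin", "admin")],
    )
    return db


def find_user_dynamic(db, username):
    """VULNERABLE: the input becomes part of the SQL text the database parses."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def find_user_parameterized(db, username):
    """Hardened: the statement text is fixed and the input is bound as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def compare(db, username):
    """Run both lookups on the same input; report the rows or the error type."""
    results = {}
    for name, lookup in (("dynamic", find_user_dynamic),
                         ("parameterized", find_user_parameterized)):
        try:
            results[name] = lookup(db, username)
        except sqlite3.Error as exc:
            results[name] = "error: " + type(exc).__name__
    return results


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a legitimate name containing a quote,
    # and a value that rewrites the WHERE clause when concatenated.
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(db, value))
```

The dynamic version fails in two ways: a legitimate name with an apostrophe breaks the statement, and the third input returns every row, while the parameterized version treats both as plain data.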
Cross-site Scripting (XSS) Attacks
• Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in
dynamically generated web pages, which enables malicious
attackers to inject client-side script into web pages viewed by other
users
• It occurs when unvalidated input data is included in dynamic
content that is sent to a user's web browser for rendering
• Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or
Flash for execution on a victim's system by hiding it within
legitimate requests
Impact
• Malicious script execution
• Redirecting to a malicious server
• Exploiting user privileges
• Ads in hidden IFRAMES and pop-ups
• Data manipulation
• Session hijacking
• Brute force password cracking
• Data theft
• Intranet probing
• Keylogging and remote monitoring
Mechanism
Server Code:
<html> <body>
<?php print "Not found: " . urldecode($_SERVER["REQUEST_URI"]); ?>
</body> </html>
Normal Request: http://certifiedhacker.com/jason_file.html
Server response: 404 Not Found
XSS Attack: http://certifiedhacker.com/<script>alert("WARNING: The application has encountered an error");</script>
Server response: a Warning dialog showing "WARNING: The application has encountered an error"
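The "Not found" handler above beside an output-encoded version, as an added example that is not part of the original slides. It is a Python rendering of the slide's PHP logic; the function names and the percent-encoded sample request are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote


def not_found_unsafe(request_uri):
    """Same behaviour as the slide's handler: the decoded URI is reflected verbatim."""
    return "<html><body>Not found: " + unquote(request_uri) + "</body></html>"


def not_found_escaped(request_uri):
    """Hardened: HTML-encode the reflected value before placing it in the page."""
    return ("<html><body>Not found: "
            + html.escape(unquote(request_uri), quote=True)
            + "</body></html>")


class _TagCollector(HTMLParser):
    """Records every start tag, i.e. what a browser would treat as markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(page):
    """Return the element names an HTML parser sees in the response body."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    # Constructed requests: the normal one from the slide and a percent-encoded
    # script element in the path, as a browser would send it.
    samples = ["/jason_file.html",
               "/%3Cscript%3Ealert(%22WARNING%22)%3C/script%3E"]
    for uri in samples:
        print(uri)
        print("  unsafe :", parsed_tags(not_found_unsafe(uri)))
        print("  escaped:", parsed_tags(not_found_escaped(uri)))
```

With the encoded output the parser sees only the page's own html and body elements; the reflected value arrives as text.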
Parameter Tampering
• A web parameter tampering attack involves manipulation of
parameters exchanged between client and server in order to
modify application data such as user credentials and permissions,
price, and quantity of products.
Directory Traversal
• Directory traversal allows attackers to access restricted directories
including application source code, configuration, and critical
system files and execute commands outside the webserver's root
directory
• Accessing files located outside the web publishing directory using
directory traversal
• Attackers can manipulate variables that reference files with “dot-dot-slash (../)” sequences and its variations
• http://www.example.com/process.jsp=../../../../some dir/some file
• http://www.example.com/../../../../some dir/some file
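One way to keep file lookups inside the web publishing directory, as an added example that is not part of the original slides. The function names, the temporary directory layout and the sample requests are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(web_root, requested):
    """Return the canonical path for a request, or None if it leaves web_root."""
    decoded = unquote(requested)       # decode %2e / %2f once, as the server would
    if "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    # realpath collapses ../ sequences and follows symlinks before the check,
    # so the comparison is made on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                 # e.g. paths on different drives
        inside = False
    return candidate if inside else None


def read_under_root(web_root, requested):
    """Serve a file only when its canonical path is inside web_root."""
    path = resolve_under_root(web_root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as handle:
        return handle.read()


def demo():
    """Build a constructed web root with one public file and one file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "index.html"), "w", encoding="utf-8") as f:
            f.write("public page")
        with open(os.path.join(tmp, "app.conf"), "w", encoding="utf-8") as f:
            f.write("db_password=constructed")
        requests = [
            "docs/index.html",            # normal request
            "docs/../docs/index.html",    # contains ../ but stays inside the root
            "../app.conf",                # leaves the root
            "docs/../../app.conf",        # leaves the root from a subdirectory
            "..%2Fapp.conf",              # encoded slash variation
            "%2e%2e/app.conf",            # encoded dot variation
        ]
        return {r: read_under_root(root, r) for r in requests}


if __name__ == "__main__":
    for request, body in demo().items():
        print(f"{request!r:30} -> {body!r}")
```

The check is made on the resolved path rather than on the presence of "../" in the request, so the encoded variations are handled by the same comparison.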
Cross-site Request Forgery (CSRF) Attack
• Cross-site request forgery (CSRF) attacks exploit web page
vulnerabilities that allow an attacker to force an unsuspecting
user's browser to send malicious requests, which they did not
intend to send
• The user, who is the victim, holds an active session with a trusted
site and simultaneously visits a malicious site, which injects an
HTTP request for the trusted site into the victim user’s session,
compromising its integrity
Mechanism
Actors: User, Attacker, Trusted Server, Malicious Server
1. User logs into trusted server using his/her credentials
2. Server sets a session cookie in the user’s browser
3. Attacker sends a phishing mail tricking user to send a request to a malicious site
4. User requests a page from the malicious server
5. Response page contains malicious code
6. Malicious code is executed in the trusted server
Denial-of-Service (DoS) Attack
• User Registration DoS
• The attacker could create a program that submits the registration forms
repeatedly; adding a large number of spurious users to the application
• User Enumeration
• If the application states which part of the username/password pair is incorrect,
an attacker can automate the process of trying common usernames from a
dictionary file to enumerate the users of the application
• Login Attack
• The attacker may overload the login process by continually sending login
requests that require the presentation tier to access the authentication
mechanism, rendering it unavailable or unreasonably slow to respond
• Account Lock Out Attacks
• The attacker may enumerate usernames through another vulnerability in the
application and then attempt to authenticate to the site using valid usernames and
incorrect passwords, which will lock out the accounts after a specified number of
failed attempts. At this point legitimate users will not be able to use the site
Session Attacks
• Cookie Poisoning
• Cookies are used to maintain session state in the otherwise stateless HTTP
protocol. Cookie poisoning attacks involve modification of the contents of a
cookie (personal information stored in a web user's computer) in order to bypass
security mechanisms
• Poisoning allows an attacker to inject malicious content, modify the user's online
experience, and obtain unauthorized information
• A proxy can be used for rewriting the session data, displaying the cookie data,
and/or specifying a new user ID or other session identifiers in the cookie
• Session Fixation
• In a session fixation attack, the attacker tricks the user into accessing a genuine
webserver using an explicit session ID value
• Attacker assumes the identity of the victim and exploits his credentials at the
server
Cookie Poisoning Mechanism
Actors: User, Attacker, Web Server
• User browses a web page
• Webserver replies with requested page and sets a cookie on the user’s browser
Request with the original cookie:
GET /store/buy.jsp?checkout=yes HTTP/1.0
Host: www.example.com
Accept: */*
Referer: http://www.example.com/showprods.jsp
Cookie: JSESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568
• Attacker steals cookie (Sniffing, XSS, phishing attack)
• Attacker orders for product using modified cookie
Request with the modified cookie:
GET /store/buy.jsp?checkout=yes HTTP/1.0
Host: www.example.com
Accept: */*
Referer: http://www.example.com/showprods.jsp
Cookie: JSESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100;
• Product is delivered to attacker’s address
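Two server-side controls against the modified cookie shown above, as an added example that is not part of the original slides: an integrity tag over the cookie fields, and a total computed from the server's own price list instead of the client's TotalPrice. The key, the price list and the function names are constructed for illustration; the cookie fields are the ones from the slide.

```python
import hashlib
import hmac

# Constructed for the example: a server-side key and price list (item ID -> price).
SERVER_KEY = b"constructed-demo-key"
CATALOGUE = {"1258": 3000, "2658": 4068, "6652": 4500}

# Basket fields as they appear in the slide's Cookie header.
BASKET = {"JSESSIONID": "325896ASDD23SA3587", "BasketSize": "3",
          "Item1": "1258", "Item2": "2658", "Item3": "6652",
          "TotalPrice": "11568"}


def parse_cookie(header):
    """Split a Cookie header value into a dict of name -> value."""
    fields = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            fields[name] = value
    return fields


def _tag(fields):
    """HMAC-SHA256 over every field except the tag itself, in sorted order."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "Sig")
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_cookie(fields):
    """Serialize the basket as the server would set it, with an integrity tag."""
    signed = dict(fields, Sig=_tag(fields))
    return "; ".join(f"{k}={v}" for k, v in signed.items())


def server_total(fields):
    """Price the basket from the server's catalogue; TotalPrice is never read."""
    count = int(fields["BasketSize"])
    return sum(CATALOGUE[fields[f"Item{i}"]] for i in range(1, count + 1))


def checkout(cookie_header):
    """Reject a modified cookie; otherwise charge the server-computed total."""
    fields = parse_cookie(cookie_header)
    supplied = fields.get("Sig", "")
    # Constant-time comparison of the supplied tag with the recomputed one.
    if not hmac.compare_digest(supplied.encode(), _tag(fields).encode()):
        return ("rejected", None)
    return ("ok", server_total(fields))


if __name__ == "__main__":
    cookie = issue_cookie(BASKET)
    tampered = cookie.replace("TotalPrice=11568", "TotalPrice=100")
    print("original :", checkout(cookie))
    print("tampered :", checkout(tampered))
    print("server-side total for tampered fields:",
          server_total(parse_cookie(tampered)))
```

Because the tag covers JSESSIONID as well, a signed basket cannot be moved to another session, and the recomputed total means a price in the cookie is never the amount charged.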
Session Fixation Mechanism
Actors: User, Attacker, Server
1. Attacker logs on to the bank website using his credentials
2. Webserver sets a session ID on the attacker’s machine
3. Attacker sends an email containing a link with a fixed session ID
4. User clicks on the link and is redirected to the bank website
5. User logs into the server using his credentials and fixed session ID
6. Attacker logs into the server using the victim’s credentials with the same session ID
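The six steps above replayed against a minimal in-memory session store, as an added example that is not part of the original slides. It contrasts a server that keeps the session ID across login with one that issues a fresh ID at login; the SessionStore class and its method names are hypothetical.

```python
import secrets


class SessionStore:
    """Toy server-side session table: session ID -> session data."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}

    def new_session(self):
        """Issue an unpredictable, server-generated session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Authenticate `user` and return the session ID to use from now on."""
        sid = presented_sid
        if sid not in self.sessions:
            # Never adopt an ID the server did not issue itself.
            sid = self.new_session()
        if self.regenerate_on_login:
            # Hardened: discard the pre-login ID and bind the login to a new one.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        """Return the user bound to a session ID, or None if it is not valid."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def run_scenario(store):
    """Replay the slide's steps; return (user seen via fixed ID, user seen via victim's ID)."""
    # Steps 1-2: the attacker logs in and holds a server-issued session ID.
    fixed_sid = store.login(store.new_session(), "attacker")
    # Steps 3-5: the victim follows the link and logs in while presenting that ID.
    victim_sid = store.login(fixed_sid, "victim")
    # Step 6: what the ID known to the attacker resolves to afterwards.
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    print("ID kept across login   :", run_scenario(SessionStore(False)))
    print("ID regenerated at login:", run_scenario(SessionStore(True)))
```

When the ID is regenerated at login, the ID from the emailed link no longer maps to any session, while the victim's own session works normally.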
Why Applications Become Vulnerable?
Reasons
• Software development curricula often do not
address security issues
• No proper guidance provided to relevant stakeholders at different
phases of the project development
• Failure to gather application security requirements in the inception
phase
• Improper application of security principles in the design phase
• Insecure coding techniques give space to various vulnerabilities
• Lack of security testing in the testing phase
• Security negligence in the deployment phase
Common Flaws due to Insecure Coding Techniques
• Improper Input Validation
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Improper Error Handling
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
• Insecure Direct Object References
• Failure to Restrict URL Access
Standards, Model and Framework
The Open Web Application Security Project (OWASP)
• The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
• Focus:
• Tools and Resources
• Community and Networking
• Education & Training
Top 10 Web Application Security Risks
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entity (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Component With Known Vulnerability
A10: Insufficient Logging and Monitoring
A1: Injection
• Injection flaws are web application vulnerabilities that allow
untrusted data to be interpreted and executed as part of a
command or query
• Attackers exploit injection flaws by constructing malicious
commands or queries that result in data loss or corruption, lack of
accountability, or denial of access
• Type of injection:
• SQL Injection
• Command Injection
• LDAP Injection
A2: Broken Authentication
• Attackers can exploit vulnerabilities in authentication or session
management functions such as exposed accounts, session IDs,
logout, password management, timeouts, remember me, secret
question, and account update to impersonate users
• Forms of broken authentication attacks:
• Session ID in URLs --> Attackers sniff the network traffic or trick users to
get session IDs and then reuse those session IDs for malicious purposes
• Password Exploitation --> Attackers can gain access to a web
application's password database. If user passwords are not encrypted, an
attacker can exploit any user’s password
• Timeout Exploitation --> If an application’s timeouts are not set properly
and a user closes their browser without logging out from sites accessed
through a public computer, an attacker can use the same browser later and
exploit that user's privileges
A3: Sensitive Data Exposure
• Many web applications do not properly protect their sensitive data
from unauthorized users
• Sensitive data exposure occurs due to flaws like insecure
cryptographic storage and information leakage
• When an application uses poorly written encryption code to
securely encrypt and store sensitive data in the database, an
attacker can exploit this flaw and steal or modify weakly protected
sensitive data such as credit card numbers, SSNs, and other
authentication credentials
A4: XML External Entity (XXE)
• XML External Entity attack is a server side request forgery (SSRF)
attack that can occur when a misconfigured XML parser allows
applications to parse XML input from an unreliable source
• Attackers can refer a victim’s web application to an external entity
by including the reference in the malicious XML input
• When this malicious input is processed by the weakly configured
XML parser of a target web application, it enables the attacker to
access protected files and services from servers or connected
networks
A5: Broken Access Control
• Access control refers to how a web application grants access to its
content and functions for some privileged users and restricts
others
• Broken access control is a method in which an attacker identifies a
flaw related to access control and bypasses the authentication,
which allows them to compromise the network
• It allows an attacker to act as users or administrators with
privileged functions and create, access, update or delete every
record
A6: Security Misconfiguration
• By exploiting misconfiguration vulnerabilities like unvalidated inputs,
parameter/form tampering, improper error handling, insufficient
transport layer protection, etc., attackers gain unauthorized access to
default accounts, can read unused pages, can read/write unprotected
files and directories, etc.
• Security misconfiguration can occur at any level of an application stack,
including the platform, web server, application server, framework, and
custom code.
• Types:
• Unvalidated Inputs
• Parameter/Form Tampering
• Improper Error Handling
• Insufficient Transport Layer Protection
A7: Cross-Site Scripting (XSS)
• Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in
dynamically generated web pages, enabling malicious attackers to
inject client side scripts into web pages viewed by other users
• It occurs when unvalidated input data is included in dynamic
content that is sent to a user's web browser for rendering
• Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or
Flash for execution on a victim's system by hiding it within
legitimate requests
• Some XSS attack exploits include malicious script execution,
redirecting to a malicious server, exploiting user privileges, ads in
hidden IFRAMES and pop ups, data manipulation, etc.
A8: Insecure Deserialization
• Data serialization and deserialization is an effective process of
linearizing and de-linearizing data objects for transmission to other
networks or systems
• Attackers inject malicious code into serialized data and forward the
malicious serialized data to the victim
• Insecure deserialization deserializes the malicious serialized content
along with the injected malicious code, compromising the system
or network
A9: Using Component With Known Vulnerability
• Most web applications that use components such as libraries and
frameworks always execute them with full privileges, and flaws in
any component can result in serious impact
• Attackers can identify weak components or dependencies by
scanning or by performing manual analysis
• Attackers search for any vulnerabilities on exploit sites such as
Exploit Database (https://www.exploit-db.com/), and SecurityFocus
(https://www.securityfocus.com)
• If a vulnerable component is identified, the attacker customizes the
exploit as required and executes the attack
• Successful exploitation allows the attacker to cause serious data
loss or take full control of the servers
A10: Insufficient Logging and Monitoring
• Web applications maintain logs to track usage patterns, such as
user login credentials and admin login credentials
• Insufficient logging and monitoring refer to the scenario where the
detection software either does not record the malicious event or
ignores important details about the event
• Attackers usually inject, delete, or tamper with the web application logs
to engage in malicious activities or hide their identities
• Insufficient logging and monitoring vulnerability increases the
difficulty of detecting attempts of malicious attacks and allows
attackers to perform malicious attacks like password brute forcing
to steal confidential passwords
OWASP Mobile Top 10
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
M1: Improper Platform Usage
• This category covers misuse of a platform feature or failure to use
platform security controls. It might include Android intents,
platform permissions, misuse of TouchID, the Keychain, or some
other security control that is part of the mobile operating system.
• Exploitability is EASY. The attack vectors correspond to the same attack
vectors available through the traditional OWASP Top Ten. Any exposed API
call can serve as attack vector here.
M2: Insecure Data Storage
• Threat agents include an adversary that has attained a lost/stolen mobile device, and malware or
another repackaged app acting on the adversary’s behalf that executes
on the mobile device.
• Exploitability is EASY. In the event that an adversary physically attains
the mobile device, the adversary hooks up the mobile device to a
computer with freely available software. These tools allow the adversary
to see all third-party application directories that often contain stored
personally identifiable information (PII) or other sensitive information
assets. An adversary may construct malware or modify a legitimate app
to steal such information assets.
M3: Insecure Communication
• When designing a mobile application, data is commonly exchanged in a
client-server fashion. When the solution transmits its data, it must
traverse the mobile device’s carrier network and the internet. Threat
agents might exploit vulnerabilities to intercept sensitive data while it’s
traveling across the wire. The following threat agents exist:
• An adversary that shares your local network (compromised or monitored Wi-Fi),
• Carrier or network devices (routers, cell towers, proxies, etc.), or
• Malware on your mobile device.
• Exploitability is EASY. The exploitability factor of monitoring a network
for insecure communications ranges. Monitoring traffic over a carrier’s
network is harder than that of monitoring a local coffee shop’s traffic. In
general, targeted attacks are easier to perform.
M4: Insecure Authentication
• Threat agents that exploit authentication vulnerabilities typically do
so through automated attacks that use available or custom-built
tools.
• Exploitability is EASY. Once the adversary understands how the
authentication scheme is vulnerable, they fake or bypass
authentication by submitting service requests to the mobile app’s
backend server and bypass any direct interaction with the mobile
app. This submission process is typically done via mobile malware
within the device or botnets owned by the attacker.
M5: Insufficient Cryptography
• Threat agents include the following: anyone with physical access to
data that has been encrypted improperly, or mobile malware acting
on an adversary’s behalf.
• Exploitability is EASY. The attack vectors correspond to the same
attack vectors available through the traditional OWASP Top Ten.
Any exposed API call can serve as attack vector here.
M6: Insecure Authorization
• Threat agents that exploit authorization vulnerabilities typically do
so through automated attacks that use available or custom-built
tools.
• Exploitability is EASY. Once the adversary understands how the
authorization scheme is vulnerable, they log in to the application as
a legitimate user. They successfully pass the authentication control.
Once past authentication, they typically force-browse to a
vulnerable endpoint to execute administrative functionality. This
submission process is typically done via mobile malware within the
device or botnets owned by the attacker.
M7: Poor Code Quality
• Threat Agents include entities that can pass untrusted inputs to
method calls made within mobile code. These types of issues are
not necessarily security issues in and of themselves but lead to
security vulnerabilities. For example, buffer overflows within older
versions of Safari (a poor code quality vulnerability) led to high risk
drive-by Jailbreak attacks. Poor code-quality issues are typically
exploited via malware or phishing scams.
• Exploitability is DIFFICULT. An attacker will typically exploit
vulnerabilities in this category by supplying carefully crafted inputs
to the victim. These inputs are passed onto code that resides within
the mobile device where exploitation takes place. Typical types of
attacks will exploit memory leaks and buffer overflows.
M8: Code Tampering
• Typically, an attacker will exploit code modification via malicious
forms of the apps hosted in third-party app stores. The attacker
may also trick the user into installing the app via phishing attacks.
• Exploitability is EASY. Typically, an attacker will do the following
things to exploit this category:
• Make direct binary changes to the application package’s core binary
• Make direct binary changes to the resources within the application’s
package
• Redirect or replace system APIs to intercept and execute foreign code that
is malicious
M9: Reverse Engineering
• An attacker will typically download the targeted app from an app
store and analyze it within their own local environment using a
suite of different tools.
• Exploitability is EASY. An attacker must perform an analysis of the
final core binary to determine its original string table, source code,
libraries, algorithms, and resources embedded within the app.
Attackers will use relatively affordable and well-understood tools
like IDA Pro, Hopper, otool, strings, and other binary inspection
tools from within the attacker’s environment.
M10: Extraneous Functionality
• Typically, an attacker seeks to understand extraneous functionality
within a mobile app in order to discover hidden functionality in
backend systems. The attacker will typically exploit extraneous
functionality directly from their own systems without any
involvement by end-users.
• Exploitability is EASY. An attacker will download and examine the
mobile app within their own local environment. They will examine
log files, configuration files, and perhaps the binary itself to
discover any hidden switches or test code that was left behind by
the developers. They will exploit these switches and hidden
functionality in the backend system to perform an attack.
Threat Modeling
Threat Modeling
• Threat modeling is a process of identifying, analyzing, and
mitigating the threats to the application
• It is a structured approach that allows the developer to rate the
threats based on the architecture and implementation of the
application
• It is performed at the design phase of the secure development
lifecycle
• It is an iterative process that starts from the design phase of the
application and iterates throughout the application lifecycle until
all possible threats to the applications are identified
• The output of threat modeling is a threat model exposing all the
possible threats and vulnerabilities on an application
Threat Modeling Process
The steps involved in the Threat Modeling process are as follows:
1. Identify Security Objectives
2. Application Overview
3. Decompose Application
4. Identify Threats
5. Identify Vulnerabilities
Identify Security Objectives
• To proceed with creating threat model for an application, the
security objectives of the application should be identified clearly
• These security objectives are goals and constraints that need to be
attained to maintain confidentiality, integrity, and availability of
the application and its data
• Security objectives are a subset of the application’s functional
objectives
• With security objectives clearly identified,
• You can identify the areas which need closer attention and where to
focus your efforts
• You can understand goals of potential attackers
Application Overview
• The aim of creating application overview is to understand what the
application does
• Creating an application overview involves:
• Understanding the application functionality
• Understanding the purpose and the key features of the application
• Identifying application users or clients
• Activities:
• Draw the end-to-end deployment architecture
• Identify various user roles
• Identify use case scenarios
• Identify technologies
• Identify application security mechanisms
Decompose Application
• Decompose the application to the level where it is possible to
identify external entities, trust boundaries, data flow, entry points,
and privileged code in the application and recognize the areas of
vulnerabilities among them
• It helps to conduct attack surface analysis
• Activities:
• Prepare and Document Threat Model Information
• Enumerate External Dependencies
• Enumerate Entry Points
• Enumerate Assets
• Enumerate Trust levels
• Data Flow Diagrams
Identify Threats
• To identify threats, they need to be broadly categorized into
different possible categories
• This threat categorization provides a structured way to systematically
identify different threats on the application
• The threat identification process uses the STRIDE model to categorize
threats and examine each aspect of the security profile of the
application
The STRIDE Model
• The STRIDE model categorizes the application threats based on the
goals and purpose of the attack, which helps the developer to develop
a security strategy
• It also includes the countermeasures for all threat categories
Threat | Desired property | Description
Spoofing | Authenticity | Unauthorized access to a system by using a false identity
Tampering | Integrity | Code and data modification without authorization
Repudiation | Non-repudiability | Ability of users to claim that they do not perform some actions against the application
Information disclosure | Confidentiality | Unwanted exposure of private data to unauthorized users
Denial of Service | Availability | Ability to make a system or application unavailable to the legitimate users
Elevation of Privilege | Authorization | Ability of user with limited privileges to elevate their privileges with an application without authorization
Rating the Threats: DREAD Model
• DREAD stands for damage potential, reproducibility, exploitability,
affected users, and discoverability
• The DREAD model is used to rate the various security threats on the
application by calculating the risk of each threat
• Severity levels are assigned to the various threats on the
application so as to mitigate these threats as per their severity
DREAD Model
Rating | High (3) | Medium (2) | Low (1)
D Damage Potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content | Leaking sensitive information | Leaking trivial information
R Reproducibility | The attack can be reproduced every time and does not require a timing window | The attack can be reproduced, but only with a timing window and a particular race situation | The attack is very difficult to reproduce even with knowledge of the security hole
E Exploitability | A novice programmer could make the attack in a short time | A skilled programmer could make the attack then repeat the steps | The attacker requires an extremely skilled person and in-depth knowledge every time to exploit
A Affected Users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users
D Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable | The vulnerability is in a seldom-used part of the product and only a few users should come across it. It would take some thinking to see malicious use | The bug is obscure and it is unlikely that users will work out damage potential
Identify Vulnerabilities
• Move to the next chapter...
Vulnerability Identification in Practice
Vulnerability Research
• The process of analyzing protocols, services, and configurations to
discover vulnerabilities and design flaws that will expose an
operating system and its applications to exploit, attack, or misuse
• Vulnerabilities are classified based on severity level (low, medium,
or high) and exploit range (local or remote)
• An administrator needs vulnerability research:
• To gather information concerning security trends, threats, attack
surfaces, attack vectors and techniques
• To discover weaknesses in the OS and applications, and alert the
network administrator before a network attack
• To gather information to aid in the prevention of security issues
• To know how to recover from a network attack
Vulnerability Assessment
• Vulnerability assessment is an in-depth examination of the ability of a
system or application, including current security procedures and
controls, to withstand exploitation. It recognizes, measures, and
classifies security vulnerabilities in a computer system, network, and
communication channels
• A vulnerability assessment may be used to:
• Identify weaknesses that could be exploited
• Predict the effectiveness of additional security measures in protecting
information resources from attacks
• Information obtained from the vulnerability scanner includes:
• Network vulnerabilities
• Open ports and running services
• Application and services vulnerabilities
• Application and services configuration errors
Practical
• Requirements:
• VirtualBox with Extension Pack is installed
• Kali Linux virtual image (https://images.kali.org/virtual-images/kali-linux-2021.1-vbox-amd64.ova)
• Seattle v0.3 VM (https://download.vulnhub.com/seattle/Seattle-0.0.3.7z)
• Please install the Extension Pack before you start using VirtualBox.
Download the latest VirtualBox and VirtualBox Extension Pack (for
all supported platforms) using the following link
(https://www.virtualbox.org/wiki/Downloads)
• Please add the two VMs to your VirtualBox
Networking
• Ensure your VMs are connected using the NAT network configuration
Practical Objective
• Perform vulnerability scanning on the application
• Launch SQL Injection attack
• Launch Cross-Site Scripting Attack
Start Your VM
• Start your Kali Linux machine
• Username: kali
• Password: kali
• Start your Seattle v0.3 machine
• Username: root
• Password: PASSWORD
• Check the network connection of the Seattle machine and find its IP
address
Step 1
• Check the web page
Step 2
• Scan the machine using nmap for machine security posture
• #sudo nmap -sS -A 10.0.2.7
Step 3
• Scan the machine using nikto for common vulnerability on the web
page
• #nikto -host 10.0.2.7
Step 4
• Scan the machine using dirb for directory list of the web page
• #dirb http://10.0.2.7
Step 5
• Scan for other vulnerabilities with other tools
• Burp Suite
• Acunetix
• Manual reconnaissance
• etc.
Summary
• Publicly accessible applications need to be secure to
prevent attacks
• There are some common attacks which are launched against publicly
accessible applications
• OWASP is a standard that can be used for evaluating the
application security
SECURE CODING FOR STARTUP DIGITAL
Secure Coding In Practice
Module 2
Outline
• Authentication and Authorization
• Authentication and Authorization Problems
• Defensive Coding Practices
Authentication
It means to verify or prove a user’s identity
• The term “user” may refer to:
• Person
• Application or process
• Machine or device
• To prove identity, a user must present either of the following:
• What you know (password, passphrase, PIN)
• What you have (token, smart cards, passcodes, RFID)
• Who you are (biometrics such as fingerprints and iris scan, signature or
voice)
• Location or IP
• We can also use Picture
Authentication: using Picture
• Recall-based
• Recognition-based
Authorization
• Defines the user’s rights and permissions on a system
• Typically done after the user has been authenticated
• Grants a user access to a resource and defines what actions they are
permitted to perform on that resource
• Access criteria based on the level of trust:
• Roles
• Groups
• Location
• Time
• Transaction type
Authentication VS Authorization
[Diagram: Client, Authentication Mechanism, Authorization Mechanism, Service]
To limit user and usage
Problems and Causes
• Obvious Username/password (credentials) during input
• Un-encrypted credentials or using obsolete encryption or default
• Weak credentials
• Open/Public index or .git page
• Bypass Authentication - IDOR (Insecure Direct Object Reference)
• Account takeover
• Smart Account Recovery
• Weak Input Validation
• SQL Injection
• URL Enumeration
• Data Breach
• Sniffing
• Spoofing
• Phishing
• Malware/Spyware/Keylogger
• Fail Two Factor Authentication
Authentication and Authorization: Prevent
• Strict Access Control
• Deny Access by Default
• Role-based Access Control (RBAC)
• Permission-based Access Control (PBAC)
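An added example, not part of the original slides, of deny-by-default access control that combines a role check (RBAC) with a per-object ownership check, which is what closes the IDOR problem listed earlier. The roles, permission names and invoice records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission table (assumption, not from the slides).
# A role that is not listed here grants nothing.
ROLE_PERMISSIONS = {
    "customer": {"invoice:read_own"},
    "support": {"invoice:read_own", "invoice:read_any"},
    "admin": {"invoice:read_any", "invoice:delete"},
}


@dataclass(frozen=True)
class User:
    user_id: int
    roles: tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int


# Constructed sample records.
INVOICES = {
    1001: Invoice(1001, owner_id=1),
    1002: Invoice(1002, owner_id=2),
}


def permissions_for(user):
    """Union of the permissions of every role the user holds."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown role: nothing
    return granted


def can_read_invoice(user, invoice):
    """Allow only on an explicit grant; every other path ends in a deny."""
    perms = permissions_for(user)
    if "invoice:read_any" in perms:
        return True
    # The ownership check is what stops /invoice/1002 from working for the
    # owner of invoice 1001 (the IDOR case).
    if "invoice:read_own" in perms and invoice.owner_id == user.user_id:
        return True
    return False  # deny by default


def get_invoice(user, invoice_id):
    """Fetch an invoice after authorization on the server side."""
    invoice = INVOICES.get(invoice_id)
    # Missing and forbidden objects give the same answer, so the response
    # does not reveal which invoice IDs exist.
    if invoice is None or not can_read_invoice(user, invoice):
        raise PermissionError("not found or not permitted")
    return invoice


def try_read(user, invoice_id):
    """Return True if the read is allowed, False if it is denied."""
    try:
        get_invoice(user, invoice_id)
        return True
    except PermissionError:
        return False
```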
Authentication and Authorization: Prevent
• Single Sign On
It improves security as there are fewer user credentials at risk, but there is a definite need for multi-factor authentication (MFA)
• Complex Encryption
• Use Salt
• Use Passphrase
• Keep away sensitive data
• Multi Factor Authentication
• Use Captcha or Token for single Session
• Avoid Public Wi-Fi
• Use Latest SSL or HTTPS
• Frequent Back-up
• Server-side Input validation
• Server-side Input sanitization
• Server-side Input parameter casting
• Server-side Input limitation
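An added example, not part of the original slides, that applies the four server-side input controls listed above (validation, sanitization, parameter casting, limitation) and then binds the value into a parameterized query. The field names, limits and the in-memory table are constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed limits and patterns (assumptions, not from the slides).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
PAGE_RE = re.compile(r"[0-9]{1,4}")
MAX_PAGE = 1000
MAX_COMMENT_LEN = 200


class InvalidInput(ValueError):
    """Raised when a request parameter fails a server-side check."""


def parse_request(params):
    """Validate, cast and limit raw string parameters from a request."""
    username = params.get("username", "")
    # Validation: allowlist of characters and length, checked on the server.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise InvalidInput("username")

    raw_page = params.get("page", "1")
    if not isinstance(raw_page, str) or not PAGE_RE.fullmatch(raw_page):
        raise InvalidInput("page")
    page = int(raw_page)  # Casting: the rest of the code only sees an int.
    if not 1 <= page <= MAX_PAGE:  # Limitation: bounded range.
        raise InvalidInput("page")

    comment = params.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise InvalidInput("comment")  # Limitation: bounded size.

    return {"username": username, "page": page, "comment": comment}


def is_rejected(params):
    """Return True if parse_request refuses the parameters."""
    try:
        parse_request(params)
        return False
    except InvalidInput:
        return True


def render_comment(comment):
    """Sanitization at output: HTML-escape before placing text in a page."""
    return html.escape(comment, quote=True)


def build_demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)]
    )
    return conn


def find_user_id(conn, username):
    """Parameterized query: the value is bound, never concatenated."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None
```

Validation and the bound parameter are independent layers: the query stays safe even when a value reaches it without passing through `parse_request`.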
Authentication and Authorization: Prevent
• Manage the session
• Short and Long
• Track the session
• Cookies and Httpsession
• General Error Message
• Urgent User Notification
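An added example, not part of the original slides, that ties "Use Salt" to "General Error Message": passwords are stored as a per-user salted PBKDF2-HMAC-SHA256 digest, and a failed login returns one message whether the username or the password was wrong. The slides name no algorithm, so PBKDF2, the iteration count and the `UserStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is used per password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


class UserStore:
    """Hypothetical in-memory credential store for the example."""

    def __init__(self):
        self._records = {}
        # Dummy record so unknown usernames cost the same work as known
        # ones; otherwise response time would reveal which accounts exist.
        self._dummy = hash_password(secrets.token_urlsafe(16))

    def register(self, username, password):
        """Store only the salt and the derived digest, never the password."""
        self._records[username] = hash_password(password)

    def stored_record(self, username):
        """Expose the stored (salt, digest) pair for inspection."""
        return self._records[username]

    def login(self, username, password):
        """Return (True, "OK") or (False, GENERIC_ERROR)."""
        salt, expected = self._records.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the digests.
        matches = hmac.compare_digest(candidate, expected)
        if matches and username in self._records:
            return True, "OK"
        # Same message for "no such user" and "wrong password", so the
        # reply cannot be used to enumerate usernames.
        return False, GENERIC_ERROR
```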
Summary
Secure coding is the practice of developing computer software in a
way that guards against the accidental introduction of security
vulnerabilities.
Defects, bugs and logic flaws are consistently the primary cause of
commonly exploited software vulnerabilities.
Through the analysis of thousands of reported vulnerabilities,
security professionals have discovered that most vulnerabilities stem
from a relatively small number of common software programming
errors.
By identifying the insecure coding practices that lead
to these errors and educating developers on secure
alternatives, organizations can take proactive steps to
help significantly reduce or eliminate vulnerabilities in
software before deployment.
Thank You

Secure Coding BSSN Semarang Material.pdf

  • 2. Outline • Security and Application security • Common Application Security Attack • Software Security Standards, Models, and Framework • Threat Modeling • Vulnerability Assessment on Application
  • 4. Why security? • Fundamental aspects of information must be protected • Confidential data • Employee information • Business models • Protect identity and resources • The internet was initially designed for connectivity • Trust assumed • We do more with the Internet nowadays • Security protocols are added on top of the TCP/IP • We can’t keep ourselves isolated from the Internet • Most business communications are done online • We provide online service(s) • We get services from 3rd-party organizations online
  • 5. Confidentiality Integrity Availability Security Goal of Information Security Prevents unauthorized use or disclosure of information Authorized users have reliableand timely access to Information Safeguards the accuracy and completenessof information
  • 6. Essential Services Ability to permit or deny the use of an object by a subject It’s provide 3 (three) essential services: • Authentication (who can login) • Authorization (what authorized users can do) • Accountability (identifies what a user did)
  • 7. Example of Security Breaches • haveibeenpwned.com tracks account that have been compromised and released into the public.
  • 8. Example of Security Breaches • zone-h.org tracks and archives website defacements.
  • 9. Secure Application • An application is said to be secure when it ensures confidentiality, integrity and availability of its restricted resources • Restricted resource is any object, data, feature, or function of an application designed to be accessed by only authorized user User The user supplies his/her identity and secret The user is authenticated by checking the veracity of the secret The user is authorized to use one or more protected resource The set of resources that the user is authorized to use defines the level of trust granted to the user
  • 10. Need for Application Security • Attackers exploit vulnerabilities in the applications to launch various attacks and gain unauthorized access to resources • A successful attack may impact into: • Financial Loss • Affects Business Continuity • Closure of Business • Disclosure of Business Information • Damages Reputation • Fraudulent Transactions
  • 12. SQL Injection Attack • SQL injection attacks use a series of malicious SQL queries to directly manipulate the database in a vulnerable web application • The goal are to bypass normal security measures and obtain direct access to valuable data • SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches • This attack is possible only when the application executes dynamic SQL statements and stores procedures with arguments based on the user input
  • 13. Cross-site Scripting (XSS) Attacks • Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users • It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering • Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests
  • 14. Impact • Malicious script execution • Redirecting to a malicious server • Exploiting user privileges • Ads in hidden IFRAMES and pop-ups • Data manipulation • Session hijacking • Brute force password cracking • Data theft • Intranet probing • Keylogging and remote monitoring
  • 15. Mechanism <html> <body> <? php print "Not found: " . urldecode($_SERVER[“ REQUEST_URI"]); ?> </body> </html> Server Code http://certifiedhacker.com /jason_file.html http://certifiedhacker.com/<script> alert(“WARNING: The applicationhas encounteredan error");</script> Server response Server response WARNING: The application has encountered an error 404 Not Found Warning Normal Request XSS Attack
  • 16. Parameter Tampering • A web parameter tampering attack involves manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price, and quantity of products.
  • 17. Directory Traversal • Directory traversal allows attackers to access restricted directories including application source code, configuration, and critical system files and execute commands outside the webserver's root directory • Accessing files located outside the web publishing directory using directory traversal • Attackers can manipulate variables that reference files with “dot- dot-slash (../)” sequences and its variations • http://www.example.com/process.jsp=../../../../some dir/some file • http://www.example.com/../../../../some dir/some file
  • 18. Cross-site Request Forgery (CSRF) Attack • Cross-site request forgery (CSRF) attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests, which they did not intend to send • The user, who is the victim holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user’s session, compromising its integrity
  • 19. Mechanism 1. User logs into trusted server using his/her credentials 2. Server sets a session cookiein the user’s browser 6. Malicious code is executed in the trusted server 3. Attacker sends a phishing mail tricking user to send a requestto a malicious site 4. User requests a page fromthe malicious server 5. Responsepage contains malicious code Trusted Server Malicious Server Attacker User
  • 20. Denial-of-Service (DoS) Attack • User Registration DoS • The attacker could create a program that submits the registration forms repeatedly; adding a large number of spurious users to the application • User Enumeration • If application states, which are a part of the username/password pair is incorrect, an attacker can automate the process of trying common usernames from a dictionary file to enumerate the users of the application • Login Attack • The attacker may overload the login process by continually sending login requests that require the presentation tier to access the authentication mechanism, rendering it unavailable or unreasonably slow to respond • Account Lock Out Attacks • The attacker may enumerate usernames through another vulnerability in the application and then attempt to authenticate the site using valid usernames and incorrect passwords which will lock out the accounts after a specified number of failed attempts. At this point legitimate users will not be able to use the site
  • 21. Session Attacks • Cookie Poisoning • Cookies are used to maintain session state in the otherwise stateless HTTP protocol Cookie poisoning attacks involve modification of the contents of a cookie (personal information stored in a web user's computer) in order to bypass security mechanisms • Poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information • A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie • Session Fixation • In a session fixation attack, the attacker tricks the user to access a genuine webserver using an explicit session ID value • Attacker assumes the identity of the victim and exploits his credentials at the server Attacker
  • 22. Cookie Poisoning Mechanism Web Server Attacker User GET /store/buy.jsp?checkout=yes HTTP/1.0 Host: www.example.com Accept: */* Referrer: http://www.example.com/showprods.jsp Cookie: JSESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=11568 GET /store/buy.jsp?checkout=yes HTTP/1.0 Host: www.example.com Accept: */* Referrer: http://www.example.com/showprods.jsp Cookie: JSESSIONID=325896ASDD23SA3587; BasketSize=3; Item1=1258; Item2=2658; Item3=6652; TotalPrice=100; User browses a web page User Webserver replies with requested page and sets a cookie on the user’s browser Attacker steals cookie (Sniffing, XSS, phishing attack) Attacker orders for product using modified cookie Product is delivered to attacker’saddress Attacker
  • 23. Session Fixation Mechanism Server Attacker User 1. Attacker logs on to the bank website using his credentials 2. Webserver sets a session ID on the attacker’s machine 3. Attacker sends an email containing a link with a fix session ID 4. User clicks on the link and is redirected to the bank website 5. User logs into the server using his credentialsand fixed session ID 6. Attacker logs into the server using the victim’scredentialswith the same session ID
  • 25. Reasons • Most of the software development related curriculum often do not address security issues • No proper guidance provided to relevant stakeholders at different phases of the project development • Failure to gather application security requirements in the inception phase • Improper application of security principles in the design phase • Insecure coding techniques give space to various vulnerabilities • Lack of security testing in the testing phase • Security negligence in the deployment phase
  • 26. Common Flaws due to Insecure Coding Techniques • Improper Input Validation • Broken Authentication and Session Management • Insecure Cryptographic Storage • Improper Error Handling • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards • Insecure Direct Object References • Failure to Restrict URL Access
  • 28. • The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. • Focus: • Tools and Resources • Community and Networking • Education & Training The Open Web Application Security Project (OWASP)
  • 29. Top 10 Web Application Security Risks A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML Eksternal Entity (XXE) A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Stie Scripting (XSS) A8: Insecure Deserialization A9: Using Component With Known Vulnerability A10: Unsufficient Logging and Monitoring
  • 30. A1: Injection • Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query • Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access • Type of injection: • SQL Injection • Command Injection • LDAP Injection
  • 31. A2: Broken Authentication • Attackers can exploit vulnerabilities in authentication or session management functions such as exposed accounts, session IDs, logout, password management, timeouts, remember me, secret question, and account update to impersonate users • Broken authentication attacks forms: • Session ID in URLs --> Attackers sniff the network traffic or trick users to get session IDs and then reuse those session IDs for malicious purposes • Password Exploitation --> Attackers can gain access to a web application's password database. If user passwords are not encrypted, an attacker can exploit any user’s password • Timeout Exploitation --> If an application’s timeouts are not set properly and a user closes their browser without logging out from sites accessed through a public computer, an attacker can use the same browser later and exploit that user's privileges
  • 32. A3: Sensitive Data Exposure • Many web applications do not properly protect their sensitive data from unauthorized users • Sensitive data exposure occurs due to flaws like insecure cryptographic storage and information leakage • When an application uses poorly written encryption code to securely encrypt and store sensitive data in the database, an attacker can exploit this flaw and steal or modify weakly protected sensitive data such as credit cards numbers, SSNs, and other authentication credentials
  • 33. A4: XML Eksternal Entity (XXE) • XML External Entity attack is a server side request forgery (SSRF) attack that can occur when a misconfigured XML parser allows applications to parse XML input from an unreliable source • Attackers can a refer a victim’s web application to an external entity by including the reference in the malicious XML input • When this malicious input is processed by the weakly configured XML parser of a target web application, it enables the attacker to access protected files and services from servers or connected networks
  • 34. A5: Broken Access Control • Access control refers to how a web application grants access to its content and functions for some privileged users and restricts others • Broken access control is a method in which an attacker identifies a flaw related to access control and bypasses the authentication, which allows them to compromise the network • It allows an attacker to act as users or administrators with privileged functions and create, access, update or delete every record
  • 35. A6: Security Misconfiguration • By exploiting misconfiguration vulnerabilities like unvalidated inputs, parameter/form tampering, improper error handling, insufficient transport layer protection, etc., attackers gain unauthorized access to default accounts, can read unused pages, can read/write unprotected files and directories, etc. • Security misconfiguration can occur at any level of an application stack, including the platform, web server, application server, framework, and custom code. • Types: • Unvalidated Inputs • Parameter/Form Tampering • Improper Error Handling • Insufficient Transport Layer Protection
  • 36. A7: Cross-Stie Scripting (XSS) • Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, enabling malicious attackers to inject client side scripts into web pages viewed by other users • It occurs when unvalidated input data is included in dynamic content that is sent to a user's web browser for rendering • Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests • Some XSS attack exploits include malicious script execution, redirecting to a malicious server, exploiting user privileges, ads in hidden IFRAMES and pop ups, data manipulation, etc.
  • 37. A8: Insecure Deserialization • Data serialization and deserialization is an effective process of linearizing and de-linearizing data objects for transmission to other networks or systems • Attackers inject malicious code into serialized data and forward the malicious serialized data to the victim • Insecure deserialization deserializes the malicious serialized content along with the injected malicious code, compromising the system or network
  • 38. A9: Using Component With Known Vulnerability • Most web applications that use components such as libraries and frameworks always execute them with full privileges, and flaws in any component can result in serious impact • Attackers can identify weak components or dependencies by scanning or by performing manual analysis • Attackers search for any vulnerabilities on exploit sites such as Exploit Database (https://www.exploit-db.com/), and SecurityFocus (https://www.securityfocus.com) • If a vulnerable component is identified, the attacker customizes the exploit as required and execute the attack • Successful exploitation allows the attacker to cause serious data loss or take full control of the servers
  • 39. A10: Unsufficient Logging and Monitoring • Web applications maintain logs to track usage patterns, such as user login credentials and admin login credentials • Insufficient logging and monitoring refer to the scenario where the detection software either does not record the malicious event or ignores important details about the event • Attackers usually inject, delete, or tamper the web application logs to engage in malicious activities or hide their identities • Insufficient logging and monitoring vulnerability increases the difficulty of detecting attempts of malicious attacks and allows attackers to perform malicious attacks like password brute forcing to steal confidential passwords
  • 40. OWASP Mobile Top 10 M1: Improper Platform Usage M2: Insecure Data Storage M3: Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality
  • 41. M1: Improper Platform Usage • This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. • Exploitability is EASY correspond to the same attack vectors available through the traditional OWASP Top Ten. Any exposed API call can serve as attack vector here.
  • 42. M2: Insecure Data Storage • An adversary that has attained a lost/stolen mobile device, malware or another repackaged app acting on the adversary’s behalf that executes on the mobile device. • Exploitability is EASY In the event that an adversary physically attains the mobile device, the adversary hooks up the mobile device to a computer with freely available software. These tools allow the adversary to see all third-party application directories that often contain stored personally identifiable information (PII) or other sensitive information assets. An adversary may construct malware or modify a legitimate app to steal such information assets.
  • 43. M3: Insecure Communication • When designing a mobile application, data is commonly exchanged in a client-server fashion. When the solution transmits its data, it must traverse the mobile device’s carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it’s traveling across the wire. The following threat agents exist: • An adversary that shares your local network (compromised or monitored Wi-Fi), • Carrier or network devices (routers, cell towers, proxy’s, etc), or • Malware on your mobile device. • Exploitability is EASY. The exploitabilty factor of monitoring a network for insecure communications ranges. Monitoring traffic over a carrier’s network is harder than that of monitoring a local coffee shop’s traffic. In general, targeted attacks are easier to perform.
  • 44. M4: Insecure Authentication • Threat agents that exploit authentication vulnerabilities typically do so through automated attacks that use available or custom-built tools. • Exploitability is EASY. Once the adversary understands how the authentication scheme is vulnerable, they fake or bypass authentication by submitting service requests to the mobile app’s backend server and bypass any direct interaction with the mobile app. This submission process is typically done via mobile malware within the device or botnets owned by the attacker.
  • 45. M5: Insufficient Cryptography • Threat agents include the following: anyone with physical access to data that has been encrypted improperly, or mobile malware acting on an adversary’s behalf. • Exploitability is EASY. The attack vectors correspond to the same attack vectors available through the traditional OWASP Top Ten. Any exposed API call can serve as attack vector here.
  • 46. M6: Insecure Authorization • Threat agents that exploit authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools. • Exploitability is EASY. Once the adversary understands how the authorization scheme is vulnerable, they login to the application as a legitimate user. They successfully pass the authentication control. Once past authentication, they typically force-browse to a vulnerable endpoint to execute administrative functionality. This submission process is typically done via mobile malware within the device or botnets owned by the attacker.
  • 47. M7: Poor Code Quality • Threat Agents include entities that can pass untrusted inputs to method calls made within mobile code. These types of issues are not necessarily security issues in and of themselves but lead to security vulnerabilities. For example, buffer overflows within older versions of Safari (a poor code quality vulnerability) led to high risk drive-by Jailbreak attacks. Poor code-quality issues are typically exploited via malware or phishing scams. • Exploitability is DIFFICULT. An attacker will typically exploit vulnerabilities in this category by supplying carefully crafted inputs to the victim. These inputs are passed onto code that resides within the mobile device where exploitation takes place. Typical types of attacks will exploit memory leaks and buffer overflows.
  • 48. M8: Code Tampering • Typically, an attacker will exploit code modification via malicious forms of the apps hosted in third-party app stores. The attacker may also trick the user into installing the app via phishing attacks. • Exploitability is EASY. Typically, an attacker will do the following things to exploit this category: • Make direct binary changes to the application package’s core binary • Make direct binary changes to the resources within the applicaiton’s package • Redirect or replace system APIs to intercept and execute foreign code that is malicious
  • 49. M9: Reverse Engineering • An attacker will typically download the targeted app from an app store and analyze it within their own local environment using a suite of different tools. • Exploitability is EASY. An attacker must perform an analysis of the final core binary to determine its original string table, source code, libraries, algorithms, and resources embedded within the app. Attackers will use relatively affordable and well-understood tools like IDA Pro, Hopper, otool, strings, and other binary inspection tools from within the attacker’s environment.
  • 50. M10: Extraneous Functionality • Typically, an attacker seeks to understand extraneous functionality within a mobile app in order to discover hidden functionality in in backend systems. The attacker will typically exploit extraneous functionality directly from their own systems without any involvement by end-users. • Exploitability is EASY. An attacker will download and examine the mobile app within their own local environment. They will examine log files, configuration files, and perhaps the binary itself to discover any hidden switches or test code that was left behind by the developers. They will exploit these switches and hidden functionality in the backend system to perform an attack.
  • 52. Threat Modeling • Threat modeling is a process of identifying, analyzing, and mitigating the threats to the application • It is a structured approach that allows the developer to rate the threats based on the architecture and implementation of the application • It is performed at the design phase of the secure development lifecycle • It is an iterative process that starts from the design phase of the application and iterates throughout the application lifecycle until all possible threats to the applications are identified • The output of threat modeling is a threats model exposing all the possible threats and vulnerabilities on an application
  • 53. Threat Modeling Process The steps involved in Threat Modeling process are as follows: 1. Identify Security Objective 2. Application Overview 3. Decompose Application 4. Identify Threats 5. Identify Vulnerabilities
  • 54. Identify Security Objectives • To proceed with creating a threat model for an application, the security objectives of the application should be identified clearly • These security objectives are goals and constraints that need to be attained to maintain confidentiality, integrity, and availability of the application and its data • Security objectives are a subset of the application’s functional objectives • With security objectives clearly identified, • You can identify the areas which need closer attention and where to focus your efforts • You can understand the goals of potential attackers
  • 55. Application Overview • The aim of creating an application overview is to understand what the application does • Creating an application overview involves: • Understanding the application functionality • Understanding the purpose and the key features of the application • Identifying application users or clients • Activities: • Draw the end-to-end deployment architecture • Identify various user roles • Identify use case scenarios • Identify technologies • Identify application security mechanisms
  • 56. Decompose Application • Decompose the application to the level where it is possible to identify external entities, trust boundaries, data flow, entry points, and privileged code in the application and recognize the areas of vulnerabilities among them • It helps to conduct attack surface analysis • Activities: • Prepare and Document Threat Model Information • Enumerate External Dependencies • Enumerate Entry Points • Enumerate Assets • Enumerate Trust levels • Data Flow Diagrams
  • 57. Identify Threat • To identify threats, they need to be broadly categorized into different possible categories • This threat categorization provides a structured way to systematically identify different threats on the application • The threat identification process uses the STRIDE model to categorize threats and examine each aspect of the security profile of the application
  • 58. The STRIDE Model • The STRIDE model categorizes the application threats based on the goals and purpose of the attack, which helps the developer to develop a security strategy • It also includes the countermeasures for all threat categories • Threat | Desired property | Description • Spoofing | Authenticity | Unauthorized access to a system by using a false identity • Tampering | Integrity | Code and data modification without authorization • Repudiation | Non-repudiability | Ability of users to claim that they did not perform some actions against the application • Information disclosure | Confidentiality | Unwanted exposure of private data to unauthorized users • Denial of Service | Availability | Ability to make a system or application unavailable to the legitimate users • Elevation of Privilege | Authorization | Ability of a user with limited privileges to elevate their privileges with an application without authorization
  • 59. Rating the Threats: DREAD Model • DREAD stands for damage potential, reproducibility, exploitability, affected users, and discoverability • The DREAD model is used to rate the various security threats on the application by calculating the risk of each threat • Severity levels are assigned to the various threats on the application so that they can be mitigated according to their severity
  • 60. DREAD Model • Rating | High (3) | Medium (2) | Low (1) • D: Damage Potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content | Leaking sensitive information | Leaking trivial information • R: Reproducibility | The attack can be produced every time and does not require a timing window | The attack can be reproduced, but only with a timing window and a particular race situation | The attack is very difficult to reproduce even with knowledge of the security hole • E: Exploitability | A novice programmer could make the attack in a short time | A skilled programmer could make the attack then repeat the steps | The attacker requires an extremely skilled person and in-depth knowledge every time to exploit • A: Affected Users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users • D: Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable | The vulnerability is in a seldom-used part of the product and only a few users should come across it. It would take some thinking to see malicious use | The bug is obscure and it is unlikely that users will work out damage potential
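A small threat register that applies the STRIDE categories and the DREAD ratings from the two slides above. This is an added example, not part of the original slides; the severity bands (12-15 High, 8-11 Medium, 5-7 Low), the function names and the sample threats are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> desired property it threatens (from the table above)
STRIDE = {
    "Spoofing": "Authenticity", "Tampering": "Integrity",
    "Repudiation": "Non-repudiability",
    "Information disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str
    ratings: dict  # factor -> 3 (High), 2 (Medium) or 1 (Low)

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"{self.name}: unknown STRIDE category")
        if set(self.ratings) != set(FACTORS):
            raise ValueError(f"{self.name}: rate all five DREAD factors")
        if any(v not in (1, 2, 3) for v in self.ratings.values()):
            raise ValueError(f"{self.name}: each rating must be 1, 2 or 3")

    @property
    def score(self):
        return sum(self.ratings.values())  # ranges from 5 to 15

    @property
    def severity(self):
        # Assumed banding (not on the slides): 12-15 High, 8-11 Medium, 5-7 Low
        return "High" if self.score >= 12 else "Medium" if self.score >= 8 else "Low"


def rate(name, stride, d, r, e, a, disc):
    return Threat(name, stride, dict(zip(FACTORS, (d, r, e, a, disc))))


def prioritise(threats):
    """Order threats for mitigation: highest score first, damage breaks ties."""
    return sorted(threats, key=lambda t: (t.score, t.ratings["damage"]), reverse=True)


# Constructed sample register for a web login feature
SAMPLE = [
    rate("Audit log omits the acting user", "Repudiation", 2, 1, 1, 1, 1),
    rate("SQL injection in login query", "Tampering", 3, 3, 3, 3, 2),
    rate("Error page shows stack trace", "Information disclosure", 1, 3, 2, 2, 3),
]
```

Calling `prioritise(SAMPLE)` returns the register in mitigation order, and a threat with an unknown category or a rating outside 1 to 3 is rejected when it is created.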
  • 61. Identify Vulnerabilities • Move to the next chapter...
  • 63. Vulnerability Research • The process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws that will expose an operating system and its applications to exploit, attack, or misuse • Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote) • An administrator needs vulnerability research: • To gather information concerning security trends, threats, attack surfaces, attack vectors and techniques • To discover weaknesses in the OS and applications, and alert the network administrator before a network attack • To gather information to aid in the prevention of security issues • To know how to recover from a network attack
  • 64. Vulnerability Assessment • Vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation • It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels • A vulnerability assessment may be used to: • Identify weaknesses that could be exploited • Predict the effectiveness of additional security measures in protecting information resources from attacks • Information obtained from the vulnerability scanner includes: • Network vulnerabilities • Open ports and running services • Application and services vulnerabilities • Application and services configuration errors
  • 65. Practical • Requirements: • VirtualBox with the Extension Pack installed • Kali Linux virtual image (https://images.kali.org/virtual-images/kali-linux-2021.1-vbox-amd64.ova) • Seattle v0.3 VM (https://download.vulnhub.com/seattle/Seattle-0.0.3.7z) • Please install the Extension Pack before you start using VirtualBox. Download the latest VirtualBox and VirtualBox Extension Pack (for all supported platforms) using the following link (https://www.virtualbox.org/wiki/Downloads) • Please add the two VMs to your VirtualBox
  • 66. Networking • Ensure your VMs are connected using the NAT network configuration
  • 67. Practical Objective • Perform vulnerability scanning on the application • Launch SQL Injection attack • Launch Cross-Site Scripting Attack
  • 68. Start Your VM • Start your Kali Linux machine • Username: kali • Password: kali • Start your Seattle v0.3 machine • Username: root • Password: PASSWORD • Check the network connection of the Seattle machine and find its IP address
  • 69. Step 1 • Check the web page
  • 70. Step 2 • Scan the machine using nmap for machine security posture • #sudo nmap -sS -A 10.0.2.7
  • 71. Step 3 • Scan the machine using nikto for common vulnerability on the web page • #nikto -host 10.0.2.7
  • 72. Step 4 • Scan the machine using dirb for directory list of the web page • #dirb http://10.0.2.7
  • 73. Step 5 • Scan for other vulnerabilities with other tools • Burpsuite • Acunetix • Manual reconnaissance • etc.
  • 74. Summary • Publicly accessible applications need to be secure to prevent attacks • There are some common attacks that are launched against publicly accessible applications • OWASP is a standard that can be used for evaluating application security
  • 75. SECURE CODING FOR STARTUP DIGITAL Secure Coding In Practice Modul 2
  • 76. Outline • Authentication and Authorization • Authentication and Authorization Problems • Defensive Coding Practices
  • 77. Authentication It means to verify or prove a user’s identity • The term of “user” may refer to: • Person • Application or process • Machine or device • To prove identity, a user must present either of the following: • What you know (password, passphrase, PIN) • What you have (token, smart cards, passcodes, RFID) • Who you are (biometrics such as fingerprints and iris scan, signature or voice) • Location or IP • We can also use Picture
  • 78. Authentication: using Picture • Recall-based • Recognition-based
  • 79. Authorization • Defines the user’s right and permission on a system • Typically done after user has been authenticated • Grants a user access to resource and what action he is permitted to perform on that resource • Access criteria based on the level of trust: • Roles • Groups • Location • Time • Transaction type
  • 81. Problems and Causes • Obvious Username/password (credentials) during input
  • 82. Problems and Causes • Un-encrypted credentials or using obsolete encryption or default
  • 83. Problems and Causes • Weak credentials
  • 84. Problems and Causes • Open/Public index or .git page
  • 85. Problems and Causes • Bypass Authentication - IDOR (Insecure Direct Object Reference)
  • 86. Problems and Causes • Account takeover
  • 87. Problems and Causes • Smart Account Recovery
  • 88. Problems and Causes • Weak Input Validation • SQL Injection • URL Enumeration
  • 89. Problems and Causes • Data Breach
  • 90. Problems and Causes • Sniffing • Spoofing • Phishing • Malware/Spyware/Keylogger
  • 91. Problems and Causes • Fail Two Factor Authentication
  • 92. Authentication and Authorization: Prevent • Strict Access Control • Deny Access by Default • Role-based Access Control (RBAC) • Permission-based Access Control (PBAC)
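A deny-by-default, role-based check with an ownership rule, which is the server-side control that stops the IDOR bypass listed under "Problems and Causes". This is an added example, not part of the original slides; the roles, permission names and sample records are hypothetical.

```python
# Hypothetical role -> permission map; ':own' limits a permission to the owner
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:write", "user:manage"},
    "accountant": {"invoice:read", "invoice:write"},
    "customer": {"invoice:read:own"},
}


def is_allowed(user, action, resource=None):
    """Deny by default: True only when an explicit rule grants the action."""
    if not user or not user.get("authenticated"):
        return False
    if action.endswith(":own"):
        return False  # ':own' is a rule suffix, never a requestable action
    granted = set()
    for role in user.get("roles", ()):
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown role adds nothing
    if action in granted:
        return True
    if f"{action}:own" in granted and resource is not None:
        owner, uid = resource.get("owner_id"), user.get("id")
        return uid is not None and owner == uid
    return False


def get_invoice(user, invoice_id, invoices):
    """Check on the server for every request, whatever id the client sends."""
    invoice = invoices.get(invoice_id)
    if invoice is None or not is_allowed(user, "invoice:read", invoice):
        # Same general error for "missing" and "forbidden"
        raise PermissionError("not found or not permitted")
    return invoice


# Constructed sample data
INVOICES = {101: {"owner_id": 7, "total": 120}, 102: {"owner_id": 8, "total": 990}}
ALICE = {"id": 7, "authenticated": True, "roles": ["customer"]}
```

With this in place, changing the invoice id in a request from 101 to 102 as `ALICE` raises `PermissionError` instead of returning another customer's record.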
  • 93. Authentication and Authorization: Prevent • Single Sign On • It improves security as there are fewer user credentials at risk, but there is a definite need for multi-factor authentication (MFA)
  • 94. Authentication and Authorization: Prevent • Complex Encryption • Use Salt • Use Passphrase • Keep away sensitive data
  • 95. Authentication and Authorization: Prevent • Multi Factor Authentication • Use Captcha or Token for single Session
  • 96. Authentication and Authorization: Prevent • Avoid Public Wi-Fi
  • 97. Authentication and Authorization: Prevent • Use Latest SSL or HTTPS
  • 98. Authentication and Authorization: Prevent • Frequent Back-up
  • 99. Authentication and Authorization: Prevent • Server-side Input validation • Server-side Input sanitization • Server-side Input parameter casting • Server-side Input limitation
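Server-side validation, parameter casting and limitation applied to a lookup query, with the concatenated "before" form kept beside the hardened one. This is an added example, not part of the original slides; the table, the function names and the allowed username pattern are assumptions.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # allow-list with length limit


def parse_page(raw, max_page=1000):
    """Parameter casting plus limitation: ASCII digits only, bounded range."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()
            and len(raw) <= 6):
        raise ValueError("page must be a positive integer")
    page = int(raw)
    if not 1 <= page <= max_page:
        raise ValueError("page out of range")
    return page


def validate_username(raw):
    """Validation: reject anything outside the allow-list, never repair it."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def find_user_unsafe(db, username):
    # 'Before': client input is concatenated into the SQL text
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return db.execute(sql).fetchall()


def find_user(db, username):
    # 'After': validate on the server, then bind the value as a parameter
    sql = "SELECT id, name FROM users WHERE name = ?"
    return db.execute(sql, (validate_username(username),)).fetchall()


def make_db():
    """Constructed in-memory table standing in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db
```

A username containing a quote changes the meaning of the query in `find_user_unsafe` but is rejected by `find_user` before it reaches the database, and the bound parameter would treat it as plain data even if validation were skipped.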
  • 100. Authentication and Authorization: Prevent • Manage the session • Short and Long • Track the session • Cookies and Httpsession
  • 101. Authentication and Authorization: Prevent • General Error Message • Urgent User Notification
  • 102. Summary Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.