SlideShare a Scribd company logo

Securing against data theft against Vulnerable dependency

Download as PPTX, PDF
J
Jagdsh L K Chand

This document discusses securing against data theft from vulnerable dependencies in applications. It provides steps to build a demo login and payment page that is vulnerable. The vulnerability allows sensitive data to be leaked to a third party site. It explains how the vulnerability occurred through a vulnerable dependency package and how to detect such issues. Prevention measures are outlined like checking dependencies for known vulnerabilities, keeping dependencies up-to-date, and using vulnerability scanning tools. Resources on analyzing dependencies and common vulnerability databases are also referenced.

Software
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
Securing against Data theft by vulnerable dependencies in your App - @JagdshLK
Content ● Workshop ○ Build a page which leaks sensitive information. ○ Find out how the data breach occurred. ● What just happened? ● How to find these type of vulnerability? ● Prevention Measures
Workshop: Let’s build a Login and a Payment page!!!
Workshop - Steps Software Prerequisites: ● Git ● Node 10.4.1 or above ● npm 6.1.0 or above Steps: 1. Github search for “VodQA Securing Data theft demo” and clone it. 2. Follow the Readme.Md 3. Develop a login page 4. Develop a payment page which accepts Credit card
README.md Getting Started Prerequisites Make sure you have Node v10.4.1 or above and npm 6.1.0 or above. Installing Clone the repo and run the following inside the cloned directory. npm install Running the application run the following command to run the application npm start
What just happened? Package Manager Vulner Packa UI Code Username: Password: https://www.vulnerabledependency.com Production Vulner Packa app.bundle.js Vulnerable Package package.json
● Collect logs and analyse cross domain calls triggered. ● Beware and decode every information send out of the website and verify the content. ● Analysing the dependency package before using it. How to find this type of vulnerable?
Prevention measures ● Try not to load 3rd party libraries in sensitive information pages. ● Check your dependencies is listed in OWASP Common Vulnerabilities and Exposures (CVE). ○ Making sure CI build fails if a vulnerable dependency is found in frameworks package manager using OWASP tools. ● Ensure your Dependencies is up to date with latest security patches, if any. ● Always use Vulnerability Scanning tools to check for any vulnerables. ● Report a vulnerability found. ● [DEV SPECIFIC] Overwrite the HttpRequest in UI to make sure all requests go through the overwritten HTTPRequest.
How to read a CVE? Major Terms: ● VSS Score ● Confidentiality Impact ● Integrity Impact ● Availability Impact ● Access Complexity ● Authentication ● Vulnerability Type(s) ● CWE ID
Reference ■ https://www.owasp.org/index.php/OWASP_Dependency_Check ■ https://blog.rapid7.com/2016/04/05/client-side-logging-in-javascript/ ■ https://jeremylong.github.io/DependencyCheck/ ■ https://nvd.nist.gov/vuln/search ■ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools ■ https://www.cvedetails.com/ ■ https://www.first.org/cvss/specification-document ■ https://github.com/Jagdsh/VodQA_Securing_Data_theft-demo_reciever ■ https://github.com/Jagdsh/VodQA_Securing_Data_theft-demo

More Related Content

PDF
Make CSRF Again
Netsparker
 
PDF
Tale of Forgotten Disclosure and Lesson learned
Anant Shrivastava
 
PDF
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
PDF
Wordpress security best practices - WordCamp Waukesha 2017
vdrover
 
PPTX
Same-origin Policy (SOP)
Netsparker
 
PDF
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
PDF
Securing your AngularJS Application
Philippe De Ryck
 
PPTX
WebdriverIO: the Swiss Army Knife of testing
Daniel Chivescu
 
Make CSRF Again
Netsparker
 
Tale of Forgotten Disclosure and Lesson learned
Anant Shrivastava
 
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
Wordpress security best practices - WordCamp Waukesha 2017
vdrover
 
Same-origin Policy (SOP)
Netsparker
 
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Securing your AngularJS Application
Philippe De Ryck
 
WebdriverIO: the Swiss Army Knife of testing
Daniel Chivescu
 

Similar to Securing against data theft against Vulnerable dependency (20)

PDF
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
PDF
Tw noche geek quito webappsec
Thoughtworks
 
PDF
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
PPTX
Web Security Terms such as what is a WAF, Access Control, Output Encoding ....
Your Study_Buddy
 
PDF
WebGoat.SDWAN.Net in Depth
yalegko
 
PDF
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
 
PDF
Owasp top 10 2013
Edouard de Lansalut
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PPTX
Security-Web Vulnerabilities-Browser Attacks
Raghu Addanki
 
PPTX
Introduction to Web Application Penetration Testing
Rana Khalil
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
PDF
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
sparkfabrik
 
PDF
The State of the Veil Framework
VeilFramework
 
PDF
AV Evasion with the Veil Framework
VeilFramework
 
PDF
Uygulama guvenligi gunu - malicious web sites
Siber Güvenlik Derneği
 
PDF
Owasp masvs spain 17
Luis A. Solís
 
PPTX
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
PDF
React commonest security flaws and remedial measures!
Shelly Megan
 
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
Tw noche geek quito webappsec
Thoughtworks
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
Web Security Terms such as what is a WAF, Access Control, Output Encoding ....
Your Study_Buddy
 
WebGoat.SDWAN.Net in Depth
yalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
 
Owasp top 10 2013
Edouard de Lansalut
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Application Security - Your Success Depends on it
WSO2
 
Security-Web Vulnerabilities-Browser Attacks
Raghu Addanki
 
Introduction to Web Application Penetration Testing
Rana Khalil
 
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
sparkfabrik
 
The State of the Veil Framework
VeilFramework
 
AV Evasion with the Veil Framework
VeilFramework
 
Uygulama guvenligi gunu - malicious web sites
Siber Güvenlik Derneği
 
Owasp masvs spain 17
Luis A. Solís
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
React commonest security flaws and remedial measures!
Shelly Megan
 
Ad

Recently uploaded (20)

PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
System and Network Administration Chapter 2
jaramharo
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Ad

Securing against data theft against Vulnerable dependency

  • 1. Securing against Data theft by vulnerable dependencies in your App - @JagdshLK
  • 2. Content ● Workshop ○ Build a page which leaks sensitive information. ○ Find out how the data breach occurred. ● What just happened? ● How to find these type of vulnerability? ● Prevention Measures
  • 3. Workshop: Let’s build a Login and a Payment page!!!
  • 4. Workshop - Steps Software Prerequisites: ● Git ● Node 10.4.1 or above ● npm 6.1.0 or above Steps: 1. Github search for “VodQA Securing Data theft demo” and clone it. 2. Follow the Readme.Md 3. Develop a login page 4. Develop a payment page which accepts Credit card
  • 5. README.md Getting Started Prerequisites Make sure you have Node v10.4.1 or above and npm 6.1.0 or above. Installing Clone the repo and run the following inside the cloned directory. npm install Running the application run the following command to run the application npm start
  • 6. What just happened? Package Manager Vulner Packa UI Code Username: Password: https://www.vulnerabledependency.com Production Vulner Packa app.bundle.js Vulnerable Package package.json
  • 7. ● Collect logs and analyse cross domain calls triggered. ● Beware and decode every information send out of the website and verify the content. ● Analysing the dependency package before using it. How to find this type of vulnerable?
  • 8. Prevention measures ● Try not to load 3rd party libraries in sensitive information pages. ● Check your dependencies is listed in OWASP Common Vulnerabilities and Exposures (CVE). ○ Making sure CI build fails if a vulnerable dependency is found in frameworks package manager using OWASP tools. ● Ensure your Dependencies is up to date with latest security patches, if any. ● Always use Vulnerability Scanning tools to check for any vulnerables. ● Report a vulnerability found. ● [DEV SPECIFIC] Overwrite the HttpRequest in UI to make sure all requests go through the overwritten HTTPRequest.
  • 9. How to read a CVE? Major Terms: ● VSS Score ● Confidentiality Impact ● Integrity Impact ● Availability Impact ● Access Complexity ● Authentication ● Vulnerability Type(s) ● CWE ID
  • 10. Reference ■ https://www.owasp.org/index.php/OWASP_Dependency_Check ■ https://blog.rapid7.com/2016/04/05/client-side-logging-in-javascript/ ■ https://jeremylong.github.io/DependencyCheck/ ■ https://nvd.nist.gov/vuln/search ■ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools ■ https://www.cvedetails.com/ ■ https://www.first.org/cvss/specification-document ■ https://github.com/Jagdsh/VodQA_Securing_Data_theft-demo_reciever ■ https://github.com/Jagdsh/VodQA_Securing_Data_theft-demo

Editor's Notes

  • #4: Call out Hint: Through which medium server to server communication happen?
  • #5: https://git.thoughtworks.net/security-vulneraibility-apps/vulnurable_dependency_app/blob/master/README.md
  • #6: 10.134.125.167
  • #7: It is a type of DOM-based cross site scripting (XSS) - where the vulnerability is in the client-side code rather than the server-side code.
  • #9: Show to check a dependency is listed in CVE