Web Application Security Basics
incubator pack
The purpose of the Web Application Security incubator pack is to provide you with a starting point to learning all you need to know to become proficient in security. This pack attempts to bring together the most valuable resources and tutorials that exist and fill in any gaps they may leave, expose you to the skills you will need when working individually or on a team, and the resources to further develop your aptitude in these skills.
INITIAL SET UP
Hardware & software requirements
- Although not necessary, ZAP is a useful cross-platform tool, made freely available by OWASP for determining vulnerabilities.
- VM software that supports running ISO Linux VM's.
- REST client (i.e Postman)
- Postman is great for testing web services and getting to know how they work
- OpenVPN (if you are using Linux, your package manager might simplify installation)
- Apart from being used by several clients as a remote support solution, OpenVPN can also be used to try out challenges in Hack the box.
PRE-READING MATERIAL
- Familiarise yourself with the current OWASP Top Ten.
- Browse the CVE Details database. Most vulnerabilities are reported to CVE Details; however, not all companies report their defects. Do review all release notes of all products that you are using. This is just to give you an idea of noted vulnerabilities in software applications.
- With vulnerabilities such as Spectre, remember that Information Security is in a constant state of flux. What is considered safe today, may not hold in the future(Intel CPU's have recently been in the headlines (again)). No application or operating system is immune to security breaches. Try to keep yourself current with the latest news by subscribing to security feeds such as Slashdot.
- CheckMarx published an infographic based on the 2017 OWASP list; have a look at it here.
- Start learning Python (optional)
- Hackers use Python to automate mundane hacking tasks that they would otherwise have to manually execute. For example, an automated port scanner is part of beginner guides and relatively easy to write.
- You should be able to identify basic types of encoding and encryption:
- Know the difference between Authentication and Authorisation.Both are crucial to developing secure API's.
- Use your code-review to improve security: https://pentesterlab.com/exercises/codereview/course
top 5 owasp resources you should have
- Developer guide
- The top 10 cheat sheet
- Application Security Verification Standard
- Security Knowledge Framework
- The developer cheat sheet
Outcomes of the incubator
Familiarity with OWASP and recent data leaks
Design secure API's
Secure your information
Introduce secure dependencies to a project or client
Practical
Browse through https://pentesterlab.com/exercises?dir=asc&only=free&sort=difficulty
Practical 1: Web for pentester
Practical 2: Web for pentester II
Practical 3: SQL Injection
Practical 4: XSS/ Cross-site scripting
Practical 5: SQL Injection II
Practical 6: ActiveRecord SQL Injection
Hack the invite code in order to become a member: https://www.hackthebox.eu/invite
Welcome to Hack the box
Try out some of the challenges in Hack the box.
What to do after this incubator
After you've done with this incubator, you should have a good understanding of security.
Below are some notes on security.
Section 1
NOtes on information security
- Don't store it if you don't need it. Information that does not exist cannot be leaked or used.
- Additional compliance may apply to certain types of information such as payment data(refer to PCI DSS for more information).
- Sensitive information might need to be encrypted in a secure way before being persisted.
- Servers get stolen out of data centres, your persistence layer should have encryption (i.e encrypted filesystems)
- Don't trust information coming into your network, even if it is from your own mobile app or website.
- PCI DSS (refer to link at the bottom of this page) is an evolving standard that is mandated by several payment processors such as Mastercard and Visa as well as regional payment associations such as PASA and ECPA. Familiarity with PCI DSS is an asset when it comes to designing API's at financial institutions.
Section 2
notes on application security
- Your dependencies might be affected by security vulnerabilities which inherently will make you vulnerable. An automated process such as Nexus Firewall will help mitigate this.
- Code security scans such as CheckMarx can go a long way to detect bad habits (such as hardcoded passwords).
- All API's that can be routed to from outside must be pen (penetration) tested by a third-party organisation that specializes in pen-testing.
- Staying up to date with products that you are using is crucial. Review the release notes between versions in case vulnerabilities have not been reported to CVE Details or you missed the e-mail notification from the vendor.
Section 3
notes from the 2019 infosec world conference
- There is a large gap between teams that do development and the security teams in organisations. There is almost no relationship between the teams which usually leads to tension and frustration.
- If you have a security team at the client you are working with, create a relationship and give them your support.
- It was noted that a security partner(external company) might not always give teams the critical feedback they need, but rather the feedback the business wants. A relationship with the security partner can assist in getting a more accurate and critical result.
- At times the security practices resulted in teams struggling to do their work. This resulted in a Shadow IT being formed.
- A relationship with the security team can go a long way in preventing frustrations due to security requirements/design.
- Remember it only takes 1 well-crafted data packet to breach a vulnerable system.
- A pro-active attitude to security and awareness is needed.
- Quality User/Security Awareness training is still one of the cheapest and most effective ways to prevent a large number of security breaches.
- This type of training does not only apply to developers. It applies to everyone in the company(Operations, Support, Finance, Human Resources, C-level executives).
- An up-to-date active phishing campaign that runs continuously targeting staff can assist in detecting staff that might need training.
- This type of campaign together with training is useful when measuring your IT security.
- Internal hack-our-own-system days can assist in fostering a secure approach when creating systems.
- Quality User/Security Awareness training is still one of the cheapest and most effective ways to prevent a large number of security breaches.
- The OWASP Top 10 list has changed a bit over the years.
- Have a look at the previous years and check out what stood out.
- It looks like we are still struggling with SQL Injection.
- Concerns were raised over mobile security.
- A lot of recent malware on mobile phones were signed with legitimate certificates. The revocation process is also not as effective.
- Device Managers such as Microsoft Intune and Android Device Manager are not always present or correctly configured, thus allowing staff mobile devices access to company data without any means to protect it in the event of theft.
- Passwords also got some attention.
- Passwords are here to stay.
- A very long password that changes every 6 months is considered more secure than a shorter password that changes often.
- An evolving trust factor system that takes context into account when evaluating a request is becoming a must-have. Depending on several factors, a system will issue a trust score to a person/system requesting an action to be performed. If the trust score is lower than what is required, the request can be rejected or sent for additional verification.
links and Feedback
PCI DSS Quick Reference Guide: PCI_DSS-QRG-v3_2_1.pdf
Feedback is important. If you find a cool new resource or feel that any part of this incubator or it's resources are out of date, leave us a message in the Slack channel.