9 |
10 | # OWASP Top Ten Security Vulnerabilities Workshop
11 |
12 | 
13 |
14 |
15 |
16 |
19 |
20 | ---
21 |
22 | # Introduction: OWASP 🐝
23 |
24 |
25 |
26 | - The Open Web Application Security Project (**OWASP**) is a **non profit** foundation that works to improve the security of software
27 |
28 | - OWASP has community-led **open-source** software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences
29 |
30 |
31 |
32 | ---
33 |
34 | # Introduction: OWASP Top Ten
35 |
36 |
37 |
38 | - The **[OWASP Top Ten](https://owasp.org/Top10/)** is a standard awareness document for developers and web application security
39 | - It represents a broad consensus about the most critical security risks to web applications
40 |
41 |
42 |
43 | ---
44 |
45 | # Workshop Setup
46 |
47 |
48 |
49 | - This workshop will explain each of the 10 vulnerabilities
50 | - There is a Fastify node.js server demonstrating the security issues
51 | - At each step you are asked to fix the vulnerability in the server
52 | - You will find the solution to each step in the file `solution.js` inside `src/a{n}-{name}` folder (the actual path may vary)
53 | - The 💡 icon indicates hints
54 |
55 |
56 |
57 | ---
58 |
59 | # Getting setup
60 |
61 |
62 |
63 | #### Requirements
64 |
65 |
66 | 67 | - Node LTS 68 | - docker 69 | - docker-compose 70 | - Postman (if you want to be able to test vulnerabilities) 71 | 72 | #### Setup 73 | 74 |
75 | 76 | ```bash 77 | git clone https://github.com/nearform/owasp-top-ten-workshop 78 | npm ci 79 | npm run db:up 80 | npm run db:migrate 81 | ``` 82 | 83 |
84 |
85 | ---
86 |
87 | # Running the modules
88 |
89 | 66 | 67 | - Node LTS 68 | - docker 69 | - docker-compose 70 | - Postman (if you want to be able to test vulnerabilities) 71 | 72 | #### Setup 73 | 74 |
75 | 76 | ```bash 77 | git clone https://github.com/nearform/owasp-top-ten-workshop 78 | npm ci 79 | npm run db:up 80 | npm run db:migrate 81 | ``` 82 | 83 |
90 |
91 | - `cd src/a{x}-step-name`
92 | - `npm start` will run the server ready to respond to requests
93 | - `npm run verify` will run automated tests that fail by default until this step's issue is solved
94 | - Check out README.md in the projects for potential additional info
95 |
96 |
97 |
98 | ### Example
99 |
100 | ```bash
101 | cd src/a01-access-control
102 | npm start
103 | ```
104 |
105 | The server for that step will run on http://localhost:3000
106 |
107 | ---
108 |
109 | # Testing the vulnerabilities
110 |
111 |
112 |
113 | - Some vulnerabilities involve sending specific requests to the server. We will be using the tool Postman to send those requests
114 | - The `postman` folder contains a collection that can be imported into Postman to easily send those requests
115 | - The Postman collection is pre-logged in with user `alice`. The `Bearer token` is set that represents `alice`.
116 |
117 |
118 |
119 | ---
120 |
121 | # Automated testing
122 |
123 |
124 |
125 | - Some vulnerabilities have automated tests which verify the presence of the vulnerability
126 | - Those tests will fail until you fix the vulnerability
127 | - `npm run verify` in a step's folder
128 |
129 |
130 |
131 | ---
132 |
133 | # A01 Broken Access Control
134 |
135 |
136 |
137 | - [AO1:2021 - Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
138 | - User should only act based on specific permissions
139 | - Incorrect permissions -> unauthorised access of data
140 |
141 |
142 | ---
143 |
144 | # A01 Common vulnerabilities
145 |
146 |
147 |
148 | - Not applying principle of **least privilege**
149 | - Checks can be bypassed by tampering with page or request
150 | - Allowing access to someone else's info by knowing the UUID
151 | - CORS allows untrusted origins
152 |
153 |
154 |
155 | ---
156 |
157 | # A01 How to Prevent
158 |
159 |
160 |
161 | - Deny access by default
162 | - Avoid duplication of access control logic
163 | - Enforce **user ownership** when manipulating data
164 |
165 |
166 |
167 | ---
168 |
169 | # A01 Exercise
170 |
171 |
172 |
173 | - The `/profile` route returns sensitive user data
174 | - It takes a `username` query parameter to return the user's info
175 |
176 | ```
177 | GET http://localhost:3000/profile?username=alice
178 | ```
179 |
180 | ```json
181 | {
182 | "id": 1,
183 | "username": "alice",
184 | "age": 23
185 | }
186 | ```
187 |
188 |
189 |
190 | ---
191 |
192 | # A01 The problem
193 |
194 |
195 |
196 | - Run the server for step 1 (`cd src/a01-access-control`, `npm start`)
197 | - In Postman, run the query for A01: Access Control. Observe the data for Alice being returned
198 | - Now change the `username` query parameter to `bob`. Result:
199 |
200 | ```json
201 | {
202 | "id": 2,
203 | "username": "bob",
204 | "age": 31
205 | }
206 | ```
207 |
208 | - Bob's data is being exposed! Remember we're logged in as Alice and shouldn't see Bob's data
209 |
210 |
211 |
212 | ---
213 |
214 | # A01 Fixing it 🪄
215 |
216 |
217 |
218 | - Run the automated tests for step 1 - `npm run verify`
219 | - The tests fail because the server shouldn't return Bob's data
220 | - Edit the `/profile` route in the exercise folder to return only the `logged-in` user's profile without exposing other people's profiles
221 | - 💡 The server uses [fastify-jwt](https://github.com/fastify/fastify-jwt) to handle authentication
222 |
223 |
224 |
225 | ---
226 |
227 | # A01 Solution 💡
228 |
229 |
230 |
231 | - The issue comes from the usage of a user-supplied `query` parameter to choose which profile's info to check
232 | - The server should instead fetch the only the `logged-in` user's info and reply with `403` in other cases
233 |
234 | ```js
235 | async req => {
236 | if (!req.user) {
237 | throw new errors.Unauthorized()
238 | }
239 | const username = req.user.username // 💡 We get the username from the logged in user, not from the query!
240 | if (username !== req.query.username) {
241 | throw new errors.Forbidden() // if does not match with the user's one, return a 403 Forbidden error
242 | }
243 | return user
244 | }
245 | ```
246 |
247 |
248 |
249 | ---
250 |
251 | # A02 Cryptographic Failures
252 |
253 |
254 |
255 | - [A02: Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
256 | - Weak or inexistent **cryptography** of sensitive data
257 | - Passwords, credit card numbers, health records, personal information, business secrets...
258 | - Anything protected by privacy laws or other regulations
259 |
260 |
261 |
262 | ---
263 |
264 | # A02 Common vulnerabilities
265 |
266 |
267 |
268 | - Weak or outdated cryptographic algorithms like **md5 ⚠️**
269 | - Weak secret keys, default ones, keys from online tutorials, keys checked in source control...
270 | - Lack of traffic encryption (**HTTPS**)
271 | - Insufficient entropy in seed generation
272 |
273 |
274 |
275 | ---
276 |
277 | # A02 How to Prevent
278 |
279 |
280 |
281 | - Check sensitive data is well **encrypted**. Avoid storing sensitive data unnecessarily
282 | - Use up to date and strong standard algorithms
283 | - Proper key/secrets management (**private keys in git ⚠️**)
284 | - Disable caching for responses that contain sensitive data
285 |
286 |
287 |
288 | ---
289 |
290 | # A02 A weak hashing algorithm
291 |
292 |
293 |
294 | - The `/all-data` endpoint returns all users and their passwords (hashed using md5). Imagine this as a data breach
295 | - Result of the `all-data` endpoint
296 |
297 | ```json
298 | [
299 | {
300 | "username": "bob",
301 | "password": "884a22eb30e5cfd71894d43ac553faa5"
302 | },
303 | {
304 | "username": "alice",
305 | "password": "5e9d11a14ad1c8dd77e98ef9b53fd1ba"
306 | }
307 | ]
308 | ```
309 |
310 |
311 |
312 | ---
313 |
314 | # A02 The problem
315 |
316 |
317 |
318 | - Using the `/all-data` route, find Alice's hashed password
319 | - With this password hash, try to find the original password Alice created
320 | - the Postman collection contains requests for doing the queries
321 | - 💡 There are websites to decrypt md5
322 |
323 |
324 |
325 | ---
326 |
327 | # A02 Fixing it 🪄
328 |
329 |
330 |
331 | - md5 hash is vulnerable and shouldn't be used
332 | - In `src/a02-cryptographic-failure`, fix the hashing algorithm used to be a strong algorithm instead of md5
333 | - Using [bcrypt](https://www.npmjs.com/package/bcrypt) is a good idea for passwords
334 | - The application exposes a `/change-password` route used to change a user's password
335 |
336 |
337 |
338 | ---
339 |
340 | # A02 Solution 💡
341 |
342 |
343 |
344 | ```js
345 | // utils/crypto.js
346 | import { hash, compare } from 'bcrypt'
347 |
348 | const saltRounds = 10
349 |
350 | export async function hashPassword(password) {
351 | return await hash(password, saltRounds)
352 | }
353 | ```
354 |
355 |
356 |
357 | ---
358 |
359 | # A02 Solution 💡 (2)
360 |
361 |
362 |
363 | ```js
364 | // utils/crypto.js
365 | export async function comparePassword(password, hash) {
366 | return await compare(password, hash)
367 | }
368 | ```
369 |
370 |
371 |
372 | ---
373 |
374 | # A03 Injection 💉
375 |
376 |
377 |
378 | - [A03: Injection](https://owasp.org/Top10/A03_2021-Injection/)
379 | - Injections are a form of attack where a malicious payload is able to effectively inject an arbitrary bit of query or code on the target server
380 | - Injections can result in data loss or corruption, lack of accountability, or denial of access. Injections can sometimes lead to complete host takeover.
381 | - Common targets: **SQL, NoSQL, ORM, LDAP, JS eval**
382 |
383 |
384 |
385 | ---
386 |
387 | # A03 Common vulnerabilities
388 |
389 |
390 |
391 | - Lack of validation or **sanitization** of user input
392 | - Dynamic queries or non-parameterized calls without context-aware **escaping** are used directly in the interpreter
393 | - Hostile data is used within object-relational mapping (ORM) **search parameters** to extract additional, sensitive records
394 |
395 |
396 |
397 | ---
398 |
399 | # A03 Attack
400 |
401 |
402 |
403 | - Run the server for step 3 (`cd src/a03-injection`, `npm start`)
404 | - In Postman, run the query for `A03: Get customer by name`. Observe the data for `name: "alice"` being returned
405 | - Try to run the query for `A03: SQL Injection`. Observe all the customers being returned
406 | - The query param value `' OR '1'='1` takes advantage of the unsafe string concatenation to create this SQL query
407 | `SELECT * FROM customers WHERE name='' OR '1'='1'` which will return every record in the table
408 |
409 |
410 |
411 | ---
412 |
413 | # A03 Fixing it 🪄
414 |
415 |
416 |
417 | - 💡 Prefer using a safe API that **sanitizes input** e.g `@nearform/sql`
418 | - **Escape special characters** using the specific escape syntax for that interpreter
419 | - Avoid user-supplied table names or column names as they cannot be escaped
420 | - **Automated testing** of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged
421 |
422 |
423 |
424 | ---
425 |
426 | # A03 Solution 💡
427 |
428 |
429 |
430 | - The `@nearform/sql` library escapes special characters contained in the user's input
431 |
432 | ```js
433 | // import SQL from '@nearform/sql'
434 | export default async function customer(fastify) {
435 | fastify.get(
436 | '/customer',
437 | {
438 | onRequest: [fastify.authenticate]
439 | },
440 | async req => {
441 | const { name } = req.query
442 | const { rows: customers } = await fastify.pg.query(
443 | SQL`SELECT * FROM customers WHERE name=${name}`
444 | )
445 | if (!customers.length) throw errors.NotFound()
446 | return customers
447 | }
448 | )
449 | }
450 | ```
451 |
452 |
453 |
454 | ---
455 |
456 | # A04 Insecure Design
457 |
458 |
459 |
460 | - [A04: Insecure Design](https://owasp.org/Top10/A04_2021-Insecure_Design/)
461 | - Fundamental **design flaws** of the software can cause security issues
462 | - Those issues cannot be fixed by a better more secure code implementation
463 | - Failure to determine the level of security required during design
464 |
465 |
466 |
467 | ---
468 |
469 | # A04 Examples
470 |
471 |
472 |
473 | - A forgotten password flow with **_"security questions"_** is insecure by design because more than one person can know the answer
474 | - An ecommerce website sells high-end video cards that scalpers buy with bots to resell (bad PR with customers)
475 | - A cinema chain allows booking up to fifteen attendees before requiring a deposit. An attacker could make **hundreds of small booking requests** at once to block all seats, causing massive revenue loss
476 |
477 |
478 |
479 | ---
480 |
481 | # A04 How to prevent
482 |
483 |
484 |
485 | - Model threats for the application, all its flows and business logic
486 | - Continuously evaluate security requirement and design during the development lifecycle
487 | - Consider security rules and access controls for every user story
488 | - **Use unit and integration tests** to verify the application is resistant to the threat model
489 |
490 |
491 |
492 | ---
493 |
494 | # A04 Exercise
495 |
496 |
497 |
498 | - The `/buy-product` endpoint does not have protection against bots run by scalpers
499 | - It means that someone can buy a lot of stock quickly and leave legitimate customers without any
500 |
501 |
502 |
503 | ---
504 |
505 | # A04 Scalping
506 |
507 |
508 |
509 | - Run the server for step 4 (`cd src/a04-insecure-design`, `npm start`)
510 | - In Postman, run the query for `A04: Buy product`. Observe the data for `success: true` being returned
511 | - Run the query many times in a row in a short period of time
512 | - Notice that there is no protection against multiple sequential purchases
513 |
514 |
515 | ---
516 |
517 | # A04 Fixing it 🪄
518 |
519 |
520 |
521 | - Prefer using rate limiter for your routes
522 | - 💡 Using [`fastify-rate-limit`](https://github.com/fastify/fastify-rate-limit) is a good idea for setting a rate limit
523 | - Let's consider a scenario where a user can buy a maximum of two products per minute
524 | - Edit the `/buy-product` route in the exercise folder considering the scenario above
525 |
526 |
527 |
528 | ---
529 |
530 | # A04 Solution 💡
531 |
532 |
533 |
534 | ```js
535 | // register the rateLimit plugin in the server.js file
536 | await fastify.register(rateLimit)
537 | ```
538 |
539 | ```js
540 | // the rate limit is set to a maximum of two purchases per minute
541 | export default async function ecommerce(fastify) {
542 | fastify.post(
543 | '/buy-product',
544 | {
545 | config: {
546 | rateLimit: {
547 | max: 2,
548 | timeWindow: '1 minute'
549 | }
550 | }
551 | },
552 | (req, reply) => {
553 | reply.send({ success: true })
554 | }
555 | )
556 | }
557 | ```
558 |
559 |
560 |
561 | ---
562 |
563 | # A05 Security Misconfiguration
564 |
565 |
566 |
567 | - Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk
568 | - **Badly configured** servers or services can lead to vulnerabilities
569 | - With increased usage of highly configurable software and cloud APIs, there are many opportunities for misconfiguration
570 |
571 |
572 |
573 | ---
574 |
575 | # A05 Common Vulnerabilities
576 |
577 |
578 |
579 | - Improperly configured **permissions** or security settings
580 | - Unnecessary features enabled: open ports, services, accounts with elevated accesss...
581 | - **Default credentials** unchanged
582 | - Out of date or vulnerable server
583 | - Stack trace from error handling revealing information to users
584 |
585 |
586 |
587 | ---
588 |
589 | # A05 How to prevent
590 |
591 |
592 |
593 | - Repeatable, automated and fast to deploy environments
594 | - Different credentials should be used in each environment
595 | - Frequently review security updates, patches and permissions
596 | - A **segmented architecture** increases security by separating components, tenants, containers or cloud security groups
597 | - An automated **test** to verify the effectiveness of the configurations
598 |
599 |
600 |
601 | ---
602 |
603 | # A05 Unsigned Cookies 🍪
604 |
605 |
606 |
607 | - Run the server for step 5 (`cd src/a05-security-misconfiguration`, `npm start`)
608 | - In Postman, run the query for `A05: Login`. Observe a cookie with `userId=1` being returned
609 | - Try to run the query for `A05: Profile`. Observe the information about profile with `userId=1` being returned
610 | - Try to [change the value of the cookie](https://learning.postman.com/docs/sending-requests/cookies/) to `userId=2`. Observe information about `userId=2` being returned
611 |
612 |
613 |
614 | ---
615 |
616 | # A05 Fixing it 🪄
617 |
618 |
619 |
620 | - 💡 Cookie must always be **[signed](https://github.com/fastify/fastify-cookie)** to ensure they are not getting tampered with on client-side by an attacker
621 | - It's important to use **httpOnly** cookies to prevent the cookie being accessed through client side script
622 | - Store the **signing secret** safely.
623 | - Don't store sentive information in cleartext
624 |
625 |
626 |
627 | ---
628 |
629 | # A05 Solution 💡
630 |
631 |
632 |
633 | ```js
634 | export function login(fastify) {
635 | fastify.post('/login', { schema }, async (req, rep) => {
636 | const { username, password } = req.body
637 | const {
638 | rows: [user]
639 | } = await fastify.pg.query(
640 | SQL`SELECT id, username, password FROM users WHERE username = ${username}`
641 | )
642 | if (!user) {
643 | throw errors.Unauthorized('No matching user found')
644 | }
645 | const passwordMatch = await comparePassword(password, user.password)
646 | if (!passwordMatch) {
647 | throw errors.Unauthorized('Invalid Password')
648 | }
649 | rep.setCookie('userId', JSON.stringify(user.id), {
650 | signed: true, // 💡 signing the cookie
651 | httpOnly: true // http only
652 | })
653 | return 'user logged in'
654 | })
655 | }
656 | ```
657 |
658 |
659 |
660 | ---
661 |
662 | # A05 Solution 💡 (2)
663 |
664 |
665 |
666 | ```js
667 | export function profile(fastify) {
668 | fastify.get('/profile', async req => {
669 | const { value: id, valid } = fastify.unsignCookie(
670 | //unsign the cookie and check validity
671 | req?.cookies?.userId || ''
672 | )
673 |
674 | if (!valid) {
675 | // check if the cookie has been tampered
676 | throw new errors.Unauthorized()
677 | }
678 | const {
679 | rows: [user]
680 | } = await fastify.pg.query(
681 | SQL`SELECT id, username, age FROM users WHERE id = ${id}`
682 | )
683 | if (!user) {
684 | throw new errors.NotFound()
685 | }
686 | return user
687 | })
688 | }
689 | ```
690 |
691 |
692 |
693 | ---
694 |
695 | # A06 Vulnerable and Outdated Components
696 |
697 |
698 |
699 | - Applications use a variety of components and libraries which can have security issues
700 | - Vulnerable components can be an attack vector until they are patched
701 | - Particularly relevant in the node.js world with an ever-growing **NPM dependency tree**
702 |
703 |
704 |
705 | ---
706 |
707 | # A06 Common Vulnerabilities
708 |
709 |
710 |
711 | - Not **tracking versions** of used components, including nested dependencies
712 | - Using unsupported or vulnerable software, including OS, web server, database, APIs, libraries, components, runtimes...
713 | - Not **scanning for vulnerabilities** regularly and subscribing to security news for used components
714 | - Not fixing vulnerable dependencies in a timely fashion
715 |
716 |
717 |
718 | ---
719 |
720 | # A06 How to prevent
721 |
722 |
723 |
724 | - Remove **unused dependencies**, unnecessary features, components, files, and documentation
725 | - Continuously inventory the versions of components and their dependencies
726 | - Monitor for libraries and components that are **unmaintained** or do not create security patches for older versions
727 | - Only obtain components from **official** sources over secure links
728 |
729 |
730 |
731 | ---
732 |
733 | # A06 The attack 🥷
734 |
735 |
736 |
737 | - Run the server for step 6 (`cd src/a06-vulnerable-outdated`, `npm start`)
738 | - In Postman, run the query for `A06: Profile`. Observe error `404` being returned
739 | - Try to run the query for `A06: Exploit vulnerability`. Observe the error message response
740 |
741 |
742 | ---
743 |
744 | # A06 The attack (2)
745 |
746 |
747 |
748 | - Because of an outdated version of the HTTP client library **[undici](https://github.com/nodejs/undici)** we can exploit a known **[vulnerability](https://www.cvedetails.com/cve/CVE-2022-35949/)**
749 | - By passing the value `//127.0.0.1` in the username query param, we override the original hostname and we can make the server perform a GET to `127.0.0.1:80`
750 |
751 |
752 | ---
753 |
754 | # A06 Fixing it 🪄
755 |
756 |
757 |
758 | - 💡 Update the library to a version in which this vulnerability was fixed
759 |
760 |
761 |
762 | ---
763 |
764 | # A06 The Solution 💡
765 |
766 |
767 |
768 | ```js
769 | import { request } from 'undici' //💡 updated undici version >= 5.8.1
770 | export default function (fastify) {
771 | fastify.get(
772 | '/profile',
773 | {
774 | onRequest: [fastify.authenticate]
775 | },
776 | async req => {
777 | const { username } = req.query
778 | if (/^\//.test(username)) {
779 | // check username doesn't start with /
780 | throw errors.BadRequest()
781 | }
782 | const { body, statusCode } = await request({
783 | origin: 'http://example.com',
784 | pathname: username
785 | })
786 | if (statusCode !== 200) {
787 | throw errors.NotFound()
788 | }
789 | return body
790 | }
791 | )
792 | }
793 | ```
794 |
795 |
796 |
797 | ---
798 |
799 | # A07 Identification and Authentication Failures
800 |
801 |
802 |
803 | - Verification of the user's identity, **authentication**, and session management is crucial to security
804 | - Weak or vulnerable authentication systems can be exploited to gain access
805 | - Systems with broken authentication can lead to data breaches and passwords leak
806 |
807 |
808 |
809 | ---
810 |
811 | # A07 Common Vulnerabilities
812 |
813 |
814 |
815 | - Application allows for credentials stuffing or brute forcing
816 | - Allows default, weak or known passwords
817 | - Exploitable credential recovery processes
818 | - Lack of effective **multi-factor authentication**
819 | - Unencrypted or weakly encrypted **password storage**
820 |
821 |
822 |
823 | ---
824 |
825 | # A07 How to prevent
826 |
827 |
828 |
829 | - Where possible, implement **multi-factor authentication**
830 | - Require **strong passwords** (length, complexity, rotation policies, and don't allow leaked passwords use)
831 | - Ensure registration and credential recovery use the same messages for all outcomes
832 | - Limit or increasingly delay failed login attempts
833 | - Use secure password data store practices (salting + hashing)
834 |
835 |
836 |
837 | ---
838 |
839 | # A07 Allowing leaked passwords 💧
840 |
841 |
842 |
843 | - In 2017 the NIST **[recommended](https://pages.nist.gov/800-63-3/sp800-63b.html#sec4:~:text=when%20processing%20requests,a%20different%20value)** that websites should check all new passwords against available lists of data breaches.
844 | - This practice has been adopted by OWASP and became part of their **[recommendation]()**.
845 | - In the real scenario you should try to use something like **[Have I Been Pwned](https://haveibeenpwned.com/Passwords)**
846 |
847 |
848 |
849 | ---
850 |
851 | # A07 Allowing leaked passwords 💧 (2)
852 |
853 |
854 |
855 | - In the workshop - the database contains the list of leaked passwords in `databreachrecords`
856 | - Run the server for step 7 (`cd src/a07-authentication-failures`, `npm start`)
857 | - In Postman, run the query for `A07: Register`. Observe a token is succesfully returned
858 | - In the database check the `databreachrecords` table for password used in the Postman request body
859 |
860 |
861 |
862 | ---
863 |
864 | # A07 Allowing leaked passwords 💧 (3)
865 |
866 |
867 |
868 | - It should not allow to use passwords that are known to be leaked
869 | - Instead it should require the user to set a different password indicating what is the reason
870 | - Place your solution in the `routes/user/index.js`
871 | - Test it by running `npm run verify` (it will fail initially)
872 |
873 |
874 |
875 | ---
876 |
877 | # A07 Fixing it 🪄
878 |
879 |
880 |
881 | - 💡 Using data available in `dataBreachRecords` check if requested password is safe to use
882 | - Run `sql` query inside the `/register` endpoint to check if the password is there
883 | - Return a `400` error with `message` indicating the source of the leak: `'You are trying to use password that is known to be exposed in data breaches: ${source}. Use a different one. Read more here: https://haveibeenpwned.com/Passwords.'`
884 |
885 |
886 |
887 | ---
888 |
889 | # A07 Solution 💡
890 |
891 |
892 |
893 | ```js
894 | const {
895 | rows: [breach]
896 | } = await fastify.pg.query(
897 | SQL`SELECT * FROM databreachrecords WHERE password=${password}`
898 | )
899 |
900 | if (breach) {
901 | res.send(
902 | errors.BadRequest(
903 | `You are trying to use password that is known to be exposed in data breaches: ${breach.source}. Use a different one. Read more here: https://haveibeenpwned.com/Passwords.`
904 | )
905 | )
906 | }
907 | ```
908 |
909 |
910 |
911 | ---
912 |
913 | # A08 Software and Data Integrity Failures
914 |
915 |
916 |
917 | - Code and infrastructure not protected against **integrity violations**
918 | - Attackers gaining access to a plugin and deploy an unverified update which would get distributed to all its users
919 |
920 |
921 |
922 | ---
923 |
924 | # A08 Common Vulnerabilities
925 |
926 |
927 |
928 | - Libraries coming from **untrusted sources**, repos or CDNs
929 | - Deserialization of Untrusted Data, where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to **insecure deserialization**
930 | - An insecure CI/CD pipeline
931 | - Updates downloaded without sufficient integrity verification
932 |
933 |
934 |
935 | ---
936 |
937 | # A08 How to prevent
938 |
939 |
940 |
941 | - Using digital signatures for integrity checks on data and downloaded software
942 | - Ensure **npm dependencies** are trusted. For higher risks, host a custom repository of packages with internally vetted dependencies
943 | - Use automated tools to verify that components don't contain known vulnerabilities
944 | - Ensure there are code reviews for changes to minimise the risk of malicious code being introduced
945 |
946 |
947 |
948 | ---
949 |
950 | # A08 Exercise: Insecure Deserialization
951 |
952 |
953 |
954 | - Run the server for step 8 (`cd src/a08-software-data-integrity-failures`, `npm start`)
955 | - In Postman, try to run the query for `A08: Get profile from cookie`. There is a cookie attached to the request `/profile` containing the user's profile encoded as base64. Observe the request `status code 500` being returned
956 | - This is happening because the server is deserializing a `cookie containing a malicious JavaScript` code which is forcing the server to throw an exception
957 |
958 |
959 |
960 | ---
961 |
962 | # A08 Exercise: Insecure Deserialization
963 |
964 |
965 |
966 | - When decoding the cookie attached to the `/profile` request, this is what the output looks like:
967 |
968 | ```javascript
969 | // base64 to ASCII
970 | {
971 | id: 1,
972 | username:
973 | "_$$ND_FUNC$$_function () {\n throw new Error('server error')\n }()"
974 | }
975 | ```
976 |
977 | - Note that there is an `IIFE` at the end of the username key, and this causes the function to run on the server as it is doing an insecure deserialization
978 | - The full step by step to serialize a JavaScript code and inject it as a cookie can be found [in this article](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)
979 |
980 |
981 |
982 | ---
983 |
984 | # A08 Fixing it 🪄
985 |
986 |
987 |
988 | - Run the automated tests for step 8 - `npm run verify`
989 | - The tests fail because the server shouldn't trust a library that provides a way to deserialize strings into executable JavaScript code
990 | - Untrusted data passed into `unserialize()` function in `node-serialize` module can be exploited to achieve arbitrary code execution by passing a serialized JavaScript Object with an Immediately invoked function expression (IIFE)
991 | - 💡 `JSON.parse` is a safer way to deserialize data
992 |
993 |
994 |
995 | ---
996 |
997 | # A08 Solution 💡
998 |
999 |
1000 |
1001 | ```js
1002 | export default async function solution(fastify) {
1003 | fastify.get('/profile', req => {
1004 | const cookieAsStr = Buffer.from(req.cookies.profile, 'base64').toString(
1005 | 'ascii'
1006 | )
1007 |
1008 | const profile = JSON.parse(cookieAsStr)
1009 |
1010 | if (profile.username) {
1011 | return 'Hello ' + profile.username
1012 | }
1013 |
1014 | return 'Hello guest'
1015 | })
1016 | }
1017 | ```
1018 |
1019 |
1020 |
1021 | ---
1022 |
1023 | # A09 Security Logging and Monitoring Failures
1024 |
1025 |
1026 |
1027 | - Proper logging and monitoring is **critical** to detecting and responding to breaches
1028 | - It is important for alerting, accountability, visibility and forensics of security incidents
1029 |
1030 |
1031 |
1032 | ---
1033 |
1034 | # A09 Common Vulnerabilities
1035 |
1036 |
1037 |
1038 | - Auditable events, such as logins, failed logins, and **high-value transactions**, are not logged
1039 | - Warnings and errors generate no, inadequate, or unclear log messages
1040 | - Logs of applications and APIs are not monitored for **suspicious activity**
1041 | - The application cannot detect, escalate, or alert for active attacks in real-time or near real-time
1042 |
1043 |
1044 |
1045 | ---
1046 |
1047 | # A09 How to prevent
1048 |
1049 |
1050 |
1051 | - Ensure all login, access control, and server-side input validation failures can be logged with **sufficient user context** to identify suspicious or malicious accounts
1052 | - Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems
1053 | - Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
1054 |
1055 |
1056 |
1057 | ---
1058 |
1059 | # A09 Suspicious activity 🤨
1060 |
1061 |
1062 |
1063 | - Run the server for step 5 (`cd src/a09-security-logging`, `npm run verify`)
1064 | - You can observe a log message `something suspicious is happening`
1065 | - Note that the application is using a vulnerable version of the http client **[undici](https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3)**
1066 |
1067 |
1068 |
1069 | ---
1070 |
1071 | # A09 Fixing it 🪄
1072 |
1073 |
1074 |
1075 | - 💡 Log user input to identify suspicious or malicious access
1076 | - Validate user input
1077 |
1078 |
1079 |
1080 | ---
1081 |
1082 | # A09 Solution 💡
1083 |
1084 |
1085 |
1086 | ```js
1087 | // profile route handler
1088 |
1089 | async req => {
1090 | console.log({
1091 | username: req.user.username, // add context to logs to help identify the user
1092 | input: req.headers['content-type']
1093 | })
1094 | const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/ // validate user input
1095 | if (headerCharRegex.exec(req.headers['content-type']) !== null) {
1096 | throw errors.BadRequest()
1097 | }
1098 | const { body } = await request('http://localhost:3001', {
1099 | method: 'GET',
1100 | headers: {
1101 | 'content-type': req.headers['content-type']
1102 | }
1103 | })
1104 | return body
1105 | }
1106 | ```
1107 |
1108 |
1109 |
1110 | ---
1111 |
1112 | # A10 Server Side Request Forgery
1113 |
1114 |
1115 |
1116 | - SSRF flaws occur whenever a web application is fetching a remote resource without **validating** the user-supplied URL
1117 | - It allows an attacker to coerce the application to send a crafted request to an **unexpected destination**, even when protected by a firewall, VPN, or another type of network access control list
1118 |
1119 |
1120 |
1121 | ---
1122 |
1123 | # A10 How to prevent
1124 |
1125 |
1126 |
1127 | - **Sanitize and validate** all client-supplied input data
1128 | - Enforce the URL schema, port, and destination with a positive allow list
1129 | - Do not send raw responses to clients
1130 | - Disable HTTP redirections
1131 | - ❗ Do not mitigate SSRF via the use of a deny list or regular expression
1132 |
1133 |
1134 |
1135 | ---
1136 |
1137 | # A10 The Attack 🥷
1138 |
1139 |
1140 |
1141 | - Run the server for step 10 (`cd src/a10-server-side-request-forgery`, `npm start`)
1142 | - In Postman, run the query for `A10: Upload Image`. Observe an image being returned
1143 | - Try to run the query for `A10: Malicious Image url`. Observe `something suspicious is happening` being returned
1144 | - The server is not sanitizing user input so it will send a request to whatever url provided in the payload
1145 |
1146 |
1147 |
1148 | ---
1149 |
1150 | # A10 Fixing it 🪄
1151 |
1152 |
1153 |
1154 | - Sanitize the url making sure it's valid
1155 | - Create a whitelist of allowed domains by adding them in the database column `allowedImageDomain`
1156 | - 💡 Make sure the requested domain is in the whitelist
1157 |
1158 |
1159 |
1160 | ---
1161 |
1162 | # A10 Solution 💡
1163 |
1164 |
1165 |
1166 | ```js
1167 | export default async function profilePicture(fastify) {
1168 | fastify.post(
1169 | '/user/image',
1170 | {
1171 | onRequest: [fastify.authenticate]
1172 | },
1173 | async req => {
1174 | const { imgUrl } = req.body
1175 | const url = validateUrl(imgUrl) // validate url using the URL object
1176 | const {
1177 | rows: [whitelisted]
1178 | } = await fastify.pg.query(
1179 | SQL`SELECT * FROM allowedImageDomain WHERE hostname = ${url.hostname}`
1180 | )
1181 | if (!whitelisted) {
1182 | throw errors.Forbidden()
1183 | }
1184 | const { data } = await axios.get(url.href)
1185 | return data
1186 | }
1187 | )
1188 | }
1189 | ```
1190 |
1191 |
1192 |
1193 | ---
1194 |
1195 | # Beyond the Top 10
1196 |
1197 |
1198 |
1199 | - The OWASP Top 10 is a good introduction to the most common issues to keep in mind while developing
1200 | - By its nature, the Top 10 is a series of guidelines but can't be tested easily as its applications are broad
1201 | - On the other hand the [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) is a comprehensive list of security criteria
1202 | - Those are specific, standardised and verifiable security requirements on which on app can be tested to either pass or fail
1203 |
1204 |
1205 |
1206 | ---
1207 |
1208 | # Other useful OWASP resources
1209 |
1210 |
1211 |
1212 | - The [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org) provides condensed information on specific security topics related to OWASP standards
1213 | - The [OWASP Software Assurance Maturity Model](https://owaspsamm.org) can help an organization analyze and improve their software security
1214 |
1215 |
1216 |
1217 | ---
1218 |
1219 | # Thanks For Having Us!
1220 |
1221 | ## 👏👏👏
1222 |
--------------------------------------------------------------------------------