Hack Your Own Code: Advanced training for developers

Trainer: David Byrne, Charles Henderson (Trustwave)

Audience Background: Technical, Programmers

Skill Level: Intermediate, Advanced, Programmers

Duration: 2 days – July 10-11, 2012

Training Summary:

This class provides developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities. Unlike most training, this will not use static demos based on pre-canned source code. Students will program small parts of a larger application during the class’s lab periods. After the component has been written, students will review the code for the vulnerability being focused on in the lab. Vulnerable code will be run on a class-accessible server while the instructor guides students through exploiting the vulnerabilities. After the vulnerability has been exploited, students will be shown how their own code can be fixed (if it was vulnerable) and the best way to prevent the flaw in the first place.

This full process will be performed for all major code vulnerabilities in the OWASP Top Ten. Exploitation and patching labs (but not programming) will be held for other vulnerabilities, including logic flaws that are hard to represent on the Top Ten. Several labs will feature prizes for the students who first find or exploit the targeted vulnerability. Environments and examples will be set up for all major platforms requested by pre-registered students. Students should bring a laptop with them, preferably with VMware Player already installed. A virtual machine based on the OWASP Live Boot CD will be provided for lab work. The virtual machine will include development tools, but students should feel free to bring their favorite programs too.

Attendee takeaways and key learning objectives:

  • How to prevent common vulnerabilities with secure development practices.
  • How vulnerabilities can be exploited in the real world.
  • How vulnerabilities can be located and patched in existing code.

Trainer Bio:

David Byrne has worked in information security for over a decade. Currently, he is a managing consultant in Trustwave’s Application Security group. Before Trustwave, David was the Security Architect at Dish Network, one of the world’s largest satellite television companies. In 2006, he started the Denver chapter of OWASP. In 2008, David released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including OWASP AppSec USA, OWASP Research Europe, DEFCON, Black Hat, Toorcon, FROC, the SANS penetration testing summit, and the Computer Security Institute’s annual conference.

Charles Henderson is the Director of Application Security Services of SpiderLabs at Trustwave. Charles Henderson began his career in computer security in 1993, specializing in penetration testing as well as security and vulnerability research. As Director of Application Security Services at SpiderLabs, he leads the team responsible for Application Penetration Testing, Code Review, Secure Development Training, and other elite application security consulting services. Prior to joining SpiderLabs, Henderson ran his own boutique application security testing firm. Henderson’s firm provided offensive security services to a wide variety of clients in the United States and Europe. Henderson speaks frequently at major industry events and conferences, including BlackHat, DEF CON, AppSec US, AppSec EU, SOURCE, and the International Association of Financial Crime Investigators convention.

Outline:

  • Introductions
  • Agenda
  • Secure Development Lifecycle (SDLC)

A cradle to grave development life cycle is outlined. Threat modeling is introduced as a means of ensuring that software design can meet policy needs.

  • Lab: Threat Modeling

Different application scenarios will be described and the class will verbally work through modeling threats to them. The primary goal is to get developers to think like an attacker, allowing them to anticipate threats to their own applications.

  • Principles of Secure Code

Focusing on code quality concepts, the practices that help to quantify secure coding are explored. Practical goals and approaches are reviewed, so that a consistent understanding of “secure” can be encouraged and measured appropriately.

  • Authentication & Authorization

The different aspects of authentication and authorization are covered. Pitfalls and common attacks against identity management are explored. Mistakes covered include insecure direct object references, failure to restrict URL access, and various types of other authentication and authorization bypass.

  • Lab: Access Control

Students will learn to attack several web pages that contain a variety of access control vulnerabilities, including Insecure Direct Object Access and Failure to Restrict URL Access. After the vulnerabilities have been exploited, the source code will be reviewed by the students to pinpoint where the flaw was introduced. Strategies will be discussed for preventing this type of flaw.

  • Mini-Lab: Weak Session Identifiers

A variety of weak and some strong session identifiers will be provided to students, along with tools for gauging their strength.

  • Session Management

Due to the stateless nature of the web, the security implications of session generation and management are discussed. This includes both client-side token tracking and server-side session handling.

  • Lab: SQL Injection

Students will finish a simple web page that generates a report based on user-supplied input. Student code (and vulnerable code provided by the instructor) will be deployed on the class web server and tested for SQL Injection vulnerabilities. Students will be shown how SQL Injection can be exploited to extract data and execute arbitrary system commands.

After the attacks are complete, vulnerable source code will be reviewed as a group to spot where the vulnerability was introduced.

  • Lab: Cross-Site Scripting

Students will finish two simple web pages that store user-supplied input for comments on a blog. Student code (and vulnerable code provided by the instructor) will be deployed on the class web server and tested for Cross-Site Scripting vulnerabilities. Students will be shown how Cross-Site Scripting can be exploited to control a victim user’s browser and supply arbitrary content on the website.

After the attacks are complete, vulnerable source code will be reviewed as a group to spot where the vulnerability was introduced.

  • Input Validation

The heart of securing software is dealing with user-controlled data to ensure that it doesn’t violate the integrity of a computer system. Improper input validation can allow for vulnerabilities like Cross-Site Scripting and SQL Injection, which are covered extensively. Where relevant, buffer overflow attacks will be covered. Less common input validation vulnerabilities such as XML Injection, XML Entity Expansion, XPath Injection, and LDAP Injection are also discussed. The advantages of whitelisting over blacklisting are explained, and examples are provided of when more flexible validation schemes are required.

  • Lab: SQL Injection Patching

The source code from the SQL Injection lab will be revisited and the vulnerabilities will be patched and tested.

  • Lab: Cross-Site Scripting Patching

The source code from the Cross-Site Scripting lab will be revisited and the vulnerabilities will be patched and tested.

  • Proper Encryption

Initialization vectors, key generation and storage, cipher selection, and decryption oracles will all be discussed. Hashing and secure password storage will also be explained.

  • Mini-Lab: Hash Breaking

A set of insecurely generated password hashes will be provided to the students along with tools used for password attacks. Students will be shown how easy and fast it is to obtain plaintext passwords from insecure storage.

  • Logic Flaws

Application logic flaws can be devastating, but may take no special technical skills to exploit. Preventing them during the design and implementation phases will be discussed, as will techniques for finding logic flaws in existing applications.

  • Lab: Logic Flaw Exploitation

Students will be given access to several webpages with logic flaws on the class server.

  • Other Attacks

This module explores additional vectors of attack such as Cross-Site Request Forgery, insecure redirects, HTTP response splitting, browser specific issues, and rich media security. Compound and other advanced attacks are also covered in this module.

  • Mini-Lab: XML Attacks

Students will be given the opportunity to interact with several webpages that accept XML input. A number of XML attacks will be possible, including XML Injection, XML Bombs, and XML System Entity Expansion.

  • Security Hygiene

Handling exceptional circumstances poorly can leak information about a system that is useful to an attacker, and in some cases can itself be a source of compromise. This module outlines a variety of concerns and best practices in the logging and communication of errors.

  • Final Lab: Hacking Contest

All remaining time will be used for students to test their skills against an intentionally vulnerable web application. The student that discovers the most vulnerabilities will receive the grand prize!