Security are happening every day. Some make it to the news, some don't. The question is: do you want your company to be in the news? Guess not. Security can be enforced at multiple levels, but we will focus on the basic one: in the code. In the talk, Isabelle explains why developers need to care about security, which tools are their disposal and demo several approaches to basically hack yourself, because somebody (or something!) out there is already trying or planning to. Find out more at https://madrid2018.codemotionworld.com/speakers/

1. You want your apps to be safe?
Hack yourselves!
Isabelle Mauny - 42Crunch
Madrid | November 30 - December 1, 2018
ISABELLE@42CRUNCH.COM

2. OWASP : FROM 2010 THROUGH 2017
2
TOP 10 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Top 10 2017
A1: Injection*
A2: Broken Authentication*
A3: Sensitive Data Exposure*
A4: XML External Entities (XXE)*
A5: Broken Access Control*
A6: Security Misconfiguration*
A7: Cross-Site Scripting (XSS)*
A8: Insecure Deserialization*
A9: Using Components with Known Vulnerabilities*
A10: Insufficient Logging&Monitoring*
* APPLIES TO APIs!

3. LET’S LOOK AT A
BROKEN APP
3

4. 4

5. NOT ONLY IN
DEMOS…
5

6. BROKEN AUTHENTICATION (A2)
6
I am not advertising this API,
how could anyone know about it ?!
https://motherboard.vice.com/en_us/article/598xaa/remini-app-exposed-childrens-data-open-api

7. 7
Information Leakage (A3)
Broken Access Control (A5)
Check: https://www1.cs.fau.de/filepool/
projects/n26/n26-roots.pdf
Watch video at: https://media.ccc.de/v/
33c3-7969-shut_up_and_take_my_money

8. N26 CONTINUED…
8

9. 9
Failed to properly validate that you
can’t input any other number than
yours!

10. TITLE TEXT
Remote Command Execution (A1)
SQL Injection (A1)
JSON injection (A1)
Information Leakage (A3)
Broken Access Control (A5)
Check: https://blog.talosintelligence.com/2018/07/
samsung-smartthings-vulns.html
10

11. 11https://www.talosintelligence.com/reports/TALOS-2018-0539/

12. UNPROTECTED API ! (A6)
Remote Command Execution
SQL Injection
Buffer Overflow
JSON injection
Information Leakage
Check: https://blog.talosintelligence.com/2018/07/samsung-
smartthings-vulns.html
12https://ninja.style/post/bcard/

13. AND OF COURSE …. EQUIFAX FOR A9
13

14. WHY IS THIS
HAPPENING?
14

15. WE ARE
HUMANS!
15

16. 16

17. TITLE TEXTDIGITAL TRANSFORMATION MADNESS….
17
APPLICATION
DEVELOPMENT
APPLICATION
SECURITY

18. CONTROLLER LAYER IS GONE!
18Internal Applications Legacy Systems Databases
Integration
Layer
Technical and
Functional
(micro)Services
SaaS Applications
Things
App-level
APIs

19. TITLE TEXTHOW SECURITY PEOPLE FEEL ABOUT APIS
19

20. YOU GOT
THE
POWER!
20

21. LETS COVER THE
BASICS…
21

22. 22

23. KNOW YOUR
APIS
23
1
See: https://www.owasp.org/index.php/Application_Threat_Modeling

24. OPEN BANKING SAMPLE CATEGORISATION
24
API Category Data Sensitivity
Operations
Sensitivity
Authentication
Requirements
Integrity
Requirement
ATMs OpenData Low Low None None
Accounts Read High Medium Medium Required
Payments Write High High High Required

25. VALIDATE AND
SANITIZE INPUT
25
URL validation
Verb validation
✓ Reject if not valid
Query params validation
✓ Min / Max / Pattern-based matching
Content-Type validation
✓ Don’t accept as-is!
Accept Header validation
✓ Don’t copy into Content-Type
Data inbound
✓ Format
✓ Message Size and complexity
Data outbound
✓ Data Leakage
✓ Exception Leakage
✓ Use rules against data dictionary
2
OPENAPI SPECIFICATION to the RESCUE !

26. USE OAUTH
PROPERLY
26
OAuth Grant Types
✓ Authorization Code
✓ Others are usually not the safe option.
Do not use OAuth as proof of authentication, use
OpenID Connect instead.
Leverage PKCE
3
OPENAPI SPECIFICATION to the RESCUE !

27. OAUTH THREAT LANDSCAPE
Sensitive information
✓ Access tokens: the key to open the API door
✓ Refresh tokens: the key to obtain many valid access tokens
✓ Authorization code : to obtain an access token
✓ State : protection against CSRF attacks
Common attacks vectors
✓ Token leakage g TLS 1.2 + strong ciphers, short-lived, token binding, protected storage
✓ Code Interception attacks g Use PKCE (Proof Key for Code Exchange)
✓ Token replay g Token Binding (over TLS) or Mutual TLS for OAuth
✓ Redirect URI Forgery g standard CRSF attacks countermeasures (OWASP)
REQUIRES PROTECTION MEASURES ON CLIENT AND SERVER SIDE
27

28. VALIDATE JSON
WEB TOKENS
28
Don’t trust the incoming tokens!
Client could have been compromised…
Validate algorithm (the one you chose!)
✓ HS256
✓ RS256 (recommended)
Reject None!
Validate signature
✓ Prefer digital signatures over HMAC
✓ If not, be careful of key exchange
Validate standard claims and your own claims
See details Learn the best practices for keeping your JWTs secure.
4
OPENAPI SPECIFICATION (AGAIN) to the RESCUE !

29. EXTERNAL/ PUBLIC VS INTERNAL TOKENS
29
Token Server
Validate/
Issue token

30. FINE-GRAIN
AUTHORIZATION
30
Who is calling ?
✓ Is it your own app ?
✓ Is it a trusted user ?
What can they do ?
OAuth Scopes are often not enough !
✓ Need Attributes-based Access Control (ABAC)
solution (XACML!)
5

31. FINDING
VULNERABILITIES
31

32. START EARLY: SHIFT LEFT !
32
DeploymentTestingDevelopmentDesign

33. 33
Development
Security
Operations
Business

34. COVER THE
BASICS
34
Use Trusted Libraries
Don’t re-invent the wheel!
Automated Analysis
Static code analysis
3rd party libraries validation (CVEs), e.g.
NPS / Snyk for Node.js
GitHub dependencies graph
Manual Analysis
Code reviews
1

35. 35
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

36. 36

37. HACK
YOURSELVES!
37
API Scanning/Fuzzing
✓ Veracode, Coverity
✓ 42Crunch (coming soon!)
Transport analysis
✓ SSL Labs
✓ Hardenize
Further Analysis
✓ Bug Bounty
✓ Pen Testing
2

38. 38
PROTECT YOUR
APIS
3
Protect all APIs ( public, private, SaaS)
AUTOMATICALLY deploy security measures
such as API Security Gateways/Firewalls
✓ Enforce Rate Limiting
• Brute force attacks (see N26!)
• DOS attacks
✓ Data Validation / JWT Validation / Auth / Azn
✓ Serves as Virtual Patching (as a WAF does for applications)
✓ Deploy at the edge and/or close to APIs (microservices
architecture)

39. Use Development ticketing system for
tracking issues
Analyse runtime behaviour and raise
issues automatically
39
MONITOR AND
ANALYZE
4

40. JOIN THE MAILING LIST !
APISECURITY.IO
REGISTER AND LEARN FROM MORE STORIES!

41. RESOURCES
41

42. RESOURCES
OWASP Top 10
✓ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
OWASP DevSlop Project
✓ https://www.owasp.org/index.php/OWASP_DevSlop_Project
Chaos Engineering
✓ http://principlesofchaos.org
✓ https://github.com/dastergon/awesome-chaos-engineering
OWASP ZAP
✓ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Source Code Analysis
✓ https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Code Security reviews
✓ https://www.owasp.org/index.php/Code_Review_Introduction
Systems Scans
✓ https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
Security Methodology
✓ https://developer.rackspace.com/blog/fanatical-security-delivered-by-quality-engineering-security-team/ 42

43. RESOURCES
SSL Setup Scan
✓ https://hardenize.com
✓ https://securityheaders.io
✓ https://www.ssllabs.com/ssltest/
Threat Modelling
✓ https://www.owasp.org/index.php/Application_Threat_Modeling
Attacks Type Information
✓ XSS: https://excess-xss.com
✓ Buffer Overflow: https://www.youtube.com/watch?v=1S0aBV-Waeo
✓ SQL injection: https://www.youtube.com/watch?v=ciNHn38EyRc
✓ Cookie stealing /XSS: https://www.youtube.com/watch?v=T1QEs3mdJoc
Pixi / DevSlop
✓ https://github.com/DevSlop/Pixi
✓ https://devslop.co
JWT as session data
✓ https://dzone.com/articles/stop-using-jwts-as-session-tokens
Node JS Security recommendations
✓ https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d
43