Tilak T Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.

1. Singapore | 28 Feb - 01 Mar 2019
Web Services aren’t as secure as we
think
Tilak.T

2. Singapore | 28 Feb - 01 Mar 2019
Yours truly
• Senior Solutions Engineer at we45
• Full Stack Developer
• Developer of Open-Source
• Trainer and Speaker
• PSF Member
• Part of multiple CTF
@ti1akt

3. Singapore | 28 Feb - 01 Mar 2019
Outline
• Why security is important
• Unique Vulnerabilities
• Demo !
• DevSecOps Pipeline
@ti1akt

4. Singapore | 28 Feb - 01 Mar 2019
Why web services aren't secure
@ti1akt

5. Singapore | 28 Feb - 01 Mar 2019
Ref: https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/ @ti1akt

6. Singapore | 28 Feb - 01 Mar 2019
Unique Vulnerabilities
• JWT Manipulation
• Insecure Deserialization
• Insecure Direct Object Reference
• Etc …
@ti1akt

7. Singapore | 28 Feb - 01 Mar 2019

8. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

9. Singapore | 28 Feb - 01 Mar 2019
JWT Manipulation
OWASP-2017 A5 Broken Access Control
@ti1akt

10. Singapore | 28 Feb - 01 Mar 2019
Why JWT
• Stateless Application
• Authorization Mechanism
• Transfers information between
server and client
• Scalable and decoupled
@ti1akt

11. Singapore | 28 Feb - 01 Mar 2019
JSON Web Token(JWT)
• The process is relatively simple (typically):
• Once a user authenticates, the server generates some JSON payload (with some info)
and signs the JSON payload with a key
• This can be a HMAC Based Key (HS256) or a Asymmetric System (RS256)
• The token is sent by the client (like a session cookie)
• The server attempts to verify the token based on the signature and allows/disallows
the user to perform actions
@ti1akt

12. Singapore | 28 Feb - 01 Mar 2019
Lots of ways to get JWT wrong
• Modify the algorithm to `none`
• Leakage of sensitive
information
• Algorithm Confusion
• Cracking Secret Keys
@ti1akt

13. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

14. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

15. Singapore | 28 Feb - 01 Mar 2019
Insecure Deserialization
OWASP-2017 A5 Broken Access Control
@ti1akt

16. Singapore | 28 Feb - 01 Mar 2019

17. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

18. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

19. Singapore | 28 Feb - 01 Mar 2019

20. Singapore | 28 Feb - 01 Mar 2019
Basic Pipeline Demo
@ti1akt

21. Singapore | 28 Feb - 01 Mar 2019
SecDevOps Jenkins pipeline
@ti1akt

22. Singapore | 28 Feb - 01 Mar 2019
@ti1akt

23. Singapore | 28 Feb - 01 Mar 2019
Abhay Bhargav
Rahul Raghavan
Sandeep Patil
Sharath Kumar
Nithin Jois

24. Singapore | 28 Feb - 01 Mar 2019
Thank You
https://github.com/we45/DevSecCon2019
@ti1akt