There are so many sophisticated ways to exploit web applications, that it’s almost impossible for a developer to write completely secure code. But we can’t accept this situation. We can’t expose our users (and our user's data) to hackers. So what we can do? We can switch from defense to offense. We can take hacking tools, used by malicious hackers, and use them to test our web application for security issues. In this talk, we will take a vulnerable web application, and try to find as many vulnerabilities as we can - using only automated tools. I’ll discuss the vulnerabilities we find, explain why we should care - and how we can remediate it securely. All the tools I’ll use are tools you can start using today - to scan your applications and make sure you deploy more secure applications.

1. Hacking Like a FED
Omer Levi Hevroni
@omerlh
@SolutoEng

2. Every line of code can introduce a new security issue
@omerlh

3. @omerlh

4. I’m a Developer
@omerlh

5. AppSec @
@omerlh

6. https://www.solutotlv.com/ @omerlh

7. @omerlh

8. @omerlh
FED’s Hacking Tool

9. @omerlhhttps://github.com/omerlh/juice-shop/pull/6

10. @omerlh

11. @omerlh
Dynamic Analysis Security Testing
https://www.zaproxy.org/

12. @omerlh
What Zap does?
• Inspecting request and response
• Run scan rules:
○ Cookies misconfiguration
○ Security HTTP Headers
○ Mixed Content
○ And many more

13. @omerlh
Leveraging End to End Tests

14. @omerlh
Example: Proxy Configuration

15. @omerlh
Running in the CI
• Run e2e tests
• Proxy through Zap
• Fail the build

16. @omerlh
And the result…

17. @omerlh

18. @omerlh

19. @omerlh
Cross Site Request Forgery (CSRF)

21. @omerlh

22. @omerlh
Mitigating CSRF
• Using SameSite attribute
• Adding Anti-CSRF token
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-
Site_Request_Forgery_Prevention_Cheat_Sheet.md

23. @omerlh
Static Analysis Security Testing
https://github.com/ajinabraham/NodeJsScan

24. @omerlh
Running it in the CI
Target Folder Repot file

25. @omerlh

26. @omerlh
Failing the build
Glue file Repot file

27. @omerlh
And the results…

28. @omerlh
trackorder.js

29. @omerlh
Normal Input

30. @omerlh
Malicious Input

31. @omerlh
Exploit time!

32. @omerlh
Viola!

33. @omerlh
Mitigating NoSQLi
• Never trust user input
• Input Sanitization

34. @omerlh
Packages Scanning
https://snyk.io/

35. @omerlh

36. @omerlh
What if one of this packages is vulnerable?

37. @omerlh
Running in the CI
https://snyk.io/docs/github/

38. @omerlh
And the results…

39. @omerlh
Let’s zoom in

40. @omerlh
Cross Site Scripting
• Code injection
• Usually, very high risk

41. @omerlh
Let’s zoom in

42. @omerlh
We can see the original GitHub issue!

43. @omerlh
Let’s exploit it!

44. @omerlh
Viola!

45. @omerlh
Fixing Vulnerable Packages

46. @omerlh
Mitigating XSS
• Never trust user input
• Input sanitization
• Security headers
• React is not immune to XSS!
https://github.com/OWASP/CheatSheetSeries/blob/master/che
atsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

47. @omerlh
Wrapping Up

48. @omerlhhttps://github.com/omerlh/juice-shop/pull/6

49. @omerlh
Tool Type Tool Name Ease of Use
Packages Scanning Snyk Easy
Static Analysis NodeJSScan Medium
Dynamic Analysis OWASP Zap Hard
https://wp.me/pakmvi-3g
Tools Summary

50. @omerlh
Feedback is much appreciated!

51. @omerlh

52. @omerlh
https://wp.me/pakmvi-3g

53. Thank You
Omer Levi Hevroni
April 2019
@omerlh
http://jobs.soluto.com/