DevConf.US 2020 - OWASP Top -10 - Allon Mureinik

•

0 gostou•198 visualizações

Not everyone is a security expert. Of course, not everyone needs to be a security expert, but in today’s world of rapid development and deployment, developers cannot afford to ignore security considerations completely, and “just leave it up to the security team to review”. In this talk, I’ll present the OWASP Top-10 project, an (incomplete) list of the top security vulnerabilities (web) developers face. I will then talk about how developer-awareness from the ground up is a key to shifting left the way we think about security, which is the first step in creating better-secured applications. Slides from my talk at DevConf.US 2020 Recording: https://www.youtube.com/watch?v=Unf-U_hPpH4 Demo code: https://github.com/mureinik/owasp-top10-demo

Software

OWASP Top Ten
Quickstart Your Security Awareness
Allon Mureinik
Senior Manager, Seeker Node.js and .NET Agents
Synopsys, Inc.
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/

© 2020 Synopsys, Inc. 2OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Setting Expectations
http://montypython.com/

© 2020 Synopsys, Inc. 3OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Security is everyone's responsibility
https://thenounproject.com/term/security/957678

© 2020 Synopsys, Inc. 4OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
But it starts with the developer
https://thenounproject.com/term/developer/94089

© 2020 Synopsys, Inc. 5OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
OWASP
https://owasp.org/

© 2020 Synopsys, Inc. 6OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
OWASP Top Ten
https://owasp.org/www-project-top-ten/
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10.Insufficient Logging and Monitoring

© 2020 Synopsys, Inc. 7OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
OWASP Top Ten
https://owasp.org/www-project-top-ten/
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10.Insufficient Logging and Monitoring

© 2020 Synopsys, Inc. 8OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
A1:2017 Injection
https://thenounproject.com/term/injection/1827356

© 2020 Synopsys, Inc. 9OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
SQL Injection
https://xkcd.com/327/

© 2020 Synopsys, Inc. 10OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Log Injection
app.post('/logi', function(req, res) {
// We trust our users, every login will be successful!
const username = req.body.username;
// Enterprise-grade logging FTW!
console.log(username + ' logged in.');
res.end('Logged in with the honor system');
});

© 2020 Synopsys, Inc. 11OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Log Injection - demo

© 2020 Synopsys, Inc. 12OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
A4:2017 XML External Entities (XXE)
https://thenounproject.com/term/xml/3123782

© 2020 Synopsys, Inc. 13OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
XXE Injection
app.use(bodyParser.text({type: '*/*'}));
app.post('/xxe', function(req, res) {
const parsed = libxmljs.parseXml(req.body, {noent: true});
const name = parsed.get('//name').text();
res.end('Name is: ' + name);
});

© 2020 Synopsys, Inc. 14OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
XXE Injection - demo

© 2020 Synopsys, Inc. 15OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
A7:2017 Cross-Site Scripting (XSS)
https://thenounproject.com/term/html/101165

© 2020 Synopsys, Inc. 16OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Stored XSS
app.get('/xss', function (req, res) {
db.all('SELECT comment FROM comments ORDER BY ts DESC', [], function(err, rows) {
const comments = rows.map(r => r.comment).join('<br/>');
const body =
`<html lang="en">
<body>
How is DevConf.US so far?<br/>
<form action="/xss" method="post">
<input name="comment" type="text"> <input type="submit">
</form>
<br/>
Here's what others are saying:<br/>
${comments}
</body>
</html>`;
res.send(body);
});
});

© 2020 Synopsys, Inc. 17OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Stored XSS (cont.)
app.post('/xss', function (req, res) {
db.run('INSERT INTO comments(comment) VALUES (?)',
[req.body.comment],
function (err) {
if (err) {
return console.log(err.message);
}
});
res.writeHead(302, {
'Location': 'xss'
});
res.end();
});

© 2020 Synopsys, Inc. 18OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Stored XSS - demo

© 2020 Synopsys, Inc. 19OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Summary
https://thenounproject.com/term/brief/935656

© 2020 Synopsys, Inc. 20OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
•OWASP Top-10 Project:
https://owasp.org/www-project-top-ten/
•Source code for the demos:
https://github.com/mureinik/owasp-top10-demo
•curl, used throughout the demos:
https://curl.haxx.se/
Some useful links

© 2020 Synopsys, Inc. 21OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0)
Questions?
https://thenounproject.com/term/questions/1195076/

Thank You
Contact
allon.mureinik@synopsys.com
@mureinik
https://www.linkedin.com/in/mureinik/

Mais conteúdo relacionado

Mais de Allon Mureinik

Node.js’ single-threaded nature makes it very susceptible to DOS attacks. While Node.js’ event loop allows performing some operations in an asynchronous fashion, it’s still quite easy to write a vulnerable Node.js application by making a few simple mistakes. In this talk I’ll cover some common ways a Node.js application may be vulnerable to DoS attacks and some common best-practices and counter measures to defend against such attacks. This first-ever talk at FlawCon, hosted at OggCamp 2019

This DoS goes loop-di-loop

Allon Mureinik

Management seems like a simple job - you tell people what to do, they do it, rinse, repeat. For bad managers, it really is this simple. Good managers do things differently. They let team members affect, if not drive, the team's direction. They allow the best ideas to guide the team's activity, no matter who brings them up. They are not intimidated by non-managers displaying leadership qualities, they encourage them. While these sentiments aren't unique to open source, they are the core of open source communities - allowing individuals to exert influence without any official authority. That's why I think working in open source is the best way to learn how to be a good manager, and I'll try to share this concept in my talk.

How open source made me a better manager

Allon Mureinik

Being a maintainer, or even a notable contributor in an open source project is a damn hard job. Not only are you expected to tackle the hardest programming tasks, but suddenly you're also expected to do all these "softer" things - review other people's work, provide feedback, ramp up other contributors, etc. In this talk from DevConf.us 2018, I've shown how your gut instinct as an engineer - to automate everything - can actually work here too (at least to a certain degree), and take a lot of the load off your shoulders.

Automatic for the People

Allon Mureinik

Being a maintainer, or even a notable contributor in an open source project is a damn hard job. Not only are you expected to tackle the hardest programming tasks, but suddenly you're also expected to do all these "softer" things - review other people's work, provide feedback, ramp up other contributors, etc. In this session, I'll show how your gut instinct as an engineer - to automate everything - can actually work here too (at least to a certain degree), and take a lot of the load off your shoulders. Slides from my DevConf.CZ 2018 talk

Automatic for the people

Allon Mureinik

Mockito - How a mocking library built a real community

Allon Mureinik

Mockito - how a mocking library built a real community (August Penguin 2017)

Allon Mureinik

Java prides itself in not allowing you to shoot yourself in the foot, but doesn't always live up to the hype. Recent editions have introduced powerful new syntactic tools which make development much easier, but can often result in "WAT" moments. This lightening talk (given in Reversim Summit 2016), inspired by Gary Bernhardt's famous WAT talk will showcase some of the cases where Java has left me scratching my head and asking "WAT?".

Reversim Summit 2016 - Ja-WAT

Allon Mureinik

Virtualization Management The oVirt Way (August Penguin 2015)

Allon Mureinik

Designing monolithic infrastructures is a common mistake in large projects. However, more often than not, these infrastructures are too generic, make false assumptions or are simply delivered too late for feature developers to use, becoming "white elephants". This presentation is a case study of the work done by my team to deliver Live Merging of Snapshots oVirt from the initial steps in oVirt 3.1.0 to the full delivery in 3.5.0, and how good design can be feature-driven, building infra-structures step by step, while gaining small wins during the process.

Step by Step - Reusing old features to build new ones

Allon Mureinik

oVirt 3.5 Storage Features Overview

Allon Mureinik

Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...

Allon Mureinik

Live Storage Migration in oVirt (Open Storage Meetup May 2013)

Allon Mureinik

Retro Testing (DevConTLV Jan 2014)

Allon Mureinik

Mais de Allon Mureinik (13)

This DoS goes loop-di-loop

How open source made me a better manager

Automatic for the People

Automatic for the people

Mockito - How a mocking library built a real community

Mockito - how a mocking library built a real community (August Penguin 2017)

Reversim Summit 2016 - Ja-WAT

Virtualization Management The oVirt Way (August Penguin 2015)

Step by Step - Reusing old features to build new ones

oVirt 3.5 Storage Features Overview

Disaster Recovery Strategies Using oVirt's new Storage Connection Management ...

Live Storage Migration in oVirt (Open Storage Meetup May 2013)

Retro Testing (DevConTLV Jan 2014)

Último

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974 🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in-call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Full night for more than 1 person: Contact us at 🔝 9953056974 🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974 🔝. Thank you for considering us!

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

9953056974 Low Rate Call Girls In Saket, Delhi NCR

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

Looking to embark on a digital project in New York City? Choosing the ideal Laravel development partner is pivotal. Begin by defining your project requirements clearly. Assess potential partners' experience, expertise, and technical proficiency, checking portfolios and client testimonials. Effective communication and collaboration are paramount, so evaluate partners' communication styles and project management approaches. Consider long-term scalability and support options, and discuss pricing and contracts transparently. Lastly, trust your instincts when selecting a partner aligned with your vision and values.

How to Choose the Right Laravel Development Partner in New York City_compress...

software pro Development

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

How To Use Server-Side Rendering with Nuxt.js

Andolasoft Inc

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

Foundation models are machine learning models which are easily capable of performing variable tasks on large and huge datasets. FMs have managed to get a lot of attention due to this feature of handling large datasets. It can do text generation, video editing to protein folding and robotics. In case we believe that FMs can help the hospitals and patients in any way, we need to perform some important evaluations, tests to test these assumptions. In this review, we take a walk through Fms and their evaluation regimes assumed clinical value. To clarify on this topic, we reviewed no less than 80 clinical FMs built from the EMR data. We added all the models trained on structured and unstructured data. We are referring to this combination of structured and unstructured EMR data or clinical data.

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

harshavardhanraghave

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

OnePlan Solutions

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

InShot proinshot.com stands tall among its peers as the ultimate video editing app, offering simplicity, versatility, and power in one package. With its intuitive interface and comprehensive feature set, InShot caters to both beginners and seasoned editors alike. Whether you're creating content for social media, YouTube, or personal projects, InShot empowers you to unleash your creativity and transform your videos into captivating masterpieces. Join the millions of users who trust InShot https://www.proinshot.com/ for all their video editing needs and discover the difference for yourself!

Exploring the Best Video Editing App.pdf

proinshot.com

DevConf.US 2020 - OWASP Top -10 - Allon Mureinik

1. OWASP Top Ten Quickstart Your Security Awareness Allon Mureinik Senior Manager, Seeker Node.js and .NET Agents Synopsys, Inc. allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

3. © 2020 Synopsys, Inc. 3OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) Security is everyone's responsibility https://thenounproject.com/term/security/957678

4. © 2020 Synopsys, Inc. 4OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) But it starts with the developer https://thenounproject.com/term/developer/94089

6. © 2020 Synopsys, Inc. 6OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) OWASP Top Ten https://owasp.org/www-project-top-ten/ 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10.Insufficient Logging and Monitoring

7. © 2020 Synopsys, Inc. 7OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) OWASP Top Ten https://owasp.org/www-project-top-ten/ 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10.Insufficient Logging and Monitoring

10. © 2020 Synopsys, Inc. 10OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) Log Injection app.post('/logi', function(req, res) { // We trust our users, every login will be successful! const username = req.body.username; // Enterprise-grade logging FTW! console.log(username + ' logged in.'); res.end('Logged in with the honor system'); });

12. © 2020 Synopsys, Inc. 12OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) A4:2017 XML External Entities (XXE) https://thenounproject.com/term/xml/3123782

13. © 2020 Synopsys, Inc. 13OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) XXE Injection app.use(bodyParser.text({type: '*/*'})); app.post('/xxe', function(req, res) { const parsed = libxmljs.parseXml(req.body, {noent: true}); const name = parsed.get('//name').text(); res.end('Name is: ' + name); });

15. © 2020 Synopsys, Inc. 15OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) A7:2017 Cross-Site Scripting (XSS) https://thenounproject.com/term/html/101165

16. © 2020 Synopsys, Inc. 16OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) Stored XSS app.get('/xss', function (req, res) { db.all('SELECT comment FROM comments ORDER BY ts DESC', [], function(err, rows) { const comments = rows.map(r => r.comment).join('<br/>'); const body = `<html lang="en"> <body> How is DevConf.US so far?<br/> <form action="/xss" method="post"> <input name="comment" type="text"> <input type="submit"> </form> <br/> Here's what others are saying:<br/> ${comments} </body> </html>`; res.send(body); }); });

17. © 2020 Synopsys, Inc. 17OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) Stored XSS (cont.) app.post('/xss', function (req, res) { db.run('INSERT INTO comments(comment) VALUES (?)', [req.body.comment], function (err) { if (err) { return console.log(err.message); } }); res.writeHead(302, { 'Location': 'xss' }); res.end(); });

20. © 2020 Synopsys, Inc. 20OWASP Top Ten – Quickstart Your Security Awareness (Allon Mureinik, DevConf.US 2020, cc-by-sa-4.0) •OWASP Top-10 Project: https://owasp.org/www-project-top-ten/ •Source code for the demos: https://github.com/mureinik/owasp-top10-demo •curl, used throughout the demos: https://curl.haxx.se/ Some useful links

22. Thank You Contact allon.mureinik@synopsys.com @mureinik https://www.linkedin.com/in/mureinik/

DevConf.US 2020 - OWASP Top -10 - Allon Mureinik

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Allon Mureinik

Mais de Allon Mureinik (13)

Último

Último (20)

DevConf.US 2020 - OWASP Top -10 - Allon Mureinik