At Ekoparty, during the pre-conference days I took the training Security for web developers by Andrés Riancho.
The course was structured following the OWASP Top 10 vulnerabilities.
For each one, the vulnerability was presented, attack vectors were shown and a real running example was demonstrated; we attacked it with a tool or by hand and then saw the countermeasures.
I summarize here the highlights for a developer with little penetration-testing experience (concepts, techniques and tools):
- Injections: don’t rely on blacklist-based solutions.
- ZAP, a tool to discover vulnerabilities in websites. Starting with an initial URL it can, for example, fuzz it or change its parameters to discover XSS or SQL injection vulnerabilities.
- Once an SQL injection vulnerability is discovered, a tool like sqlmap can be used to find out which RDBMS is running on the back end, but this is just the beginning. It contains all the tricks for SQL injection: it can dump the whole database schema, run queries, extract passwords and even, depending on the RDBMS configuration, provide a remote shell.
- SQL Injection can be solved/mitigated using prepared statements, ORMs or (not recommended) escaping queries.
- There are 3 types of XSS: reflected, persistent (stored) and DOM-based.
- Single Page Applications are prone to DOM-based XSS. Suggestion: encode parameters before using them in document.write. jQuery and other frameworks come with functions for this.
- XSS consequences go far beyond showing a pop up in the client. For a complete picture check this framework.
- Cookies:
  - If marked as HttpOnly, the browser won’t allow the cookie to be read with document.cookie.
  - If marked as Secure, the cookie isn’t sent over plain HTTP.
- Session attacks:
  - Session prediction: don’t use, for example, sequential numbers for session IDs.
  - Session expiration: don’t accept old sessions.
  - Sessions must expire on both the client side and the server side.
  - Don’t put session tokens in the URL.
- When using hash functions:
  - Recommended: SHA256, SHA512, PBKDF2.
  - Not recommended: MD5, SHA1.
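To make the SQL injection points above concrete (why blacklists are not enough and why prepared statements are the recommended fix), here is an added example that is not part of the course or of this post. It runs against an in-memory SQLite database; the table, the users and the function names are constructed for the demo.

```python
"""Constructed demo: string concatenation vs. prepared statement vs. hand escaping."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: caller-controlled text is pasted into the SQL, so a quote
    inside it changes the structure of the query instead of being data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Mitigated: the ? placeholder is bound as a value and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_user_escaped(conn: sqlite3.Connection, name: str) -> list:
    """The 'not recommended' option: doubling quotes by hand. It works for this
    one literal, but every code path must remember it and the rules differ
    between RDBMSs, which is why prepared statements or an ORM are preferred."""
    sql = "SELECT name, role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run the three lookups with a benign name and with the textbook
    tautology input, so the difference in behaviour can be asserted."""
    conn = make_db()
    benign = "alice"
    # A blacklist that only strips the keyword OR or a comment marker would not
    # catch every variant of this; the parameterised query does not need to.
    hostile = "nobody' OR '1'='1"
    return {
        "concat_benign": find_user_concat(conn, benign),
        "concat_hostile": find_user_concat(conn, hostile),     # every row leaks
        "prepared_hostile": find_user_prepared(conn, hostile), # no match
        "escaped_hostile": find_user_escaped(conn, hostile),   # no match
    }
```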