WEBVTT 00:00.619 --> 00:04.545 >> Vulnerability Risk Mitigation part 1. 00:04.545 --> 00:07.230 The learning objectives for this lesson are; 00:07.230 --> 00:08.910 to differentiate between types 00:08.910 --> 00:10.950 of web application vulnerabilities, 00:10.950 --> 00:13.725 to define web application components, 00:13.725 --> 00:15.870 and to implement protection strategies 00:15.870 --> 00:17.400 for web applications. 00:17.400 --> 00:22.140 Let's get started. Web application components. 00:22.140 --> 00:24.060 Before we can go into any of 00:24.060 --> 00:25.860 the vulnerabilities and the ways 00:25.860 --> 00:27.200 we can help remedy those, 00:27.200 --> 00:29.405 we're going to discuss the different parts 00:29.405 --> 00:30.740 of web technology 00:30.740 --> 00:32.375 to help us understand 00:32.375 --> 00:34.840 the different parts that can become vulnerable. 00:34.840 --> 00:36.680 The first part we're going to discuss is 00:36.680 --> 00:39.905 client-side processing versus server-side processing. 00:39.905 --> 00:41.450 This is a description of where 00:41.450 --> 00:42.950 the work is being performed. 00:42.950 --> 00:44.060 Is it being performed on 00:44.060 --> 00:45.860 the client's machine or 00:45.860 --> 00:48.110 is it being performed at the server? 00:48.110 --> 00:50.165 Web apps have begun to shift 00:50.165 --> 00:52.054 the work away from server-side, 00:52.054 --> 00:54.100 more towards client-side lately. 00:54.100 --> 00:58.000 JSON Representational State Transfer or REST. 00:58.000 --> 00:59.690 This is a text format that's 00:59.690 --> 01:01.870 used to store and transmit data. 01:01.870 --> 01:04.800 It's similar to XML, although it's simpler. 01:04.800 --> 01:08.910 It is a data exchange based on web technologies. 01:10.030 --> 01:14.030 Simple Object Access Protocol or SOAP. 01:14.030 --> 01:18.490 This is an interface communication mechanism. 01:18.490 --> 01:20.590 SOAP is a protocol instead 01:20.590 --> 01:22.690 of being an architecture like REST. 01:22.690 --> 01:26.720 SOAP APIs can be exploited by SQL injection. 01:26.720 --> 01:28.620 Browser Extensions. 01:28.620 --> 01:30.040 These are adding additional 01:30.040 --> 01:32.495 functionality to our browsers. 01:32.495 --> 01:35.785 It's not accessible by the code launched by the browser, 01:35.785 --> 01:38.740 and plugins can be called by website code. 01:38.740 --> 01:41.200 These are the add-ons that we add onto 01:41.200 --> 01:44.570 Chrome or to Firefox that allow us to say, 01:44.570 --> 01:47.905 HTTPS everywhere forces every website 01:47.905 --> 01:50.005 that we visit to use HTTPS. 01:50.005 --> 01:52.130 It may be U-block origin, 01:52.130 --> 01:53.390 which helps us to block 01:53.390 --> 01:55.790 malicious content or scripts on websites. 01:55.790 --> 01:56.960 But all of these add 01:56.960 --> 02:00.150 additional functionality to our browsers. 02:01.340 --> 02:05.675 Hypertext Markup Language 5, or HTML5, 02:05.675 --> 02:09.395 and Asynchronous JavaScript and XML or AJAX. 02:09.395 --> 02:11.000 These are designed to replace 02:11.000 --> 02:13.265 the flawed functionality of plugins, 02:13.265 --> 02:16.180 but they also bring with them their own new problems. 02:16.180 --> 02:20.240 HTML5 features that you're going to want to 02:20.240 --> 02:22.445 consider when you're looking to 02:22.445 --> 02:25.735 secure a web application would be web messaging, 02:25.735 --> 02:28.260 cross-origin resource sharing, 02:28.260 --> 02:31.875 WebSockets, server-sent events, local, 02:31.875 --> 02:35.430 offline or web storage, client-side databases, 02:35.430 --> 02:38.790 geo-location requests, WebWorders, 02:38.790 --> 02:42.310 Tabnapping, and Sandboxed Frames. 02:44.060 --> 02:46.960 Machine code versus bytecode. 02:46.960 --> 02:50.120 Bytecode represents the intermediary state of 02:50.120 --> 02:52.010 source code that is created by 02:52.010 --> 02:54.080 a high-level language when it's compiled. 02:54.080 --> 02:55.760 It's designed to be 02:55.760 --> 02:58.600 processed by an interpreter on the target system. 02:58.600 --> 03:02.000 The interpreter translate the bytecode into machine code. 03:02.000 --> 03:04.355 Now, machine code is the lowest level of source code 03:04.355 --> 03:08.070 that the devices on the machine can understand. 03:08.900 --> 03:12.010 Software composition analysis. 03:12.010 --> 03:14.645 This is the process where the software will be 03:14.645 --> 03:15.890 analyzed to see if it 03:15.890 --> 03:18.095 contains any open source components, 03:18.095 --> 03:21.470 and that they are themselves secure because 03:21.470 --> 03:23.480 these open source components that we're including 03:23.480 --> 03:25.985 with our own software programs, 03:25.985 --> 03:28.235 they can contain their own vulnerabilities. 03:28.235 --> 03:31.505 This can be performed manually, 03:31.505 --> 03:34.310 but it's usually performed with automation tools. 03:34.310 --> 03:35.930 A good example of one of these tools is 03:35.930 --> 03:37.895 the OWASP dependency check tool. 03:37.895 --> 03:40.580 This will scan source code and it will identify 03:40.580 --> 03:42.230 any publicly known vulnerabilities in 03:42.230 --> 03:46.020 the code and also the libraries that it's using. 03:47.860 --> 03:50.825 Web application vulnerabilities. 03:50.825 --> 03:53.825 The first one we're going to discuss is a race condition. 03:53.825 --> 03:56.330 This occurs when several processes 03:56.330 --> 03:58.130 are needed to complete a task. 03:58.130 --> 04:00.770 The apps can be manipulated by altering 04:00.770 --> 04:02.090 the assumptions that are made on 04:02.090 --> 04:04.295 the processes and their outcomes. 04:04.295 --> 04:06.895 The next is a buffer overflow. 04:06.895 --> 04:10.550 This is when we fill the temporary memory space up. 04:10.550 --> 04:14.660 By doing this, a well-designed attack can add 04:14.660 --> 04:16.100 information to the end of 04:16.100 --> 04:18.620 the buffer in hopes that it will be executed. 04:18.620 --> 04:21.410 You could do this to access other parts of 04:21.410 --> 04:22.910 the system memory and 04:22.910 --> 04:25.735 also for code insertion and execution. 04:25.735 --> 04:27.530 The defenses for this would 04:27.530 --> 04:29.840 include patching, secure coding, 04:29.840 --> 04:33.320 address space layout randomization or ASLR, 04:33.320 --> 04:36.620 and data execution protection or DEP. 04:37.070 --> 04:39.580 Broken authentication. 04:39.580 --> 04:41.030 This is when an app 04:41.030 --> 04:43.310 doesn't protect authentication mechanisms, 04:43.310 --> 04:44.690 it will allow an attacker to 04:44.690 --> 04:47.165 compromise user sessions or passwords. 04:47.165 --> 04:51.080 An example would be session identifiers in a URL. 04:51.080 --> 04:52.655 You've logged onto a website, 04:52.655 --> 04:54.095 and in the URL, if you look, 04:54.095 --> 04:55.595 you've got a session ID. 04:55.595 --> 04:57.500 If we modify that session ID, 04:57.500 --> 05:00.230 we might be able to take over someone else's session. 05:00.230 --> 05:01.730 Defenses against this would 05:01.730 --> 05:05.080 include slowing down failed login attempts, 05:05.080 --> 05:07.685 server-side session management that creates 05:07.685 --> 05:10.175 a random session identifier rather than 05:10.175 --> 05:13.460 one that's easily guessed or follows a pattern, 05:13.460 --> 05:17.940 and not using session IDs and URLs or session timeouts. 05:19.250 --> 05:21.670 Insecure references. 05:21.670 --> 05:23.690 This is a class of vulnerabilities that is 05:23.690 --> 05:26.014 related to weak access controls. 05:26.014 --> 05:29.690 An app takes user-supplied input and then uses that to 05:29.690 --> 05:31.010 give access to areas that 05:31.010 --> 05:33.050 normally shouldn't be accessible to that user. 05:33.050 --> 05:37.355 An example of this is having a user ID in the URL, 05:37.355 --> 05:39.260 similar to the one we just discussed. 05:39.260 --> 05:42.920 But if you see a customer ID 05:42.920 --> 05:44.960 or something that uniquely 05:44.960 --> 05:47.075 identifies that user in the URL, 05:47.075 --> 05:48.680 chances are you can change that to 05:48.680 --> 05:51.020 another number and be able to look into 05:51.020 --> 05:53.600 someone else's profile because 05:53.600 --> 05:57.090 you're using their user ID now in the URL. 05:57.920 --> 06:01.215 Weak ciphers and cipher suites. 06:01.215 --> 06:04.090 Weak ciphers are the individual encryption ciphers 06:04.090 --> 06:06.370 that are not considered safe for modern use. 06:06.370 --> 06:07.780 Examples would be DES, 06:07.780 --> 06:09.484 SHA-1, and MD5. 06:09.484 --> 06:11.440 Now cipher suites, on the other hand, 06:11.440 --> 06:15.115 are all the parts together that deliver a total function. 06:15.115 --> 06:16.600 TLS is an example of 06:16.600 --> 06:18.910 this because it contains key exchange, 06:18.910 --> 06:23.510 digital signature, encryption, and hashing capabilities. 06:24.290 --> 06:27.210 Web application vulnerabilities. 06:27.210 --> 06:28.830 Improper headers. 06:28.830 --> 06:32.380 HTTPS response headers control how 06:32.380 --> 06:36.085 web servers operate to increase their overall security. 06:36.085 --> 06:38.650 Properly configured headers can prevent 06:38.650 --> 06:42.100 cross-site request forgeries, cross-site scripting, 06:42.100 --> 06:44.675 downgrade attacks, cookie hijacking, 06:44.675 --> 06:46.955 user impersonation, click jacking, 06:46.955 --> 06:48.625 and many other attacks. 06:48.625 --> 06:51.170 Certificate errors. This is when 06:51.170 --> 06:55.445 a certificate is improperly set up on a web server. 06:55.445 --> 06:57.395 We use certificates because it's 06:57.395 --> 07:00.485 a critical part of our entire SSL infrastructure. 07:00.485 --> 07:01.765 Servers have a certificate, 07:01.765 --> 07:02.810 clients have a certificate, 07:02.810 --> 07:04.385 and they authenticate with each other. 07:04.385 --> 07:06.080 But if we don't set up a certificate 07:06.080 --> 07:07.175 properly on a server, 07:07.175 --> 07:09.260 it will display an error or to users. 07:09.260 --> 07:11.540 What this does is it trains users to click 07:11.540 --> 07:13.810 past the error so they can access the website. 07:13.810 --> 07:16.640 If users are trained to do that, 07:16.640 --> 07:19.565 and they received a phishing link that leads them to 07:19.565 --> 07:22.340 a cloned Microsoft website with a certificate 07:22.340 --> 07:24.020 that doesn't match Microsoft 07:24.020 --> 07:25.525 and they just click past it, 07:25.525 --> 07:28.640 that now they've fallen for it and the error should be 07:28.640 --> 07:31.805 a warning that this site is not valid. 07:31.805 --> 07:33.710 So we have to do our part to make sure we set up 07:33.710 --> 07:35.750 our certificates properly so that we 07:35.750 --> 07:40.770 don't present users these errors. Let's summarize. 07:40.770 --> 07:43.160 We went over web application vulnerabilities. 07:43.160 --> 07:45.905 We discussed race conditions and buffer overflows. 07:45.905 --> 07:48.785 We also went over web application components 07:48.785 --> 07:51.065 and software composition analysis. 07:51.065 --> 07:53.380 Let's do some example questions. 07:53.380 --> 07:56.210 Question 1, this vulnerability can 07:56.210 --> 07:57.800 occur when several processes 07:57.800 --> 08:00.150 are needed to complete a task. 08:00.470 --> 08:04.965 Race condition. Question 2, 08:04.965 --> 08:07.130 this occurs when temporary memory space 08:07.130 --> 08:08.870 is overflowed with the purpose 08:08.870 --> 08:10.700 of executing additional code or 08:10.700 --> 08:13.620 reading different areas of system memory. 08:13.850 --> 08:19.590 Buffer overflow. Question 3, DES, MD5, 08:19.590 --> 08:25.155 and SHA-1 are examples of this. Weak ciphers. 08:25.155 --> 08:29.660 Finally question 4, this vulnerability is described by 08:29.660 --> 08:31.550 weak access controls that allow 08:31.550 --> 08:33.860 user-supplied input to access areas 08:33.860 --> 08:36.450 that are normally not accessible. 08:36.890 --> 08:39.245 Insecure references. 08:39.245 --> 08:41.210 I hope this lesson was useful for you, 08:41.210 --> 08:43.440 and I'll see you in the next one.