slides: https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2016-2#tab=Conferenceday
Securing Android Applications
Dario Incalza
apk: http://image.slidesharecdn.com/english-final-140610053432-phpapp02/95/android-applications-in-the-cruel-world-how-to-save-them-from-threats-6-638.jpg?cb=1402390537
tools:
- https://bytecodeviewer.com/ uses multiple decompilers
- apktool
- mitmproxy https://mitmproxy.org/
- xPosed: http://repo.xposed.info/module/de.robv.android.xposed.installer
- inject / modify running Android app (root)
- linux memory extractor: dump memory https://github.com/504ensicsLabs/LiME/
- obfuscate / encrypt
- communication
- execution env (root etc)
- full disk encryption: keys are in mem at runtime
- passwords: char[] & PBKDF2
- key management:
- keystore (rooted devices)
- sharedpreferences
- no AES in ECB
- check logs
- sdcard is readable
- securerandom issue http://android-developers.blogspot.be/2013/08/some-securerandom-thoughts.html
- obfuscation / code protection
- nonobvious branching
- reflection
- proguard http://proguard.sourceforge.net/
- test rooting: google safetynet api -- JWS with "attest" https://developer.android.com/training/safetynet/index.html
The State of Security of WordPress (plugins)
Yorick Koster
wordpress: blogging software with CMS features
- enumerate media
- php "unserialize" https://www.owasp.org/index.php/PHP_Object_Injection
- core security:
- filter / escape, etc.
- but: no prepared statements, MD5 passwords
- plugins: relatively ok
- escape html etc
- meterpreter
- https://codex.wordpress.org/Hardening_WordPress
Securing AngularJS Applications
Sebastian Lekies
AngularJS
- "declarative templating"
- contextual auto escaping (html, url, resource_url)
- managed by the $sceProvider
- URL / output $compileProvider
- auto-encoding
- URL validation: $sceDelegateProvider resourceURLWhitelist / Blacklist
- html sanitizer: removes all script
- do not generate templates based on user input
- do not write user input before AngularJS is loaded -- careful with mixing other libraries
- inserting HTML in DOM
- ngBindHtml with trustAsHtml -- security is disabled! -- use ng-bind-html
- DIY escapeForHtml() call --managing security on your own is dangerous: AngularJS will sanitize the input for you
- do not use jqLite
- white/blacklisting URLs
- wildcards in schemes:
- other urls can replace the wildcard! (e.g. http://evil.com/?ignore=.//my.org/)
- replace http: with javascript:
- wildcards in domains: replace domainname
- toplevel domains: replace them with your own (my.evil.com)
- regexps
- conclusion: ONLY whitelist specific URLs, do NOT use regexp / wildcards
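The white/blacklisting problem above, as an added example that is not from the talk and not AngularJS's own matcher: a naive glob-style whitelist (where `*` matches any run of characters, an assumption standing in for whatever wildcard or regexp scheme a whitelist uses) next to a strict allow-list that parses the URL and compares scheme, host and path prefix exactly. The probe URLs are the ones the notes list; the pattern list, the strict entries and the function names (globToRegExp, naiveAllowed, strictAllowed) are constructed for the example.

```javascript
// Turn a pattern such as 'http://*my.org/*' into an anchored RegExp in which
// '*' matches anything: the permissive reading that makes wildcards unsafe.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

function naiveAllowed(patterns, url) {
  return patterns.some(p => globToRegExp(p).test(url));
}

// Strict allow-list entry: exact scheme, exact host, fixed path prefix.
// Parsing first means '?', '//' and '.' in the string cannot move the host
// boundary; relative or unparsable URLs are rejected outright.
function strictAllowed(entries, url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return entries.some(e =>
    u.protocol === e.protocol && u.host === e.host && u.pathname.startsWith(e.pathPrefix));
}

// Constructed whitelist containing the three wildcard mistakes from the notes.
const WILDCARD_PATTERNS = [
  '*://my.org/*',      // wildcard in the scheme
  'http://*my.org/*',  // wildcard in front of the domain
  'http://my.*/*',     // wildcard top-level domain
];

// Constructed strict list: only templates served from http://my.org/templates/.
const STRICT_ENTRIES = [{ protocol: 'http:', host: 'my.org', pathPrefix: '/templates/' }];

// The legitimate URL plus the three substitutions the notes describe.
const PROBES = [
  'http://my.org/templates/widget.html',
  'http://evil.com/?ignore=.//my.org/',
  'javascript://my.org/',
  'http://my.evil.com/',
];

function compare(url) {
  return {
    url,
    naive: naiveAllowed(WILDCARD_PATTERNS, url),
    strict: strictAllowed(STRICT_ENTRIES, url),
  };
}

for (const p of PROBES) console.log(compare(p));
```

Running it shows the wildcard list accepting all four probes while the strict list accepts only the first; note that `new URL('javascript://my.org/')` parses with host `my.org`, so the host comparison alone is not enough and the scheme must be compared as well.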
Compression Bombs Strike Back
Giancarlo Pellegrino
Compression
- main lossless algorithm: deflate (zlib, gzip etc)
- protocols: IMAP, XMPP, SSH, HTTP response:
- Accept-Encoding: deflate/gzip
- Content-Encoding: gzip etc
- DOS "computationally intensive"
- data amplification
- unbalance client/server (server caches compress file, client always decompresses)
- zip bombs: 42kb -- 4.5PB unzipped (1996)
- xmlbombs: recursive entities (2003)
- attack clients:
- html content bomb: e.g. 4GB of whitespace -- gzipped: 4mb: https://www.cyberis.co.uk/2013/08/vulnerabilities-that-just-wont-die.html
- manipulate Content-Length
- server attacks
- SOAP POST requests, gzipped
- JSON POST
- XMPP
- fixed runtimes
- Apache Httpd
- tomcat
- axis2
- first authenticate before uncompressing
- input validation: size (check decompression ratio, limit size of decompressed message)
- correctly chain + interpret payload
- logger: resource exhaustion (e.g. decompress before logging)
- zip size header can be different than actual zipped content
Zap it !
Zakaria Rachid
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
use cases
- simple scanning
- automatic security integration tests
docker pull owasp/zap2docker-weekly
docker run owasp/zap2docker-weekly zap-baseline.py -t http://target
- security plugin
- zap api
Stealing Secrets through Browser-based Side-channel Attacks
Tom Van Goethem
- compression: guess char-by-char and check if this impacts response size
- gzip + input controlled by attacker (or mitm)
- find out response size:
- cache api: + authenticated cross-origin responses
- quota restrictions - can calculate response size of other site
- getEstimate(): exact quota
- but: after decompression
- tcp windows: extra round trip
- measure number of roundtrips
- no compression, but bandwidth
- do not compress secrets
- samesite cookies
- no third party cookies
Handling of Security Requirements in Software Development Lifecycle
Daniel Kefer
demo
- securityRAT https://github.com/SecurityRAT/SecurityRAT
Closing Keynote: The Future of Security
Bart Preneel
trends
- big data / analysis
- visibility
- mass surveillance
- privacy as security property
- privacy by design:
- "General Data Protection Regulation" GDPR
- cryptowars continue
- offense over defence (0-days)
- avoid single point of failure / trust
- future
- future of internet: simple but secure
- small local data instead of centralised
- distributed solutions (e.g. bitcoins)
- big data --> encrypted data
- open source solutions