Here are some of the notes I took while attending a 4-day secure coding workshop. Even though I've read about many of these things before, getting hands-on experience exploiting them was a real eye opener for me.
OWASP has created a container you can run and hack, exploiting the most common web app vulnerabilities. A good accompanying slide deck explaining these techniques is also available.
Through these tasks in the dojo, you get to learn and exploit several of the CWE Top 25 vulnerabilities.
sslstrip is a tool that exploits the fact that many users connect to the http version of a website first, before the web server redirects them to the https version.
To protect against sslstrip attacks, we can use HSTS (HTTP Strict Transport Security), which tells the browser to only ever connect to the site over https.
You can gauge how long it would take to crack your password by visiting this website and entering your password.
tl;dr: a long passphrase such as "I love sugar drinks and cupcakes" can be more secure than a short one such as "so#$%efoR".
Rainbow tables are precomputed tables that map hashes, generated with the most popular hashing algorithms, back to the passwords that produce them. This means that if you have the hash of a password but not the password itself, you can look it up in the Rainbow tables using this website to get the password.
The way to mitigate this is to use a salt, so that the hashes differ even for the same password and a precomputed table no longer matches.
As for the most common passwords, The Register has an interesting article about them here.
auth0.com says we should have a salt per hash, and store these together in the db:
In practice, we store the salt in cleartext along with the hash in our database. We would store the salt f1nd1ngn3m0, the hash 07dbb6e6832da0841dd79701200e4b179f1a94a7b3dd26f612817f3c03117434, and the username together so that when the user logs in, we can look up the username, append the salt to the provided password, hash it, and then verify if the stored hash matches the computed hash.
+----------+----------+--------------------+
| username | salt     | hash               |
+----------+----------+--------------------+
| john     | jkbPo$#% | acbd18db4cc2f85ced |
+----------+----------+--------------------+
See the auth0.com article for further details.
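As an added illustration (my own code, not from the auth0 article or the workshop), here is the per-user salt scheme the quote describes, with the unsalted form beside it to show why a precomputed rainbow table stops working; the username, password and salts below are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample input (not a real account).
USERNAME = "john"
PASSWORD = "I love sugar drinks and cupcakes"


def unsalted_hash(password: str) -> str:
    """Rainbow-table-vulnerable form: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The scheme in the auth0 quote: append the salt to the password, then hash."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def register(username: str, password: str, salt: Optional[str] = None) -> Dict[str, str]:
    """Build the (username, salt, hash) row stored in the database.
    The salt is random per user and stored in cleartext next to the hash."""
    if salt is None:
        salt = secrets.token_hex(16)  # 128 random bits, hex-encoded
    return {"username": username, "salt": salt, "hash": salted_hash(password, salt)}


def verify(row: Dict[str, str], password: str) -> bool:
    """Login check: recompute with the stored salt and compare.
    hmac.compare_digest keeps the comparison time independent of where it mismatches."""
    return hmac.compare_digest(row["hash"], salted_hash(password, row["salt"]))


def rainbow_lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Model of a rainbow table: a precomputed map from unsalted hash -> password."""
    return table.get(stored_hash)


if __name__ == "__main__":
    # Two users with the same password get different stored hashes once salted.
    row_a, row_b = register(USERNAME, PASSWORD), register("jane", PASSWORD)
    print(row_a["hash"] != row_b["hash"], verify(row_a, PASSWORD), verify(row_a, "wrong"))
    # The precomputed table finds the unsalted hash but not the salted one.
    table = {unsalted_hash(PASSWORD): PASSWORD}
    print(rainbow_lookup(table, unsalted_hash(PASSWORD)), rainbow_lookup(table, row_a["hash"]))
```

Note that a plain SHA-256 over password+salt, as in the quote, stops table lookups but is still fast to brute-force per user; a slow password hash (PBKDF2, bcrypt, scrypt or Argon2) is the usual production choice.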