
This one weird trick will secure your web server

BSides Augusta · 2016 · 19:04 · 31 views · Published 2016-09
Speaker: David Coursey
Category: Technical
Difficulty: Intro
Team: Blue
Style: Talk
About this talk
David Coursey demonstrates practical web server security hardening through HTTP headers and common vulnerabilities like clickjacking, insecure cookies, and SSL stripping. The talk covers one-line configuration fixes for protections including HSTS, CSP, and cache control, and introduces Skinner, a custom Go tool for auditing security headers across multiple hosts.
Video from BSidesAugusta 2016.
Transcript (en)

Hello? So you're good for video? Is your mic not working? No, I don't hear anything. Testing. Okay, it was working fine for Chris. Video mute.

Laptop... there we go. All right, welcome back. So while you were on break, did you stop by the vendor area? Did you say hello to the sponsors? Thank you for sponsoring BSides. All right, so our next presenter is Mr. David Coursey. I was talking with David earlier today; he was telling me about this really cool thing that he did. He built this hat, and it's got a Raspberry Pi built into it, so how cool is that, right? So if you get a chance later today, make sure you corner him about the Raspberry Pi hat and have him describe it. You have... no, you should have... face to face. That's really cool.

So Dave's got a great talk, and I'm very excited. Dave's an awesome guy, so please join me in welcoming Mr. David Coursey. [Applause]

Well, thanks everybody for coming out to check this out. I know everybody's excited to learn what my weird trick is, but first a little bit about me. I am a pentester every day for a small company called Enisum. I work specifically on applications and application security, and so I see a huge variety of applications every week that range everywhere from modern JavaScript stacks all the way back to Access written in 2000 and Struts version one. I'm a dad, I do a little bit of programming, I like rugby and whiskey, and I shaved off my beard. My wife made me do it.

So my disclaimer right now is that this is more of an entry-level talk, so if you do any pen testing yourself right now you're going to be bored to death, and I won't be offended if you get up and leave, but if somebody slashes your tires it was Chris Sanders. So there are no weird tricks involved in this, sadly, but this is something that I want everybody to be able to take back and have the "Monday morning value," as they say, so everyone can take back what you learn in here and improve your situation and try and just make your life a little bit easier.

All of these vulnerabilities are extremely dangerous, not to the systems that they're on and not to lives, but to me personally, my body, because they are killing me slowly every time I have to write a report on clickjacking, which is basically every assessment I do. If you do any time on bug bounties or anything like that, everybody submits the clickjacking bounty because it's on every single application in the world, and I don't know why at this point. When I was looking for demos for this I just did a search for "clickjacking demo" on YouTube, and the first result I got was from 2009, and I just kind of cried for a while.

So clickjacking is a very simple attack, and it's a layers problem: the attacker is going to put a layer over usable functionality that says "I'm going to change the way the functionality works." So this is all based around the iframe tag in HTML. Now hands up if you've written an application in the last decade that used iframes. I got one. Leave. No? So not very common. Now I don't even understand why these protections are not built into the web servers that we use, because this is literally a one-line configuration for everything except for IIS, where nothing is one line, but it is just a couple of clicks, and then you can use it. Or you can protect yourself with some JavaScript too, which is actually recommended, because depending on browsers and the applications you're doing, you should have both the application or web server configuration and the JavaScript to protect yourself from this. So I'm going to try and flip over here. I made my sacrifice to the demo gods, and I'm going to show you nothing.

Apparently. I made this little application. I've been practicing Go a lot, so I made this little application just to test this, and it functions; it does what it's supposed to do. So what a clickjacking attack does is it utilizes HTML just to capture this website in an iframe, and... I should have set this up already. There's my demo fail. So you're going to put this iframe... put the application... this is literally code that is taking the application that I just showed you and putting it into an iframe and putting a layer controlled by the attacker over the real functionality. And there's lots of different ways to do this, and there's lots of functionality you can do with this. But for my first giveaway, for a USB Rubber Ducky, my question is: who is the target of the attack in this scenario? The user of the website. The user of the website. So every time I submit this on a report, management doesn't care, because you're not hacking their servers, right? I'll bring it up to you in a minute. It's the users, but I've always been told that we need to kind of protect these people, because they're the ones that have all the data that we're using anyway.

A little bit better example of how something like this would work: this is the exact same code but with all of the functionality turned off, all of the red functionality turned off, literally the exact same code. So you go to, you know, just put your credentials in, and it takes you somewhere that you're not expecting to go. Now to get this pulled off you have to have some interaction with the user, like a phishing email, but I think we can all agree at this point that phishing is almost 100% successful to the general population, maybe not to you guys. So we're still seeing this on literally every engagement.

Let's go back over here. There we go. So moving on to the next one, and this is another one that's killing me slowly inside: cookies. Hands up if you like pumpkin spice. No? Get out. Yeah, this is again literally just a one-line configuration in your web server. Die. All right, I'm not going to switch back and forth anymore. There we go. So it's a one-line configuration in your web server, or in your application, say if you have specific cookies on specific portions of your application that you want to protect; you can add lines in the controllers and the code to make it do whatever you want to do. Now the demo I was going to show here was a cross-site scripting demo, but I'm not going to flip back and forth anymore. And what it does is, a lot of times we're looking for XSS demos that don't require a lot of strange quoting and stuff like that, and what people typically do is like alert(1), but I like to do alert(document.cookie),

because that brings up something that I can actually show to management that says: look, I'm capturing your JSESSIONID with my cross-site scripting attack because you guys didn't put one tiny little bit of code in your application. I mean, "HttpOnly; Secure" is like 20 characters. So this is literally every assessment I do.

The next big one is caching. It's another HTTP header that you can control yourself, and this is actually really useful; this is one of two in here that are really useful. It speeds everything up on the web, reduces download times, reduces network traffic and improves your overall experience. So when developers hear that, naturally they're just "cache all the things," but what happens when you do that? Eventually, six months later, on Pastebin, you realize that you literally did cache all the things and someone figured that out. So it's very simple to take advantage of this as an attacker in large applications, you know, maybe shared computers, things like that, because you can pull all of that out of any browser cache that normal users use. So this one can be a little bit confusing for developers because some of the terms don't really make sense, like what is a Pragma? I still don't know, and I wrote this talk. The only thing I could find out was it's short for "pragmatic," which really means a lot for caching. And it's heavily browser dependent, so the organizations have to go back and do some kind of analysis to say, well, what kind of browsers do we see hitting our application? Are we internal only? Is it internet facing? What browsers do we want our users to be hitting the application with? So it requires a little bit of forethought, but it's pretty simple to implement; it's just one more header in your Apache or nginx or IIS config.

So moving along quickly, the next one is the HSTS header. This is HTTP Strict Transport Security, and I always have a problem saying that. Also known better as SSL stripping. I had a really good image for this one, but Chris Sanders made me take it out. And these tools are widely available, so sslstrip is on Kali Linux, and Burp Suite is the primary tool that I use every single day for testing web applications. It's literally two checkboxes, and I can tell your website "I don't want you to be HTTPS anymore." So if I'm sitting at Starbucks and I fire up one of my man-in-the-middle attacks, I can SSL strip everything that is getting sent across that Wi-Fi network and get all of your super secret sensitive data.

So for my second giveaway, which is this... this has to be someone that's local to the Augusta area or can come back here on a regular basis. This is a gift certificate for the Clubhouse; they've got some pretty cool robotic stuff going on outside. If you haven't checked it out, I recommend it. And the question is: for the HSTS header, what is preload? What does that do? No takers? [audience answer] ...so they load quicker? Nope. I'll find a different one to give it away. So what preload does is, this is basically a contract with the browser vendors so you can get your HSTS preloaded in the browser list, so that your users will always have this header, because it's really important that the first response in that session comes back with the HSTS header. Because if it's not there, sslstrip will strip it off and it doesn't matter. So the first response always has to have that on there. Preload is a contract with the browser vendors to go ahead and get that on the list always.

The next one is one I just included kind of for fun, because a lot of people don't take this seriously, but as I was doing this talk it occurred to me that these are all things that everyone talks about being used for troubleshooting. Every assessment I do has these troubleshooting HTTP headers, and I thought, who is this for? Have you ever been troubleshooting an application and said "what version of ASP.NET do we use? I don't know, check the HTTP headers"? Anyone, hands up? No. So the only one that I can fathom that this is for... now granted, there are cases where you're going to use really specific custom headers in really large applications that really do need troubleshooting, but it's not Server and it's not X-Powered-By, right? So who is this really for? The people who like CVEs. Okay, so if you can find that version and you can go out and figure out exactly what type of software people are running, I mean, that only aids attackers. I literally could not come up with another reason for those, so get rid of them.

This next one is really fun. It gets kind of a bad reputation as being difficult to work with: Content Security Policy. And it can be extremely difficult to work with if you have a very large, complex, Web 2.0 fancy application that calls in resources and library paths from everywhere, but if you start building the application from the beginning with this enabled, it's probably the greatest thing ever for protecting your application. It's a whitelist, which we all know is good. It ends up with these hairy configurations like this, which, really cleaned up, only comes down to a list of what the resource is and where it's allowed to come from, and including CSP headers is one of the best things you can do as far as protecting from injection attacks on a dynamic application. And thankfully there's websites you can go to, and if you're just getting into it and just kind of testing out your own applications, put on the report-only mode and it will tell you everything that it would have blocked as you went through your application without actually blocking it, so you're good to go.

So this brings me to this little guy. After I developed the title for this and I was building this, I realized that all I was going to do was stand up here and complain about things, and I wanted to be able to give people something to take back with them to help them out. So I was looking for a project to start learning Golang, and so I developed a little tool I call Skinner, because it analyzes your head. I kind of regret that now. So what this does is, it's a little tool in Go, so it's super fast, and it's internal-network friendly. There are websites already out there that will test your security headers and tell you all your letter grades and stuff like that, but I can't take that into my customer network and tell them that I'm just going to open up the firewall real quick to do this test. So it's completely private; it doesn't put you on like the top 10 worst of 2015 list. You can feed in a single host or you can feed in just a list of URLs, and it'll scan and score everything for you and find all the little things that maybe you missed in your configuration. Just text reporting right now; I'm working on HTML reporting for the managers, and the next thing I'm working on is a way to randomize user agent strings, because we bump into applications all the time, like mobile apps, that expect a certain UA. So it's super simple to use, and I lied, I am going to switch back over to the demo for this one. Maybe.

So it's all text based right now, but the beauty of Golang is that you can compile it cross-platform. If you haven't messed with Go yet, you install the compiler and then you just say go get and pass it this URL, and it'll pull down all the dependencies and it'll just work. So this is probably the best public server that I've seen right now, I mean, and that's it. That was how fast the test takes. So it goes through, and the scoring is largely arbitrary at this point, based upon how annoyed I was at the specific header that I'm scoring, but over time it'll get more mature and we'll add a little bit more functionality. But so you can pass in a list of URLs and it'll score them all for you, and you can run them again and again, and that's kind of where I got the Skinner box idea: because you're running it again and again trying to get your score up. And that's about it. It'll tell you all the information leakage headers that you see up there, and you kind of have to decide, because I can't make the decision on what your P3P header is supposed to look like. But hopefully you guys will go check it out and take it back and find some value out of it, and that is all I have for you today.

There we go, there's the URL to the Git repo and my Twitter handle, so if you have any questions, I think we're just about out of time, but I'm always around and always willing to talk about this stuff, so hit me up.

Thank you, David. Great talk. So we have a couple of minutes in
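The checks the talk walks through (framing, cookie flags, caching, HSTS with preload, Server/X-Powered-By leakage, CSP) can be audited from a single HTTP response, which is what Skinner does. The Go program below is an added example written for this page; it is not Skinner's code and does not reproduce its scoring. The scoring rule (one point per protection, out of six), the finding texts and the two header sets (a weak and a hardened response) are all constructed for the example, so it runs offline; AuditURL shows how the same audit applies to a live response.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Finding is one missing or weak protection found in a response.
type Finding struct {
	Header string
	Issue  string
}

// AuditHeaders inspects the headers a server sent and reports the gaps the
// talk describes. Score is illustrative (constructed for this example): one
// point per protection that is present, out of 6.
func AuditHeaders(h http.Header) (score int, findings []Finding) {
	// 1. Clickjacking: X-Frame-Options, or a CSP frame-ancestors directive.
	csp := h.Get("Content-Security-Policy")
	if h.Get("X-Frame-Options") == "" && !strings.Contains(csp, "frame-ancestors") {
		findings = append(findings, Finding{"X-Frame-Options", "missing; page can be framed (clickjacking)"})
	} else {
		score++
	}
	// 2. Cookies: every Set-Cookie must carry both HttpOnly and Secure.
	cookiesOK := true
	for _, c := range h.Values("Set-Cookie") {
		lc := strings.ToLower(c)
		if !strings.Contains(lc, "httponly") || !strings.Contains(lc, "secure") {
			cookiesOK = false
			findings = append(findings, Finding{"Set-Cookie", "missing HttpOnly and/or Secure: " + strings.SplitN(c, "=", 2)[0]})
		}
	}
	if cookiesOK {
		score++
	}
	// 3. Caching: a sensitive response should say no-store so it never lands in a browser cache.
	if strings.Contains(strings.ToLower(h.Get("Cache-Control")), "no-store") {
		score++
	} else {
		findings = append(findings, Finding{"Cache-Control", "no-store absent; responses may be cached"})
	}
	// 4. HSTS: must be present with a max-age; preload is noted but not scored.
	hsts := strings.ToLower(h.Get("Strict-Transport-Security"))
	switch {
	case hsts == "":
		findings = append(findings, Finding{"Strict-Transport-Security", "missing; first response can be SSL-stripped"})
	case !strings.Contains(hsts, "max-age="):
		findings = append(findings, Finding{"Strict-Transport-Security", "no max-age directive"})
	default:
		score++
		if !strings.Contains(hsts, "preload") {
			findings = append(findings, Finding{"Strict-Transport-Security", "preload not requested (informational)"})
		}
	}
	// 5. Version leakage: Server and X-Powered-By only help attackers match CVEs.
	leak := false
	for _, name := range []string{"Server", "X-Powered-By"} {
		if v := h.Get(name); v != "" {
			leak = true
			findings = append(findings, Finding{name, "version leakage: " + v})
		}
	}
	if !leak {
		score++
	}
	// 6. CSP: enforced policy scores; report-only is flagged as not yet blocking anything.
	if csp != "" {
		score++
	} else if h.Get("Content-Security-Policy-Report-Only") != "" {
		findings = append(findings, Finding{"Content-Security-Policy", "report-only; nothing is blocked yet"})
	} else {
		findings = append(findings, Finding{"Content-Security-Policy", "missing"})
	}
	return score, findings
}

// AuditURL fetches one URL and audits its response headers (live use; not called by main).
func AuditURL(url string) (int, []Finding, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	score, findings := AuditHeaders(resp.Header)
	return score, findings, nil
}

// WeakResponse is a constructed sample, not captured from any real host.
func WeakResponse() http.Header {
	h := http.Header{}
	h.Set("Server", "Apache/2.2.15")
	h.Set("X-Powered-By", "PHP/5.3.3")
	h.Add("Set-Cookie", "JSESSIONID=abc123; Path=/")
	h.Set("Cache-Control", "public, max-age=3600")
	return h
}

// HardenedResponse is the same constructed sample with the talk's one-line fixes applied.
func HardenedResponse() http.Header {
	h := http.Header{}
	h.Set("X-Frame-Options", "DENY")
	h.Add("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")
	h.Set("Cache-Control", "no-store, no-cache, must-revalidate")
	h.Set("Pragma", "no-cache")
	h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
	h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
	return h
}

func main() {
	for name, h := range map[string]http.Header{"weak": WeakResponse(), "hardened": HardenedResponse()} {
		score, findings := AuditHeaders(h)
		fmt.Printf("%s: %d/6\n", name, score)
		for _, f := range findings {
			fmt.Printf("  %-28s %s\n", f.Header, f.Issue)
		}
	}
}
```

Run it with go run and the weak sample scores 0/6 with seven findings while the hardened one scores 6/6 with none; point AuditURL at your own hosts for the internal-network use the talk describes.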