WEBVTT

00:00:00.000 --> 00:00:05.970 align:middle line:90%


00:00:05.970 --> 00:00:08.700 align:middle line:84%
Welcome to the third and last
part of the Insufficient Logging

00:00:08.700 --> 00:00:11.710 align:middle line:90%
and Monitoring session.

00:00:11.710 --> 00:00:15.210 align:middle line:84%
In this part, we will
discuss mitigation.

00:00:15.210 --> 00:00:17.970 align:middle line:84%
We will start discussing what
makes an application vulnerable

00:00:17.970 --> 00:00:20.880 align:middle line:84%
and then we will handle OWASP
Juice Shop vulnerable source

00:00:20.880 --> 00:00:21.660 align:middle line:90%
code.

00:00:21.660 --> 00:00:24.180 align:middle line:84%
Before closing this
session, we will discuss how

00:00:24.180 --> 00:00:26.670 align:middle line:90%
to avoid such vulnerabilities.

00:00:26.670 --> 00:00:29.340 align:middle line:84%
When auditable events,
such as logins, either

00:00:29.340 --> 00:00:32.340 align:middle line:84%
successful or failed attempts,
and high value transactions

00:00:32.340 --> 00:00:36.150 align:middle line:84%
are not logged or log messages
do not include enough details,

00:00:36.150 --> 00:00:38.700 align:middle line:90%
applications are at risk.

00:00:38.700 --> 00:00:41.610 align:middle line:84%
If logs are stored locally
only or they are not

00:00:41.610 --> 00:00:43.740 align:middle line:84%
monitored for
suspicious activity,

00:00:43.740 --> 00:00:45.450 align:middle line:84%
then they won't
help organizations

00:00:45.450 --> 00:00:49.720 align:middle line:84%
to detect and mitigate security
incidents in a timely fashion.

00:00:49.720 --> 00:00:52.110 align:middle line:84%
If alerting thresholds
are not well adjusted

00:00:52.110 --> 00:00:55.680 align:middle line:84%
or response escalation processes
are not in place or effective,

00:00:55.680 --> 00:00:58.600 align:middle line:84%
then malicious activity
may still pass unnoticed.

00:00:58.600 --> 00:01:01.200 align:middle line:84%
The same is valid if all
this fails under attack

00:01:01.200 --> 00:01:03.750 align:middle line:90%
due to high traffic or load.

00:01:03.750 --> 00:01:06.120 align:middle line:84%
Previously discussed
security misconfigurations

00:01:06.120 --> 00:01:08.010 align:middle line:84%
may make logs and
alerting events

00:01:08.010 --> 00:01:10.320 align:middle line:84%
available to regular
users and attackers,

00:01:10.320 --> 00:01:12.980 align:middle line:84%
leaving the
application vulnerable.

00:01:12.980 --> 00:01:17.130 align:middle line:84%
Let's now have a look
at the source code.

00:01:17.130 --> 00:01:19.980 align:middle line:84%
From the project page, we will jump
straight to the GitHub repo.

00:01:19.980 --> 00:01:29.190 align:middle line:90%


00:01:29.190 --> 00:01:32.400 align:middle line:84%
We are looking for the server.js
script, where we should

00:01:32.400 --> 00:01:33.780 align:middle line:90%
find the login route setup.

00:01:33.780 --> 00:01:53.560 align:middle line:90%


00:01:53.560 --> 00:01:55.480 align:middle line:84%
The login function
is implemented

00:01:55.480 --> 00:01:58.300 align:middle line:90%
in the routes/login.js file.

00:01:58.300 --> 00:02:00.617 align:middle line:84%
Let's jump to the
implementation.

00:02:00.617 --> 00:02:03.540 align:middle line:90%


00:02:03.540 --> 00:02:05.150 align:middle line:84%
This is a server
side source code

00:02:05.150 --> 00:02:06.605 align:middle line:84%
responsible for
performing the login.

00:02:06.605 --> 00:02:12.520 align:middle line:90%


00:02:12.520 --> 00:02:15.790 align:middle line:84%
First we have a database query
to bring the matching record.

00:02:15.790 --> 00:02:28.820 align:middle line:90%


00:02:28.820 --> 00:02:32.020 align:middle line:84%
This source code branch
corresponds to a successful

00:02:32.020 --> 00:02:32.640 align:middle line:90%
login.

00:02:32.640 --> 00:02:34.790 align:middle line:84%
The afterLogin
function is called.

00:02:34.790 --> 00:02:36.988 align:middle line:90%
Let's check its implementation.

00:02:36.988 --> 00:02:42.850 align:middle line:90%


00:02:42.850 --> 00:02:45.550 align:middle line:84%
All its logic is focused
on finding or creating

00:02:45.550 --> 00:02:48.900 align:middle line:84%
a new user shopping basket,
nothing related to the login.

00:02:48.900 --> 00:02:58.430 align:middle line:90%


00:02:58.430 --> 00:03:01.100 align:middle line:84%
Back to the login function,
failed login attempts

00:03:01.100 --> 00:03:03.740 align:middle line:84%
are handled in this
source code branch.

00:03:03.740 --> 00:03:08.300 align:middle line:84%
Again, no logging: just a
401 HTTP response status code

00:03:08.300 --> 00:03:10.740 align:middle line:90%
is returned.

00:03:10.740 --> 00:03:14.100 align:middle line:84%
In case of exception, the
next Express framework handler

00:03:14.100 --> 00:03:15.550 align:middle line:90%
is called.

00:03:15.550 --> 00:03:17.710 align:middle line:84%
Let's get back to
the main server.js

00:03:17.710 --> 00:03:20.140 align:middle line:84%
file and check how the
error handling is set up.

00:03:20.140 --> 00:03:44.670 align:middle line:90%


00:03:44.670 --> 00:03:47.160 align:middle line:84%
Errors are handled
by the error handler

00:03:47.160 --> 00:03:51.840 align:middle line:84%
function provided by the Node.js
package with the same name.

00:03:51.840 --> 00:04:05.210 align:middle line:90%


00:04:05.210 --> 00:04:07.220 align:middle line:84%
According to the
package documentation,

00:04:07.220 --> 00:04:10.010 align:middle line:84%
it is only intended to
be used in development.

00:04:10.010 --> 00:04:12.600 align:middle line:84%
But this is the only error
handling Juice Shop uses.

00:04:12.600 --> 00:04:17.959 align:middle line:90%


00:04:17.959 --> 00:04:20.000 align:middle line:84%
Still, according to
the documentation,

00:04:20.000 --> 00:04:22.400 align:middle line:84%
full error stack traces
and internal details

00:04:22.400 --> 00:04:24.230 align:middle line:84%
of any object passed
to this module

00:04:24.230 --> 00:04:27.140 align:middle line:90%
will be sent back to the client.

00:04:27.140 --> 00:04:30.230 align:middle line:84%
This makes sense, since we
didn't see any error log files

00:04:30.230 --> 00:04:33.350 align:middle line:84%
during the exploitation part,
and in several other sessions,

00:04:33.350 --> 00:04:38.950 align:middle line:84%
we got errors client-side
including such information.

00:04:38.950 --> 00:04:40.990 align:middle line:84%
Both successful and
failed login attempts

00:04:40.990 --> 00:04:44.500 align:middle line:84%
should be logged, as well as
input validation failures.

00:04:44.500 --> 00:04:47.170 align:middle line:84%
Such logs should include
sufficient user context

00:04:47.170 --> 00:04:49.840 align:middle line:84%
to identify suspicious
or malicious accounts,

00:04:49.840 --> 00:04:51.880 align:middle line:84%
and be held for sufficient
time to allow

00:04:51.880 --> 00:04:54.130 align:middle line:90%
delayed forensic analysis.

00:04:54.130 --> 00:04:55.990 align:middle line:84%
Choose standard
formats for logging,

00:04:55.990 --> 00:04:59.440 align:middle line:84%
enabling logs to be consumed
by a centralized log management

00:04:59.440 --> 00:05:01.130 align:middle line:90%
solution.

00:05:01.130 --> 00:05:03.770 align:middle line:84%
High value transactions
should have an audit trail

00:05:03.770 --> 00:05:07.280 align:middle line:84%
with integrity controls to
prevent tampering and deletion;

00:05:07.280 --> 00:05:10.790 align:middle line:84%
an append-only database table
or similar may be enough.

00:05:10.790 --> 00:05:12.530 align:middle line:84%
But nowadays, it
can take advantage

00:05:12.530 --> 00:05:16.130 align:middle line:84%
of other technologies,
such as blockchain.

00:05:16.130 --> 00:05:19.250 align:middle line:84%
Adopting a security incident
and event management solution

00:05:19.250 --> 00:05:21.920 align:middle line:84%
will certainly help implementing
effective monitoring

00:05:21.920 --> 00:05:23.030 align:middle line:90%
and alerting.

00:05:23.030 --> 00:05:26.120 align:middle line:84%
A dedicated team and a proper
incident response and recovery

00:05:26.120 --> 00:05:28.850 align:middle line:84%
plan will get your
organization in a better shape

00:05:28.850 --> 00:05:32.070 align:middle line:84%
to handle security
incidents appropriately.

00:05:32.070 --> 00:05:34.890 align:middle line:84%
This was the last session
of the OWASP Top 10 Security

00:05:34.890 --> 00:05:36.430 align:middle line:90%
Fundamentals course.

00:05:36.430 --> 00:05:38.010 align:middle line:84%
I hope you have
enjoyed our journey

00:05:38.010 --> 00:05:41.850 align:middle line:84%
through the top 10 most common
web application security risks.

00:05:41.850 --> 00:05:44.430 align:middle line:84%
You can continue practising
on OWASP Juice Shop.

00:05:44.430 --> 00:05:47.350 align:middle line:84%
There are several other
vulnerabilities to find.

00:05:47.350 --> 00:05:50.280 align:middle line:84%
Remember to check OWASP's
website at OWASP.org

00:05:50.280 --> 00:05:51.990 align:middle line:90%
and join your local chapter.

00:05:51.990 --> 00:05:53.540 align:middle line:90%
Cheers.

00:05:53.540 --> 00:05:55.000 align:middle line:90%