WEBVTT

00:00:00.000 --> 00:00:06.880 align:middle line:90%


00:00:06.880 --> 00:00:09.790 align:middle line:84%
Welcome to the third and last
part of Sensitive Data Exposure

00:00:09.790 --> 00:00:11.230 align:middle line:90%
session.

00:00:11.230 --> 00:00:13.600 align:middle line:84%
In this part, we will
discuss sensitive data

00:00:13.600 --> 00:00:15.340 align:middle line:90%
exposure mitigation.

00:00:15.340 --> 00:00:17.080 align:middle line:84%
We will start
discussing what makes

00:00:17.080 --> 00:00:19.120 align:middle line:84%
an application
vulnerable, and then we

00:00:19.120 --> 00:00:22.090 align:middle line:84%
will hunt OWASP Juice Shop
vulnerable source code.

00:00:22.090 --> 00:00:26.440 align:middle line:84%
Then, we will discuss how to
avoid such vulnerabilities.

00:00:26.440 --> 00:00:30.650 align:middle line:84%
Let's have a look at what
makes Juice Shop vulnerable.

00:00:30.650 --> 00:00:32.750 align:middle line:84%
From OWASP Juice
Shop project page,

00:00:32.750 --> 00:00:34.655 align:middle line:84%
we can jump directly
to the GitHub repo.

00:00:34.655 --> 00:00:42.560 align:middle line:90%


00:00:42.560 --> 00:00:44.630 align:middle line:84%
Let's first check how
credit card details

00:00:44.630 --> 00:00:45.920 align:middle line:90%
are handled by the server.

00:00:45.920 --> 00:01:06.400 align:middle line:90%


00:01:06.400 --> 00:01:09.310 align:middle line:84%
Cards should be handled
by the Finale package,

00:01:09.310 --> 00:01:12.070 align:middle line:84%
and all operations passed
directly to the card model.

00:01:12.070 --> 00:01:48.580 align:middle line:90%


00:01:48.580 --> 00:01:51.400 align:middle line:84%
The card model implementation
has just the schema,

00:01:51.400 --> 00:01:54.250 align:middle line:84%
meaning that no operations
are performed on user inputs

00:01:54.250 --> 00:01:57.710 align:middle line:84%
before being stored or
read from the database.

00:01:57.710 --> 00:01:59.836 align:middle line:84%
Let's check the
front end components.

00:01:59.836 --> 00:02:45.060 align:middle line:90%


00:02:45.060 --> 00:02:47.355 align:middle line:84%
Now we know where the credit
card number is masked.

00:02:47.355 --> 00:02:50.790 align:middle line:90%


00:02:50.790 --> 00:02:52.860 align:middle line:84%
Let's now have a look
at the Search feature

00:02:52.860 --> 00:02:55.938 align:middle line:84%
to see the source code
vulnerable to SQL injection.

00:02:55.938 --> 00:03:53.790 align:middle line:90%


00:03:53.790 --> 00:03:56.170 align:middle line:84%
As seen in our first
session, we have,

00:03:56.170 --> 00:03:59.280 align:middle line:84%
again, a SQL query template
interpolated with user

00:03:59.280 --> 00:04:01.365 align:middle line:84%
provided data without
proper escaping.

00:04:01.365 --> 00:04:06.620 align:middle line:90%


00:04:06.620 --> 00:04:08.510 align:middle line:84%
You can now better
understand the need

00:04:08.510 --> 00:04:11.360 align:middle line:90%
for brackets in our payload.

00:04:11.360 --> 00:04:14.750 align:middle line:84%
Let's move forward and see how
passwords are stored on signup.

00:04:14.750 --> 00:04:29.780 align:middle line:90%


00:04:29.780 --> 00:04:32.540 align:middle line:84%
We're looking for requests
submitted to users' endpoints.

00:04:32.540 --> 00:04:43.450 align:middle line:90%


00:04:43.450 --> 00:04:46.720 align:middle line:84%
Apparently, signup is
handled by the Finale package

00:04:46.720 --> 00:04:48.730 align:middle line:84%
passing data directly
to the user model.

00:04:48.730 --> 00:05:01.970 align:middle line:90%


00:05:01.970 --> 00:05:02.810 align:middle line:90%
Let's have a look.

00:05:02.810 --> 00:05:27.580 align:middle line:90%


00:05:27.580 --> 00:05:29.200 align:middle line:84%
Okay, the password
hash is computed

00:05:29.200 --> 00:05:31.840 align:middle line:84%
when setting the user model's
password property value.

00:05:31.840 --> 00:05:37.030 align:middle line:90%


00:05:37.030 --> 00:05:39.860 align:middle line:84%
The insecurity hash
function is used.

00:05:39.860 --> 00:05:40.630 align:middle line:90%
Let's check it.

00:05:40.630 --> 00:06:01.120 align:middle line:90%


00:06:01.120 --> 00:06:04.600 align:middle line:84%
Finally, we have found how
password hashes are computed

00:06:04.600 --> 00:06:09.800 align:middle line:84%
using MD5 with no
salt. Let's discuss

00:06:09.800 --> 00:06:13.510 align:middle line:90%
how to mitigate these issues.

00:06:13.510 --> 00:06:18.100 align:middle line:84%
Start classifying all processed,
stored, and transmitted data.

00:06:18.100 --> 00:06:20.590 align:middle line:84%
Identify which data
is sensitive according

00:06:20.590 --> 00:06:24.250 align:middle line:84%
to privacy laws, regulations,
and business needs,

00:06:24.250 --> 00:06:26.050 align:middle line:84%
then apply the
appropriate controls

00:06:26.050 --> 00:06:28.060 align:middle line:90%
as per the classification.

00:06:28.060 --> 00:06:31.120 align:middle line:84%
Data that is not retained
cannot be stolen.

00:06:31.120 --> 00:06:33.730 align:middle line:84%
Discard the unnecessary
data as soon as possible,

00:06:33.730 --> 00:06:35.680 align:middle line:84%
or use tokenization
or truncation

00:06:35.680 --> 00:06:38.140 align:middle line:84%
to avoid sensitive
data exposure.

00:06:38.140 --> 00:06:41.650 align:middle line:84%
Choose up-to-date and strong
standard algorithms, protocols,

00:06:41.650 --> 00:06:42.820 align:middle line:90%
and keys.

00:06:42.820 --> 00:06:45.190 align:middle line:90%
Encrypt sensitive data at rest.

00:06:45.190 --> 00:06:48.460 align:middle line:84%
For passwords, use strong
adaptive and salted hashing

00:06:48.460 --> 00:06:49.510 align:middle line:90%
functions.

00:06:49.510 --> 00:06:54.100 align:middle line:84%
For in-transit data, use
secure protocols such as TLS.

00:06:54.100 --> 00:06:58.090 align:middle line:84%
Disable caching for responses
that contain sensitive data.

00:06:58.090 --> 00:07:01.510 align:middle line:84%
In our next session,
we will discuss XXE,

00:07:01.510 --> 00:07:04.360 align:middle line:90%
XML External Entities, flaws.

00:07:04.360 --> 00:07:06.910 align:middle line:84%
Until then, take your
time to carefully read

00:07:06.910 --> 00:07:11.010 align:middle line:84%
the Sensitive Data Exposure
section of OWASP Top 10.

00:07:11.010 --> 00:07:12.000 align:middle line:90%