WEBVTT 00:00:00.000 --> 00:00:06.810 align:middle line:90% 00:00:06.810 --> 00:00:08.820 align:middle line:84% Welcome to the third and last part of Security 00:00:08.820 --> 00:00:10.260 align:middle line:90% Misconfiguration session. 00:00:10.260 --> 00:00:13.110 align:middle line:84% In this part, we will discuss security misconfiguration 00:00:13.110 --> 00:00:13.980 align:middle line:90% mitigation. 00:00:13.980 --> 00:00:15.570 align:middle line:84% We will start discussing what makes 00:00:15.570 --> 00:00:17.340 align:middle line:84% an application vulnerable, and then we 00:00:17.340 --> 00:00:20.220 align:middle line:84% will hunt OWASP Juice Shop vulnerable source code. 00:00:20.220 --> 00:00:22.620 align:middle line:84% Before closing this session, we will discuss how 00:00:22.620 --> 00:00:24.930 align:middle line:90% to avoid such vulnerabilities. 00:00:24.930 --> 00:00:29.100 align:middle line:84% Only required services, ports, pages, accounts, and privileges 00:00:29.100 --> 00:00:30.870 align:middle line:90% should be installed and enabled. 00:00:30.870 --> 00:00:33.240 align:middle line:84% Otherwise, the attacks you face will be wider 00:00:33.240 --> 00:00:35.550 align:middle line:90% and more difficult to protect. 00:00:35.550 --> 00:00:37.710 align:middle line:84% Typically, default accounts and their passwords 00:00:37.710 --> 00:00:40.557 align:middle line:84% are public knowledge since they are documented. 00:00:40.557 --> 00:00:42.390 align:middle line:84% Deploying the application with such accounts 00:00:42.390 --> 00:00:45.720 align:middle line:84% enabled leave the door wide open to attackers. 00:00:45.720 --> 00:00:47.580 align:middle line:84% Overly informative error messages 00:00:47.580 --> 00:00:49.320 align:middle line:84% provide attackers better understanding 00:00:49.320 --> 00:00:52.140 align:middle line:90% of the target application. 00:00:52.140 --> 00:00:54.580 align:middle line:84% Security settings of some system components, 00:00:54.580 --> 00:00:57.270 align:middle line:84% such as application frameworks or databases, 00:00:57.270 --> 00:01:00.000 align:middle line:90% are not set to secure values. 00:01:00.000 --> 00:01:03.090 align:middle line:84% Latest security features are missing, disabled, or not 00:01:03.090 --> 00:01:04.440 align:middle line:90% configured securely. 00:01:04.440 --> 00:01:07.050 align:middle line:84% All this leaves the application vulnerable. 00:01:07.050 --> 00:01:09.690 align:middle line:84% If the server does not send appropriate security headers 00:01:09.690 --> 00:01:12.720 align:middle line:84% or directives, or they are not set to secure values, 00:01:12.720 --> 00:01:15.420 align:middle line:84% then both the client and client server communication 00:01:15.420 --> 00:01:17.450 align:middle line:90% are at risk. 00:01:17.450 --> 00:01:19.330 align:middle line:84% Let's have a look at the source code. 00:01:19.330 --> 00:01:22.300 align:middle line:84% From projects page, we will jump straight to GitHub repo. 00:01:22.300 --> 00:01:27.090 align:middle line:90% 00:01:27.090 --> 00:01:29.160 align:middle line:84% Let's first check the security misconfiguration 00:01:29.160 --> 00:01:30.330 align:middle line:90% in the login endpoint. 00:01:30.330 --> 00:02:00.730 align:middle line:90% 00:02:00.730 --> 00:02:02.530 align:middle line:84% POST requests to the login endpoint 00:02:02.530 --> 00:02:04.195 align:middle line:84% are handled by the login function. 00:02:04.195 --> 00:02:09.330 align:middle line:90% 00:02:09.330 --> 00:02:12.880 align:middle line:84% This fuction is provided by the login.js file in the root 00:02:12.880 --> 00:02:13.380 align:middle line:90% folder. 00:02:13.380 --> 00:02:31.110 align:middle line:90% 00:02:31.110 --> 00:02:34.330 align:middle line:84% This is where everything happens. 00:02:34.330 --> 00:02:37.120 align:middle line:84% First, the sequelized query, which returns a promise. 00:02:37.120 --> 00:02:40.840 align:middle line:90% 00:02:40.840 --> 00:02:44.040 align:middle line:84% If the query succeeds returning zero or more records, 00:02:44.040 --> 00:02:45.780 align:middle line:90% then execution continues here. 00:02:45.780 --> 00:02:48.890 align:middle line:90% 00:02:48.890 --> 00:02:51.800 align:middle line:84% When the sequelized query fails with an error, 00:02:51.800 --> 00:02:53.750 align:middle line:84% then it is caught here, and the error 00:02:53.750 --> 00:02:57.500 align:middle line:90% passed to the express framework. 00:02:57.500 --> 00:03:00.350 align:middle line:84% We need to see how the framework is handling error. 00:03:00.350 --> 00:03:02.600 align:middle line:84% Let's get back to the server.js file. 00:03:02.600 --> 00:03:30.340 align:middle line:90% 00:03:30.340 --> 00:03:31.960 align:middle line:84% This is the error and link setup. 00:03:31.960 --> 00:03:38.040 align:middle line:90% 00:03:38.040 --> 00:03:48.790 align:middle line:84% Errors are handled by the error handler middleware, 00:03:48.790 --> 00:03:52.300 align:middle line:84% and the error handler middleware is provided by the npm error 00:03:52.300 --> 00:03:53.350 align:middle line:90% handler package. 00:03:53.350 --> 00:03:55.618 align:middle line:90% Let's check its documentation. 00:03:55.618 --> 00:04:24.968 align:middle line:90% 00:04:24.968 --> 00:04:27.010 align:middle line:84% Reading the first line should give us a good idea 00:04:27.010 --> 00:04:28.340 align:middle line:90% of what is going on. 00:04:28.340 --> 00:04:30.460 align:middle line:84% This is a development only middleware. 00:04:30.460 --> 00:04:44.740 align:middle line:90% 00:04:44.740 --> 00:04:47.590 align:middle line:84% Then it continues, full error stack traces 00:04:47.590 --> 00:04:49.300 align:middle line:84% and internal details of any object 00:04:49.300 --> 00:04:52.900 align:middle line:84% passed to this middleware will be sent back to the client. 00:04:52.900 --> 00:04:55.510 align:middle line:84% Of course, this is not the right error handler middleware 00:04:55.510 --> 00:04:59.010 align:middle line:84% to have in a production environment. 00:04:59.010 --> 00:05:01.610 align:middle line:84% Let's get back to the repo and check the misconfiguration we 00:05:01.610 --> 00:05:03.050 align:middle line:90% found in the Complaint feature. 00:05:03.050 --> 00:05:28.660 align:middle line:90% 00:05:28.660 --> 00:05:30.970 align:middle line:84% Complaints file uploads are handled here. 00:05:30.970 --> 00:05:48.140 align:middle line:90% 00:05:48.140 --> 00:05:50.690 align:middle line:84% The root is passed several middleware functions, 00:05:50.690 --> 00:05:54.395 align:middle line:84% but XML uploads are handled by the Handle XML Upload function. 00:05:54.395 --> 00:06:33.310 align:middle line:90% 00:06:33.310 --> 00:06:35.170 align:middle line:84% This is interesting, it looks like that, 00:06:35.170 --> 00:06:37.690 align:middle line:84% to disable the feature, someone can do the implementation 00:06:37.690 --> 00:06:41.590 align:middle line:84% and force returning the 410 status code error with a custom 00:06:41.590 --> 00:06:46.810 align:middle line:84% message, leaving the original implementation untouched. 00:06:46.810 --> 00:06:50.140 align:middle line:90% Let's discuss mitigation. 00:06:50.140 --> 00:06:52.480 align:middle line:84% An automated and repeatable hardening process 00:06:52.480 --> 00:06:55.090 align:middle line:84% will allow you to create similar environments. 00:06:55.090 --> 00:06:57.640 align:middle line:84% Note that accounts should be different or at least use 00:06:57.640 --> 00:06:59.560 align:middle line:90% different credentials. 00:06:59.560 --> 00:07:01.570 align:middle line:84% Deploy only what is really required 00:07:01.570 --> 00:07:04.180 align:middle line:84% without any unnecessary features, components, 00:07:04.180 --> 00:07:06.400 align:middle line:90% documentation, and samples. 00:07:06.400 --> 00:07:08.500 align:middle line:84% Security configurations of every component 00:07:08.500 --> 00:07:11.920 align:middle line:84% should be reviewed and updated as part of the patch management 00:07:11.920 --> 00:07:15.050 align:middle line:84% process, in particular, cloud storage permissions. 00:07:15.050 --> 00:07:20.040 align:middle line:84% Orphan AWS S3 buckets lead to subdomain takeover. 00:07:20.040 --> 00:07:21.840 align:middle line:84% Segmented application architectures 00:07:21.840 --> 00:07:23.580 align:middle line:84% provide effective secure separation 00:07:23.580 --> 00:07:25.770 align:middle line:90% between components or tenants. 00:07:25.770 --> 00:07:27.720 align:middle line:84% Containerisation and cloud security groups 00:07:27.720 --> 00:07:30.460 align:middle line:90% make the task easier. 00:07:30.460 --> 00:07:33.640 align:middle line:84% Enforce client side security, configuring security headers 00:07:33.640 --> 00:07:37.520 align:middle line:84% with secure values to be sent as part of responses. 00:07:37.520 --> 00:07:39.410 align:middle line:84% Security settings and configurations 00:07:39.410 --> 00:07:44.250 align:middle line:84% should be continuously verified and tested in all environments. 00:07:44.250 --> 00:07:46.410 align:middle line:84% In our next session, we will discuss 00:07:46.410 --> 00:07:48.840 align:middle line:90% XSS or Cross-Site Scripting. 00:07:48.840 --> 00:07:51.270 align:middle line:84% Until then, take your time to carefully read 00:07:51.270 --> 00:07:55.400 align:middle line:84% the Security Misconfiguration section of OWASP Top 10. 00:07:55.400 --> 00:07:57.000 align:middle line:90%