WEBVTT

00:00:00.000 --> 00:00:06.550 align:middle line:90%


00:00:06.550 --> 00:00:09.610 align:middle line:84%
Welcome to Sensitive
Data Exposure session.

00:00:09.610 --> 00:00:13.030 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:13.030 --> 00:00:15.940 align:middle line:84%
We will take our time to dig
into sensitive data exposure

00:00:15.940 --> 00:00:17.290 align:middle line:90%
flaws details.

00:00:17.290 --> 00:00:20.650 align:middle line:84%
Then we will discuss how
the system can be harmed,

00:00:20.650 --> 00:00:22.780 align:middle line:84%
the impact of
successful exploitation,

00:00:22.780 --> 00:00:25.000 align:middle line:84%
and give you some
insights to identify who

00:00:25.000 --> 00:00:27.100 align:middle line:90%
may want to harm your system.

00:00:27.100 --> 00:00:29.080 align:middle line:84%
Unfortunately, data
leaks are becoming

00:00:29.080 --> 00:00:30.460 align:middle line:90%
more and more frequent.

00:00:30.460 --> 00:00:33.830 align:middle line:84%
Whether data is sensitive is
in general business-specific,

00:00:33.830 --> 00:00:36.460 align:middle line:84%
but there are some data
categories considered sensitive

00:00:36.460 --> 00:00:39.280 align:middle line:84%
in nature, such as
authentication credentials,

00:00:39.280 --> 00:00:42.310 align:middle line:84%
credit card details,
and health records.

00:00:42.310 --> 00:00:44.740 align:middle line:84%
Whenever data isn't
properly protected

00:00:44.740 --> 00:00:47.560 align:middle line:84%
at rest or in transit,
either internally

00:00:47.560 --> 00:00:50.080 align:middle line:84%
or over the
internet, then we're

00:00:50.080 --> 00:00:52.840 align:middle line:84%
dealing with a sensitive
data exposure flaw.

00:00:52.840 --> 00:00:55.870 align:middle line:90%
Let me show you something.

00:00:55.870 --> 00:00:57.940 align:middle line:84%
This is a very simple
sensitive data exposure

00:00:57.940 --> 00:01:01.550 align:middle line:84%
scenario in our intentionally
vulnerable web application.

00:01:01.550 --> 00:01:05.129 align:middle line:84%
In the second part we will
exploit this and other issues.

00:01:05.129 --> 00:01:10.080 align:middle line:84%
Notice that we access Juice
Shop over HTTP and not HTTPS.

00:01:10.080 --> 00:01:12.000 align:middle line:84%
This is how it works
by design, but it

00:01:12.000 --> 00:01:13.740 align:middle line:84%
makes it possible
for someone sitting

00:01:13.740 --> 00:01:15.750 align:middle line:84%
between the client
and the server

00:01:15.750 --> 00:01:20.010 align:middle line:84%
to spy, exfiltrate, or
tamper with exchanged data.

00:01:20.010 --> 00:01:23.130 align:middle line:84%
As you can see, the credit card
number is masked on the screen,

00:01:23.130 --> 00:01:25.480 align:middle line:90%
giving you a sense of security.

00:01:25.480 --> 00:01:29.270 align:middle line:84%
Let's see how client and
server exchange this data.

00:01:29.270 --> 00:01:31.070 align:middle line:84%
At the bottom of
the screen, you can

00:01:31.070 --> 00:01:34.790 align:middle line:84%
see that the server sent all
credit card details, including

00:01:34.790 --> 00:01:37.910 align:middle line:84%
the number masked on the
screen, in plaintext.

00:01:37.910 --> 00:01:39.800 align:middle line:84%
This means that if
there's someone sitting

00:01:39.800 --> 00:01:41.870 align:middle line:84%
between our browser
and the server,

00:01:41.870 --> 00:01:45.500 align:middle line:84%
then such an actor already has
our credit card details.

00:01:45.500 --> 00:01:48.560 align:middle line:84%
Probably you'll realise that
at least your internet service

00:01:48.560 --> 00:01:51.210 align:middle line:84%
provider is always
in such a position,

00:01:51.210 --> 00:01:55.040 align:middle line:84%
but proxy servers and content
delivery networks are also

00:01:55.040 --> 00:01:57.800 align:middle line:84%
common entities between
our browsers and the web

00:01:57.800 --> 00:02:01.440 align:middle line:90%
application backend servers.

00:02:01.440 --> 00:02:05.640 align:middle line:84%
The credit card issue was quite
obvious, but it happens a lot.

00:02:05.640 --> 00:02:08.220 align:middle line:84%
Sometimes you have to
exploit other vulnerabilities

00:02:08.220 --> 00:02:11.220 align:middle line:84%
to uncover unprotected
data, such as authentication

00:02:11.220 --> 00:02:13.600 align:middle line:90%
data stored in the database.

00:02:13.600 --> 00:02:15.330 align:middle line:84%
We will do it in
the second part,

00:02:15.330 --> 00:02:18.450 align:middle line:84%
but first let's
discuss attack vectors.

00:02:18.450 --> 00:02:21.000 align:middle line:84%
Attackers may not even need
to touch your application

00:02:21.000 --> 00:02:22.950 align:middle line:90%
to gather some sensitive data.

00:02:22.950 --> 00:02:25.260 align:middle line:84%
Quite often, default
credentials, keys,

00:02:25.260 --> 00:02:28.500 align:middle line:84%
and other tokens are pushed
to public repositories.

00:02:28.500 --> 00:02:30.390 align:middle line:84%
In other cases,
search engines are

00:02:30.390 --> 00:02:33.120 align:middle line:84%
enough to reach database
backup files, logs,

00:02:33.120 --> 00:02:35.340 align:middle line:90%
or other sensitive documents.

00:02:35.340 --> 00:02:37.410 align:middle line:84%
Sitting between the
client and the server

00:02:37.410 --> 00:02:40.110 align:middle line:84%
is a privileged position
to access sensitive data,

00:02:40.110 --> 00:02:43.140 align:middle line:84%
but with the widespread
adoption of HTTPS,

00:02:43.140 --> 00:02:45.870 align:middle line:84%
attackers had to
develop new techniques.

00:02:45.870 --> 00:02:48.180 align:middle line:84%
Client-side attacks, such
as man-in-the-browser

00:02:48.180 --> 00:02:50.430 align:middle line:84%
or scraping, are
common techniques

00:02:50.430 --> 00:02:52.380 align:middle line:90%
to gather sensitive data.

00:02:52.380 --> 00:02:55.530 align:middle line:84%
Directly attacking cryptography
is not an easy task,

00:02:55.530 --> 00:02:59.970 align:middle line:84%
unless you're using old or weak
algorithms or default, leaked,

00:02:59.970 --> 00:03:01.860 align:middle line:90%
or weak cryptographic keys.

00:03:01.860 --> 00:03:05.450 align:middle line:84%
And unfortunately, this
happens quite often.

00:03:05.450 --> 00:03:08.330 align:middle line:84%
When sensitive data is
exfiltrated from your system,

00:03:08.330 --> 00:03:10.970 align:middle line:84%
it is very likely that
sooner or later, it

00:03:10.970 --> 00:03:13.910 align:middle line:84%
will be available on the
internet or dark web.

00:03:13.910 --> 00:03:16.490 align:middle line:84%
Depending on the system's
nature, exposed data

00:03:16.490 --> 00:03:18.950 align:middle line:84%
may allow attackers to
perpetrate social engineering

00:03:18.950 --> 00:03:21.410 align:middle line:84%
attacks, impersonating
your users.

00:03:21.410 --> 00:03:23.660 align:middle line:84%
Depending on the
exposed data, attackers

00:03:23.660 --> 00:03:26.120 align:middle line:84%
might be able to perpetrate
some kind of fraud,

00:03:26.120 --> 00:03:28.100 align:middle line:84%
taking advantage of
systems' inability

00:03:28.100 --> 00:03:32.030 align:middle line:84%
to distinguish between malicious
activity and a legit one.

00:03:32.030 --> 00:03:35.180 align:middle line:84%
Law enforcement is not exactly
a technical impact, but rather

00:03:35.180 --> 00:03:36.470 align:middle line:90%
a business impact.

00:03:36.470 --> 00:03:38.660 align:middle line:84%
Nevertheless, due to
data protection laws

00:03:38.660 --> 00:03:41.150 align:middle line:84%
and regulations,
failing to protect data

00:03:41.150 --> 00:03:43.520 align:middle line:90%
may result in huge losses.

00:03:43.520 --> 00:03:46.040 align:middle line:84%
There are autonomous systems
crawling the web searching

00:03:46.040 --> 00:03:49.070 align:middle line:84%
for publicly accessible data,
scanning public source code

00:03:49.070 --> 00:03:52.460 align:middle line:84%
repositories for leaked secrets
or authentication tokens,

00:03:52.460 --> 00:03:54.260 align:middle line:90%
and they have become very popular.

00:03:54.260 --> 00:03:57.650 align:middle line:84%
Access to sensitive data does
not mean sophisticated tools

00:03:57.650 --> 00:04:00.500 align:middle line:84%
and techniques; using a
search engine might be enough,

00:04:00.500 --> 00:04:03.020 align:middle line:90%
and virtually anyone can do it.

00:04:03.020 --> 00:04:05.960 align:middle line:84%
Your data will always
be available to someone.

00:04:05.960 --> 00:04:09.800 align:middle line:84%
Attackers know that, and this
is why ransom became so popular,

00:04:09.800 --> 00:04:13.310 align:middle line:84%
and lots of leaked data is
available for sale online.

00:04:13.310 --> 00:04:16.100 align:middle line:84%
Keep in mind that those
inside your organization

00:04:16.100 --> 00:04:19.370 align:middle line:84%
may have privileged access
to sensitive information.

00:04:19.370 --> 00:04:23.530 align:middle line:84%
There are different motivations,
and they can change over time.

00:04:23.530 --> 00:04:25.990 align:middle line:84%
You'll find this table
in the OWASP Top 10.

00:04:25.990 --> 00:04:28.380 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:04:28.380 --> 00:04:30.930 align:middle line:90%


00:04:30.930 --> 00:04:33.860 align:middle line:84%
In the next part, we will
exploit our target application

00:04:33.860 --> 00:04:36.640 align:middle line:90%
to reach some sensitive data.

00:04:36.640 --> 00:04:38.000 align:middle line:90%