Here are some of the notes I took while attending a 4 day secure coding workshop. Even though I've read about many of these things before, getting hands-on experience in exploiting them was a real eye opener for me.
Hands on hacking
OWASP has created a container you can run and hack, exploiting the most common web app vulnerabilities. A good accompanying slide deck explaining these techniques is also available.
Through these tasks in the dojo, you get to learn and exploit several of the CWE Top 25 vulnerabilities.
SSL is secure, right?
- DEF CON 17 - Moxie Marlinspike - More Tricks for Defeating SSL
- DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity
SSL strip
sslstrip is a tool that exploits the fact that many users connect to the http version of the website first, before they're redirected by the web server to the https version.
To protect against sslstrip attacks, we can use HSTS.
Passwords
You can gauge how long it'll take to crack your password by visiting this website and entering your password.
tl;dr:
I love sugar drinks and cupcakes
can be more secure than
so#$%efoR
Common passwords
Rainbow tables are pre-computed tables of hashes generated with the most popular algorithms. This means that if you have the hash of a password, but not the password itself, you can search the rainbow tables on this website to recover the password.
The way to mitigate this is to use a salt, so that the hashes differ even for the same password.
The Register also has an interesting article about the most common passwords here.
Store salt and hash together
auth0.com says we should have a salt per hash, and store these together in the db:
In practice, we store the salt in cleartext along with the hash in our database. We would store the salt f1nd1ngn3m0, the hash 07dbb6e6832da0841dd79701200e4b179f1a94a7b3dd26f612817f3c03117434, and the username together so that when the user logs in, we can lookup the username, append the salt to the provided password, hash it, and then verify if the stored hash matches the computed hash.
| username | salt     | hash               |
|----------|----------|--------------------|
| john     | jkbPo$#% | acbd18db4cc2f85ced |
See the auth0.com article for further details.
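As an added example (not from the workshop or the auth0 article), here is the per-user salt scheme quoted above in Python: a random salt is generated at registration, stored next to the hash, and reused at login to recompute and compare. It uses SHA-256 over password + salt to match the quoted text; the in-memory `USERS` dict stands in for the database table, and the user names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the users table shown above:
# username -> (salt, hash). Salt is stored in cleartext next to the hash.
USERS = {}

def hash_password(password: str, salt: str) -> str:
    """SHA-256 of password + salt, the scheme described in the quoted text.
    A slow, tunable KDF (e.g. hashlib.pbkdf2_hmac) is the stronger choice in
    production; plain SHA-256 is used here only to mirror the page."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def register(username: str, password: str) -> tuple:
    """Create a fresh random salt for this user and store salt + hash together."""
    salt = secrets.token_hex(8)  # 16 hex chars, unique per user
    digest = hash_password(password, salt)
    USERS[username] = (salt, digest)
    return salt, digest

def verify(username: str, password: str) -> bool:
    """Look up the user's salt, recompute the hash and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes, and
    neither equals the unsalted hash, so a table precomputed from bare
    passwords (a rainbow table) matches neither entry."""
    _, h1 = register("alice", password)
    _, h2 = register("bob", password)
    return h1 != h2 and hash_password(password, "") not in (h1, h2)
```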