Presented at
AppSec USA 2015,
Sept. 23, 2015, 3:30 p.m.
(90 minutes).
Note: This is a two-day course running from Tues 2015-09-22 to Wed 2015-09-23.
The Model-View-Controller (MVC) pattern is adopted by many frameworks, and these frameworks are used by many business applications today because they bring structure and maintainability to the code. This training introduces the following design flaws, which apply to most standard and custom-designed MVC frameworks:
• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoor Parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities
The first day of the training covers the above-mentioned general design principles in custom-designed and Struts2 frameworks; on the second day, the Spring and ASP.NET MVC frameworks are analyzed.
The majority of the code in today's applications comes from libraries. According to a recent study by Contrast Security, 28% of library downloads have known vulnerabilities, and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.
Additionally, due to compatibility issues and lack of awareness, many applications are not upgraded to the secure framework/library versions, which poses a major risk to those applications. This training helps developers and security analysts identify framework-specific security vulnerabilities in their applications. Since vulnerabilities in frameworks and libraries are not usually covered in security assessments, this training is a good starting point.
The hands-on lab exercises use demo applications built on custom-designed frameworks and on vulnerable versions of Struts, Spring MVC and ASP.NET MVC. Vulnerabilities in these applications are showcased through real-world scenarios. Some of the framework-specific vulnerabilities included in the demo applications are the following:
• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework
All of the above-mentioned applications will be shared with attendees as a VMware image, which avoids delays caused by unwanted installations and dependency issues.
Who Should Take This Course?
• Professional pentesters who audit business applications designed using standard frameworks
• Design architects and developers who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks
This training imparts knowledge of secure design principles. It highlights what goes wrong in most custom MVC designs and when using standard MVC frameworks such as Spring, Hibernate and Struts. The training introduces design-related flaws, flaws associated with specific vulnerable framework versions, and their mitigations.
What Should Students Bring?
All students will be provided with VMware images pre-loaded with the applications and software needed for the lab exercises. Attendees are therefore expected to bring laptops with VMware Player or VMware Workstation installed.
Presenters:
Muhammed Noushad K - Senior Analyst and Team Lead - Paladion Networks
Muhammed Noushad K. has been working in information security for more than 6 years, with extensive experience in application security and secure code review. He has performed code reviews of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for the Struts and Spring frameworks, which are pivotal to performing efficient code reviews. He is also a frequent blogger for Paladion on application security topics such as thick client testing and web services. Currently, he is employed as a Security Researcher at Paladion Networks.