Holistic Info-Sec for Web Developers - Fascicle 1
Table of Contents
Foreword
Preface
Description
Purpose
Reason
Acknowledgements
Influences
Introduction
7. VPS
1. SSM Asset Identification
2. SSM Identify Risks
Forfeit Control thus Security
Windows
PsExec
Pass The Hash (PTH) suite of Metasploit Modules
PowerShell
PowerShell Exploitation via Executable C/- Psmsf
PowerShell Payload creation details
PowerShell Exploitation Evolution
PowerShell Exploitation via Office Documents C/- Nishang
Adding Persistence C/- Meterpreter
Adding Persistence C/- PowerSploit
Unnecessary and Vulnerable Services
Overly Permissive File Permissions, Ownership and Lack of Segmentation
Weak Password Strategies
Root Logins
SSH
Too Many Boot Options
Portmap
EXIM
NIS
Rpcbind
Telnet
FTP
NFS
Lack of Visibility
Docker
Consumption from Registries
Doppelganger Images
The Default User is Root
Docker Host, Engine and Containers
Namespaces
Control Groups
Capabilities
Linux Security Modules (LSM)
Seccomp
Read-only Containers
Application Security
Using Components with Known Vulnerabilities
Lack of Backup
Lack of Firewall
3. SSM Countermeasures
Forfeit Control thus Security
Windows
PsExec and Pass The Hash (PTH)
PowerShell Exploitation with Persistence
Minimise Attack Surface by Installing Only what you Need
Disable, Remove Services. Harden what is left
Partitioning on OS Installation
Apt Proxy Set-up
Review Password Strategies
Consider changing to Bcrypt
Password GRUB
Disable Root Logins from All Terminals
SSH
Symmetric Cryptosystems
Asymmetric Cryptosystems
Hashing
SSH Connection Procedure
Establishing your SSH Server's Key Fingerprint
Hardening SSH
Tunneling SSH
Disable Boot Options
Lock Down the Mounting of Partitions
Portmap
Disable, Remove Exim
Remove NIS
Rpcbind
Remove Telnet
Remove FTP
NFS
Lack of Visibility
Logging and Alerting
Web Server Log Management
System Loggers Reviewed
Aims
Environmental Considerations
Initial Set-Up
Improving the Strategy
Proactive Monitoring
Evaluation Criteria
Goals
Sysvinit, Upstart, systemd & Runit
forever
PM2
Supervisor
Monit
Passenger
Getting Started with Monit
Keep Monit Alive
Keep NodeJS Application Alive
Statistics Graphing
Collectd
Graphite
Assembling the Components
Host Intrusion Detection Systems (HIDS)
Tripwire
RkHunter
Chkrootkit
Unhide
Ossec
Stealth
Deeper with Ossec
Deeper with Stealth
Outcomes
Stealth Up and Running
Docker
Consumption from Registries
Doppelganger Images
The Default User is Root
Hardening Docker Host, Engine and Containers
Haskell Dockerfile Linter
Lynis
Docker Bench
CoreOS Clair
Banyanops collector
Anchore
TwistLock
Possible contenders to watch
Namespaces
Control Groups
Capabilities
Linux Security Modules (LSM)
Seccomp
Read-only Containers
runC and where it fits in
Using runC Standalone
Application Security
Using Components with Known Vulnerabilities
Schedule Backups
Host Firewall
Preparation for DMZ
Confirm DMZ has
Additional Web Server Preparation
Post DMZ Considerations
4. SSM Risks that Solution Causes
Forfeit Control thus Security
Windows
PsExec and Pass The Hash (PTH)
PowerShell Exploitation with Persistence
Minimise Attack Surface by Installing Only what you Need
Disable, Remove Services. Harden what is left
Partitioning on OS Installation
Review Password Strategies
SSH
Disable Boot Options
Mounting of Partitions
Portmap
Exim
Remove NIS
Rpcbind
Telnet
FTP
NFS
Lack of Visibility
Logging and Alerting
Web Server Log Management
Proactive Monitoring
Statistics Graphing
Host Intrusion Detection Systems (HIDS)
Docker
Linux Security Modules (LSM)
Schedule Backups
Host Firewall
5. SSM Costs and Trade-offs
Forfeit Control thus Security
Windows
PsExec and Pass The Hash (PTH)
PowerShell Exploitation with Persistence
Minimise Attack Surface by Installing Only what you Need
Disable, Remove Services. Harden what is left
Partitioning on OS Installation
Review Password Strategies
SSH
Disable Boot Options
Mounting of Partitions
Portmap
Exim
Remove NIS
Rpcbind
Telnet
FTP
NFS
Lack of Visibility
Logging and Alerting
Web Server Log Management
Proactive Monitoring
Statistics Graphing
Host Intrusion Detection Systems (HIDS)
Docker
Schedule Backups
Host Firewall
8. Network
1. SSM Asset Identification
2. SSM Identify Risks
Fortress Mentality
Lack of Segmentation
Lack of Visibility
Insufficient Logging
Lack of Network Intrusion Detection Systems (NIDS)
Spoofing
IP
ARP (Address Resolution Protocol)
DNS
Referrer
Email Address
Website
Data Exfiltration, Infiltration
Ingress and Egress Techniques
Dropbox
Physical
Mobile Phone Data
DNS, SSH
Doppelganger Domains
Websites
SMTP
SSH
Wrongfully Trusting the Loading of Untrusted Web Resources
TLS Downgrade
3. SSM Countermeasures
Fortress Mentality
Lack of Segmentation
Lack of Visibility
Insufficient Logging
Network Time Protocol (NTP)
Lack of Network Intrusion Detection Systems (NIDS)
Spoofing
IP
ARP (Address Resolution Protocol)
DNS
Referrer
Email Address
Website
Data Exfiltration, Infiltration
Dropbox
Physical
Mobile Phone Data
DNS, SSH
Doppelganger Domains
Websites
SMTP
SSH
Wrongfully Trusting the Loading of Untrusted Web Resources
Content Security Policy (CSP)
Sub-resource Integrity (SRI)
TLS Downgrade
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) Preload
X.509 Certificate Revocation Evolution
Initiative 1: Certificate Revocation List (CRL)
Initiative 2: Online Certificate Status Protocol (OCSP)
One of the Big Problems
Initiative 3: Welcome to OCSP Stapling
OCSP Stapling Problem
Initiative 4: Fix to the OCSP Stapling Problem
4. SSM Risks that Solution Causes
Fortress Mentality
Lack of Segmentation
Lack of Visibility
Insufficient Logging
Lack of Network Intrusion Detection Systems (NIDS)
Spoofing
IP
ARP (Address Resolution Protocol)
DNS
Referrer
Data Exfiltration, Infiltration
Dropbox
Physical
Mobile Phone Data
DNS, SSH
Doppelganger Domains
Wrongfully Trusting the Loading of Untrusted Web Resources
Content Security Policy (CSP)
Sub-resource Integrity (SRI)
TLS Downgrade
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) Preload
5. SSM Costs and Trade-offs
Fortress Mentality
Lack of Segmentation
Lack of Visibility
Insufficient Logging
Lack of Network Intrusion Detection Systems (NIDS)
Spoofing
Data Exfiltration, Infiltration
Dropbox
Physical
Mobile Phone Data
DNS, SSH
Doppelganger Domains
Wrongfully Trusting the Loading of Untrusted Web Resources
Content Security Policy (CSP)
Sub-resource Integrity (SRI)
TLS Downgrade
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) Preload
9. Cloud
1. SSM Asset Identification
Productivity
Competitive Advantage
Control
Data
2. SSM Identify Risks
Shared Responsibility Model
CSP Responsibility
CSP Customer Responsibility
CSP Evaluation
Cloud Service Provider vs In-house
Skills
EULA
Giving up Secrets
Location of Data
Vendor lock-in
Possible Single Points of Failure
Review Other Chapters
People
Application Security
Network Security
Violations of Least Privilege
Machine Instance Single User Root
CSP Account Single User Root
Storage of Secrets
Private Key Abuse
SSH
TLS
Credentials and Other Secrets
Entered by People (manually)
Entered by Software (automatically)
Serverless
Third Party Services
Perimeterless
Functions
DoS of Lambda Functions
Infrastructure and Configuration Management
AWS
Password-less sudo
3. SSM Countermeasures
Shared Responsibility Model
CSP Responsibility
CSP Customer Responsibility
CSP Evaluation
Cloud Service Provider vs In-house
Skills
EULA
Giving up Secrets
Location of Data
Vendor lock-in
Possible Single Points of Failure
Review Other Chapters
People
Application Security
Network Security
Violations of Least Privilege
Machine Instance Single User Root
CSP Account Single User Root
Storage of Secrets
Private Key Abuse
SSH
TLS
Credentials and Other Secrets
Entered by People (manually)
Entered by Software (automatically)
Serverless
Third Party Services
Perimeterless
Functions
DoS of Lambda Functions
Centralised logging of AWS Lambda Functions
Frameworks
Infrastructure and Configuration Management
AWS
Password-less sudo
Additional Tooling
4. SSM Risks that Solution Causes
Shared Responsibility Model
CSP Evaluation
Cloud Service Provider vs In-house
People
Application Security
Network Security
Violations of Least Privilege
Storage of Secrets
Private Key Abuse
SSH
TLS
Credentials and Other Secrets
Entered by People (manually)
Entered by Software (automatically)
Serverless
Functions
DoS of Lambda Functions
Frameworks
Infrastructure and Configuration Management
AWS
Additional Tooling
5. SSM Costs and Trade-offs
Shared Responsibility Model
CSP Evaluation
Cloud Service Provider vs In-house
People
Application Security
Network Security
Violations of Least Privilege
Storage of Secrets
Private Key Abuse
SSH
TLS
Credentials and Other Secrets
Entered by People (manually)
Entered by Software (automatically)
Serverless
Functions
DoS of Lambda Functions
Frameworks
Infrastructure and Configuration Management
AWS
Additional Tooling
10. Web Applications
1. SSM Asset Identification
2. SSM Identify Risks
Lack of Visibility
Insufficient Logging and Monitoring
Lack of Input Validation, Filtering and Sanitisation
Generic
What is Validation
What is Filtering
What is Sanitisation
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Injection
SQLi
NoSQLi
Command Injection
XML Injection
XSLT Injection
XPath Injection
XQuery Injection
LDAP Injection
Captcha
Management of Application Secrets
Data-store Compromise
Cracking
Lack of Authentication, Authorisation and Session Management
What is Authentication
What is Authorisation
Cryptography on the Client (AKA Untrusted Crypto)
Consuming Free and Open Source
Insufficient Attack Protection
Lack of Active Automated Prevention
3. SSM Countermeasures
Lack of Visibility
Insufficient Logging
Opening UDP port
Using Posix
Insufficient Monitoring
Dark Cockpit
Statistics Graphing
Lack of Input Validation, Filtering and Sanitisation
Generic
Types of Escaping
Example in JavaScript and C#
Example in JavaScript and NodeJS
Other things to think about
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Injection
SQLi
NoSQLi
Command Injection
XML Injection
XSLT Injection
XPath Injection
XQuery Injection
LDAP Injection
Captcha
Types
Offerings
Alternative Approaches
Still Not Cutting it
User Time Expenditure
Bot Pot
Testing
Management of Application Secrets
Store Configuration in Configuration files
node-config
Windows
Linux
Least Privilege
Location
Data-store Compromise
Which KDF to use?
Caching of Sensitive Data
Cracking
Lack of Authentication, Authorisation and Session Management
Chosen Technologies
Technology and Design Decisions
Reference Token vs JSON Web Token (JWT)
IdentityServer3
MembershipReboot
External Identity Providers
Architecture
Securing Sessions
Cryptography on the Client (AKA Untrusted Crypto)
Web Cryptography API
user agent
[[handle]]
CryptoKey
(Web API interface)
The other two Web Crypto API interfaces
Crypto (Web API interface)
SubtleCrypto (Web API interface)
Cloud Storage
Protected Data and Document Exchange
Consuming Free and Open Source
Process
Consumption is Your Responsibility
Keeping Safe
wget, curl, etc
npm install
Doppelganger Packages
Whitelisting Packages via npm Enterprise
Tooling
npm-outdated
npm-check
David
RetireJS
requireSafe
bithound
Node Security Platform (NSP)
Snyk
Insufficient Attack Protection
Web Application Firewall (WAF)
Application Intrusion Detection and Response
Active Automated Prevention
4. SSM Risks that Solution Causes
Lack of Visibility
Insufficient Logging and Monitoring
Lack of Input Validation, Filtering and Sanitisation
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Injection
SQLi
NoSQLi
Command Injection
XML Injection
XSLT Injection
XPath Injection
XQuery Injection
LDAP Injection
Captcha
Management of Application Secrets
Store Configuration in Configuration files
node-config
Windows
Linux
Least Privilege
Location
Data-store Compromise
Lack of Authentication, Authorisation and Session Management
Cryptography on the Client (AKA Untrusted Crypto)
Consuming Free and Open Source
Process
Tooling
Insufficient Attack Protection
5. SSM Costs and Trade-offs
Lack of Visibility
Insufficient Logging and Monitoring
Lack of Input Validation, Filtering and Sanitisation
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Injection
SQLi
NoSQLi
Command Injection
XML Injection
XSLT Injection
XPath Injection
XQuery Injection
LDAP Injection
Captcha
Management of Application Secrets
Store Configuration in Configuration files
Windows
Linux
Least Privilege
Location
Data-store Compromise
Lack of Authentication, Authorisation and Session Management
Cryptography on the Client (AKA Untrusted Crypto)
Consuming Free and Open Source
Insufficient Attack Protection
Additional Resources
VPS
Network
Cloud
Web Applications
Attributions
Introduction
VPS
Network
Cloud
Web Applications
© 2015 - 2017 Kim Carter