secure-web.dev.otesuto.com
137.184.250.97

URL: https://secure-web.dev.otesuto.com/
Submission: On November 28 via automatic, source certstream-suspicious — Scanned from SG

Form analysis: 0 forms found in the DOM

Text Content

SECURE WEB DEVELOPMENT & DEPLOYMENT

How to secure a website from common attacks


CYBER SECURITY

CIA Triad, the Foundation of Information Security:

 * Confidentiality
   
   Protecting sensitive information from unauthorized access.

 * Integrity
   
   Ensuring data accuracy and preventing unauthorized modification.

 * Availability
   
   Ensuring systems and data are accessible.


VULNERABILITY = DEVELOPER MISTAKE

SQL Injection: breaks Confidentiality

 * Failing to validate input
 * Not using a proper database library

Regular Expression DoS (ReDoS): breaks system Availability

 * Lack of ReDoS knowledge

Broken Access Control: breaks Data Integrity

 * Failing to implement Authorization Logic correctly


PROGRAMMING SECURITY: LIMIT & VALIDATION

 * Validate each field

 * Set min/max values for numbers

 * Limit the maximum number of items displayed per page

 * Validate the URL in redirect parameters

 * Validate URLs to prevent SSRF
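As an added example for the redirect-parameter and SSRF items above (not code from the slide deck), the following Python validator shows what "validate the URL" means in practice: an allowlist for redirect targets and an address check for server-side fetches. The allowlist, hostnames and the injectable resolver are constructed so the code runs offline.

```python
# Added example, not from the slide deck; allowlist and hosts are constructed.
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: hosts this application may redirect to.
REDIRECT_ALLOWLIST = {"app.example.com", "www.example.com"}

def safe_redirect_target(raw: str) -> Optional[str]:
    """Return the redirect target to honour, or None (caller uses a default).
    Accepts same-origin paths ("/account") and absolute http(s) URLs whose
    host is allowlisted; rejects scheme-relative "//evil", backslash tricks,
    "https://allowed@evil/" userinfo tricks and schemes such as javascript:.
    """
    if not raw or "\\" in raw:
        return None
    if raw.startswith("/") and not raw.startswith("//"):
        return raw  # path only: stays on this origin
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.hostname not in REDIRECT_ALLOWLIST:
        return None
    return raw

def _resolve(host: str) -> list:
    """Real DNS lookup; tests pass a fake resolver instead."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_fetch_url(raw: str, resolve=_resolve) -> bool:
    """SSRF guard: may the server fetch this user-supplied URL?
    Requires an http(s) scheme without userinfo, and every address the host
    resolves to must be globally routable: loopback, RFC 1918, link-local
    (cloud metadata 169.254.169.254) and IPv6 ::1 are all refused.
    """
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None:
        return False
    try:  # literal IP in the URL, or else resolve the name
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)
```

Note that the fetch check validates the resolved addresses, so a hostname that resolves to a private range is refused even though the URL itself looks harmless.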


PROGRAMMING SECURITY: BE CAREFUL

 * No Hardcoded Secrets, Use System Variables

 * Use a query builder / parameter binding to prevent SQLi

 * Secure Error Handling in Production Mode

 * Mask Sensitive Data in Logs

 * Don’t Use Too Many External Libraries


GIT SECURITY

 * GitLab/GitHub remote access & integration:
   
   * Use SSH instead of HTTP
   
   * Use an API token instead of your password
   
   * Limit the scope of remote access

 * GitLab/GitHub: use a protected branch for production
   
   * Prevent direct pushes

 * Git stores all history; don't commit sensitive information
   
   * Use system variables / .env instead of hardcoded credentials
   
   * Ignore .env in Git; commit only a sample file with placeholder values


GITHUB FEATURE OR BUG?

 * Accessing Deleted Fork Data
   
   * You fork a public repository
   * You commit code to your fork
   * You delete your fork

 * Accessing Deleted Repo Data
   
   * You have a public repo on GitHub.
   * A user forks your repo.
   * You commit data after they fork it (and they never sync their fork with your updates).
   * You delete the entire repo.

Never commit or publish credentials to GitHub, even in private repositories.

https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
https://www.youtube.com/watch?v=EH3tenVGk60


DOCKER/CONTAINER SECURITY

 * Use a well-known base image; an untrusted image can contain malware

 * Use .dockerignore to:
   
   * Reduce context size & image size
   
   * Exclude .git directory
   
   * Exclude credentials file (.env)

 * Set the correct user for running the web process

 * Set correct permissions; limit writable directories


PHP HARDENING

 * PHP Laravel/CI: limit PHP execution to “index.php” only, to prevent webshells

 * Set the correct user & permissions; make only the upload directory writable


HTTP SERVER SECURITY

 * Use HTTPS; auto-redirect HTTP to HTTPS

 * Block known sensitive URLs: .git, .env, logs, backups

 * Use robots.txt to prevent indexing of staging sites / admin dashboards

 * Disable debug/error information on production

 * Remove server information header

 * Use Web Application Firewall


WEBSITE SECURITY

 * Use cookies instead of local storage to store credentials

 * Limit login attempts and OTP requests

 * Use a captcha on login/reset password for public systems

 * Disable sourcemaps on production sites

 * Use CSP header to prevent XSS

 * Use X-Frame-Options header to prevent Clickjacking


CHALLENGE: FIND THE FLAG

This slide website contains some development mistakes.
Instead of finding credentials such as a username or password, you must find the FLAG
(a SHA1 hash).

Example Flag:
FLAG-DEADBEEF00CFC9292AADB5842171863B6053B523
There are 3 flags.


CHALLENGE: CLUES

The sourcemap is enabled in the production build

The Git directory is exposed


ANSWER: 1. INSPECT THE SOURCE MAP

Use Chrome DevTools to inspect it


ANSWER: 2. CLONE THE GIT

Clone the exposed /.git dir using:

 * https://github.com/RonniSkansing/go-rip-git
 * https://github.com/kost/dvcs-ripper/blob/master/rip-git.pl


ANSWER: 3. EXPLORE THE GIT

Walk through the Git history with:

 * https://github.com/gitleaks/gitleaks
 * https://github.com/SAP/credential-digger


THANK YOU