1
00:00:06,440 --> 00:00:07,410
- [Narrator] In this lesson,

2
00:00:07,410 --> 00:00:10,890
we will cover several insecure code practices

3
00:00:10,890 --> 00:00:13,030
that attackers can exploit,

4
00:00:13,030 --> 00:00:14,250
and that you can leverage

5
00:00:14,250 --> 00:00:17,050
during the penetration testing engagement.

6
00:00:17,050 --> 00:00:21,400
The first one is that often developers include information

7
00:00:21,400 --> 00:00:24,970
in source code that could provide too much information

8
00:00:24,970 --> 00:00:27,470
and that might be leveraged by an attacker.

9
00:00:27,470 --> 00:00:32,310
For instance, there may be details about system passwords

10
00:00:32,310 --> 00:00:35,970
or API credentials, or other sensitive information

11
00:00:35,970 --> 00:00:39,480
that an attacker actually can find and use.

12
00:00:39,480 --> 00:00:41,350
Now MITRE created a standard

13
00:00:41,350 --> 00:00:43,560
called the Common Weakness Enumerator

14
00:00:43,560 --> 00:00:46,980
and that stands for, you know, CWE,

15
00:00:46,980 --> 00:00:50,150
and CWE lists identifiers that are actually given

16
00:00:50,150 --> 00:00:53,820
to security malpractices, or the underlying

17
00:00:53,820 --> 00:00:56,840
weaknesses that actually introduce

18
00:00:56,840 --> 00:00:58,800
these types of vulnerabilities.

19
00:00:58,800 --> 00:01:01,940
There's one specifically for information

20
00:01:01,940 --> 00:01:06,800
exposure through comments, that is CWE-615.

21
00:01:06,800 --> 00:01:10,470
And I'm covering, or I'm showing the link here

22
00:01:10,470 --> 00:01:13,970
on the screen, and also the link for

23
00:01:13,970 --> 00:01:16,960
the overall information about CWE.

24
00:01:16,960 --> 00:01:20,190
Now, the other one that I want to cover is the lack of error

25
00:01:20,190 --> 00:01:24,970
handling and overly verbose error handling as well.
26
00:01:24,970 --> 00:01:28,133
Basically, improper error handling is a type of weakness

27
00:01:28,133 --> 00:01:30,210
and malpractice that can actually

28
00:01:30,210 --> 00:01:33,130
provide information to an attacker

29
00:01:33,130 --> 00:01:35,370
to help him or her to perform

30
00:01:35,370 --> 00:01:38,020
additional attacks on the system.

31
00:01:38,020 --> 00:01:41,920
Basically, things like error messages, like error codes,

32
00:01:41,920 --> 00:01:46,140
and database dumps, and stack traces can provide

33
00:01:46,140 --> 00:01:50,150
a lot of information that an attacker can use

34
00:01:50,150 --> 00:01:53,190
to learn about potential flaws in the application

35
00:01:53,190 --> 00:01:56,230
that could be further exploited in the system.

36
00:01:56,230 --> 00:01:59,550
Now our best practice is actually to handle error messages

37
00:01:59,550 --> 00:02:02,870
in a way that provides meaningful information

38
00:02:02,870 --> 00:02:06,630
to a user, and diagnostic information to developers,

39
00:02:06,630 --> 00:02:11,370
and support staff, but no useful information to an attacker.

40
00:02:11,370 --> 00:02:13,418
The other thing that we still find

41
00:02:13,418 --> 00:02:15,420
in many different implementations

42
00:02:15,420 --> 00:02:17,550
is actually hard-coded credentials.

43
00:02:17,550 --> 00:02:20,130
And hard-coded credentials are catastrophic flaws

44
00:02:20,130 --> 00:02:22,370
that an attacker can definitely leverage

45
00:02:22,370 --> 00:02:25,000
to completely compromise an application

46
00:02:25,000 --> 00:02:26,683
or the underlying system.

47
00:02:27,870 --> 00:02:29,530
Now, one last concept that I want

48
00:02:29,530 --> 00:02:34,300
to cover here is the use of APIs.

49
00:02:34,300 --> 00:02:36,970
So, Application Programming Interfaces,

50
00:02:36,970 --> 00:02:38,820
because they're actually used everywhere,

51
00:02:38,820 --> 00:02:43,200
but the insecure implementations of those APIs.
52
00:02:43,200 --> 00:02:45,490
A large number of modern applications

53
00:02:45,490 --> 00:02:47,173
use some type of API to allow

54
00:02:47,173 --> 00:02:51,010
other systems to interact with the application.

55
00:02:51,010 --> 00:02:55,320
The bad thing here is that many APIs lack adequate controls,

56
00:02:55,320 --> 00:02:58,090
or are difficult to monitor as well.

57
00:02:58,090 --> 00:03:00,520
So the breadth and the complexity

58
00:03:00,520 --> 00:03:03,740
of those APIs make it very difficult

59
00:03:03,740 --> 00:03:07,020
to automate effective security testing.

60
00:03:07,020 --> 00:03:08,220
Now, there are a few methods

61
00:03:08,220 --> 00:03:11,720
or technologies behind modern APIs.

62
00:03:11,720 --> 00:03:15,170
There are, you know, the traditional SOAP-based APIs,

63
00:03:15,170 --> 00:03:17,430
those are actually less popular nowadays,

64
00:03:17,430 --> 00:03:22,120
but SOAP stands for Simple Object Access Protocol,

65
00:03:22,120 --> 00:03:25,770
and it's an XML-based specification.

66
00:03:25,770 --> 00:03:30,680
There's also Representational State Transfer, or REST APIs.

67
00:03:31,620 --> 00:03:36,330
These API standards are actually easier than SOAP.

68
00:03:36,330 --> 00:03:39,720
It actually uses JSON instead of XML,

69
00:03:39,720 --> 00:03:42,040
and it uses standards like Swagger,

70
00:03:42,040 --> 00:03:44,590
and the OpenAPI specification

71
00:03:44,590 --> 00:03:48,170
to document and encourage adoption.

72
00:03:48,170 --> 00:03:50,730
Now, there's also GraphQL APIs,

73
00:03:50,730 --> 00:03:52,620
and GraphQL is actually a query language

74
00:03:52,620 --> 00:03:56,350
for APIs that provides many developer tools.

75
00:03:56,350 --> 00:03:57,460
It's actually gaining a little bit

76
00:03:57,460 --> 00:03:59,990
of popularity nowadays, and is now used for

77
00:03:59,990 --> 00:04:04,990
many mobile applications, and online dashboards as well.
78
00:04:05,020 --> 00:04:07,470
Now, API documentation can provide you

79
00:04:07,470 --> 00:04:09,690
with a great level of detail that can be

80
00:04:09,690 --> 00:04:13,570
very valuable for you to actually perform pen testing,

81
00:04:13,570 --> 00:04:14,850
right, and perform pen testing

82
00:04:14,850 --> 00:04:17,900
against specific modern applications.

83
00:04:17,900 --> 00:04:21,760
Now those documents, like Swagger documents,

84
00:04:21,760 --> 00:04:25,593
the Web Service Description Language, or WSDL documents,

85
00:04:26,819 --> 00:04:30,940
and WADL documents, the Web Application Description Language,

86
00:04:30,940 --> 00:04:33,450
can definitely allow you to

87
00:04:33,450 --> 00:04:36,290
gain a footprint and to better understand

88
00:04:36,290 --> 00:04:39,110
how the API is actually constructed,

89
00:04:39,110 --> 00:04:41,730
and how the application is actually behaving.

90
00:04:41,730 --> 00:04:44,740
Now, whenever you're performing a pen test against an API,

91
00:04:44,740 --> 00:04:46,430
it is very important to collect

92
00:04:46,430 --> 00:04:51,430
full requests by using a proxy, like Burp Suite

93
00:04:51,700 --> 00:04:54,203
and the OWASP Zed Attack Proxy.

94
00:04:55,150 --> 00:04:57,290
Now, it is important to make sure

95
00:04:57,290 --> 00:04:58,710
that the proxy is actually able

96
00:04:58,710 --> 00:05:01,580
to collect the full API request,

97
00:05:01,580 --> 00:05:06,580
not just the URLs, because REST, SOAP,

98
00:05:06,640 --> 00:05:11,640
and other API services use more than just GET parameters.

99
00:05:11,860 --> 00:05:13,620
So it is very important that you

100
00:05:13,620 --> 00:05:15,870
actually know that and pay attention to that.
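The error-handling practice described at cues 36 to 39 (meaningful message to the user, diagnostics to developers and support, nothing useful to an attacker), as an added example that is not part of the lesson: the verbose handler echoes the exception and stack trace to the caller, the hardened handler logs them server-side under a correlation ID and returns only a generic message plus that ID. The `Repo` class, its leaky error text and the in-memory `SERVER_LOG` sink are constructed stand-ins.

```python
from __future__ import annotations
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")
SERVER_LOG: list[str] = []  # constructed in-memory stand-in for the real log backend

class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        SERVER_LOG.append(self.format(record))

log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False

class Repo:
    """Constructed data layer whose failure message leaks internals."""
    def load_account(self, account_id: str) -> dict:
        raise RuntimeError(
            "psycopg2.OperationalError: relation 'accounts' does not exist; "
            "dsn=postgres://app:s3cret@db.internal:5432/prod")

def handle_request_verbose(account_id: str, repo: Repo | None = None) -> dict:
    """Anti-pattern from the lesson: raw exception and stack trace go to the client."""
    repo = repo or Repo()
    try:
        return {"status": 200, "body": repo.load_account(account_id)}
    except Exception as exc:
        return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}

def handle_request(account_id: str, repo: Repo | None = None) -> dict:
    """Hardened boundary: full detail logged server-side, generic reply to the client."""
    repo = repo or Repo()
    try:
        return {"status": 200, "body": repo.load_account(account_id)}
    except Exception as exc:
        incident = uuid.uuid4().hex  # correlation ID shared by user and support staff
        log.error("incident=%s account_id=%s error=%r\n%s",
                  incident, account_id, exc, traceback.format_exc())
        return {"status": 500,
                "body": {"error": "An internal error occurred. Quote this reference "
                                  "when contacting support.",
                         "reference": incident}}

def leaks_internals(response: dict) -> bool:
    """Reviewer check on any response body: tell-tale tokens of a trace or DSN."""
    text = str(response["body"])
    markers = ("Traceback (most recent call last)", "psycopg2", "dsn=", "postgres://", 'File "')
    return any(m in text for m in markers)
```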