Web Security for the Developer
This article is aimed at developers who would like to improve their security skills. It assumes a basic knowledge of at least one programming language and a reasonable understanding of web applications.
Security is an important area of expertise for a developer. However, it is often difficult to know where to begin your learning. In this article we aim to cover a number of tools which can be used to start your journey.
We will cover two main resources for learning about security:
We will also introduce two new tools for testing applications:
These tools will be introduced in the context of OWASP Juice Shop, so for an outline of their use refer to the appropriate section.
Secure Code Warrior
Secure Code Warrior is a website offering a bank of information on various vulnerabilities, as well as a ‘training ground’ feature that allows you to try out some of your new knowledge on real code!
There is the option to try for free, which I would recommend for anyone thinking about using this resource.
On clicking the link you are taken to the above screen, and we can begin our challenges.
The initial challenge was around SQL Injection. The tasks come in two stages. An initial step to select some vulnerable code, then a secondary step to choose a solution.
In the window above we are given the opportunity to select a block of code we feel may be responsible for the vulnerability. For this particular example we notice there is no sanitisation of strings used in a SQL query.
On choosing correctly we advanced to the screen below where we may pick a solution.
Usually four options are presented, and it is up to us to decide the most appropriate. Once we have found the correct one we advance to the next challenge! It’s very simple, but it’s a good way to discover and drill into different types of vulnerability.
OWASP Juice Shop
The OWASP Juice Shop is a little bit more involved (and in my opinion a little bit more fun). The most concise summary of the tool is the one provided by the developers themselves:
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
To see it in action I recommend running it locally. Once you have it up and running you are greeted with a screen similar to the below.
Inside the Juice Shop we are greeted with our first task, finding the hidden score board. The formats of the challenges are based around exploring the site searching for vulnerabilities. Opening the source of the page I was able to solve the first assignment.
Challenges rapidly become significantly more involved. There are some spoilers coming up, so look away now if you’re planning on solving everything yourself!
The first task we will examine in detail is to give one of their products a zero star review. To do so we will also introduce the Burp Suite tool. At the highest level Burp Suite is a range of cyber security tools used for penetration testing. For our use I downloaded the community edition and set it up as a proxy for Firefox in order to intercept requests.
Starting up the tool we can see the proxy has begun on
127.0.0.1:8080, by redirecting browser requests through this address we are able to intercept them in the tool.
We browse to the Customer Feedback page and prepare to submit a review.
On doing so we can see the requests being pushed from the site through our Burp Suite proxy.
We can then alter this request to have a rating of zero, forward it on and solve the challenge.
We now move from Burp Suite to OWASP Zed Attack Proxy (ZAP), a web app scanner we can use to look for vulnerabilities in Juice Shop.
OWASP ZAP is web application security scanner. It boasts a number of features, but the one we will focus on in this article is its spidering capabilities.
By entering a root URL in the application we are able to index a number of the pages contained on the Juice Shop site. This is particularly useful when looking for accidentally exposed endpoints.
As we can see below, they have not secured their ftp endpoint, allowing us to go in and directly browse their files, solving a second challenge!
In conclusion, we have provided a solid starting point for any engineer looking to improve their security knowledge.