Secure Web Development & Deployment

How to secure a website from common attacks

Bonus: Learn how to hack

Cyber Security

CIA Triad, Foundation of Information Security:

  • Confidentiality

    Protecting sensitive information from unauthorized access.

  • Integrity

    Ensuring data accuracy and preventing unauthorized modification.

  • Availability

    Ensuring systems and data are accessible.

Vulnerability = Developer Mistake

SQL Injection: breaks Confidentiality

  • Failing to validate input
  • Not using a proper database library

Regular Expression DoS (ReDoS): breaks system Availability

  • Lack of ReDoS knowledge

Broken Access Control: breaks data Integrity

  • Failing to implement authorization logic

Programming Security: Ethical Coding

It's not just about writing good code; it's about making responsible choices.

Any information that can identify an individual, either directly or in combination with other data, is called PII (Personally Identifiable Information).

Examples:
  • Names, addresses, phone numbers
  • ID Cards: Passport, NPWP, NIK numbers
  • Financial information: credit card numbers, bank account details
  • Online identifiers (IP addresses, cookies)

Programming Security: Securing User's Data

As a developer, it's your responsibility to protect user data. Follow regulatory compliance: PDP (Indonesia), GDPR (EU), CCPA (California)

  • Collect only the necessary personal data for a specific purpose.
  • Collect explicit consent for processing.
  • User controls: Access, deletion, and correction of personal data.
  • Secure storage: encrypt data and implement robust access controls.

Programming Security: Limit & Validation

  • Validate each field

  • Set a min/max value for every number

  • Limit the maximum number of items displayed per page

  • Validate the URL in a redirect parameter

  • Validate URLs the server will fetch, to prevent SSRF
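The last two items are where most teams get it wrong, so here is an added example (not code from the original slides) of both checks: a redirect parameter restricted to the site's own origin, and an SSRF guard that rejects non-HTTP schemes, credentials in the URL, and hosts that resolve to private, loopback or link-local addresses. The app hostname and the DNS lookup table are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse

APP_HOST = "app.example.test"   # constructed: this site's own hostname
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return url only if it stays on our own site; otherwise return default."""
    if "\\" in url:                      # browsers treat "\" as "/" in URLs
        return default
    parts = urlparse(url)
    if not parts.scheme and not parts.netloc:
        # Relative path is fine; "//evil.test" is protocol-relative, so reject it.
        return url if url.startswith("/") and not url.startswith("//") else default
    if parts.scheme in ALLOWED_SCHEMES and parts.hostname == APP_HOST:
        return url
    return default


# Constructed lookup table standing in for DNS so the check runs offline.
FAKE_DNS = {
    "cdn.example.test": ["8.8.8.8"],            # any public address
    "intranet.example.test": ["10.0.0.5"],      # RFC 1918, must be blocked
    "metadata": ["169.254.169.254"],            # link-local, must be blocked
}


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolve=FAKE_DNS.get) -> bool:
    """SSRF guard for a user-supplied URL that the server itself will request."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:        # "http://user@host" confusion
        return False
    host = parts.hostname
    try:                                        # literal IP: check it directly
        return is_public_address(host)
    except ValueError:
        pass
    ips = resolve(host) or []
    # Every resolved address must be public; an unknown host is rejected too.
    return bool(ips) and all(is_public_address(ip) for ip in ips)
```

In production the resolved address should also be the one actually connected to (pin it), otherwise a second lookup at connect time can return a different answer.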

Programming Security: Be Careful

  • No hardcoded secrets; use system (environment) variables

  • Use a query builder / parameter binding to prevent SQLi

  • Secure error handling in production mode

  • Mask sensitive data in logs

  • Don't use too many external libraries
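An added example (not code from the original slides) for two of these items: the same user lookup written with string formatting and with parameter binding, run against a constructed in-memory SQLite table, plus a helper that masks card numbers and e-mail addresses (the PII from the earlier slide) before they reach a log line.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.test", "4111111111111111"),
        ("bob@example.test", "5500000000000004"),
    ])
    return conn


def find_user_vulnerable(conn, email: str) -> list:
    # DON'T: the input is pasted into the SQL text, so it can change the query.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, email: str) -> list:
    # DO: the driver sends the value separately; it is only ever compared as data.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Keep the first 6 and last 4 digits of a card number, and only the first
# character of the local part of an e-mail address.
CARD_RE = re.compile(r"\b(\d{6})\d{6,9}(\d{4})\b")
EMAIL_RE = re.compile(r"\b([^@\s])[^@\s]*(@[^\s]+)")


def mask_for_log(message: str) -> str:
    """Mask PII in a log message while keeping enough to correlate events."""
    message = CARD_RE.sub(lambda m: m.group(1) + "*" * 6 + m.group(2), message)
    return EMAIL_RE.sub(lambda m: m.group(1) + "***" + m.group(2), message)
```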

GIT Security

  • Gitlab/Github remote access & integration:

    • Use SSH instead of HTTP

    • Use an API token instead of your password

    • Limit the token's scope

  • Gitlab/Github: use a protected branch for production

    • Prevent direct pushes

  • GIT stores all history; don't commit sensitive information

    • Use system variables / .env instead of hardcoded credentials

    • Ignore .env, and commit only a sample file with placeholder values

Github Feature or Bug?

  • Accessing Deleted Fork Data

    • You fork a public repository
    • You commit code to your fork
    • You delete your fork
  • Accessing Deleted Repo Data

    • You have a public repo on GitHub.
    • A user forks your repo.
    • You commit data after they fork it (and they never sync their fork with your updates).
    • You delete the entire repo.

Docker/Container Security

  • Use a well-known base image; an untrusted image can contain malware [Link]

  • Use .dockerignore to:

    • Reduce context size & image size

    • Exclude the .git directory

    • Exclude credential files (.env)

  • Run the web process as the correct (dedicated) user

  • Set correct permissions; limit the writable directories

PHP Hardening

  • PHP Laravel/CI: allow PHP execution only for “index.php” to prevent webshells

  • Set the correct user & permissions; make only the upload directory writable

HTTP Server Security

  • Use HTTPS; auto redirect HTTP to HTTPS

  • Block known sensitive URLs: .git, .env, logs, backups

  • Use robots.txt to prevent indexing of staging sites / admin dashboards

  • Disable debug/error information in production

  • Remove the server information header

  • Use a Web Application Firewall

Website Security

  • Use cookies instead of local storage to store credentials

  • Limit login attempts and OTP requests

  • Use a captcha on login/reset password for public systems

  • Disable sourcemaps on the production site

  • Use the CSP header to prevent XSS

  • Use the X-Frame-Options header to prevent Clickjacking
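An added example (not code from the original slides) that applies several items from the HTTP Server Security and Website Security slides in one WSGI middleware: redirect HTTP to HTTPS, block requests for .git/.env/log/backup paths, strip the Server header, and add CSP, X-Frame-Options and HSTS headers. It assumes a reverse proxy sets X-Forwarded-Proto; the wrapped sample app and the request driver are constructed for the example.

```python
import re

# Paths that must never be served: VCS data, env files, logs, backups.
BLOCKED_PATH = re.compile(r"(^|/)(\.git|\.env)(/|$)|\.(log|bak|sql|zip)$", re.I)
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def is_https(environ) -> bool:
    # Assumption: a reverse proxy in front of the app sets X-Forwarded-Proto.
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


class Hardened:
    """WSGI middleware that wraps any app with the hardening rules above."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_https(environ):          # auto redirect HTTP -> HTTPS
            host = environ.get("HTTP_HOST", "localhost")
            start_response("301 Moved Permanently", [("Location", f"https://{host}{path}")])
            return [b""]
        if BLOCKED_PATH.search(path):      # backstop; such files should not be in the web root
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]

        def filtered_start(status, headers, exc_info=None):
            # Drop fingerprinting headers, then append the security headers.
            headers = [h for h in headers if h[0].lower() not in ("server", "x-powered-by")]
            return start_response(status, headers + SECURITY_HEADERS, exc_info)
        return self.app(environ, filtered_start)


def run_once(app, environ) -> tuple:
    """Minimal driver: run one request -> (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def sample_app(environ, start_response):
    # Constructed app that leaks a Server header, as a misconfigured server might.
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "nginx/1.0")])
    return [b"<h1>ok</h1>"]


app = Hardened(sample_app)
```

robots.txt only asks crawlers not to index; the admin dashboard and staging site still need real authentication in front of them.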

Challenge: Find the Flag

In this slide website, there are some development mistakes.
Instead of finding credentials like a username or password, you must find the FLAG (a SHA1 hash).

Example flag:
FLAG-DEADBEEF00CFC9292AADB5842171863B6053B523
There are 3 flags.

Challenge: Clues

The sourcemap is enabled in production mode build

The GIT dir is exposed

Flag #1: Inspect The Source Map

Use Chrome DevTools to inspect it.

Flag #2: Clone the GIT

Clone the exposed /.git dir using: https://github.com/arthaud/git-dumper


    git clone https://github.com/arthaud/git-dumper
    cd git-dumper                      # requirements.txt lives inside the clone
    python -m venv venv
    . ./venv/bin/activate
    pip install -r requirements.txt
    ./git_dumper.py https://secure-web.dev.otesuto.com/ ../output
    cd ../output


Flag #3: Explore the GIT using GitLeaks

Walk through the GIT history:

    git clone https://github.com/gitleaks/gitleaks.git
    cd gitleaks
    make build
    ./gitleaks git -v ../output


Flag #3: Custom Gitleaks Config

Configuring GitLeaks to find specific credentials. The default rules stay enabled via [extend], and one custom rule is added for the flag format:

    # Filename: gitleaks.toml
    title = "Gitleaks FLAG finder"

    [extend]
    useDefault = true      # keep the built-in gitleaks rules

    [[rules]]
    id = "flag"
    description = "Challenge flag"
    regex = '''FLAG-[a-zA-Z0-9]+'''

Run gitleaks with the custom config:

    ./gitleaks git -c ../gitleaks.toml -v ../output


THANK YOU