Please enable JavaScript.

Coggle requires JavaScript to display documents.

SSD - Coggle Diagram

- - - - unauthorized data altering is blocked
    - - unaurhtorized data reading is blocked
    - - The application systems is available for legitimate usage
  - - - Wigfi, mobildata, bt, NFC
    - - Web Apps
      - Native apps
      - Hybrid Apps
        
        Mobile apps with backend service layer
  - - - NFC
        
        Samsung Pay, Android Pay, CapitalOne Wallet
      - SMS
        
        PayPal
      - QR Codes
        
        PayPal, Level Up
      - P2P m-app
        
        PayPal, Facebook, Snapchat
      - mPOS
        
        Amazon, Square, PayPal
      - Location based beacon tech
        
        PayPal, iBeacon
      - mCommerce
        
        PayPal, Apple Pay, Samsung Pay
  - - - device lost/theft is common
    - - external devices can contains unsafe content or malicious stuff
    - - Jailbreaking
        
        IOS
      - Rooting
        
        Android
    - - the way most of the people use it, make it easier to attack. Ex: accepting application user permissions without reading properly
  - - - How do we manage access controls for rach application
    - - The authenticity of the application. The validity
    - - The approach to conceal data on device to address device left or theft
    - - How do we do process isolation. Some applications are limited by accessing sensitive data or systems on a device
    - - Grant set of permissions to each application, limiting each application to access device data/systems within scope of the permission.
  - - - Linux users and permissions
      - Apps are run in VMs. Each process has its own isolated user id id.
    - - App can by default interact with OS.
      - But, for any other interactions user should provide permission at install time.
      - Additional privileges are needed are specified in a Manifest file
    - - SQLite or flat file DBs.
    - - Java, Executeable bundleed with manifest files and packaged to Android Package files(APK).
      - Packages are signed with developer certificate and sent to Play store
      - Custome ROMs
        
        customized android OS images can be installed to these devices
  - - - Similar to MacOS and based on Trusted BSD
      - Uses MAC to restrict capabilities of applications
      - Sandbox applications
      - Hardware accelerated AES-256 encryption to encrypt all data store in the flash memory of the device
    - - can accesstem app specific file system, freely
    - - SQL flat file Database, Key Chains to store passwords, cookies
    - - tough process
      - Develpoers have to register with Apple
      - Developed using Objective C
      - Code will be signed by an Apple issued certificate
  - - - UEFI BIOS Compenent
    - - Tamper-resistant cryptographic module
  - - - M1: Improper Platform Usage
      - M2: Insecure Data Storage
        
        without encryption
      - M3: Insecure Communication
      - M4: Insecure Authentication
      - M5: Insufficient Cryptography
      - M6: Insecure Authorization
      - M7: Client Code Quality
      - M8: Code Tampering
      - M9: Reverse Engineering
      - M10: Extraneous Functionality
  - - - hardcoded information are easily accessible by decrypting
    - - At logout all token must be deleted on the client
    - - Some private URLs may can be accessed as public.
    - - loosing device may cause many problems for interconnected accounts
  - - - EX: DroidBox
    - - MobSF
    - - Install BURP certificate in android device (https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/)
    - - Apktool
        
        both decompiling and recompiling
      - dex2jar to reverse into jar
      - JD-GUI to view the reversed code
    - - Sdk/build-tools/28.0.3
        *apksigner verify --print-certs <apk_name>.apk*
    - - Ex: Yaazhini
    - - MobSF
        
        All inone automateded penetration -testing, malware analysis, security assessrnent framework
- - - - csrf is not there
  - - - Improper error handling will expose application technologies and server technologies, db technoloigies. ex: Apache 7 tomcat server error handling
      - never use default configurations (default ports, default, SSl certificated, default credentials)
    - - accesing admind account details via a user details api path. original: api/user?username=ryan insecure: api/user?username= admin
    - - solution is automatic log monitoring
    - - redirects should be always validated ones and redirect should not be able to be changed explicitly
    - - solution: each function should validate the user before executing further
  - - - detect hardcoded unsafe stuff
      - bad pracitses
  - - - by using hashing the object. same objects should have the same hash value when validating. if the modified hash value won't match the original object's hash value
  - - - Direct 3rd party dependency vulnerabilities (a library that is used in the component)
      - Indirect 3rd party library issues (a library of a library that is used in the component)(inside dependency tree)
      - How to get rid
        
        upgrade to a higher version
        
        contact the developers of the vulnerable library and get it fixed
        
        for nested(transitive) vulnerable dependency, check if directly dependent lib has a higher version that depends on a safer version of the nested lib
  - - - a list of information security vulnerabilities
      - has a ranking way
      - helps to analyze 3rd party dependency vulnerabilities
      - tools and platforms
        
        NVD - US National Vulner DB
        
        OWASP Dependency check
  - - - Security guidelines
  - - - OWASP WebGoat
    - - Damn Vulnerable WebApplication
- - - - header
        
        metadata about token type and crypto algorithm
      - payload
        
        user information liek name, role, expiration
      - signature
        
        encrypted and hashed
        
        used to validate the recieved header and payload. First hash value(hash_received) of header and payload is generated. Then decrypt the signature using JWT secret key to get the original_hash value. If hash_recieved == original_hash , then JWT is valid.
        
        generated in server side by encrypting hashed content ( header and payload ) using server JWT secret key
  - - - mandatory to inform that this is a OpenID authentication request
  - - - Accesstoken
      - ID token
        
        A JWT containing user details like email, name, profileImage
        
        Also contains subject Issuing Authority, Audience, Issued data, expiration date
      - Refresh token to get a new access token
  - - - Securely exposes Web APIs using frameworks such as OAuth
      - Throttling
      - API versioning/lifecycle
      - Can be used for system integration (like ESB, data services)
      - Can be cloud based
      - Can be integrated with Identity providers (federated authentication/authorization etc)
  - - - ReponseType=code&scope=openid,other-scope
        
        reponses a access_token and a id token
        
        access_token can be then used for requesting claims with Bearer enabled requests
        
        ‘state’ parameter is set to avoid CSRF attacks
    - - Combination of Authorization Code and Implicit flow
        
        useful for Single Sign on application
      - ReponseType=code%20<id_token or token>&scope=openid,other-scope
        
        Returns a Auth code and id_token
        
        The Auth code is used to get the the id_token and access_token. Then step 1 id_token is compared with step2 id_token for validation. If matching, then authentication is sucessfull/.
        
        Then access_token can be used to get the claims
      - additionally a 'nonce' parameter is set to mitigate replay attacks
    - - ReponseType=id_token&scope=openid,other-scope
        
        additionally a 'nonce' parameter is set to mitigate replay attacks
        
        response only a id_token which also includes the claims requested.
  - - - ● Defines a standard mechanism for single logout
      - ● Provides a standard API for client registration
      - ● Provides a standard API for information
      - discovery
      - ● Build with security in mind.
      - ● Provides an authentication + authorization layer.
      - ● Provides a standard API for login
- - - - wHY THEN CBC?
  - - - Authentication
      - Confidentiality
      - Non-repudiation
  - - - Share a common symmetric secret key (RANDOMLY GENERATED & encrypted using public key of other party)
      - Use the common symmetric secret key to encrypt and
        decrypt private data.
  - - - usage
        
        hash(password+salt_value) for password storing
        
        Used to create MAC(Message Authentication Code)
        
        Used for hashing software releasing binaries
        
        Blockchain
    - - (HMAC)
        
        To create MAC using a keyed hash function
- - - - Ledger is a sequence of transactions
  - - - single point of failure
      - single point of unavailibilityf
      - data is centralized
  - - - We have to completely depend on the TA
      - ● For a payment system, Assume TA as the bank
      - ○ Bank provides the official sequence of transactions and account balances.
      - ○ When you want to spend your money, you send a message to bank.
      - ○ Bank permits transaction if you have money, and updates account balances.
    - - Single point of failure
      - Concentration of power
        
        “He who controls the past, controls the future”
        
        TA can censor transactions, impose new conditions to get
        
        transactions included in history, etc.
      - Maybe there is nobody we can trust.(even banks)
  - - - Many unknown parties
      - writes by all partiicipants
      - reads by all participants
      - consensus by proof of work
    - - write permissions are centralized
      - reads may be public or restricted
      - paticipaints are only from one org
      - multiple algorithms for consensus
    - - knwown parties form multiple orgs
      - writes require consensus of severral participants
      - reads may be public or restricted
      - multiple algos for consensus
  - - - may contain
        
        Transactions (financial, asset transfer, etc)
        
        ● Private Identity
        
        ● Work History
        
        ● Health Care Records etc
      - Chain of Blocks
        
        Each “confirmed” block references the previous one, forming a chain of
        blocks.
        
        Details of ‘unconfirmed’ transactions are distributed throughout the entire
        distributed peer-to-peer network.
    - - these are computaino resouerce used for validating confirming unconfirmed blocks. ex: graphic cards, ASIC miners
      - once a miner confirmed a block, the current node's local chain will get appended by it, and also the rest of other peer nodes will also be updated.
    - - finding a number by hashing it until finding first 30 cahractes as 30 0s in the hashed string. When found, the proof of work is given for that number.
    - - acts as a 3rd party
    - - non-financial
      - financial
    - - Complex
        
        Slow (7-10 transactions per sec)
        
        Wastage of Resources (10min extensive consumption of resources TO CONFIRM A block)
        
        Privacy
- - - - physical assets or, idea , formula
    - - which page, which app module ?
    - - what threats can directly attack
  - - - Static analysis of code
      - Fuzzing or other dynamic testing
      - Pentest/red team
      - Wait for bug reports after release
      - Ask external ethical hackers to find vulnerabilities
  - - - Spoofed packets
    - - Bufferoverflows
    - - SQL injection, XSS, Input tampering
  - - - Time consuming
      - Doifficult to show a proper ROI
      - Fairly dry stuff to do
    - - Attacker
      - Trust boundary
      - attacks
      - exploit
      - vulnerabilities
        
        weaknes that may become a threat
      - application
      - threats
        
        undesired action that can damage resources
        
        Threast agenet is the person who do the attack
      - assests
        
        resources
    - - Flow
        
        Requirements
        
        analyzing and coming up with final sec requirements
        
        Design
        
        Implementation
        
        5.Verification
        
        Release
        
        Response
        
        Training
      - Who should involve
        
        Architect, business Analyst, Developer, QA Lead
      - Best performed during design phase
      - Threat analysis
        
        Attack trees
        
        example:
        
        define a probabale attack
        
        then define the ways that attack can happen
        
        define and implemeent solutions for each
        
        train the users the best practices for using the system
        
        Design use case and mis-use cases for each functionality
        
        Next, design security requirements
        
        Security mechanisms
      - Indetifying thrats
        
        STRIDE
        
        Spoofing
        
        Tampering
        
        Repudiation
        
        Information Disclousure
        
        DoS
        
        Elevation of previlage
      - Validaion
        
        Validation of the model
        
        Validation of enumerated threats
        
        Validation of mitigations
        
        Validation of assumptions
      - Advantages and Disadvantages
        
        Advantages
        
        Can be used to find threats to a system early in the development process
        
        Can be used by both security experts and non-security experts
        
        Can be used to guide other security assessment activities
        
        Disadvantages
        
        Upfront costs (training, software, and setup)
        
        addtional documentations
- - - - others cannot see unauthorized content
    - - others cannot alter what you send
    - - To establish a valid uniquely secure channel between two valid parties
  - - - by network people
    - - by SE
  - - - use PUBLIC Key crptography to establish a shared secret key betwwen the client and server
      - Negotiates cipher suit algorithms and establsih and shares a master secret
      - can also authenticate server and/or client
    - - Uses the secret key established in the handshake protocol for encryption communicating data
- - - - done at apllication level.
      - such as
        
        protecting object with permissions or requiring users to change pwd with a policy
    - - written security policies or methods used to check the effectiveness of security using assessments or auditing.
    - - server protection
  - - - designed to provide guidance or direction
    - - designed to discourage the attackers
    - - designed to prevent an attack
    - - Designed to detect an attack
    - - Designed to mitigate the damage
    - - designed to bring back a system to its normal operational state
  - - - when the organization wants to share users' data with a 3rd party
    - - defined by system or per organizational security policy
    - - system administrator is responsible for managing access controls
  - - - File1: ( (read, {user1}), (write, {user2}) )
    - - content oriented. (can be used in environements when roles change frequently)
    - - User is shown only allowed interfaces
    - - User1: ( (read, {file1,file2}), (write, {}) )
    - - constraint on time. access expires after the time limit
    - - role oriented access controls
  - - - Authorization Code Grant
      - Implicit Grant
      - Resource Owner Password Credentials Grant
      - Client Credentials Grant
    - - ClientApp
      - Resource Server
      - Authorization Server
    - - Client application redirects webpage to AUTH Server.
        
        User accepts the consent for requested scopes to be allowed for the client app. (another value called state is also sent for maintaing the state between the auth server)
        
        Auth server sends Authorization Response (Code) to the user.
        
        User provides the Authorization Response (Code) to the client app.
        
        Client app sends a Token request call to the Auth server.
        
        Auth server send back an access_token, refresh_token(Supported only in auth code and password grant types) to the client.
        
        Now client app can access allowed scopes using the access_token
    - - JIT PRovisioning (Just In Time)
        
        Creating a new user account from user data received from resource server's AUTH server as soon as authenticated.
      - Account association
        
        Combining multiple OAuth Server for a single user account.
        Ex: Login for same email,. using FB Login as well as Google Login.
      - IAM SERVERs/iDENTITY PROVIDERS
        
        Auth0
        
        pingidentity
        
        WSO2 Idenitiy Server
    - - Implicit grant type
        
        directly provdiing an access token after user providing consent
      - Password credentials grant type
        
        user's password is passed via POST requests to get a access token. Used for mobile application.
        
        needs header Authorization: Base64(clientId:clientSecret)
      - Client credentials grant type
        
        Via POST: sharing a shared resource in a trusted manner (with authorization) with the client application. No user accounts involved.
        
        needs header Authorization: Base64(clientId:clientSecret)
    - - The request that resource server sends to the auth server to validate access_token of a user
      - Timestamp skew is used to allow some more time for accessToken expiration on the resource server. (time difference between resource server and auth server)
    - - POST auth0_api/revoke
        BODY token=<token>
        HEADER Authorization: Basic base64(clientId:clientSecret)
        :Client app request the Auth server to revoke an access token (and refresh_token) if there is a breach. Auth server will then invalidate the token ASAP.
    - - Automatic Client APP Registration process
    - - Intermediate OAuth server that can connect with another OAuth service provider
- - - - overlaying an attractive action web page over a legitamate web page. Acatual legitmate action is mostly a unsafe user unware action.
  - - - Ex: 1988MorrisWorm, Code Red Worm, SQL Slammer
      - Increasing memopry usage until RAM memory buffer overflows
      - A buffer overflow occurs when data written to an allocated buffer also corrupts data values in memory addresses adjacent to the destination buffer due to insufficient bounds checking.
      - How to prevent
        
        Boundary checking
      - Example
        
        c program
        
        what are registers
        
        highspeed temporary memory storages that CPU uses for processing
        
        How
        
        ex: By changing register values used at the program runtime
        
        By calling a secured function by its address
      - How is the damage?
        
        Cxorruption of other program data
        
        Corruption of control flow structure
        
        Shoutdown of the running prg
        
        Be abale to run protected code in of running program
      - types
        
        Stackbuffer overflow
        
        Can be slightly protected by adding -fno-stack-protector AND adding -mpreffered-stack-boundary=<val> when compiling the prg
        
        types
        
        Heap buffer overflow
        
        harder to attack because of dynamically allocations
      - ways
        
        Read overflow
        
        ex: heartBleed bug
      - Counter measures
        
        Libsafe Project
        
        re-implementing strcpy(), strcat(), gets()
        
        Stack guard
    - - compile it without protection
        
        gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -o bypass bypass.c
        
        PAssword
        
        P@ssw0rd
        
        See and change disassembly flavor
        
        show disassembly-flavor
        
        set disassembly-flavor int
        
        Add break pointer
        
        b *<address>
        
        Set the value of EAX register
        
        set $eax=0
        
        Examine the registers
        
        info registers
        
        Examing the stack pointer(esp) and precedging 8 adresses's items
        
        x/8xw $esp
        
        Write a string to a file in python
        
        python -c 'print "a"*12 +"\xea\x84\x04\x08"' > attack.txt
    - - heap
        
        memory allocated to variables during runtime using malloc()
      - Stack
        
        Used to store local variables which are only used in a function. These variable are stored in a element called as frame.
      - Data
        
        Readable and writable segments containing static, global, initialized data segments and variables
      - BSS
        
        Readable and writable segments containing static, global
      - tEXT
        
        Read only segment that contains the compiled executable of the program
    - - big-endian and little-endian
        
        theses terms describe the order in which a sequence of bytes are stored in computer memory
        
        types
        
        big-endian
        
        MSB is stored at lowest memory addrees
        
        little-endian
        
        LSB is stored at lowest memory addrees
    - - Categories
        
        Data
        
        arithemtatic and data movemenmt. EBX can hold address of a procedure or a variable. (E<name>X)
        
        accumulator
        
        base
        
        counter
        
        data
        
        Segment
        
        Used as base locations for program instructions, data, and the stack
        
        Index
        
        Contains offsets(distance to the base segment) of data and instructions
        
        base pointer
        
        stack pointer
        
        source index
        
        destination index
        
        Control
        
        EIP (Instruction pointer) holders offset of the instruction to be executed.
        
        EFLAGS
  - - - used to return back to the parent routine address number after a subroutine execution is over
    - - Stores values of local variables
    - - Store values which are passed to the subroutines
    - - Stores previous value of the frame pointer register, before calling the subroutine
- - - - server send this to client first
      - cookies has an expiry date
      - browser has a cookie storage
      - content
        
        Name
        
        Content
        
        Domain
        
        Path
        
        Expiry
      - types
        
        As a session identifier
        
        For personlaization
        
        For user tracking
    - - Stealing session cookies
        
        Attacker can impersonate a legitimate user by stealing a session cookie
        
        how
        
        using man in the middle attack
        
        CSRF attacks
        
        How to avoid
        
        Generate unpredictable cookie ids
        
        Set cookie expiration timeouts and delete them once the session ends
        
        Transfer session id through SSL only
        
        allow session initiated IP address only
        
        Attacks
        
        CSRF (cross site request forgery) - malicious site sending a request to a currently logged in legit web site.
        
        How to avoid
        
        Double submit cookie pattern
        
        Prerequisities
        
        1 more item...
        
        Two cookies are
        
        2 more items...
        
        Use captcha input whenever possible
        
        Use OWASP CSRF Guard
        
        Synchronizer Token Pattern
        
        A token, secret and unique value for each request is embedded for all HTML forms.
        
        Hard to implement for all HTML forms in a large site. But simple to configure.
        
        token, secret and unique values are kept as hidden fields in the form.
        
        XSS must have prevented first.
        
        Cross Site Scripting (XSS)
        
        Inserting malicious javacript code via input fields
        
        Solutions
        
        less practical
        
        Input validaiton
        
        Outpput sanitaization
        
        more practical
        
        OWASP Encoder
        
        Types
        
        Reflected attack
        
        happens realtime
        
        inject via a input tag
        
        when input script is rendered in the response page, malicious sciprt will be executed.(malicious script may steal cookies in the window object)
        
        abilities
        
        session highjacking
        
        site defacement
        
        site redirection
        
        data theft
        
        key-stoke logging
        
        detection tools
        
        dyncamic scannnong tools
        
        statoc code analysis tools()ML, RegEx
        
        Veracode
        
        OWASP Zap
  - - - idempotent, safe
    - - idempotent, safe
    - - idempotent, safe
    - - not idempotent, unsafe
    - - idempotent, unsafe
    - - not idempotent, unsafe
    - - idempotent, unsafe
  - - - boolean
        
        ex: SELECT FROM usrs where username = 'nisuga' OR '1' = '1';
        
        By GET: www.somthing.com/v2/user?username=nisuga' OR '1'='1
      - union injection
        
        eX: SELECT name, price from product where name like '%usb%' union select username, password from user where '1' like '1';
      - Error based
      - Time based
    - - Input validation
      - Disalllow DDL and DML features for the application's database account
    - - :check: BEST :use parameterized SQL queries
      - Blacklistings