Preventing Security Vulnerabilities in a Web Application – Alexius Diakogiannis – Devoxx Morocco 2023

This is a speech I gave during Devoxx Morocco 2023.

In today’s digital age, web applications are a crucial part of our lives. However, with great power comes great responsibility. Companies are constantly under threat from malicious users and attackers, which is why it’s essential to safeguard your web applications.

Topics Covered:

  1. Software Development Life Cycle (SDLC) – The Shield of Defense
    • Discover the importance of implementing a robust SDLC to fortify your web application against security vulnerabilities.
  2. Secure Code Writing – The Foundation of Web Application Security
    • Understand the significance of secure coding practices and how they form the bedrock of web application security.
  3. DAST, SCA and SAST Tools – Usage and Comparison
    • How dynamic analysis (DAST), software composition analysis (SCA) and static analysis (SAST) tools are used, and how they compare.
  4. AI in Development – A Futuristic Approach
    • Explore how artificial intelligence can be harnessed to enhance web application development security.
  5. Code Monitoring in Production – Staying Vigilant
    • Learn the strategies and tools for monitoring your code in a production environment to promptly detect and mitigate vulnerabilities.

📄 Find the Presentation Slides

Explore the presentation slides to get an in-depth look at the concepts discussed during the session: Speaker Deck

How to install SonarQube locally or in production to check your code for vulnerabilities, performance and maintainability

Introduction

From Wikipedia: SonarQube (formerly Sonar) is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis of code to detect bugs and code smells in 29 programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security recommendations. SonarQube can record metrics history and evolution graphs, and provides fully automated analysis and integration with Maven, Ant, Gradle, MSBuild and continuous integration tools (Atlassian Bamboo, Jenkins, Hudson, etc.). In other words, it checks whether what your team has written is secure, performs well, is tested and is easy to maintain.

What is a watering hole attack and how can I defend myself?

If you have any hunting experience, or have been in a beer talk with hunting stories, you have probably come across the term “Watering Hole Attack”. In this attack the hunter hides near a watering hole, where animals come to drink, feel safe and usually have their guard down and their instincts relaxed. The hunter therefore does not have to track the prey and attack on the move, but waits until it comes to its fate on its own. In much the same way, an attacker targets specific end users by infecting websites they visit frequently with malware, which then spreads to the user’s device.

Logging Failed and Successful Authentication Attempts with SpringBoot

Introduction

The latest OWASP Top 10 (OWASP Top 10:2021), the well-known standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications, includes an entry for identification and authentication failures (A07:2021 – Identification and Authentication Failures). Previously known as “Broken Authentication”, it refers to the dangers a web application faces from weak authentication implementations. Below I am going to demonstrate the implementation of one of the countermeasures, which is to be able to log authentication attempts, whether they are successful or not.

[UPDATE] Log4j RCE 0-day vulnerability (CVE-2021-44228) mitigation actions

CVE-2021-44228 - Log4j RCE 0-day mitigation

UPDATE 14/12/2021

I had an update from my very good friend and excellent consultant Stella Varvarigou, in which she explained to me that setting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false does not fully mitigate the threat, as it is possible to send the exploit code with the request. [2]

Introduction

Apache Log4j, the most popular Java logging library, announced a zero-day vulnerability, CVE-2021-44228, on December 9, 2021 that results in remote code execution. Let’s analyze why this happened and what can be done to mitigate the risk.

Oracle’s WebLogic CVE-2019-2725 CRITICAL vulnerability allows spreading of Sodinokibi ransomware

Malicious users are exploiting a vulnerability in Oracle WebLogic CVE-2019-2725 to install a ransomware called Sodinokibi.

Once executed, the Trojan creates the following file:
[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt, deletes Shadow Volume Copies and disables Windows startup repair.

Next, the Trojan encrypts files on the compromised server. It appends a random extension to encrypted files that is unique to each compromised computer and creates a ransom note file in each folder containing encrypted files: [PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt

The ransom note informs the user their files have been encrypted and provides instructions on how they may pay to have the files decrypted.

Unfortunately, CVE-2019-2725 is very easy for attackers to exploit, as anyone with HTTP access to a WebLogic server could carry out an attack. Because of this, the bug has a CVSS v3.0 Base Score of 9.8 (CRITICAL).

So how safe are you feeling when visiting a WebLogic server app these days? :/

Apache Tomcat – Critical Remote Code Execution (RCE) vulnerability (CVE-2017-12617)

The Apache Tomcat team has recently fixed several security vulnerabilities. One of them could allow an unauthenticated attacker to remotely execute malicious code on affected servers.

Installing Apache Directory Server (ApacheDS) on Ubuntu

ApacheDS is a rising force among directory servers; it is Java-based and uses the well-known Spring framework for its operation.

Installing it on Ubuntu is a fairly easy task.

Prerequisites

Java version 5 or later must be present on the system. I recommend Sun Java rather than OpenJDK.

To check this, run

[bash]
java -version
[/bash]

and expect to see something similar to the following

[text]
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)
[/text]

If it is not installed, run the following in the console

[bash]
sudo apt-get -y install maven2 sun-java6-jdk java-common
[/bash]
Glassfish v3 Installation on Ubuntu / Debian

Everyone who has done J2EE development has surely, at some point, come across articles describing Sun’s (now Oracle’s) new application server, Glassfish, in its famous v3 release.

The truth is that it is a very big step forward and a very good, fully J2EE-compliant application server that has received good feedback in terms of both speed and usability.

So let’s look at installing it on Ubuntu 10.04 LTS. The procedure is the same on Debian Lenny.

Log in to a terminal as root, or alternatively run sudo -i to get an equivalent shell. Install maven2 and the Sun Java 6 development kit by running

[bash]
apt-get -y install maven2 sun-java6-jdk java-common
[/bash]

E-Banking and Transaction Security

For most banks, transaction security is a top priority, which is why investments in this area have been, and continue to be, particularly significant. The adoption of cutting-edge technology, with communication protocols and authentication mechanisms, contributes greatly to securing electronic transactions.

Some basic tips that users who carry out transactions (e-banking) over the internet should know are described below: