MODULE 1
Topic: Secure Development LifeCycle And Chain of Security Tools.
Description: This module mainly focuses on the introduction of security terminology and attacking vectors involved in an application. It also provides an overview of application architecture and the role of different tools involved during the entire course. Its content provides an offensive security methodology from a secure development perspective.
Topics Covered:
- JAVA Spring Boot features and its advantages
- Developing a Spring Boot-based REST API
- Enabling session time-out in the REST API
- Hands-on introduction to ZAP and POSTMAN
- What is:
- Insecure Direct Object Reference
- SQL injection
- CSRF token
- Serialization
- Deserialization
- Intercepting proxy tool
Module 1 Exercises:
- Clone the Spring Boot REST API from git repository and configure the cookies with domain, HTTP and Secure flag being set and explore additional Spring Boot security features
- Use of POSTMAN client tool to trigger a request to API
- Intercept the HTTP traffic via proxy tool (ZAP)
- Modify the traffic and analyze the different sets of data (headers, tokens, etc.) being passed
- Create a report on what security feature is missing in the HTTP traffic analysis of your developed API
MODULE 2
Topic: Deserialization Issues in JAVA, Testing, and Mitigating
Description: This module focuses on the different annotation features provided by Spring Boot and develop serialization-deserialization functionality in your API. It provides an overview of the issues related to deserialization in JAVA and how to mitigate these flaws in your API development, as well as different techniques to mitigate input validation bypass issue. It also covers creating custom extensions on ZAP.
Topics Covered:
- Identifying Issues with deserialization
- How to exploit deserialization issues
- How to mitigate and fix deserialization issues
- Validating input on the server side
- Introduction to writing custom extensions on ZAP
- Implementing a passive scanner on ZAP to check the API request-response
- Using a basic authentication method for the APIs to restrict public access
Module 2 Exercises:
- Implement a passive scanner on ZAP with the following features:
- Session cookie without 'HTTP Only' and ‘Secure’ flag in the developed API (from module-1)
- to test whether CSRF token enabled for POST method or not (DVWA app)
MODULE 3
Topic: Security Configuration in Spring Boot and Active Scanning using ZAP
Description: This module focuses on implementing the scope-based authorization features of Spring Boot, secure configuration of an API, along with restricting end-points and internal methods. Moreover, it presents blacklisting of potential dangerous commands in your API Introduction to active scanning feature of ZAP tool.
Topics Covered:
- Spring Security libraries and java-container-security as dependency in POM file
- Configuring Spring Security
- Implementing Scope based authorizations and method level checks
- Introduction to Spring Boot actuator end-points
- Introduction to CVSS and active scanning of ZAP
- Implementing an active scanner feature in ZAP with the following features:
- Trigger a request on an unauthorized end-point and flag the HTTP code in response
- Tamper HTTP verb in the API request and flag the response
- Defining CVSS score and priority in case of a successful attack
Module 3 Exercises:
- Implementing method level authorizations in a REST API
- Enable relevant actuator end-points securely
- Implement an active scanner on ZAP with the following features to check permitted actuator end-points
FINAL EXAM
In this final exercise, you would work on the offensive and defensive side of security, attacking your own developed APIs and mitigating the issues found during your attack.
- Secure Development of a REST API with the following features:
- Development of a REST API with the following features
- authentication via OAuth 2.0 protocol using third party Authentication Server (Facebook, Google, etc.)
- input validation scenario using regular expression:
- Implement passive scanner and active scanner script on OWASP ZAP tool to check for the CSRF token bypass vulnerability (API would be provided to you)
- empty value in CSRF
- provide CVSS rating to the issues detected
- Provide a Final Secure analysis report of your API security testing against the OWASP Top10 attacks using the tools learned in this course.
If any security issues are found during the test, mitigate/fix them and provide a PoC on the fix.
Evaluation would be based on the number of implemented features from the above-mentioned exercise and on the number of vulnerabilities found and mitigated in the report.
Source : https://pentestmag.com/product/purple-teaming-in-java-api-development/
沒有留言:
張貼留言