Find, Hack and Fix Security Vulnerabilities in Cloud Native Apps
Numerous critical vulnerabilities in cloud-native apps arise from logical flaws, incorrect assumptions about dependent technologies, and insecure patching. These flaws lack known syntax or patterns detectable by security testing or scanning tools (SAST, DAST, etc.). This complexity makes building secure apps more challenging than ever.
After years of hands-on penetration testing and secure code review, we've developed a unique workshop that covers the full spectrum of handling security vulnerabilities. You will gain expertise in finding, hacking, and fixing security vulnerabilities in modern apps. This hands-on workshop teaches Defensive Programming principles - a set of battle-tested approaches to ensure effective remediation of security vulnerabilities, making your app secure by design
In this three-part workshop, we comprehensively cover everything from Integer Overflow to Prompt Injection. We begin with essential foundational AppSec topics that every beginner must know, progressing to the identification of hard-to-find security vulnerabilities through Black Box, White Box and Fuzzing approaches. Lastly, we take you one step further, to learn how to effectively address security vulnerabilities and avoid common mistakes in security patching.
Understand the root cause behind software security vulnerabilities, and explore why they are challenging to identify and remediate effectively:
How software is developed
What we believe our software does vs what actually it does
It is difficult to make a deterministic system
Why we have many software vulnerabilities
Software security is fundamentally a software engineering problem
Common, but inadequate approaches to fix vulnerabilities
Security vulnerability is not a software bug
Why post-release patching is dangerous
Learn a technique for early detection of software vulnerabilities and develop a hacker mindset:
Identify software vulnerabilities during team stand-ups
Trust boundary analysis
Five + three threat actors
Discover threats
Common insecure assumptions that are targetted
Rapid Threat Modelling
STRIDE
SecDim's Threat Thinking Matrix
π§πΎβπ» Build a threat model in an attack and defence game
π§πΎβπ» Hack your own program exploitation lab
There are edge cases that can turn an arithmetic result into a security disaster. In this module, we learn how to identify and exploit Numeric Overflow vulnerabilities. We learn the first part of a defensive programming principle that effectively remediates this vulnerability class:
Boeing 787 shutdown: a related security incident
Numeric datatypes: int, long, double, float
How a computer does arithmetic
Why overflow happens
Patriot surface-to-air casualty: a related security incident
Float datatype
How a computer does floating-point arithmetic
Issues with IEEE 754 standard
Rounding imprecision
Approximate representation
What Numeric Overflow is
Root cause of Numeric Overflow
Effected languages by Numeric Overflow
π§π½βπ»π Find: Techniques to discover Numeric Overflow
Identify Numeric Overflow at runtime (blackbox testing)
Identify Numeric Overflow in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit Numeric Overflow
π§π½βπ»π©Ή Fix: How to remediate Numeric Overflow
Common pitfalls to patch Numeric Overflow
Introduction to Defensive Programming Principle 1 (part 1)
Parse Untrusted Data, Don't Validate
Anti-pattern: Lack of data recognition
Part 1: Void and range check
Unicode is complex, and its complexity has introduced new classes of vulnerabilities. In this module, we learn how to identify and exploit Unicode vulnerabilities. We learn the second part of a defensive programming principle that effectively remediates this vulnerability class:
Paypal Homograph: a related security incident
From ASCII to Unicode
Two types of string equivalency in Unicode
Homoglyph and Homograph
Spotify BigBird: a related security incident
Unicode Confusable Characters
Normalisation
Four forms of normalisation
What Unicode Vulnerabilities are
What Visual Spoofing is
What Unsafe Normaliser is
Root cause of Unicode Vulnerabilities
Effected languages by Unicode Vulnerabilities
π§π½βπ»π Find: Techniques to discover Unicode Vulnerabilities
Identify Unicode Vulnerabilities at runtime (blackbox testing)
Identify Unicode vulnerabilities in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit Unicode Vulnerabilities
π§π½βπ»π©Ή Fix: How to remediate Unicode Vulnerabilities
Introduction to Defensive Programming Principle 1 (part 2)
Part 2: Character-set, format and semantic check
Parsing URL and file paths is not a trivial task and requires careful handling to avoid vulnerabilities. This module is dedicated to identifying and exploiting two specific vulnerabilities: Path Traversal and Server Side Request Forgery that impact URL or filepath handlers. Additionally, we explore best practices for effectively remediating these vulnerabilities:
Capital One Leak: a related security incident
URL handling is complex
Relative and absolute filepath
What Path Traversal is
What Server Side Request Forgery (SSRF) is
Root causes of Path Traversal & SSRF
Effected languages by Path Traversal & SSRF
π§π½βπ»π Find: Techniques to discover Path Traversal & SSRF
Identify Path Traversal & SSRF at runtime (blackbox testing)
Identify Path Traversal & SSRF in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit Path Traversal & SSRF
π§π½βπ»π©Ή Fix: How to remediate Path Traversal & SSRF
Common pitfalls in patching Path Traversal & SSRF
Anti-pattern: Insufficient data recognition
Canonicalisation
Applying Defensive Programming Principle 1
There are various types of vulnerabilities stemming from the evaluation and execution of untrusted input. In this module, we delve into the identification and exploitation of Injection vulnerabilities. Additionally, we explore a second defensive programming principle that serves as an effective remedy for this class of vulnerabilities:
Uber rider RCE: a related security incident
Why software evaluate and execute inputs
What XSS, SSTI, and SQLi have in common
Template engine
Expression language
What Server Side Template Injection (SSTI) is
Root cause of SSTI
Effected languages by SSTI
π§π½βπ»π Find: Techniques to discover SSTI
Identify SSTI at runtime (blackbox testing)
Identify SSTI in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit SSTI
π§π½βπ»π©Ή Fix: How to remediate Injection Vulnerabilities
Introduction to Defensive Programming Principle 2
Anti-pattern: Loosely defined data model
Anti-pattern: Shotgun parser
Make Unsafe State Unrepresentable
Value Objects
Domain Primitives
Parser differential is a class of vulnerabilities that is challenging to detect and rectify. It is a type of weakness that may not be identified in a standalone system but becomes apparent in communication with other systems. In this module, we focus on the identification and exploitation of Parser Differential vulnerabilities. Additionally, we explore a third defensive programming principle that serves as an effective remedy for this vulnerability class:
Android Signature Bypass: a related security incident
Incomplete protocol design specification
Inconsistent implementation
New security attacks targeting micro service environments
What Parser Differential vulnerability class is
HTTP Desync Request Smuggling
Subject Name Confusion in X.509
JWT Algorithm Confusion
What HTTP Parameter Pollution is
Root cause of HTTP Parameter Pollution
Effected languages by HTTP Parameter Pollution
π§π½βπ»π Find: Techniques to discover HTTP Parameter Pollution
Identify HTTP Parameter Pollution at runtime (blackbox testing)
Identify HTTP Parameter Pollution in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit HTTP Parameter Pollution
π§π½βπ»π©Ή Fix: How to remediate HTTP Parameter Pollution
Introduction to Defensive Programming Principle 3
Anti-pattern: Security via syntactic idioms
Make Unsafe Behaviour Impossible
Design By Contract
Phantom Type
Race condition vulnerabilities, while challenging to trigger, are prevalent in modern applications. This module delves into the identification and exploitation of Race Condition vulnerabilities. Additionally, we explore a fourth defensive programming principle, which, when implemented correctly, serves as a remedy for this vulnerability class:
Privilege Escalation in Steam Engine: a related security incident
Shared resources used by apps
Concurrency and threading
What Race Condition is
What Time of Check Time of Use (TOCTOU) is
Root cause of TOCTOU
Effected languages by TOCTOU
π§π½βπ»π Find: Techniques to discover TOCTOU
Identify TOCTOU at runtime (blackbox testing)
Identify TOCTOU in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit TOCTOU
π§π½βπ»π©Ή Fix: How to remediate TOCTOU
Introduction to Defensive Programming Principle 4
Anti-pattern: Branch on a mutable object
Immutable Branching
Defensive Copying
Immutable Object
Easier to Ask Forgiveness than Permission
A cloud-native app requires parsing incoming requests and deserialising or unbinding them to in-memory objects. However, this process is susceptible to various vulnerabilities and methods of exploitation. In this module, we focus on identifying and exploiting the Mass Assignment vulnerability, a specific weakness in the unbinding process. Additionally, we explore an approach that serves as an effective remedy for this vulnerability:
Github hack: a related security incident
Unbinding vs deserialisation
Object Relational Mapping
What Mass Assignment is
Root cause of Mass Assignment
Effected languages by Mass Assignment
π§π½βπ»π Find: Techniques to discover Mass Assignment
Identify Mass Assignment at runtime (blackbox testing)
Identify Mass Assignment in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit Mass Assignment
π§π½βπ»π©Ή Fix: How to remediate Mass Assignment
Defensive Programming Principle 2 and 3
Anti-pattern: Loosely defined data model
Effective remediation of Mass Assignment
Regular expressions are commonly employed for validating untrusted data. However, as the regular expression engine parses untrusted data, it can become a target for security attacks. This module focuses on identifying and exploiting ReDoS (Regular Expression Denial of Service), a vulnerability in the regular expression systems. Additionally, we delve into best practices for effectively remediating this vulnerability:
StackOverflow Outage: a related security incident
Backtracking
Catastrophic backtracking
What Regular Expression Denial of Service (ReDoS) is
Root cause of ReDoS
Effected languages by ReDoS
π§π½βπ»π Find: Techniques to discover ReDoS
Identify ReDoS at runtime (blackbox testing)
Identify ReDoS in the code (whitebox testing)
π§π½βπ»π Hack: Techniques to exploit ReDoS
π§π½βπ»π©Ή Fix: How to remediate ReDoS
Best practices in remediation of ReDoS
Regex matcher timeout
Atomic grouping
Possessive quantifiers
Text-directed engine
Containers are second layer of defence in a cloud native security. Learn how to identify, exploit and fix insecure containers:
π§π½βπ» Docker-in-docker exploitation
π§π½βπ»π Compromise host via insecure container
π§π½βπ»π Kernel namespaces and capabilities
π§π½βπ»π Privileged containers and RCE
π§π½βπ»π Root containers vs root in the container
π§π½βπ»π Insecure default container capabilities
π§π½βπ»π SUID binaries in container
π§π½βπ»π©ΉHardening containers
Artificial Intelligence (AI) systems have introduced novel classes of vulnerabilities, presenting unique challenges. The vulnerabilities span the pre, during, and post-model creation phases, each with its distinct set of security issues. This module focuses on identifying and exploiting Prompt Injection vulnerabilities in AI systems. Furthermore, we delve into best practices for effectively remediating this vulnerability:
Google Bard disclosed sensitive data: a related security incident
What Large Language Model is
Lack of understanding of LLM capabilities and vulnerabilities
AI vulnerabilities at inference time
What Prompt Injection is
Competitive objectives
Mismatched generalisation
Root cause of Prompt Injection
π§π½βπ»π Find: Techniques to discover Prompt Injection
Identify Prompt Injection at runtime (blackbox testing)
Obfuscation
Token Smuggling
Virtualisation
Context Switching
Payload Splitting
π§π½βπ»π Hack: Techniques to exploit Prompt Injection
π§π½βπ»π©Ή Fix: Best practices to remediate Prompt Injection
Anti-pattern: interpret data as code
Output filtering
Whitelisting or Blacklisting
Stop Sequences
Reinforcement
User Response Tagging
LLM Reevaluation
Sandwich Defence
Identify hard-to-find security vulnerabilities and automate their discovery using fuzzing techniques:
Write security unit tests
Blackbox fuzzing
Coverage guided fuzzing
Property based fuzzing
Swarm fuzzing
Stateful fuzzing
Metamorphic fuzzing
AI assisted fuzzing
Wrap up the workshop with a unique attack and defence competition, leveraging the world's first Attack and Defence SecDim Wargames.
Step-by-step delivery by a highly qualified instructor
Large collection of self-paced git-based labs
Access to an exclusive support forum
Full access to workshop content
You will also get
Practice schedule and mentoring
Standard pathway program
Assessment of your practices
Free attempt to obtain SecDim Certification in Defensive Programming and earn up to 20 hours of professional education
We forget almost 60%
of newly acquired information within a week!
We provide you with a practice schedule
and mentorship during a three month pathway
so that secure software engineering becomes your habit.
Our workshops are offered only a few times a year. Don't miss out.
The SecDim workshop equips you with exceptional technical skills
and analytical thinking highly sought after by top companies.
Earn a
SecDim Certification in Defensive Programming
to open doors to the most interesting security roles worldwide.
