
DAST for Developers

Webinar

Speaker 1: Awesome. Hi everyone. I am Tanya and I am your workshop host, and I am co-hosting this with NeuraLegion. So they are my startup friends, basically. And we started talking about how we could do a workshop and how it could be fun to do one together. And so they have made a really cool product that I have played with a bunch of times. And so I was like, I really like GitHub Actions and CI/CD. And they said, we really like scanning web apps and then finding things wrong with them. And I was like, let’s mash our goals together and then invite lots of people to join us. And so that is how this workshop came to be. And so, oh, yes, and I’m from We Hack Purple. And so we are going to get started now. I hope that all of you are on the chat with us. If you have questions, you can post them there or you can go to the Discord. So if you are stuck with a technical problem and you need a lot of help, you should probably go to the Discord. If you have a quick question in the chat that you want, that is okay with me reading out to everyone, not your name, but I’m going to read out in the chat to everyone what the question is and answer it for everyone. So let’s go. So first of all, I talk about myself so that you know I’m qualified to give this talk. This is the thing that everyone does. This is me kind of smirking at the camera and being like, this is weird to do a photo shoot. So I’m Tanya Janca. I have a training company called We Hack Purple. I am known as SheHacksPurple. And yes, some of my hair is purple. It’s because I’m a purple teamer. So blue team defends, red team attacks, and when you just can’t make up your mind, when you do both, or when you do AppSec, you’re often called purple team. And so that’s where that came from. I wrote a book, it’s called Alice and Bob Learn Application Security, and I think it’s great, and my mom hasn’t read it yet, but she told me she thinks it’s great too. I have been doing tech a long time.
I’m one of the founders of WoSEC, Women of Security, if you want to meet other women, because sometimes you just want to hang out with other women and then get hair tips, and that’s okay. I am super obsessed with OWASP, the Open Web Application Security Project. I do a lot of things. I’m just basically a nerd on the Internet. That’s basically it. I figured out how to be a nerd on the Internet as a full-time job. Okay. Next, let’s talk about NeuraLegion, my friends that are in Israel and California. And so some of them are in Israel and some of them are in California. And I am on the West Coast as well. So when we have meetings, it’s always confusing when you book a time. They are developer-centric, a DAST and a fuzzer. We are just using the DAST today because we didn’t want to make a giant mess, to be quite blunt. That’s it. Yes, my mom has to like my book, right? So they were founded in 2018 and we hung out together in person at this. That’s the first time I met them, just not on the internet. Will there be a session about the fuzzer? I don’t know if we’re going to do a session about the fuzzer. Today we’re just covering the DAST. I know that.
Speaker 2: If there’s a lot of demand, maybe we’ll do one about that. So let us know. Talk to us.
Speaker 1: Yeah. Yeah. So maybe let Gordie or anyone else on the NeuraLegion team know. I don’t know if you know, but they have a Twitter and I tweet at them and I’m silly. And Bar, he’s on their technical team and you can’t see him right now, but he’s really good at responding with the absolute best cat GIFs, just in case you need that in your life, because I do. So they have offices in Boston, San Francisco, London, Tel Aviv and Bosnia. There are 36 people on their team now, which is absolutely incredible for a company that started in 2018. That’s amazing. And they have raised seed funding from top VCs. And for today’s session, do we need our own project to feed the scanner? Nope. We have a project for you. Yeah. So what we’re going to do is we are going to use GitHub Actions to load up Juice Shop from OWASP, and then we are going to automate their tool attacking it and finding results and giving it to us. I love automation. So yeah. And because Juice Shop is intentionally vulnerable. Are we looking to expand into India? So We Hack Purple is actually expanding into India. We are currently translating our first course into Hindi and into French. But I don’t know, I can’t speak for NeuraLegion if they’re going to be expanding into India.
Speaker 2: We are doing some stuff there right now. Being me, I’ll post my email on here. Ping me in.
Speaker 1: Yeah, you should put it into the chat. So what do they do? So they provide developer-focused AppSec solutions, which is why we get along so well, because there are way more devs than there are security people. And so we want to make as many nice tools for devs as we can so the security people can do just the security stuff, and putting it in a GitHub Action or putting it in your pipeline, because it works with a bunch of pipeline tools, is the best. Um, there’s a question in the Q&A, which I will get to in a second. And basically that’s why we get along so well, because they’re like, if we can make it really, really nice for devs, then we can be earlier in the system development lifecycle and then we can get things fixed faster. And also they have a bunch of things inside the tool, which we’ll see in a few minutes, so that it can help you fix the thing. It’s like, oh, this is what this is and this is how you do this, and here’s some links and here’s some help. And that’s what I always wanted as a dev, as opposed to an email with a report that didn’t have any links or any help in it, like actually having access to the tool and being able to see inside of it myself and to be able to rerun it myself. So it’s like, okay, I did this, I think I fixed it. Let’s rerun the tool. Having to wait for the security team when I was a dev, that stunk. So. Um, question in the chat, so I’m going to answer it live. Is this all about tooling or will we see manual stuff? You will not see manual testing in this app. We are going to do GitHub Actions and we’re going to have to code some YAML, like this much though. Like almost nothing. And so no, we’re not going to do manual security testing. We’re just going to use lots of GitHub Actions and lots of NexDAST, which is the name of the NeuraLegion DAST engine. So I hope I have answered your question. If not, please re-elaborate.
Okay, so they scan web apps and APIs, specifically REST and SOAP, and then they do mobile apps as well. So that’s good, because we still want to be secure when we use mobile apps. They build scan surface from the very first unit test. What is scan surface? I want you to answer what scan surface is, because I don’t know how to explain that. I believe you mean.
Speaker 2: Naturally, essentially all the entry points for the application and anything that can actually be exploited or exposed. That’s the entire surface of how you can get that. Nice.
Speaker 1: So they have a really, really great crawler, which we are going to use, but it’s going to break the build, and then they do CI/CD. And what we’re going to see for CI/CD today is going to be GitHub Actions. And so far I’ve received zero false positives, and that is their promise: zero false positives, actionable results and remediation guidelines. Yes. Oops. Buttons. This is the team. I asked them to take this photo for me. Isn’t it amazing? So these are the faces of NeuraLegion. Yes. So workshop participation prereqs. So do they just use a JS crawler as well, or is it just a scraper? That is a question for GA. So here. So I’m going to very briefly go over the steps of things that you definitely should have done before this workshop: creating a GitHub account, making sure your computer is connected to the Internet, which obviously it is, or you wouldn’t be here. But when I give training at conferences, sometimes that’s not the case. Modern web browsers. So we would prefer that you’re using Firefox, Chrome or Edge. I’m going to use Firefox, and that includes the Firefox Developer Edition. Either Firefox is fine. A Zoom account, so clearly you’re doing that. And if you said yes to come here, you probably have a pretty good sense of humor. There’s another question: is there any integration with other tools, Bitbucket, Azure DevOps, Jenkins, Bamboo, etc.? Or would you like to put into the chat just how many different CI/CDs your tool works with? Because I know it is a bunch.
Speaker 2: The answer is yes to all of the above, but Bar, you can post more.
Speaker 1: Nice. Okay. So prereqs. So you definitely all did this before, right? So if you have not done it, go to github.com/join and then join. I’m really hoping you all did this, because I’m going to go through this very fast. So you would create a username and password. Don’t tell me. Solve the cute puzzle where you put the llama in a circle around till its head is facing up. Select the free plan and you’re all set. I’m going. So what is DAST? Because that’s what we’re doing today. Oh, thank you, Dieter, because you’re so sweet. So what is DAST, right? It’s dynamic application security testing. So that’s what it stands for. But okay, so I’m going to give you a super formal definition, and then I’m going to give you a Tanya definition after. So this is the Wikipedia definition. So a DAST tool is a program, like an application, a piece of software, that communicates with a web application through the web front end in order to identify potential vulnerabilities in the web application and any architectural weaknesses. It performs a black-box test, and by black box we mean you can’t see inside. A white-box test means you can see the code, and a gray-box test means you can see some of the code, but maybe you can’t see all of it. And basically it’s probably a mess, like the testing situation. It’s probably supposed to be a white box, but they wouldn’t give you everything. And that’s fine. I’ll take what I can get. I feel this definition is limited, because the NexDAST that we’re going to play with actually also tests APIs, and they don’t have a web front end. So how does it do that? It talks to the Swagger file, like the API definition file, and then it’s like, okay, now I see your definition. Now I know how you want me to talk to you, and then it starts talking to it and then looking for problems. And so we’re going to do that today too, because just because there’s no front end does not mean we don’t need to secure it.
It’s really important. So sometimes DAST is called web app scanning. That’s what I call it. So like this, or for instance, I feel, oh no, Scarlett Johansson behind. This is awful. Just imagine her looking ridiculously badass. And then this. I feel this is the best image specifically for NexDAST, because of Bar, so more. Oh, there’s a question: without a Swagger file, would this tool be ineffective for APIs? Hmm. That sounds like a question for Bar, because you are able to manually, I know, talk to an API without a Swagger definition file. It’s just awful and painful and not pleasant at all. But I think that this is a question, so I’m going to answer. I’m going to say type the answer. Oops, no, I’m going to say answer live, and I am going to assign this question to Bar. So without a Swagger file, I was going to copy it into the chat so everyone can see it. Would this tool be ineffective? I don’t think it would be very effective, that’s for sure. But I don’t know if it would work at all.
Speaker 2: You can also use Postman collections, but I’ll let Bar reply in more detail.
Speaker 1: Oh cool.
Speaker 2: So I’ll write the answer in the chat.
Speaker 1: Okay. So Postman is a tool where you can talk to APIs directly, and so you give it the request and it tries to figure out how to talk to it. And then you can do manual testing and you can send requests to it, etc. But yeah, Bar’s going to answer that in the chat. That’s a really great question. Oh, Ozma. I hope I said that right.
Speaker 2: Every time you just add one point that it’s not limited to Oz. It gives you your name. Ozzy Osbourne.
Speaker 1: Nice. Ozzy.
Speaker 2: Important to note that it’s not just REST APIs. SOAP APIs and other formats, we can support those.
Speaker 1: So sometimes that’s really important, because guess what? When you do AppSec, the devs have no pity for you. If you’re like, oh, my tool only covers this, they’re like, I don’t care, I’m going to use the cool tech I want to use. So this is great. Okay, so sometimes it’s called web app scanning, but basically it interacts with your web app as it’s running. So it’s not looking at your written code. Your web app is running on a container, on a platform as a service, it’s on a server or virtual machine somewhere, and it is interacting with your application. If your application doesn’t actually run yet, you can’t use a DAST yet. It will proxy your connection. So that means it wants to be in the middle between your browser, or whatever is calling, and then it’s going to talk directly to your API or your web app. So it’s going to send requests and responses, or forward them in between, and it’s going to spy on all those, with your permission, obviously. And then it’s going to tell you about what it sees in those requests and responses, and then it will actually send some of its own. It’s going to try to click every link and crawl all around and find every single page. And it is going to look at every one of those very carefully and try to figure out what is potentially wrong with it. It does passive observation, so it will just look at the requests and responses, but then it will script responses and requests itself. Sometimes people call this attacking or scanning. Yes, it’s a lot like Burp Suite. It is a lot like Burp Suite, except way easier to drive. So I love Burp Suite, like genuinely, but when I first turned it on, it was so hard to use. It took me over an hour to figure out just how to turn it on. I felt like such a dummy. By the end of the weekend I was like, did I get dumber this weekend or smarter? Oh, so to echo your question, Joel: is NexDAST considered a VAM tool? What does VAM stand for? VAM. Vulnerability.
Speaker 2: Vulnerability assessment.
Speaker 1: Oh, I’ve just never.
Speaker 2: Heard of n.
Speaker 1: Oh no. This doesn’t scan infrastructure. It scans web applications and APIs. So web applications which are custom built by your team, as opposed to a VA tool like GNAT, like Nessus, which I love, also, to be clear. Nessus scans the crap out of operating systems. It’s awesome at that. But every operating system is sort of the same. So if Bar has Windows 2008 Server patched, or patched to R2, and I also have that, because we’re both tragic security characters in a novel from the past, we would both have the same security problems, potentially. So if his configuration was hardened and mine wasn’t, it’s still comparing the same configuration options, and it’s like, gosh, Bar has made good life choices and Tanya has made bad life choices. And so that’s what a VA tool does, is it generally scans operating systems, versus a person that is running a DAST. This would be like ZAP, the Attack Proxy? Yes. Oh, Ben, very good question. This is in the exact same category as that. It’s in the same category as Burp Suite, AppScan, sticks, Skipfish, Arachni, etc. Okay. So Burp has a jillion, a gazillion extensions. Yeah, it does. And that can be fun. So like, if you’re an expert and you’re a pen tester and you’ve been using it a really long time, it’s like a samurai with a samurai sword, and that’s really cool. However, there are very few samurai guys in this world, and a lot of us aren’t samurai guys, and we still need our apps to be secure. Does that make sense? And so just running DAST, as opposed to also running the NeuraLegion fuzzer, it’s like, this is your first step at making sure your apps are secure, and it’s going to catch everything that’s obvious, which is super duper important, because if it’s obvious to NexDAST, that means it can be obvious to a malicious actor, and you better fix those things. Just to be.
Speaker 2: Clear, you won’t get false positives, which.
Speaker 1: Is a very important thing. Yeah. So when you run a tool like Burp Suite and you open it all up, it’s going to tell you a zillion things, a gazillion things if I am following Oz’s language, which I really like. But a lot of those things are going to be false positives. It’s telling you everything that might be an issue, because it thinks you’re an expert and you’re going to go and dig right in. But we are not doing that today, because this course is 3 hours and not one week. And if we go a little over, it’s okay. I want to make sure that everyone has every single question answered by the end of this. I want you to all feel confident that you can go and scan your own apps, with your boss’s permission, just to be clear. So I want to make sure. Did I get everyone’s question that was in here? If there are more questions, put them in the chat, because I don’t want to continue on to another part and then people are like, oh, I’m so lost.
Speaker 2: And you have Discord as well for technical questions, or put them in the Q&A, because we can manage that too.
Speaker 1: Cool. Thank you. So the last thing on the slide is fuzzing. Well, actually, I thought the white looked really good with the orange, but anyway. So I’m just going to explain fuzzing, Yuval, and then I’m going to explain why we use CI/CD again. So fuzzing, like I said earlier, is where the fuzzer is a piece of software that is going to look at your app. It’s specifically for input validation. And so the number one cause of vulnerabilities in apps, in Tanya’s professional opinion, is because input from the user, from other systems, from your own database is not validated correctly, and they let in bad stuff, and then it makes your app do weird stuff. And sometimes that weird stuff turns out to be a vulnerability and a security problem. And so a fuzzer, what it does is it tests the crap out of every single input to your application. It puts in garbage. It puts in things that it thinks might hurt you. It puts in everything it can possibly think of, and it tests that your app continues to respond gracefully. And if at any point your app acts differently, it returns a weird thing, anything like that, it takes note, because it’s going to try to mess with you. We are not covering the fuzzer today because. Oh, could you reshare the Discord link in the chat? Just because now we’ve chatted a lot and so it’s very far away. Um, would one of you mind doing that from NeuraLegion? I’m going to assume that you’re going to do it.
Speaker 2: We’ll be out of there.
Speaker 1: Awesome. So we are just DASTing today. We’re not fuzzing. Yeah, I know, DAST is not a verb, but we’re just going to do a regular scan. Fuzzing can create false positives, and we really wanted to make sure all of the positives were true for you. And that’s what their DAST does. So how difficult is it to validate inputs? Just wondering. So if you have a fuzzer, I think it’s great. Oh wait, how difficult is it to validate inputs? I was thinking of how good it is from the tester side. How difficult is it to validate inputs from a dev side? Well, you would think it was the most difficult challenge on the planet. However, I feel that we should use something called an approved list, and we should get to know our regular expressions, and basically we should only accept known good input. But unfortunately what a lot of devs do is they use a deny or a block list, or sometimes called a blacklist, and basically they’re like, oh, no script tags and no double quotes and no backslashes, as opposed to saying, this is a username and the only things we accept are upper- and lowercase letters and numbers, and that’s it, buddy. No special characters for you. So as opposed to trying to not have all of the bad characters, we’re just only allowing the good characters. And if every single dev could learn fantastic input validation and become best friends with regular expressions, life would be wonderful. All Bar and I, we could just go home. We don’t have any jobs anymore. Yes. So following a whitelist or, like, an approved list is, I guess, difficult for some. I often will sit with devs and talk with them and they’re like, yeah, I made a whitelist, I made an approved list, but they’ve made a block list. And then, like, I don’t know, sometimes I draw pictures on a whiteboard and that helps. I cover this a lot in my book, and I remember my editor saying, like, why are you covering this for, like, the third time, but in a different and new way?
I’m like, because this is a really hard concept to actually get ingrained in people so much that they always do it that way. I know I was a dev and I screwed this up. I was not the perfect dev. Let’s be clear. Every bad thing that I tell devs not to do now, I did it at one point. That’s why I know. Okay. So. You might want to take a screenshot of this. It’s up to you. So, you know, like the long list of things they do, or you could bookmark NeuraLegion’s website. I have. It’s totally up to you, but they do a lot of stuff. And the main thing that we are going to do today, again, we’re not using NexPloit. We’re not using the fuzzer. We’re just using NexDAST. So you’re only seeing, like, half the stuff it does. So, oh, Bar would say mostly it falls into creating an allow list, meaning you would need to think ahead of all the OK inputs and only allow them. But devs are lazy. So, hey, don’t call devs lazy. That’s so not true.
Speaker 2: Devs, we.
Speaker 1: Oh, we the devs. Yeah, it’s true. It’s work. Being a dev is not like the easiest job. Unlike us. So security people, we just need to find one hole in your app and we’re like, we look awesome. Well, you have to defend every single line of code. It’s kind of a. We want to press this magical button right here. Fork. This is what we want to do, so you can see me. This is the little me, SheHacksPurple here. You should see your user here, and we’re going to press the fork button, which, I would open up my slides, but then we’re just going to actually, let me open them up. This will be good, actually. Let’s do it. So I’m going to slideshow full screen it. I’m. So the next thing is we’re going to set up our NexDAST account. And we do that like this. So you should have an email that looks like this in your inbox from NeuraLegion. Yes. So it’s going to look like this. You’re going to have to create a password. You should save it somewhere so that you have it. You’re going to have to repeat it, and then you’re going to click the sign up button. And then you will be inside, and it will look like this. Unless you have turned on dark mode, in which case it’s going to look like this. So let’s do these steps. So I have my lovely email from here. It is. So this is my confirmation. Email confirmation instructions. Hello Tanya, you should confirm your email address. So I’m going to do that. So I’m going to copy the link and open it here so that it doesn’t do something silly. And so if all of you could do this with me, that would be cool. So all of you are copying and pasting this into your web browser, and then we’re going to come up with an email. Yes.
Speaker 2: Oh.
Speaker 1: Okay. So which theme do you want me to use? Dark or light? Let’s hear some votes. Dark, dark, dark, light. Dark, dark, dark, dark. We’re going dark. It’s happening. It’s happening. Oh, okay. So, see, running scans. I am allowed five. Do you want to know why? That’s because I’m running the workshop. You’re only allowed one. Do you want to know why? Because there’s 250 of you. And so now, if you look at my slides, the next thing that we’re supposed to do is we’re supposed to create API keys in NexDAST, and then we’re going to put them into our GitHub secrets. So I’m going to slide this away. Now I just like to remember and remind everyone what we’re doing. So we’re going to need to create two keys. So one is to connect GitHub to NeuraLegion, and then the other one is to make a repeater, and the repeater is the one that does all the talking and makes the test actually happen. So just noting again, the username is the original email you got in your invite sent. So make sure when logging in you use it, even if it’s just an alias email. Hello, darkness, my old friend. Oh, my gosh. Let’s make API keys. So everyone go up here to your little user person, and we’re going to click on there, and we’re going to go to user settings, and this is where we’re going to make some stuff. Okay. So we’re going to click here. And so, yes, we could turn on two-factor authentication. You would definitely want to do this if this was not a workshop. I don’t think you should have a security tool that does not have two-factor authentication turned on, because that would be very bad. And I bet you’re thinking we’re going to press this button, but we’re not yet. That’s not what we’re doing right now. What we’re doing. So, can we use the same API key for both services right now? When you say both services, which both do you mean? So we’re going to create two keys and put both of them into GitHub. And they do different things. So let me explain.
So all of you have clicked the user button and you’re in here, and we’re going to scroll down, we’re going to scroll down, and we’re going to see a whole bunch of stuff, and at the very bottom, manage your API keys, and see how it says no API keys. That’s not acceptable. Obviously we want a key. Can we use the same API keys for both services, repeater and NeuraLegion? No, we have to create two. And don’t worry, it’s not hard. We got this, so let’s do create. So we’re going to press this button here, which will be in teal blue if you’re in dark mode, and it will be. Wait, wait. What color is it if you’re in light mode? Same color. Okay, but back to dark mode, obviously. So let’s create a new API key. So we’re going to click it, and I’m going to name it GitHub API key, because obviously I’m an extremely creative human. You can name it anything you want. The name of this doesn’t matter. But when we go into GitHub, the name really matters. We are actually creating one API key and one repeater. Oh, and both have an ID, but you can think about it like an API key and an API ID. What Bar said, he’s correct. So we have to choose our scope. So create new API key, and then we have to tell it what powers it can have. So we’re in a workshop, so we’re probably going to just click select all. You should click that button. So we’re going to click select all. And we got here by doing this, so this little arrow next to scopes. However, I don’t know if you would want to do that necessarily in a production environment. You might not want to give it archives read and write. You might not want to integrate every single thing. You might want to apply least privilege to this section. You might say, you know what, I don’t want it to read the users, or I don’t want it. We need it to have repeaters, just to be clear, and we need it to have the scan stuff. We don’t need it to have delete scan, though, so we could theoretically turn that off.
But I find in a workshop, when I try to apply least privilege, unless the workshop is about least privilege, someone can’t get their thing running, and it’s because we removed a privilege. And then that is frustrating for people attending. And so we are going to click the magical select all button. But again, in production, you might not want to do that. So let’s click create. This is our new API key. We would like to copy this, so we’re going to highlight it and click copy. So I want to make sure everyone has gotten to this part. And now we’re going to go back to our GitHub Action. So we can see, in the repo that we forked. So remember, so github.com, your username here, for mine’s purple. Yours is probably something equally cool. And then example actions. And so we are literally following this exact thing. So what we’re doing is number two, and so we are setting the NEXPLOIT_TOKEN. So that’s what we’ve copied, and then we’re going to create the repeater. And so to do this, we want to click on settings. This is the settings for this forked repo. This is not the settings for your entire user on GitHub, it’s just for this. So one more note, after hearing from a few attendees: this is not a self-signup service. If you didn’t get an invite, the login will not work. Hmm. So if you need an invite, you need to ask really nicely. Art, we’re getting. Should probably ask for. So let’s all click on settings together. Yeah. Perhaps it will be good to know which privileges the API key will need for prod. It would need scan stop, scan start, scan read, scan write. It does not need scan delete. And then that’s it. So we’re running it with tests just with that, and it was fine. But if someone doesn’t check one of those, and there’s hundreds of you and one of me, we’re going to have a problem. So, everyone, for now, please click select all. And so let’s go to settings. So again, that’s right here. And then we are going to go down to secrets. That’s right here.
So again, we’re going to go to settings and then secrets, and we’re going to add some secrets. See, it says there are no secrets in this repository. Sad face. We want to add secrets now, so we’re going to click the new secret button. And we’re going to immediately just paste what we had, because we want to paste that and not lose it. And then, I don’t know if you’re like me, but I have totally forgotten what the new secret name is. So I’m going to go and I’m going to open in another window the code. And I am going to go here and then copy and paste it from here. So I’m going to just put it in the chat that you want to name your secret NEXPLOIT_TOKEN. So I realized that at least half of you are currently typing out the value of my API key. The joke is on you, because I will be able to tell if you are running scans on my behalf, and then I will close, I will stop sharing my screen and just do a new API token, and then you’ll all be lost with your one scanner only. So I ask gently and nicely that you don’t steal it. But I’m telling you, I’m aware you could. And if I see a bunch of scans running that I know aren’t me, I’m going to swap it out. And that will theoretically be your punishment, and I will delete that token. So let’s click the add secret button. So again, we’ve named it NEXPLOIT_TOKEN, and it has to be all uppercase or it will not be a happy camper. And we’re going to click add secret, and then we’re going to click new secret again. And I’m going to go and I’m going to take the name REPEATER, and I’m going to paste it into the chat, because that’s how I am. Tanya the holder of the keys, it’s so true. And we are going to go back to secrets and we’re just going to paste this name, and then let’s go make a repeater together. So again, this is secret number two. It’s named REPEATER, all uppercase. And let’s go back to NeuraLegion. Oh, this is where I was resetting my password. So I’m going to close this. It’s created our API key.
We are happy, and we’ve enabled 13 scopes, because we’re very generous. So let’s go over to repeaters. So that is underneath scans, which quite frankly is the most fun thing to click on. But until we have our repeater, there’s not going to be anything exciting there. So see how it says no repeaters. Obviously, that’s not acceptable. So let’s go. So we’re on repeaters and we’re going to click the plus button, because we want to make a repeater. And again, the repeater is the thing that communicates back and forth between wherever you’re doing the scanning and NexDAST, which is in the cloud for NeuraLegion. So we’re going to name it GitHub repeater, but you can name it anything. It does not matter what you name it at all. And my description is going to be GitHub Repeater, pew pew. Hi everyone. You should probably have a clever name then, or a clever description. It’s up to you. And so it makes this UUID. So this is our identifier of our repeater. And so we’re going to copy this. So when GitHub Actions is running, it’s going to use the API key to start talking to NeuraLegion, and then it’s going to use this to say, oh, this is the repeater she made, this is the one she wants, because eventually you might have many repeaters, like for different apps and different projects that you’re doing. And so that’s why it’s important. So you might give one repeater to each team. And, oh, you don’t have the repeater enabled in your account. Ruchi Hata, can you repeat what the repeater actually does? So I just did that. So I’m hoping, because I saw your question after, I’m hoping that that’s what you wanted. I can’t create a repeater. It says not available in my current plan. Denzil, Dah or Timber, I need your help. Okay. For everyone else, I am going to copy this. So can anyone make a repeater? Is anyone successfully making a repeater? Yes. Yes, I did. I did. I did. Yes. Okay. So for everyone that doesn’t have one, talk to Bar in the Discord. Yes. So let’s go back.
So in the repeater here, we’ve clicked plus and made one, and then you can click this copy button and it copies it for you. And it’s the UUID that we want. And then we go back into the secrets and we’re making a new secret and you just copy and paste it in here and then we click Add secret. And so now I have my two secrets and GitHub will use them automatically as part of the CI/CD. But you wouldn’t have the secrets in there if you hadn’t cloned it yet. So let’s go back to our code. So we click here and then we can see our code. So the way that GitHub Actions works is, so you have Actions here. So that’s when stuff’s running, that’s the workflows running. But then if you want to see the code, the workflow, which is written in YAML, the YAML programming language, you have to go into the code and then see how it says .github/workflows. We’re going to be in there. But first, I need to point something out to all of you. You’re lagging behind. Please show how you set up the repeater. Yeah, I’m just going to very quickly repeat the repeater part. So we go to repeater and we click the plus button, you name it whatever you want to, you give it whatever description that you want to and you click add. And then we copy it here. And then we put it into our secrets by going to settings, and then into secrets, and then adding a secret named REPEATER. So you click new secret, you name it REPEATER, and then you copy and paste this value, that UUID, into it, and then you click the save secret button. Yeah. And the name needs to be REPEATER, all capitals, for it to work. YAML is case sensitive and it’s also space sensitive. So if you use a tab versus spaces, it gets extremely upset. And I have to say that I have sworn at YAML quite a few times because I think that’s dumb. Okay. Can you show how I created the API key? Yeah. So to create the API key, we go to our user person.
So that’s here, our little dude, and we click on him or her or them and we click user settings, and then in user settings we have to scroll all the way down to the bottom of the screen and we click create new API key. And in it we do plus, we name it whatever we want to, and then for scope we have to click select all, and then we click the create button. But I’m going to cancel because I already have a key. That’s very nice. So I’m going to click Cancel, and then it will show you the API key and you copy it. Yes, there will be a recording available after. There will be a recording available after, and forever. So you can keep playing with this and trying it and doing stuff with it. But you will only get one engine. Only I get five engines. Ha ha ha. They’re like, We’re going to give you three. And then I woke up and there were five and I was really happy. So I think YAML is a markup language, actually. Yeah, you’re right. It is. And so the secret name for the API key is NEXPLOIT_TOKEN. Awesome. My pleasure. So now we are in our GitHub Actions example. So we’re in the code. So a GitHub Action is a bunch of YAML that will run our CI/CD for us. And so I want us to look at the code and I’m going to talk about it. And then I want us to run it, and I’m going to trick you and make it not work first, because I’m sure. Okay, so everyone click on this one. So we’re in code. And then we’re going to click on the workflows because we want to see what’s in there. And so we see run CI dot yaml. That’s the one we want, and see, there’s a comment: use Juice Shop version 11. This is because we want to find stuff that’s wrong. Um. I have a message from someone, but it’s so far. Yeah. Thank you, Anatol. I can’t remember if I said that right, Anatol. Thank you. Yep. That’s the trick that I’m throwing at them. Well. Ha ha ha. Okay, so we’re going to click on here and look at the demo. And you don’t need to understand all of this to make it work.
Each different person that makes a security tool, they write a GitHub Action free to use, and you don’t usually need to understand much of how it works. You just need to understand the parts that are interesting to you. And so, what we have are three branches. And if you recall, we’re in the crawler branch because that’s the first test we’re going to do. There’s a HAR file branch, which we’re going to do, and then swagger, which is where we’re going to scan an API, because we want to do all three things. So pull request, branch main, we don’t have a bunch of branches in here. This is just for demo purposes. They’ve created this so that any of their customers who want an example of how it works with GitHub Actions can just copy and paste this and use it whenever they want to. And I was like, I want to use it, so. Basically when there’s a pull request to the main branch, it’s going to run. When there are pushes on any of these branches, it’s going to run. Okay, so we’re going to push stuff. You’re right. So people are already starting scans and that’s okay and that’s totally fine. But I’m going to walk everyone through it who has not done that. So jobs: start and wait on scan. So first it’s going to get Ubuntu because we have to put it on something, and the job is to run a NexPloit scan. So the first thing it does is it checks out the version of the action. And then it makes a place where it can install the NexPloit CLI. So that’s the command line interface. And so that’s the thing that runs the repeater for you. So we’re installing that inside of GitHub Actions, which is pretty cool. And then it’s going to save some environment variables. And guess what they are? They are our secrets, right? So we want to make sure that we’re saving those secrets. And then docker-compose up. So it starts our Docker image. And then it’s going to start a NexPloit scan. What’s the email? Oh. Bar is troubleshooting with people. Okay, so scan ID.
So the scan ID is basically what we’re asking it to do. And so what we’re asking it to do is run a test, and you can tell it which tests you want it to run. And so we have limited time, so we’re only going to do so many. And so we’re going to tell it to do CSRF, sometimes affectionately known as Sea Surf. It stands for Cross-Site Request Forgery. That’s bad. It was on the OWASP Top Ten, but it is not anymore. And then we’re going to run DOM-based cross-site scripting tests because we want to see if there’s that type of vulnerability, and we’re going to talk about that vulnerability in a bit. We’re going to test to see if security headers are missing, because a lot of developers appear to have an allergy to security headers and don’t think that they’re as fantastic and amazing as I know that they are. And then secret tokens. We’re going to look to see if there are any secrets that should not be there, because that’s bad. So then name. So we want to run Juice Shop. See how it has the cute juice emoticon. So Juice Shop for the GitHub version of it, branch, and then we’re telling it the GitHub branch number. So basically we’re telling it which version of Juice Shop to run, because Bjorn is like on top of it. The guy that leads the project for Juice Shop, and we found stuff wrong with it and then he fixed it because he’s awesome. But that makes for a bad demo. So we’re using an old version. So just to be clear, Bjorn’s amazing. Oh, yes. Thank you, Art. I appreciate your reminders. So then we’re going to set the crawler. So again, a crawler, it clicks on all the links and looks all over. This is slow going and you would not normally do this in a scan; you would already have that stuff discovered and recorded in something called a HAR file. So when you use a browser to record automation, it saves a HAR file. And so you would do that in advance. So it already knows all of the layout of your app, and we’re going to do that in scan number two.
So but we’re going to crawl because that’s fun. And then it’s saying, Which repeater is it? And it’s the repeater token we gave it, and then it wants a token and that is our API key to connect to our specific instance in NexDAST, the NexDAST application, because you don’t want to see my scan results, or maybe you do, but we don’t want that. So then we’re going to go down a bit and then it’s saying, Echo this out. Where do you see the scan results? You will see the scan results in NeuraLegion: get output from scan. So it will run and say it started the scan, and then it does this thing called wait for issues. And so it pauses GitHub and it tells it to stop and just wait while the scan finishes running and crawling and doing its stuff. And then either the build breaks and it will break here and show us, or it will scan a long time till it’s done, and then it will get here and it will say, Stop scan. So it’s either going to break the build or it’s going to run to completion and not find anything wrong and it’s going to stop the scan. And then the if always, it’s just telling it, stop scanning, don’t scan. And definitely, and we have a thing you might want to see here: we have a 20 minute interval, and so it times out after 20 minutes. This is because you have to pay for GitHub Actions time. And so imagine if you’re running like five scanners and then they just like went on forever and you didn’t notice. It could be a really expensive cloud bill for you. And that sucks. So. You might notice here, breakpoint is set to high. I want to set this to medium. I’ve decided. I’m not sure how I feel and I don’t want it to go and break only on a high. I want to break on a medium, so all of us are going to edit this code together now. So let’s go up here and we’re going to click this edit button. So again, I’m just going to put this here so you know where I am. And I’m going to put this for everyone to see. So you should be here. And we’re going to click the edit button.
So click edit. And then we’re going to scroll on down here to where it says high. And we’re going to type the word medium. So I want to break on a medium issue. And then I’m going to click Start Commit. So I’m going to, wait a second, and I’m going to just like change breakpoint to break on medium. So remember, so we scroll down to the bottom, the very, very bottom. This is the very bottom of the YAML code, breakpoint, and change high to medium because we want to break on medium. Is everyone doing okay with this? Because then we’re going to click the start commit button and then I’m going to throw my first curve ball. Yes. So. I’m going to write Break on Medium. Crawl Crawler. You can write whatever you want. But as my boss at Microsoft told me, you can’t just press commit changes all the time, Tanya. You actually have to comment like a real dev. And then I laughed at him and I was like, Devs don’t comment all the time. And then he said, You have to be the ideal dev if you are a developer advocate. And I was like, That’s true. So we’re going to click commit changes and then what’s going to happen? Nothing. Nothing’s happening. But what should be happening is a GitHub Action should be running. That’s what should be happening. So let’s go click over here at Actions and see what’s going on. I hear someone has unmuted themselves. Do you want to talk? So now I understand my workflows. Now go ahead and enable them. So now they are enabled. However, they’re not going to run. Because we didn’t do anything, right? Because it’s too late. Oh, tell GitHub, No, I don’t want to give you feedback right now. That’s inconvenient. So where does this fit in the pipeline? How do you automate this? Kemba, I am so about to show you this. So let’s go back to our code. And let’s edit our README because it’s easiest to edit the README. So again, we’re in code. The README should just be open like this and we’re going to click the edit button.
And I’m going to put the number sign so that it’s a comment and it’s going to say, Tanya was here, exclamation mark. And then I’m going to go down and my commit change is going to say, Tanya was here, and I’m going to commit these changes. These changes are going to the crawler branch. Remember, we have three branches: one’s for scanning the API, one is for scanning with a HAR file and one is for scanning with the crawler, and we are about to crawl. So I’m going to click the commit changes. I’m hoping everyone’s with me and I didn’t go too fast. So we’re editing the file. You can put in whatever you want to. It could just be a space, and then we’re going to commit the changes. You can put whatever commit comment you want. We’re going to click commit changes. And if you remember our code and our YAML file, it said when you commit changes, it’s going to run our workflow. And the workflow is the automation. The workflow is the CI/CD pipeline and we’re going to go watch that run. But there is a question I need to answer first. In essence, all GitHub Actions is doing is creating a Docker image to run the CLI. You can always change the target on line 39, right? Yeah, you can change whatever you want to. You can’t change the stuff inside NeuraLegion’s repo, but you can just do whatever you want in yours. And if you’re gutsy like me, you might even send them pull requests, because I do that sometimes and I make issues and things. And so, yes, you can change whatever you want to, and I think that’s pretty good. I like it personally. So let’s go see our Actions run. So again, in the code section is the workflows, and this is the YAML file with the actions, like the things it’s supposed to do, but this is it dynamically running. So let’s go click here and then you have to click on your comment, which is why I made a good comment, because I have made this mistake before where it’s like, README file, README file, README file, README file.
Did we change another thing in the code? Expect the medium. So I checked that in before we ran. So the only thing we changed was to run on a medium. Okay. Okay, so let’s look at our results. So to see your results, you go to scans. If you don’t see anything here, you click refresh. And then see, one issue, four issues. So let’s go check it out. So you just click on it and it’s going to show us all the stuff. So. Status stopped because it had a medium, so it didn’t get to complete all of its scans. See how it’s like, I didn’t even get to finish? We have a whole bunch of notifications here. It’s telling me a whole bunch of stuff, but I would rather look through this part than look at the notifications, personally. So let’s start. So activated modules: DAST. So remember, there’s also the fuzzer. We did not fuzz. Discovery types: Crawler. So remember, we’re having it crawl and click each link, so it’s very slow. Elapsed time, one minute and 11 seconds. So that’s pretty fast. It scanned the Juice Shop version that we had running inside of GitHub Actions. It discovered 20 entry points. So that’s pretty sweet. It didn’t discover any parameters because it didn’t get to complete its 137 requests, and I guess it did 1.9 requests per second, which sounds pretty darn good. And then, although a note, questions are good. So these are the settings that we set, remember. So this is when we started the scan. This is what we told it to crawl. These are the tests we told it to run. So we wanted it to do four tests. Then, did we do third party tests? No. Did we do business logic tests? No. And so these are all of the things that we told it to do. So we also told it specifically to look at the URL queries, the URL fragments and the body. And then this is the repeater we told it to use. So let’s go back to this, and then progress. It didn’t finish, and that’s okay. The runtime notifications, I don’t want to read that.
We could read an engine log if we wanted to, but mostly I’m just like, Tell me what happened. That’s what I care about. So we can see it discovered a whole bunch of different pages. And that’s nice. But again, I just want to see the results. Look at this. So let’s go back to our code. So everyone, let’s click here on code. And let’s go to workflow. So again, we’re going to code and then workflows. And then I want to make sure that everyone edited this, and that they actually put medium. So for anyone that’s stuck on issues, is it because you did not put medium and you put high? Because the crawler is so slow, because it’s supposed to be. You did, but still. Oh, you, Val, that sucks. Okay. Hmm. Yours is on medium. So everyone did the right things and stuff is just being weird. I am sorry this is happening. So you fixed yours by rolling back the change you committed in the README file. Oh, interesting. Okay, everyone try rolling back the change in the file and see if that works. So how can I do that? Let’s go to my code and then let’s go to my README file. And then I see that there is a history and I’m like, Oh, I regret this decision. Oh, but it’s verified and it’s committed. Honestly, I forget how to, like, roll that back. README version. You. Oh, yeah. Here’s a poll. Are you stuck? Okay, so we’re very close to 50/50 and, hmm, okay. So it would look like 70% of us. We’re like 68%. Oh. Like a pretty good amount are ready to go on. And so, yeah. Is it not going to start a new scan? So how about this? I’m going to show everyone how to kill their scan, and we’re going to do a faster scan. So let’s kill our scan. So I’m going to end the poll. And thank you for running the poll. So let’s go into NeuraLegion and let’s go into scans. So if you still have a scan running, you can click stop. So everyone whose scan is just still running, still running, click the stop button. Because I don’t want you to all just have to wait and not get to do the next step.
And we’re going to try to figure out why it was doing that. But so everyone, we go to scans. This is here, you click on your scan, and if it’s running, you click stop. I can’t because it says it’s queued and the option is not enabled. Oh no. Oh, okay. I am not sure how to help you, Dieter. And you, Val. Oh, you can just delete it instead. Okay. Do you have the delete option? If you have the delete option, delete the scan. Perfect. Delete it. And then let’s run another scan that will be way shorter and hopefully we’ll get everyone on board. Okay. Oh, good. Awesome. Awesome. Okay. So let’s go back to our main code. So we’ll just go here. And then I want everyone to click HAR file. So again, we’re going to go code here. We’re in our example actions folder that we forked for that project. And then we click code and then we have clicked HAR file, which is the second one, for HAR file, as a reminder. So QA teams make a lot of awesome HAR files. So you want to be good friends with your QA team. And basically it’s where they have used a browser and a tool to record them using your product, and then they save it as a HAR file, the automation of it running. And so it has all the discovery points and everything in it. And then we feed that in to NexDAST and then it knows what it’s doing and it’s like, I’m awesome. So. So then it’s going to run way faster than the crawler. However, we have set this one, so let’s go look in our workflows. You don’t have the HAR file. Okay, so for you, Val, did you click in the branches? Do you have multiple branches? And then can you click here for the HAR file? And then, then do you see the HAR file here? So everyone should have one called Juice Shop HAR. You’re all good. Okay. Perfect. Okay. So let’s go and check out how the workflow is slightly different. So we clicked on workflows and we’re going to click on the YAML and we are in the HAR file branch. And so if we come down here.
It is still set to medium, but we’re going to change this to high, and then we are just going to look for one test. So we’re going to change this back to high and we’re going to change it so it just does the DOM XSS test. Hopefully we’re going to find something fun.
Speaker 2: Let’s hope so.
Speaker 1: So some of the time it runs and some of the time it doesn’t, because Bjorn is amazing and he keeps fixing stuff on us. And I mean that as the highest compliment, even though I’m like, Damn it, we just found something cool. And then he fixes it. It’s like he’s on to us. So again, we are in the run YAML file and we’re going to click the edit button, and we’re going to fix, we’re going to make two changes before we check it in. So scroll right down to the bottom. And then we want to take medium and we’re going to change it to high. So. So breakpoint at high, because we did find a token and that’s cool, but we want to see if we can find a high thing, and then we’re going to come up here to the tests. So this, I’m just going to scroll up so everyone can see. So this is in the section of start NexPloit scan. And we’re going to just, we’re going to delete cross-site request forgery. We’re going to delete looking for secret tokens. Oops, I’m ruining the spacing, Bar is going to be upset. Then I’m going to delete the security headers. So then it’s just going to say tests and DOM XSS, but like a good little dev, I’m going to put this backslash here so it looks pretty, because it kind of bugs me if my code’s all a mess. So. What this means is continue this command on to the next line so that it looks nicer and it’s easier to read, because all of that smushed into one line is really hard to understand. So we put it into a bunch of lines, so. And. Oh, yeah. So. The reason why we chose a certain version of Juice Shop is because Juice Shop keeps getting fixed by their amazing team. And so we wanted to choose an old version to make sure it would have problems. And I’m looking and I’m forgetting where it’s choosing the exact version. Oh, here it is, Juice Shop right here in front of my face, specific number. So we chose a specific version, a specific number, because the newest one is fixed and it’s not fun to run a scan and have nothing work.
So as I recall, as a reminder, just one test, DOM XSS, and we’re going to break on high. And so I’m going to click start commit and I’m going to say break on high, just one test, DOM XSS. And I’m doing this because comments help me remember what I did. So I’m clicking commit change. Now I’m going to go click on Actions. And so Tanya was here, remember, that broke because we found something, and now we’re on break on high. So let’s click in here, and to see it run, we have to click here. I’m kind of confused why it doesn’t just show you this immediately, because I can’t see any human ever coming in here and being like, Yeah, I just want to see a yellow circle. Obviously, I want to see what’s happening. I don’t understand that UI decision. I have lots of friends that work at GitHub. I should be like, Hey, you know what I would like? They’ll be like, Tanya, we didn’t build it only for you. So it’s doing its thing. But what we really want to see is we want to look in NeuraLegion. And we want to click our friendly refresh button. And we want to see when this comes up. So if we go back to GitHub, we see it’s docker-composing up, and so it’s putting up our Docker image. And then it’s going to sleep 10 seconds. And we do this because Docker needs 10 seconds to load. It’s somewhere between seven, eight and 9 seconds. But 10 seconds means it always works. So we sleep 10 seconds and then it’s going to start the NexPloit scan, and as soon as it gets to waiting for scan, as soon as it gets to waiting for issues and polling, let’s go back into NeuraLegion and let’s press our favorite button, the refresh button. But let’s see what’s happening. So. And so that’s why it’s waiting. So maybe it’ll find it, maybe it won’t. But I want to look back at my code for a second. So in our HAR file. So. I go to HAR file. And I open it. That’s cool. Thank you for. Sure. I want to see which URL we told it to go look at. So it’s looking at the Juice Shop main page.
But I believe that there is an about page that it might work on. So let’s try pointing it there and see if it finds it. And let’s run the scan one more time, and then if we can’t find it, I want us to scan APIs because I don’t want to just spend the whole time waiting. So I’m going to run this and see if I can find it. So let’s click. So again, we’re in code. We’re in the HAR file branch. Remember, there are three branches. We’re choosing the HAR file one, then we’re going into the HAR file and we’re editing it. And the part we’re going to edit, so we have to scroll down. We’re going to scroll down to line 30 and we’re just going to add the word about. That’s it. So we’re adding the word about because I think that the about page might be not really super secure. And then I’m going to commit my changes. So I’m going to put, Pointed to about page, and then I’m going to click commit my changes to this HAR file. Someone put about or aboot. We have to spell it correctly and not spell it in Canadian. Uh. Oh, my God. It’s so good. Okay, so. Okay, so now this is going to be running. So let’s go look at our Action and we’re going to see it start. So point to the about page. So I’m allowed to run more than one. So it can run both at the same time. So I’m going to click here to see it run, because I don’t just like the yellow circle. So eventually this is going to come up and it’s going to get to the good part where it says waiting and polling. So we want, on this part, Start a NexPloit scan. And so. Why is it always in queued mode? Is anyone else facing this issue? Chris, I don’t know why it’s always in queued mode. I’m going to show everyone, just, I’m going to repeat briefly what I edited so that someone can catch up with us. So I’m going to go to code and then I’m going to make sure that I am in the HAR file branch. And then I’m going to go into the HAR file itself. So hopefully I’m answering this live, so hopefully the person can see me. So we’re going to go into the file.
We’re going to go down to line 30. That’s here, and we’re just going to add the word about. And then so you would need to click the edit button, but I don’t want to edit it again because I don’t want to send too many results at the same time. And then you just add on line 30, just add the word aboot, but really spell it correctly, not Canadian. And then you come down here and then you commit it, and then it’s going to start up your Action for you. So now we’re on waiting for issues. I’m going to show my results to everyone. And it’s not finding anything yet, but it’s still running. So we’re going to let it run the whole time. But while we’re doing this, I want to show you a few slides about DOM-based cross-site scripting, because I’m not sure if we’re going to run it, but I still want to tell you about it because, one, I made really cute slides. Those slides again later. So let’s hit refresh and see if it found it. It might have found it. No, it didn’t find it. That’s okay. Sad face. So this is good and this is bad. So we didn’t find anything. And that’s good, because Bjorn and his amazing team of volunteers at the Juice Shop group fixed it. It’s kind of sucky for us because I wanted to demo that, but I didn’t want to, like, break Juice Shop to make it happen. Do you know what I mean? We don’t want to fake it for you. We only want to find genuine vulnerabilities. And so this is what we’ve got. But we have a few minutes left and I’d really like to do some API scanning, so let’s do that. So let’s go back to our code in GitHub. So back in GitHub and we’re clicking on our code. And we are going to now pick the branch that says Swagger. So Swagger is basically a way to define an API. It’s the OpenAPI protocol and you make a Swagger file. And I have to say Swagger files are actually beautiful. Thank you, Shiva. Swagger files are actually super gorgeous. If you see one, it’s so much prettier than SOAP, and I like it better.
I’m sorry to anyone whose feelings are hurt that really likes SOAP. I just find the OpenAPI protocol so much easier to understand and work with. So we’re in our code and we’ve clicked the Swagger. And what I want to do is I want to edit the README so that we kick off a scan. So this is only going to scan the API from Juice Shop. It’s not going to scan the rest of it. And so this means there’s no web front end that we’re interacting with. And so if we look at the Swagger YAML file, basically, our friends at NeuraLegion made this for us. And this is so it can read, see this? It’s reading b2b and then v2, which is where the definition file is. So you would need a link to the API in order to scan it. I heard just some noise, but I guess it’s fine. So title, so new and secure JSON-based API for enterprise customers, deprecated previously offered XML-based endpoints, and so. I could go through this. But basically this is the stuff that is from Juice Shop. Please correct me if I’m wrong, and because we don’t want to write their API, we want their YAML file and we have this so that we can scan it. And so let’s go back to the code. We’re going to make sure we’re in the Swagger branch and let’s edit the README so that we can do something cool. So I’m going to say here, Run your scans, APIs, and then I’m going to go down to the bottom. And I’m going to say, Ruined the README. It was so nice before Tanya got here. And then I’m going to click the commit changes button. Oh, it’s nothing. Make it shorter. Well, tough. Who here is with me? How is the Swagger file created? Oh, that is a very good question. Um, Bar or Art, would you like to answer that? Because I would say the devs do it, but I want to let Bar and Art answer if they want to.
Speaker 2: Sure. So a Swagger file is usually created automatically from the development framework. If we’re talking about the more common development frameworks, like, you must know Angular or React or Ruby on Rails or Django. All of those have their own methods to automatically describe the APIs you’re building inside your products and then to export them in this kind of file. Now, Swagger is also called OpenAPI, so maybe you know it better by that name.
Speaker 1: Yeah, the OpenAPI protocol, but then we call it a Swagger file. I know. It’s weird. We want to see our stuff running. Wait. We want to go to Actions. And then Ruined the README. And then we’re clicking here. And it’s still docker-composing up. So it’s doing its thing. And then once it gets to start a NexPloit scan, then we can come over here. We’re going to go to scans very briefly while we’re waiting. I want to talk about the results from our first scanner result. So it actually found things. And I want to talk about these results just for a minute. These results are the things that help you fix your tool. These are the things that help you make sure that your code is actually secure. And as you can see, there’s a secret leak. So if we click here, it tells us exactly where the leak is. So it’s unresolved. We haven’t fixed it. And you can assign a person if you want to, but I can only assign myself. Obviously, I want to make Barr fix it. That’s what everyone does. We make Bar do all the work. So details. So the engine detected a clear text API token that should not be available to the public. This is very bad. If your app is doing this, you need to fix this immediately. The fact that it tells you where it is in the code, the fact that it explains how to fix it, is really helpful. So additional information. So it looks like it’s a gooey app client ID because the token type is that, so I’m pretty sure that’s what it is. And obviously, of course, we will explain this to the Juice Shop folks, because I know that they actually want to make scanners not be able to find things. And obviously all of you are ethical security people. So when you find problems and things, you report them. And this is why we’re scanning an old version of Juice Shop, because Bjorn’s team wants to make scanners not be able to find stuff. And they want you to have to do manual security testing on their really, really fun shop. So there’s additional information.
And the way they did it was basically they just did a GET on this, and then it was asking for an API key and it was giving it one. Disconcerting. Oh, also there is always a link here on all of the pages where it’ll bring you out and tell you even more stuff. And for some of them, NeuraLegion has built their own articles and their own code samples, etc. to help you fix it. And then some of them, they’re like, everyone always has this problem, like we can give the same advice that every single other tool gives because it’s really good advice. So it kind of depends on the things that you’ve found. So, oh, I’m going to mark this resolved. Ha ha ha ha. Look how awesome I appear. So let’s go back to my scan results. And then, so I pretended that I fixed it. And then we’re missing a security header, which is obviously, so like, I am a big fan of security headers. I think they’re really important. It’s like one or two lines of code that helps you in case of an emergency. I know that a lot of people, a lot of devs especially, are like, Oh, we don’t need it, but it’s another layer of security. So if the crap hits the fan, you make sure you have an umbrella: making sure that you’re using a Content Security Policy header, making sure you’re using Strict Transport Security. I don’t really advise on the X-XSS-Protection header anymore. It’s sort of being phased out. I would argue it’s deprecated. So like you can just accept the risk of that warning if you want to. And then misconfigured Access-Control-Allow-Origin header, again, like you want your access control to be really strict, and although it takes time to fix those things, it’s really, really worth it. Because having two layers of defence, so really good code and then on top of that security headers stopping things from happening, is really important. Content Security Policy header.
If you have it listing all the resources for your app really, really locked down with CSPs, what you can do is that then you can like. So if you were vulnerable to DOM based cross-site scripting, like the first thing that any malicious actor does, they’re like, Oh, you have access. Great. They always call out somewhere else to like a huge script because generally you’re only going to allow this much and not pages and pages. And so they call out and then the CSPs will stop them from being able to do that. Security headers are very important. Second layer of security for your app. It’s like wearing a seatbelt in a car. I mean, not pretending your car is a bumper car is the number one way. Like good driving is the number one way to protect your car. But having a seat belt is in case bad things happen. You’re ready for it. So I will get off my high horse called security headers and answer the question. Okay, so error process complete with error code one. Oh, okay. So let’s go look at that. Having problem with the first can with timeout issue and repeater status is still disconnected. Uh oh. Okay. Let me go to my scan results and let me see what my scan is doing. So it is running the scan on the swagger file. It’s at 3 minutes and 35 seconds and it has found my missing security headers. It doesn’t have the API token in this API, so that’s why we’re not going to find that. All right, let’s check out our scans. Oh, well, there’s all sorts of other tests. I feel like a super duper duper test would be good. Okay. Broken Crystal is awesome. Oh, look how many things we found. Okay, so let’s look at the shop crawler and see. Oh, 349 requests. Sweet. Wow.

 

Speaker 2: About Broken Crystals. Make sure to apply more tests if you want to see more exciting results, because I think in our default we have only the security headers and the DOM XSS. But there is much, much, much more there. So you are free to just add all of those.

 

Speaker 1: I’m running another test now. I like what I can play more. So. Edit. Okay, so the parts where we choose the tests are near. Here they are. So. Paste, and ruining our beautiful line, so. Oh, but no, no commas, everyone. It’s really important you don’t put the commas. So it just is a space in between. So remove the commas. Actually, how about I do this? I’m going to do a slash and then I’m going to put enter. Is that okay? Should that work for my... cool.

 

Speaker 2: Wait, the two. So the tool, like the two dashes. I think that’s not an...

 

Speaker 1: Oh, that’s the different test. Yeah. Yeah, it’s different.

 

Speaker 2: It should be like the either.

 

Speaker 1: Okay, cool. And you had RFI. RFI twice. So I guess, like, you really, really want.

 

Speaker 2: To find it, so. Oh, so one was RFI and one was LFI.

 

Speaker 1: Oh, it was. Oh, Oops. It looks like they’re both RFI. But they were.

 

Speaker 2: RFI. Yes, it...

 

Speaker 1: Was my turn. If we want to find the stuff. So I’m just going to... Oh, and also I’m going to put that lowercase. Oops. So I’m just going to copy and paste this into the chat in case anyone wants to just copy and paste it with us. So you can just copy that if you desire. So now I’m going to call this all the tests and then I’m going to put Broken Crystals so we know what we’re testing. Oh, Tanya, spell “crystals”. There we go. So I’m going to commit changes. And then we’re going to see that run in a minute or two. So let’s look. Oops. No, not... I want to look at my scans. So. Oh, so we’ve already found more things in the crawler of Juice Shop. Oh, questions. Starting the crawler again by editing the README, the first one stopped on “wait for issues API test error: process completed with exit code one.” Is there a doc that describes the different tests to run? Oh, that’s a good question. Bar’s there. Is there a document or, like, a link on your website to all the different tests that there are and what they mean?

 

Speaker 2: Good question. I think there is. Just getting us the link right now. They can also just start a new scan on the UI if they want. Right. And that will show them all the tests with explanations. That’s true. Just clicking on the new scan, just click your scan without the CLI.

 

Speaker 1: Tanya.

 

Speaker 2: And click on to.

 

Speaker 1: Scan tests.

 

Speaker 2: We’re there now. There you go.

 

Speaker 1: Ooh.

 

Speaker 2: Each of them has an explanation with the “i” next to it.

 

Speaker 1: Nice. Backup listing: tests if backup files are accessible. Ooh, we don’t want that. Let’s look through some of these. Well, I’m stalling a bit. But O’Brien still seems to be stuck. Can someone reach out on the Discord and help make sure that they get to run the scan, because they’re still on “process completed with exit code one.” Or then, can you copy and paste into the chat, like, what... which parts did you do? And maybe we can make a scan together. So, no open questions. Um. Because I want, I don’t know, I want everyone to get to do a scan because it’s fun. Cookie security. So did you turn on the Secure header or did you turn on the HttpOnly header? HTML injection. DOM. Local File Inclusion, guys, and then Remote File Inclusion. Okay. Oh, Baynes is going to copy and paste some stuff for us so we know what’s going on. This is sweet. This is sweet. Business logic test. Proceed anyway. Yeah. Darn right. Third party tests. Oh. Oh, yeah. Let’s do it. Not all the tests. Additional settings. Concurrent requests. Hmm. Smart scan. So the smart scan means that they’ve added a bunch of logic to the scanner. And so when you click the smart scan, it uses the logic and so it makes better decisions. Skip static parameters. Bar, why would we want to skip static parameters?

 

Speaker 2: Why would we do that? So static parameters usually just waste our time. For example, most of you might have noticed that some JavaScript files have at the end some kind of a version equals and then some kind of a number. And whatever you do with this number, you can change it and change it, but nothing will happen because it’s just, like, a static parameter that may be only relevant for analytics or maybe for log analysis later, and there are a lot of those types of parameters. So skip static params means before we start scanning, we’re validating each of those parameters to see if they make any change in how the application behaves if we play around with them. If it does, it will be attacked. If not, then we just skip them to save your time.

 

Speaker 1: So. Oh. Baynes sent me, like, their settings that they had. So they’re in the crawler and, like, they’re breaking on medium. So they should be finding a bunch of things, like it should be breaking, and their tests were the four tests, like the original four. So I don’t think it’s that they’ve changed something. I think something else is wrong and I’m not quite sure. Could you reach out?

 

Speaker 2: Yes, sure. Are they on Discord obeying?

 

Speaker 1: Are you on Discord? So. Oh, mine is in the chat for sure, because we’re chatting.

 

Speaker 2: Just.

 

Speaker 1: Oh, yes, as benzie. So B.

 

Speaker 2: O.

 

Speaker 1: And z, y.

 

Speaker 2: Z and chain.

 

Speaker 1: Okay, cool. Thank you for helping us understand. Oh, okay. So I want to go back to here. I’m going to cancel and not run this. So we see. So basically, like, usually before you put something in the CI/CD you always manually scan the thing, right? Because you want to make sure the tool works and you want to make sure that you find the stuff and you’ve configured it correctly. And so, like, in my CI/CD I would probably just scan for the things that scare me the most, so it goes really fast, and then I would schedule. So down here, schedule, I would be scheduling a recurring scan on a regular basis and then I would want to have those results, like, if there’s highs, I would want to have it, like, alert me right away that there’s something scary happening. Like, you definitely want to do continuous scanning. So, like, scan less in your CI/CD because you want to go fast and then scan everything, like, once a week at least, because being able to just, like, choose a schedule, that’s honestly, that’s really sweet. Okay, but let’s look at my scan results. So Broken Crystals, we got some problems, yo. So first, let’s look at Juice Shop. Because it found six. So it found more lows than before. It just found more instances of it, didn’t it? Let’s see. So we saw those ones before. Missing X-Content-Type-Options header. Missing X-Frame-Options header. Bar. Oh, poor Juice Shop. So let’s go back to our scans and see what’s going on with them. Broken Crystals. So this is with fewer tests. So we just did four tests, if you can see. And the other one, we’re doing a whole bunch of tests. So I want to look through these results and then I’m going to look through the other one. Okay. So let’s look at our results. So first of all, it found that there... Oh, it has two. Oh, it has GETs and POSTs. I see. I see. So these are... Oh, interesting. Because these are GETs and POSTs. Assets, forms, JavaScript. Under. Vulnerabilities, guys. 
You won’t find the vulnerability folder on a regular app, just to be clear. By the way, I’ve enabled you to go... Oh, also, like, we can do just, like, a regular scan. So. Okay. So, um, let’s set up a new scan, like a direct scan, because it’ll be faster because it’s not going through GitHub Actions. Broken Crystals direct scan. And we’re going to do crawler, right? I don’t have a HAR file already. Ignore regex? Nope. So scan template. Now I don’t have a template.

 

Speaker 2: Yeah. No. No need.

 

Speaker 1: Yeah. Do we? Yeah. We want to do everything.

 

Speaker 2: So go to the scan test and let’s just scan everything.

 

Speaker 1: Oh, that don’t. And then so I’m doing all of these, but I also want to do business logic, and I also want to do third party tests, because why not? And then scheduling. We’re not scheduling it. We want it now. And then additional settings. So concurrent requests ten, that’s reasonable. We want to do the smart scan. We want to skip static parameters because those are boring. They don’t change.

 

Speaker 2: Let’s add the URL path.

 

Speaker 1: Cool. “You have turned your URL path and headers on and it significantly increases the attack surface.” Yeah. Obviously we want to do that. Additional host. No, those are enough hosts. Shall we run? Do we need to select a repeater? No, because we’re doing direct. We don’t need one. Let’s do it. Oh, bye, Andrea, thanks for joining us. Okay, so your X scan. But I want to look at this one that was doing the full scan while we’re waiting for that to start doing results. So if anyone has specific things you want to see, that’s cool. But otherwise you’re just going to keep seeing what I want to see. So I like seeing all these tests running. That’s right. Do my bidding, destroy my stuff. So, so far, unauthorized cross-site request forgery, form method POST. Bar, remember when I was asking about unauthorized cross-site request forgery and we were discussing it? Do you want to tell them about why it’s called unauthorized?

 

Speaker 2: Sure. So unauthorized means that there is no authorization playing a role here. So it doesn’t matter if you have a cookie or not, or an authorization header or not. It’s basically just some form that does not have CSRF protection. This means that it’s usually also maybe a bit uninteresting. That’s why it’s low severity, but it can still affect users and that’s why you should make sure that forms and other parameter-based entry points have protection against CSRF.

 

Speaker 1: Yeah. So, like, if you’re doing a transaction on your site, you probably want the people to be in an authorized state. So you might be finding that there is a problem, that it’s not passing a cookie, like you don’t have a session going. So usually you would have a session going if you’re doing a transaction, but sometimes transactions happen in their kind of... okay, if that makes sense. Like it’s unauthorized. So let’s say I’m putting... So let’s say, this happened recently where I was like, oh, I’m going to buy cool seeds because I like gardening. And my mom sent me this really cool site called Rare Seeds. And so I was just putting lots of things into my shopping cart to see how much it would be because I buy too many seeds. Other women buy shoes, I buy seeds. That’s okay. And I wasn’t authorized yet because I hadn’t made an account yet, so I wasn’t logged in. But I did have a session going and so it’s like if someone was impersonating me, it’s not really a security issue. Like, worst case scenario, it’s going to empty my shopping cart, which, by the way, it did. And I was pissed. Then I made an account and I was like, they’re awesome at farming and they’re not great at session management. It’s very sad to have all my stuff, like... because, like, I spent a lot of time deciding which seeds I wanted. So yes, that is great. Thank you for explaining, Bar. So then it’s also saying you’re missing a bunch of security headers, which we’ve already discussed are not good. And then what else? So there’s... It says page six, six of six. I want to just show me all of them. Yeah. Because it’s showing me... Oh, now it is showing me one, two, three, four, five, six. So that’s good, actually. So it’s just another security header that’s missing and they’re all low. So let’s go back to our scans and see if there’s anything that’s more exciting. Oh, wow. 
So now, remember, we’re doing a direct scan so it will be faster than doing it in the CI/CD because it’s directly from their cloud to their cloud. So that’s as fast as you can do it. And so in this one, as you recall, we’re doing a whole lot of tests, like we’re doing way, way more. And so it has done a lot of requests. That’s awesome. And we found mediums. So I’m very excited by this. So let’s show... Oh, it’s showing 25 items per page. Perfect. So medium: CVE, CVE, full path disclosure, and default login location. So let’s start with the first one. So this is a 2020 vulnerability. See how it says CVE-2020. So that means it came out this year. So it’s a during-pandemic vulnerability. Okay, so let’s see what’s going on here. Can it tell me more if I click on it? Well, tell me more. Issue. Overview. Good. Loading up. So regex, and, oh my gosh, jQuery. I’ve had so many vulnerabilities with jQuery. So regex in its jQuery htmlPrefilter sometimes may introduce cross-site scripting, so that’s pretty crappy. Make sure to update the component to its latest version or at least the latest stable vulnerability-free version. Grammar. Grammar, Bar. Bar’s like, I’m ignoring you, Tanya. Known and public component vulnerability. So possible exposure. Yeah, it’s known. If there’s a CVE, that means anyone can know about it. And it also means that it’s a lot easier to exploit because there’s information available on it. So updating jQuery is your best bet. Also, like, jQuery is just, like, so many bad things happen. No, I’m not going to mark this resolved because I am not actually going to resolve it. I’m not going to state that right now. That sounds like a lot of work. So let’s look at the other one. So these are two right next to each other in the sea of land. I wonder what is going on with that. So let’s look at this. Dun dun dun. Very similar, but in a... I wonder if this isn’t a slightly different section. This looks like it’s the same one. I thought we clicked on 23, not 22. 
Let’s look again. Let’s go back. Scan. So, issues. Oh, yeah. So the first one was 23. Because it’s weird, because it looks like, like, the vulnerability it’s explaining...

 

Speaker 2: Oh, most likely the story behind it is that they fixed it in the 22 and then they... it was either bypassed, like the fix was bypassed, and it just had the same issue again.

 

Speaker 1: Oh, my gosh. I so see that as definitely true and happening.

 

Speaker 2: By the way, for high severity.

 

Speaker 1: Nice. Okay. I want to go look at those now. Yeah. How many people do we have left on our thing that are real attendees? Because I want them to see. Okay, let’s look at the highs. Highs. Command injection. Hi, Hata. Thank you for staying. Let’s look at OS command injection, because that is bad. OS: operating system. Command injection. Ooh, very bad. OS command, cat password file. That’s very bad. Oh, hi. Oh, fine. Thank you for saying so. During command injection, the software that constructs a system command, usually using externally influenced input, does not properly neutralize the input from special elements that are able to modify the initially intended command. Thumbs down. Bad user input. Bad user input validation. So this occurred when injecting bin... So this is a password file that you don’t want anyone to get. So we definitely don’t want this. This is very bad. So suggested remedy: assume all input is malicious. Um, yes. I literally just recorded a story time episode about this. All input is malicious. Don’t trust anyone, not even your mom. And it’s a story about the time my mom sent me a virus by accident. But the point is, is, like, any input should be validated before you use it, and it needs to be known safe. Need to reject all stuff that’s so bad. Oh, so they just removed uptime and changed it to show me the stuff I want. So evil. Bar, so evil. Welcome to Broken Crystals. Oh, I love it. Let’s go back and look at some of the other stuff. So. Down, down, down, down, down, down, down, down, down. And 2019. Oh my gosh. I had trouble with Bootstrap as well in 2019. So let’s look at this. XSS in data-template, data-content and data-title. So because there’s three, they get to be a high. Properties of tooltip, popover. Oh my gosh. And it’s not even, like, mandatory, super important, valuable features. It’s the tooltip feature. 
So make sure to update the component to its latest version, or at least to the latest stable vulnerability-free version. Known and public component vulnerability. Very bad. So component: Bootstrap. I have a video of me updating this and I swear a lot in it. So XSS in three different parts. Oh, gosh, that’s so unfortunate. I’m glad someone found it. And so then I could fix it. I literally had this exact vulnerability in the DevSlop project, in our Azure website that I made so that we could do awful things to it. Oh, wow. Okay, so let’s go back to our scan and check out more issues. So there’s four highs, but three of them are the same one. So three are command injection. Cool. And we’re showing...

 

Speaker 2: All the new HTML injection ones.

 

Speaker 1: Oh, cool. So normally you don’t get to have your own person from NeuraLegion helping you with your scan. Just to be clear, you don’t get to rent a Bar just because you want one. It’s way better, though, just to be clear. It’s, like, way more fun. And sometimes they send you cat memes, just saying. Okay, so HTML injections. So this means injecting some HTML into places where you should not be able to do that. Hmm. Let’s look. HTML injection allows an attacker to inject certain HTML tags in a vulnerable parameter, and this happens because the application isn’t properly handling user-supplied data, which is another sentence or way of saying user input validation. Yo, it’s very important. It’s literally the most important thing. How hard is it to update the Bootstrap? So I found it a bit of a pain in the ass. So I have, there’s a video on my YouTube called Bug Slang and for 4 hours I just, like, fixed bugs because the guest for the DevSlop show had to cancel last minute, but I still wanted to have a show and I knew I had to fix those things. And so I updated from .NET... I updated my version of .NET Core. I updated the Bootstrap and I updated jQuery all at the same time. I can find the video for you if you want. It’s boring and slow, however, it’s really useful. That makes sense. So how hard is it to update? So, like, pressing the update button is never that hard. The problem is that it’s connected to a whole bunch of stuff and it might break one of those things and then you have to troubleshoot that. That’s the part that’s difficult, and updating your framework, because Bootstrap is part of your jQuery framework. And so there might be things that need to be changed in your code so that they work properly and so that everything is still beautiful. And making things beautiful, to be clear, is my super Kryptonite weakness as a developer. All my stuff’s ugly and so I updated it. 
But the DevSlop website was just the default Azure website with our branding put on top of it and I changed the colour of blue to our blue and that’s it. So it didn’t do that much. However, when I updated, I can’t remember, I updated something else and then Microsoft added... what did they add? They added a header somewhere where it did, like, the GDPR warning. And then that, because I had a Content-Security-Policy header and I wasn’t allowing the third party thing to show on my thing and I was calling out to it, it broke all my menus and looked like complete crap for my demos for the next couple of weeks. And then my friend Abel was like, I’ll help you fix it, because he used to be part of the DevSlop project, but then he was really busy and Ignite was happening. So we’re both, like, flying all over the world and pretty indisposed. And so basically my demos looked really crappy for, like, a few months and that sucked. So how difficult is it to update? It depends on how good you are at JavaScript and fixing problems, because I was like, my menu is broken, and he’s like, just turn off the security header, and I’m like, Abel, do not turn off my security header. So basically, like, I had to put on my approved list for my Content-Security-Policy header a bunch of third party things that they had added as part of this GDPR, like, accept this cookie warning thing. And that was annoying. The end. Okay, so let’s look at this more. So all user-supplied data needs to be sanitized. I could not agree with the statement more. I want to share this. I’m going to wear it and point to it. Whenever I have meetings with certain clients, I’ll be like, like, here’s your pentest results. Like, what happened and, like, this. And then it’s like, don’t trust any user input ever. Not even if it’s from your best friend. So it executes unauthorized code or commands and it can bypass a protection mechanism. Yes, it’s very bad. It’s really not good. 
And so they injected a whole bunch of tags, which can potentially... you mark this as multiple vulnerabilities because you successfully injected a bunch of tags, or it’s just, like, it’s one big vulnerability for them to fix. So let’s look at a couple more results and then we’re probably going to wrap up because I actually have to go in 10 minutes because I’m getting my bangs trimmed. That’s right. I have a mask and I’m going to the hairdresser because I literally cannot see like that. Something needs to be done about this. Okay. So total issues, 18 mediums. I like how you’re like, we try not to be too wordy. Okay, let’s look at full path disclosure or default login location. Let’s look at that first. And then we’ll look at full path disclosure, which could also be known as insecure direct object reference if you’re an OCD person. If you have questions, we are nearing the end, so put them in the chat if you have some. So a default location for the website was detected. This is usually used for administrative accounts and its location is pretty darn easy to guess. So use a location that’s, like, way less obvious. Super hidden login. Yes. Implement login throttling and/or temporary account lockout? Yes. That’s great advice. Also, if possible, disable remote login by third party services such as phpMyAdmin. So that’s great advice, actually. Good job. Awesome. So now let’s look at more results, specifically full path disclosure. Oh, so. Oh, my gosh. I want to look at, oops. Full path disclosure vulnerabilities enable an attacker to see the path to a web root file. So what that means is they can try to directly reference that and see if they can get that. And that is quite dangerous. Oh, bye, Ovine. Thank you so much. I really appreciate it. Yes, definitely reach out on the Discord. And thank you so much for coming. I appreciate it. The NeuraLegion guys will definitely be happy to hear from you. Okay. So we don’t want them finding stuff in our root directory. 
We don’t want them finding anything except for our beautiful website GUI that’s fully secure and all of the stuff users are supposed to see. That’s it. And so this is potentially not really great. So detected was /usr/share. Oh, my gosh. We don’t want to show that. Oh, good evening. So, detected system: Linux. Yeah. So the /usr/share folder in Linux. There is a lot of stuff in there. We definitely don’t want to actually share that, even though the folder’s name is share. So found in URL. Detected was that a new fake cookie was added with the same name but with a different value appended to the end of the cookies? Oh my. And it still let it in. Well, that’s disconcerting. Okay. So to fix this vulnerability. So this is the part that we all want to know the most. Disable debug information on the web server’s configuration. Yes. Yes. We don’t want to be giving any information to malicious actors. We want them to try to fingerprint us and find out as little as possible. We want to be more difficult to attack than any of the jerk faces want to spend time on us. Right. Because quite often they’re not attacking you in particular. What they’re attacking is specifically because it’s easy or because they’re trying to generally do a bunch of things. It’s very rare that an advanced attacker has selected you as a very specific long-term target, in which case you need to get to know the NeuraLegion people really well and you need to definitely use the fuzzer. But what we want to be is more difficult to attack than all the other websites they visited, so they leave us alone. That’s generally, for most businesses, good enough security posture. And so we definitely want to disable the web server’s configuration information and then improve error handling and parsing of cookies. And, oh my gosh, yeah. So the exceptions and errors will not leak internal information. 100%, give the least amount of information possible and give information that is specifically helpful to a regular normal user. 
A regular normal user does not need to know about your system files ever. The regular normal user is like, I need to reset my password, Tanya, I forgot it, or I saved the wrong thing into my password manager for Tanya. I need to put more money in my account or whatever. They don’t generally need to know, they don’t ever need to know what your internal files are. Okay. So this is pretty cool that we caught a bunch of stuff. Let’s look at all the scans. Actually, 18 mediums, sweet. Broken Crystals is pretty fantastic. I like it. And briefly, let me see if it’s still in here. I want to just check out what it looks like and then I think we need to do a wrap, guys. Oh, my God. So evil’s floating head, and Bar’s now laughing at me. Laughing. And I know that that is cool. Oh, my gosh, this is the best.

 

Speaker 2: He’s too respectful. He won’t do it out loud.

 

Speaker 1: Oh, my God, I love this. And it’s so lovely how his head’s creepily moving up and down. Oh, my gosh. I love this.

 

Speaker 2: I gather that you don’t recognize the head.

 

Speaker 1: Well, isn’t this the guy from Breaking Bad? Oh, yeah.

 

Speaker 2: That’s the point of the crystal. It was crystal meth.

 

Speaker 1: Crystal meth? Yeah, very... The worst type of crystal. Evil crystal. Oh, my gosh. This is so... I have to say, I’m enjoying how beautiful your totally vulnerable app is. Testimonials. Oh my gosh. I should... Can I put a testimonial of silly stuff? This was the most... I feel like my testimonial should be: this is the most beautiful, intentionally vulnerable web app ever. Also, it’s fun to have Bar laugh at me.

 

Speaker 2: That’s by our marketing team.

 

Speaker 1: Oh, my God. It’s no good. Okay. It is time for us to wrap up. Do any users have any last questions? I want to thank you so much for coming, because there are so many things that you can do on the Internet right now. There are lots of different events on Saturdays and there’s lots of fun things you could be doing, including this fun thing. So I appreciate you joining us. It would not be fun without you. The NeuraLegion people also, really, thank you so much. Thank you, Arthur. Yes, right. Oh, my gosh. This app is so fun. So I don’t think you should ever take this app down. Just to be clear, it’s so great. Thank you so much. I’m going to just put up one more slide for just a second so that you know how to get a hold of all of us in case you need to. Because I think that you might want to visit this website, NeuraLegion, and also mine, which is here. So I have our faces on top of it. So perhaps follow NeuraLegion online because they might be sharing more cool stuff like videos of their brother, and follow me because I’m a nerd on the Internet. And with that, we all want to thank you. I know the guys are being quiet, but they’re really, they’re happy you came. We’re all very happy you came. So thank you so very much.

 

Speaker 2: Thank you. Thank you.

 

Speaker 1: Thank you. And please feel free to reach out to us. Definitely NeuraLegion can send you, is going to for sure send you the link to the video and then a link where probably my slides will just be at that link and it’ll have all the pertinent information and the links for you. And I think that’s it. And you should all still continue to have action, or not action, access to the tool so you can continue playing with it, and the GitHub Action, you can continue scanning their Broken Crystals with it and having fun basically, and try running different tests and see where you get with that. I think we need to close the workshop for today.

 

Speaker 2: Thanks, everybody who joined. Awesome.

 

Speaker 1: Pleasure.

 

Speaker 2: A lot of fun.

 

Speaker 1: Oh, my gosh. Yes. Actually, this was super duper duper fun. Oh, thank you. Thank you. 

 

Speaker 2: Thank you. Thanks, everybody.

 

Speaker 1: Thank you. Bye, everyone.

 

Speaker 2: Bye bye. Bye.

 

Speaker 1: Awesome. Hi everyone. I am Tanya and I am your workshop host and I am co hosting this with NeuraLegion. So they are my startup friends basically. And we started talking about how we could do a workshop and how it could be fun to do one together. And so they have made a really cool product that I have played with a bunch of times. And so I was like, I’m, I really like it hub actions and secede. And they said, We really like scanning web apps and then finding things wrong with them. And I was like, Let’s mash our goals together and then invite lots of people to join us. And so that is how this workshop came to be. And so, Oh, yes, and I’m from Week Purple. And so we are going to get started now. I hope that all of you are on the chat with us. If you have questions, you can post them there or you can go to the discord. So if you are stuck with a technical problem and you need a lot of help, you should probably go to the discord. If you have a quick question in the chat that you want, that is okay with me reading out to everyone, not your name, but I’m going to read out in the chat to everyone what the question is and answer it for everyone. So let’s go. So first of all, I talk about myself so that, you know, I’m qualified to give this talk. This is the thing that everyone does. This is me kind of smirking at the camera and being like, This is weird to do a photo shoot. So I’m Tanya Janca. I have a training company called We Hack Purple. I am known as she Purple. And yes, some of my hair is purple. It’s because I’m a purple teamer. So blue team defends red team attacks and when you just can’t make up your mind. When you do both or when you do apps, you’re often called Purple Team. And so that’s where that came from. I wrote a book, it’s called Alice and Bob Learned Application Security, and I think it’s great and my mom hasn’t read it yet, but she told me she thinks it’s great too. I have been doing tech a long time. 
I’m one of the founders of WoSEC, Women of Security, if you want to meet other women, because sometimes you just want to hang out with other women and then get hair tips, and that’s okay. I am super obsessed with OWASP, the Open Web Application Security Project. I do a lot of things. I’m just basically a nerd on the Internet. That’s basically it. I figured out how to be a nerd on the Internet as a full time job. Okay, next, let’s talk about NeuraLegion, my friends that are in Israel and California. And so some of them are in Israel and some of them are in California. And I am on the West Coast as well. So when we have meetings, it’s always confusing when you book a time. They are developer-centric DAST and a fuzzer. We are just using the DAST today because we didn’t want to make a giant mess, to be quite blunt. That’s it. Yes. My mom has to like my book, right? So they were founded in 2018 and we hung out together in person at this. That’s the first time I met them, just not on the internet. Will there be a session about the fuzzer? I don’t know if we’re going to do a session about the fuzzer. Today we’re just covering the DAST. I know that.

 

Speaker 2: If there’s a lot of demand, maybe we’ll do one about that. So let us know. Talk to us.

 

Speaker 1: Yeah. Yeah. So maybe let Gordie or anyone else on the NeuraLegion team know. I don’t know if you know, but they have a Twitter and I tweet at them and I’m silly. And Bar is on their technical team and you can’t see him right now, but he’s really good at responding with the absolute best cat gifs, just in case you need that in your life, because I do. So they have offices in Boston, San Francisco, London, Tel Aviv and Bosnia. There are 36 people on their team now, which is absolutely incredible for a company that started in 2018. That’s amazing. And they have raised seed funding from top VCs. And for today’s session, do we need our own project to feed the scanner? Nope. We have a project for you. Yeah. So what we’re going to do is we are going to use GitHub Actions to load up Juice Shop from OWASP and then we are going to automate their tool, attacking it and finding results and giving it to us. I love automation. So yeah. And because Juice Shop is intentionally vulnerable. Are we looking to expand into India? So We Hack Purple is actually expanding into India. We are currently translating our first course into Hindi and into French. But I can’t speak for NeuraLegion if they’re going to be expanding into India.

 

Speaker 2: We are doing some stuff there right now. Being me, I’ll post my email on here. Ping me in.

 

Speaker 1: Yeah, you should put it into the chat. So what do they do? So they provide developer focused AppSec solutions, which is why we get along so well, because there are way more devs than there are security people. And so we want to make as many nice tools for devs as we can so the security people can do just the security stuff, and putting it in a GitHub Action or putting it in your pipeline, because it works with a bunch of pipeline tools, is the best. Um, there’s a question in the Q&A, which I will get to in a second. And basically that’s why we get along so well, because they’re like, if we can make it really, really nice for devs, then we can be earlier in the system development lifecycle and then we can get things fixed faster. And also they have a bunch of things inside the tool which we’ll see in a few minutes so that it can help you fix the thing. It’s like, Oh, this is what this is and this is how you do this and here’s some links and here’s some help. And that’s what I always wanted as a dev, as opposed to an email with a report that didn’t have any links or any help in it, like actually having access to the tool and being able to see inside of it myself and to be able to rerun it myself. So it’s like, okay, I did this, I think I fixed it. Let’s rerun the tool. Having to wait for the security team when I was a dev, that stunk. So. Um, question in the chat, so I’m going to answer it live. Is this all about tooling or will we see manual stuff? You will not see manual testing in this app. We are going to do GitHub Actions and we’re going to have to code some YAML, like this much though. Like almost nothing. And so no, we’re not going to do manual security testing. We’re just going to use lots of GitHub Actions and lots of NexDAST, which is the name of the NeuraLegion DAST engine. So I hope I have answered your question. If not, please re-elaborate. 
Okay, so they scan web apps and APIs, specifically REST and SOAP, and then they do mobile apps as well. So that’s good, because we still want to be secure when we use mobile apps. They build scan surface from the very first unit test. What is scan surface? I want you to answer what scan surface is, because I don’t know how to explain that. I believe you mean.

 

Speaker 2: Naturally, essentially all the entry points for the application and anything that can actually be exploited or exposed. That’s the entire surface of how you can get at that. Nice.

 

Speaker 1: So they have a really, really great crawler, which we are going to use, but it’s going to break the build, and then they do CI/CD. And what we’re going to see for CI/CD today is going to be GitHub Actions. And so far I’ve received zero false positives, and that is their promise: zero false positives, actionable results and remediation guidelines. Yes. Oops. Buttons. This is the team. I asked them to take this photo for me. Isn’t it amazing? So these are the faces of NeuraLegion? Yes. So workshop participation prereqs. So do they just use a JS crawler as well, or is it just a scraper? That is a question for GA. So here. So I’m going to very briefly go over the steps of things that you definitely should have done before this workshop: creating a GitHub account, making sure your computer is connected to the Internet, which obviously it is, or you wouldn’t be here. But when I give training at conferences, sometimes that’s not the case. Modern web browsers. So we would prefer that you’re using Firefox, Chrome or Edge. I’m going to use Firefox, and that includes the Firefox Developer version. Either Firefox is fine. A Zoom account. So clearly you’re doing that, and if you said yes to come here, you probably have a pretty good sense of humor. There’s another question: Is there any integration with other tools, Bitbucket, Azure DevOps, Jenkins, Bamboo, etc.? Would you like to put into the chat just how many different CI/CDs your tool works with? Because I know it is a bunch.

 

Speaker 2: The answer is yes to all of the above, but Bar, you can post more.

 

Speaker 1: Nice. Okay. So prereqs. So you definitely all did this before, right? So if you have not done it, go to github.com/join and then join. I’m really hoping you all did this because I’m going to go through this very fast. So you would create a username and password. Don’t tell me. Solve the cute puzzle where you turn the llama in a circle around till its head is facing up. Select the free plan and you’re all set. I’m going. So what is DAST? Because that’s what we’re doing today. Oh, thank you, Dieter. Because you’re so sweet. So what is DAST, right? It’s dynamic application security testing. So that’s what it stands for. But okay, so I’m going to give you a super formal definition, and then I’m going to give you a Tanya definition after. So this is the Wikipedia definition. So a DAST tool is a program, like an application, a piece of software, that communicates with a web application through the web front end in order to identify potential vulnerabilities in the web application and any architectural weaknesses. It performs a black box test, and by black box we mean you can’t see inside. A white box test means you can see the code, and a gray box test means you can see some of the code, but maybe you can’t see all of it. And basically it’s probably a mess, like the testing situation. It’s probably supposed to be a white box, but they wouldn’t give you everything. And that’s fine. I’ll take what I can get. I feel this definition is limited, because NexDAST, which we’re going to play with, actually also tests APIs, and they don’t have a web front end. So how does it do that? It talks to the Swagger file, like the API definition file, and then it’s like, okay, now I see your definition. Now I know how you want me to talk to you, and then it starts talking to it and then looking for problems. And so we’re going to do that today too, because just because there’s no front end does not mean we don’t need to secure it. 
It’s really important. So sometimes DAST is called web app scanning. That’s what I call it. So like this, or for instance, I feel, Oh, no, Scarlett Johansson behind. This is awful. Just imagine her looking ridiculously badass. And then this. I feel this is the best image specifically for NexDAST because of Bar. So more. Oh, there’s a question: without a Swagger file, would this tool be ineffective for APIs? Hmm. That sounds like a question for Bar, because you are able to manually, I know, talk to an API without a Swagger definition file. It’s just awful and painful and not pleasant at all. But I think that this is a question, so I’m going to answer. I’m going to say type the answer. Oops, no, I’m going to say answer live and I am going to assign this question to Bar. So without a Swagger file, I was going to copy it into the chat so everyone can see it. Would this tool be ineffective? I don’t think it would be very effective, that’s for sure. But I don’t know if it would work at all.

 

Speaker 2: You can also use Postman Collections, but I’ll let Bar reply in more detail.

 

Speaker 1: Oh cool.

 

Speaker 2: So I’ll write the answer in the chat.

 

Speaker 1: Okay. So Postman is a tool where you can talk to APIs directly, and so you give it the request and it tries to figure out how to talk to it. And then you can do manual testing and you can send requests to it, etc. But yeah, Bar’s going to answer that in the chat. That’s a really great question. A. Oh, Ozma. I hope I said that right.

 

Speaker 2: Every time you just add one point that it’s not limited to Oz. It gives you your name. Ozzy Osbourne.

 

Speaker 1: Nice. Ozzy.

 

Speaker 2: Important to note that it’s not just REST APIs; SOAP APIs and other formats, we can support those.

 

Speaker 1: So sometimes that’s really important because guess what? When you do AppSec, the devs have no pity for you. If you’re like, Oh my, my tool only covers this, they’re like, I don’t care, I’m going to use the cool tech I want to use. So this is great. Okay, so sometimes it’s called web app scanning, but basically it interacts with your web app as it’s running. So it’s not looking at your written code. Your web app is running on a container, on a platform as a service, on a server or virtual machine somewhere, and it is interacting with your application. If your application doesn’t actually run yet, you can’t use a DAST yet. It will proxy your connection. So that means it wants to be in the middle between your browser or whatever is calling, and then it’s going to talk directly to your API or your web app. So it’s going to send requests and responses or forward them in between, and it’s going to spy on all those, with your permission, obviously. And then it’s going to tell you about what it sees in those requests and responses, and then it will actually send some of its own. It’s going to try to click every link and crawl all around and find every single page. And it is going to look at every one of those very carefully and try to figure out what is potentially wrong with it. It does passive observation, so it will just look at the requests and responses, but then it will script responses and requests itself. Sometimes people call this attacking or scanning. Yes, it’s a lot like Burp Suite, except way easier to drive. So I love Burp Suite, like genuinely, but when I first turned it on, it was so hard to use. It took me over an hour to figure out just how to turn it on. I felt like such a dummy. By the end of the weekend I was like, Did I get dumber this weekend or smarter? Oh, so to echo your question, Joel: Is NexDAST considered a VAM tool? What does VAM stand for? VAM. Vulnerability.

 

Speaker 2: Vulnerability assessment.

 

Speaker 1: Oh, I’ve just never.

 

Speaker 2: Heard of n.

 

Speaker 1: Oh no. This doesn’t scan infrastructure. It scans web applications and APIs. So web applications which are custom built by your team, as opposed to a VA tool like GNAT, like Nessus, which I love. Also, to be clear, Nessus scans the crap out of operating systems. It’s awesome at that. But every operating system is sort of the same. So if Bar has Windows 2008 Server, patched or patched to R2, and I also have that, because we’re both tragic security characters in a novel from the past, we would both have the same security problems potentially. So if his configuration was hardened and mine wasn’t, it’s still comparing the same configuration options, and it’s like, Gosh, Bar has made good life choices and Tanya has made bad life choices. And so that’s what a VA tool does: it generally scans operating systems, versus a person that is running a DAST. This would be like ZAP, the Zed Attack Proxy? Yes. Oh, Ben, very good question. This is in the exact same category as that. It’s in the same category as Burp Suite, AppScan, sticks, Skipfish, Arachni, etc. Okay. So Burp has a jillion, a gazillion extensions. Yeah, it does. And that can be fun. So like, if you’re an expert and you’re a pen tester and you’ve been using it a really long time, it’s like a samurai with a samurai sword, and that’s really cool. However, there are very few samurai guys in this world, and a lot of us aren’t samurai guys, and we still need our apps to be secure. Does that make sense? And so just running DAST, as opposed to also running the NeuraLegion fuzzer, it’s like this is your first step at making sure your apps are secure, and it’s going to catch everything that’s obvious, which is super duper important, because if it’s obvious to NexDAST, that means it can be obvious to a malicious actor, and you better fix those things. Just to be.

 

Speaker 2: Clear, you won’t get false positives, which.

 

Speaker 1: Is a very important thing. Yeah. So when you run a tool like Burp Suite and you open it all up, it’s going to tell you a zillion things, a gazillion things if I am following Oz’s language, which I really like. But a lot of those things are going to be false positives. It’s telling you everything that might be an issue, because it thinks you’re an expert and you’re going to go and dig right in. But we are not doing that today, because this course is 3 hours and not one week. And if we go a little over, it’s okay. I want to make sure that everyone has every single question answered by the end of this. I want you to all feel confident that you can go and scan your own apps, with your boss’s permission, just to be clear. So I want to make sure. Did I get everyone’s question that was in here? If there are more questions, put them in the chat, because I don’t want to continue on to another part and then people are like, Oh, I’m so lost.

 

Speaker 2: And you have discord as well for technical questions, or put them in the Q&A because we can manage that too.

 

Speaker 1: Cool. Thank you. So the last thing on the slide is fuzzing. Well, actually, I thought the white looked really good with the orange, but anyway. So I’m just going to explain fuzzing, Yuval, and then I’m going to explain why we use CI/CD again. So fuzzing, like I said earlier, is where the fuzzer is a piece of software that is going to look at your app. It’s specifically for input validation. And so the number one cause of vulnerabilities in apps, in Tanya’s professional opinion, is because input from the user, from other systems, from your own database is not validated correctly, and they let in bad stuff and then it makes your app do weird stuff. And sometimes that weird stuff turns out to be a vulnerability and a security problem. And so what a fuzzer does is it tests the crap out of every single input to your application. It puts in garbage. It puts in things that it thinks might hurt you. It puts in everything it can possibly think of, and it tests that your app continues to respond gracefully. And if at any point your app acts differently, returns a weird thing, anything like that, it takes note, because it’s going to try to mess with you. We are not covering the fuzzer today because. Oh, could you reshare the Discord link in the chat? Just because now we’ve chatted a lot and so it’s very far away. Um, would one of you mind doing that from NeuraLegion? I’m going to assume that you’re going to do it.

 

Speaker 2: We’ll be out of there.

 

Speaker 1: Awesome. So we are just DASTing today. We’re not fuzzing. Yeah, I know DAST is not a verb, but we’re just going to do a regular scan. Fuzzing can create false positives, and we really wanted to make sure all of the positives were true for you. And that’s what their DAST does. So how difficult is it to validate inputs? Just wondering. So if you have a fuzzer, I think it’s great. Oh wait, how difficult is it to validate inputs? I was thinking of how good it is from the tester side. How difficult is it to validate inputs from a dev side? Well, you would think it was the most difficult challenge on the planet. However, I feel that we should use something called an approved list and we should get to know our regular expressions, and basically we should only accept known good input. But unfortunately what a lot of devs do is they use a deny or a block list, or sometimes called a blacklist, and basically they’re like, Oh, no script tags and no double quotes and no backslashes, as opposed to saying this is a username and the only things we accept are upper and lower case letters and numbers, and that’s it, buddy. No special characters for you. So as opposed to trying to not have all of the bad characters, we’re just only allowing the good characters. And if every single dev could learn fantastic input validation and become best friends with regular expressions, life would be wonderful. All Bar and I, we could just go home. We don’t have any jobs anymore. Yes. So following a white list, or like an approved list, is, I guess, difficult for some. I quite often will sit with devs and talk with them and they’re like, Yeah, I made a white list, I made an approved list, but they’ve made a block list. And then, like, I don’t know, sometimes I draw pictures on a whiteboard and that helps. I cover this a lot in my book, and I remember my editor saying, like, Why are you covering this for like the third time but in a different and new way? 
I’m like, because this is a really hard concept to actually get ingrained in people so much that they always do it that way. I know I was a dev and I screwed this up. I was not the perfect dev. Let’s be clear. Every bad thing that I tell devs not to do now, I did it at one point. That’s why I know. Okay. So. You might want to take a screenshot of this. It’s up to you. So, you know, like the long list of things they do, or you could bookmark NeuraLegion’s website. It’s totally up to you, but they do a lot of stuff. And the main thing that we are going to do today, again, we’re not using NexPloit. We’re not using the fuzzer. We’re just using NexDAST. So you’re only seeing like half the stuff it does. So, oh, Bar would say mostly it falls into creating an allow list, meaning you would need to think ahead of all the OK inputs and only allow them. But devs are lazy. So hey, don’t call devs lazy. That’s so not true.

 

Speaker 2: Devs we.

 

Speaker 1: Oh, we the devs. Yeah, it’s true. It’s work. Being a dev is not like the easiest job. Unlike us, security people, we just need to find one hole in your app and we’re like, We look awesome. Well, you have to defend every single line of code. It’s kind of a. We want to press this magical button right here. Fork. This is what we want to do, so you can see me. This is the little me, We Hack Purple here. You should see your user here, and we’re going to press the fork button, which I would open up my slides, but then we’re just going to, actually, let me open them up. This will be good, actually. Let’s do it. So I’m going to slideshow full screen it. So the next thing is we’re going to set up our NexDAST account. And we do that like this. So you should have an email that looks like this in your inbox from NeuraLegion. Yes. So it’s going to look like this. You’re going to have to create a password. You should save it somewhere so that you have it. You’re going to have to repeat it and then you’re going to click the sign up button. And then you will be inside and it will look like this. Unless you have turned on dark mode, in which case it’s going to look like this. So let’s do these steps. So I have my lovely email from here. It is. So this is my confirmation. Email confirmation instructions. Hello Tanya, you should confirm your email address. So I’m going to do that. So I’m going to copy the link and open it here so that it doesn’t do something silly. And so if all of you could do this with me, that would be cool. So all of you are copying and pasting this into your web browser, and then we’re going to come up with an email. Yes.

 

Speaker 2: Oh.

 

Speaker 1: Okay. So which theme do you want me to use? Dark or light? Let’s hear some votes. Dark, dark, dark, light. Dark, dark, dark, dark. We’re going dark. It’s happening. It’s happening. Oh, okay. So, see, running scans. I am allowed five. Do you want to know why? That’s because I’m running the workshop. You’re only allowed one. Do you want to know why? Because there’s 250 of you. And so now if you look at my slides, the next thing that we’re supposed to do is we’re supposed to create API keys in NexDAST, and then we’re going to put them into our GitHub secrets. So I’m going to slide this away. Now I just like to remember and remind everyone what we’re doing. So we’re going to need to create two keys. So one is to connect GitHub to NeuraLegion, and then the other one is to make a repeater, and the repeater is the one that does all the talking and makes the test actually happen. So just noting again, the username is the original email you got in your invite. So make sure when logging in you use it, even if it’s just an alias email. Hello, darkness, my old friend. Oh, my gosh. Let’s make API keys. So everyone go up here to your little user person, and we’re going to click on there and we’re going to go to user settings, and this is where we’re going to make some stuff. Okay. So we’re going to click here. And so, yes, we could turn on two factor authentication. You would definitely want to do this if this was not a workshop. I don’t think you should have a security tool that does not have two factor authentication turned on, because that would be very bad. And I bet you’re thinking we’re going to press this button, but we’re not yet. That’s not what we’re doing right now. What we’re doing. So can we use the same API key for both services right now? When you say both services, which both do you mean? So we’re going to create two keys and put both of them into GitHub. And they do different things. So let me explain. 
So all of you have clicked the user button and you’re in here, and we’re going to scroll down, we’re going to scroll down, and we’re going to see a whole bunch of stuff, and at the very bottom, manage your API keys, and see how it says no API keys. That’s not acceptable. Obviously we want a key. Can we use the same API keys for both services, repeater and NeuraLegion? No, we have to create two. And don’t worry, it’s not hard. We got this, so let’s do create. So we’re going to press this button here, which will be in teal blue if you’re in dark mode, and it will be. Wait, wait. What color is it if you’re in light mode? Same color. Okay, but back to dark mode, obviously. So let’s create a new API key. So we’re going to click it and I’m going to name it GitHub API key, because obviously I’m an extremely creative human. You can name it anything you want. The name of this doesn’t matter. But when we go into GitHub, the name really matters. We are actually creating one API key and one repeater. Oh, and both have an ID, but you can think about it like an API key and an API ID. What Bar said, he’s correct. So we have to choose our scope. So create new API key, and then we have to tell it what powers it can have. So we’re in a workshop. So we’re probably going to just click select all. You should click that button. So we’re going to click Select all. And we got here by doing this. So this little arrow next to scopes. However, I don’t know if you would want to do that necessarily in a production environment. You might not want to give it archives, read and write. You might not want to integrate every single thing. You might want to apply least privilege to this section. You might say, You know what? I don’t want to read the users, or I don’t want it. We need it to have repeaters, just to be clear, and we need it to have the scan stuff. We don’t need to have delete scan though, so we could theoretically turn that off. 
But I find in a workshop, when I try to apply least privilege, unless the workshop is about least privilege, someone can’t get their thing running and it’s because we removed a privilege. And then that is frustrating for people attending. And so we are going to click the magical select all button. But again, in production, you might not want to do that. So let’s click create. This is our new API key. We would like to copy this, so we’re going to highlight it and click copy. So I want to make sure everyone has gotten to this part. And now we’re going to go back to our GitHub Action. So we can see, in the repo that we forked. So remember, so github.com, your username here, for mine it’s We Hack Purple. Yours is probably something equally cool. And then example actions. And so we are literally following this exact thing. So what we’re doing is number two, and so we are setting the NEXPLOIT_TOKEN. So that’s what we’ve copied, and then we’re going to create the repeater. And so to do this, we want to click on settings. This is the settings for this forked repo. This is not the settings for your entire user on GitHub, it’s just for this. So one more note: after hearing from a few attendees, this is not a self-signup service. If you didn’t get an invite, the login will not work. Hmm. So if you need an invite, you need to ask really nicely. Art. We’re getting. Should probably ask for. So let’s all click on Settings together. Yeah. Perhaps it will be good to know which privileges the API will need for prod. It would need scan stop, scan start, scan read, scan write. It does not need scan delete. And then that’s it. So we’re running it with tests just with that. And it was fine. But if someone doesn’t check one of those, and there’s hundreds of you and one of me, we’re going to have a problem. So, everyone, for now, please click select all. And so let’s go to Settings. So again, that’s right here. And then we are going to go down to secrets. That’s right here. 
So again, we’re going to go to Settings and then Secrets, and we’re going to add some secrets. Ciara says there are no secrets in this repository. Sad face. We want to add secrets now, so we’re going to click the new secret button. And we’re going to immediately just paste what we had, because we want to paste that and not lose it. And then, I don’t know if you’re like me, but I have totally forgotten what the new secret name is. So I’m going to go and I’m going to open in another window the code. And I am going to go here and then copy and paste it from here. So I’m going to just put it in the chat that you want to name your secret NEXPLOIT_TOKEN. So I realized that at least half of you are currently typing out the value of my API key. The joke is on you, because I will be able to tell if you are running scans on my behalf, and then I will stop sharing my screen and just do a new API token, and then you’ll all be lost with your one scanner only. So I ask gently and nicely that you don’t steal it. But I’m telling you, I’m aware you could. And if I see a bunch of scans running that I know aren’t me, I’m going to swap it out. And that will theoretically be your punishment, and I will delete that token. So let’s click the add secret button. So again, we’ve named it NEXPLOIT_TOKEN, and it has to be all uppercase or it will not be a happy camper. And we’re going to click Add Secret, and then we’re going to click new secret again. And I’m going to go and I’m going to take the name REPEATER and I’m going to paste it into the chat, because that’s how I am. Tanya the holder of the keys, it’s so true. And we are going to go back to secrets and we’re just going to paste this name, and then let’s go make a repeater together. So again, this is secret number two. It’s named REPEATER, all uppercase. And let’s go back to NeuraLegion. Oh, this is where I was resetting my password. So I’m going to close this. It’s created our API key. 
We are happy and we’ve enabled 13 scopes, because we’re very generous. So let’s go over to repeaters. So that is underneath scans, which quite frankly is the most fun thing to click on. But until we have our repeater, there’s not going to be anything exciting there. So see how it says no repeaters. Obviously, that’s not acceptable. So let’s go. So we’re on repeaters and we’re going to click the plus button, because we want to make a repeater. And again, the repeater is the thing that communicates back and forth between wherever you’re doing the scanning and NexDAST, which is in the cloud for NeuraLegion. So we’re going to name it GitHub repeater, but you can name it anything. It does not matter what you name it at all. And my description is going to be GitHub Repeater Pew pew. Hi everyone. You should probably have a clever name then, or a clever description. It’s up to you. And so it makes this UUID. So this is our identifier of our repeater. And so we’re going to copy this. So when GitHub Actions is running, it’s going to use the API key to start talking to NeuraLegion, and then it’s going to use this to say, Oh, this is the repeater she made, this is the one she wants, because eventually you might have many repeaters, like for different apps and different projects that you’re doing. And so that’s why it’s important. So you might give one repeater to each team. And oh, you don’t have the repeater enabled in your account. Ruchi Hata, can you repeat what the repeater actually does? So I just did that. So I’m hoping, because I saw your question after, I’m hoping that that’s what you wanted. I can’t create a repeater. It says not available in my current plan. Denzil dah or timber. I need your help. Okay. For everyone else, I am going to copy this. So can anyone make a repeater? Is anyone successfully making a repeater? Yes. Yes I did. I did. I did. Yes. Okay. So for everyone that doesn’t have one, talk to Bar in the Discord. Yes. So let’s go back. 
So in the repeater here, we’ve clicked plus and made one, and then you can click this copy button and it copies it for you. And it’s the UUID that we want. And then we go back into the secrets and we’re making a new secret, and you just copy and paste it in here, and then we click Add secret. And so now I have my two secrets and GitHub will use them automatically as part of the CI/CD. But you wouldn’t have the secrets in there if you hadn’t cloned it yet. So let’s go back to our code. So we click here and then we can see our code. So the way that GitHub Actions work is, so you have actions here. So that’s when stuff’s running, that’s the workflows running. But then if you want to see the code, the workflow, which is written in YAML, the YAML programming language, you have to go into the code and then see how it says .github/workflows. We’re going to be in there. But first, I need to point something out to all of you. You’re lagging behind. Please show how you set up the repeater. Yeah, I’m just going to very quickly repeat the repeater part. So we go to repeater and we click the plus button, you name it whatever you want to, you give it whatever description that you want to, and you click add. And then we copy it here. And then we put it into our secrets by going to settings, and then into secrets, and then adding a secret named REPEATER. So you click new secret, you name it REPEATER, and then you copy and paste this value, the UUID, into it, and then you click the save secret button. Yeah. And the name needs to be REPEATER, all capitals, for it to work. YAML is case sensitive and it’s also space sensitive. So if you use a tab versus spaces, it gets extremely upset. And I have to say that I have sworn at YAML quite a few times, because I think that’s dumb. Okay. Can you show how I created the API key? Yeah. So to create the API key, we go to our user person. 
So that’s here, our little dude, and we click on him or her or them, and we click User Settings, and then in User Settings we have to scroll all the way down to the bottom of the screen and we click Create new API key. And in it we do plus, we name it whatever we want to, and then for scope we have to click Select all, and then we click the Create button. But I’m going to cancel because I already have a key. That’s very nice. So I’m going to click Cancel, and then it will show you the API key and you copy it. Yes, there will be a recording available after. There will be a recording available after, and forever. So you can keep playing with this and trying it and doing stuff with it. "But you will only get one engine." Only I get five engines. Ha ha ha. They’re like, "We’re going to give you three." And then I woke up and there were five and I was really happy. "So I think YAML is a markup language, actually." Yeah, you’re right. It is. And so the secret name for the API key is NEXPLOIT_TOKEN. Awesome. My pleasure. So now we are in our GitHub Actions example. So we’re in the code. So a GitHub Action is a bunch of YAML that will run our CI/CD for us. And so I want us to look at the code and I’m going to talk about it. And then I want us to run it, and I’m going to trick you and make it not work first, because I’m sure... Okay, so everyone click on this one. So we’re in Code. And then we’re going to click on the workflows, because we want to see what’s in there. And so we see run CI dot yaml. That’s the one we want. And see, there’s a comment: "use Juice Shop version 11". This is because we want to find stuff that’s wrong. Um. I have a message from someone, but it’s so far... Yeah. Thank you, Anatol. I can’t remember if I said that right, Anatol. Thank you. Yep. That’s the trick that I’m throwing at them. Well. Ha ha ha. Okay, so we’re going to click on here and look at the demo. And you don’t need to understand all of this to make it work. 
Each different person that makes a security tool, they write a GitHub Action, free to use, and you don’t usually need to understand much of how it works. You just need to understand the parts that are interesting to you. And so, what we have are three branches. And if you recall, we’re in the crawler branch, because that’s the first test we’re going to do. There’s a HAR file branch, which we’re going to do, and then Swagger, which is where we’re going to scan an API, because we want to do all three things. So pull request, branch main. We don’t have a bunch of branches in here. This is just for demo purposes. They’ve created this so that any of their customers who want an example of how it works with GitHub Actions can just copy and paste this and use it whenever they want to. And I was like, "I want to use it," so. Basically, when there’s a pull request to the main branch, it’s going to run. When there are pushes on any of these branches, it’s going to run. Okay, so we’re going to push stuff. You’re right. So people are already starting scans, and that’s okay and that’s totally fine. But I’m going to walk everyone through it, who has not done that. So jobs: start and wait on scan. So first it’s going to get Ubuntu, because we have to put it on something, and the job is to run a NexPloit scan. So the first thing it does is it checks out the version of the action. And then it makes a place where it can install the NexPloit CLI. So that’s the command line interface. And so that’s the thing that runs the repeater for you. So we’re installing that inside of GitHub Actions, which is pretty cool. And then it’s going to save some environment variables. And guess what they are? They are our secrets, right? So we want to make sure that we’re saving those secrets. And then docker-compose up. So it starts our Docker image. And then it’s going to start a NexPloit scan. "What’s the email?" Oh, Bar is troubleshooting with people. Okay, so scan ID. 
So the scan ID is basically what we’re asking it to do. And so what we’re asking it to do is run a test, and you can tell it which tests you want it to run. And so we have limited time, so we’re only going to do so many. And so we’re going to tell it to do CSRF, sometimes affectionately known as "C-surf". It stands for Cross-Site Request Forgery. That’s bad. It was on the OWASP Top Ten, but it is not anymore. And then we’re going to run DOM-based cross-site scripting tests, because we want to see if there’s that type of vulnerability, and we’re going to talk about that vulnerability in a bit. We’re going to test to see if security headers are missing, because a lot of developers appear to have an allergy to security headers and don’t think that they’re as fantastic and amazing as I know that they are. And then secret tokens. We’re going to look to see if there are any secrets that should not be there, because that’s bad. So then name. So we want to run Juice Shop. See how it has the cute juice emoticon? So Juice Shop, for the GitHub version of it, branch, and then we’re telling it the GitHub branch number. So basically we’re telling it which version of Juice Shop to run, because Björn is, like, on top of it. The guy that leads the project for Juice Shop, and we found stuff wrong with it and then he fixed it, because he’s awesome. But that makes for a bad demo. So we’re using an old version. So just to be clear, Björn’s amazing. Oh, yes. Thank you, Art. I appreciate your reminders. So then we’re going to set the crawler. So again, a crawler, it clicks on all the links and looks all over. This is slow going, and you would not normally do this in a scan; you would already have that stuff discovered and recorded in something called a HAR file. So when you use a browser to record automation, it saves a HAR file. And so you would do that in advance. So it already knows all of the layout of your app, and we’re going to do that in scan number two. 
So, but we’re going to crawl because that’s fun. And then it’s saying, which repeater is it? And it’s the repeater token we gave it, and then it wants a token, and that is our API key to connect to our specific instance in the NexPloit application, because you don’t want to see my scan results, or maybe you do, but we don’t want that. So then we’re going to go down a bit, and then it’s saying, echo this out. "Where do you see the scan results?" You will see the scan results in the step named "get output from scan". So it will run and say it started the scan, and then it does this thing called "wait for issues". And so it pauses GitHub and it tells it to stop and just wait while the scan finishes running and crawling and doing its stuff. And then either the build breaks, and it will break here and show us, or it will scan a long time till it’s done, and then it will get here and it will say "stop scan". So it’s either going to break the build, or it’s going to run to completion and not find anything wrong, and it’s going to stop the scan. And then "if: always", like, it just is telling it, stop scanning, don’t scan. And definitely, and we have a thing you might want to see here, is we have a 20 minute interval, and so it times out after 20 minutes. This is because you have to pay for GitHub Actions time. And so imagine if you’re running, like, five scanners and then they just, like, went on forever and you didn’t notice. It could be a really expensive cloud bill for you. And that sucks. So, you might notice here, breakpoint is set to high. I want to set this to medium, I’ve decided. I’m not sure how I feel, and I don’t want it to go and break only on a high. I want to break on a medium. So all of us are going to edit this code together now. So let’s go up here and we’re going to click this edit button. So again, I’m just going to put this here so you know where I am. And I’m going to put this for everyone to see. So you should be here. And we’re going to click the edit button. 
So click edit. And then we’re going to scroll on down here to where it says "high". And we’re going to type the word "medium". So I want to break on a medium issue. And then I’m going to click Start commit. So I’m going to... wait a second. And I’m going to just, like, change breakpoint to break on medium. So remember, so we scroll down to the bottom, the very, very bottom. This is the very bottom of the YAML code, breakpoint, and change "high" to "medium", because we want to break on medium. Is everyone doing okay with this? Because then we’re going to click the Start commit button, and then I’m going to throw my first curveball. Yes. So, I’m going to write "Break on medium. Crawl, crawler." You can write whatever you want. But as my boss at Microsoft told me, "You can’t just press commit changes all the time, Tanya. You actually have to comment like a real dev." And then I laughed at him and I was like, "Devs don’t comment all the time." And then he said, "You have to be the ideal dev if you are a developer advocate." And I was like, "That’s true." So we’re going to click Commit changes, and then what’s going to happen? Nothing. Nothing’s happening. But what should be happening is a GitHub Action should be running. That’s what should be happening. So let’s go click over here at Actions and see what’s going on. I hear someone has unmuted themselves. Do you want to talk? So now, "I understand my workflows, go ahead and enable them." So now they are enabled. However, they’re not going to run, because we didn’t do anything, right? Because it’s too late. Oh, tell GitHub, no, I don’t want to give you feedback right now. That’s inconvenient. "So where does this fit in the pipeline? How do you automate this?" Kemba, I am so about to show you this. So let’s go back to our code. And let’s edit our README, because it’s easiest to edit the README. So we’re again, we’re in Code. The README should just be open like this, and we’re going to click the edit button. 
And I’m going to put the number sign so that it’s a comment, and it’s going to say, "Tanya was here," exclamation mark. And then I’m going to go down, and my commit change is going to say, "Tanya was here," and I’m going to commit these changes. These changes are going to the crawler branch. Remember, we have three branches: one’s for scanning the API, one is for scanning with a HAR file, and one is for scanning with the crawler, and we are about to crawl. So I’m going to click the Commit changes. I’m hoping everyone’s with me and I didn’t go too fast. So we’re editing the file. You can put in whatever you want to. It could just be a space, and then we’re going to commit the changes. You can put whatever commit comment you want. We’re going to click Commit changes. And if you remember our code and our YAML file, it said when you commit changes, it’s going to run our workflow. And the workflow is the automation. The workflow is the CI/CD pipeline, and we’re going to go watch that run. But there is a question I need to answer first. "In essence, all GitHub Actions is doing is creating a Docker image to run the CLI. You can always change the target on line 39, right?" Yeah, you can change whatever you want to. You can’t change the stuff inside NeuraLegion’s repo, but you can just do whatever you want in yours. And if you’re gutsy like me, you might even send them pull requests, because I do that sometimes, and I make issues and things. And so, yes, you can change whatever you want to, and I think that’s pretty good. I like it personally. So let’s go see our actions run. So again, in the Code section is the workflows, and this is the YAML file with the actions, like the things it’s supposed to do, but this is it dynamically running. So let’s go click here, and then you have to click on your comment, which is why I made a good comment, because I have made this mistake before where it’s like, "read me file, read me file, read me file, read me file." 
"Did we change another thing in the code, except the medium?" So I checked that in before we ran. So that’s the only thing we changed, was to run on a medium. Okay. Okay, so let’s look at our results. So to see your results, you go into Scans. If you don’t see anything here, you click refresh. And then see, one issue, four issues. So let’s go check it out. So you just click on it and it’s going to show us all the stuff. So, status: stopped, because it had a medium, so it didn’t get to complete all of its scans. See how it’s like, "I didn’t even get to finish"? We have a whole bunch of notifications here. It’s telling me a whole bunch of stuff, but I would rather look through this part than look at the notifications, personally. So let’s start, so activated modules: DAST. So remember, there’s also the fuzzer. We did not fuzz. Discovery types: crawler. So remember, we’re having it crawl and click each link, so it’s very slow. Elapsed time: one minute and 11 seconds. So that’s pretty fast. It scanned the Juice Shop version that we had running inside of GitHub Actions. It discovered 20 entry points. So that’s pretty sweet. It didn’t discover any parameters because it didn’t get to complete. It’s 137 requests, and I guess it did 1.9 requests per second, which sounds pretty darn good. And then, although a note, questions are good. So these are the settings that we set, remember. So this is when we started the scan. This is what we told it to crawl. These are the tests we told it to run. So we wanted it to do four tests. Then did we do third-party tests? No. Did we do business logic tests? No. And so these are all of the things that we told it to do. So we also told it specifically to look at the URL queries, the URL fragments, and the body. And then this is the repeater we told it to use. So let’s go back to this, and then progress. It didn’t finish, and that’s okay. The runtime notifications, I don’t want to read that. 
We could read an engine log if we wanted to, but mostly I’m just like, "Tell me what happened." That’s what I care about. So we can see it discovered a whole bunch of different pages. And that’s nice. But again, I just want to see the results. Look at this. So let’s go back to our code. So everyone, let’s click here on Code. And let’s go to workflow. So again, we’re going to Code and then workflows. And then I want to make sure that everyone edited this, and that they actually put "medium". So for anyone that’s stuck on issues, is it because you did not put "medium" and you put "high"? Because the crawler is so slow, because it’s supposed to be. "You did, but still." Oh, you, Val, that sucks. Okay. Hmm. Yours is on medium. So everyone did the right things and stuff is just being weird. I am sorry this is happening. "So you fixed yours by rolling back the change you committed in the README file." Oh, interesting. Okay, everyone try rolling back the change in the file and see if that works. So how can I do that? Let’s go to my code, and then let’s go to my README file. And then I see that there is a history, and I’m like, "Oh, I regret this decision." Oh, but it’s verified and it’s committed. Honestly, I forget how to, like, roll that back. README version. You. Oh, yeah. Here’s a poll. "Are you stuck?" Okay, so we’re very close to 50/50 and... hmm. Okay. So it would look like 70% of us, we’re like 68%. Oh, like a pretty good amount, are ready to go on. And so, yeah. Is it not going to start a new scan? So how about this? I’m going to show everyone how to kill their scan, and we’re going to do a faster scan. So let’s kill our scan. So I’m going to end the poll. And thank you for running the poll. So let’s go into NeuraLegion and let’s go into Scans. So if you still have a scan running, you can click Stop. So everyone whose scan is still running, click the Stop button, because I don’t want you all to just have to wait and not get to do the next step. 
And we’re going to try to figure out why it was doing that. But so everyone, we go to Scans. This is here, you click on your scan, and if it’s running, you click Stop. "I can’t because it says it’s queued and the option is not enabled." Oh no. Oh, okay. I am not sure how to help you, Dieter. And you, Val. Oh, you can just delete it instead. Okay. Do you have the delete option? If you have the delete option, delete the scan. Perfect. Delete it. And then let’s run another scan that will be way shorter, and hopefully we’ll get everyone on board. Okay. Oh, good. Awesome. Awesome. Okay. So let’s go back to our main code. So we’ll just go here. And then I want everyone to click HAR file. So again, we’re going to go Code here. We’re in our example actions folder that we forked for that project. And then we click Code, and then we have clicked HAR file, which is the second one, for HAR file, as a reminder. So QA teams make a lot of awesome HAR files. So you want to be good friends with your QA team. And basically it’s where they have used a browser and a tool to record them using your product, and then they save it as a HAR file, the automation of it running. And so it has all the discovery points and everything in it. And then we feed that in to the NexPloit DAST, and then it knows what it’s doing, and it’s like, "I’m awesome. Source." So then it’s going to run way faster than the crawler. However, we have set this one, so let’s go look in our workflows. "You don’t have the HAR file." Okay, so for you, Val, did you click in the branches? Do you have multiple branches? And then can you click here for the HAR file? And then do you see the HAR file here? So everyone should have one called Juice Shop HAR. "You’re all good." Okay. Perfect. Okay. So let’s go and check out how the workflow is slightly different. So we clicked on workflows and we’re going to click on the YAML, and we are in the HAR file branch. And so if we come down here. 
It is still set to medium, but we’re going to change this to high, and then we are just going to look for one test. So we’re going to change this back to high, and we’re going to change it so it just does the DOM access test. Hopefully we’re going to find something fun.
Speaker 2: Let’s hope so.
Speaker 1: So some of the time it runs and some of the time it doesn’t, because Björn is amazing and he keeps fixing stuff on us. And I mean that as the highest compliment, even though I’m like, "Damn it, we just found something cool." And then he fixes it. It’s like he’s on to us. So again, we are in the run CI YAML file and we’re going to click the edit button, and we’re going to make two changes before we check it in. So scroll right down to the bottom. And then we want to take "medium" and we’re going to change it to "high". So, breakpoint at high, because we did find a token and that’s cool, but we want to see if we can find a high thing. And then we’re going to come up here to the tests. So this, I’m just going to scroll up so everyone can see. So this is in the section of "start NexPloit scan". And we’re going to delete cross-site request forgery. We’re going to delete looking for secret tokens. Oops, I’m ruining the spacing; Bar is going to be upset. Then I’m going to delete the security headers. So then it’s just going to say test and DOM access, but like a good little dev, I’m going to press this across here so it looks pretty, because it kind of bugs me if my code’s all a mess. So, what this means is "continue this command on to the next line", so that it looks nicer and it’s easier to read, because all of that smushed into one line is really hard to understand. So we put it into a bunch of lines, so. And. Oh, yeah. So, the reason why we chose a certain version of Juice Shop is because Juice Shop keeps getting fixed by their amazing team. And so we wanted to choose an old version to make sure it would have problems. And I’m looking and I’m forgetting where it’s choosing the exact version. Oh, here it is: Juice Shop, right here in front of my face, specific number. So we chose a specific version, a specific number, because the newest one is fixed, and it’s not fun to run a scan and have nothing work. 
So, as a reminder, just one test, DOM access, and we’re going to break on high. And so I’m going to click Start commit and I’m going to say "break on high, just one test, DOM access". And I’m doing this because comments help me remember what I did. So I’m clicking Commit changes. Now I’m going to go click on Actions. And so "Tanya was here", remember, that broke because we found something, and now we’re on "break on high". So let’s click in here, and to see it run, we have to click here. I’m kind of confused why it doesn’t just show you this immediately, because I can’t see any human ever coming in here and being like, "Yeah, I just want to see a yellow circle." Obviously, I want to see what’s happening. I don’t understand that UI decision. I have lots of friends that work at GitHub. I should be like, "Hey, you know what I would like?" They’ll be like, "Tanya, we didn’t build it only for you." So it’s doing its thing. But what we really want to see is we want to look in NeuraLegion. And we want to click our friendly refresh button. And we want to see when this comes up. So if we go back to GitHub, we see it’s docker-composing up, and so it’s putting up our Docker image. And then it’s going to sleep 10 seconds. And we do this because Docker needs 10 seconds to load. It’s somewhere between seven, eight and 9 seconds. But 10 seconds means it always works. So we sleep 10 seconds, and then it’s going to start the NexPloit scan, and as soon as it gets to "waiting for scan"... as soon as it gets to "waiting for issues" and polling the status, let’s go back into NeuraLegion and let’s press our favorite button, the refresh button. But let’s see what’s happening. So, and so that’s why it’s waiting. So maybe it’ll find it, maybe it won’t. But I want to look back at my code for a second. So in our HAR file. So, I go to HAR file. And I open it. That’s cool. Thank you. Sure. I want to see which URL we told it to go look at. So it’s looking at the Juice Shop main page. 
But I believe that there is an about page that it might work on. So let’s try pointing it there and see if it finds it. And let’s run the scan one more time, and then if we can’t find it, I want us to scan APIs, because I don’t want to just spend the whole time waiting. So I’m going to run this and see if I can find it. So let’s click. So again, we’re in Code. We’re in the HAR file branch. Remember, there are three branches. We’re choosing the HAR file one, then we’re going into the HAR file and we’re editing it. And the part we’re going to edit, so we have to scroll down. We’re going to scroll down to line 30 and we’re just going to add the word "about". That’s it. So we’re adding the word "about", because I think that the about page might be not really super secure. And then I’m going to commit my changes. So I’m going to put "Pointed to about page", and then I’m going to click commit my changes to this HAR file. Someone put "about" or "aboot"; we have to spell it correctly and not spell it in Canadian. Uh. Oh, my God. It’s so good. Okay, so. Okay, so now this is going to be running. So let’s go look at our action and we’re going to see it start. So "point to the about page". So I’m allowed to run more than one. So it can run both at the same time. So I’m going to click here to see it run, because I don’t just like the yellow circle. So eventually this is going to come up and it’s going to get to the good part where it says waiting and polling. So we want... on this part, "start a NexPloit scan". And so. "Why is it always in queued mode? Is anyone else facing this issue?" Chris, I don’t know why it’s always in queued mode. I’m going to show everyone just... I’m going to repeat briefly what I edited so that someone can catch up with us. So I’m going to go to Code, and then I’m going to make sure that I am in the HAR file branch. And then I’m going to go into the HAR file itself. So hopefully I’m answering this live, so hopefully the person can see me. So we’re going to go into the file. 
We’re going to go down to line 30. That’s here, and we’re just going to add the word "about". And then, so you would need to click the edit button, but I don’t want to edit it again, because I don’t want to send too many results at the same time. And then you just add, on line 30, just add the word "aboot", but really, spell it correctly, not Canadian. And then you come down here and then you commit it, and then it’s going to start up your action for you. So now we’re on "waiting for issues". I’m going to show my results to everyone. And it’s not finding anything yet, but it’s still running. So we’re going to let it run the whole time. But while we’re doing this, I want to show you a few slides about DOM-based cross-site scripting, because I’m not sure if we’re going to run it, but I still want to tell you about it, because one, I made really cute slides. Those slides again later. So let’s hit refresh and see if it found it. It might have found it. No, it didn’t find it. That’s okay. Sad face. So this is good and this is bad. So we didn’t find anything. And that’s good, because Björn and his amazing team of volunteers at the Juice Shop group fixed it. It’s kind of sucky for us, because I wanted to demo that, but I didn’t want to, like, break Juice Shop to make it happen. Do you know what I mean? We don’t want to fake it for you. We only want to find genuine vulnerabilities. And so this is what we’ve got. But we have a few minutes left and I’d really like to do some API scanning, so let’s do that. So let’s go back to our code in GitHub. So back in GitHub, and we’re clicking on our code. And we are going to now pick the branch that says Swagger. So Swagger is basically a way to define an API. It’s the OpenAPI protocol, and you make a Swagger file. And I have to say, Swagger files are actually beautiful. Thank you, Shiva. Swagger files are actually super gorgeous. If you see one, it’s so much prettier than SOAP, and I like it better. 
I’m sorry to anyone’s feelings that are hurt that really like SOAP. I just find the OpenAPI protocol so much easier to understand and work with. So we’re in our code and we’ve clicked the Swagger. And what I want to do is I want to edit the README so that we kick off a scan. So this is only going to scan the API from Juice Shop. It’s not going to scan the rest of it. And so this means there’s no web front end that we’re interacting with. And so if we look at the Swagger YAML file, basically our friends at NeuraLegion made this for us. And this is so it can read... see this? It’s reading B2B and then V2, which is where the definition file is. So you would need a link to the API in order to scan it. I heard just some noise, but I guess it’s fine. So title: "so new and secure, JSON-based API for enterprise customers, deprecated previously offered XML-based endpoints", and so, I could go through this. But basically this is the stuff that is from Juice Shop. Please correct me if I’m wrong, and because we don’t want to write their API, we want their YAML file, and we have this so that we can scan it. And so let’s go back to the code. We’re going to make sure we’re in the Swagger branch, and let’s edit the README so that we can do something cool. So I’m going to say here, "On your scans APIs", and then I’m going to go down to the bottom. And I’m going to say "Ruined the README. It was so nice before Tanya got here." And then I’m going to click the Commit changes button. "Oh, it’s nothing. Make it shorter." Well, tough. Who here is with me? "How is the Swagger file created?" Oh, that is a very good question. Um, Bar or Art, would you like to answer that? Because I would say the devs do it, but I want to let Bar and/or Art answer if they want to.
Speaker 2: Sure. So a Swagger file is usually created automatically from the development framework. If we’re talking about more common development frameworks, like, you must know, Angular or React or Ruby on Rails or Django, all of those have their own methods to automatically describe the APIs you’re building inside your products and then to export them in this kind of file. Now, Swagger is also called OpenAPI, so maybe you know it better by that name.

Speaker 1: Yeah, the OpenAPI protocol, but then we call it a Swagger file. I know, it’s weird. We’re going to see our stuff running. Wait. We want to go to Actions. And then "ruined the README". And then we’re clicking here. And it’s still docker-composing up. So it’s doing its thing. And then once it gets to "start a NexPloit scan", then we can come over here. We’re going to go to Scans. Very briefly, while we’re waiting, I want to talk about the results from our first scanner result. So it actually found things. And I want to talk about these results just for a minute. These results are the things that help you fix your tool. These are the things that help you make sure that your code is actually secure. And as you can see, there’s a secret leak. So if we click here, it tells us exactly where the leak is. So it’s unresolved. We haven’t fixed it. And you can assign a person if you want to, but I can only assign myself, obviously. I want to make Bar fix it. That’s what everyone does. We make Bar do all the work. So details. So the engine detected a clear-text API token that should not be available to the public. This is very bad. If your app is doing this, you need to fix this immediately. The fact that it tells you where it is in the code, the fact that it explains how to fix it, is really helpful. So additional information. So it looks like it’s a gooey app client ID, because the token type is that, so I’m pretty sure that’s what it is. And obviously, of course, we will explain this to the Juice Shop folks, because I know that they actually want to make scanners not be able to find things. And obviously all of you are ethical security people. So when you find problems and things, you report them. And this is why we’re scanning an old version of Juice Shop, because Björn’s team wants to make scanners not be able to find stuff. And they want you to have to do manual security testing on their really, really fun shop. So there’s additional information. 
And the way they did it was basically they just did a GET on this, and then it was asking for an API key and it was giving it one. Disconcerting. Oh, also there is always a link here on all of the pages where it’ll bring you out and tell you even more stuff. And for some of them, NeuraLegion has built their own articles and their own code samples, etc., to help you fix it. And then some of them, they’re like, everyone always has this problem. Like, we can give the same advice that every single other tool gives, because it’s really good advice. So it kind of depends on the things that you’ve found. So, oh, I’m going to mark this resolved. Ha ha ha ha. Look how awesome I appear. So let’s go back to my scan results. And then so I pretended that I fixed it. And then, we’re missing a security header, which is obviously so, like... I am a big fan of security headers. I think they’re really important. It’s like one or two lines of code that helps you in case of an emergency. I know that a lot of people, a lot of devs especially, are like, "Oh, we don’t need it," but it’s another layer of security. So if the crap hits the fan, you make sure you have an umbrella: making sure that you’re using a Content-Security-Policy header, making sure you’re using Strict-Transport-Security. I don’t really advise on the X-XSS-Protection header anymore. It’s sort of being phased out. I would argue it’s deprecated. So, like, you can just accept the risk of that warning if you want to. And then misconfigured Access-Control-Allow-Origin header. Again, like, you want your access control to be really strict, and although it takes time to fix those things, it’s really, really worth it. Because having two layers of defence, so really good code and then on top of that security headers stopping things from happening, is really important. Content-Security-Policy header. 
If you have it listing all the resources for your app, really, really locked down with CSPs, what you can do is that then you can, like... So if you were vulnerable to DOM-based cross-site scripting, like, the first thing that any malicious actor does, they’re like, "Oh, you have access. Great." They always call out somewhere else to, like, a huge script, because generally you’re only going to allow this much and not pages and pages. And so they call out, and then the CSPs will stop them from being able to do that. Security headers are very important. Second layer of security for your app. It’s like wearing a seatbelt in a car. I mean, not pretending your car is a bumper car is the number one way. Like, good driving is the number one way to protect your car. But having a seat belt is in case bad things happen. You’re ready for it. So I will get off my high horse called security headers and answer the question. Okay, so "error: process completed with error code one". Oh, okay. So let’s go look at that. "Having problem with the first scan with timeout issue, and repeater status is still disconnected." Uh oh. Okay. Let me go to my scan results and let me see what my scan is doing. So it is running the scan on the Swagger file. It’s at 3 minutes and 35 seconds and it has found my missing security headers. It doesn’t have the API token in this API, so that’s why we’re not going to find that. All right, let’s check out our scans. Oh, well, there are all sorts of other tests. I feel like a super duper duper test would be good. Okay. Broken Crystals is awesome. Oh, look how many things we found. Okay, so let’s look at the Juice Shop crawler and see. Oh, 349 requests. Sweet. Wow.

Speaker 2: About broken crystals. Make sure to apply more tests if you want to see more exciting results, because I think in our default we have like only the security headers and the DOM XSS. But there is much, much, much more there. So you are free to just add all of those.

Speaker 1: I’m running another test now. I like what I can play more. So. Edit. Okay, So the parts where we choose, the tests are near. Here they are. So. Paste and ruining our beautiful line, so. Oh, but no, no commas, everyone. It’s really important you don’t put the commas. So it just is a space in between. So remove the commas. Actually, how about I do this? I’m going to do a slash and then I’m going to put enter. Is that okay? Should that work for my cool.

Speaker 2: Wait, the too. So the tool, like the two dashes. I think that’s not an.

Speaker 1: Oh, that’s the different test. Yeah. Yeah, it’s different.

Speaker 2: It should be like the either.

Speaker 1: Okay, cool. And you had RFI. RFI twice. So I guess, like, you really, really want.

Speaker 2: To find it, so. Oh, so one was RFI and one was LFI.

Speaker 1: Oh, it was. Oh, Oops. It looks like they’re both RFI. But they were.

Speaker 2: RF. Yes, it.

Speaker 1: Was my turn. If we want to find the stuff. So I’m just going to. Oh, and also I’m going to put that lowercase. Oops. So I’m just going to copy and paste this into the chat in case anyone wants to just copy and paste it with us. So you can just copy that if you desire. So now I’m going to call this all the tests and then I’m going to put broken crystals so we know what we’re testing. Oh, Tanya, spelling crystals. There we go. So I’m going to commit changes. And then we’re going to see that round in in a minute or two. So let’s look. Oops. No, not I want to look at my scans. So. Oh, so we’ve already found more things in the crawler of juice shop. Oh, questions. Starting the crawler again. By editing the red mean the first one stopped on wait for issues API test error process completed with exit code one. Is there a doc that describes the different tests to run? Oh, that’s a good question. Bars there. Is there a document or like a link on your website to all the different tests that there are and what they mean?

Speaker 2: Good question. I think there is just getting us the link right now. They can also just start a new scan on the UI if they want. Right. And that will show them all the tests with explanations. That’s true. Just clicking on the new scan, just click your scan without the CLI.

Speaker 1: Tanya.

Speaker 2: And click on to.

Speaker 1: Scan tests.

Speaker 2: We’re there now. There you go.

Speaker 1: Ooh.

Speaker 2: Each of them has an explanation with the eye next to.

Speaker 1: Nice. Backup listening tests of backup files are accessible. Ooh, we don’t want that. Let’s look through some of these. Well, I’m stalling a bit. But O’Brien still seems to be stuck. Can someone reach out on a. On the text and help make sure that Joe Biden gets to run the scan because they’re still on process completed with exit code one. Or then can you copy and paste into the chat? Like what? What like anything else that. So which parts did you do? And maybe we can make a scan together. So no open questions. Um. Because I want to I don’t know. I want everyone to get to do a scan because it’s fun. Cookie security. So did you turn on the Secure header or did you turn on the HttpOnly header? HTML injection. Don’t. Don’t. DOM. Local File Inclusion. Guys and then remote file inclusion. Okay. Oh Baynes, get going to copy and paste some stuff for us so we know what’s going on. This is sweet. This is sweet. Business logic test. Proceed anyway. Yeah. Darn right. Third party tests. Oh. Oh, yeah. Let’s do it. Not all the tests. Additional settings. Concurrent requests. Hmm. Smart scan. So the smart scan means that. They’ve added a bunch of logic to the to the scanner. And so when you click the smart scan, it uses the logic and so it makes better decisions, skip static parameters. PA, Why would we want to skip static parameters?

Speaker 2: Why would we do that? So static parameters usually just waste our time. For example, most of you might have noticed that some JavaScript files have in the end some kind of a version equal and then some kind of a number. And whatever you do with this number, you can change it and change it, but nothing will happen because it’s just like a static parameter that may be only relevant for analytics or maybe full log analysis later, and there are a lot of those type of parameters. So skip static params means before we start scanning, we’re validating each of those parameters to see if they make any change in how the application behaves if we play around with them. If. If it does, it will be attacked. If not, then we just skip them to save your time.

Speaker 1: So. Oh. Been sent me the like their settings that they had. So they’re in the crawler and like they’re breaking on medium. So they should be finding a bunch of things like it should be breaking and their tests were the four tests, like the original four. So I don’t think it’s that they’ve changed something. I think something else is wrong and I’m not quite sure. Could you reach out?

Speaker 2: Yes, sure. Are they on Discord obeying?

Speaker 1: Are you on discord? So. Oh, mine is in the chat for sure, because we’re chatting.

Speaker 2: Just.

Speaker 1: Oh, yes, as benzie. So B.

Speaker 2: O.

Speaker 1: And z, y.

Speaker 2: Z and chain.

Speaker 1: Okay, cool. Thank you for helping us understand. Oh, okay. So I want to go back to here. I’m going to cancel and not run this. So we see. So basically, like usually before you put something in the CI/CD, you always manually scan the thing, right? Because you want to make sure the tool works and you want to make sure that you find the stuff and you’ve configured it correctly. And so like in my CI/CD, I would probably just scan for the things that scare me the most. So it goes really fast and then I would schedule. So down here schedule I would be scheduling a reoccurring scan on a regular basis and then I would want to have those results like. If there’s highs, I would want to have it like alert me right away that there’s something scary happening. Like, you definitely want to do continuous scanning. So like scan less in your CI/CD because you want to go fast and then scan everything like once a week at least, because being able to just like, choose a schedule, that’s honestly, that’s really sweet. Okay, But let’s look at my scan results. So broken crystals, we got some problems, yo. So first, let’s look at Juice Shop. Because it found six. So it found more lows than before. I just found more instances of it, didn’t it? Let’s see. So. So we saw those ones before. Missing Content Type Options Header. Missing X-Frame-Options Header Bar. Oh, poor Juice Shop. So let’s go back to our scans and see what’s going on with them. Broken crystals. So this is with less tests. So we’re so we just did four tests, if you can see. And the other one, we’re doing a whole bunch of tests. So I want to look through these results and then I’m going to look through the other one. Okay. So let’s look at our results. So first of all, it found that there. Oh, it has to. Oh, it has GETs and POSTs. I see. I see. So these are. Oh, interesting. Because these are GETs and POSTs. Assets forms JavaScript. Under. Vulnerabilities, guys. 
You won’t find the vulnerability folder on a regular app, just to be clear. By the way, I’ve enabled you to go. Oh, also like. We can do just like a regular scan. So. Okay. So, um. Let’s let’s set up a new scan, like a direct scan, because it’ll be faster because it’s not going through GitHub actions. Broken Crystal’s Chris. Crystals, direct scan. And we’re going to do crawler, right? I don’t have a HAR file already. Ignore regex? Nope. So scan template now I don’t have a template.

Speaker 2: Yeah. No. No need.

Speaker 1: Yeah. Do we? Yeah. We want to do everything.

Speaker 2: So go to the scan test and let’s just scan everything.

Speaker 1: Oh, that don’t. And then so I’m doing all of these, but I also want to do business logic, and I also want to do third party tests, because why not? And then scheduling. We’re not scheduling it. We want it now and then additional settings. So concurrent requests ten, that’s reasonable. We want to do the SMART scan. We want to skip static parameters because those are boring. They don’t change.

Speaker 2: Let’s add the URL path.

Speaker 1: Cool. You have turned your URL path and headers on Amazon significantly increase the attack surface. Yeah. Obviously we want to do that. Additional host. Know those are enough hosts. Shall we run? Do we need to select a repeater? No, because we’re doing direct. We don’t need one. Let’s do it. Oh, by Andrea, thanks for joining us. Okay, so your X scan. But I want to look I want to look at this one that was doing the full scan while we’re waiting for that to start doing results. So if anyone has specific things you want to see, that’s cool. But otherwise you’re just going to keep seeing what I want to see. So I like seeing all these tests running. That’s right. Do my bidding, destroy my stuff. So, so far, unauthorized cross-site request forgery from Brown Method Post bar. Remember when I was asking about unauthorized cross site request forgery and we’re discussing it? Do you want to tell them about why it’s called unauthorized?

Speaker 2: Sure. So unauthorized means that there is no authorization playing playing a role here. So it doesn’t matter if you have a cookie or not or an authorization header or not. It’s basically just some form that does not have a CSRF protection. This means that it’s usually also maybe a bit uninteresting. That’s why it’s low severity, but it can still affect users and that’s why you should make sure that forms and other parameter based entry points have protection against CSRF.

Speaker 1: Yeah. So like if you’re doing a transaction on your site, you probably want the people to be in an authorized state. So you might be finding that there is a problem, that it’s not passing a cookie like you don’t have a session going. So usually you would have a session going if you’re doing a transaction, but. Sometimes transactions happen in their kind of OC. If that makes sense. Like it’s unauthorized. So let’s say I’m putting. So let’s say this happened recently where I was like, Oh, I’m going to buy cool seeds because I like garden. And my mom sent me this really cool site called Rare Seeds. And so I was just putting lots of things into my shopping cart to see how much it would be because I buy too many seeds. Other women buy shoes, I buy seeds. That’s okay. And I wasn’t authorized yet because I hadn’t made an account yet, so I wasn’t logged in. But I did have a session going and so it’s like if someone was impersonating me, it’s not really a security issue. Like worst case scenario, it’s going to empty my shopping cart, which by the way, it did. And I was pissed. Then I made an account and I was like, They’re awesome at farming and they’re not great at session management. It’s very sad to have all my stuff, like because like I spent a lot of time deciding which seeds I wanted. So yes, that is a great thank you for explaining. Barb. So then it’s also saying you’re missing a bunch of security headers which we’ve already discussed are not good. And then what else? So there’s. As page six, six of six. I want to just show me all of them. Yeah. Because it’s showing me. Oh, now it is showing me one, two, three, four, five, six. So that’s good, actually. So it’s just another security header that’s missing and they’re all low. So let’s go back to our scans and see if there’s anything that’s more exciting. Oh, wow. 
So we’re now remember, we’re doing a direct scan so it will be faster without doing it in the CI/CD because it’s directly from their cloud to their cloud. So that’s as fast as you can do it. And so in this one, as you recall, we’re doing a whole lot of tests like we’re doing way, way more. And so it has done a lot of requests. That’s awesome. And we found mediums. So I’m very excited by this. So let’s show. Oh, it’s showing 25 items per page. Perfect. So medium CVE, CVE, full path disclosure. And default log location. So let’s start with the first one. So this is a 2020 vulnerability. See how it says CVE 2020. So that means it came out this year. So it’s it’s a during pandemic vulnerability. Okay, so let’s see what’s going on here. Can it tell me more if I click on it? Well, tell me more. Issue. Overview. Good. Loading up so regex and oh my gosh, jQuery. I’ve had so many vulnerabilities with jQuery so regex and its jQuery html pre-filter sometimes may introduce cross-site scripting so that’s pretty crappy. Make sure to update the component to its latest version or at least the latest stable vulnerability free version. Grammar. Grammar Bar. Bars like I’m ignoring you, Tanya. Known and public component vulnerability. So possible exposure. Yeah, it’s known if there’s a CVE, that means anyone can know about it. And it also means that. It’s a lot easier to exploit because there’s information available on it. So updating jQuery is your best bet. Also, like jQuery is just like so many bad things happen. No, I’m not going to mark as resolved because I am not actually going to resolve it. I’m not going to state that right now. That sounds like a lot of work. So let’s look at the other one. So this is. So these are two right next to each other in the sea of land. I wonder what is going on with that. So let’s look at this. Dun dun dun. Very similar, but in a I wonder if this isn’t a slightly different section. This looks like it’s the same one. I thought we clicked on 23, not 22. 
Let’s look again. Let’s go back. Scan. So issues. Oh, yeah. So the first one was 23. Because it’s weird, because it looks like like the vulnerability it’s explaining.

Speaker 2: Oh, most likely the story behind it is that they fixed it in the 22 and then they read it was either bypassed like the fix was bypassed and it just had the same issue again.

Speaker 1: Oh, my gosh. I so see that as definitely true and happening.

Speaker 2: By the way, for high severity.

Speaker 1: Nice. Okay. I want to go look at those now. Yeah. How many people do we have left on our thing that are real attendees? Because I want them to see. Okay, let’s look at the highs. Highs. Command injection. Hi, Hata. Thank you for staying. Let’s look at OS command injection, because that is bad for OS, operating system, command injection. Ooh, very bad. OS command cat password file. That’s very bad. Oh, hi. Oh, fine. Thank you for saying so. During command injection, the software that constructs a system command usually using externally influenced input does not properly neutralize the input from special elements, but are able to modify the initially intended command. Thumbs down bad user input. Bad user input validation. So this occurred when injecting bin. So this is a password file that you don’t want anyone to get. So we definitely don’t want this is very bad. So suggested remedy assume all input is malicious. Um, yes. I literally just recorded a story time episode about this. All input is malicious. Don’t trust anyone, not even your mom. And it’s a story about the time my mom sent me a virus by accident. But the point is, is like any input should be validated before you use it, and it needs to be known safe. Need to reject all stuff that so bad. Oh, so they just removed up time and changed it to show me the stuff I want. So evil. Bah, So evil. Welcome to Broken Crystals. Oh, I love it. Let’s go back and look at some of the other stuff. So. Down, down, down, down, down, down, down, down, down. And 2019. Oh my gosh. I had trouble with Bootstrap as well in 2019. So let’s look at this XSS and data template data content and data title. So because there’s three, they get to be a high properties of tooltip pop over. Oh my gosh. And it’s not even like mandatory, super important valuable features. It’s the tooltip feature. 
So make sure to update the component to its latest version, or at least to the latest stable vulnerability free version known and public component vulnerability. Very bad. So component bootstrap. I have a video of me updating this and I swear a lot in it. So XSS in three different parts. Oh, gosh, that’s so unfortunate. I’m glad someone found it. And so then I could fix it. I literally had this exact vulnerability in the DevSlop project in our our Azure website that I made so that we could do awful things to it. Oh, wow. Okay, So let’s go back to our scan and check out more issues. So there’s four highs, but three of them are the same one. So three are command injection. Cool. And we’re showing.

Speaker 2: All the new HTML injection ones.

Speaker 1: Oh, cool. So normally you don’t get to have your own person from NeuraLegion in helping you with your scan. Just to be clear, you don’t get to rent a bar just because you want one. It’s a way better, though, just to be clear. It’s like way more fun. And sometimes they send you cat memes and just saying. OC so HTML injections. So this means injecting some HTML into places where you should not be able to do that. Hmm. Let’s look. HTML injection allows an attacker to inject certain HTML tags in a vulnerable parameter, and this happens because the application isn’t properly handling user supplied data, which is another sentence or way of saying user input validation. Yo, it’s very important. It’s literally the most important thing. How hard is it to update the bootstrap? So I found it a bit of a pain in the ass. So I have there’s a video on my YouTube called Bug Slang and for 4 hours I just like fixed bugs because the guest for the DevSlop show had to cancel last minute, but I still wanted to have a show and I knew I had to fix those things. And so I updated from DOT. I opted my version of dot net core. I updated the bootstrap and I updated jQuery all at the same time. I can find the video for you if you want. It’s boring and slow, however it’s really useful. That makes sense. So how hard is it to update? So like pressing the update button is never that hard. The problem is that it’s connected to a whole bunch of stuff and it might break one of those things and then you have to troubleshoot that. That’s the part that’s difficult and updating your framework because bootstrap is part of your jQuery framework. And so there might be things that need to be changed in your code so that they work properly and so that everything is still beautiful. And making things beautiful, to be clear, is my super Kryptonite weakness as a developer. All my stuff’s ugly and so I updated it. 
But the DevSlop website was just the default Azure website with our branding put on top of it and I changed the color of blue to our blue and that’s it. So it didn’t do that much. However, when I updated, I can’t remember I updated something else and then Microsoft added What did they add? They added a header somewhere where it did like the GDPR warning. And then that because I had content security policy header and I wasn’t allowing the third party thing to show on my thing and I was calling out to it, it broke all my menus and looked like complete crap for my demos for the next couple of weeks. And then my friend Abel was like, I’ll help you fix it because he used to be part of the DevSlop project, but then he was really busy and Ignite was happening. So we’re both like flying all over the world and pretty indisposed. And so basically my demos looked really crappy for like a few months and that sucked. So how difficult is it to update? It depends on how good you are at JavaScript and fixing problem, because I was like, my menu is broken and he’s like, just turn off the security header is like Abel, do not turn off my security header. So basically, like I had to put on my approved list for my content security policy header, a bunch of third party things that they had added as part of this GDPR like, except this cookie warning thing. And that was annoying the end. Okay, so let’s look at this more. So all user supplied data needs to be sanitized. I could not agree with the statement more. I want to share this as this. It’s going to wear it in point to it. Whenever I have meetings with certain clients, I’ll be like, like, here’s your pentest results. Like what happened in like this. And then it’s like, don’t trust any user input ever. Not even if it’s from your best friend. So it executes unauthorized code or commands and it can bypass a protection mechanism. Yes, it’s very bad. It’s really not good. 
And so they injected a whole bunch of tags, which can potentially you mark this as multiple vulnerabilities because you successfully injected a bunch of tags or it’s just like it’s one big vulnerability for them to fix. So let’s look at a couple more results and then we’re probably going to wrap up because I actually have to go in 10 minutes because I’m getting my bangs trimmed. That’s right. I have a mask and I’m going to the hairdresser because I literally cannot see like that. Something needs to be done about this. Okay. So total issues, 18 mediums. I like how you’re like, we try not to be too wordy. Okay, let’s look at full path disclosure and default login location. Let’s look at that first. And then we’ll look at full path disclosure, which could also be known as insecure direct object reference if you’re an OCD person. If you have questions, we are nearing the end, so put them in the chat if you have some. So a default location for the website was detected this. This is usually used for administrative accounts and its location is pretty darn easy to guess. So use a location that’s like way less obvious. Super hidden login. Yes. Implement login throttling and or temporary account lockout? Yes. That’s great advice. Also, if possible, disable remote login by third party services such as phpMyAdmin. So that’s great advice actually. Good job. Awesome. So now let’s look at. More results, specifically full path disclosure. Oh, so. Oh, my gosh. I want to look at oops. Full disclosure vulnerabilities enable an attacker to see the path to a web root file. So what that means is they can try to directly reference that and see if they can get that. And that is quite dangerous. Oh, by ovine, Thank you so much. I really appreciate it. Yes, definitely. Reach out on the discord. And thank you so much for coming. I appreciate it. The NeuraLegion guys will definitely be happy to hear from you. Okay. So we don’t want them finding stuff in our root directory. 
We don’t want them finding anything except for our beautiful website GUI that’s fully secure and all of a sudden users are supposed to see in. That’s it. And so this is potentially not really great. So detected was /usr/share. Oh, my gosh. We don’t want to show that. Oh, good evening. So OS detected systems Linux. Yeah. So the /usr/share folder in Linux. There is a lot of stuff in there. We definitely don’t want to actually share that, even though the folder’s name is share so found in URL detected was that a new fake cookie was added with the same name but with a different value appended to the end of the cookies? Oh my. And it’s still let it in. Well, that’s disconcerting. Okay. So to fix this vulnerability. So this is the part that we all want to know the most. Disable debug information on the web servers configuration. Yes. Yes. We don’t want to be giving any information to malicious actors. We want them to try to fingerprint us and find out as little as possible. We want to be more difficult to attack than any of the jerk faces. Want to spend time on us. Right. Because quite often they’re not attacking you. In particular, what they’re attacking is specifically because it’s easy or because they’re trying to generally do a bunch of things. It’s very rare that an advanced attacker has selected you as a very specific long term target, in which case you need to get to know the NeuraLegion people really well and you need to definitely use the buzzer. But what we want to be is more difficult to attack than all the other websites they visited, so they leave us alone. That’s generally for most businesses. Good enough security posture. And so we definitely want to disable the Web servers configuration information and then improve error handling and parsing of cookies. And oh my gosh. Yeah. So the exceptions and errors will not leak internal information 100%, give the least amount of information possible and give information that is specifically helpful to a regular normal user. 
A regular normal user does not need to know about your system files ever. The regular normal users like I need to reset my password. Tanya I forget it or I saved the wrong thing into my password. Manager for Tanya. I need to put more money in my account or whatever. They don’t generally need to know what they don’t ever need to know what your internal files are. Okay. So this is pretty cool that we caught a bunch of stuff. Let’s look at all the scans. Actually, 18 medium sweet broken crystals is pretty fantastic. I like it. And briefly, let me see if it’s still in here. I want to just check out what it looks like and then I think we need to do a wrap, guys. Oh, my God. So evil’s floating head in bars now, laughing at me. Laughing. And I know that that is cool. Oh, my gosh, This is the best.

Speaker 2: He’s too respectful. He won’t do it out loud.

Speaker 1: Oh, my God, I love this. And it’s so lovely how his head’s creepily moving up and down his head. Oh, my gosh. I love this.

Speaker 2: I gather that you don’t recognize the head.

Speaker 1: Well, isn’t this isn’t this the guy from Breaking Bad? Oh, yeah.

Speaker 2: That’s the point of the crystal. It was crystal meth.

Speaker 1: Crystal meth? Yeah, very. The worst type of crystal evil crystal. Oh, my gosh. This is so I have to say, I’m enjoying how beautiful that your. You’re totally vulnerable. App is testimonials. Oh my gosh. I should. Can I put a testimonial of silly stuff? This was the most I feel like my testimonial should be. This is the most beautiful, intentionally vulnerable web app ever. Also, it’s fun to have our laugh at me.

Speaker 2: That’s by our marketing team.

Speaker 1: Oh, my God. It’s no good. Okay. It is time for us to wrap up. Do any users have any last questions? I want to thank you so much for coming, because there are so many things that you can do on the Internet right now. There are lots of different events and Saturday or Saturdays and there’s lots of fun things you could be doing, including this fun thing. So I appreciate you joining us. We’re not be fun without you. The NeuraLegion people also. Really. Thank you so much. Thank you, Arthur. Yes, right. Oh, my gosh. This app so fun. So I don’t think you should ever take this app down. Just to be clear, It’s so great. Thank you so much. I’m going to just put out one more slide for just a second so that you know how to get a hold of all of us in case you need to. Because I think that you might want to visit this website narrowly and also mine, which is it here? So I have our faces on top of it. So perhaps follow NeuraLegion online because they might be sharing more cool stuff like videos of their brother and follow me because I’m a nerd on the internet. And with that, we all want to thank you. I know the guys are being quiet, but they’re really they’re happy you came. We’re all very happy you came. So thank you so very much.

Speaker 2: Thank you. Thank you.

Speaker 1: Thank you. And please feel free to reach out to us. Definitely NeuraLegion can send you is going to for sure send you the link to the video and then a link where probably my slides will just be at that link and it’ll have all the pertinent information and the links for you. And I think that’s it. And you should all still continue to have action or not action access to the tool so you can continue playing with it and the GitHub action, you can continue scanning their broken crystals with it and having fun basically, and try running different tests and see where you get with that. I think we need to close the workshop for today.

Speaker 2: Thanks, everybody who joins. Awesome.

Speaker 1: Pleasure.

Speaker 2: A lot of fun.

Speaker 1: Oh, my gosh. Yes. Actually, this was super duper duper fun. Oh, thank you. Thank you. 

Speaker 2: Thank you. Thanks, everybody.

Speaker 1: Thank you. Bye, everyone.

Speaker 2: Bye bye. Bye.
