USB devices are so convenient. Whenever we need to store small amounts of data, we use a USB stick. Everyone owns one and we generally trust it to be safe. USB keys are one of the main ways to do industrial espionage, but attacks against random civilians and companies are also common.

The 2018 Honeywell report on USB threat to industrial operators analyzed a sample of 50 locations. Energy, chemical manufacturing, pulp & paper, oil & gas and other industrial facilities were concerned by the study. Among the locations targeted, 44% blocked a suspicious file originating from USB ports and 15% of the threats detected and blocked were high-profile threats, like Stuxnet, Wannacry and Mirai.

Internet of Things security is a current topic, however penetration testing on connected devices are far from being a widespread practice. Most manufacturers prioritize product functionalities and design first. However, even with a “security by design” approach, pentesting remains essential to know the real security risks, and then to take the necessary measures.

What is a Cross Site Request Forgery Attack?

The CSRF is an attack that forces an end user to perform unwanted actions and without noticing on a web application he/she is currently authenticated.
CSRF attacks specifically target requests that make modifications, not data theft, because the attacker has no way of seeing the response of the falsified request. The outcome of the actions is what interests the attacker.

This type of attack is based on the fact that when a user is authenticated on an application, it will usually provide a session ID that its browser stores in a cookie.

Each time the user sends a request to the server, the browser will also automatically send this session cookie. You can find in linked article more information about CSRF attacks.

Keep in mind that a CSRF attack only needs that the user stays connected (without having an open page or tab of the website) to be working.

We often think that a firewall restrictive enough protects the access to non-open services. We also believe that only a compromise machine can give access to the internal network. We are indeed wrong, and that’s what we are going to see with a web application vulnerability: The Server-Side Request Forgery, or SSRF.

What is an SSRF?

From a vulnerable web application, an SSRF makes possible to interact with the server, in order to extract files and to find its other active services. But there is more. It is also possible to scan the internal network to cartography IP and open ports.

During our audits, we often encounter user enumerations that could be easily avoided with the right methods. In this article, we will discuss user enumerations on login forms, password reset forms, and account creation forms. However, user enumerations may be present on other features, such as search forms or message submissions.

The usual way to manage users’ sessions in a PHP application is to use session cookies, named “PHPSESSID” by default. When a user connects to the application, it generates a unique session identifier, that is stored on the server and then returned to the client with the “Set-Cookie” header. With that, the session cookie is stored on the web browser.
Cookies are designed to be systematically sent back to the server, on every request. That solution is a good way to handle usual user login and logout scenarios.

However, this type of mechanics does not allow multiple platforms or applications to easily authenticate a user with a single session. Also, the server needs to keep the session’s state and data in its memory.

This series of articles will walk you through the most important topics about security and mobile applications, whatever the platform is (iOS, Android or others).
The objective is to demystify the different aspects of mobile security, in simple words.

This third episode will walk you through vulnerabilities related to data transportation.

This series of articles will walk you through the most important topics about security and mobile applications, whatever the platform is (iOS, Android or others).
The objective is to demystify the different aspects of mobile security, in simple words.

This second episode makes a focus on insecure data storage.

This series of articles will walk you through the most important topics about security and mobile applications, whatever the platform is (iOS, Android or others).
The objective is to demystify the different aspects of mobile security, in simple words.

Topic number 1 this week: Server-side controls

Like many frameworks, Symfony provides built-in security. Symfony is pretty secure as a framework, but it would be a big mistake to entirely rely on that reputation to ensure the security of any application. Because every application is different, the security context is different. Therefore, developers still have a big role in ensuring everything is properly configured and tested.

Input filtering, authentication and session management… This series of articles will go through the different mechanisms that you, as a Symfony developer, can use to make sure the application you develop is safe and reliable.
And because built-in security does not necessarily mean “already done”, we will see what is really important and common pitfalls.