WEBVTT - This file was automatically generated by VIMEO 1 00:00:00.400 --> 00:00:03.200 Welcome to the third and last part of insufficient logging and 2 00:00:03.200 --> 00:00:04.200 monitoring session. 3 00:00:06.200 --> 00:00:08.700 In this part, we will discuss mitigation. 4 00:00:09.500 --> 00:00:12.600 We will start discussing what makes an application vulnerable. And 5 00:00:12.600 --> 00:00:15.300 then we will handle ask just shop, vulnerable source 6 00:00:15.300 --> 00:00:18.600 code, before closing, this session. We will discuss how 7 00:00:18.600 --> 00:00:22.100 to avoid such vulnerabilities when auditable 8 00:00:21.100 --> 00:00:24.500 events, such as login, either successful or 9 00:00:24.500 --> 00:00:27.600 failed attempts. And high-value transactions are not locked 10 00:00:27.600 --> 00:00:31.300 or log messages. Do not include enough details, applications 11 00:00:30.300 --> 00:00:33.700 are at risk. If logs 12 00:00:33.700 --> 00:00:36.700 are stored locally, only or they are not monitored for 13 00:00:36.700 --> 00:00:39.100 suspicious activity, then they won't help. 14 00:00:39.400 --> 00:00:42.400 Stations to detect and mitigate security incidents on 15 00:00:42.400 --> 00:00:45.400 a timely fashion. If allergen thresholds are 16 00:00:45.400 --> 00:00:48.300 not, well, adjusted or response, Collision process are 17 00:00:48.300 --> 00:00:51.400 not in place or effective. Then militias activity, may 18 00:00:51.400 --> 00:00:54.200 still pass, unnoticed the same is valid. If all 19 00:00:54.200 --> 00:00:58.600 this fails under attack due to high traffic or load already 20 00:00:58.600 --> 00:01:01.300 discussed security misconfigurations, may make logs 21 00:01:01.300 --> 00:01:04.100 and alerting events available to regular users and 22 00:01:04.100 --> 00:01:07.700 attackers leaving the application vulnerable. Let's 23 00:01:07.700 --> 00:01:09.300 now have a look at the source code. 24 00:01:09.400 --> 00:01:09.500 Okay. 25 00:01:11.600 --> 00:01:14.700 From projects page, we will jump straight to the GitHub repo. 26 00:01:23.600 --> 00:01:26.400 We are looking for the server.js script where 27 00:01:26.400 --> 00:01:28.500 we should find a log in route setup. 28 00:01:48.200 --> 00:01:51.500 The login function is implemented in the road /. Login 29 00:01:51.500 --> 00:01:54.600 dot J's file. Let's jump to the implementation. 30 00:01:57.900 --> 00:02:00.200 This is a server-side source code responsible to 31 00:02:00.200 --> 00:02:01.300 perform the login. 32 00:02:07.600 --> 00:02:10.500 First, we have a database query to bring the matching records. 33 00:02:23.300 --> 00:02:26.500 This source code Branch corresponds to a successful login. 34 00:02:26.200 --> 00:02:29.500 The after login function is called, let's 35 00:02:29.500 --> 00:02:30.900 check its implementation. 36 00:02:37.300 --> 00:02:40.000 All its logic is focused on finding or creating a 37 00:02:40.300 --> 00:02:43.400 new user shopping basket. Nothing related to the login. 38 00:02:52.900 --> 00:02:55.500 Back to the login function, failed. Login attempts 39 00:02:55.500 --> 00:02:58.800 are handled in this source code Branch again. 40 00:02:58.300 --> 00:03:01.600 No logging just a 401 HTTP 41 00:03:01.600 --> 00:03:03.400 response, tax code has returned. 42 00:03:05.200 --> 00:03:08.500 In case of exception, the next Express framework, Handler 43 00:03:08.500 --> 00:03:11.200 is called. Let's get back to the main 44 00:03:11.200 --> 00:03:14.300 server. Dot J's file, and check how they are handling is 45 00:03:14.300 --> 00:03:14.800 set up. 46 00:03:39.200 --> 00:03:43.500 Errors are handled by the air handler function provided 47 00:03:43.500 --> 00:03:46.300 by the node.js package, with the same name. 48 00:03:59.700 --> 00:04:02.400 According to the package documentation. It is only 49 00:04:02.400 --> 00:04:05.200 intended to be used in development. But this is 50 00:04:05.200 --> 00:04:07.400 the only error handling Juice Shop uses. 51 00:04:12.500 --> 00:04:15.400 Still, according to the documentation full, Lahore stack 52 00:04:15.400 --> 00:04:18.600 traces and internal details of any object passed to. This module 53 00:04:18.600 --> 00:04:20.400 will be sent back to the client. 54 00:04:21.600 --> 00:04:24.200 This makes sense since we didn't see any her log 55 00:04:24.200 --> 00:04:27.300 files, during the exploitation part, and in several other 56 00:04:27.300 --> 00:04:30.300 sessions. We have got a horse client-side including such 57 00:04:30.300 --> 00:04:31.100 information. 58 00:04:33.400 --> 00:04:36.400 Either successful in failed, login attempts, should be logged, as 59 00:04:36.400 --> 00:04:39.300 well as input, validation failures. Such 60 00:04:39.300 --> 00:04:42.900 logs should include sufficient user context to identify suspicious 61 00:04:42.900 --> 00:04:45.600 or malicious accounts and help for sufficient 62 00:04:45.600 --> 00:04:48.800 time to allow delayed forensic analysis. Choose 63 00:04:48.800 --> 00:04:51.400 standard formats for logging enabling logs 64 00:04:51.400 --> 00:04:54.400 to be consumed by a centralized log management solution. 65 00:04:55.600 --> 00:04:58.400 High-value transactions should have an audit trail with 66 00:04:58.400 --> 00:05:01.900 Integrity controls to prevent tampering and deletion an 67 00:05:01.900 --> 00:05:04.500 append-only database table, or similar may 68 00:05:04.500 --> 00:05:07.400 be an F. But nowadays, you can take advantage of other 69 00:05:07.400 --> 00:05:11.100 Technologies, such as blockchain, adopting, 70 00:05:10.100 --> 00:05:13.700 a security incident and event management solution 71 00:05:13.700 --> 00:05:16.400 will certainly help implementing effective, monitoring and 72 00:05:16.400 --> 00:05:19.500 alerting a dedicated team in the proper incident 73 00:05:19.500 --> 00:05:22.500 response. And Recovery plan will get your organization in 74 00:05:22.500 --> 00:05:24.700 a better shape to handle security incidents. 75 00:05:24.800 --> 00:05:27.500 Apparently, I hope you have enjoyed our 76 00:05:27.500 --> 00:05:30.600 journey through the top 10, most common web application security, 77 00:05:30.600 --> 00:05:33.200 risks. You can continue practicing on 78 00:05:33.200 --> 00:05:36.200 all hospitals shop. There are several other vulnerabilities to 79 00:05:36.200 --> 00:05:39.200 find, remember to check our apps website that 80 00:05:39.200 --> 00:05:42.500 allows plot Arc and join your local chapter. Cheers.