Tokopedia Web Security Workshop

Deny
Tokopedia Engineering
4 min read, Aug 13, 2019

On Thursday, 11 July 2019, the Tokopedia IT Security team held its first IT Security Workshop: Web Application Security. The workshop was attended by 25 selected participants out of the 350 enthusiastic registrants across Indonesia, who came from various industries, including the technology industry.

The workshop was opened by Setiawan Hermanto (Head of IT Security, Tokopedia) and mentored by Dwi Andi Suharyanto (IT Security Senior Lead), Sulhaedir (Senior IT Security Analyst), Deny Febriyanto (IT Security Analyst), and Rahmat Ramadhan (Senior IT Security Analyst). All the workshop content and activities were prepared and curated by the mentors themselves to ensure that the participants could fully understand each session.

At the beginning of the workshop, the Tokopedia team shared the approaches attackers and penetration testers use in their work. The team then introduced intermediate and advanced techniques, such as Blind SQL Injection to RCE, Insecure Deserialization to RCE, Local File Inclusion to RCE, XSS (Cross-site Scripting) to RCE, and SSRF (Server Side Request Forgery) to RCE. RCE stands for Remote Code Execution, the most severe outcome of these chains: the ability to run arbitrary commands on the targeted server.

We started the first session with the Blind SQL Injection to RCE topic. Blind SQL Injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer from the application's response. In this session, the participants were asked to extract data from the database with the Blind SQL Injection technique. The mentor also showed how to use “Burp Suite Repeater” to support the Blind SQL Injection process.

Afterward, we continued with Insecure Deserialization to RCE as the next session. Insecure Deserialization is a vulnerability that occurs when an application deserializes untrusted data, which can then be used to abuse the application's logic. In this session, participants used “Burp Suite” to identify a vulnerable function call in the web app that led to Insecure Deserialization and could be abused to gain RCE.

The third session was Local File Inclusion to RCE. Local File Inclusion (LFI) is an attack that tricks the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). In this session, the participants could use LFI to read a file stored on the system. The application also wrote data from every session, including request headers, to “/var/lib/PHP/sessions/sess_PHPSESSID”, which could be abused to get RCE: the participants needed to set their “User-Agent” header to a PHP script and then include that session file to get the RCE running.
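From the defender's side, the LFI-to-session-file chain above leaves a recognisable trail in the web server access log: traversal sequences in a parameter, a reference to a PHP session file, and a User-Agent carrying a PHP open tag. The following detector is an added example, not code from the workshop; the log lines, IP addresses and session id are constructed, and the log format assumed is the common Apache/nginx "combined" format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2019:10:02:11 +0700] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jul/2019:10:02:15 +0700] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jul/2019:10:02:20 +0700] "GET /index.php?page=home HTTP/1.1" 200 400 "-" "<?php echo 'poisoned'; ?>"
203.0.113.5 - - [11/Jul/2019:10:02:25 +0700] "GET /index.php?page=../../var/lib/php/sessions/sess_abc123 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jul/2019:10:03:00 +0700] "GET /index.php?page=contact HTTP/1.1" 200 610 "-" "curl/7.64.1"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def decode(value: str) -> str:
    """URL-decode twice so that double-encoded traversal (%252e%252e) is also caught."""
    return unquote(unquote(value)).lower()

def classify(path: str, ua: str) -> list[str]:
    """Return the indicator names matched by one request (empty list if clean)."""
    p, u = decode(path), decode(ua)
    found = []
    if "../" in p or "..\\" in p:
        found.append("path_traversal")
    if "/sessions/sess_" in p or "php/sessions" in p:
        found.append("session_file_include")
    if "<?php" in u or "<?=" in u:
        found.append("php_tag_in_user_agent")
    return found

def analyze_log(text: str) -> list[dict]:
    """Parse combined-format lines and report every request with at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        tags = classify(m["path"], m["ua"])
        if tags:
            findings.append({"line": lineno, "ip": m["ip"], "indicators": tags})
    return findings

def poisoning_chains(findings: list[dict]) -> set[str]:
    """IPs that both sent a PHP tag in a User-Agent and included a session file."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["indicators"])
    return {ip for ip, t in by_ip.items() if {"php_tag_in_user_agent", "session_file_include"} <= t}
```

A single indicator is worth an alert on its own; an IP that triggers both the User-Agent and session-file indicators is the full chain and should be treated as a likely compromise of the session store.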

The fourth session was Server Side Request Forgery (SSRF). SSRF is a vulnerability that occurs when an attacker forces a server to perform requests on their behalf. In this session, participants used the bug to add SSH access to the system. To do so, they first needed to find the real IP of the system, which was hidden behind a load balancer. Participants could use the SSRF bug to make the server request a Burp Collaborator domain or https://webhook.site/, which revealed the real IP in the incoming callback.

In the last session, the Tokopedia team introduced XSS (Cross-Site Scripting). The participants accessed a WordPress website that was vulnerable to XSS. An “Admin” account refreshed the vulnerable page every 30 seconds. The participants needed to write an XSS script that made the “Admin” session add their shell to the site, which in turn gave them RCE.

In general, for each topic the mentor introduced the principle, followed by hands-on sessions in the provided lab environment. The hands-on sessions helped the participants understand the material better by putting the given knowledge into practice. During the hands-on sessions, the participants followed the instructions closely.

The mentors, who form the IT Security Threat (Red) team, demonstrated their strong capabilities in raising the level of application security and validated their expertise on the subject. I hope this culture of knowledge-sharing will continue so that we can scale up our impact.

At the end of the day, it felt personally rewarding for me to be able to share professional knowledge and skills with the participants. I believe that knowledge sharing brings endless benefits to the company: it leads to more creative problem solving, and it preserves and enhances the knowledge we already have today.

See you in another IT Security Workshop!