Understanding the 7 deadly web application attack vectors
Stephane Konarkowski
22nd July 2020
Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Really good at breaking technology
What you will learn:
• Think like a hacker
• Get inside knowledge on how multiple discovery techniques should be used to assess web
• Delve into the seven deadly
• Top tips on creating a complete security blueprint of your critical web apps and a continuous application security program based on your attack surface
We look at your Web Application like a hacker does
Pen Tester vs Hacker vs Burglar
Hacker, Pen Tester, Burglar: what they have in common
Which vectors are they looking at?
7 Vectors
Security Mechanism (SM)
HTTP   http://www.bank-example.com   Password: abc123
HTTPS  https://www.bank-example.com  Password: e99a18c428cb38d5f260853678922e03
1) SSL Certificate Encryption
2) TLS Transport
Anatomy of a URL: http://www.example.com:123/forum/questions/?tag=networking&order=newest#top
  scheme    = http
  authority = www.example.com:123 (host www.example.com, port 123)
  path      = /forum/questions/
  query     = ?tag=networking&order=newest
  fragment  = #top
Security Mechanism (SM)
Input Validation: client side, server side; both = better
Input validation can be bypassed.
Security Mechanism (SM)
Risk Associated with SM
• Non-Encrypted
• Intercepted
• Stolen Data
• Developers often assume that the client won't modify the data
• The Web Application Hacker's Handbook
Page Creation Method (PM)
Client side (CS) runs scripts on your computer after you've loaded a web page.
Server side (SS) runs scripts before the HTML is loaded.
Server-side code is a source of vulnerabilities.
Server-side languages: PHP, ASP, Java, Python, Ruby
Page Creation Method (PM)
Risk Associated with PM
• PHP Object Injection
• Java deserialization
• Server-Side Vulnerabilities like SQL Injection
Attacks that cause a hosted application to operate in unexpected or unpredictable ways can result in private data leaking out through either HTTP responses or logs.
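The PHP object injection and Java deserialization risks above have the same root: a serialization format that lets the sender name which class the server instantiates. As an added example (not code from the Outpost24 deck), the block below shows the same risk in Python's pickle format and the control against it: an unpickler that refuses every class reference, so only plain data loads, beside a data-only JSON parser with an explicit shape check. The `Order` class and the payloads are constructed for the example.

```python
import io
import json
import pickle

# Added example, not code from the Outpost24 deck: the server-side
# deserialisation risk it names (PHP object injection, Java deserialisation)
# applies to any format that can name classes. Python's pickle is one such
# format; this shows the control, not an exploit.


class Order:
    """Hypothetical application class; pickling an instance records the class name."""

    def __init__(self, order_id, qty):
        self.order_id = order_id
        self.qty = qty


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (class/function) reference.

    pickle calls find_class() for each class the stream names; raising here
    means no application or library code can be instantiated by the sender.
    Plain containers and scalars (dict, list, str, int, ...) never go through
    find_class, so ordinary data still loads.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def accepted(data: bytes) -> bool:
    """True if the restricted unpickler loads the bytes without naming a class."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def parse_order_json(text: str) -> dict:
    """Preferred alternative: a data-only format plus an explicit shape check."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"order_id", "qty"}:
        raise ValueError("unexpected shape")
    if not isinstance(obj["order_id"], int) or not isinstance(obj["qty"], int):
        raise ValueError("unexpected types")
    return obj


# Constructed sample inputs: a plain data payload and one that names a class.
DATA_PAYLOAD = pickle.dumps({"order_id": 7, "items": [1, 2, 3]})
CLASS_PAYLOAD = pickle.dumps(Order(7, 3))

if __name__ == "__main__":
    print("data payload accepted:", accepted(DATA_PAYLOAD))    # True
    print("class payload accepted:", accepted(CLASS_PAYLOAD))  # False
    print(parse_order_json('{"order_id": 7, "qty": 3}'))
```

The allowlist-free `find_class` is the strictest setting; a real service that genuinely needs a class or two would return `super().find_class(module, name)` for an explicit, fixed set and raise for everything else.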
Degree of Distribution (DOD)
Cross-domain problems are a common source of vulnerabilities
WWW.WEBSITE.COM = SUBDOMAIN . 2nd LEVEL DOMAIN . TOP LEVEL DOMAIN
More attack vectors (the application spans across domains)
Degree of Distribution (DOD)
Risk Associated with DOD
• A secure web application that connects to other web applications, or is associated with them, can be attacked from a vulnerable one.
• A script from page A can only access data from page B if they are of the same origin.
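The same-origin rule in the last bullet compares scheme, host and port, not just the domain name, so a subdomain, a different port or plain HTTP each count as a different origin. As an added example (not from the deck), the block below writes that comparison out, filling in the scheme's default port when a URL omits it, and lists which of a page's targets a script on that page cannot read directly. The page and target URLs are constructed.

```python
from urllib.parse import urlsplit

# Added example, not from the Outpost24 deck: the same-origin rule stated on
# the slide, written out as a check. An origin is (scheme, host, port), with
# the scheme's default port filled in when the URL omits it.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """A script from page A may read data from page B only when this is True."""
    return origin(url_a) == origin(url_b)


def cross_origin_targets(page_url: str, target_urls: list) -> list:
    """Targets a page script cannot read directly under the same-origin policy."""
    return [t for t in target_urls if not same_origin(page_url, t)]


# Constructed sample: one page and the resources its scripts talk to.
PAGE = "https://www.website.com/account"
TARGETS = [
    "https://www.website.com:443/api/balance",  # same origin (default port spelled out)
    "http://www.website.com/api/balance",       # scheme differs
    "https://api.website.com/balance",          # subdomain differs
    "https://www.website.com:8443/admin",       # port differs
]

if __name__ == "__main__":
    for target in TARGETS:
        print(same_origin(PAGE, target), target)
```

The subdomain case is the one the DOD slide is about: www.website.com and api.website.com share a second-level domain but are separate origins, so trust between them has to be granted explicitly (CORS headers, cookie scope) rather than assumed.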
Authentication (AUTH)
Usernames, Emails, Passwords, Domains & much more
Authentication (AUTH)
Risk Associated with Authentication
• Curiosity: Yes
• Trusted: To a degree
• Important: Maybe
• Data: Oh yeah
Input Vectors (IV)
The more input vectors, the more complex
• File Upload
• Search Functions
• Other Forms
• External Engines
Input Vectors (IV)
Risk Associated with Input Vectors
Input Validation Attacks: Cause, Exploits, Impacts
Cause: Failure to properly validate data at the entry and exit points of the application
Exploits: Injection of malicious input such as code, scripting or commands that can be interpreted/executed by different targets to exploit vulnerabilities:
• Browser: XSS, XFS, HTML-Splitting
• Data repositories: SQL Injection, LDAP injection
• Server side file processing: XML, XPATH
• Application/Server/O.S.: File uploads, Buffer Overflow
Impacts: Phishing, Information Disclosure (PII), Data Modification, Denial of Service, Financial Loss, Reputation Loss
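The "data repositories: SQL Injection" line and the earlier note that input validation can be bypassed are two views of the same failure at the entry point. As an added example (not from the deck), the block below puts the vulnerable query (input spliced into SQL text) beside the parameterized one, and adds an allowlist check at the entry point so both layers are present; the table, rows and inputs are constructed.

```python
import re
import sqlite3

# Added example, not from the Outpost24 deck: the "data repositories: SQL
# injection" case, showing the entry-point failure (input spliced into SQL)
# beside the fix (parameterised query) and an allowlist check at the entry.


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def search_vulnerable(conn, username: str) -> list:
    # The input becomes part of the SQL text, so it can change the query's meaning.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, username: str) -> list:
    # The driver passes the value separately; it can never become SQL grammar.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Allowlist validation at the entry point: only characters a username may contain."""
    return USERNAME_RE.fullmatch(value) is not None


def search_hardened(conn, username: str) -> list:
    """Validate at the entry point, then query with parameters; both layers are kept."""
    if not is_valid_username(username):
        raise ValueError("rejected username")
    return search_parameterized(conn, username)


# Constructed inputs: a normal lookup and the textbook tautology string.
NORMAL = "alice"
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, TAUTOLOGY))      # both rows
    print("parameterized:", search_parameterized(conn, TAUTOLOGY))  # no rows
    print("valid input?", is_valid_username(TAUTOLOGY))           # False
```

The parameterized query alone closes the injection; the allowlist is the second, cheaper line that also stops malformed input reaching the LDAP, XML or file-handling code paths the slide lists, where a parameterized API may not exist.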
Active Content Technology (ACT)
• JavaScript
• Java Applet
• AJAX
• Externally Loaded
• RIA
• RSS
• & more
Active Content Technology (ACT)
Risk Associated with ACT
Active content contains programs that trigger automatic actions on a Web page without the user's knowledge or consent. All Web users are regularly exposed to active content.
• Code that you have copied
• Code that sits on an external site (no control)
Vulnerabilities in the scripting language are exploited to carry malicious code, which could be downloaded through a Web browser and executed on a local system without the user's knowledge or consent.
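For "code that sits on an external site (no control)" one control the deck does not name is Subresource Integrity (SRI): the page pins the hash of the script it loads, and the browser refuses to execute a copy whose bytes no longer match. As an added example (not from the deck), the block below computes that pin, emits the script tag carrying it, and performs the check the browser performs; the script body is constructed.

```python
import base64
import hashlib
import hmac

# Added example, not from the Outpost24 deck: one control for "code that sits
# on an external site (no control)". Subresource Integrity (SRI) lets the page
# pin the hash of a script it loads from elsewhere; the browser refuses to run
# the script if the bytes served no longer match. The script body is constructed.


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form the integrity= attribute expects."""
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, body: bytes) -> str:
    """Script tag pinning the body that src served at the time of review."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def matches_pin(body: bytes, integrity: str) -> bool:
    """The check the browser makes before executing: does the fetched body match the pin?"""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(body, algo), integrity)


# Constructed sample: the vetted script and a later, altered copy.
VETTED = b"window.widget = function () { return 42; };\n"
ALTERED = VETTED.replace(b"42", b"43")
PIN = sri_hash(VETTED)

if __name__ == "__main__":
    print(script_tag("https://cdn.example/widget.js", VETTED))
    print("vetted matches:", matches_pin(VETTED, PIN))    # True
    print("altered matches:", matches_pin(ALTERED, PIN))  # False
```

The pin has to be refreshed whenever the third party legitimately ships a new version, which is the point: every change to externally hosted code becomes a deliberate review step on your side instead of a silent one on theirs.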
Cookies (CS)
Own Cookies & Foreign Cookies
• Session
• Persistent
Cookies (CS)
Risk Associated with Cookies
• Cross Site Request Forgery Attack (XSRF)
• Session Fixation
• Cross-Site Scripting
• Cookie Tossing Attack
• Cookie Overflow Attack
• Tracking/Privacy
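Several of the cookie risks just listed are decided by attributes on the Set-Cookie header (Secure, HttpOnly, SameSite, Domain, the __Host- prefix), and session fixation by whether the server issues a fresh ID at login. As an added example (not from the deck), the block below audits a Set-Cookie header against those risks, emits a hardened session cookie, and shows login-time session-ID regeneration; the headers and session store are constructed, and the cookie overflow and tracking risks are not covered.

```python
import secrets

# Added example, not from the Outpost24 deck: an audit of a Set-Cookie header
# against the risks listed on the slide, a hardened session cookie, and
# session-ID regeneration at login against session fixation. Constructed data.


def parse_set_cookie(header: str) -> tuple:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_or_True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_set_cookie(header: str) -> list:
    """Findings mapped to the slide's risks (XSRF, fixation aside, XSS, cookie tossing)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: sent over plain HTTP, can be intercepted")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: script can read it, so XSS steals the session")
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or samesite.lower() == "none":
        findings.append("no SameSite=Lax/Strict: attached to cross-site requests (XSRF)")
    if "domain" in attrs:
        findings.append("Domain set: any sibling subdomain can overwrite it (cookie tossing)")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: browser does not enforce Secure, no Domain, Path=/")
    return findings


def hardened_session_cookie(session_id: str) -> str:
    return f"__Host-sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Minimal server-side store; login() discards the pre-login ID (anti-fixation)."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # An ID that may have been planted before login must not survive it.
        state = self._sessions.pop(old_sid, {"user": None})
        state["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


def login_rotates_id(store: SessionStore, user: str) -> bool:
    """True when login issues a new ID and the old one no longer resolves."""
    old = store.create()
    new = store.login(old, user)
    return new != old and store.user_for(new) == user and store.user_for(old) is None


# Constructed header as a weak deployment might send it.
WEAK_HEADER = "sid=abc123; Path=/; Domain=website.com"

if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_HEADER):
        print("-", finding)
    print(hardened_session_cookie("example-id"))
    print("login rotates id:", login_rotates_id(SessionStore(), "alice"))
```

The __Host- prefix is what ties the DOD and cookie slides together: with it, the browser rejects the cookie unless it is Secure, has Path=/ and carries no Domain attribute, so a compromised sibling subdomain cannot plant or overwrite the session cookie.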
How to Score
Attack Surface based on Vectors
Attack Surface: Max Score 39,19
Business Criticality
• Is this application revenue generating?
• Is this application hosting sensitive information and customer data (PII)?
Update Frequency
• No application updates
• Application updates occur once a year
• Application updates occur several times a year
• Updates occur continuously
Complexity Level
• Application with a high number of pages
• Application with dynamic content
• Application with multiple inputs (forms)
Criticality + Updates + Complexity → ARS (Application Risk Score)
Understanding your application
Application Risk Score (ARS)
Application Name | Surface Score | Criticality: Availability | Criticality: Confidentiality | Criticality: Integrity | Update frequency | Appsec Program
demo1.com        | 20.45         | 2 | 2 | 2 | 1 | 5
demo2.com        | 20.22         | 3 | 2 | 2 | 2 | 9
! CVSS becomes CASS
Attack Surface Radar (chart: Airline vs Other)
Application Security Program (ASP)
Onboarding
Scout
?=?
Paying Attention
How many have you counted in the presentation?
The right answer gets a Free Scout Assessment
Takeaways?
Takeaways
• Yes, cookies are also in that bag
• Understand how it's built to better defend
• Not all of them need an in-depth assessment
• If you don't know what you have …
• It's not the big door they will open
Stephane Konarkowski
Senior Security Consultant
sk@outpost24.com
Questions?
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Odoo ERP for Education Management to Streamline Your Education Process
Odoo ERP for Education Management to Streamline Your Education ProcessOdoo ERP for Education Management to Streamline Your Education Process
Odoo ERP for Education Management to Streamline Your Education Process
iVenture Team LLP
 
Full Cracked Resolume Arena Latest Version
Full Cracked Resolume Arena Latest VersionFull Cracked Resolume Arena Latest Version
Full Cracked Resolume Arena Latest Version
jonesmichealj2
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
DVDFab Crack FREE Download Latest Version 2025
DVDFab Crack FREE Download Latest Version 2025DVDFab Crack FREE Download Latest Version 2025
DVDFab Crack FREE Download Latest Version 2025
younisnoman75
 
Microsoft Excel Core Points Training.pptx
Microsoft Excel Core Points Training.pptxMicrosoft Excel Core Points Training.pptx
Microsoft Excel Core Points Training.pptx
Mekonnen
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
Imma Valls Bernaus
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Implementing promises with typescripts, step by step
Implementing promises with typescripts, step by stepImplementing promises with typescripts, step by step
Implementing promises with typescripts, step by step
Ran Wahle
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation  New VersionF-Secure Freedome VPN 2025 Crack Plus Activation  New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Odoo ERP for Education Management to Streamline Your Education Process
Odoo ERP for Education Management to Streamline Your Education ProcessOdoo ERP for Education Management to Streamline Your Education Process
Odoo ERP for Education Management to Streamline Your Education Process
iVenture Team LLP
 
Full Cracked Resolume Arena Latest Version
Full Cracked Resolume Arena Latest VersionFull Cracked Resolume Arena Latest Version
Full Cracked Resolume Arena Latest Version
jonesmichealj2
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
DVDFab Crack FREE Download Latest Version 2025
DVDFab Crack FREE Download Latest Version 2025DVDFab Crack FREE Download Latest Version 2025
DVDFab Crack FREE Download Latest Version 2025
younisnoman75
 
Microsoft Excel Core Points Training.pptx
Microsoft Excel Core Points Training.pptxMicrosoft Excel Core Points Training.pptx
Microsoft Excel Core Points Training.pptx
Mekonnen
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
🌱 Green Grafana 🌱 Essentials_ Data, Visualizations and Plugins.pdf
Imma Valls Bernaus
 

Outpost24 webinar - Understanding the 7 deadly web application attack vectors

  • 1. Understanding the 7 deadly web application attack vectors. Stephane Konarkowski, 22nd July 2020
  • 2. Helping customers improve security posture since 2001. Full stack security assessment. Over 2,000 customers in all regions of the world. Really good at breaking technology.
  • 3. What you will learn:
    • Think like a hacker
    • Get inside knowledge on how multiple discovery techniques should be used to assess web
    • Delve into the seven deadly
    • Top tips on creating a complete security blueprint of your critical web apps and a continuous application security program based on your attack surface
  • 4. We look at your Web Application like a hacker does
  • 5. Pen Tester vs Hacker vs Burglar: what a Hacker, a Pen Tester and a Burglar have in common
  • 6. Which Vectors are they looking at
  • 8. Security Mechanism (SM)
    HTTP vs HTTPS:
    • http://www.bank-example.com   Password: abc123
    • https://www.bank-example.com   Password: e99a18c428cb38d5f260853678922e03
    1) SSL Certificate Encryption
    2) TLS Transport
    Anatomy of a URL, as labelled on the slide:
    http://www.example.com:123/forum/questions/?tag=networking&order=newest#top
    scheme = http; authority = www.example.com:123 (host www.example.com, port 123); path = /forum/questions/; query = tag=networking&order=newest; fragment = top
  • 9. Security Mechanism (SM): Input Validation. Client side (can be bypassed), Server side, Both = Better
  • 10. Security Mechanism (SM): Risk Associated with SM
    • Non-encrypted
    • Intercepted
    • Stolen data
    • Developers often assume that the client won't modify the data (The Web Application Hacker's Handbook)
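Slides 9 and 10 make the point that a browser-side check is only a convenience: the request can be sent from any HTTP client with the JavaScript never run, and with any hidden field (a price, a limit) rewritten. The following is an added example, not material from the webinar, showing what the server side has to do about that: re-validate every field against an allow-list and recompute anything that matters from its own data. The catalogue, the limits, the field names and the account-id format are all made up for the example.

```python
"""Server-side re-validation of a form the browser has already 'checked'.

Added example (not from the webinar). The client-side script can be skipped
entirely, so every field is treated as untrusted here and the price comes
from the server's own catalogue, never from the submitted form.
Catalogue, limits and field names are hypothetical.
"""
import re
from decimal import Decimal

# Hypothetical server-side catalogue: the only trustworthy source of prices.
CATALOG = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("249.00")}
MAX_QTY = 10
QTY_RE = re.compile(r"[0-9]{1,6}")            # ASCII digits only
ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{8}")  # hypothetical account-id format


class ValidationError(ValueError):
    """Raised when a submitted field fails a server-side check."""


def validate_order(form):
    """Return an order built only from allow-listed, server-checked values.

    `form` is the decoded POST body as a dict of str -> str. Any extra field
    the client adds (for example a tampered 'price') is simply never read.
    """
    sku = form.get("sku", "")
    if sku not in CATALOG:                       # allow-list, not a pattern
        raise ValidationError("unknown sku")

    qty_raw = form.get("qty", "")
    if QTY_RE.fullmatch(qty_raw) is None:        # rejects '', '-1', '1e9', ' 5'
        raise ValidationError("qty is not a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("qty out of range")

    account = form.get("account", "")
    if ACCOUNT_RE.fullmatch(account) is None:
        raise ValidationError("malformed account id")

    # The total is recomputed from the catalogue; the client's price is ignored.
    return {"sku": sku, "qty": qty, "account": account, "total": CATALOG[sku] * qty}


def process_submissions(forms):
    """Validate each form; return (accepted orders, rejection reasons)."""
    accepted, rejected = [], []
    for form in forms:
        try:
            accepted.append(validate_order(form))
        except ValidationError as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed submissions: one honest, two that the browser-side check would
# never have produced because that check was simply not run.
SUBMISSIONS = [
    {"sku": "SKU-200", "qty": "2", "account": "GB12345678"},
    {"sku": "SKU-200", "qty": "2", "account": "GB12345678", "price": "0.01"},
    {"sku": "SKU-100", "qty": "9999", "account": "GB12345678"},
]

if __name__ == "__main__":
    ok, bad = process_submissions(SUBMISSIONS)
    for order in ok:
        print("accepted:", order)
    for reason in bad:
        print("rejected:", reason)
```

The second submission is the classic "client won't modify the data" case from the Hacker's Handbook: the tampered price is accepted as a request but has no effect, because the server never reads it.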
  • 11. Page Creation Method (PM). Client side (CS) runs scripts on your computer after you've loaded a web page. Server side (SS) runs scripts before the HTML is loaded. Server-side code is a source of vulnerability. Server-side languages: PHP, ASP, Java, Python, Ruby
  • 12. Page Creation Method (PM): Risk Associated with PM
    • PHP Object Injection
    • Java deserialization
    • Server-side vulnerabilities like SQL injection
    Attacks that cause a hosted application to operate in unexpected or unpredictable ways can result in private data leaking out through HTTP responses or logs.
  • 13. Degree of Distribution (DOD). Cross-domain problems are a common source of vulnerabilities. WWW.WEBSITE.COM = subdomain (WWW) + 2nd level domain (WEBSITE) + top level domain (COM). More attack vectors (spans across)
  • 14. Degree of Distribution (DOD): Risk Associated with DOD
    • A secure web application that connects to other web applications, or is associated with them, can be attacked from a vulnerable one.
    • A script from page A can only access data from page B if they are of the same origin.
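Slide 8 names the parts of a URL and slide 14 states the same-origin rule; what ties them together is that browsers compare only three of those parts (scheme, host, port), so a subdomain of the same registered domain is already a different origin. The following added example (not the webinar's own material) splits the slide's example URL into its components with the Python standard library and implements the origin comparison; the website.com pairs are constructed.

```python
"""URL anatomy (slide 8) and the same-origin check (slide 14).

Added example, not from the webinar. Standard library only. SLIDE_URL is the
example URL from slide 8; the pairs in __main__ are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_parts(url):
    """Split a URL into the components named on slide 8."""
    u = urlsplit(url)
    return {
        "scheme": u.scheme,
        "authority": u.netloc,
        "host": u.hostname,   # lower-cased; None if the URL has no host
        "port": u.port,       # None when no explicit port is given
        "path": u.path,
        "query": u.query,
        "fragment": u.fragment,
    }


def origin(url):
    """(scheme, host, effective port): the triple browsers compare.

    An omitted port is normalised to the scheme's default, so
    https://a.example/ and https://a.example:443/ share an origin.
    Path, query and fragment play no part, and neither does the parent
    domain: sub.website.com and www.website.com are different origins.
    """
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, u.hostname, port)


def same_origin(url_a, url_b):
    """True when a script loaded from url_a may read responses from url_b."""
    return origin(url_a) == origin(url_b)


SLIDE_URL = "http://www.example.com:123/forum/questions/?tag=networking&order=newest#top"

if __name__ == "__main__":
    for name, value in url_parts(SLIDE_URL).items():
        print(f"{name:>9}: {value}")
    pairs = [  # constructed pairs
        ("https://www.website.com/account", "https://www.website.com/api/data"),
        ("https://www.website.com/", "https://www.website.com:443/"),
        ("https://www.website.com/", "https://sub.website.com/"),
        ("https://www.website.com/", "http://www.website.com/"),
    ]
    for a, b in pairs:
        print(f"{same_origin(a, b)!s:5} {a}  vs  {b}")
```

The third pair is the slide-13 situation: a vulnerable subdomain is not the same origin as www, so the browser will not hand it the main site's data directly, yet it still shares cookies scoped to the parent domain and can still host content that users of the main site trust, which is why the slide counts it as extra attack surface.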
  • 16. Authentication (AUTH): Risk Associated with Authentication
    • Curiosity: Yes
    • Trusted: To a degree
    • Important: Maybe
    • Data: Oh yeah
  • 17. Input Vectors (IV). The more input vectors, the more complex
    • File Upload
    • Search Functions
    • Other Forms
    • External Engines
  • 18. Input Vectors (IV): Risk Associated with Input Vectors. Input validation attacks: cause, exploits, impacts
    Cause: failure to properly validate data at the entry and exit points of the application
    Exploits: injection of malicious input such as code, scripting or commands that can be interpreted/executed by different targets to exploit vulnerabilities:
    • Browser: XSS, XFS, HTML-Splitting
    • Data repositories: SQL Injection, LDAP injection
    • Server-side file processing: XML, XPATH
    • Application/Server/O.S.: File uploads, Buffer Overflow
    Impacts: Phishing, Information Disclosure (PII), Data Modification, Denial of Service, Financial Loss, Reputation Loss
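Slide 18 frames the problem as "entry and exit points": the same input is dangerous at different targets for different reasons, so the fix is target-specific. The added example below (not from the webinar) shows the two most common targets side by side: for the data repository, a query built by concatenation next to the parameterised form that makes injection impossible; for the browser, encoding at the exit point so user text cannot become markup. The SQLite table and its rows are constructed; the concatenating function is there only to show why the parameterised one is the right shape.

```python
"""Entry-point and exit-point handling for two slide-18 targets:
the data repository (SQL injection) and the browser (XSS).

Added example, not from the webinar. In-memory SQLite with constructed rows.
"""
import html
import sqlite3


def make_db():
    """Constructed table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn


def find_user_unsafe(conn, name):
    """String concatenation: the input is parsed as part of the SQL statement,
    so a quote character in it changes the statement's meaning."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameter binding: the statement is fixed before the input is seen,
    so the input can only ever be compared as a value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_comment(text):
    """Exit point to the browser: encode so '<', '>', '&' and quotes stay text."""
    return '<p class="comment">' + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"      # constructed input containing a quote character
    print("concatenated:", find_user_unsafe(conn, probe))   # every row
    print("parameterised:", find_user_safe(conn, probe))    # no row
    print(render_comment("<script>alert('hi')</script>"))
```

Note that parameter binding is not input validation; it is the correct handling for the SQL sink regardless of what validation happened at the entry point. Validation still belongs at the entry point (as on slide 10), and each further target on the slide (LDAP, XPath, the file system) needs its own sink-specific handling in the same spirit.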
  • 19. Active Content Technology (ACT)
    • JavaScript
    • Java Applet
    • AJAX
    • & more
    • Externally Loaded
    • RIA
    • RSS
  • 20. Active Content Technology (ACT): Risk Associated with ACT. Active content contains programs that trigger automatic actions on a Web page without the user's knowledge or consent. All Web users are regularly exposed to active content.
    • Code that you have copied
    • Code that sits on an external site (no control)
    Vulnerabilities in the scripting language are exploited to carry malicious code, which could be downloaded through a Web browser and executed on a local system without the user's knowledge or consent.
  • 21. Cookies (CS): Own Cookies (Session, Persistent) & Foreign Cookies
  • 22. Cookies (CS): Risk Associated with Cookies
    • Cross Site Request Forgery Attack (XSRF)
    • Session Fixation
    • Cross-Site Scripting
    • Cookie Tossing Attack
    • Cookie Overflow Attack
    • Tracking/Privacy
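Most of the slide-22 risks are decided by how the session cookie is issued. The added example below (not from the webinar) is a minimal in-memory session store that rotates the session id on login so a pre-planted id never becomes authenticated (session fixation), and emits a Set-Cookie value with the attributes that blunt the other items: Secure (never sent over plain HTTP), HttpOnly (page script cannot read it, limiting theft via XSS), SameSite (cross-site requests do not carry it, limiting XSRF) and the `__Host-` name prefix (no Domain attribute allowed, so a sibling subdomain cannot toss a look-alike cookie). The cookie name, TTL and store layout are hypothetical.

```python
"""Session cookie issuance shaped by the slide-22 risks.

Added example, not from the webinar. Names, TTL and store layout are made up.
"""
import secrets
import time

COOKIE_NAME = "__Host-session"   # prefix: requires Secure, Path=/, no Domain
SESSION_TTL = 15 * 60            # seconds; hypothetical idle timeout


class SessionStore:
    def __init__(self):
        self._sessions = {}      # id -> {"user": str | None, "expires": float}

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def start_anonymous(self):
        """Pre-login session (for a basket, say); carries no user."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": time.time() + SESSION_TTL}
        return sid

    def login(self, presented_id, user):
        """Bind `user` to a brand-new id and retire whatever id was presented.

        The presented id may be one the browser legitimately had, or one that
        was planted in it beforehand; either way it never becomes the
        logged-in id, which is the whole defence against session fixation.
        """
        self._sessions.pop(presented_id, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def user_for(self, sid):
        """User bound to `sid`, or None if unknown, expired or anonymous."""
        s = self._sessions.get(sid)
        if s is None or s["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return s["user"]


def set_cookie_header(sid, max_age=SESSION_TTL):
    """Set-Cookie value: attributes are fixed, only the id varies.
    SameSite=Lax still allows top-level navigations; use Strict if the
    application can live without being reachable from external links."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def cookie_is_hardened(header):
    """Review check on a Set-Cookie value: prefix, Secure, HttpOnly, SameSite,
    and no Domain attribute (which would widen it to every subdomain)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return (name.startswith("__Host-") and "secure" in attrs
            and "httponly" in attrs and "samesite" in attrs
            and "domain" not in attrs)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start_anonymous()        # an id known before login
    sid = store.login(planted, "alice")
    print("planted id still valid:", store.user_for(planted) is not None)
    print("new id belongs to:", store.user_for(sid))
    print(set_cookie_header(sid))
```

`cookie_is_hardened` is the kind of check to run over an application's actual Set-Cookie responses during an assessment; a cookie that fails it maps straight onto one or more of the bullets above.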
  • 24. Attack Surface based on Vectors. Attack Surface Max Score: 39,19
  • 25. Understanding your application
    Business Criticality
    • Is this application revenue generating?
    • Is this application hosting sensitive information and customer data (PII)?
    Update Frequency
    • No application updates
    • Application updates occur once a year
    • Application updates occur several times a year
    • Updates occur continuously
    Complexity Level
    • Application with a high number of pages
    • Application with dynamic content
    • Application with multiple inputs (forms)
    Criticality, Updates and Complexity feed the ARS (Application Risk Score)
  • 26. Application Risk Score (ARS)
    Application Name | Surface Score | Criticality | Update frequency | Appsec Program | Availability | Confidentiality | Integrity
    demo1.com | 20.45 | 2 | 2 | 2 | 1 | 5
    demo2.com | 20.22 | 3 | 2 | 2 | 2 | 9
    ! CVSS becomes CASS
  • 29. Paying Attention: how many have you counted in the presentation? The right answer gets a Free Scout Assessment
  • 31. Takeaways
    • Yes, cookies are also in that bag
    • Understand how it's built to better defend
    • Not all of them need an in-depth assessment
    • If you don't know what you have …
    • It's not the big door they will open