SlideShare a Scribd company logo

Intro to Web Application Security

Download as PPT, PDF
Rob Ragan
Rob Ragan

Introduction to Web Application Security presented at for the Penn State Information Assurance Club (Fall 2007)

1 of 35
Downloaded 262 times
Information Assurance Club 2007 Understanding Web Application Security
What is Application Security? Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, or deployment of the application. [Wikipedia] Make sure code Properly uses security mechanisms Has no design or implementation flaws
 
 
Application Layer VS Network Layer Application Layer Attackers send attacks inside valid HTTP requests Custom code is manipulated to do something it shouldn’t Security requires software development expertise, not signatures Network Layer Firewall, hardening, patches, IDS, IPS SSL cannot detect or prevent attacks inside HTTP requests Security based on signature database
Test Your Hacking Knowledge What might happen in an application if an attacker… Adds “; rm –rf /” to a menu selection passed to a system call Replaces the unitprice hidden field with -500 Sends 1000000 ‘A’ characters to a login script Figures out the encoding used for cookies Disables all client side Javascript for form validation Adds to the end of an account ID parameter “%27%20OR%201%3d1” Sends 1,000 HTTP requests per second to the search field for an hour
Why Should I Care? How likely is a successful web application attack? Anyone in the world, including insiders, can send an HTTP request to your server Vulnerabilities are highly prevalent Easy to exploit without special tools or knowledge Little chance of being detected Hundreds of thousands of developers with no security background or training Consequences? Corruption or disclosure of database contents Root access to web and application servers Loss of authentication and access control for users Defacement Loss of use / availability Secondary attacks from your site Application security is just as important as Network Security
Attacks Shift Towards Application Layer 75% of All Attacks on Information Security Are Directed to the Web Application Layer 2/3 of All Web Applications Are Vulnerable -Gartner
How Do Attackers Do It? Proxies Browser plugins Vulnerability scanning tools Many attacks can be launched using only a browser and text editor
HyperText Transfer Protocol (HTTP) GET /index.html HTTP/1.1 Host: www.example.com HTTP/1.1 200 OK Date: Mon, 23 April 2007 22:38:34 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Etag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html; charset=UTF-8
HTTPS Just encryption Eavesdropping Protect Passwords Gmail Bypass IPS Doesn't prevent hacking
Transparent Proxy http://fiddler2.com/sandbox/ Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more. Others: Paros, Web Scarab, etc
Authentication Common Problems Never expire (facebook) Not protected by SSL Easy to forge (cookies) Replay attacks Re-using cookies Preventable with encrypted date/time stamp
Authentication Best Practices Ensure HTTPS is being used Login failures should NOT indicate whether username or password failed Strong password policy (don’t store in clear text) Use brute force countermeasures CAPTCHA Time delay
State Problems HTTP is a stateless protocol Session ID tells client browser who you are Server maintains a map of session objects Hijacking techniques Guessing XSS Not using HTTPS Session ID exposed using URL-rewriting
Session Best Practices Single sign on/off Seemingly random and at least 20 bytes Timeout Use SSL Avoid URL-rewriting (disclosure risk)
Access Control Restricting access Who? What can they see? What can they do? Should exist in UI, BLL, and DAL
Broken Access Control Attacker notices URL indicating role / guest /getAccountInfo They modify it to another directory (role) / admin /getAccountInfo / auth /getAccountInfo Attacker views more accounts than just their own
Cross-Site Scripting (XSS) Web application vulnerability that allows an attacker to execute a malicious script in a victim's web browser How it works Web browsers support scripting languages like Javascript that allow web pages to perform logic If an attacker can get a web server to send their malicious script to a victim, the script executes as if it came from that web site Consequences Steal session cookies Deface websites Information disclosure
XSS Vulnerability Pattern Web app vulnerable to XSS if Attacker can provide malicious user input Site puts user input into a response Search, form field, message board, etc Site doesn't properly validate or sanitize that user input Unless developer is familiar with XSS, it's very likely that proper input validation is not being done
Two Types of XSS Stored XSS Dangerous user input is stored on the site and displayed at some later time Typically found in message boards, guest books, surveys Like leaving a land mine for a victim to trip across on a vulnerable site Reflected XSS Dangerous user input is immediately sent back to the user that submitted it Possibly a malicious link with an embedded script Typically found in search fields, error pages, etc
Cross-site Scripting - Tricks Scripts can only access data from their own site Enforced by the browser “sandbox” SOP Trick: Use an anonymous proxy Scripts can't access the OS or file system Trick: Wscript http://my.3c.ist.psu.edu/rrr174/email.js The browser isn't doing anything abnormal Cheat Sheet: http://ha.ckers.org/xss.html Demos: http://www.attacklabs.com
XSS Real World Example MySpace XSS Worm – Oct 2005 AKA Samy worm Introduced an XSS attack into his own profile When anyone viewed his profile, the attack: added Samy as a 'friend' to that user's profile and infected them with the same XSS attack in their own profile Then, when anyone views the infected profile, starts all over... The exploit: Used 'java\nscript' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc. Used XmlHttpRequest (AJAX), so does Yamanner worm 10 hrs – 560 friends, 13 hrs – 6400 friends, 18 hrs - 1,000,000 friends, 19 hrs - entire site down, 22 hrs – site back up again
 
XSS– Input Filters Many applications attempt XSS protection with filters Convert < and > to &lt and &gt Strip out HTML tags Eliminate <script> tags Strip out Javascript .NET provides XSS protection by default <%@ Page ValidateRequest=”true” %> Anti-Cross Site Scripting Library http://msdn2.microsoft.com/en-us/security/aa973814.aspx Better to white list input instead of black list VALIDATE USER INPUT!!! TRUST NOTHING FROM THE CLIENT!!!
PSU Webmail XSS https://webmaillite.psu.edu/webmail/inbox.cgi?mailbox = https://my.3c.ist.psu.edu/rrr174/xss.js popMessage param (cookie) Now what? Hijack web access session ID Steal email Go phishing Do anything the user can do
View Passwords javascript:(function(){var s,F,j,f,i; s = %22%22; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == %22password%22) s += f[i].value + %22\n%22; } } if (s) alert(%22Passwords in forms on this page:\n\n%22 + s); else alert(%22There are no passwords in forms on this page.%22);})();
CSRF (Sea-Surf) Cross-site request forgery, also known as one click attack or session riding Digg and Amazon have been targets Prevention Include a secret, user-specific token in forms that is verified in addition to the cookie Users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session
Injection Overview Many applications invoke interpreters SQL OS command shell (cmd.exe, perl) Sendmail, LDAP, XPath, XSLT Interpreters take commands and data and execute the instructions Attacker can send malicious data or commands into your application tricking it into behaving differently Frequently interpreters run as root or administrator
SQL Injection – Example Get rows from table based on user provided parameter SELECT * FROM users WHERE SSN='” + ssn + “'” SSN goes from user to web application to database Never validated Attacker sends 123456789' OR '1'='1 Application builds a query SELECT * FROM users WHERE SSN='123456789' OR '1'='1' Returns every user in the database Blind SQL Injection: http://www.0x90.org/releases/absinthe
Prevent SQL Injection Validate user input Stored procedures Parameterized queries Connection strings (Access Control) Prevent DELETE and DROP queries
Injection Demo SQL Injection: Almost every IST student’s web application is vulnerable https://my.3c.ist.psu.edu/jeb5010/customer.php?Name ='%20OR%201=1-- Remote Code Execution: http://scripts.cac.psu.edu/pxn126/finger.cgi
Conclusion Be aware of security threats Train yourself Assess security at every step of the SDLC Define unacceptable risks Then implement policy Ensure accountability Consider commercial solutions (Get help)
Where can I learn more? http://www.owasp.org/index.php/OWASP_Top_Ten_Project http://en.wikipedia.org/wiki/Category:Web_security_exploits http://www.spidynamics.com/spilabs/index.html http://ha.ckers.org http://johnny.ihackstuff.com/ghdb.php http://www.foundstone.com/resources/freetools.htm http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project http://blogged-on.de/xss http://leastprivilege.com Download this presentation http://my.3c.ist.psu.edu/rrr174/webappsec.ppt
Questions? Ask questions and I'll try to answer them
Ad

Recommended

Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Student Management System best PPT
Student Management System best PPTStudent Management System best PPT
Student Management System best PPT
Dheeraj Kumar tiwari
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
MALWARE
MALWAREMALWARE
MALWARE
Anupam Das
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
HOSPITAL MANAGEMENT SYSTEM project report
HOSPITAL MANAGEMENT SYSTEM project reportHOSPITAL MANAGEMENT SYSTEM project report
HOSPITAL MANAGEMENT SYSTEM project report
PDEA's college of engineering, Pune
 
Project on sikkim
Project on sikkimProject on sikkim
Project on sikkim
NILESHKUMAR842886
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
Virus & Computer security threats
Virus & Computer security threatsVirus & Computer security threats
Virus & Computer security threats
Azri Abdin
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Spoofing
SpoofingSpoofing
Spoofing
Sanjeev
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
anupriti
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response Plans
Rob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Rob Ragan
 
Ad

More Related Content

What's hot (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
Virus & Computer security threats
Virus & Computer security threatsVirus & Computer security threats
Virus & Computer security threats
Azri Abdin
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Spoofing
SpoofingSpoofing
Spoofing
Sanjeev
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
anupriti
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
Virus & Computer security threats
Virus & Computer security threatsVirus & Computer security threats
Virus & Computer security threats
Azri Abdin
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Spoofing
SpoofingSpoofing
Spoofing
Sanjeev
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
anupriti
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 

Viewers also liked (18)

Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response Plans
Rob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Rob Ragan
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Rob Ragan
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Rob Ragan
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Interesting Water Facts
Interesting Water FactsInteresting Water Facts
Interesting Water Facts
Eason Chan
 
How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)
Future Insights
 
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
Usersnap
 
Google Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.orgGoogle Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.org
Drew Fustini
 
Bar exam tips
Bar exam tipsBar exam tips
Bar exam tips
BarExamMind
 
Instructivo casio g shock ga 100
Instructivo casio g shock ga 100Instructivo casio g shock ga 100
Instructivo casio g shock ga 100
Israel González
 
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Dawn Bazely
 
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Purplegator
 
Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"
Stefan Vermeulen
 
Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?
Nigel Brindley
 
ESP8266をはじめよう
ESP8266をはじめようESP8266をはじめよう
ESP8266をはじめよう
Kei Yoshimura
 
425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50
Thanh Liem Vo
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response Plans
Rob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Rob Ragan
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Rob Ragan
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Rob Ragan
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Interesting Water Facts
Interesting Water FactsInteresting Water Facts
Interesting Water Facts
Eason Chan
 
How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)
Future Insights
 
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
Usersnap
 
Google Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.orgGoogle Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.org
Drew Fustini
 
Bar exam tips
Bar exam tipsBar exam tips
Bar exam tips
BarExamMind
 
Instructivo casio g shock ga 100
Instructivo casio g shock ga 100Instructivo casio g shock ga 100
Instructivo casio g shock ga 100
Israel González
 
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Dawn Bazely
 
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Purplegator
 
Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"
Stefan Vermeulen
 
Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?
Nigel Brindley
 
ESP8266をはじめよう
ESP8266をはじめようESP8266をはじめよう
ESP8266をはじめよう
Kei Yoshimura
 
425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50
Thanh Liem Vo
 
Ad

Similar to Intro to Web Application Security (20)

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
webapplicationattacks-101005070110-phpapp02.pptx
webapplicationattacks-101005070110-phpapp02.pptxwebapplicationattacks-101005070110-phpapp02.pptx
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
4.Xss
4.Xss4.Xss
4.Xss
phanleson
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
Eoin Keary
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
skyhawk133
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEA
Thuy_Dang
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma56
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
Port80 Software
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
phanleson
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
Aditya Mooley
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
Paul Lemon
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
Mallikarjun Reddy
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
Greg Sohl
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
webapplicationattacks-101005070110-phpapp02.pptx
webapplicationattacks-101005070110-phpapp02.pptxwebapplicationattacks-101005070110-phpapp02.pptx
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
4.Xss
4.Xss4.Xss
4.Xss
phanleson
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
Eoin Keary
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
skyhawk133
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
zakieh alizadeh
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEA
Thuy_Dang
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma56
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
Port80 Software
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
phanleson
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
Aditya Mooley
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
Paul Lemon
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
Mallikarjun Reddy
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
Greg Sohl
 
Ad

More from Rob Ragan (7)

Nbt hacker fight
Nbt hacker fightNbt hacker fight
Nbt hacker fight
Rob Ragan
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach Patterns
Rob Ragan
 
DeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than DeadDeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than Dead
Rob Ragan
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Rob Ragan
 
Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010
Rob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the Wire
Rob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
Rob Ragan
 
Nbt hacker fight
Nbt hacker fightNbt hacker fight
Nbt hacker fight
Rob Ragan
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach Patterns
Rob Ragan
 
DeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than DeadDeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than Dead
Rob Ragan
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Rob Ragan
 
Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010
Rob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the Wire
Rob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
Rob Ragan
 

Recently uploaded (20)

How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 

Intro to Web Application Security

  • 1. Information Assurance Club 2007 Understanding Web Application Security
  • 2. What is Application Security? Application Security encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system vulnerabilities through flaws in the design, development, or deployment of the application. [Wikipedia] Make sure code Properly uses security mechanisms Has no design or implementation flaws
  • 3.  
  • 4.  
  • 5. Application Layer VS Network Layer Application Layer Attackers send attacks inside valid HTTP requests Custom code is manipulated to do something it shouldn’t Security requires software development expertise, not signatures Network Layer Firewall, hardening, patches, IDS, IPS SSL cannot detect or prevent attacks inside HTTP requests Security based on signature database
  • 6. Test Your Hacking Knowledge What might happen in an application if an attacker… Adds “; rm –rf /” to a menu selection passed to a system call Replaces the unitprice hidden field with -500 Sends 1000000 ‘A’ characters to a login script Figures out the encoding used for cookies Disables all client side Javascript for form validation Adds to the end of an account ID parameter “%27%20OR%201%3d1” Sends 1,000 HTTP requests per second to the search field for an hour
  • 7. Why Should I Care? How likely is a successful web application attack? Anyone in the world, including insiders, can send an HTTP request to your server Vulnerabilities are highly prevalent Easy to exploit without special tools or knowledge Little chance of being detected Hundreds of thousands of developers with no security background or training Consequences? Corruption or disclosure of database contents Root access to web and application servers Loss of authentication and access control for users Defacement Loss of use / availability Secondary attacks from your site Application security is just as important as Network Security
  • 8. Attacks Shift Towards Application Layer 75% of All Attacks on Information Security Are Directed to the Web Application Layer 2/3 of All Web Applications Are Vulnerable -Gartner
  • 9. How Do Attackers Do It? Proxies Browser plugins Vulnerability scanning tools Many attacks can be launched using only a browser and text editor
  • 10. HyperText Transfer Protocol (HTTP) GET /index.html HTTP/1.1 Host: www.example.com HTTP/1.1 200 OK Date: Mon, 23 April 2007 22:38:34 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Etag: &quot;3f80f-1b6-3e1cb03b&quot; Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html; charset=UTF-8
  • 11. HTTPS Just encryption Eavesdropping Protect Passwords Gmail Bypass IPS Doesn't prevent hacking
  • 12. Transparent Proxy http://fiddler2.com/sandbox/ Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and &quot;fiddle&quot; with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more. Others: Paros, Web Scarab, etc
  • 13. Authentication Common Problems Never expire (facebook) Not protected by SSL Easy to forge (cookies) Replay attacks Re-using cookies Preventable with encrypted date/time stamp
  • 14. Authentication Best Practices Ensure HTTPS is being used Login failures should NOT indicate whether username or password failed Strong password policy (don’t store in clear text) Use brute force countermeasures CAPTCHA Time delay
  • 15. State Problems HTTP is a stateless protocol Session ID tells client browser who you are Server maintains a map of session objects Hijacking techniques Guessing XSS Not using HTTPS Session ID exposed using URL-rewriting
  • 16. Session Best Practices Single sign on/off Seemingly random and at least 20 bytes Timeout Use SSL Avoid URL-rewriting (disclosure risk)
  • 17. Access Control Restricting access Who? What can they see? What can they do? Should exist in UI, BLL, and DAL
  • 18. Broken Access Control Attacker notices URL indicating role / guest /getAccountInfo They modify it to another directory (role) / admin /getAccountInfo / auth /getAccountInfo Attacker views more accounts than just their own
  • 19. Cross-Site Scripting (XSS) Web application vulnerability that allows an attacker to execute a malicious script in a victim's web browser How it works Web browsers support scripting languages like Javascript that allow web pages to perform logic If an attacker can get a web server to send their malicious script to a victim, the script executes as if it came from that web site Consequences Steal session cookies Deface websites Information disclosure
  • 20. XSS Vulnerability Pattern Web app vulnerable to XSS if Attacker can provide malicious user input Site puts user input into a response Search, form field, message board, etc Site doesn't properly validate or sanitize that user input Unless developer is familiar with XSS, it's very likely that proper input validation is not being done
  • 21. Two Types of XSS Stored XSS Dangerous user input is stored on the site and displayed at some later time Typically found in message boards, guest books, surveys Like leaving a land mine for a victim to trip across on a vulnerable site Reflected XSS Dangerous user input is immediately sent back to the user that submitted it Possibly a malicious link with an embedded script Typically found in search fields, error pages, etc
  • 22. Cross-site Scripting - Tricks Scripts can only access data from their own site Enforced by the browser “sandbox” SOP Trick: Use an anonymous proxy Scripts can't access the OS or file system Trick: Wscript http://my.3c.ist.psu.edu/rrr174/email.js The browser isn't doing anything abnormal Cheat Sheet: http://ha.ckers.org/xss.html Demos: http://www.attacklabs.com
  • 23. XSS Real World Example MySpace XSS Worm – Oct 2005 AKA Samy worm Introduced an XSS attack into his own profile When anyone viewed his profile, the attack: added Samy as a 'friend' to that user's profile and infected them with the same XSS attack in their own profile Then, when anyone views the infected profile, starts all over... The exploit: Used 'java\nscript' since 'javascript' was filtered out, String.fromCharCode(34) to generate a double quote, etc. Used XmlHttpRequest (AJAX), so does Yamanner worm 10 hrs – 560 friends, 13 hrs – 6400 friends, 18 hrs - 1,000,000 friends, 19 hrs - entire site down, 22 hrs – site back up again
  • 24.  
  • 25. XSS– Input Filters Many applications attempt XSS protection with filters Convert < and > to &lt and &gt Strip out HTML tags Eliminate <script> tags Strip out Javascript .NET provides XSS protection by default <%@ Page ValidateRequest=”true” %> Anti-Cross Site Scripting Library http://msdn2.microsoft.com/en-us/security/aa973814.aspx Better to white list input instead of black list VALIDATE USER INPUT!!! TRUST NOTHING FROM THE CLIENT!!!
  • 26. PSU Webmail XSS https://webmaillite.psu.edu/webmail/inbox.cgi?mailbox = https://my.3c.ist.psu.edu/rrr174/xss.js popMessage param (cookie) Now what? Hijack web access session ID Steal email Go phishing Do anything the user can do
  • 27. View Passwords javascript:(function(){var s,F,j,f,i; s = %22%22; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == %22password%22) s += f[i].value + %22\n%22; } } if (s) alert(%22Passwords in forms on this page:\n\n%22 + s); else alert(%22There are no passwords in forms on this page.%22);})();
  • 28. CSRF (Sea-Surf) Cross-site request forgery, also known as one click attack or session riding Digg and Amazon have been targets Prevention Include a secret, user-specific token in forms that is verified in addition to the cookie Users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session
  • 29. Injection Overview Many applications invoke interpreters SQL OS command shell (cmd.exe, perl) Sendmail, LDAP, XPath, XSLT Interpreters take commands and data and execute the instructions Attacker can send malicious data or commands into your application tricking it into behaving differently Frequently interpreters run as root or administrator
  • 30. SQL Injection – Example Get rows from table based on user provided parameter SELECT * FROM users WHERE SSN='” + ssn + “'” SSN goes from user to web application to database Never validated Attacker sends 123456789' OR '1'='1 Application builds a query SELECT * FROM users WHERE SSN='123456789' OR '1'='1' Returns every user in the database Blind SQL Injection: http://www.0x90.org/releases/absinthe
  • 31. Prevent SQL Injection Validate user input Stored procedures Parameterized queries Connection strings (Access Control) Prevent DELETE and DROP queries
  • 32. Injection Demo SQL Injection: Almost every IST student’s web application is vulnerable https://my.3c.ist.psu.edu/jeb5010/customer.php?Name ='%20OR%201=1-- Remote Code Execution: http://scripts.cac.psu.edu/pxn126/finger.cgi
  • 33. Conclusion Be aware of security threats Train yourself Assess security at every step of the SDLC Define unacceptable risks Then implement policy Ensure accountability Consider commercial solutions (Get help)
  • 34. Where can I learn more? http://www.owasp.org/index.php/OWASP_Top_Ten_Project http://en.wikipedia.org/wiki/Category:Web_security_exploits http://www.spidynamics.com/spilabs/index.html http://ha.ckers.org http://johnny.ihackstuff.com/ghdb.php http://www.foundstone.com/resources/freetools.htm http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project http://blogged-on.de/xss http://leastprivilege.com Download this presentation http://my.3c.ist.psu.edu/rrr174/webappsec.ppt
  • 35. Questions? Ask questions and I'll try to answer them