Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
Dealing with the risks
web applications
Malik Mesellem
About me
- Malik Mesellem, Ethical Hacker
- MME BVBA, founded in 2010
- Specialized in audits & training
- Objective approach, independent
- Focus to advise and to educate
@MME_IT | #bWAPP | ITAudits&SecurityMME
Dealing with the risks
Contents
- Defense needed
- Security framework
- Attack scenarios
- Superbees wanted
Defense needed
- Web application security is today's most overlooked aspect of securing the enterprise
- Hackers are concentrating their efforts on websites and web applications
- Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
Defense needed
- Why are web applications an attractive target?
  - Easily available via the Internet (24/7)
  - Mission-critical business applications with sensitive data
  - Often direct access to backend data
  - Traditional firewalls and SSL provide no protection
  - Many applications are custom-made == vulnerable
DEFENSE is needed!
Security framework
- bWAPP, or a buggy Web APPlication
- Deliberately insecure web application, includes all major known web vulnerabilities
- Helps security enthusiasts, developers and students to discover and to prevent issues
- Prepares one for successful penetration testing and ethical hacking projects
Security framework
- Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues
- Black-box penetration testing, simulating real attack scenarios, is still needed!
  - Confirms potential vulnerabilities, and excludes false positives
  - Guarantees that your defense measures are working effectively
- bWAPP helps to improve your security-testing skills…
Security framework
- What makes bWAPP so unique?
  - Well, it has over 100 web vulnerabilities
  - Covering all major known web bugs
  - Including all risks from the OWASP Top 10
  - Focus is not on one specific issue!
Commercial Web Scanners
Security framework
- Which bug do you want to hack today? (1)
  - SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
  - Authentication, authorization and session management issues
  - Malicious, unrestricted file uploads and backdoor files
  - Arbitrary file access and directory traversals
  - Heartbleed vulnerability (OpenSSL)
  - Local and remote file inclusions (LFI/RFI)
  - Server Side Request Forgery (SSRF)
Security framework
- Which bug do you want to hack today? (2)
  - Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures, ...
  - HTTP parameter pollution and HTTP response splitting
  - XML External Entity attacks (XXE)
  - HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  - Unvalidated redirects and forwards
  - Denial-of-Service (DoS) attacks
Security framework
- Which bug do you want to hack today? (3)
  - Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
  - AJAX and Web Services issues (JSON/XML/SOAP)
  - Parameter tampering and cookie poisoning
  - HTTP verb tampering
  - PHP-CGI remote code execution
  - Local privilege escalations
  - And much more :)
Security framework
- External links
  - Home page - www.itsecgames.com
  - Download location - sourceforge.net/projects/bwapp
  - Blog - itsecgames.blogspot.com
SQL injection
- SQL injection is very common in web applications
- Occurs when user input is sent to a SQL interpreter as part of a query
- The attacker tricks the interpreter into executing unintended SQL queries
SQL injection
- Injection in the OWASP Top 10
SQL injection
- Normal operation (diagram: BROWSER <-> WEB APP <-> SQL interpreter / DATABASE)
  - Browser -> web app: HTML form (GET/POST) with the fields login and password
  - Web app -> SQL interpreter: SELECT * FROM table WHERE login = 'login' AND password = 'password'
  - Database -> web app -> browser: result, rendered as HTML

SQL injection
- Abnormal operation (same diagram)
  - Browser -> web app: login field as before, password field set to ' or 1=1--
  - Web app -> SQL interpreter: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
  - Database -> web app -> browser: result, rendered as HTML
SQL injection
- Simple injections
  - '--
  - ' or 'a'='a
  - ' or 'a'='a'--
  - ' or '1'='1
  - ' or 1=1--
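An added example, not from the talk or from bWAPP: a toy login check in Python with sqlite3 that builds the query exactly as the diagram does (user input pasted into the SQL text) next to a parameterized version, and runs the simple injections above against both. The users table and its credentials are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the DATABASE box in the diagram.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def build_db():
    """In-memory SQLite database with a users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_concat(login, password):
    """The pattern from the diagram: user input pasted into the SQL text.

    With password = "' or 1=1--" the produced text is
      SELECT login FROM users WHERE login = 'alice' AND password = '' or 1=1--'
    so the interpreter sees an OR clause the developer never wrote, and the
    trailing quote is hidden behind the -- comment.
    """
    return ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
            % (login, password))


def login_concat(conn, login, password):
    """Vulnerable login check: returns the logins the query matched."""
    return [row[0] for row in conn.execute(build_query_concat(login, password))]


def login_param(conn, login, password):
    """Hardened login check: the SQL text is constant, input is bound as data.

    A bound value cannot change the query's structure, so "' or 1=1--" is
    simply compared against the password column and matches nobody.
    """
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


def compare(login, password):
    """Run both checks on one input; returns (concat_matches, param_matches)."""
    conn = build_db()
    try:
        return login_concat(conn, login, password), login_param(conn, login, password)
    finally:
        conn.close()


if __name__ == "__main__":
    for pwd in ("correct horse", "' or 1=1--", "' or 'a'='a", "wrong"):
        print(repr(pwd), "->", compare("alice", pwd))
```

The concatenated query returns every user for the injected passwords (AND binds tighter than OR, so `1=1` matches all rows), while the parameterized query returns nothing for them.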
SQL injection
- Union injections
  - ' UNION SELECT field1, field2 FROM table--
  - ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
- Stacked queries
  - '; DROP TABLE table;--
Don’t try @ home!
- SQL injection
  - Bypassing login forms
  - Manually extracting data
  - Automated SQL injection
  - Website defacement
Cross-Site Scripting
- Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
- Insufficient validation of user-supplied data
- Dangerous when it is stored permanently!
- XSS can lead to
  - Website defacements
  - Phishing / session hijacking
  - Client-side exploitation
Cross-Site Scripting
- XSS in the OWASP Top 10
Don’t try @ home!
- Cross-Site Scripting
  - Detecting XSS
  - Phishing attack
  - Client-side exploitation
Heartbleed bug
- Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)
- Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!
- Sensitive data that might be stolen
  - Logon credentials
  - Session data
  - Private keys
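An added example, not from the talk and not OpenSSL's code: a small Python model of how a heartbeat request is handled, with the pre-fix behaviour (trusting the peer's length field) beside the length check the patched version applies. RFC 6520 requires a heartbeat whose claimed payload does not fit the record to be silently discarded. The message layout follows RFC 6520; the "neighbouring heap" bytes and the session token in them are constructed.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length field

# Constructed stand-in for whatever sits after the record in the server's
# memory: the kind of data the talk lists as at risk (a constructed token).
HEAP_TAIL = b"Cookie: session=CONSTRUCTED-SESSION-TOKEN; user=alice\r\n"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request.

    claimed_length is written into the length field as given, so a caller
    can make it disagree with len(payload), which is what triggers the bug.
    """
    return (struct.pack("!BH", HB_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def handle_heartbeat_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: echo payload_length bytes, trusting the peer's field.

    memory is the received record followed by adjacent process memory;
    record_length is the real length of the record that arrived and is
    never consulted here.  The slice stands in for the memcpy that read
    past the end of the record.
    """
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    return bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])


def handle_heartbeat_fixed(memory: bytes, record_length: int):
    """Patched behaviour: validate the claimed length against the record.

    Returns the echoed payload, or None when the request is discarded.
    """
    if record_length < HEADER_LEN + MIN_PADDING:
        return None                     # too short to be a valid heartbeat
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None                     # claimed length exceeds the record: drop
    return bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])


def demo(payload: bytes, claimed_length: int):
    """Build one request, lay it in front of HEAP_TAIL and run both handlers."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + HEAP_TAIL
    return (handle_heartbeat_vulnerable(memory, len(record)),
            handle_heartbeat_fixed(memory, len(record)))


if __name__ == "__main__":
    print(demo(b"ping", 4))                                   # honest length
    print(demo(b"ping", 4 + MIN_PADDING + len(HEAP_TAIL)))    # over-claimed
```

With an honest length both handlers echo the four payload bytes; with an over-claimed length the unchecked handler returns the padding plus the constructed session cookie that followed the record in memory, while the checked handler returns None and sends nothing.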
Don’t try @ home!
- Heartbleed bug
  - Stealing credentials
Denial-of-Service
- Denial-of-Service attack, or DoS attack
  - Attacker attempts to prevent legitimate users from accessing the application, server or network
  - Consumes bandwidth, server sockets, or CPU resources
- Distributed Denial-of-Service attack, or DDoS
- Popular techniques used by hacktivists
Denial-of-Service
- Newer layer 7 DoS attacks are more powerful!
- “Low-bandwidth application layer DoS”
- Advantages of layer 7 DoS
  - Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
  - Requires fewer connections; a single attack can stop a web server
  - Reaches the resource limits of services, regardless of the hardware capabilities of the server
Denial-of-Service
- Layer 7 DoS methods
  - HTTP Slow Headers
  - HTTP Slow POST
  - HTTP Slow Reading
  - Apache Range Header
  - SSL/TLS Renegotiation
  - XML Bombs
Don’t try @ home!
- Denial-of-Service
  - HTTP Slow POST
Superbees wanted
- Hi little bees, during this talk we
  - Defaced the website
  - Compromised the server
  - Compromised a client
  - Made the server unreachable
  - Hijacked a session
  - Stole credentials…
Superbees wanted
- And we have so many more bugs to exploit…
- Definitely time to improve your web security
- Defense is needed, security-testing is required!
- Downloading bWAPP is a first start
- Remember: every bee needs a superbee
- Are you that superbee?
@MME_IT | #bWAPP
About me
- Malik Mesellem
Email | malik@itsecgames.com
LinkedIn | be.linkedin.com/in/malikmesellem
Twitter | twitter.com/MME_IT
Blog | itsecgames.blogspot.com
Noraini Yunus
 
Lec 3 - Chapter 2 Carl Jung’s Theory of Personality.pptx
Lec 3 - Chapter 2 Carl Jung’s Theory of Personality.pptxLec 3 - Chapter 2 Carl Jung’s Theory of Personality.pptx
Lec 3 - Chapter 2 Carl Jung’s Theory of Personality.pptx
TayyabaSiddiqui12
 
Setup & Implementation of OutSystems Cloud Connector ODC
Setup & Implementation of OutSystems Cloud Connector ODCSetup & Implementation of OutSystems Cloud Connector ODC
Setup & Implementation of OutSystems Cloud Connector ODC
outsystemspuneusergr
 
ICSE 2025 Keynote: Software Sustainability and its Engineering: How far have ...
ICSE 2025 Keynote: Software Sustainability and its Engineering: How far have ...ICSE 2025 Keynote: Software Sustainability and its Engineering: How far have ...
ICSE 2025 Keynote: Software Sustainability and its Engineering: How far have ...
patricialago3459
 
Key Elements of a Procurement Plan.docx.
Key Elements of a Procurement Plan.docx.Key Elements of a Procurement Plan.docx.
Key Elements of a Procurement Plan.docx.
NeoRakodu
 
ICONX - Presentation - Mining RACE - english - international
ICONX - Presentation - Mining RACE - english - internationalICONX - Presentation - Mining RACE - english - international
ICONX - Presentation - Mining RACE - english - international
Bitcoin Mining RACE
 
Profit Growth Drivers for Small Business.pdf
Profit Growth Drivers for Small Business.pdfProfit Growth Drivers for Small Business.pdf
Profit Growth Drivers for Small Business.pdf
TheodoreHawkins
 
kurtlewin theory of motivation -181226082203.pptx
kurtlewin theory of motivation -181226082203.pptxkurtlewin theory of motivation -181226082203.pptx
kurtlewin theory of motivation -181226082203.pptx
TayyabaSiddiqui12
 
Updated treatment of hypothyroidism, causes and symptoms
Updated treatment of hypothyroidism,  causes and symptomsUpdated treatment of hypothyroidism,  causes and symptoms
Updated treatment of hypothyroidism, causes and symptoms
Mohammed Ahmed Bamashmos
 
Besu Shibpur Enquesta 2012 Intra College General Quiz Finals.pptx
Besu Shibpur Enquesta 2012 Intra College General Quiz Finals.pptxBesu Shibpur Enquesta 2012 Intra College General Quiz Finals.pptx
Besu Shibpur Enquesta 2012 Intra College General Quiz Finals.pptx
Rajdeep Chakraborty
 
Effects of physical activity, exercise and sedentary behaviors to
Effects of physical activity, exercise and sedentary behaviors toEffects of physical activity, exercise and sedentary behaviors to
Effects of physical activity, exercise and sedentary behaviors to
DancanNyabuto
 
Speech 2-Unity in Diversity, Strength in Solidarity
Speech 2-Unity in Diversity, Strength in SolidaritySpeech 2-Unity in Diversity, Strength in Solidarity
Speech 2-Unity in Diversity, Strength in Solidarity
Noraini Yunus
 
Microsoft Azure Data Fundamentals (DP-900) Exam Dumps & Questions 2025.pdf
Microsoft Azure Data Fundamentals (DP-900) Exam Dumps & Questions 2025.pdfMicrosoft Azure Data Fundamentals (DP-900) Exam Dumps & Questions 2025.pdf
Microsoft Azure Data Fundamentals (DP-900) Exam Dumps & Questions 2025.pdf
MinniePfeiffer
 
Ad

TDIS 2014 - Dealing with the risks: web applications

  • 1. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
    Dealing with the risks: web applications
    Malik Mesellem
  • 2. About me
    - Malik Mesellem, Ethical Hacker
    - MME BVBA, founded in 2010
    - Specialized in audits & training
    - Objective, independent approach
    - Focus on advising and educating
    @MME_IT #bWAPP | ITAudits&SecurityMME
  • 3. Dealing with the risks
    - Contents
      - Defense needed
      - Security framework
      - Attack scenarios
      - Superbees wanted
  • 4. Dealing with the risks: Contents (same as slide 3)
  • 5. Defense needed
    - Web application security is today's most overlooked aspect of securing the enterprise
    - Hackers are concentrating their efforts on websites and web applications
    - Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  • 6. Defense needed
    - Why are web applications an attractive target?
      - Easily available via the Internet (24/7)
      - Mission-critical business applications with sensitive data
      - Often direct access to backend data
      - Traditional firewalls and SSL provide no protection
      - Many applications are custom-made == vulnerable
  • 7. Defense needed (same as slide 6)
  • 8. DEFENSE is needed!
  • 9. Dealing with the risks: Contents (same as slide 3)
  • 10. Security framework
    - bWAPP, or a buggy Web APPlication
      - Deliberately insecure web application, includes all major known web vulnerabilities
      - Helps security enthusiasts, developers and students to discover and to prevent issues
      - Prepares one for successful penetration testing and ethical hacking projects
  • 11. Security framework
    - Web application security is not just installing a firewall, or scanning a site for 'potential' issues
    - Black-box penetration testing, simulating real attack scenarios, is still needed!
      - Confirms potential vulnerabilities, and excludes false positives
      - Guarantees that your defense measures are working effectively
    - bWAPP helps to improve your security-testing skills…
  • 12. (no text on this slide)
  • 13. Security framework
    - What makes bWAPP so unique?
      - Well, it has over 100 web vulnerabilities
      - Covering all major known web bugs
      - Including all risks from the OWASP Top 10
      - Focus is not on one specific issue!
  • 14. Commercial Web Scanners
  • 15. Security framework
    - Which bug do you want to hack today? (1)
      - SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
      - Authentication, authorization and session management issues
      - Malicious, unrestricted file uploads and backdoor files
      - Arbitrary file access and directory traversals
      - Heartbleed vulnerability (OpenSSL)
      - Local and remote file inclusions (LFI/RFI)
      - Server Side Request Forgery (SSRF)
  • 16. Security framework
    - Which bug do you want to hack today? (2)
      - Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures, ...
      - HTTP parameter pollution and HTTP response splitting
      - XML External Entity attacks (XXE)
      - HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
      - Unvalidated redirects and forwards
      - Denial-of-Service (DoS) attacks
  • 17. Security framework
    - Which bug do you want to hack today? (3)
      - Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
      - AJAX and Web Services issues (JSON/XML/SOAP)
      - Parameter tampering and cookie poisoning
      - HTTP verb tampering
      - PHP-CGI remote code execution
      - Local privilege escalations
      - And much more
  • 18. Security framework: Which bug do you want to hack today?
  • 19. Security framework
  • 20. Security framework
    - External links
      - Home page - www.itsecgames.com
      - Download location - sourceforge.net/projects/bwapp
      - Blog - itsecgames.blogspot.com
  • 21. Dealing with the risks: Contents (same as slide 3)
  • 22. SQL injection
    - SQL injection is very common in web applications
    - Occurs when user input is sent to a SQL interpreter as part of a query
    - The attacker tricks the interpreter into executing unintended SQL queries
  • 23. SQL injection: Injection in the OWASP Top 10
  • 24. SQL injection: Normal operation (diagram)
    - Flow: BROWSER -> (HTML, GET/POST: login, password) -> WEB APP -> (SQL) -> SQL interpreter -> DATABASE, with the result returned to the web app and rendered back to the browser as HTML
    - Query built by the web app: SELECT * FROM table WHERE login = 'login' AND password = 'password'
  • 25. SQL injection: Abnormal operation (diagram)
    - Same flow, but the browser submits the password value ' or 1=1--
    - Query built by the web app: SELECT * FROM table WHERE login = 'login' AND password = '' or 1=1-- '
    - The comment marker (--) discards the rest of the query, and 1=1 makes the WHERE clause always true
  • 26. SQL injection
    - Simple injections
      - '--
      - ' or 'a'='a
      - ' or 'a'='a'--
      - ' or '1'='1
      - ' or 1=1--
  • 27. SQL injection
    - Union injections
      - ' UNION SELECT field1, field2 FROM table--
      - ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--
    - Stacked queries
      - '; DROP TABLE table;--
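The login query from slides 24 and 25, as an added example that is not part of the deck or of bWAPP: the query is built once by string concatenation (the vulnerable form the slides show) and once with bound parameters, and both are run against the slides' `' or 1=1--` input. The table name `users`, its two columns and the single sample row are assumptions constructed for the demo.

```python
# Added example (not from the original slides): the deck's login query built by
# string concatenation versus a parameterized version, run against SQLite.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the deck's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_vulnerable_sql(login: str, password: str) -> str:
    # Exactly what slide 24 shows: user input pasted into the SQL text, so
    # the interpreter cannot tell the application's SQL from the input.
    return (f"SELECT * FROM users WHERE login = '{login}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    return conn.execute(build_vulnerable_sql(login, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, login: str, password: str) -> bool:
    # The query text is fixed; values travel separately as bound parameters, so a
    # quote or comment marker in the input is compared as data, never parsed as SQL.
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def demo() -> dict:
    """Run both variants with a valid password and with the slide 25 input."""
    conn = setup_db()
    payload = "' or 1=1--"  # the 'abnormal operation' value from slide 25
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),       # True
        "vuln_payload": login_vulnerable(conn, "alice", payload),      # True: bypass
        "param_valid": login_parameterized(conn, "alice", "s3cret"),   # True
        "param_payload": login_parameterized(conn, "alice", payload),  # False
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("alice", "' or 1=1--"))
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```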
  • 28. SQL Injection
  • 29. Don't try @ home! SQL injection
    - Bypassing login forms
    - Manually extracting data
    - Automated SQL injection
    - Website defacement
  • 30. (no text on this slide)
  • 31. (no text on this slide)
  • 32. Cross-Site Scripting
    - Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application
      - Insufficient validation of user-supplied data
      - Dangerous when it is stored permanently!
    - XSS can lead to
      - Website defacements
      - Phishing / session hijacking
      - Client-side exploitation
  • 33. Cross-Site Scripting: XSS in the OWASP Top 10
  • 34. Don't try @ home! Cross-Site Scripting
    - Detecting XSS
    - Phishing attack
    - Client-side exploitation
  • 35. Heartbleed bug
    - Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)
    - Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!
    - Sensitive data that might be stolen
      - Logon credentials
      - Session data
      - Private keys
  • 36. Don't try @ home! Heartbleed bug
    - Stealing credentials
  • 37. Denial-of-Service
    - Denial-of-Service attack, or DoS attack
      - Attacker attempts to prevent legitimate users from accessing the application, server or network
      - Consumes bandwidth, server sockets, or CPU resources
    - Distributed Denial-of-Service attack, or DDoS
    - Popular techniques used by hacktivists
  • 38. Denial-of-Service
    - Newer layer 7 DoS attacks are more powerful!
      - "Low-bandwidth application layer DoS"
    - Advantages of layer 7 DoS
      - Legitimate TCP/UDP connections, difficult to differentiate from normal traffic
      - Requires fewer connections; a single attack can stop a web server
      - Reaches the resource limits of services, regardless of the hardware capabilities of the server
  • 39. Denial-of-Service
    - Layer 7 DoS methods
      - HTTP Slow Headers
      - HTTP Slow POST
      - HTTP Slow Reading
      - Apache Range Header
      - SSL/TLS Renegotiation
      - XML Bombs
  • 40. Don't try @ home! Denial-of-Service
    - HTTP Slow POST
  • 41. Dealing with the risks: Contents (same as slide 3)
  • 42. Superbees wanted
    - Hi little bees, during this talk we
      - Defaced the website
      - Compromised the server
      - Compromised a client
      - Made the server unreachable
      - Hijacked a session
      - Stole credentials…
  • 43. Superbees wanted
    - And we have so many more bugs to exploit…
    - Definitely time to improve your web security
    - Defense is needed, security-testing is required!
    - Downloading bWAPP is a first start
    - Remember: every bee needs a superbee
    - Are you that superbee?
    @MME_IT #bWAPP
  • 44. About me
    - Malik Mesellem
    - Email | [email protected]
    - LinkedIn | be.linkedin.com/in/malikmesellem
    - Twitter | twitter.com/MME_IT
    - Blog | itsecgames.blogspot.com