Web application security

Published in: Technology
Transcript

  • 1. Web Application Security
    Firewalls will not be able to protect you
    Akash Mahajan – Chapter Lead for null Bangalore
  • 2. What should keep you up at night
    95% of attacks are against “Web Servers and Web Applications” aka Websites
    The top 3 verticals compromised were Financial Services, Hospitality and Retail.
    More than 60% of attacks were caused by external agents.
    Primary attack vector was SQL Injection and was used to install customized malware.
    Injection Attacks are #1 critical flaw in applications
    Sources Verizon DBIR 2010, Whitehat Sec Statistics, OWASP Top 10 2010
  • 3. Web App Attacks
    SQL Injection Attacks
    Number plate to foil an automatic license plate scanner!
    An attack which allows SQL to be executed as part of the input.
  • 4. Web App Attacks
    Bobby Tables!
  • 5. Web App Attacks
    XSS was used to get root on an apache.org server in April 2010
    A popular shopping website that used to sell only books and now sells other things as well.
    That inner window is an iframe injected in a simple search request.
    Picture courtesy null Keeda Vulnerability Database
  • 6. Other Critical Flaws/Attacks
    Cross Site Request Forgery
    Attacks the user of the application
    Clickjacking
    Facebook Like attack
    Security Misconfigurations
    Default passwords in DSL routers
    Insecure Cryptographic Storage
    Apache Attack
    Tiny URLs
    Employees trust and click on anything!
  • 7. Solutions/Mitigations
    Training in Secure Coding for Developers
    Code Reviews by competent security folks
    Regular mining of web server logs
    Application Security Practice
    Awareness about new attacks
    Set up a red team in the company
  • 8. About null
    Null – Indian Open Security Community null.co.in
    Registered non-profit society
    5 active chapters in India
    We conduct monthly meetings, regular awareness camps and trainings.
    More than 1000 security professionals and enthusiasts in the group.
    Null Keeda Vulnerability Database http://keeda.nullcon.net
  • 9. Akash Mahajan
    Chapter Lead of null Bangalore
    Web Security Consultant
    I hack, test, secure web apps and servers
    Help companies become secure on AWS cloud
    Website: akashm.com
    Email: akashmahajan@gmail.com / aka@null.co.in
    Twitter: @makash
    Linkedin: www.linkedin.com/in/akashm
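Slide 5 shows an iframe injected through a simple search request, which is reflected XSS: the search term is written back into the page without encoding. Added example, not from the slides: the vulnerable render beside one that HTML-escapes the query with Python's `html.escape`. The injected tag and its URL are constructed placeholders.

```python
import html


def render_search_vulnerable(query):
    # Interpolates the raw query into markup; any tag in the input becomes part of the page.
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    # html.escape turns < > & " ' into entities, so the browser renders the text instead of parsing it.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def demo():
    """Render a benign and a constructed reflected-XSS search term with both functions."""
    benign = "books"
    # Constructed input mirroring the slide's injected iframe; the URL is a placeholder.
    injected = '<iframe src="https://placeholder.example/"></iframe>'
    return {
        "vulnerable_has_iframe": "<iframe" in render_search_vulnerable(injected),
        "safe_has_iframe": "<iframe" in render_search_safe(injected),
        "safe_markup": render_search_safe(injected),
        "benign_unchanged": render_search_safe(benign) == render_search_vulnerable(benign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<22} {value}")
```

`html.escape` is the right tool for text placed in HTML body or attribute-value position. Input that lands inside a `<script>` block, a URL, or a CSS value needs the encoding for that context instead, and a templating engine with auto-escaping removes the need to remember the call at every output point.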
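Slide 7 lists regular mining of web server logs as a mitigation. Added example, not from the slides: a Python scanner over constructed Apache combined-format access log lines (addresses from the documentation ranges, requests made up for this example) that URL-decodes each request path, flags the injection patterns described on slides 3 to 5, and aggregates hits per client address so repeated probing from one source stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format). Addresses come from the
# documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2010:13:55:36 +0000] "GET /search?q=books HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:13:55:40 +0000] "GET /search?q=%3Ciframe+src%3D%22http%3A%2F%2Fplaceholder.example%2F%22%3E HTTP/1.1" 200 5320 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2010:13:56:02 +0000] "GET /product?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2010:13:56:09 +0000] "GET /product?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2010:13:56:15 +0000] "GET /product?id=42+UNION+SELECT+1,2,3 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

# One regex for the combined log format; only the fields the scanner needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicator patterns for the attack classes on slides 3 to 5. They run against the
# URL-decoded path because payloads are routinely percent-encoded in the raw log.
RULES = [
    ("sqli_tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I)),
    ("sqli_union", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("xss_tag", re.compile(r"<\s*(?:script|iframe|img|svg)\b", re.I)),
]


def scan_log(text):
    """Return one finding per (request, matching rule), carrying the decoded path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count these separately
        decoded = unquote_plus(m["path"])
        for name, pattern in RULES:
            if pattern.search(decoded):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "rule": name,
                    "path": decoded, "status": int(m["status"]),
                })
    return findings


def summarize_by_ip(findings):
    """Count findings per client address; repeated hits from one source are the ones to look at."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']:<14} {hit['rule']:<15} {hit['status']} {hit['path']}")
    print(summarize_by_ip(hits))
```

The rules are deliberately narrow signatures and will miss obfuscated variants; the value of a job like this is less in catching every payload than in surfacing a client address that trips several rules in a short window, combined with the 5xx responses that a broken query tends to produce. In practice the decoded path would also be checked against POST bodies where the application logs them.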