Web application security
Published in Technology
1. Web Application Security
   Firewalls will not be able to protect you
   Akash Mahajan – Chapter Lead for null Bangalore
2. What should keep you up at night
   • 95% of attacks are against “Web Servers and Web Applications”, aka websites
   • The top 3 verticals compromised were Financial Services, Hospitality and Retail
   • More than 60% of attacks were caused by external agents
   • The primary attack vector was SQL Injection, which was used to install customized malware
   • Injection attacks are the #1 critical flaw in applications
   Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
3. Web App Attacks
   • SQL Injection Attacks
   • Number plate to foil an automatic license plate scanner!
   • An attack in which attacker-supplied input is executed as part of the application's SQL query
4. Web App Attacks
   • Bobby Tables!
5. Web App Attacks
   • XSS was used to get root on an apache.org server in April 2010
   • A popular shopping website that used to sell only books and now sells other things as well
   • That inner window is an iframe injected via a simple search request
   Picture courtesy null Keeda Vulnerability Database
6. Other Critical Flaws/Attacks
   • Cross Site Request Forgery
     o Attacks the user of the application
   • Clickjacking
     o Facebook "Like" attack
   • Security Misconfigurations
     o Default passwords in DSL routers
   • Insecure Cryptographic Storage
     o Apache attack
   • Tiny URLs
     o Employees trust and click on anything!
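Slides 5 and 6 name three browser-side attacks (an iframe reflected through a search box, CSRF against the logged-in user, and clickjacking) without showing the server-side controls. Here is an added example, not from the deck, of the corresponding defences in one small Python request handler using only the standard library: HTML output encoding for the reflected search term, a synchronizer CSRF token checked on state-changing requests, and anti-framing response headers. The in-memory session store and the handler names are assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store (example only): session_id -> {"csrf": token}
SESSIONS = {}

def render_results_vulnerable(query):
    # VULNERABLE: the search term is reflected into the page verbatim, so a
    # query containing markup (e.g. an <iframe> tag) becomes part of the DOM.
    return "<h1>Results for " + query + "</h1>"

def render_results_safe(query):
    # SAFE: HTML-encode before reflecting. quote=True also encodes ' and ",
    # so the value stays inert inside attribute values as well as text nodes.
    return "<h1>Results for " + html.escape(query, quote=True) + "</h1>"

def anti_framing_headers():
    # Refuse to be framed by any origin. X-Frame-Options is the legacy header;
    # CSP frame-ancestors is its modern equivalent; sending both covers old browsers.
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }

def new_session():
    # Synchronizer-token pattern: one unguessable CSRF token per session,
    # embedded in the site's own forms and compared on every state-changing request.
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(32)}
    return sid

def csrf_token_for(sid):
    return SESSIONS[sid]["csrf"]

def handle_search(sid, query):
    # Read-only GET: needs output encoding and anti-framing headers, no CSRF token.
    headers = anti_framing_headers()
    headers["Content-Type"] = "text/html; charset=utf-8"
    return 200, headers, render_results_safe(query)

def handle_state_change(sid, submitted_token):
    # State-changing POST: reject unless the submitted token matches this session's.
    # A form on another site cannot read the victim's token, so it cannot supply it.
    expected = SESSIONS.get(sid, {}).get("csrf")
    if (expected is None or submitted_token is None
            or not hmac.compare_digest(expected, submitted_token)):
        return 403, anti_framing_headers(), "CSRF token missing or invalid"
    return 200, anti_framing_headers(), "Action performed"
```

The search handler encodes at output time rather than trying to strip tags on input; encoding is lossless and cannot be bypassed by an encoding the filter did not anticipate. The constant-time comparison in the CSRF check is a habit worth keeping for any secret compared on the server.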
7. Solutions/Mitigations
   • Training in secure coding for developers
   • Code reviews by competent security folks
   • Regular mining of web server logs
   • An application security practice
   • Awareness about new attacks
   • Set up a red team in the company
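"Regular mining of web server logs" is the one mitigation on this slide that a small team can start the same day. As an added example (not part of the deck), the script below parses a few constructed combined-format access log lines, URL-decodes the request path, and flags requests whose decoded path looks like the SQL injection or iframe/XSS probes from the earlier slides. The log lines, IP addresses and signature patterns are assumptions chosen for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format log lines (sample data, not from the slides).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0530] "GET /search?q=books HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:55:40 +0530] "GET /search?q=%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E HTTP/1.1" 200 2401 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:55:41 +0530] "GET /product?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:02 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Coarse signatures applied to the *decoded* path. They are deliberately simple;
# the point is to surface candidates for a human, not to block traffic.
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and|union|select|--|;|\))"),
    "xss": re.compile(r"(?i)<\s*(script|iframe|img|svg|object)\b"),
    "traversal": re.compile(r"\.\./"),
}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and '+' first; probes are almost always encoded on the wire.
    rec["decoded"] = unquote_plus(rec["path"])
    rec["status"] = int(rec["status"])
    return rec

def classify(decoded_path):
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_path)]

def scan(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["decoded"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["decoded"],
                             "status": rec["status"], "hits": hits})
    return findings

def top_sources(findings):
    # Which clients generated the flagged requests, most active first.
    return Counter(f["ip"] for f in findings).most_common()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["status"], f["hits"], f["path"])
    print(top_sources(found))
```

Two details matter in practice: decode before matching, since the raw log line shows `%27` rather than a quote, and keep the status code in the output, because a probe that produced a 500 (as in the third sample line) is far more interesting than one the application handled cleanly.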
8. About null
   • null – Indian Open Security Community, null.co.in
   • Registered non-profit society
   • 5 active chapters in India
   • We conduct monthly meetings, regular awareness camps and trainings
   • More than 1000 security professionals and enthusiasts in the group
   • null Keeda Vulnerability Database: http://keeda.nullcon.net
9. Akash Mahajan
   • Chapter Lead of null Bangalore
   • Web Security Consultant
   • I hack, test and secure web apps and servers
   • Help companies become secure on the AWS cloud
   • Website: akashm.com
   • Email: akashmahajan@gmail.com / aka@null.co.in
   • Twitter: @makash
   • LinkedIn: www.linkedin.com/in/akashm