Web application security

1. Web Application Security
   Firewalls will not be able to protect you
   Akash Mahajan – Chapter Lead for null Bangalore
2. What should keep you up at night
   • 95% of attacks are against “Web Servers and Web Applications”, aka websites
   • The top 3 verticals compromised were Financial Services, Hospitality and Retail.
   • More than 60% of attacks were caused by external agents.
   • The primary attack vector was SQL Injection, which was used to install customized malware.
   • Injection attacks are the #1 critical flaw in applications.
   Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
3. Web App Attacks
   • SQL Injection Attacks
   • Number plate to foil an automatic license plate scanner!
   • An attack which allows SQL to be executed as part of the input.
4. Web App Attacks
   • Bobby Tables!
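Slides 3 and 4 describe the mechanism (input that the database parses as SQL) and the "Bobby Tables" case. The following is an added example, not code from the slides: it builds a constructed in-memory SQLite table and contrasts a query assembled by string concatenation with one that binds the value as a parameter. Because Python's sqlite3 executes one statement per call, the executed demonstration uses a tautology rather than the comic's DROP TABLE; the DROP TABLE input is only shown as the statement text the vulnerable builder would produce.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data; nothing here comes from the slides.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", 90), ("Bob", 72), ("Robert", 65)],
    )
    conn.commit()
    return conn


def vulnerable_sql_text(name: str) -> str:
    # The untrusted value is spliced into the statement text, so quotes in
    # it change the structure of the statement the database will parse.
    return "SELECT name, grade FROM students WHERE name = '" + name + "'"


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(vulnerable_sql_text(name)).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the driver passes the value separately from the
    # statement, so it is only ever compared as a string, never parsed.
    sql = "SELECT name, grade FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input: closes the quoted string and appends an always-true clause.
TAUTOLOGY = "x' OR '1'='1"
# Constructed input in the spirit of the "Bobby Tables" comic.
BOBBY = "Robert'); DROP TABLE students;--"


def demo() -> dict:
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY),  # every row
        "safe": lookup_safe(conn, TAUTOLOGY),              # no such name
        "safe_normal": lookup_safe(conn, "Bob"),
        "bobby_statement": vulnerable_sql_text(BOBBY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point to take from running it: the concatenated query returns all three rows for a name that does not exist, while the parameterised query returns none, and the text produced for the Bobby Tables input already contains a second statement before the database ever sees it.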
5. Web App Attacks
   • XSS was used to get root on an apache.org server in April 2010
   • A popular shopping website that used to sell only books and now sells other stuff as well.
   • That inner window is an iframe injected in a simple search request.
   Picture courtesy null Keeda Vulnerability Database
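The slide's screenshot shows an iframe injected through a search request, which is reflected XSS: the search term is written back into the page without encoding. The example below is added here and is not the shopping site's code or anything from the slides; it uses a constructed one-line template and a constructed search term containing an iframe tag, and compares rendering the term raw with rendering it through html.escape.

```python
import html
import re

# Constructed results-page template; the search term is dropped into
# HTML text context.
TEMPLATE = "<h1>Search</h1><p>Results for: {term}</p>"


def render_vulnerable(term: str) -> str:
    # Reflects the query-string value into the page unchanged, so any
    # markup in it is parsed by the browser as part of the page.
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    # Entity-encode for HTML text context: < > & " ' become entities and
    # the browser shows them literally instead of creating elements.
    return TEMPLATE.format(term=html.escape(term, quote=True))


IFRAME_TAG = re.compile(r"<iframe\b", re.IGNORECASE)


def renders_iframe(markup: str) -> bool:
    # Comparison helper for this example only: does the output contain a
    # real <iframe> start tag?
    return IFRAME_TAG.search(markup) is not None


# Constructed search term of the kind the slide describes.
SAMPLE_TERM = '<iframe src="https://example.invalid/"></iframe>'


def demo() -> dict:
    return {
        "vulnerable": renders_iframe(render_vulnerable(SAMPLE_TERM)),
        "safe": renders_iframe(render_safe(SAMPLE_TERM)),
    }


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_TERM))
    print(render_safe(SAMPLE_TERM))
    print(demo())
```

Output encoding has to match the context the value lands in; html.escape is correct for HTML text and attribute values, but a value placed inside a script block or a URL needs its own encoding, and a Content-Security-Policy header that restricts frame-src and script-src is the defence-in-depth layer behind it.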
6. Other Critical Flaws/Attacks
   • Cross Site Request Forgery
      o Attacks the user of the application
   • Clickjacking
      o Facebook Like attack
   • Security Mis-configurations
      o Default passwords in DSL routers
   • Insecure Cryptographic Storage
      o Apache Attack
   • Tiny URLs
      o Employees trust and click on anything!
7. Solutions/Mitigations
   • Training in Secure Coding for Developers
   • Code Reviews by competent security folks
   • Regular mining of web server logs
   • Application Security Practice
   • Awareness about new attacks
   • Set up a red team in the company
8. About null
   • null – Indian Open Security Community, null.co.in
   • Registered non-profit society
   • 5 active chapters in India
   • We conduct monthly meetings, regular awareness camps and trainings.
   • More than 1000 security professionals and enthusiasts in the group.
   • null Keeda Vulnerability Database: http://keeda.nullcon.net
9. Akash Mahajan
   • Chapter Lead of null Bangalore
   • Web Security Consultant
   • I hack, test, secure web apps and servers
   • Help companies become secure on AWS cloud
   • Website: akashm.com
   • Email: akashmahajan@gmail.com / aka@null.co.in
   • Twitter: @makash
   • LinkedIn: www.linkedin.com/in/akashm