Web application security
Published in: Technology
Transcript

  • 1. Web Application Security: Firewalls will not be able to protect you. Akash Mahajan, Chapter Lead for null Bangalore
  • 2. What should keep you up at night
    o 95% of attacks are against "Web Servers and Web Applications", aka websites.
    o The top 3 verticals compromised were Financial Services, Hospitality and Retail.
    o More than 60% of attacks were caused by external agents.
    o The primary attack vector was SQL Injection, used to install customized malware.
    o Injection attacks are the #1 critical flaw in applications.
    o Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
  • 3. Web App Attacks
    o SQL Injection Attacks
    o Number plate to foil an automatic license plate scanner!
    o An attack which allows SQL to be executed as part of the input.
  • 4. Web App Attacks
    o Bobby Tables!
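Added example, not part of the slides: the defect behind the "Bobby Tables" slide and the fix, side by side in Python with the standard-library sqlite3 module. The `students` table, the in-memory database and the sample name modelled on the cartoon are all constructed for this illustration; the vulnerable function uses `executescript` because, like many real database drivers, it runs every statement in the string it is handed.

```python
import sqlite3

# Constructed sample input modelled on the "Bobby Tables" cartoon the slide refers to.
BOBBY = "Robert'); DROP TABLE students;--"


def fresh_db():
    """In-memory database with one students table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def add_student_vulnerable(conn, name):
    """The flaw on the slide: the input is spliced into the SQL text, so a quote in it
    closes the string literal and whatever follows is parsed as more SQL.
    executescript runs every statement in the string, as many real drivers do."""
    sql = "INSERT INTO students (name) VALUES ('" + name + "');"
    conn.executescript(sql)
    conn.commit()


def add_student_safe(conn, name):
    """Mitigation: a parameterized query. The driver passes the name as data, so the
    quote, the semicolon and the DROP TABLE are stored as characters, never parsed."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    """True if a table of that name is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]


def demo():
    """Run the same input through both versions.

    Returns (table_survived_vulnerable_path, names_after_safe_path)."""
    vuln = fresh_db()
    add_student_vulnerable(vuln, BOBBY)
    survived = table_exists(vuln, "students")  # False: the injected DROP TABLE ran

    safe = fresh_db()
    add_student_safe(safe, BOBBY)
    names = student_names(safe)  # ['Alice', "Robert'); DROP TABLE students;--"]
    return survived, names


if __name__ == "__main__":
    print(demo())
```

The point the slide makes in one picture is visible in the return value: the same string destroys the table on the concatenation path and is stored as a harmless, if odd, name on the parameterized path. Escaping quotes by hand is not an alternative; binding parameters is the fix because the query text and the data never travel through the parser together.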
  • 5. Web App Attacks
    o XSS was used to get root on an apache.org server in April 2010.
    o A popular shopping website used to sell only books and now sells other stuff as well.
    o That inner window is an iframe injected in a simple search request. Picture courtesy null Keeda Vulnerability Database.
  • 6. Other Critical Flaws/Attacks
    o Cross Site Request Forgery: attacks the user of the application
    o Clickjacking: Facebook "Like" attack
    o Security Misconfigurations: default passwords in DSL routers
    o Insecure Cryptographic Storage: Apache attack
    o Tiny URLs: employees trust and click on anything!
  • 7. Solutions/Mitigations
    o Training in secure coding for developers
    o Code reviews by competent security folks
    o Regular mining of web server logs
    o Application security practice
    o Awareness about new attacks
    o Set up a red team in the company
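Added example, not part of the slides: what "regular mining of web server logs" can look like in its simplest form. The script parses combined-format access log lines, URL-decodes the request target, and flags requests shaped like the injection and iframe attacks on the earlier slides. The log lines, IP addresses and regular expressions are all constructed for this illustration; the patterns are a starting heuristic, not a complete signature set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" format; none come from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2010:13:55:36 +0000] "GET /search?q=python+books HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2010:13:55:40 +0000] "GET /item?id=7%27%3B%20DROP%20TABLE%20students%3B-- HTTP/1.1" 500 312 "-" "curl/7.19"
198.51.100.2 - - [10/May/2010:13:56:02 +0000] "GET /search?q=%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%22%3E HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2010:13:56:10 +0000] "GET /about HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A quote, semicolon or comment marker followed by an SQL keyword is the shape of the
# injection on slides 3 and 4; the second alternative catches DROP TABLE outright.
SQLI_RE = re.compile(
    r"(?i)(['\";]|--)\s*(or|and|union|select|drop|insert|update|delete)\b|\bdrop\s+table\b"
)
# Markup or a javascript: URL inside a request parameter, the shape of the iframe on slide 5.
XSS_RE = re.compile(r"(?i)<\s*/?\s*(script|iframe|img|svg)\b|javascript:")


def parse_line(line):
    """Return the fields of one log line, plus the URL-decoded target, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Attack payloads arrive percent-encoded; decode before matching so encoding
    # alone cannot hide them from the patterns.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(decoded_target):
    """Set of tags ('sqli', 'xss') whose patterns match the decoded request target."""
    tags = set()
    if SQLI_RE.search(decoded_target):
        tags.add("sqli")
    if XSS_RE.search(decoded_target):
        tags.add("xss")
    return tags


def mine(log_text):
    """Walk a log and return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; skip rather than crash
        tags = classify(rec["decoded"])
        if tags:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "target": rec["decoded"],
                "tags": tags,
            })
    return findings


def top_sources(findings):
    """Count findings per client IP, the usual first pivot when triaging."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in mine(SAMPLE_LOG):
        print(f["ip"], f["status"], sorted(f["tags"]), f["target"])
    print(top_sources(mine(SAMPLE_LOG)))
```

Two habits make this useful rather than noisy: decode before matching, and keep the status code alongside the finding, since a 500 on an injection-shaped request is a far stronger signal than a 404. Run on real logs, the patterns will need tuning against legitimate traffic (a search for "drop table" in a database forum is not an attack), which is exactly the feedback loop the slide's "regular" mining is meant to establish.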
  • 8. About null
    o null: Indian Open Security Community, null.co.in
    o Registered non-profit society
    o 5 active chapters in India
    o We conduct monthly meetings, regular awareness camps and trainings.
    o More than 1000 security professionals and enthusiasts in the group.
    o null Keeda Vulnerability Database: http://keeda.nullcon.net
  • 9. Akash Mahajan
    o Chapter Lead of null Bangalore
    o Web Security Consultant
    o I hack, test and secure web apps and servers
    o Help companies become secure on the AWS cloud
    o Website: akashm.com
    o Email: akashmahajan@gmail.com / aka@null.co.in
    o Twitter: @makash
    o LinkedIn: www.linkedin.com/in/akashm