OWASP Top 10 Web Security Risks Explained
•Download as PPT, PDF•
1 like•897 views
Sharing our agency experience of developing secure web applications for some of the UK's leading high street banks and brands with a focus on the pitfalls you face when developing code in PHP. The talk will contain specific details on the many attack vectors that hackers will use to attempt to access and exploit your site and how you can improve your development process to avoid them. Topics covered will include some old chestnuts like XSS (Cross Site Scripting) and SQL injection through to issues like aSession Hijacking. The talk is aimed at developers who have perhaps not truly considered security of their applications before to developers who would like to extend their knowledge. The talk is aimed at software developers and will contain practical code-based examples and solutions.
![Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],About me](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to OWASP Top 10 Web Security Risks Explained
Similar to OWASP Top 10 Web Security Risks Explained (20)
Recently uploaded
Recently uploaded (20)
OWASP Top 10 Web Security Risks Explained
- 1. Are you feeling secure – notes from the trenches Paul Lemon @anthonylime http://joind.in/3603
- 3. “ The problem of insecure software is perhaps the most important technical challenge of our time.” – OWASP Testing Guide Introduction. Photo courtesy http://www.flickr.com/photos/katescars/
- 10. Injection http://someserver/script.php?id=1;INSERT INTO members ('email','passwd','login_id','full_name')VALUES ('paul.lemon@gmail.com','hello',‘paul',’Paul Lemon'); Sample Code
- 12. Injection Validation and Parameterised Query
- 16. XSS http://someserver/script.php?name=<script>alert();</script> or http://bit.ly/lYMcHjkj Sample XSS
- 17. XSS http:// host/script.php?name=<script src='http://hacker/script.js' /> Sample XSS
- 18. XSS Potential Exploits - Theft of session cookies - Insertion of content / forms etc - Redirection to malicious sites - Insertion of trojan downloads / keyloggers etc.
- 23. XSS – Trust zones Trusted Not Trusted API Database Web application Browser
- 24. XSS – Trust zones Trusted Not Trusted API Database Your application should be modular too Web application Browser
- 26. XSS Escape all output – context is important
- 27. XSS ?name=<script>alert("hello");</script>& link=javascript:alert('hello') Escape all output – context is important
- 28. XSS ?name=<script>alert("hello");</script>& link=javascript:alert('hello') Escape all output – context is important
- 29. XSS
- 32. Session Exploits
- 38. Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Web application Username / Password
- 39. Session Exploits Man in the middle attacks User logs in… Session Id - Cookie HTTP POST Ahoy! Web application Username / Password
- 40. Session Exploits Man in the middle attacks Username / Password User logs in… Session Id - Cookie HTTP S POST Web application
- 42. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application
- 43. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Session Id - Cookie Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application
- 45. Session Exploits Man in the middle attacks
- 46. Session Exploits Man in the middle attacks
- 47. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application
- 48. Session Exploits Man in the middle attacks User visits a non-secure page Resource downloaded HTTP GET Curses! Web application Username / Password User logs in… Session Id - Cookie HTTP S POST Web application
- 50. Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Open Zone of Web application User visits a non-secure page Resource downloaded HTTP GET Session Id Extra Auth – Cookie SECURE Web application
- 51. Session Exploits Username / Password User logs in… Session Id – Cookie SECURE HTTP S POST Secure Zone of Web application User visits a non-secure page Response HTTP S GET/POST/PUT Session Id Extra Auth – Cookie SECURE Extra Auth – Cookie Web application
- 52. XSRF
- 53. XSRF – Sorry no time
- 54. Conclusions
- 55. Conclusions Get someone else to do the work
- 59. Are you feeling secure – notes from the trenches Paul Lemon @anthonylime – paul.lemon@gmail.com http://joind.in/3603
Editor's Notes
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)
- Still occurs in 2011 alone wikipedia lists 8 real world examples Sony Nokia’s Developer Site NetNames DNS records and changed entries redirecting users (of Betfair (Online Gambling), The Telegraph, The Register, The National Geographic, UPS, Acer, Vodafone.com)