Boy Baukema
12th March, HZ, Vlissingen
Practical Hacking: OWASP Top 10
Wednesday, March 12, 14
So who’s this guy?
Boy Baukema
Security Specialist & Senior Engineer
@ Ibuildings.nl
boy@ibuildings.nl
twitter: @relaxnow
2
By what company?
Ibuildings (not owned by Apple)
3
A Security what?
Security Specialist:
Senior Software Engineer
+ R&D Security
+ Security Training
+ Internal Consulting
+ Internal Security Audits
+ External Security Audits
4
Okay, what’s he doing here?
‣ Introduction (10m)
‣ Before We Dive In (10m)
‣ OWASP TOP 11 2013 (+/- 15m per item)
‣ Where To Next? (10m)
5
Before we dive in...
8
Ethical Hacking & The (Dutch) Law
9
blog.iusmentis.com
Article 138ab & 138b
Responsible Disclosure
10
OWASP Top 11 of 2013
11
OWASP Top 10 2013 BONUS - Clickjacking
12
http://www.youtube.com/watch?v=DRQ8oC2MWAg
A10-Unvalidated Redirects and Forwards
13
A10-Unvalidated Redirects and Forwards
http://goo.gl/Gmzqv
https://www.bank.com:login.html@phisher.cn/
http://www.bank.com:login.html@74.125.131.105
http://www.bank.com:login.html@1249739625/
http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/
http://www.bank.com:login.html@0112.0175.0203.0151/
http://pc-help.org/o%62s%63ur%65%2e%68t%6D
14
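The links on the slide all rely on the same trick: everything before the "@" is user-info that the browser ignores for routing, and the real host can be written as a plain integer, hex octets or octal octets. The resolver below is an added example, not part of the slides; it splits each URL the way a browser does, separates the user-info from the real host, normalises the numeric notations to dotted-decimal and percent-decodes the path, so a reviewer (or a link-checking filter) sees the true destination. It goes a little beyond the slide by also accepting mixed hex/octal/decimal octets. The function and field names are my own.

```python
"""Resolve the deceptive URLs from the A10 slide to their real destination.

Added example, not from the slides: user-info vs. host split plus
normalisation of integer, hex and octal IPv4 notations.
"""
import ipaddress
from urllib.parse import unquote, urlsplit


def _octet(part: str) -> int:
    """Decode one dotted component: 0x.. is hex, a leading zero is octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalise_host(host: str) -> str:
    """Return the dotted-decimal form of a disguised IPv4 host, or the host unchanged.

    Handles a bare 32-bit integer (1249739625), hex octets (0x4a.0x7d.0x83.0x69)
    and octal octets (0112.0175.0203.0151); any other host is returned as-is.
    """
    try:
        if host.isdigit():
            # browsers treat a bare integer as a 32-bit address
            return str(ipaddress.IPv4Address(int(host)))
        parts = host.split(".")
        if len(parts) == 4:
            octets = [_octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
    except ValueError:  # includes ipaddress.AddressValueError
        pass
    return host


def explain(url: str) -> dict:
    """Split a URL into the parts a reader confuses: the user-info text and the real host."""
    parts = urlsplit(url)
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo = f"{userinfo}:{parts.password}"
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,                 # text before '@'; not used for routing
        "host": normalise_host(parts.hostname or ""),
        "path": unquote(parts.path),          # %xx sequences decoded
        "deceptive": bool(userinfo),          # user-info in a plain web link is a red flag
    }


if __name__ == "__main__":
    # the slide's own examples
    for u in [
        "https://www.bank.com:login.html@phisher.cn/",
        "http://www.bank.com:login.html@74.125.131.105",
        "http://www.bank.com:login.html@1249739625/",
        "http://www.bank.com:login.html@0x4a.0x7d.0x83.0x69/",
        "http://www.bank.com:login.html@0112.0175.0203.0151/",
        "http://pc-help.org/o%62s%63ur%65%2e%68t%6D",
    ]:
        print(u, "->", explain(u))
```

Every `www.bank.com` link above resolves to the host after the "@", and the four numeric forms are the same address 74.125.131.105; the pc-help.org path decodes to /obscure.htm. A redirect endpoint that validates its target should compare the normalised host, not the raw string.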
A9-Using Components with Known Vulnerabilities
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 5923 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 500 885 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 6290 "-" "BOT/0.1 (BOT for JCE)"
174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1" 404 6237 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
15
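The log excerpt on the slide is a scanner working through the JCE image-manager component: repeated POSTs to option=com_jce&plugin=imgmanager, a self-identifying "BOT for JCE" user agent, and finally a GET for a .php file under images/stories to see whether anything landed (it got a 404 here). The script below is an added example, not part of the slides: a detector that parses Apache combined-format lines, tags those three signals and summarises them per client IP. The first seven sample lines are the slide's own; the last one is a constructed benign request added for contrast. Tag names and field names are my own choice.

```python
"""Detection logic for the JCE-scanner traffic on the A9 slide.

Added example, not from the slides. Parses Apache combined-log lines, tags
requests that probe the Joomla JCE image manager, the scanner's user agent
and the follow-up GET for a .php file under images/stories, and summarises
the hits per client IP.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Pieces of the slide's own log lines, factored out to keep the sample readable.
PROBE_FORM = ("option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form"
              "&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b")
PROBE_VERSION = "option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20"
BLOG = "/blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now"
BOT_UA = '"-" "BOT/0.1 (BOT for JCE)"'
FF_UA = '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"'

SAMPLE_LOG = [
    f'174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?{PROBE_FORM} HTTP/1.1" 500 885 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST /index.php?{PROBE_VERSION} HTTP/1.1" 404 5923 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST {BLOG}/index.php?{PROBE_FORM} HTTP/1.1" 500 885 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:08 -0500] "POST {BLOG}/index.php?{PROBE_VERSION} HTTP/1.1" 404 6290 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST {BLOG}/index.php?{PROBE_FORM} HTTP/1.1" 500 885 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:10 -0500] "POST {BLOG}/index.php?{PROBE_VERSION} HTTP/1.1" 404 6290 {BOT_UA}',
    f'174.34.252.13 - - [03/Feb/2014:01:01:11 -0500] "GET {BLOG}/images/stories/food.php?rf HTTP/1.1" 404 6237 {FF_UA}',
    # constructed benign request (not from the slide), to show a line that yields no tags
    '198.51.100.7 - - [03/Feb/2014:01:02:00 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def classify(rec: dict) -> list:
    """Return the detection tags that apply to one parsed record (my own tag names)."""
    tags = []
    q = rec["query"]
    if q.get("option") == "com_jce" and q.get("plugin") == "imgmanager":
        tags.append("jce-imgmanager-probe")
    if "BOT for JCE" in rec["ua"]:
        tags.append("jce-scanner-ua")
    if rec["method"] == "GET" and "/images/stories/" in rec["path"] and rec["path"].endswith(".php"):
        tags.append("php-under-images-stories")   # checking whether an upload landed
    return tags


def summarise(lines) -> dict:
    """Aggregate tagged requests per client IP; lines with no tags are skipped."""
    per_ip = defaultdict(lambda: {"probes": 0, "followup_php_gets": 0, "statuses": set(), "tags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        s = per_ip[rec["ip"]]
        s["tags"].update(tags)
        s["statuses"].add(rec["status"])
        s["probes"] += "jce-imgmanager-probe" in tags
        s["followup_php_gets"] += "php-under-images-stories" in tags
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s)
```

On the slide's lines this yields one client with six imgmanager probes, one follow-up GET under images/stories, statuses {404, 500} and all three tags; the benign line is dropped. The status codes are part of the verdict: a 200 on the follow-up GET would mean the file exists and the host needs incident handling, not just a block rule.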
A8-Cross-Site Request Forgery (CSRF)
16
http://www.youtube.com/watch?v=vRBihr41JTo
A7-Missing Function Level Access Control
17
A6-Sensitive Data Exposure
18
A6-Sensitive Data Exposure
19
A5-Security Misconfiguration
http://www.exploit-db.com/google-dorks/
20
A4-Insecure Direct Object References
21
A3-Cross-Site Scripting (XSS)
22
http://www.youtube.com/watch?v=a9WNy2ZSq8Y
A3-Cross-Site Scripting (XSS)
23
A2-Broken Authentication and Session Management
24
A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset
25
HTTP Strict Transport Security
Strict-Transport-Security:
‣ max-age=60000;
‣ includeSubDomains
26
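The slide shows the two directives that matter in a Strict-Transport-Security header. The checker below is an added example, not part of the slides: it parses the header value the way RFC 6797 describes it (directive names case-insensitive, max-age mandatory, unknown directives tolerated) and reports the weaknesses a reviewer looks for. The one-year threshold for max-age is my own choice, a common recommendation; note that the slide's own value of 60000 seconds is under 17 hours, so the policy lapses after a day away from the site.

```python
"""Parse and assess a Strict-Transport-Security header value.

Added example, not from the slides. The min_age_days threshold is my own
choice; the parsing rules follow RFC 6797.
"""


def parse_hsts(value: str) -> dict:
    """Split 'max-age=60000; includeSubDomains' into {name: value or True}.

    Directive names are case-insensitive, so keys are lower-cased; a directive
    without '=' (includeSubDomains, preload) is stored as True.
    """
    directives = {}
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def assess_hsts(value: str, min_age_days: int = 365) -> dict:
    """Return the parsed settings plus a list of findings (empty means no concerns)."""
    d = parse_hsts(value)
    findings = []
    raw_age = d.get("max-age")
    if not isinstance(raw_age, str) or not raw_age.isdigit():
        # max-age is required; without it browsers discard the whole header
        findings.append("max-age missing or not a number: header is invalid and ignored")
        age = 0
    else:
        age = int(raw_age)
        if age == 0:
            findings.append("max-age=0 tells the browser to forget the policy")
        elif age < min_age_days * 86400:
            findings.append(f"max-age covers only {age / 86400:.1f} day(s); policy lapses after a short absence")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay reachable over plain HTTP")
    return {
        "max_age_seconds": age,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "findings": findings,
    }


if __name__ == "__main__":
    # the slide's value, then a stronger one for comparison
    for v in ["max-age=60000; includeSubDomains", "max-age=31536000; includeSubDomains; preload"]:
        print(v, "->", assess_hsts(v))
```

Run this against the header a live site actually sends (for example from curl -I output) rather than against what the config file says; a proxy in front of the application can strip or rewrite it.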
A1-Injection
27
Now What?
28
29
Conferences, People & Resources
‣ Security.nl
‣ Owasp.org
‣ Hackvertor
‣ Webappsec.io
‣ Chris Cornutt
‣ Bruce Schneier
‣ OWASP BeNeLux
‣ OWASP EU
‣ Hack In The Box
‣ Black Hat Europe
30
Companies
‣ Fox-IT
‣ Madison Gurkha
‣ Pine
‣ Ibuildings.nl
31
QUESTIONS
32
Slides @ http://www.slideshare.net/relaxnow/2014-guestlectureinfosec