SlideShare a Scribd company logo

Web Application Security - DevFest + GDay George Town 2016

Download as PPTX, PDF
Gareth Davies
Gareth Davies

An introduction to Web Application Security for web application developers (although most principles also apply to mobile and native or embedded apps) at DevFest + GDay George Town 2016. This talk covers the basic principles of infosec (CIA), do's and don't and the top 5 from the OWASP Top 10.

Technology
1 of 23
Web Application Security By Gareth Davies - Mindvalley CTO Founder of www.darknet.org.uk Founder of www.security-forums.com slideshare.com/ShaolinTiger
So, Who am I? • I work at Mindvalley – we hiring! mindvalley.com/careers • Ex penetration testing team lead (hacker for hire) • Founder of prominent infosec blog Darknet.org.uk
Darknet – A Brief History • Started in 1999 on EFnet (IRC) by me • Original IRC co-founder from Penang • Website launched in 2000 • Current format launched in 2006 • Top 5 Infosec Blog • 40,000+ RSS Subscribers • Nominated for multiple awards Full History: http://www.darknet.org.uk/about/
Security-Forums.com – A Brief History • Started in 2002 as the Darknet Forum • Wanted to move away from Usenet • Became the fastest growing infosec forum • Referenced in Microsoft Newsletter • Running phpBB • Sold in 2004 to WindowSecurity.com Visit: http://www.security-forums.com/
This Talk • This talk covers: • The principle of infosec • The basic do’s and don’ts • OWASP Top 10 Who has been hacked before? Who knows the subject well or has worked in infosec? Who is familiar with OWASP Top 10?
An Introduction To Infosec
What is Information Security? • It is quite a vague phrase – but it can be defined. C AI
The CIA Triad •The basic model for Information Security: •Confidentiality (keeping the data secret) •Integrity (keeping the data unchanged) •Availability (keeping the data accessible)
Confidentiality “ Preventing the unauthorized disclosure of information” • Yahoo Hack exposed 500 Million Accounts • Can lead to legal issues • Hacker only needs ‘read’ access
Integrity “ Guarding against improper information modification or destruction” • Less frequent but more damaging • Can remain undetected for long periods (APT) • Hacker does need ‘write’ access
Availability “Ensuring timely and reliable access to the information” • DDoS attacks can be extremely damaging • Very hard to prevent and protect against • Hacker needs NO access
Web App Do’s & Don’ts
NEVER Trust User Input • Validate type, length, format, range • Use regex, JavaScript form validation + Back-end checks • Always whitelist, not blacklist
ALWAYS Protect Data in Transit • Use HTTPS/TLS for EVERYTHING • Use HSTS To Enforce it • Redirect all HTTP users to HTTPS • Make sure your app to DB connections are encrypted
ALWAYS Hash & Salt User Passwords • Hash ALL stored user passwords • Salt all Hashes (globally unique for each user) • Use bcrypt NOT md5 or SHA-1 • Use a validated library, don’t implement yourself
ALWAYS Authenticate Users Safely • Use an existing, mature framework • Consider SSO (login via Facebook/Twitter etc) • Use 2FA for important access (admins/super-users) • Re-authenticate for important actions (like Github/Gmail) • Hide user existence (don’t show ID doesn’t exist error) • Prevent brute forcing with CAPTCHA, rate-limiting etc
OWASP Top 10
A1- Injection • NEVER trust user input! • Separate interpreters from command or query • For SQL this means binding calls in prepared statements • Static analysis tools can scan for this
A2- Broken Auth & Sessions • NEVER store plain-text passwords ANYWHERE • Don’t expose Session IDs • Make sure sessions time-out • Rotate Session IDs properly • Don’t send passwords/sessions over unencrypted lines
A3- Cross-site Scripting (XSS) • NEVER trust user input! • These attacks focus on the browser as the interpreter • Properly escape all untrusted data • Whitelist server-side validation (Second layer) • There are specific auto-sanitization libraries (AntiSamy)
A4- Insecure Object References • NEVER trust user input! (seeing a pattern yet?) • Don’t use easily guessable resource names • User per session or indirect object references • Check access authorization on every request
A5- Security Misconfiguration • Don’t trust default config EVER (Google MongoDB hacks) • Always change default account credentials • Learn about the tools you use and how to secure them • Don’t expose detailed error messages/debug strings • Don’t leave samples on the servers (like php_info.php)
THE END For Stalkers Twitter/Insta: @ShaolinTiger Blog: www.shaolintiger.com Infosec: www.darknet.org.uk This presentation: www.slideshare.net/ShaolinTiger

Recommended

ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentationMichael Furman
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 

Recommended

ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentationMichael Furman
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Web security
Web security Web security
Web security Kaushal Bhavsar
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profitNipun Jaswal
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedAmanda Berlin
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryChristopher Grayson
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
An Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And MoreAn Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And MoreBlake Carver
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid themKarl Ots
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014CloudCamp Chicago
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessAlert Logic
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingGareth Davies
 
ISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJRene Jaspe, CISSP®, CSSLP®
 

More Related Content

What's hot

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profitNipun Jaswal
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedAmanda Berlin
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryChristopher Grayson
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
An Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And MoreAn Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And MoreBlake Carver
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid themKarl Ots
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014CloudCamp Chicago
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Ruby Meditation
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessAlert Logic
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 

What's hot (20)

Web security
Web security Web security
Web security
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is Fucked
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For Web
 
An Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And MoreAn Introduction To IT Security And Privacy - Servers And More
An Introduction To IT Security And Privacy - Servers And More
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 
Web application security
Web application securityWeb application security
Web application security
 
AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014AWS Chicago user group meetup on June 24, 2014
AWS Chicago user group meetup on June 24, 2014
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 

Viewers also liked

Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingGareth Davies
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
Het zegemeer
Het zegemeerHet zegemeer
Het zegemeerlode64
 
High Performance Wordpress
High Performance WordpressHigh Performance Wordpress
High Performance WordpressGareth Davies
 
Онлайн-семинары от А до Я
Онлайн-семинары от А до ЯОнлайн-семинары от А до Я
Онлайн-семинары от А до ЯPavel Levushkan
 
Proyectos creativos con tic trabajo nº 2
Proyectos creativos con tic trabajo nº 2Proyectos creativos con tic trabajo nº 2
Proyectos creativos con tic trabajo nº 2Erick Cinat
 
Forskningskonferansenovkompr2012
Forskningskonferansenovkompr2012Forskningskonferansenovkompr2012
Forskningskonferansenovkompr2012Ellen Røsjø
 
Hinojosa urgilez
Hinojosa urgilezHinojosa urgilez
Hinojosa urgilezspacexxi
 
Юзабилити лаборатория как процесс
Юзабилити лаборатория как процессЮзабилити лаборатория как процесс
Юзабилити лаборатория как процессДмитрий Силаев
 
банкоматы методология исследования
банкоматы методология исследованиябанкоматы методология исследования
банкоматы методология исследованияДмитрий Силаев
 
мобильный банкинг: юзабилити-исследование_сравнение
мобильный банкинг: юзабилити-исследование_сравнениемобильный банкинг: юзабилити-исследование_сравнение
мобильный банкинг: юзабилити-исследование_сравнениеДмитрий Силаев
 

Viewers also liked (20)

Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google Hacking
 
ISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJ
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
Ev yapimi
Ev yapimiEv yapimi
Ev yapimi
 
Het zegemeer
Het zegemeerHet zegemeer
Het zegemeer
 
High Performance Wordpress
High Performance WordpressHigh Performance Wordpress
High Performance Wordpress
 
Онлайн-семинары от А до Я
Онлайн-семинары от А до ЯОнлайн-семинары от А до Я
Онлайн-семинары от А до Я
 
Glass
GlassGlass
Glass
 
Proyectos creativos con tic trabajo nº 2
Proyectos creativos con tic trabajo nº 2Proyectos creativos con tic trabajo nº 2
Proyectos creativos con tic trabajo nº 2
 
Linkedinslide
LinkedinslideLinkedinslide
Linkedinslide
 
Forskningskonferansenovkompr2012
Forskningskonferansenovkompr2012Forskningskonferansenovkompr2012
Forskningskonferansenovkompr2012
 
Blogging WTF?
Blogging WTF?Blogging WTF?
Blogging WTF?
 
Hinojosa urgilez
Hinojosa urgilezHinojosa urgilez
Hinojosa urgilez
 
Юзабилити лаборатория как процесс
Юзабилити лаборатория как процессЮзабилити лаборатория как процесс
Юзабилити лаборатория как процесс
 
банкоматы методология исследования
банкоматы методология исследованиябанкоматы методология исследования
банкоматы методология исследования
 
Ev yapimi
Ev yapimiEv yapimi
Ev yapimi
 
How to learn english
How to learn englishHow to learn english
How to learn english
 
Memòria pràctiques Màster
Memòria pràctiques MàsterMemòria pràctiques Màster
Memòria pràctiques Màster
 
мобильный банкинг: юзабилити-исследование_сравнение
мобильный банкинг: юзабилити-исследование_сравнениемобильный банкинг: юзабилити-исследование_сравнение
мобильный банкинг: юзабилити-исследование_сравнение
 

Similar to Web Application Security - DevFest + GDay George Town 2016

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14Chris Holwerda
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security IntroCash Williams
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A PentesterNorthBayWeb
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityOliver Hader
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureAchievers Tech
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift Bunty Madan
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacksFrank Victory
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Demystifying Web Application Security - JSFoo 2018
Demystifying Web Application Security - JSFoo 2018Demystifying Web Application Security - JSFoo 2018
Demystifying Web Application Security - JSFoo 2018shyamsesh
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 

Similar to Web Application Security - DevFest + GDay George Town 2016 (20)

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14OWASP Top 10 Web Vulnerabilities from DCC 04/14
OWASP Top 10 Web Vulnerabilities from DCC 04/14
 
Drupal Security Intro
Drupal Security IntroDrupal Security Intro
Drupal Security Intro
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
So Your Company Hired A Pentester
So Your Company Hired A PentesterSo Your Company Hired A Pentester
So Your Company Hired A Pentester
 
H4CK1N6 - Web Application Security
H4CK1N6 - Web Application SecurityH4CK1N6 - Web Application Security
H4CK1N6 - Web Application Security
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift
iOS Security - Secure-iOS-Guidelines - Apple | iOS | Swift
 
Lesson 6 web based attacks
Lesson 6 web based attacksLesson 6 web based attacks
Lesson 6 web based attacks
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Demystifying Web Application Security - JSFoo 2018
Demystifying Web Application Security - JSFoo 2018Demystifying Web Application Security - JSFoo 2018
Demystifying Web Application Security - JSFoo 2018
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Web Application Security - DevFest + GDay George Town 2016

  • 1. Web Application Security By Gareth Davies - Mindvalley CTO Founder of www.darknet.org.uk Founder of www.security-forums.com slideshare.com/ShaolinTiger
  • 2. So, Who am I? • I work at Mindvalley – we hiring! mindvalley.com/careers • Ex penetration testing team lead (hacker for hire) • Founder of prominent infosec blog Darknet.org.uk
  • 3. Darknet – A Brief History • Started in 1999 on EFnet (IRC) by me • Original IRC co-founder from Penang • Website launched in 2000 • Current format launched in 2006 • Top 5 Infosec Blog • 40,000+ RSS Subscribers • Nominated for multiple awards Full History: http://www.darknet.org.uk/about/
  • 4. Security-Forums.com – A Brief History • Started in 2002 as the Darknet Forum • Wanted to move away from Usenet • Became the fastest growing infosec forum • Referenced in Microsoft Newsletter • Running phpBB • Sold in 2004 to WindowSecurity.com Visit: http://www.security-forums.com/
  • 5. This Talk • This talk covers: • The principle of infosec • The basic do’s and don’ts • OWASP Top 10 Who has been hacked before? Who knows the subject well or has worked in infosec? Who is familiar with OWASP Top 10?
  • 7. What is Information Security? • It is quite a vague phrase – but it can be defined. C AI
  • 8. The CIA Triad •The basic model for Information Security: •Confidentiality (keeping the data secret) •Integrity (keeping the data unchanged) •Availability (keeping the data accessible)
  • 9. Confidentiality “ Preventing the unauthorized disclosure of information” • Yahoo Hack exposed 500 Million Accounts • Can lead to legal issues • Hacker only needs ‘read’ access
  • 10. Integrity “ Guarding against improper information modification or destruction” • Less frequent but more damaging • Can remain undetected for long periods (APT) • Hacker does need ‘write’ access
  • 11. Availability “Ensuring timely and reliable access to the information” • DDoS attacks can be extremely damaging • Very hard to prevent and protect against • Hacker needs NO access
  • 12. Web App Do’s & Don’ts
  • 13. NEVER Trust User Input • Validate type, length, format, range • Use regex, JavaScript form validation + Back-end checks • Always whitelist, not blacklist
  • 14. ALWAYS Protect Data in Transit • Use HTTPS/TLS for EVERYTHING • Use HSTS To Enforce it • Redirect all HTTP users to HTTPS • Make sure your app to DB connections are encrypted
  • 15. ALWAYS Hash & Salt User Passwords • Hash ALL stored user passwords • Salt all Hashes (globally unique for each user) • Use bcrypt NOT md5 or SHA-1 • Use a validated library, don’t implement yourself
  • 16. ALWAYS Authenticate Users Safely • Use an existing, mature framework • Consider SSO (login via Facebook/Twitter etc) • Use 2FA for important access (admins/super-users) • Re-authenticate for important actions (like Github/Gmail) • Hide user existence (don’t show ID doesn’t exist error) • Prevent brute forcing with CAPTCHA, rate-limiting etc
  • 18. A1- Injection • NEVER trust user input! • Separate interpreters from command or query • For SQL this means binding calls in prepared statements • Static analysis tools can scan for this
  • 19. A2- Broken Auth & Sessions • NEVER store plain-text passwords ANYWHERE • Don’t expose Session IDs • Make sure sessions time-out • Rotate Session IDs properly • Don’t send passwords/sessions over unencrypted lines
  • 20. A3- Cross-site Scripting (XSS) • NEVER trust user input! • These attacks focus on the browser as the interpreter • Properly escape all untrusted data • Whitelist server-side validation (Second layer) • There are specific auto-sanitization libraries (AntiSamy)
  • 21. A4- Insecure Object References • NEVER trust user input! (seeing a pattern yet?) • Don’t use easily guessable resource names • User per session or indirect object references • Check access authorization on every request
  • 22. A5- Security Misconfiguration • Don’t trust default config EVER (Google MongoDB hacks) • Always change default account credentials • Learn about the tools you use and how to secure them • Don’t expose detailed error messages/debug strings • Don’t leave samples on the servers (like php_info.php)
  • 23. THE END For Stalkers Twitter/Insta: @ShaolinTiger Blog: www.shaolintiger.com Infosec: www.darknet.org.uk This presentation: www.slideshare.net/ShaolinTiger