The most critical web application security risks - and how to avoid them

•Download as PPTX, PDF•

0 likes•205 views

The document discusses several common web application security risks and methods to avoid them. It covers clickjacking, stealing cookies from HTTPS websites, cross-site request forgery (CSRF), two-factor authentication, use of outdated third-party components, and the importance of continuous integration to enforce secure coding practices. The document provides code examples for different programming languages to implement clickjacking and cookie protections. It emphasizes educating developers about security risks and using automation through continuous integration to help catch vulnerabilities.

The Most Critical Web Application
Security Risks - and how to avoid them

“Earlier this year we identified Clickjacking activity on
our display network...”
Wednesday, May 24, 2017
1
Clickjacking – The Risk

1
Clickjacking – The Risk
It’s not a
video

Delete
Account
1
Clickjacking – The Risk

Click Here to Play a Game
Start a Game
1
Clickjacking – The Risk

Language Code
NodeJS res.setHeader(‘x-frame-options’,’deny’)
NGINX add_header x-frame-options deny;
C# HttpContext.Response.AddHeader("test",
"val");
Python resp.headers[‘x-frame-options'] = ‘deny'
1
Clickjacking – Backend Fixing

1
Clickjacking – Backend Fixing
NGINX requires
only 32 characters
to fix Clickjacking
security hole

2
Bob
John
https://www.google.com
https://www.amazon.com
https://www.ebay.com
Stealing cookies from HTTPS
Websites

2
Stealing cookies from HTTPS
Websites
GET HTTP://www.google.com
301 REDIRECT HTTPS://....
GET HTTPS://www.google.com

$2 Stealing cookies from HTTPS Websites res.cookie(“user_id”,”value”,{secure:true})$

3
Cross-Site Request Forgery
(CSRF)
Bob
NETFLIX Website
Attacker Website
Adding a DVD to the victim's rental queue
Bob Logged in to NetFlix

3
Cross-Site Request Forgery
(CSRF)
POST HTTPS://www.netflix.com
200 OK
www.attackersite.comBob

4
Two factor authentication
Bob
***** 34281
One-Time CodePassword
John

4
Two factor authentication
OneTimeCode = Math.random()
OneTimeCode = sha256(password + iteration)

Now, it’s your turn
3rd party components
5
Find the security issue in the next slide

What are the security issues here?
3rd party components
5

Continuous integration
6
Continuous integration

Clickjacking – Backend Fixing
Be sure that ALL the developers of your app know the
most critical security risks.
Conclusions
Use CI tools that force to write a secure code
Never use old version 3rd party components

THANKS!
Any questions?
You can find me on your Android notification panel
• Turn on Bluetooth & Near-By Feature
• aminadav@backupbox.com
Conclusions

1. The document discusses how to write effective bug bounty reports by understanding what security teams look for in reports. It emphasizes providing detailed reproduction steps, analyzing exploitability and potential impact, and considering the perspective of the security team. 2. Common elements of an effective report include clear reproduction steps, analysis of how an attack could actually work in the real world, and understanding what types of vulnerabilities are important to the specific organization based on their industry and needs. 3. The presentation provides examples of good and bad reports, outlines typical service level agreements, and emphasizes asking questions to understand the priorities and scope of individual security programs.

Koopman Prize Presentation

Linan Huang

The document discusses duplicity games and mechanism design for cyber deception to mitigate insider threats. It proposes a game theoretic model where a defender designs a feature generator to manipulate a user's beliefs and incentivize secure actions. The generator includes components for belief manipulation and incentive modulation. The design ensures the user has no incentive to deviate from the recommended security policy. Principles are discussed for jointly designing the generator, belief manipulator, and incentive modulator to manage incentives and achieve deterrence.

Introduction to Software Security and Best Practices

Maxime ALAY-EDDINE

Lviv js2017 (eleks)

Андрей Вандакуров

The document discusses common web attacks like man-in-the-middle attacks and cross-site scripting. It demonstrates how to perform a man-in-the-middle attack using tools like Cain and Abel. Cookies are explained as data stored on a user's computer when browsing websites. Cross-site request forgery attacks using malicious cookies are also demonstrated. The document provides resources on learning about vulnerabilities from sites like OWASP and CVE, as well as tools for scanning projects and practices for starting with hacking.

Project Kid Hack - Teaching Kids Security through Gaming at BSidesDE on Novem...

grecsl

Wanna teach your kid to be a hacker but don’t know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career … or at least make our children a more security-conscience adult in whatever field they choose.

Hackers vs developers

Soumyasanto Sen

Hackers and developers are compared in the document. Hackers are described as skillful with deep technical understanding but often unsocial and focused on breaking systems. Developers are portrayed as true professionals who work with people to build applications and believe they can change the world. The document then provides examples of how hacking can look simple, such as cross-site scripting attacks on websites. It offers suggestions for prevention including input sanitization and access control. Later it discusses hacking in Node.js and risks of SQL and NoSQL injection. Finally it addresses how hacking and development skills could be applied for social good or security testing.

Wanna teach your kid to be a hacker but don't know where to start? Security is a fairly complex topic but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career ... or at least make our children a more security-conscience adult in whatever field they choose.

SecTor '09 - When Web 2.0 Attacks!

Rafal Los

Advanced Malware Analysis

Prathan Phongthiproek

The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.

Securing your Cloud Environment v2

ShapeBlue

DevSecCon Boston 2018: Busted computing by Conor Walsh

DevSecCon

The document provides an overview of security issues related to console gaming. It discusses the gaming threat landscape, including common attack vectors used by modders. It then defines the concept of trusted computing as it relates to gaming consoles. The document proposes a threat model for console gaming and discusses potential future security issues. It concludes by offering recommendations for game developers to help solve security problems, such as employing security best practices, building security into all aspects of development, and obtaining outside security perspectives.

Project KidHack – Teaching the Next Next Generation Security through Gaming a...

grecsl

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

GangSeok Lee

2010 CodeEngn Conference 04 각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다. http://codeengn.com/conference/04

Ncc hackers session 4

Jemma Davis

This document provides information about careers in cyber security and encourages learning coding skills. It discusses typical cyber security job roles that pay between $20,000-$130,000 annually. Ethical hacking is mentioned, where hackers can get paid through bug bounty programs for finding vulnerabilities in companies' systems. The document advertises an upcoming hackathon hosted on the Avatao platform for Hackney Community College students to complete challenges and learn about techniques like cross-site scripting.

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Hacks in Taiwan (HITCON)

Xss mitigation php [Repaired]

Tinashe Makuti

This document discusses mitigating cross-site scripting (XSS) attacks in PHP. It describes XSS as when an attacker injects scripts into a web application's output that are then executed by a user's browser. The dangers of unmitigated XSS include stolen cookies, deployed trojans, and stolen user data. PHP provides functions like htmlentities(), htmlspecialchars(), get_magic_quotes_gpc(), stripslashes(), and mysql_real_escape_string() to sanitize input and prevent XSS. Examples are given showing how these functions can neutralize dangerous code by converting HTML tags to entities. The document also discusses setting the HttpOnly attribute in PHP to prevent client-side scripts from accessing protected

SEC599 - Breaking The Kill Chain

Erik Van Buggenhout

The document discusses Windows credential attacks and defenses. It describes common credential theft techniques like dumping credentials from LSASS memory using Mimikatz. It then covers various Windows credential hardening defenses over time like Protected Processes, Restricted Admin, and CredentialGuard. It demonstrates CredentialGuard's effectiveness at preventing credential theft compared to normal and older Windows configurations through a lab demo. The presentation aims to educate on real-world credential attacks while showing that effective defense is possible.

Inconvenient Truth(s) - On Application Security (from 2007)

Dinis Cruz

This document discusses inconvenient truths about software security. It notes that there are no standardized security metrics, making it difficult for customers to assess security. It also draws parallels between global warming and the growing impact of insecure software. The document argues that secure software does not currently make business sense for vendors due to a lack of incentives. It warns that society's heavy dependence on software leaves it vulnerable if attacker business models evolve to more effectively monetize exploiting insecure systems at scale. Overall, the document presents several inconvenient realities about the current state of software security.

Crash Course In Brain Surgery

morisson

All You Need is One - A ClickOnce Love Story - Secure360 2015

NetSPI

ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions. It also provides an excellent opportunity for malicious actors to establish a foothold in your network. In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.

What you need to know about ExPetr ransomware

Kaspersky

1. A ransomware variant called ExPetr first appeared on June 27th, 2017 that affected systems globally through multiple infection vectors. 2. It spreads through stolen credentials and unpatched vulnerabilities, encrypting files using AES128 and displaying fake decryption instructions. 3. Mitigations include patching known exploits like EternalBlue, disabling SMBv1, securing Active Directory, and maintaining offline backups.

Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...

HITCON GIRLS

This document discusses principles of threat attribution through analyzing artifacts left behind by threat actors. It explains that attribution is difficult as there are usually multiple possible explanations but outlines approaches like examining metadata, anomalies, targeting patterns, and mistakes over time. Specific case studies are presented on a hacking back of a command and control server, using stolen certificates to attribute Lazarus, and clues in timestamps and encoding errors that point to Lazarus having Korean origins.

The Sweet Spot of Cyber Intelligence

Tieu Luu

SuprTEK is developing a cyber intelligence solution to correlate threat intelligence data with internal asset and vulnerability findings. The solution ingests multiple data sources, extracts relevant exploit targets from threats, identifies exploitable internal assets, and prioritizes vulnerabilities through scoring based on known threats. Future work includes improving threat intelligence, using machine learning to infer security weaknesses from threats, and validating the solution in a larger enterprise.

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016

grecsl

In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.

Defense in Depth: Lessons Learned Securing 200,000 Sites

Pantheon

Have you ever heard: "HTTPS will slow down your site"? How about: "I'm too small of a website, no one will want to hack me."? All too often security misconceptions lead to security apathy. Join us as we debunk these security myths and more! We’ll start at the 10,000-foot level, reviewing common myths about secure development, then zoom in closer for a look at security best practices, concluding with a deep-dive into a few of the most effective attack mitigation strategies. With the battlescars to backup the information, our presenters will leave you with strategies to handle securing your project with confidence.

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Project Management Semester Long Project - Acuity

jpupo2018

Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.

Similar to The most critical web application security risks - and how to avoid them

Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...

grecsl

SecTor '09 - When Web 2.0 Attacks!

Rafal Los

Advanced Malware Analysis

Prathan Phongthiproek

Securing your Cloud Environment v2

ShapeBlue

DevSecCon Boston 2018: Busted computing by Conor Walsh

DevSecCon

Project KidHack – Teaching the Next Next Generation Security through Gaming a...

grecsl

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

GangSeok Lee

Ncc hackers session 4

Jemma Davis

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Hacks in Taiwan (HITCON)

Xss mitigation php [Repaired]

Tinashe Makuti

SEC599 - Breaking The Kill Chain

Erik Van Buggenhout

Inconvenient Truth(s) - On Application Security (from 2007)

Dinis Cruz

Crash Course In Brain Surgery

morisson

All You Need is One - A ClickOnce Love Story - Secure360 2015

NetSPI

What you need to know about ExPetr ransomware

Kaspersky

Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...

HITCON GIRLS

The Sweet Spot of Cyber Intelligence

Tieu Luu

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016

grecsl

Defense in Depth: Lessons Learned Securing 200,000 Sites

Pantheon

Similar to The most critical web application security risks - and how to avoid them (19)

Project KidHack - Teaching Kids Security through Gaming at BSidesCharm on Apr...

SecTor '09 - When Web 2.0 Attacks!

Advanced Malware Analysis

Securing your Cloud Environment v2

DevSecCon Boston 2018: Busted computing by Conor Walsh

Project KidHack – Teaching the Next Next Generation Security through Gaming a...

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

Ncc hackers session 4

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Xss mitigation php [Repaired]

SEC599 - Breaking The Kill Chain

Inconvenient Truth(s) - On Application Security (from 2007)

Crash Course In Brain Surgery

All You Need is One - A ClickOnce Love Story - Secure360 2015

What you need to know about ExPetr ransomware

Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...

The Sweet Spot of Cyber Intelligence

Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016

Defense in Depth: Lessons Learned Securing 200,000 Sites

Recently uploaded

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Project Management Semester Long Project - Acuity

jpupo2018

Serial Arm Control in Real Time Presentation

tolgahangng

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Wask

https://www.wask.co/ebooks/digital-marketing-trends-in-2024 Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

IndexBug

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Alpen-Adria-Universität

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Recently uploaded (20)

How to Get CNIC Information System with Paksim Ga.pptx

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Project Management Semester Long Project - Acuity

Serial Arm Control in Real Time Presentation

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Digital Marketing Trends in 2024 | Guide for Staying Ahead

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

20240609 QFM020 Irresponsible AI Reading List May 2024

Mariano G Tinti - Decoding SpaceX

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

June Patch Tuesday

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

TrustArc Webinar - 2024 Global Privacy Survey

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Introduction of Cybersecurity with OSS at Code Europe 2024

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Generating privacy-protected synthetic data using Secludy and Milvus

Choosing The Best AWS Service For Your Website + API.pptx

GenAI Pilot Implementation in the organizations

The most critical web application security risks - and how to avoid them

1. The Most Critical Web Application Security Risks - and how to avoid them

2. 1 Real World Stories

3. “Earlier this year we identified Clickjacking activity on our display network...” Wednesday, May 24, 2017 1 Clickjacking – The Risk

4. 1 Clickjacking – The Risk It’s not a video

5. Delete Account 1 Clickjacking – The Risk

6. Click Here to Play a Game Start a Game 1 Clickjacking – The Risk

7. Start a Game 1 Clickjacking – The Risk

8. Click Here to Play a Game Start a Game 1 Clickjacking – The Risk

9. 1 Clickjacking – Android

10. 1 Clickjacking – Frontend Fixing

11. Clickjacking – Backend Fixing 1

12. Language Code NodeJS res.setHeader(‘x-frame-options’,’deny’) NGINX add_header x-frame-options deny; C# HttpContext.Response.AddHeader("test", "val"); Python resp.headers[‘x-frame-options'] = ‘deny' 1 Clickjacking – Backend Fixing

13. 1 Clickjacking – Backend Fixing NGINX requires only 32 characters to fix Clickjacking security hole

14. 2 Stealing cookies from HTTPS Websites

15. 2 Bob John https://www.google.com https://www.amazon.com https://www.ebay.com Stealing cookies from HTTPS Websites

16. 2 Stealing cookies from HTTPS Websites GET HTTP://www.google.com 301 REDIRECT HTTPS://.... GET HTTPS://www.google.com

17. 2 Stealing cookies from HTTPS Websites

18. 2 S*tealing cookies from HTTPS Websites

19. 2 Stealing cookies from HTTPS Websites

20. 2 Stealing cookies from HTTPS Websites res.cookie(“user_id”,”value”,{secure:true})

21. Cross-Site Request Forgery 3

22. 3 Cross-Site Request Forgery (CSRF) Bob NETFLIX Website Attacker Website Adding a DVD to the victim's rental queue Bob Logged in to NetFlix

23. 3 Cross-Site Request Forgery (CSRF) POST HTTPS://www.netflix.com 200 OK www.attackersite.comBob

24. 4 Two factor authentication

25. 4 Two factor authentication Bob ***** 34281 One-Time CodePassword John

26. 4 Two factor authentication

27. 4 Two factor authentication Bob ***** 34281 One-Time CodePassword John

28. 4 Two factor authentication OneTimeCode = Math.random() OneTimeCode = sha256(password + iteration)

29. Now, it’s your turn 3rd party components 5 Find the security issue in the next slide

30. What are the security issues here? 3rd party components 5

31. 3rd party components 5

32. 3rd party components 5

33. Continuous integration 6 Continuous integration

34. Continuous integration 6

35. Continuous integration 6

36. Clickjacking – Backend Fixing Be sure that ALL the developers of your app know the most critical security risks. Conclusions Use CI tools that force to write a secure code Never use old version 3rd party components

37. THANKS! Any questions? You can find me on your Android notification panel • Turn on Bluetooth & Near-By Feature • aminadav@backupbox.com Conclusions

The most critical web application security risks - and how to avoid them

Recommended

Recommended

More Related Content

Similar to The most critical web application security risks - and how to avoid them

Similar to The most critical web application security risks - and how to avoid them (19)

Recently uploaded

Recently uploaded (20)

The most critical web application security risks - and how to avoid them