SlideShare a Scribd company logo

[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla

DevDay.org
DevDay.org

The document discusses web security and tools for assessing vulnerabilities. It covers the top 10 vulnerabilities according to OWASP, including code injection, broken authentication, sensitive data exposure, and more. Examples of each vulnerability are provided. Open source tools for scanning websites for vulnerabilities are also introduced, such as VEGA, OpenVAS, and the Zed Attack Proxy (ZAP). ZAP is highlighted for its features like being open source, easy to use, free, and actively developed by an international team.

Technology
1 of 41
Securing the Web 4.14.2018 Sumanth Damarla Tech Speaker, Mozilla
Importance of Web Security
CEOs worrying about security’s impact on company growth Source: Global State of Information Security Survey 61% 1400 CEOs 83 Countries
OWASP TOP 10 2017 Source: Imperva blog.
Code Injection
Example The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; In this case, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
• Information leakage • Disclosure of data • Manipulation of stored data • Bypassing authorisation controls Hacker Goals
Broken Authentication
Example Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii An authenticated user of the site wants to let his friends know about the sale. He emails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
• Undermined authorization and accountability controls. • Cause privacy violation. • Identity theft. Hacker Goals Source: Placeholder text. Delete this box if source is not needed
Sensitive Data Exposure
Example Scenario #1: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
XML External Entities
Example Scenario #1: An attacker probes the server's private network by changing the above ENTITY line to: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]> <foo>&xxe;</foo> Response: HTTP/1.0 200 OK Hello, I'm a file on the local network (behind the firewall)
Scenario #2: An attacker attempts a denial-of-service attack by including a potentially endless file: POST http://example.com/xml HTTP/1.1 <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World "> <!ENTITY t1 "&bar;&bar;"> <!ENTITY t2 "&t1;&t1;&t1;&t1;"> <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]> <foo> Hello &t3; </foo>
Response: HTTP/1.0 200 OK Hello World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World
Broken Access Control
Example Scenario #1: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page. http://example.com/app/getappInfo http://example.com/app/admin_getappInfo
Security Misconfiguration
Example Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
Cross Site Scripting (XSS)
• Cookie stealing • Alert pop-up on page • Redirecting to another website/page/phishing site • Executing browser exploits Hacker Goals Source: Placeholder text. Delete this box if source is not needed
Insecure Deserialization
Example Scenario #1: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state: a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";} An attacker changes the serialized object to give themselves admin privileges: a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
Using Components with Known Vulnerabilities
HEARTBLEED
Insufficient Logging&Monitoring
Example Scenario #1: An open source project forum software run by a small team was hacked using a flaw in its software. The attackers managed to wipe out the internal source code repository containing the next version, and all of the forum contents. Although source could be recovered, the lack of monitoring, logging or alerting led to a far worse breach. The forum software project is no longer active as a result of this issue.
Open Web App Security Tools
VEGA Vulnerability Scanner
• Cross Site Scripting (XSS) • SQL Injection • Directory Traversal • URL Injection • Error Detection • File Uploads • Sensitive Data Discovery Modules used in VEGA
Open Vulnerability Assessment System (OpenVAS)
Zed Attack Proxy(ZAP)
ZAP Features • Open source Cross platform • Easy to install (just requires java 1.7) • Completely free (no paid for 'Pro' version) • Ease of use a priority • Comprehensive help pages • Fully internationalized Translated into a dozen languages • Community based, with involvement actively encouraged • Under active development by an international team of volunteers
ZAP Functionality • Intercepting Proxy • Traditional and AJAX spiders • Automated scanner • Passive scanner • Forced browsing • Fuzzer • Dynamic SSL certificates • Smartcard and Client Digital Certificates support
• Web sockets support • Support for a wide range of scripting languages • Plug-n-Hack support • Authentication and session support • Powerful REST based API • Automatic updating option • Integrated and growing marketplace of add-ons
Thank You @Sumanth_Damarla

Recommended

[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...DevDay.org
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 

Recommended

[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...DevDay.org
 
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...DevDay.org
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NETDaniel Krasnokucki
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko
 

More Related Content

What's hot

OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksAndre Van Klaveren
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 

What's hot (20)

OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen Lombardo
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 

Similar to [DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla

Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_pptNarayanan
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptxAlmaOraevi
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 

Similar to [DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla (20)

Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 

More from DevDay.org

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at WizelineDevDay.org
 
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...DevDay.org
 
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...DevDay.org
 
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at WizelineDevDay.org
 
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...DevDay.org
 
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...DevDay.org
 
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...DevDay.org
 
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...DevDay.org
 
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...DevDay.org
 
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...DevDay.org
 
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMSDevDay.org
 
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...DevDay.org
 
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...DevDay.org
 
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...DevDay.org
 
[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...DevDay.org
 
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...DevDay.org
 
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...DevDay.org
 
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...DevDay.org
 
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...DevDay.org
 
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IODevDay.org
 

More from DevDay.org (20)

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
 
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
 
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
 
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
 
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
 
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
 
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
 
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
 
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
 
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
 
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
 
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
 
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
 
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
 
[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...
 
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
 
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
 
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
 
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
 
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
 

Recently uploaded

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla

  • 1. Securing the Web 4.14.2018 Sumanth Damarla Tech Speaker, Mozilla
  • 2. Importance of Web Security
  • 3. CEOs worrying about security’s impact on company growth Source: Global State of Information Security Survey 61% 1400 CEOs 83 Countries
  • 4. OWASP TOP 10 2017 Source: Imperva blog.
  • 6. Example The application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; In this case, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example: http://example.com/app/accountView?id=' or '1'='1 This changes the meaning of query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
  • 7.
  • 8. • Information leakage • Disclosure of data • Manipulation of stored data • Bypassing authorisation controls Hacker Goals
  • 10. Example Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii An authenticated user of the site wants to let his friends know about the sale. He emails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
  • 11.
  • 12. • Undermined authorization and accountability controls. • Cause privacy violation. • Identity theft. Hacker Goals Source: Placeholder text. Delete this box if source is not needed
  • 14. Example Scenario #1: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
  • 16. Example Scenario #1: An attacker probes the server's private network by changing the above ENTITY line to: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://192.168.0.1/secret.txt">]> <foo>&xxe;</foo> Response: HTTP/1.0 200 OK Hello, I'm a file on the local network (behind the firewall)
  • 17. Scenario #2: An attacker attempts a denial-of-service attack by including a potentially endless file: POST http://example.com/xml HTTP/1.1 <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World "> <!ENTITY t1 "&bar;&bar;"> <!ENTITY t2 "&t1;&t1;&t1;&t1;"> <!ENTITY t3 "&t2;&t2;&t2;&t2;&t2;"> ]> <foo> Hello &t3; </foo>
  • 18. Response: HTTP/1.0 200 OK Hello World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World World
  • 20. Example Scenario #1: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page. http://example.com/app/getappInfo http://example.com/app/admin_getappInfo
  • 22. Example Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
  • 24.
  • 25. • Cookie stealing • Alert pop-up on page • Redirecting to another website/page/phishing site • Executing browser exploits Hacker Goals Source: Placeholder text. Delete this box if source is not needed
  • 27. Example Scenario #1: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state: a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";} An attacker changes the serialized object to give themselves admin privileges: a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
  • 28. Using Components with Known Vulnerabilities
  • 31. Example Scenario #1: An open source project forum software run by a small team was hacked using a flaw in its software. The attackers managed to wipe out the internal source code repository containing the next version, and all of the forum contents. Although source could be recovered, the lack of monitoring, logging or alerting led to a far worse breach. The forum software project is no longer active as a result of this issue.
  • 32. Open Web App Security Tools
  • 34. • Cross Site Scripting (XSS) • SQL Injection • Directory Traversal • URL Injection • Error Detection • File Uploads • Sensitive Data Discovery Modules used in VEGA
  • 35. Open Vulnerability Assessment System (OpenVAS)
  • 37. ZAP Features • Open source Cross platform • Easy to install (just requires java 1.7) • Completely free (no paid for 'Pro' version) • Ease of use a priority • Comprehensive help pages • Fully internationalized Translated into a dozen languages • Community based, with involvement actively encouraged • Under active development by an international team of volunteers
  • 38. ZAP Functionality • Intercepting Proxy • Traditional and AJAX spiders • Automated scanner • Passive scanner • Forced browsing • Fuzzer • Dynamic SSL certificates • Smartcard and Client Digital Certificates support
  • 39. • Web sockets support • Support for a wide range of scripting languages • Plug-n-Hack support • Authentication and session support • Powerful REST based API • Automatic updating option • Integrated and growing marketplace of add-ons
  • 40.