INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
AJIN ABRAHAM, SECURITY ENGINEER
#WHOAMI
▸ Security Engineering @
▸ Research on Runtime Application Self Defence
▸ Authored MobSF, Xenotix and NodeJSScan
▸ Teach Security: https://opsecx.com
▸ Blog: http://opensecurity.in
AGENDA : WHAT THE TALK IS ABOUT?
RASP
WAF
WHAT THE TALK IS NOT ABOUT?
APPSEC CHALLENGES
▸ Writing Secure Code is not Easy
▸ Most teams follow agile development strategies
▸ Frequent releases and builds
▸ Any release can introduce or reintroduce vulnerabilities
▸ Problems by design. Ex: Session Hijacking, Credential Stuffing
STATE OF WEB FRAMEWORK SECURITY
▸ Automatic CSRF Token - Anti CSRF
▸ Templates escape User Input - No XSS
▸ Uses ORM - No SQLi
You need to use secure APIs or write code to enable some of these.
Security bugs happen when people write bad code.
STATE OF WEB FRAMEWORK SECURITY
▸ Anti CSRF - Can easily be turned off or misconfigured
▸ Templates escape User Input - Just HTML Escape -> XSS
▸ https://jsfiddle.net/1c4f271c/
▸ Uses ORM - SQLi is still possible
▸ http://rails-sqli.org/
STATE OF WEB FRAMEWORK SECURITY
▸ Remote OS Command Execution - No
▸ Remote Code Injection - No
▸ Server Side Template Injection RCE - No
▸ Session Hijacking - No
▸ Verb Tampering - No
▸ File Upload Restriction - No
The list goes on…..
WE NEED TO PREVENT EXPLOITATION
LET’S USE WAF
▸ First WAF AppShield in 1999, almost 18 years of existence
▸ Quick question: How many of you run a WAF in defence/protection mode?
▸ Most organisations use them, but in monitor mode due to the high rate of false positives.
▸ Most WAFs use BLACKLISTS
CAN A WAF SOLVE THIS?
[Pie chart: 20%, 70%, 10%; legend: False Negatives, False Positive, Detection]
APPLICATION SECURITY RULE OF THUMB
Gets bypassed, today or tomorrow
WHAT WAF SEES?
ATTACK != VULNERABILITY
HOW WAF WORKS
▸ The strength of WAF is the blacklist
▸ They detect Attacks not Vulnerability
▸ WAF has no application context
▸ Doesn’t know if a vulnerability got exploited inside the app server or not.
[Diagram: GET http://xyz.com, WAF, APP SERVER; HTTP REQUEST, HTTP RESPONSE]
WAF PROBLEMS
▸ How long can they keep on building the blacklists?
▸ WAFs used to downgrade your security.
▸ No Perfect Forward Secrecy
▸ Can’t support elliptic curves like ECDHE
▸ Some started to support with a Reverse Proxy
▸ Organisations are moving to PFS (Heartbleed bug)
▸ SSL Decryption and Re-encryption Overhead
TLS 1.3 COMING SOON ….
SO WHAT’S THE IDEAL PLACE FOR SECURITY?
REQUEST
RESPONSE APP SERVER
APP SERVER CORE
SECURITY LAYER
We can do much better. It’s time to evolve
WAF -> SAST -> DAST -> IAST -> RASP
Attack Detection & Prevention/Neutralization + Precise Vulnerability Detection + Extras
Attack Detection & Prevention
Vulnerability Detection
Precise Vulnerability Detection
RUNTIME APPLICATION SELF DEFENCE
▸ Detect both Attacks and Vulnerability
▸ Zero Code Modification and Easy Integration
▸ No Hardware Requirements
▸ Apply defence inside the application
▸ Have Code Level insights
▸ Fewer False positives
▸ Inject Security at Runtime
▸ No use of Blacklists
TYPES OF RASP
▸ Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF)
▸ Dynamic Tainting - Good but performance overhead
▸ Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Specific (JVM)
▸ Code Instrumentation and Dynamic Whitelist - Good, but specific to Frameworks, Developer deployed
FOCUS OF RESEARCH
▸ Other AppSec Challenges
▸ Preventing Verb Tampering
▸ Preventing Header Injection
▸ File Upload Protection
▸ Ongoing Research
▸ Preventing Session Hijacking
▸ Preventing Layer 7 DDoS
▸ Credential Stuffing
▸ RASP by API Instrumentation and Dynamic Whitelist
▸ Securing a vulnerable Python Tornado app with Zero Code change.
▸ Code Injection Vulnerabilities
▸ Preventing SQLi
▸ Preventing RCE
▸ Preventing Stored & Reflected XSS
▸ Preventing DOM XSS
RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST
▸ MONKEY PATCHING
▸ LEXICAL ANALYSIS
▸ CONTEXT DETERMINATION
MONKEY PATCHING
▸ Also known as Runtime Hooking and Patching of functions/methods.
▸ https://jsfiddle.net/h1gves49/2/
LEXICAL ANALYSIS AND TOKEN GENERATION
▸ A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code.
▸ The lexical analyzer generates an error if it sees an invalid token.
LEXICAL ANALYSIS AND TOKEN GENERATION
INPUT: int value = 100;//value is 100
Normal Lexer
SYNTAX | TOKEN
int | KEYWORD
value | IDENTIFIER
= | OPERATOR
100 | CONSTANT
; | SYMBOL
Custom Lexer
SYNTAX | TOKEN
int | KEYWORD
(space) | WHITESPACE
value | IDENTIFIER
(space) | WHITESPACE
= | OPERATOR
(space) | WHITESPACE
100 | CONSTANT
; | SYMBOL
//value is 100 | COMMENT
CONTEXT DETERMINATION
HTML PARSER
HTML CODE
DOM TREE
PREVENTING CODE INJECTION VULNERABILITIES
Interpreter cannot distinguish between 

Code and Data
Solve that and you solve the code injection problems
PREVENTING CODE INJECTION VULNERABILITIES
▸ Preventing SQL Injection
▸ Preventing Remote OS Command Execution
▸ Preventing Stored & Reflected Cross Site Scripting
▸ Preventing DOM XSS
SQL INJECTION
SELECT * FROM <user_input>
SQL INJECTION : HOOK
SQL Execution API
cursor.execute('SELECT * FROM logs')
SQL INJECTION : LEARN
SELECT * FROM logs
SYNTAX | TOKEN
SELECT | KEYWORD
(space) | WHITESPACE
* | OPERATOR
(space) | WHITESPACE
FROM | KEYWORD
(space) | WHITESPACE
logs | STRING
SQL INJECTION : PROTECT
SELECT * FROM logs AND DROP TABLE admin
SYNTAX | TOKEN
SELECT | KEYWORD
(space) | WHITESPACE
* | OPERATOR
(space) | WHITESPACE
FROM | KEYWORD
(space) | WHITESPACE
logs | STRING
(space) | WHITESPACE
AND | KEYWORD
(space) | WHITESPACE
DROP | KEYWORD
(space) | WHITESPACE
TABLE | KEYWORD
(space) | WHITESPACE
admin | STRING
SQL INJECTION : PROTECT
KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING
Rule for Context: SELECT * FROM <user_input>
SELECT * FROM logs
SELECT * FROM history
SELECT * FROM logs AND DROP TABLE admin
KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
DEMO
REMOTE OS COMMAND INJECTION
ping -c 3 <user input>
REMOTE OS COMMAND INJECTION : HOOK
Command Execution API
os.system('ping -c 3 127.0.0.1')
REMOTE OS COMMAND INJECTION : LEARN
ping -c 3 127.0.0.1
SYNTAX | TOKEN
ping | EXECUTABLE
(space) | WHITESPACE
-c | ARGUMENT_DASH
(space) | WHITESPACE
3 | NUMBER
(space) | WHITESPACE
127.0.0.1 | IP_OR_DOMAIN
REMOTE OS COMMAND INJECTION : PROTECT
ping -c 3 127.0.0.1 & cat /etc/passwd
SYNTAX | TOKEN
ping | EXECUTABLE
(space) | WHITESPACE
-c | ARGUMENT_DASH
(space) | WHITESPACE
3 | NUMBER
(space) | WHITESPACE
127.0.0.1 | IP_OR_DOMAIN
(space) | WHITESPACE
& | SPLITTER
(space) | WHITESPACE
cat | EXECUTABLE
(space) | WHITESPACE
/etc/passwd | UNIX_PATH
REMOTE OS COMMAND INJECTION : PROTECT
EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN
Rule for Context: ping -c 3 <user_input>
ping -c 3 127.0.0.1
ping -c 3 google.com
ping -c 3 127.0.0.1 & cat /etc/passwd
EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
DEMO
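The hook, learn and protect steps from the SQL injection and OS command injection slides can be sketched as follows. This is an added example, not code from the talk or its RASP module; it assumes sqlite3 as the database driver, identifies a context by the caller's file and line, and uses simplified token rules (`SQL_SPEC`, `SHELL_SPEC`), all of which are illustrative names.

```python
import os
import re
import sqlite3
import sys

# Token classes follow the slides. Whitespace and comments stay in the stream
# (the "custom lexer"), so padding or comment tricks still change the signature.
SQL_SPEC = [
    ("COMMENT", r"--[^\n]*|/\*.*?\*/"),
    ("WHITESPACE", r"\s+"),
    ("KEYWORD", r"\b(?:SELECT|FROM|WHERE|AND|OR|UNION|DROP|TABLE|INSERT|UPDATE|DELETE)\b"),
    ("CONSTANT", r"\d+"),
    ("STRING", r"'(?:[^']|'')*'|[A-Za-z_]\w*"),
    ("OPERATOR", r"[*=<>!+\-/%|]"),
    ("SYMBOL", r"[(),;.?]"),
]
SHELL_SPEC = [
    ("SPLITTER", r"&&|\|\||[&|;\n`]|\$\("),
    ("WHITESPACE", r"\s+"),
    ("ARGUMENT_DASH", r"-{1,2}[A-Za-z][\w-]*"),
    ("UNIX_PATH", r"\.{0,2}/[^\s&|;]*"),
    ("IP_OR_DOMAIN", r"(?:\d{1,3}\.){3}\d{1,3}|(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"),
    ("NUMBER", r"\d+"),
    ("EXECUTABLE", r"[A-Za-z_][\w.-]*"),
]

def signature(spec, text):
    """Lex text and return its token classes; unrecognised characters are ERROR."""
    pattern = "|".join(f"(?P<{name}>{rx})" for name, rx in spec) + "|(?P<ERROR>.)"
    return tuple(m.lastgroup for m in re.finditer(pattern, text, re.I | re.S))

class BlockedCall(Exception):
    """Raised in protection mode when a call's structure was never learned."""

class ContextGuard:
    def __init__(self):
        self.learning = True
        self.rules = {}     # (api, call site) -> token signatures seen while learning

    def check(self, api, spec, text, site):
        sig = signature(spec, text)
        known = self.rules.setdefault((api, site), set())
        if self.learning:
            known.add(sig)
        elif sig not in known:
            raise BlockedCall(f"{api} at {site}: unexpected structure {' '.join(sig)}")

GUARD = ContextGuard()

def _call_site():
    frame = sys._getframe(2)    # 0 = this helper, 1 = the hook, 2 = application code
    return f"{os.path.basename(frame.f_code.co_filename)}:{frame.f_lineno}"

class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, parameters=()):
        GUARD.check("sql", SQL_SPEC, sql, _call_site())
        return super().execute(sql, parameters)

class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory)

_real_connect, _real_system = sqlite3.connect, os.system

def install():
    """Monkey patch the SQL and command execution APIs; app code is unchanged."""
    def connect(*args, **kwargs):
        kwargs.setdefault("factory", GuardedConnection)
        return _real_connect(*args, **kwargs)
    def system(command):
        GUARD.check("os.system", SHELL_SPEC, command, _call_site())
        return _real_system(command)
    sqlite3.connect, os.system = connect, system

def fetch(conn, table):
    # Constructed vulnerable application code: input concatenated into the query.
    return conn.cursor().execute("SELECT * FROM " + table).fetchall()

def demo():
    install()
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE logs(m); CREATE TABLE admin(m);"
                       "CREATE TABLE history(m); INSERT INTO history VALUES('ok');")
    blocked = None
    try:
        fetch(conn, "logs")                   # learning: rule recorded for this call site
        GUARD.learning = False                # switch to protection mode
        allowed = fetch(conn, "history")      # same structure, different data: passes
        try:
            fetch(conn, "logs AND DROP TABLE admin")
        except BlockedCall as exc:
            blocked = str(exc)
    finally:
        sqlite3.connect, os.system = _real_connect, _real_system   # remove the hooks
    return allowed, blocked

if __name__ == "__main__":
    print(demo())
```

Because the rule is a sequence of token classes rather than a pattern of known-bad strings, the learning phase has to see only clean traffic, which is the "should not learn the bad stuff" requirement later in the deck.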
CROSS SITE SCRIPTING
<body><h1>hello {{user_input1}} </h1></body>
<script> var x='{{user_input2}}';</script>
CROSS SITE SCRIPTING : HOOK
Template Rendering API
template.render("<body><h1>hello {{user_input1}} </h1></body><script> var x='{{user_input2}}';</script>", user_input1, user_input2)
CROSS SITE SCRIPTING : CONTEXT DETERMINATION
Parsing the DOM Tree
<body><h1>hello {{user_input1}} </h1></body>
<script> var x='{{user_input2}}';</script>
{{user_input1}}: HTML_CONTEXT
{{user_input2}}: JAVASCRIPT_VALUE_CONTEXT
CROSS SITE SCRIPTING : PROTECT
<body><h1>hello {{user_input1}} </h1></body>
<script> var x='{{user_input2}}';</script>
<body><h1>hello World </h1></body>
<script> var x='Hello World';</script>
user_input1 = "World"
user_input2 = "Hello World"
CROSS SITE SCRIPTING : PROTECT
<body><h1>hello &lt;script&gt;alert(0)&lt;/script&gt; </h1></body>
<script> var x='\';alert(0);//\x3C/script\x3E';</script>
user_input1 = "<script>alert(0)</script>"
user_input2 = "';alert(0);//</script>"
DEMO
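Context determination and context-specific encoding for the two-placeholder template above, as an added example that is not code from the talk. `render()` is a hypothetical stand-in for the hooked template rendering API, the JavaScript encoder escapes more characters than the slide's output shows, and any placeholder outside the two contexts named on the slide is refused rather than guessed at.

```python
import html
import re
from html.parser import HTMLParser

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
QUOTED = re.compile(r"""(['"])\{\{\s*(\w+)\s*\}\}\1""")   # placeholder inside a JS string


class ContextFinder(HTMLParser):
    """Parse the template and record the output context of each {{placeholder}}."""

    def __init__(self):
        super().__init__()
        self.element = None
        self.contexts = {}

    def handle_starttag(self, tag, attrs):
        self.element = tag

    def handle_endtag(self, tag):
        self.element = None

    def handle_data(self, data):
        quoted = {m.group(2) for m in QUOTED.finditer(data)}
        for name in PLACEHOLDER.findall(data):
            if self.element == "script":
                context = "JAVASCRIPT_VALUE_CONTEXT" if name in quoted else "UNSUPPORTED"
            else:
                context = "UNSUPPORTED" if self.element == "style" else "HTML_CONTEXT"
            # A name reused in two different contexts is marked MIXED and later refused.
            if self.contexts.setdefault(name, context) != context:
                self.contexts[name] = "MIXED"


def encode_js_string(value):
    """Escape for a quoted JS string: everything except ASCII alphanumerics and space."""
    return "".join(
        c if (c.isascii() and c.isalnum()) or c == " "
        else f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{{{ord(c):X}}}"
        for c in value)


ENCODERS = {"HTML_CONTEXT": html.escape, "JAVASCRIPT_VALUE_CONTEXT": encode_js_string}


def find_contexts(template):
    finder = ContextFinder()
    finder.feed(template)
    finder.close()
    return finder.contexts


def render(template, **values):
    """Hypothetical stand-in for the hooked template rendering API."""
    contexts = find_contexts(template)

    def substitute(match):
        name = match.group(1)
        encoder = ENCODERS.get(contexts.get(name))
        if encoder is None:     # attribute, comment, unquoted JS, style or mixed use
            raise ValueError(f"no safe encoder for placeholder {name!r}")
        return encoder(str(values[name]))

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed template and inputs, taken from the slides above.
    TEMPLATE = ("<body><h1>hello {{user_input1}} </h1></body>\n"
                "<script> var x='{{user_input2}}';</script>")
    print(find_contexts(TEMPLATE))
    print(render(TEMPLATE, user_input1="<script>alert(0)</script>",
                 user_input2="';alert(0);//</script>"))
```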
PREVENTING DOM XSS
https://jsfiddle.net/vno23woL/3/
▸ Inject Security into JavaScript Frameworks
▸ Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etc…
▸ DOMPurify - https://github.com/cure53/DOMPurify
▸ jPurify - https://github.com/cure53/jPurify
OTHER APPSEC CHALLENGES
▸ Preventing Verb Tampering
▸ Preventing Header Injection
▸ File Upload Protection
▸ Preventing Path Traversal
PREVENTING VERB TAMPERING
▸ WAFs blindly block TRACE and OPTIONS requests
▸ Hook HTTP Request API
▸ Learn the HTTP Verbs and Generate Whitelist
▸ Block if not in the list
DEMO
PREVENTING HEADER INJECTION
▸ Unlike WAF we don’t have to keep a blacklist of every possible encoded combination of "%0a" and "%0d"
▸ Hook HTTP Request API
▸ Look for "%0a,%0d" in HTTP Request Headers
▸ Block if Present
DEMO
FILE UPLOAD PROTECTION
▸ Classic File Upload Bypass: image.jpg.php, image.php3 etc.
▸ Hook File/IO API: io.open("/tmp/nice.jpg", 'wb')
▸ Learn file extensions to create a whitelist.
▸ Block any unknown file extensions: io.open("/tmp/nice.py", 'wb')
DEMO
PREVENTING PATH TRAVERSAL
▸ WAF Looks for
PREVENTING PATH TRAVERSAL
▸ Hook File/IO API: io.open("/read_dir/index.txt", 'rb')
▸ Learn directories and file extensions
▸ Block any unknown directories and file extensions: io.open("/read_dir/../../etc/passwd", 'rb')
DEMO
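A File/IO hook covering both the file upload and the path traversal slides, as an added example rather than the talk's own code. The names `FileGuard`, `install` and `demo` are hypothetical, paths are canonicalised with `os.path.realpath` before matching, and the sample files are constructed in a temporary directory.

```python
import builtins
import io
import os
import tempfile


class BlockedFile(Exception):
    """Raised in protection mode for a path outside the learned whitelist."""


class FileGuard:
    def __init__(self):
        self.learning = True
        self.allowed = set()     # learned (access, directory, extension) rules

    def check(self, path, mode):
        real = os.path.realpath(path)     # resolve ../ and symlinks before deciding
        access = "write" if set(mode) & set("wax+") else "read"
        rule = (access, os.path.dirname(real), os.path.splitext(real)[1].lower())
        if self.learning:
            self.allowed.add(rule)
        elif rule not in self.allowed:
            raise BlockedFile(f"{access} blocked: {real}")


FILE_GUARD = FileGuard()
_real_open = builtins.open


def install():
    """Monkey patch the File/IO API; application code keeps calling io.open()."""
    def guarded_open(file, mode="r", *args, **kwargs):
        if isinstance(file, (str, bytes, os.PathLike)):    # file descriptors pass through
            FILE_GUARD.check(os.fsdecode(file), mode)
        return _real_open(file, mode, *args, **kwargs)
    builtins.open = io.open = guarded_open


def uninstall():
    builtins.open = io.open = _real_open


def save_upload(directory, filename, data):     # constructed application code
    with io.open(os.path.join(directory, filename), "wb") as handle:
        handle.write(data)


def read_page(directory, name):                 # constructed application code
    with io.open(os.path.join(directory, name), "rb") as handle:
        return handle.read()


def demo():
    FILE_GUARD.learning, FILE_GUARD.allowed = True, set()
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        uploads, pages = os.path.join(root, "uploads"), os.path.join(root, "read_dir")
        os.mkdir(uploads)
        os.mkdir(pages)
        with open(os.path.join(pages, "index.txt"), "wb") as handle:   # before hooking
            handle.write(b"constructed sample page")
        attempts = {
            "other.jpg": lambda: save_upload(uploads, "other.jpg", b"\xff\xd8"),
            "image.jpg.php": lambda: save_upload(uploads, "image.jpg.php", b"x"),
            "traversal": lambda: read_page(pages, "../../etc/passwd"),
        }
        install()
        try:
            save_upload(uploads, "nice.jpg", b"\xff\xd8")    # learning phase
            read_page(pages, "index.txt")
            FILE_GUARD.learning = False                     # protection mode
            for label, attempt in attempts.items():
                try:
                    attempt()
                    outcomes[label] = "allowed"
                except BlockedFile:
                    outcomes[label] = "blocked"
        finally:
            uninstall()
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Only the final extension is compared, so `image.jpg.php` is judged as `.php`, and the traversal path is judged by the directory it resolves to rather than by the `../` it contains.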
ONGOING RESEARCH
▸ Preventing Session Hijacking
▸ Preventing Layer 7 DDoS
▸ Credential Stuffing
THE RASP ADVANTAGES
▸ Accurate and Precise in Vulnerability Detection & Prevention
▸ Code Level Insight (Line no, Stack trace)
▸ Not based on Heuristics - Zero/Negligible False Positives
▸ No SSL Decryption and Re-encryption overhead
▸ Doesn’t Downgrade your Security
▸ Preemptive security - Zero Day protection
▸ Zero Code Change and easy integration
pip install rasp_module
import rasp_module
BIGGEST ADVANTAGE
Now you can deploy it in protection mode
CHARACTERISTICS OF AN IDEAL RASP
▸ Ideal RASP should have minimal Performance impact
▸ Should not introduce vulnerabilities
▸ Must not consume PII of users
▸ Should not learn the bad stuff
▸ Should be a “real RASP” not a fancy WAF with Blacklist.
▸ Minimal Configuration and Easy deployment
THAT’S ALL FOLKS!
▸ Thanks to
▸ Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Lavery (Team IMMUNIO inc).
▸ Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek (Team Yodlee Security Office - YSO)
▸ Due Credits
▸ Graphics/Image Owners
@ajinabraham
ajin25@gmail.com

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Ajin Abraham
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Phishing With Data URI
Phishing With Data URIPhishing With Data URI
Phishing With Data URIAjin Abraham
 
Buffer overflow for Beginners
Buffer overflow for BeginnersBuffer overflow for Beginners
Buffer overflow for BeginnersAjin Abraham
 

More from Ajin Abraham (16)

Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Phishing With Data URI
Phishing With Data URIPhishing With Data URI
Phishing With Data URI
 
Buffer overflow for Beginners
Buffer overflow for BeginnersBuffer overflow for Beginners
Buffer overflow for Beginners
 

Recently uploaded

Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 

Recently uploaded (20)

Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 

Injecting Security into vulnerable web apps at Runtime

  • 1. SECURITY ENGINEER AJIN ABRAHAM INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
  • 2. ▸ Security Engineering @ ▸ Research on Runtime Application Self Defence ▸ Authored MobSF, Xenotix and NodeJSScan ▸ Teach Security: https://opsecx.com ▸ Blog: http://opensecurity.in #WHOAMI
  • 3. AGENDA : WHAT THE TALK IS ABOUT? RASP WAF WHAT THE TALK IS NOT ABOUT?
  • 4. APPSEC CHALLENGES ▸ Writing Secure Code is not Easy ▸ Most follow agile development strategies ▸ Frequent releases and builds ▸ Any release can introduce or reintroduce vulnerabilities ▸ Problems by design. Ex: Session Hijacking, Credential Stuffing
  • 5. STATE OF WEB FRAMEWORK SECURITY ▸ Automatic CSRF Token - Anti CSRF ▸ Templates escape User Input - No XSS ▸ Uses ORM - No SQLi You need to use secure APIs or write code to enable some of these. Security bugs happen when people write bad code.
  • 6. STATE OF WEB FRAMEWORK SECURITY ▸ Anti CSRF - Can easily be turned off/misconfigured ▸ Templates escape User Input - Just HTML Escape -> XSS ▸ https://jsfiddle.net/1c4f271c/ ▸ Uses ORM - SQLi is still possible ▸ http://rails-sqli.org/
  • 7. STATE OF WEB FRAMEWORK SECURITY ▸ Remote OS Command Execution - No ▸ Remote Code Injection - No ▸ Server Side Template Injection RCE - No ▸ Session Hijacking - No ▸ Verb Tampering - No ▸ File Upload Restriction - No The list goes on…..
  • 8. WE NEED TO PREVENT EXPLOITATION LET’S USE WAF
  • 9. CAN A WAF SOLVE THIS? ▸ First WAF AppShield in 1999, almost 18 years of existence ▸ Quick question : How many of you run a WAF in defence/protection mode? ▸ Most organisations use them, but in monitor mode due to a high rate of false positives. ▸ Most WAFs use BLACKLISTS [Pie chart, slices 20% / 70% / 10%; legend: False Negatives, False Positive, Detection]
  • 10. APPLICATION SECURITY RULE OF THUMB Gets bypassed, today or tomorrow
  • 11. WHAT WAF SEES? ATTACK != VULNERABILITY
  • 12. HOW WAF WORKS ▸ The strength of WAF is the blacklist ▸ They detect Attacks not Vulnerability ▸ WAF has no application context ▸ Doesn’t know if a vulnerability got exploited inside the app server or not. [Diagram: GET http://xyz.com, WAF, APP SERVER, HTTP REQUEST, HTTP RESPONSE]
  • 13. WAF PROBLEMS ▸ How long can they keep on building the blacklists? ▸ WAFs used to downgrade your security. ▸ No Perfect Forward Secrecy ▸ Can’t support elliptic curves like ECDHE ▸ Some started to support with a Reverse Proxy ▸ Organisations are moving to PFS (Heartbleed bug) ▸ SSL Decryption and Re-encryption Overhead
  • 14. TLS 1.3 COMING SOON ….
  • 15. SO WHAT’S THE IDEAL PLACE FOR SECURITY? REQUEST RESPONSE APP SERVER APP SERVER CORE SECURITY LAYER
  • 16. We can do much better. It’s time to evolve: WAF -> SAST -> DAST -> IAST -> RASP [Diagram labels: “Attack Detection & Prevention/Neutralization + Precise Vulnerability Detection + Extras”; “Attack Detection & Prevention”; “Vulnerability Detection”; “Precise Vulnerability Detection”]
  • 17. RUNTIME APPLICATION SELF DEFENCE ▸ Detect both Attacks and Vulnerability ▸ Zero Code Modification and Easy Integration ▸ No Hardware Requirements ▸ Apply defence inside the application ▸ Have Code Level insights ▸ Fewer False positives ▸ Inject Security at Runtime ▸ No use of Blacklists
  • 18. TYPES OF RASP ▸ Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) ▸ Dynamic Tainting - Good but performance overhead ▸ Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Specific (JVM) ▸ Code Instrumentation and Dynamic Whitelist - Good, but specific to Frameworks, Developer deployed
  • 19. FOCUS OF RESEARCH ▸ RASP by API Instrumentation and Dynamic Whitelist ▸ Securing a vulnerable Python Tornado app with Zero Code change. ▸ Code Injection Vulnerabilities ▸ Preventing SQLi ▸ Preventing RCE ▸ Preventing Stored & Reflected XSS ▸ Preventing DOM XSS ▸ Other AppSec Challenges ▸ Preventing Verb Tampering ▸ Preventing Header Injection ▸ File Upload Protection ▸ Ongoing Research ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing
  • 20. RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST ▸ MONKEY PATCHING ▸ LEXICAL ANALYSIS ▸ CONTEXT DETERMINATION
  • 21. MONKEY PATCHING ▸ Also known as Runtime Hooking and Patching of functions/methods. ▸ https://jsfiddle.net/h1gves49/2/
  • 22. LEXICAL ANALYSIS AND TOKEN GENERATION ▸ A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. ▸ Lexical analyzer generates error if it sees an invalid token.
  • 23. LEXICAL ANALYSIS AND TOKEN GENERATION INPUT: int value = 100;//value is 100 ▸ Normal Lexer (SYNTAX → TOKEN): int → KEYWORD, value → IDENTIFIER, = → OPERATOR, 100 → CONSTANT, ; → SYMBOL ▸ Custom Lexer (SYNTAX → TOKEN): int → KEYWORD, WHITESPACE, value → IDENTIFIER, WHITESPACE, = → OPERATOR, WHITESPACE, 100 → CONSTANT, ; → SYMBOL, //value is 100 → COMMENT
  • 25. PREVENTING CODE INJECTION VULNERABILITIES Interpreter cannot distinguish between Code and Data. Solve that and you solve the code injection problems.
  • 26. PREVENTING CODE INJECTION VULNERABILITIES ▸ Preventing SQL Injection ▸ Preventing Remote OS Command Execution ▸ Preventing Stored & Reflected Cross Site Scripting ▸ Preventing DOM XSS
  • 27. SQL INJECTION SELECT * FROM <user_input>
  • 28. SQL INJECTION : HOOK SQL Execution API cursor.execute('SELECT * FROM logs')
  • 29. SQL INJECTION : LEARN SELECT * FROM logs (SYNTAX → TOKEN): SELECT → KEYWORD, WHITESPACE, * → OPERATOR, WHITESPACE, FROM → KEYWORD, WHITESPACE, logs → STRING
  • 30. SQL INJECTION : PROTECT SELECT * FROM logs AND DROP TABLE admin (SYNTAX → TOKEN): SELECT → KEYWORD, WHITESPACE, * → OPERATOR, WHITESPACE, FROM → KEYWORD, WHITESPACE, logs → STRING, WHITESPACE, AND → KEYWORD, WHITESPACE, DROP → KEYWORD, WHITESPACE, TABLE → KEYWORD, WHITESPACE, admin → STRING
  • 31. SQL INJECTION : PROTECT Rule for Context: SELECT * FROM <user_input> ▸ SELECT * FROM logs and SELECT * FROM history: KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING ▸ SELECT * FROM logs AND DROP TABLE admin: KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
  • 32. DEMO
  • 33. REMOTE OS COMMAND INJECTION ping -c 3 <user input>
  • 34. REMOTE OS COMMAND INJECTION : HOOK Command Execution API os.system('ping -c 3 127.0.0.1')
  • 35. REMOTE OS COMMAND INJECTION : LEARN ping -c 3 127.0.0.1 (SYNTAX → TOKEN): ping → EXECUTABLE, WHITESPACE, -c → ARGUMENT_DASH, WHITESPACE, 3 → NUMBER, WHITESPACE, 127.0.0.1 → IP_OR_DOMAIN
  • 36. REMOTE OS COMMAND INJECTION : PROTECT ping -c 3 127.0.0.1 & cat /etc/passwd (SYNTAX → TOKEN): ping → EXECUTABLE, WHITESPACE, -c → ARGUMENT_DASH, WHITESPACE, 3 → NUMBER, WHITESPACE, 127.0.0.1 → IP_OR_DOMAIN, WHITESPACE, & → SPLITTER, WHITESPACE, cat → EXECUTABLE, WHITESPACE, /etc/passwd → UNIX_PATH
  • 37. REMOTE OS COMMAND INJECTION : PROTECT Rule for Context: ping -c 3 <user_input> ▸ ping -c 3 127.0.0.1 and ping -c 3 google.com: EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN ▸ ping -c 3 127.0.0.1 & cat /etc/passwd: EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
  • 38. DEMO
  • 39. CROSS SITE SCRIPTING <body><h1>hello {{user_input1}} </h1></body> <script> var x='{{user_input2}}';</script>
  • 40. CROSS SITE SCRIPTING : HOOK Template Rendering API template.render("<body><h1>hello {{user_input1}} </h1></body><script> var x='{{user_input2}}';</script>", user_input1, user_input2)
  • 41. CROSS SITE SCRIPTING : CONTEXT DETERMINATION Parsing the DOM Tree <body><h1>hello {{user_input1}} </h1></body><script> var x='{{user_input2}}';</script> ▸ {{user_input1}}: HTML_CONTEXT ▸ {{user_input2}}: JAVASCRIPT_VALUE_CONTEXT
  • 42. CROSS SITE SCRIPTING : PROTECT Template: <body><h1>hello {{user_input1}} </h1></body> <script> var x='{{user_input2}}';</script> Input: user_input1 = "World", user_input2 = "Hello World" Output: <body><h1>hello World </h1></body> <script> var x='Hello World';</script>
  • 43. CROSS SITE SCRIPTING : PROTECT Input: user_input1 = "<script>alert(0)</script>", user_input2 = "';alert(0);//</script>" Output: <body><h1>hello &lt;script&gt;alert(0)&lt;/script&gt; </h1></body> <script> var x='\';alert(0);//\x3C/script\x3E';</script>
  • 44. DEMO
  • 45. PREVENTING DOM XSS https://jsfiddle.net/vno23woL/3/ ▸ Inject Security into JavaScript Frameworks ▸ Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etc… ▸ DOMPurify - https://github.com/cure53/DOMPurify ▸ jPurify - https://github.com/cure53/jPurify
  • 46. OTHER APPSEC CHALLENGES ▸ Preventing Verb Tampering ▸ Preventing Header Injection ▸ File Upload Protection ▸ Preventing Path Traversal
  • 47. PREVENTING VERB TAMPERING ▸ WAFs blindly block TRACE and OPTIONS requests ▸ Hook HTTP Request API ▸ Learn the HTTP Verbs and Generate Whitelist ▸ Block if not in the list DEMO
  • 48. PREVENTING HEADER INJECTION ▸ Unlike WAF we don’t have to keep a blacklist of every possible encoded combination of “%0a” and “%0d” ▸ Hook HTTP Request API ▸ Look for “%0a,%0d” in HTTP Request Headers ▸ Block if Present DEMO
  • 49. FILE UPLOAD PROTECTION ▸ Classic File Upload Bypass: image.jpg.php, image.php3 etc. ▸ Hook File/IO API: io.open("/tmp/nice.jpg", 'wb') ▸ Learn file extensions to create a whitelist. ▸ Block any unknown file extensions: io.open("/tmp/nice.py", 'wb') DEMO
  • 51. PREVENTING PATH TRAVERSAL ▸ Hook File/IO API: io.open("/read_dir/index.txt", 'rb') ▸ Learn directories and file extensions ▸ Block any unknown directories and file extensions: io.open("/read_dir/../../etc/passwd", 'rb') DEMO
  • 52. ONGOING RESEARCH ▸ Preventing Session Hijacking ▸ Preventing Layer 7 DDoS ▸ Credential Stuffing
  • 53. THE RASP ADVANTAGES ▸ Accurate and Precise in Vulnerability Detection & Prevention ▸ Code Level Insight (Line no, Stack trace) ▸ Not based on Heuristics - Zero/Negligible False Positives ▸ No SSL Decryption and Re-encryption overhead ▸ Doesn’t Downgrade your Security ▸ Preemptive security - Zero Day protection ▸ Zero Code Change and easy integration: pip install rasp_module, then import rasp_module
  • 54. BIGGEST ADVANTAGE Now you can deploy it in protection mode
  • 55. CHARACTERISTICS OF AN IDEAL RASP ▸ Ideal RASP should have minimal Performance impact ▸ Should not introduce vulnerabilities ▸ Must not consume PII of users ▸ Should not learn the bad stuff ▸ Should be a “real RASP” not a fancy WAF with Blacklist. ▸ Minimal Configuration and Easy deployment
  • 56. THAT’S ALL FOLKS! ▸ Thanks to ▸ Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Lavery (Team IMMUNIO inc). ▸ Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek (Team Yodlee Security Office - YSO) ▸ Due Credits ▸ Graphics/Image Owners @ajinabraham ajin25@gmail.com
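
The hook, learn and protect steps of slides 28 to 31, as an added example; it is not the talk's code and not the `rasp_module` named on slide 53. It assumes `sqlite3` as the driver and a small regex lexer, keys each learned rule by call site (file, function, line), and `ContextGuard`, `GuardedCursor`, `install` and `list_rows` are hypothetical names.

```python
import re
import sqlite3
import sys

# Token classes named as on slides 29-31; the regex lexer itself is an assumption.
TOKEN_SPEC = [
    ("COMMENT", r"--[^\n]*|/\*.*?\*/"),
    ("WHITESPACE", r"\s+"),
    ("KEYWORD", r"\b(?:SELECT|FROM|WHERE|AND|OR|UNION|DROP|TABLE|INSERT|INTO|"
                r"VALUES|UPDATE|SET|DELETE)\b"),
    ("NUMBER", r"\d+"),
    ("QUOTED", r"'(?:[^']|'')*'"),
    ("STRING", r"[A-Za-z_][A-Za-z0-9_]*"),
    ("OPERATOR", r"[*=<>!+\-/%]+"),
    ("SYMBOL", r"[(),;.]"),
]
LEXER = re.compile(
    "|".join(f"(?P<{name}>{pat})" for name, pat in TOKEN_SPEC) + "|(?P<INVALID>.)",
    re.IGNORECASE | re.DOTALL,
)


def signature(sql):
    """Token-type sequence of a query; whitespace and comments stay as tokens."""
    return tuple(m.lastgroup for m in LEXER.finditer(sql))


class BlockedQuery(PermissionError):
    pass


class ContextGuard:
    def __init__(self):
        self.mode = "learn"
        self.allowed = {}  # call site -> set of learned signatures

    def check(self, sql, site):
        sig = signature(sql)
        if self.mode == "learn":
            self.allowed.setdefault(site, set()).add(sig)
        elif sig not in self.allowed.get(site, ()):
            # Fail closed: unknown call sites and unknown shapes are both refused.
            raise BlockedQuery(f"token sequence not learned for {site}")


GUARD = ContextGuard()


class GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, parameters=()):
        caller = sys._getframe(1)  # the application frame that issued the query
        site = (caller.f_code.co_filename, caller.f_code.co_name, caller.f_lineno)
        GUARD.check(sql, site)
        return super().execute(sql, parameters)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


_real_connect = sqlite3.connect


def install():
    """Monkey patch sqlite3.connect so every new connection hands out guarded cursors."""
    def connect(*args, **kwargs):
        kwargs.setdefault("factory", GuardedConnection)
        return _real_connect(*args, **kwargs)
    sqlite3.connect = connect


def list_rows(conn, table):
    # Unmodified, injectable application code: SELECT * FROM <user_input>
    return conn.cursor().execute("SELECT * FROM " + table).fetchall()


def demo():
    install()
    conn = sqlite3.connect(":memory:")
    # Constructed sample data; executescript is not hooked in this sketch.
    conn.executescript("CREATE TABLE logs(msg); CREATE TABLE history(msg);"
                       "CREATE TABLE admin(pw); INSERT INTO history VALUES('old');")
    GUARD.mode = "learn"
    list_rows(conn, "logs")
    GUARD.mode = "protect"
    rows = list_rows(conn, "history")  # same token sequence, so it is allowed
    try:
        list_rows(conn, "logs AND DROP TABLE admin")  # input from slide 30
        blocked = False
    except BlockedQuery:
        blocked = True
    return rows, blocked


if __name__ == "__main__":
    print(demo())
```

Whatever reaches the hook during the learn phase becomes allowed later, so learning has to run on trusted traffic only (slide 55: "Should not learn the bad stuff").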