
Web application security

  1. Web Application Security: Firewalls will not be able to protect you
     Akash Mahajan, Chapter Lead for null Bangalore
  2. What should keep you up at night
     • 95% of attacks are against "Web Servers and Web Applications", aka websites
     • The top 3 verticals compromised were Financial Services, Hospitality and Retail
     • More than 60% of attacks were caused by external agents
     • The primary attack vector was SQL Injection, used to install customized malware
     • Injection attacks are the #1 critical flaw in applications
     Sources: Verizon DBIR 2010, Whitehat Sec Statistics, OWASP Top 10 2010
  3. Web App Attacks
     • SQL Injection Attacks
     • A number plate crafted to foil an automatic license plate scanner!
     • An attack which allows SQL to be executed as part of the input
  4. Web App Attacks
     • Bobby Tables!
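Slides 3 and 4 describe the flaw in one sentence: user input ends up executed as SQL. The following added example (not from the slides; the table, user names and the `lookup_*` functions are constructed for illustration) shows a lookup built by string concatenation next to the same lookup with a bound parameter, so you can see that the parameterized version treats the very same input as a plain value.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table standing in for
    # a real application database (assumption, not taken from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The input is pasted into the SQL text, so any SQL syntax in the input
    # becomes part of the statement: this is the flaw the slides describe.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    # A bound parameter is always handled as a value, never parsed as SQL,
    # so the same input can only ever be compared against a literal name.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR 'a'='a"  # constructed input containing SQL syntax
    print(lookup_vulnerable(conn, "alice"))      # ['alice']
    print(lookup_vulnerable(conn, crafted))      # ['alice', 'bob']: input rewrote the WHERE clause
    print(lookup_parameterized(conn, crafted))   # []: input was compared as a plain string
```

The log-mining step from the Solutions slide pays off here: a WHERE clause that suddenly matches every row is exactly the kind of anomaly worth alerting on.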
  5. Web App Attacks
     • XSS was used to get root on a server in April 2010
     • A popular shopping website that used to sell only books and now sells other stuff as well
     • That inner window is an iframe injected through a simple search request
     Picture courtesy of the null Keeda Vulnerability Database
  6. Other Critical Flaws/Attacks
     • Cross Site Request Forgery
       ◦ Attacks the user of the application
     • Clickjacking
       ◦ Facebook Like attack
     • Security Misconfigurations
       ◦ Default passwords in DSL routers
     • Insecure Cryptographic Storage
       ◦ Apache attack
     • Tiny URLs
       ◦ Employees trust and click on anything!
  7. Solutions/Mitigations
     • Training in secure coding for developers
     • Code reviews by competent security folks
     • Regular mining of web server logs
     • An application security practice
     • Awareness about new attacks
     • Set up a red team in the company
  8. About null
     • null, the Indian Open Security Community
     • Registered non-profit society
     • 5 active chapters in India
     • We conduct monthly meetings, regular awareness camps and trainings
     • More than 1000 security professionals and enthusiasts in the group
     • null Keeda Vulnerability Database
  9. Akash Mahajan
     • Chapter Lead of null Bangalore
     • Web Security Consultant
     • I hack, test and secure web apps and servers
     • Help companies become secure on the AWS cloud
     • Website:
     • Email:
     • Twitter: @makash
     • LinkedIn: