
"The Web Is Broken" by Bipin Upadhyay

Can be used as an introductory presentation on web security basics. It covers the ground from attacks through to prevention tips, neatly organized. http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/

The Web Is Broken
Why every feature is, in fact, a loophole!

The first matrix I designed was quite naturally, perfect. It was a work of art.
Flawless. Sublime. A triumph only equaled by its monumental failure.

Bipin Upadhyay                                   http://projectbee.org
RoadMap
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage
RoadMap…
    •    Introduction
    •    Attacks
    •    The Arsenal
    •    Breaking the Web
    •    Preventing the Breakage
Who Am I?
    • I am SpiderMan

    • Apart from that, I:
          – am a part of ADMS
          – work on WebAppSec
          – am co-author of a yet to be released book

    • I can be pinged @:
          – http://blog.projectbee.org
          – Om-[AT]-PROJectBee-[DOT]-org

Web 1.0 versus Web 2.0




"The Web Is Broken" by Bipin Upadhyay

  • 8. Fundamentals • Fundamentals, more or less, still the same
  • 9. Fundamentals… [diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database]
  • 10. Network Sec. versus Web Sec. [diagram: Attacker → Firewall/IDS/IPS → Web Server; ports 0 to 65535 shown, with 80 and 443 marked]
  • 11. Network Sec. versus Web Sec… [diagram: Victim behind Firewall/NATed IP ↔ Malicious OR Compromised Web Server; ports 0 to 65535 shown]
  • 12. How serious is the matter! • 90% of web applications have serious vulnerabilities –Gartner Group • 78% of attacks are at the web application level –Symantec • XSS and SQLI are replacing buffer overflows as the favourite hacker initiative –Mitre • 8 to 9 out of every 10 sites are vulnerable to XSS –WASC
  • 13. How serious is the matter!… [chart]
  • 14. How serious is the matter!… [chart]
  • 15. What’s @ Stake • Money • Data • Reputation • Faith/Trust • and…
  • 16. What’s @ Stake… • …
  • 17. It’s a Mythical World out there… • Myths often prevail over rationality. • Myths are often the cause of devastation.
  • 18. Myth Buster • Myth: – My developers have implemented security • Reality: – Security ain’t no feature dude! It’s a metric.
  • 19. Myth Buster… • Myth: – Security is a non-functional requirement • Reality: – By definition, yes!
  • 20. Myth Buster… • Myth: – We use blah-blah framework. We’re safe. • Reality: – Frameworks are encouraged. The human brain isn’t.
  • 21. Myth Buster… • Myth: – Java is secure by design • Reality: – Maybe! But the web isn’t… nor is the human brain.
  • 22. Myth Buster… • Myth: – SSL is secure from sniffing • Reality: – Far from it. It’s difficult for sure, though.
  • 23. Myth Buster… • Myth: – Procedures means no SQL Injection • Reality: – Not always.
  • 24. Myth Buster… • Myth: – I use a firewall. I am safe. • Reality: – So what? Your browser ports are open.
  • 25. Myth Buster… • Myth: – I use the latest antivirus and my system is patched. • Reality: – Big deal!!!
  • 26. Myth Buster… • Myth: – I browse net from inside a LAN. • Reality: – Urghhh! Browser dude, browser! Bipin Upadhyay http://projectbee.org
  • 27. Myth Buster… • Myth: – Human stupidity is infinite • Reality: – There you go! ☺ Bipin Upadhyay http://projectbee.org
  • 28. RoadMap… • Introduction • Attacks • The Arsenal • Breaking the Web • Preventing the Breakage Bipin Upadhyay http://projectbee.org
  • 29. Injection Attacks • A form of attack where the user input manipulates the underlying platform in an undesired way. • Several variants:- – SQL Injection – Command Injection – LDAP Injection – XPATH Injection – XML Injection – JSON Injection Bipin Upadhyay http://projectbee.org
  • 30. SQL Injections Bipin Upadhyay http://projectbee.org
  • 31. XSS • OWASP Top - 10 2007 #1 • Any type of user input that is reflected back to the user without being purified. • Input can be HTML, CSS, or Javascript • Two kinds --Persistent & Non-Persistent XSS Bipin Upadhyay http://projectbee.org
  • 32. XSS… • XSS attacks include, but not limited to: – Cookie Theft & Session Hijacking – Site Defacement & Phishing – Key logging – History Theft – Port Scanning – CSRF & Web Worms – DoS-ing – … limited only by imagination Bipin Upadhyay http://projectbee.org
  • 33. CSRF • Also called Unauthorized Requests. • The server is punished/exploited for trusting the user. • CSRF is, arguably, more dangerous than XSS. • Doesn’t necessarily require javascript. • OWASP Top - 10 2007 #5, (also called the Sleeping Giant) Bipin Upadhyay http://projectbee.org
  • 34. Cookie Poisoning • Cookies sometimes store confidential data • This information can be manipulated for fun and profit. e.g., price of a product on an ecommerce site Bipin Upadhyay http://projectbee.org
  • 35. HTTP Response Splitting • Attacker splits Http Response into two. • Watch out for redirection scripts using user input in response headers • CR-LF (0x0d & 0x0a) is the key to response splitting • Web/browser cache poisoning, XSS etc. attacks possible Bipin Upadhyay http://projectbee.org
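Slide 35 in working code, as an added example that is not part of the deck: the header-building pattern it warns about, beside a validator that rejects CR-LF (raw or percent-encoded) before user input reaches a Location header and confines redirects to a constructed allow-list. The host name and the helper names are assumptions.

```python
# Added example (not from the slides): a redirect built from user input, shown
# first in the vulnerable form from slide 35 and then with a check that stops
# CR-LF from reaching the Location header. The allow-list host is constructed.
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # constructed: hosts we are willing to redirect to

def naive_redirect_headers(target: str) -> bytes:
    # The pattern slide 35 warns about: user input copied straight into a header.
    # A CR-LF pair inside `target` ends the header block early.
    return (b"HTTP/1.1 302 Found\r\nLocation: " + target.encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")

def header_is_split(raw: bytes) -> bool:
    # A well-formed response has exactly one blank line terminating its headers.
    return raw.count(b"\r\n\r\n") > 1 or b"\n\n" in raw

def validate_redirect_target(target: str) -> str:
    """Return `target` unchanged if it may go into a Location header, else raise."""
    # Decode twice so %0d%0a and %250d%250a cannot smuggle a CR-LF past the check.
    decoded = unquote(unquote(target))
    if any(ch in decoded for ch in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an allow-listed host (also blocks open redirects).
        if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
            raise ValueError("redirect to a host outside the allow-list")
    elif not decoded.startswith("/") or decoded.startswith("//"):
        raise ValueError("only site-relative paths are allowed")
    return target

def is_safe_redirect_target(target: str) -> bool:
    try:
        validate_redirect_target(target)
        return True
    except ValueError:
        return False

def safe_redirect_headers(target: str) -> bytes:
    # Hardened replacement for naive_redirect_headers(): validate, then build.
    return naive_redirect_headers(validate_redirect_target(target))
```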
  • 36. Google Hacking
      • Search engines index all permissible documents inside the web tree
      • This data can be recovered using special queries:
          – site:<sitename>
          – inurl:<string>
          – intitle:<string>
          – filetype:<string>
  • 37. Scary Cracks
      • Credit Cards & Google
      • Google.com UTF-7 XSS Vulnerability
      • Yamanner
      • “Samy is my Hero” OR Samy Worm
      • Bank Of India Hack
      • GMail CSRF Vulnerability
  • 38. RoadMap…
      • Introduction
      • Attacks
      • The Arsenal
      • Breaking the Web
      • Preventing the Breakage
  • 39. The Arsenal
      • A Web browser
      • Textbox/Textarea
      • Iframe
      • TamperData/TamperIE
      • WebScarab
      • Fuzzer (Crowbar)
      • Google
  • 40. RoadMap…
      • Introduction
      • Attacks
      • The Arsenal
      • Breaking the Web
      • Preventing the Breakage
  • 41. Google Hacking
      • Search engines index anything and everything (Demo)
  • 42. Exploiting Mistakes
      • Client side validation isn’t enough (Demo)
      • “Clues in Codes/Comments” (Demo)
      • Insecure implementation of the “Forgot Password” feature (Demo)
  • 43. Exploiting Mistakes…
      • Too verbose error messages (Demo)
      • Cookies aren’t for sensitive data (Demo)
      • Brute forcing the session id (Demo)
  • 44. Exploiting Zero Days
      • URI Vulnerabilities (Demo)
  • 45. Injection Attacks
      • SQL Injections (Demo)
      • Command Injection (Demo)
      • XPATH Injection (Demo)
  • 46. XSS Family
      • XSS (Cross Site Scripting) (Demo)
      • XSS and encoding mistakes (Demo)
      • CSRF, the sleeping Giant (Demo)
  • 47. HTTP Response Splitting
      • Why is the user evil? (Demo)
  • 48. RoadMap…
      • Introduction
      • Attacks
      • The Arsenal
      • Breaking the Web
      • Preventing the Breakage
  • 49. SDLC
      • Integrate security into the SDLC: Design, Coding, Testing, Deployment
  • 50. Design Phase
      • Stick to standards
      • Encourage usage of well-proven frameworks
      • Prefer Whitelisting over Blacklisting
      • Prefer the Onion Model over the Garlic Model
  • 51. Coding Phase
      • Do NOT trust the user.
      • Do NOT rely on client side validation.
      • Prefer HttpOnly cookies to avoid cookie theft
      • Use nonces to prevent CSRF
      • Don’t just hash passwords, salt them too
      • Avoid too verbose/meaningful error messages
  • 52. Coding Phase…
      • Proper encoding can avoid most problems
      • Input Encoding
          – prefer UTF-8 and ISO-8859-1
          – refer http://ha.ckers.org/charsets.html
      • Output Encoding
          – avoid rich HTML input from the user
          – decimal encode input before displaying
          – refer OWASP_Encoding_Project
  • 53. Coding Phase…
      • Sanitize anything that comes from the user.
  • 54. Coding Phase…
      • Filter metacharacters:
          – < (%3c), > (%3e)
          – | (%7c), ` (%60)
          – & (%26), ( (%28)
          – CR LF (%0d %0a), ..
          – / (%2f), \ (%5c)
      • RegEx are your friend
      • Use Stored Procedures
      • Prefer usage of bind variables in SQL statements
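The coding-phase advice on slides 51 through 54 carried into a small register/login flow, as an added example that is not from the deck or its author: salted PBKDF2 password hashing, bind variables for the user lookup, a constant-time CSRF nonce check, an HttpOnly/Secure session cookie and HTML output encoding. The SQLite table, the "alice" account and the function names are constructed for the example.

```python
# Added example (not from the slides): slides 51-54 applied to a register/login
# flow with the standard library; the SQLite table and "alice" account are constructed.
import hashlib, hmac, html, secrets, sqlite3
from http.cookies import SimpleCookie
PBKDF2_ROUNDS = 100_000  # assumed demo cost; tune for your own hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Per-user salt plus a slow KDF (slide 51: don't just hash, salt too).
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Bind variables (slide 54): the name travels as data, never spliced into SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))

def login_ok(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False  # same answer as a wrong password: no username enumeration (slide 51)
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time compare

def csrf_ok(session_nonce: str, submitted: str) -> bool:
    # Slide 51: a nonce issued at login (e.g. secrets.token_urlsafe(32)) that every form echoes back.
    return hmac.compare_digest(session_nonce.encode(), submitted.encode())

def session_cookie_header(session_id: str) -> str:
    # HttpOnly keeps the session id away from script (slide 51); Secure keeps it off plain HTTP.
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    return c.output(header="Set-Cookie:")

def greeting_html(name: str) -> str:
    # Output encoding (slide 52): escape user text before it reaches HTML.
    return f"<p>Welcome, {html.escape(name)}</p>"

def seeded_db() -> sqlite3.Connection:
    # Constructed demo data: one account in a fresh in-memory table.
    db = open_db()
    register(db, "alice", "correct horse")
    return db
```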
  • 55. Testing Phase
      • Code Auditing:
          – OWASP
          – LAPSE plugin (Java)
          – SPI Dynamics’ DevInspect (Java & .NET), etc.
      • Web Application Scanners:
          – w3af
          – Watchfire AppScan
          – SPI Dynamics’ WebInspect, etc.
      • No substitute for an experienced human eye
  • 56. Deployment Phase
      • Keep out of the Web Tree; use robots.txt
      • Set minimal permissions
      • Keep the system patched & patched
      • Use a Web Application Firewall:
          – urlScan
          – ModSecurity
          – SecureIIS, etc.
      • …but, most importantly
  • 57. Education: Educate your developers.
  • 58. Final Words
      • www was designed for information exchange
      • Today, too much is at stake
      • Ignorance is no longer bliss
      • Take responsibility and…
  • 59. Final Words… …be prepared. “Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…” –Ronald van den Heetkamp
  • 60. …and Finally, String.fromCharCode(84,104,97,110,107,32,89,111,117,33) i.e., Thank You! ☺
  • 61. Acknowledgements
      • Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)
      • http://flickr.com
      • http://flickr.com/photos/jeanetteb1/1400824517
      • http://flickr.com/photos/jbhalper/334521840
      • http://flickr.com/photos/hondawang/566041603
      • http://flickr.com/photos/14018070@N08/1438910620
      • http://flickr.com/photos/44368636@N00/76684587
      • http://www.cyberpunkreview.com/images/matrixreloaded63.jpg
      • www.flickr.com/photos/johnengler/211482969
      • http://www.flickr.com/photos/lamkevin/458083458
      • http://www.flickr.com/photos/beavis/459281241
      • http://flickr.com/photos/briansolis/326278887
      • http://www.flickr.com/photos/focus2capture/297232107
      • http://flickr.com/photos/complexify/97303317
      • http://flickr.com/photos/amyking/142161588
      • http://xkcd.com/327/
  • 62. References
      • http://search.yahoo.com (To be safer)
      • http://0x000000.com
      • http://ha.ckers.org
      • http://sla.ckers.org
      • http://gnucitizen.com
      • XSS Attacks (Syngress Publications)
      • PenTesting for Web Applications (Wrox)
      • Hacking Exposed (Tata McGraw Hill)
      • 19 Deadly Sins of Software Security (Tata McGraw Hill)
      • OWASP & WASC
      • David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … a lot many
  • 63. Got Questions??? Shoot them