Web Application Security: The Land that Information Security Forgot

Jeremiah Grossman, Founder & CEO (Undisclosed)
Copyright 2001 WhiteHat Security. All Rights Reserved.

Slide outline (titles only):

1. Web Application Security: The Land that Information Security Forgot (title slide)
2. Topics
3. Topics (continued)
4. But Why!?
5. How much easier can it get!? Oh right. Unicode
6. Web Application: The Simple Definition
7. Web Security Layers
8. The Implementation
   E-Commerce: Shopping, Auctions, Banking, Stock Trading
   Just Plain Crazy: Printers, PDAs, Cell Phones, System Configuration, .NET/Passport
9. Firewall
10. (untitled)
11. Common Web Application Security Mistakes
12. Trusting Client-Side Data
13. Trusting Client-Side Data (continued)
14. Trusting Client-Side Data (continued)
15. Unescaped Special Characters
16. HTML Character Filtering
17. More mistakes…
18. Information & Discovery
19. Spidering/Site Crawling
    Tools: WGET http://www.gnu.org/software/wget/wget.html
20. Identifiable Characteristics
21. Error and Response Codes
22. File/Application Enumeration
23. File/Application Enumeration (continued)
24. Network Reconnaissance
25. Input Manipulation: Parameter Tampering, "Twiddling Bits."
26. Cross-Site Scripting: Bad name given to a dangerous security issue
27. Client-Side Scripting Languages
28. Accessing the DOM & Outside the DOM
29. Authentication/Authorization: “Hand in the cookie jar.”
30. The Scenarios
31. CSS Danger: “The Remote Launch Pad.”
32. Dangerous HTML: “HTML Bad”
33. Dangerous Attributes: “Attributes Bad”
34. Filter Bypassing: "JavaScript is a Cockroach"
35. Testing the Filters
36. SCRIPT TAG
37. SRCing JavaScript Protocol
38. SRCing JavaScript Protocol w/ HTML Entities
39. AND CURLY
40. Style Tag Conversion
41. Using CSS
42. Using CSS (continued)
43. Twiddling Bits
44. Power of the Semi-Colon: piping input to the command line.
45. Power of Special Characters: piping input to the command line.
46. Power of the Dots and Slashes: piping input to the command line.
47. More Filter Bypassing
48. More bits…
49. System Mis-Configurations: “patches, patches, and more patches…”
50. Other Dirty Tricks: “Abuse can be far more time consuming, costly and dangerous”
51. Other Dirty Tricks (continued)
52. Thank You BlackHat and Attendees. Questions?