[Mrs. Roberts receives a call from her son's school.]
Caller: Hi, this is your son's school. We're having some computer trouble.
Mrs. Roberts: Oh, dear - did he break something?
Caller: In a way –
Caller: Did you really name your son Robert'); DROP TABLE Students;-- ?
Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
Caller: Well, we've lost this year's student records. I hope you're happy.
Mrs. Roberts: And I hope you've learned to sanitize your database inputs.
XSS, Command Injection, Security Misconfiguration
Web & Cloud Security in the real world
Web & Cloud Security
Madhu Akula - Profile
• Information Security Researcher
• Chapter Lead & Speaker
• Acknowledged by US Department of
• Found bugs in Google, Microsoft, Yahoo, Adobe, etc.
• Open Source Contributor
• Interested in Automation & DevOps
• Never-ending learner!
This is for educational purposes only; I am not responsible for any illegal activities done by anyone.
Web Security Statistics
Common Web Attacks
• Cross Site Scripting (XSS)
• SQL Injection
• Information Disclosure
• Remote Code Execution
• Cross Site Port Attacks
• Reflected File Download
• SQL Injection is one of the most used vectors when malicious people want to create a new
• SQL injection occurs when untrusted data is sent to an interpreter as part of a command.
• It allows the attacker to take control over the
• SQL Injection Attack
• Number plate to foil an automatic license plate scanner!
• An attack which allows SQL to be executed as part of the
Bobby Tables!
Cross Site Scripting
• An XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
• XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious
• One of the most infamous examples is the MySpace Samy worm. In less than a day it gained more than a million friends, and MySpace had to be shut down.
• An XSS bug on the website registration page can enable theft of registration details.
• There are many exploitation frameworks for this vulnerability, like BeEF, Xenotix, etc.
• Good security requires having a secure configuration defined and deployed for the applications, frameworks, application server, web server, database server, and platform.
Network Solutions was offering WordPress installation on a shared server. The main configuration file wp-config.php was world-readable. This caused a mass hack of WordPress-based
Remote Code Execution
An attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.
Recent Popular Zero Days
• Java Deserialization Vulnerability
• Venom Vulnerability
• BEAST Vulnerability
• POODLE Vulnerability
• Heartbleed Vulnerability
• Shellshock Vulnerability
Threats: Service Provider vs On-Premise
App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim saddled with a massive bill at the end of the
Infra Insecurity Scenario
• MySQL production database is listening on an external port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute-force script, cracks the password, and gains full access to the database.
Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when initial backups were done.
• Dev team moves to newer SSDs and doesn't decommission the older HDDs.
• Attacker finds the older HDDs, does forensic data recovery and sells the data for profit.
10 Steps for Cloud
• Enumerate all the network interfaces
• List all the running services
• Harden each service separately based on best practices.
• Secure remote access for server management (SSH,
• Check operating system patch levels
• Harden networking parameters of the kernel (Linux)
• Enable a host firewall
• Do an inventory of all user accounts on the server and
• Enable centralized logging
• Enable encryption on disks, storage, etc.
Misuses of Cloud