This document discusses web and cloud security challenges. It begins with an introduction of the speaker and their background in security research. Various web attacks like SQL injection, cross-site scripting, and remote code execution are explained. Cloud security threats from misconfigured applications and infrastructure are also examined, including real-world examples. Best practices for hardening systems and securing data in the cloud are provided. Resources for further learning about web and cloud security are listed at the end.

1. Web & Cloud Security
in the
Real World
Madhu Akula
@madhuakula

2. Madhu Akula - Profile
• Information Security Researcher
• Chapter Lead & Speaker null
• Acknowledged by US Department of
Homeland Security.
• Found bugs in Google, Microsoft,
Yahoo, Adobe … etc.
• Open Source Contributor
• Interested in Automation & DevOps
• Never ending learner !
www.madhuakula.com

3. This is for educational purpose only, I
am not responsible for any illegal
activities done by any one.

4. Let’s talk about
Social Engineering

5. My Experience !

6. Fake Emails

7. Demo

8. Data Breaches in Wild
http://www.idtheftcenter.org/ITRC-Surveys-

9. Sample Web Architecture

10. Web Security Statistics
http://www.imperva.com/docs/HII_Web_Application_Attack_Report_

11. Common Web Attacks
• Cross Site Scripting (XSS)
• SQL Injection
• Information Disclosure
• Remote Code Execution
Recent :
• Cross Site Port Attacks
• Reflected File Download
• Etc…

12. SQL Injection
• SQL Injection is one of the most used vectors
when malicious people want to create a new
botnet.
• SQL injection occurs when untrusted data is
sent to an interpreter as part of a command
• It causes attacker to take control over the
database

13. • SQL Injection Attack
• Number plate to foil an automatic license plate scanner !
• An attack which allows SQL to be executed as part of the
input

14. Bobby Tables !
https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom

15. Cross Site Scripting
• XSS flaw occurs whenever an application takes
untrusted data and sends it to a web browser
without proper validation and escaping.
• XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions,
deface web sites, or redirect user to malicious
sites.

16. Example
• One of the most in-famous example is the MySpace
Samy worm. In less than a day he got more a million
friends and MySpace had to be shutdown.
• A XSS bug occurring on the website registration page
can enable theft of registration details.
• There are many exploitation frameworks for this
vulnerability like BEEF, Xenotics, etc.

17. Information Disclosure
• Good security requires having a secure
configuration defined and deployed for the
applications, frameworks, application server,
web server, database server, and platform.

18. Example
Network Solutions were offering
wordpress installation on a shared
server. The main configuration file wp-
config.php was world readable. It
causes Mass hack of wordpress based
websites.

19. Remote Code Execution
An attacker's ability to execute any
commands of the attacker's choice on a
target machine or in a target process.

20. Recent Popular Zero Days
• Java Deserialization Vulnerability
• Venom Vulnerability
• Beast Vulnerability
• Poodle Vulnerability
• Heartbleed Vulnerability
• Shell Shock Vulnerability
• Etc
SSL
Related

21. Demo

22. Let’s talk about Cloud

24. Threats Service Provider vs On-Premise
https://www.rackspace.com/knowledge_center/whitepaper/alert-logic-state-of-cloud-security-report-

25. App Insecurity Scenario
• App has Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world readable file on the server
• Attacker reads the credentials and starts multiple large
instances to mine bitcoins
• Victim saddled with a massive bill at the end of the
month
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-

26. Infra Insecurity Scenario
• MySQL Production database is listening on external port
• Developers work directly on production database and
requires SQL Management Software
• They log in using the root user of MySQL Database
server and a simple password
• Attacker runs a bruteforce script and cracks the
password, gains full access to the database.
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-

27. Heartbleed
https://xkcd.com/1354/

31. Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, database wasn’t encrypted
when initial backups were done.
• Dev team moves to newer type SSDs and doesn’t
decommission older HDDs.
• Attacker finds older HDDs, does forensics for data
recovery and sell the data for profit.
http://www.slideshare.net/akashm/security-in-the-cloud-workshop-

32. 10 Steps for Cloud
• Enumerate all the network interfaces
• List all the running services
• Harden each service separately based on best practices.
• Secure remote access for server management(SSH,
RDP)
• Check operating system patch levels

33. • Harden networking parameters of the kernel (Linux)
• Enable a host firewall
• Do an inventory all user accounts on the server and
audit them
• Enable centralized logging
• Enable encryption on disks, storage, etc.

34. Missuses of Cloud
(Recent Attacks)
http://thehackernews.c
om/

36. Resources
• null – null.co.in
• Security Tube – securitytube.net
• OWASP – owasp.org
• CSA – cloudsecurityalliance.org
• Google – Google.com

37. My info while I answer your questions
Madhu Akula
Information Security Researcher
www.madhuakula.com
Twitter : @madhuakula
madhu.akula@hotmail.com | +91-9676865642