SlideShare a Scribd company logo

Web Application Security | A developer's perspective - Insecure Direct Object References

Download as PPTX, PDF
n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore Feb 2014 meet Author: Vamsi Krishna

Technology
1 of 7
Web Application Security - The pitfalls and the brick walls A DEVELOPER’S PERSPECTIVE – INSECURE DIRECT OBJECT REFERENCES
What exactly is it about ?  Authentication and authorization  Insecure Direct Object References  Why does it happen ?  How to fix ?
Authentication - Who are you ?  Authentication is the process of identifying you.  It’s the first step in securing any application or a system.  Usual process follows by the user explicitly telling the system who he is by providing his login credentials
Authorization – What are you ?  Authorization is the process of identifying what permissions the authenticated user has in the current system  Obviously, it starts after authentication  Authorization is usually initiated by the system/application on behalf of a authenticated user, by fetching his permission set from a data store
Insecure Direct Object References  It’s a design flaw, where the system designer/developer expects the user to follow the rules set by the system, without any infrastructure to protect sensitive assets and data, when the user does not go by the rules  This vulnerability is usually exploited by an already authenticated user with some level of access to the system  An authenticated user may exploit a vulnerable system to access sensitive data by changing the parameters passed to the server, to the one’s he is trying to access
Why does it happen ?  A thought process generally referred to as Security through obscurity  Fear of cost involved in authorizing the user on every request  General lack of awareness and oversight
How to fix this ?  Authorization checks for every request by the user  Using cryptographic hashes like MD5 to prevent data manipulation by user

Recommended

Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Microsoft Enterprise Communications Event
Microsoft Enterprise Communications EventMicrosoft Enterprise Communications Event
Microsoft Enterprise Communications Eventheathermcgough
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentationEzhilan Elangovan (Eril)
 
Electronic health records
Electronic health recordsElectronic health records
Electronic health recordsAnurag Deb
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 

Recommended

Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Microsoft Enterprise Communications Event
Microsoft Enterprise Communications EventMicrosoft Enterprise Communications Event
Microsoft Enterprise Communications Eventheathermcgough
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentationEzhilan Elangovan (Eril)
 
Electronic health records
Electronic health recordsElectronic health records
Electronic health recordsAnurag Deb
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Secure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior
 
Secure Software
Secure SoftwareSecure Software
Secure SoftwareBhavya Siddappa
 
Uses , misuses and risk of software
Uses , misuses and risk of softwareUses , misuses and risk of software
Uses , misuses and risk of softwareAbdulJabbar459
 
Security testing
Security testingSecurity testing
Security testingPrecise Testing Solution
 
Uses,mis uses and risk of software
Uses,mis uses and risk of softwareUses,mis uses and risk of software
Uses,mis uses and risk of softwareAHSSAN AKHTAR
 
2019resume
2019resume2019resume
2019resumeJeremiahLanier
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Web application security - Emstell Technology Consulting
Web application security - Emstell Technology ConsultingWeb application security - Emstell Technology Consulting
Web application security - Emstell Technology ConsultingAyoob Kalathingal
 
Slides
SlidesSlides
SlidesFungayi Makoni
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Web application vulnerability upload
Web application vulnerability uploadWeb application vulnerability upload
Web application vulnerability uploadSaidah Manan
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Web app presentation
Web app presentationWeb app presentation
Web app presentationzahid6
 
Services and Products
Services and ProductsServices and Products
Services and ProductsTechnecessities
 
Vulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control SystemVulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control SystemCentextech
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Controlfrancisdinha
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Web application testing
Web application testing Web application testing
Web application testing Nora Alriyes
 
Signature Enterprise
Signature EnterpriseSignature Enterprise
Signature EnterpriseBioslimdisk
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Owasp Au Rev4
Owasp Au Rev4Owasp Au Rev4
Owasp Au Rev4sumsid1234
 

More Related Content

What's hot

Secure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior
 
Uses , misuses and risk of software
Uses , misuses and risk of softwareUses , misuses and risk of software
Uses , misuses and risk of softwareAbdulJabbar459
 
Uses,mis uses and risk of software
Uses,mis uses and risk of softwareUses,mis uses and risk of software
Uses,mis uses and risk of softwareAHSSAN AKHTAR
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Web application security - Emstell Technology Consulting
Web application security - Emstell Technology ConsultingWeb application security - Emstell Technology Consulting
Web application security - Emstell Technology ConsultingAyoob Kalathingal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Web application vulnerability upload
Web application vulnerability uploadWeb application vulnerability upload
Web application vulnerability uploadSaidah Manan
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Web app presentation
Web app presentationWeb app presentation
Web app presentationzahid6
 
Vulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control SystemVulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control SystemCentextech
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Controlfrancisdinha
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Web application testing
Web application testing Web application testing
Web application testing Nora Alriyes
 
Signature Enterprise
Signature EnterpriseSignature Enterprise
Signature EnterpriseBioslimdisk
 

What's hot (20)

Secure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior - Fail securely
Secure Code Warrior - Fail securely
 
Secure Software
Secure SoftwareSecure Software
Secure Software
 
Uses , misuses and risk of software
Uses , misuses and risk of softwareUses , misuses and risk of software
Uses , misuses and risk of software
 
Security testing
Security testingSecurity testing
Security testing
 
Uses,mis uses and risk of software
Uses,mis uses and risk of softwareUses,mis uses and risk of software
Uses,mis uses and risk of software
 
2019resume
2019resume2019resume
2019resume
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Web application security - Emstell Technology Consulting
Web application security - Emstell Technology ConsultingWeb application security - Emstell Technology Consulting
Web application security - Emstell Technology Consulting
 
Slides
SlidesSlides
Slides
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web application vulnerability upload
Web application vulnerability uploadWeb application vulnerability upload
Web application vulnerability upload
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
 
Web app presentation
Web app presentationWeb app presentation
Web app presentation
 
Services and Products
Services and ProductsServices and Products
Services and Products
 
Vulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control SystemVulnerabilities In Industrial Control System
Vulnerabilities In Industrial Control System
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Third Party Access Control
Third Party Access ControlThird Party Access Control
Third Party Access Control
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Web application testing
Web application testing Web application testing
Web application testing
 
Signature Enterprise
Signature EnterpriseSignature Enterprise
Signature Enterprise
 

Viewers also liked

Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013Abraham Aranguren
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMMintive
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Viewers also liked (20)

Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
Owasp Au Rev4
Owasp Au Rev4Owasp Au Rev4
Owasp Au Rev4
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
OWASP Open SAMM
OWASP Open SAMMOWASP Open SAMM
OWASP Open SAMM
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 

Similar to Web Application Security | A developer's perspective - Insecure Direct Object References

Web Programming - 12 Authentication and Authorization
Web Programming - 12 Authentication and AuthorizationWeb Programming - 12 Authentication and Authorization
Web Programming - 12 Authentication and AuthorizationAndiNurkholis1
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Chapter 3 security principals
Chapter 3 security principalsChapter 3 security principals
Chapter 3 security principalsnewbie2019
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...Alisha Henderson
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityRaj vardhan
 
BeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence GapBeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence GapIvan Dwyer
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingKaren Oliver
 
Depandability in Software Engineering SE16
Depandability in Software Engineering SE16Depandability in Software Engineering SE16
Depandability in Software Engineering SE16koolkampus
 
CompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsCompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsGanbayar Sukhbaatar
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxrahulkumarcscsf21
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challengessidraasif9090
 

Similar to Web Application Security | A developer's perspective - Insecure Direct Object References (20)

Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxBroken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptx
 
P3 m2
P3 m2P3 m2
P3 m2
 
Web Programming - 12 Authentication and Authorization
Web Programming - 12 Authentication and AuthorizationWeb Programming - 12 Authentication and Authorization
Web Programming - 12 Authentication and Authorization
 
Chapter006
Chapter006Chapter006
Chapter006
 
AbedElilahElmahmoumP1.pptx
AbedElilahElmahmoumP1.pptxAbedElilahElmahmoumP1.pptx
AbedElilahElmahmoumP1.pptx
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorization
 
Chapter 3 security principals
Chapter 3 security principalsChapter 3 security principals
Chapter 3 security principals
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NET
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database Security
 
BeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence GapBeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence Gap
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
 
Depandability in Software Engineering SE16
Depandability in Software Engineering SE16Depandability in Software Engineering SE16
Depandability in Software Engineering SE16
 
CompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsCompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentals
 
System Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptxSystem Security Sem 2(Module 1).pptx
System Security Sem 2(Module 1).pptx
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challenges
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Web Application Security | A developer's perspective - Insecure Direct Object References

  • 1. Web Application Security - The pitfalls and the brick walls A DEVELOPER’S PERSPECTIVE – INSECURE DIRECT OBJECT REFERENCES
  • 2. What exactly is it about ?  Authentication and authorization  Insecure Direct Object References  Why does it happen ?  How to fix ?
  • 3. Authentication - Who are you ?  Authentication is the process of identifying you.  It’s the first step in securing any application or a system.  Usual process follows by the user explicitly telling the system who he is by providing his login credentials
  • 4. Authorization – What are you ?  Authorization is the process of identifying what permissions the authenticated user has in the current system  Obviously, it starts after authentication  Authorization is usually initiated by the system/application on behalf of a authenticated user, by fetching his permission set from a data store
  • 5. Insecure Direct Object References  It’s a design flaw, where the system designer/developer expects the user to follow the rules set by the system, without any infrastructure to protect sensitive assets and data, when the user does not go by the rules  This vulnerability is usually exploited by an already authenticated user with some level of access to the system  An authenticated user may exploit a vulnerable system to access sensitive data by changing the parameters passed to the server, to the one’s he is trying to access
  • 6. Why does it happen ?  A thought process generally referred to as Security through obscurity  Fear of cost involved in authorizing the user on every request  General lack of awareness and oversight
  • 7. How to fix this ?  Authorization checks for every request by the user  Using cryptographic hashes like MD5 to prevent data manipulation by user