
Web Security: A Journey - UC San Diego


A short introduction to the root causes of security issues with web applications and HTTP.

Published in: Software


  1. net-square UCSD July '15. Web Security: A Journey. Saumil Shah, CEO, Net Square. UC San Diego – 23 July 2015
  2. Saumil Shah, @therealsaumil (saumilshah): hacker, speaker, trainer, entrepreneur, traveler, photographer, calligrapher, kite-flyer, software breaker, rebel, global. net-square.com
  3. WE ARE HACKERS. WE PUSH THE ENVELOPE. WE THRIVE ON FACTS AND LOGIC.. ..AND LATERAL THINKING. WE QUESTION AND CHALLENGE AND WORK ON LIMITED RESOURCES.
  4. Enter the WEB
  5. HTTP
     • Deliver HTML pages to browsers.
     • Cross platform document delivery.
     • Application independent.
     • Standard markup.
     • CLIENT: Web browser
     • SERVER: HTTP server
  6. Web Applications: Web Server, App Server, DB
  7. Client/Server vs. Web Apps
     Client/Server: Application Protocol, Authentication, Concurrent Sessions, Data Representation, Data Validation, Business Logic, Presentation
     Web Apps: HTTP, Authentication, Concurrent Sessions, Data Representation, Data Validation, Business Logic, Presentation
  8. Application Delivery
     HTTP, Authentication, Statefulness, Data Types, Data Validation
     CGI, HTML, JS, AJAX, Flash, HTML5, Silverlight, Web sockets, Web workers, Local storage
  9. Browser Architecture
     DOM, HTML+CSS, Javascript, ActiveX, mimetypes, toolbars, Flash, libraries
     <div> <img> <iframe> <body> <form> <input> <table> <style> <object> <embed> <script>
  10. 1995-1998
  11. [image only]
  12. [image only]
  13. 2008-present
  14. A Revival
  15. What shall your response be?
      GET / HTTP/1.0
      GET /nonexist.ent HTTP/1.0
  16. What shall your response be?
      ZOMFG / HTTP/1.0
      GET / HTTP/3.0
      GET / JUNK/1.0
  17. The responders
      Test                          Apache   Microsoft IIS   SunONE
      GET / HTTP/1.0                200      200             200
      GET /nonexist.ent HTTP/1.0    404      404             404
      DELETE / HTTP/1.0             405      403             401
      GET / HTTP/3.0                400      200             505
      GET / JUNK/1.0                200      400             none
  18. x=hello&x=world
      • A: "hello"
      • B: "world"
      • C: "hello, world"
      • D: WTF
  19. x=hello&x=world
      Web Server         Value of x
      Apache             "world"
      IBM HTTP Server    "hello"
      Domino             "world"
      IIS                "hello, world"
      Tomcat             "hello"
      Python/Zope        Array ['hello', 'world']
  20. Sources of Software Errors: User Input, Race Condition, Environment, Resource Exhaustion
  21. The "banana" test: I CAN HAZ BANANA?
  22. Circle of HTTP Trust: Your Users
  23. "The user's going to pick dancing pigs over security every time." (Bruce Schneier)
  24. Technology in the hands of users
  25. Thank You... Questions? saumil@net-square.com @therealsaumil
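The duplicate-parameter behaviours on slides 18 and 19, modelled in Python as an added example (not code from the talk): `resolve` reproduces each listed server's choice for `x=hello&x=world`, and `validated_value` is the defensive check that follows from the table, refusing a request whose parameter name is repeated rather than assuming the validator and the back-end pick the same value. The server-to-policy mapping is transcribed from slide 19; the function names are this example's own.

```python
from collections import Counter
from urllib.parse import parse_qsl

# How each server on slide 19 resolves a repeated query parameter:
# "first" occurrence, "last" occurrence, all values joined with ", ",
# or every value returned as a list.
POLICY = {
    "Apache": "last",
    "IBM HTTP Server": "first",
    "Domino": "last",
    "IIS": "join",
    "Tomcat": "first",
    "Python/Zope": "array",
}


def resolve(query: str, name: str, server: str):
    """Value the application would see for `name` behind the given server."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if not values:
        return None
    policy = POLICY[server]
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "join":
        return ", ".join(values)
    return values  # "array": the whole list, as Python/Zope does


def duplicate_names(query: str) -> set:
    """Parameter names that appear more than once in the query string."""
    counts = Counter(k for k, _ in parse_qsl(query, keep_blank_values=True))
    return {k for k, n in counts.items() if n > 1}


def distinct_interpretations(query: str, name: str) -> set:
    """Every different value the servers in POLICY would produce; more than
    one entry means a validator and a back-end on different servers could
    disagree about what was submitted."""
    return {repr(resolve(query, name, s)) for s in POLICY}


def validated_value(query: str, name: str, server: str):
    """Defensive check: reject repeated names outright, then resolve."""
    if name in duplicate_names(query):
        raise ValueError(f"duplicate parameter rejected: {name}")
    return resolve(query, name, server)
```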
