The document discusses client-state manipulation attacks on web applications. It provides an example of a pizza ordering website that is vulnerable because it stores the price in a hidden form field that can be manipulated by an attacker. Several solutions are presented, including storing state on the server, signing state parameters sent to the client, using POST requests instead of GET, and storing state in cookies. The document cautions that user input cannot be trusted and that computations done in JavaScript are not secure.
This document summarizes literature on detecting phishing attacks. It begins with an introduction defining phishing and explaining the broad scope of the problem. It then outlines the document's objectives and various definitions related to phishing. Several techniques for mitigating, detecting, and evaluating phishing attacks are discussed, including user training, software classification, offensive defense, correction approaches, and prevention. Evaluation metrics and examples of detection methods like passive/active warnings, visual similarity analysis, and blacklists are also summarized. The conclusion recommends education as the best defense and outlines common characteristics of phishing attacks.
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
Student Arpit Patel presented on phishing. Phishing involves tricking users into providing sensitive information like passwords or credit card details through fraudulent websites or emails. The presentation defined phishing, discussed its history and increasing threat levels over time. It covered common phishing techniques, how to identify phishing attempts, and prevention methods like using antivirus software and checking financial statements regularly. The presentation also categorized different types of phishing like deceptive, malware-based, and man-in-the-middle phishing and examined causes and existing/proposed systems to address phishing threats.
This document discusses phishing, which is a form of online fraud that aims to steal users' sensitive information such as usernames, passwords, and credit card details. It does this through deceptive messages that appear to come from legitimate organizations but actually lead to fake websites or download malware. The document provides information on how phishing works, techniques used to detect and prevent it, and tips for users to avoid falling victim to phishing scams.
User Authentication: Passwords and BeyondJim Fenton
The document discusses user authentication beyond passwords. It provides guidance on emphasizing usability, having realistic security expectations, and burdening systems rather than users. It also covers password threats like online guessing, offline attacks, and side channels. It recommends techniques like throttling logins, prohibiting common passwords, using long passphrases, allowing diverse characters, and avoiding hints, expiration, and composition rules.
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
This document summarizes literature on detecting phishing attacks. It begins with an introduction defining phishing and explaining the broad scope of the problem. It then outlines the document's objectives and various definitions related to phishing. Several techniques for mitigating, detecting, and evaluating phishing attacks are discussed, including user training, software classification, offensive defense, correction approaches, and prevention. Evaluation metrics and examples of detection methods like passive/active warnings, visual similarity analysis, and blacklists are also summarized. The conclusion recommends education as the best defense and outlines common characteristics of phishing attacks.
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
Student Arpit Patel presented on phishing. Phishing involves tricking users into providing sensitive information like passwords or credit card details through fraudulent websites or emails. The presentation defined phishing, discussed its history and increasing threat levels over time. It covered common phishing techniques, how to identify phishing attempts, and prevention methods like using antivirus software and checking financial statements regularly. The presentation also categorized different types of phishing like deceptive, malware-based, and man-in-the-middle phishing and examined causes and existing/proposed systems to address phishing threats.
This document discusses phishing, which is a form of online fraud that aims to steal users' sensitive information such as usernames, passwords, and credit card details. It does this through deceptive messages that appear to come from legitimate organizations but actually lead to fake websites or download malware. The document provides information on how phishing works, techniques used to detect and prevent it, and tips for users to avoid falling victim to phishing scams.
User Authentication: Passwords and BeyondJim Fenton
The document discusses user authentication beyond passwords. It provides guidance on emphasizing usability, having realistic security expectations, and burdening systems rather than users. It also covers password threats like online guessing, offline attacks, and side channels. It recommends techniques like throttling logins, prohibiting common passwords, using long passphrases, allowing diverse characters, and avoiding hints, expiration, and composition rules.
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
This document provides an overview of AirCrack-ng, a suite of tools for assessing WiFi network security. It discusses the tools in the AirCrack-ng suite like aircrack-ng for cracking WEP and WPA/WPA2 keys. It also describes commands used like airmon-ng to put interfaces in monitor mode and airodump-ng to capture handshakes. The document explains how to use captured handshakes and wordlists with aircrack-ng to crack network passwords if the password is in the wordlist. It also discusses how to perform WiFi deauthentication attacks to capture new handshakes by forcing clients to reconnect.
This document discusses phishing and prevention techniques. It defines phishing as techniques used by cybercriminals to trick users into revealing sensitive information or installing malware. There are various types of phishing attacks, including email, text, phone calls, and USB devices. Phishing can be mass, spear, or target senior executives. To prevent phishing, the document recommends two-factor authentication, keeping systems updated, scrutinizing links and attachments, and being wary of requests for sensitive information.
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
This presentation contains Introduction of Phishing attack, its types and Various techniques, their impact with real live example, after that its Avoidance, Prevention and Solution. Also it contains brief introduction of SSL and HTTPS with their working.
Spoofing involves falsifying data to masquerade as another user or system. There are several types of spoofing attacks:
IP spoofing involves altering packet source IP addresses to hide the identity of the actual source. URL and referrer spoofing tricks users into thinking they are visiting legitimate sites when they are actually being directed to fake sites controlled by attackers. Caller ID spoofing allows callers to hide their real numbers. Email address spoofing modifies email headers to make emails appear to be from someone other than the actual sender. Spoofing techniques are commonly used by hackers and spammers to conceal their identities and gain illegitimate access.
IP spoofing involves lying about the source IP address in network packets. This allows an attacker to conduct various types of attacks, such as session hijacking, denial of service attacks, and spoofing attacks. Notable examples include Kevin Mitnick's 1994 attack on Tsutomu Shinomura where he determined the victim's TCP sequence number algorithm, and session hijacking attacks where the attacker can eavesdrop or take over communications between two parties. Defenses against IP spoofing involve making it more difficult for attackers to guess sequence numbers or determine addressing patterns if they are blind on the network. However, IP spoofing continues to evolve as a threat as long as different layers of the internet architecture implicitly trust each other.
Basic Network Attacks
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
IP spoofing is a technique used to disguise the originating IP address of a packet. It works by forging the source IP address field in the IP header of a packet. Attackers use IP spoofing to conduct denial-of-service attacks, bypass firewall rules, and mask their identity. The document discusses how IP spoofing works, the different types of attackers that use it, and some preventative measures like packet filtering and firewalls that can help mitigate the risks.
OS command injection vulnerabilities occur when user input is not sanitized before being passed to a shell command interpreter. This allows attackers to inject arbitrary commands that will be executed by the server, potentially compromising the server or application data. Command injection vulnerabilities are serious because they may enable attackers to use the server as a platform for launching attacks against other systems. Commix is an open source tool that can detect and exploit command injection vulnerabilities.
This document provides an overview of cross-site request forgery (CSRF) attacks. It discusses how CSRF works, forcing victims to perform actions on a website without their knowledge. Common defenses like using nonces or CAPTCHAs are described. The document also covers how to validate if an issue is truly a CSRF vulnerability and lists some example attack vectors. Key takeaways emphasize the importance of validating any potential CSRF issue affects state, is sensitive, and has non-unique requests.
Command injection is an attack where malicious commands are executed on a system by passing unsafe user input to a shell. It occurs when an app fails to validate input before using it in system commands. This allows attackers to inject arbitrary commands that get run with the app's privileges. To prevent it, apps should strictly validate input against a whitelist and use command APIs instead of passing strings to interpreters supporting redirection.
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
An unfortunate number of women are becoming victims of cyber crimes. According to a recent study more women are known to use the Internet to enrich their relationships compared to men. Young women, those 18-24, experience certain severe types of harassment at disproportionately high levels: 26% of these young women have been stalked online, and 25% were the target of online sexual harassment. The growing reach of the Internet and the rapid spread of information through mobile devices has presented new opportunities that could put some women at risk, so it’s important to be mindful of the dangers.
This document discusses various types of network attacks and countermeasures. It describes mapping to study a victim's network before attacking, packet sniffing where a host can read unencrypted communication, spoofing where an attacker takes a target's IP address to remain anonymous, and DoS/DDoS attacks which aim to overload services and bring them down. Hijacking combines different attack techniques to disrupt an entire network. The document provides details on each attack method and their techniques.
This document discusses wireless cracking techniques using Kali Linux. It covers setting wireless interfaces to monitor mode, capturing traffic using airodump-ng to crack hidden SSIDs, bypassing MAC filtering, cracking WEP security using aircrack-ng, capturing the 4-way handshake to crack WPA/WPA2 pre-shared keys either through brute force or using pre-computed PMK files to speed up the cracking process. Generating password files with crunch and tools like pyrit, cowpatty and aircrack-ng are also summarized.
The document outlines various web application vulnerabilities and defenses. It discusses outdated software, guessable passwords, exposed source code, client-side issues, authentication errors, injections, and cross-site scripting. It recommends strong defenses like updating software, encrypting source code, validating all user input, and using tools like mod_security to analyze code and monitor activity. The goal is to close vulnerabilities at each layer of a web application to prevent hackers from accessing sensitive data like databases.
The document discusses phishing, which refers to attempts by criminals to acquire sensitive information such as usernames, passwords, and credit card details by disguising themselves as a trustworthy entity through fraudulent emails or websites. It provides details on how phishing works, what information phishers typically ask for, signs of phishing messages to watch out for, and steps individuals can take to protect themselves, including using antivirus software, firewalls, and caution when receiving suspicious emails or entering information on websites.
Sneha Chauhan presented on cyber crime and security techniques. The presentation discussed how the growth of the internet in India has led to new opportunities but also disadvantages like cyber crime. Several types of cyber crimes were defined, including hacking, denial of service attacks, and software piracy. The presentation provided safety tips to prevent cyber crime and outlined cyber security techniques such as using antivirus software, firewalls, and maintaining backups. It also discussed public key cryptography and private key cryptography.
Web application attacks can take many forms, including cross-site scripting (XSS), SQL injection, parameter tampering, command injection, session management issues, cookie poisoning, directory traversal, cross-site request forgery, and buffer overflows. XSS is a vulnerability that allows malicious JavaScript code to be injected and run in a user's browser, potentially accessing data. SQL injection involves inserting SQL commands into a database query to gain unauthorized access. Parameter tampering modifies URL parameters to change expected behavior.
Phishing is an attempt to acquire personal information like usernames, passwords, credit card details by pretending to be a trustworthy entity. It began in 1995 targeting AOL users and has increased in threat level and sophistication over time. Phishers target customers of banks and payment services for financial gain through identity theft. They employ techniques like spear phishing, clone phishing and website forgery. While phishing emails affect a small percentage of recipients, they can yield significant financial rewards for phishers with little effort. Users can detect and prevent phishing by keeping software updated, using firewalls, avoiding links in suspicious emails, and never responding to requests for personal information.
1) The document provides steps for developers to implement online payments on a merchant website using RESTful APIs from a payment company.
2) Developers are instructed to create a payment token by making an API call to the payment company's sandbox server and including the merchant's API key.
3) JavaScript code is then inserted into the merchant website to initialize the payment process by referencing the payment token and API keys. When a customer enters their payment details, it is sent to the payment company for processing without exposing sensitive card data.
4) The payment company returns a token to the merchant server, which then needs to call the payment company's API to verify the payment using the token, thus completing the transaction.
Restoring Abandoned Destroyed Phone, Found a lot of broken phones and more!https://linktr.ee/hmaadi https://linktr.ee/hmaad
Restoring Abandoned Destroyed Phone, Found a lot of broken phones and more!https://linktr.ee/hmaadi https://linktr.ee/hmaadihttps://uii.io/ref/hmaadihttps://uii.io/ref/hmaadii
This document provides an overview of AirCrack-ng, a suite of tools for assessing WiFi network security. It discusses the tools in the AirCrack-ng suite like aircrack-ng for cracking WEP and WPA/WPA2 keys. It also describes commands used like airmon-ng to put interfaces in monitor mode and airodump-ng to capture handshakes. The document explains how to use captured handshakes and wordlists with aircrack-ng to crack network passwords if the password is in the wordlist. It also discusses how to perform WiFi deauthentication attacks to capture new handshakes by forcing clients to reconnect.
This document discusses phishing and prevention techniques. It defines phishing as techniques used by cybercriminals to trick users into revealing sensitive information or installing malware. There are various types of phishing attacks, including email, text, phone calls, and USB devices. Phishing can be mass, spear, or target senior executives. To prevent phishing, the document recommends two-factor authentication, keeping systems updated, scrutinizing links and attachments, and being wary of requests for sensitive information.
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
This presentation contains Introduction of Phishing attack, its types and Various techniques, their impact with real live example, after that its Avoidance, Prevention and Solution. Also it contains brief introduction of SSL and HTTPS with their working.
Spoofing involves falsifying data to masquerade as another user or system. There are several types of spoofing attacks:
IP spoofing involves altering packet source IP addresses to hide the identity of the actual source. URL and referrer spoofing tricks users into thinking they are visiting legitimate sites when they are actually being directed to fake sites controlled by attackers. Caller ID spoofing allows callers to hide their real numbers. Email address spoofing modifies email headers to make emails appear to be from someone other than the actual sender. Spoofing techniques are commonly used by hackers and spammers to conceal their identities and gain illegitimate access.
IP spoofing involves lying about the source IP address in network packets. This allows an attacker to conduct various types of attacks, such as session hijacking, denial of service attacks, and spoofing attacks. Notable examples include Kevin Mitnick's 1994 attack on Tsutomu Shinomura where he determined the victim's TCP sequence number algorithm, and session hijacking attacks where the attacker can eavesdrop or take over communications between two parties. Defenses against IP spoofing involve making it more difficult for attackers to guess sequence numbers or determine addressing patterns if they are blind on the network. However, IP spoofing continues to evolve as a threat as long as different layers of the internet architecture implicitly trust each other.
Basic Network Attacks
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
IP spoofing is a technique used to disguise the originating IP address of a packet. It works by forging the source IP address field in the IP header of a packet. Attackers use IP spoofing to conduct denial-of-service attacks, bypass firewall rules, and mask their identity. The document discusses how IP spoofing works, the different types of attackers that use it, and some preventative measures like packet filtering and firewalls that can help mitigate the risks.
OS command injection vulnerabilities occur when user input is not sanitized before being passed to a shell command interpreter. This allows attackers to inject arbitrary commands that will be executed by the server, potentially compromising the server or application data. Command injection vulnerabilities are serious because they may enable attackers to use the server as a platform for launching attacks against other systems. Commix is an open source tool that can detect and exploit command injection vulnerabilities.
This document provides an overview of cross-site request forgery (CSRF) attacks. It discusses how CSRF works, forcing victims to perform actions on a website without their knowledge. Common defenses like using nonces or CAPTCHAs are described. The document also covers how to validate if an issue is truly a CSRF vulnerability and lists some example attack vectors. Key takeaways emphasize the importance of validating any potential CSRF issue affects state, is sensitive, and has non-unique requests.
Command injection is an attack where malicious commands are executed on a system by passing unsafe user input to a shell. It occurs when an app fails to validate input before using it in system commands. This allows attackers to inject arbitrary commands that get run with the app's privileges. To prevent it, apps should strictly validate input against a whitelist and use command APIs instead of passing strings to interpreters supporting redirection.
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
An unfortunate number of women are becoming victims of cyber crimes. According to a recent study more women are known to use the Internet to enrich their relationships compared to men. Young women, those 18-24, experience certain severe types of harassment at disproportionately high levels: 26% of these young women have been stalked online, and 25% were the target of online sexual harassment. The growing reach of the Internet and the rapid spread of information through mobile devices has presented new opportunities that could put some women at risk, so it’s important to be mindful of the dangers.
This document discusses various types of network attacks and countermeasures. It describes mapping to study a victim's network before attacking, packet sniffing where a host can read unencrypted communication, spoofing where an attacker takes a target's IP address to remain anonymous, and DoS/DDoS attacks which aim to overload services and bring them down. Hijacking combines different attack techniques to disrupt an entire network. The document provides details on each attack method and their techniques.
This document discusses wireless cracking techniques using Kali Linux. It covers setting wireless interfaces to monitor mode, capturing traffic using airodump-ng to crack hidden SSIDs, bypassing MAC filtering, cracking WEP security using aircrack-ng, capturing the 4-way handshake to crack WPA/WPA2 pre-shared keys either through brute force or using pre-computed PMK files to speed up the cracking process. Generating password files with crunch and tools like pyrit, cowpatty and aircrack-ng are also summarized.
The document outlines various web application vulnerabilities and defenses. It discusses outdated software, guessable passwords, exposed source code, client-side issues, authentication errors, injections, and cross-site scripting. It recommends strong defenses like updating software, encrypting source code, validating all user input, and using tools like mod_security to analyze code and monitor activity. The goal is to close vulnerabilities at each layer of a web application to prevent hackers from accessing sensitive data like databases.
The document discusses phishing, which refers to attempts by criminals to acquire sensitive information such as usernames, passwords, and credit card details by disguising themselves as a trustworthy entity through fraudulent emails or websites. It provides details on how phishing works, what information phishers typically ask for, signs of phishing messages to watch out for, and steps individuals can take to protect themselves, including using antivirus software, firewalls, and caution when receiving suspicious emails or entering information on websites.
Sneha Chauhan presented on cyber crime and security techniques. The presentation discussed how the growth of the internet in India has led to new opportunities but also disadvantages like cyber crime. Several types of cyber crimes were defined, including hacking, denial of service attacks, and software piracy. The presentation provided safety tips to prevent cyber crime and outlined cyber security techniques such as using antivirus software, firewalls, and maintaining backups. It also discussed public key cryptography and private key cryptography.
Web application attacks can take many forms, including cross-site scripting (XSS), SQL injection, parameter tampering, command injection, session management issues, cookie poisoning, directory traversal, cross-site request forgery, and buffer overflows. XSS is a vulnerability that allows malicious JavaScript code to be injected and run in a user's browser, potentially accessing data. SQL injection involves inserting SQL commands into a database query to gain unauthorized access. Parameter tampering modifies URL parameters to change expected behavior.
Phishing is an attempt to acquire personal information like usernames, passwords, credit card details by pretending to be a trustworthy entity. It began in 1995 targeting AOL users and has increased in threat level and sophistication over time. Phishers target customers of banks and payment services for financial gain through identity theft. They employ techniques like spear phishing, clone phishing and website forgery. While phishing emails affect a small percentage of recipients, they can yield significant financial rewards for phishers with little effort. Users can detect and prevent phishing by keeping software updated, using firewalls, avoiding links in suspicious emails, and never responding to requests for personal information.
1) The document provides steps for developers to implement online payments on a merchant website using RESTful APIs from a payment company.
2) Developers are instructed to create a payment token by making an API call to the payment company's sandbox server and including the merchant's API key.
3) JavaScript code is then inserted into the merchant website to initialize the payment process by referencing the payment token and API keys. When a customer enters their payment details, it is sent to the payment company for processing without exposing sensitive card data.
4) The payment company returns a token to the merchant server, which then needs to call the payment company's API to verify the payment using the token, thus completing the transaction.
Restoring Abandoned Destroyed Phone, Found a lot of broken phones and more!https://linktr.ee/hmaadi https://linktr.ee/hmaad
Restoring Abandoned Destroyed Phone, Found a lot of broken phones and more!https://linktr.ee/hmaadi https://linktr.ee/hmaadihttps://uii.io/ref/hmaadihttps://uii.io/ref/hmaadii
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
The document discusses building scalable game payment systems using HTML5 and PayPal Digital Goods. It describes the architecture involving client and server-side components, PayPal Digital Goods, HTML5 LocalStorage, and jQuery. It then covers implementing the payment and inventory management flows, including fetching tokens, committing payments, verifying purchases, and retrieving local storage purchases. Finally, it discusses setting up product webhooks for functions like user identity, payment recording and verification, and inventory management.
This document discusses integrating Salesforce with Google Doubleclick by obtaining an access token to call the Doubleclick API. It explains setting up a project in the Google Developer Console to get a client ID and secret. It then covers using the client ID/secret to get an authorization code from Google, exchanging that code for an access token, and making authenticated API calls by including the access token in the SOAP request header. Sample code is provided for the key steps of getting the authorization code, exchanging it for a token, and making a callout to the Doubleclick API.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
The document discusses various PHP security concerns such as SQL injection, cross-site scripting, and code injection. It recommends validating all user input, disabling register globals, using prepared statements, and encoding output to prevent attacks. Proper server configuration and input sanitization are important defenses against security vulnerabilities.
Video available at http://www.youtube.com/watch?v=4sQYYCx_CQM&feature=em-share_video_user
Presentation on In-App Payments with HTML5 at Silicon Valley Code Camp (October 7th, 2012)
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
What do we expect? A total compromise.
• Account Takeover
• Logic Bypass
• Remote Code Execution
• Easy Exploitation
What do we get? OWASP daily work.
• XSS
• CSRF
• Session Fixation
• IDOR
• Information Disclosure
• Unlimited Email Spam
• ARP poisoning
• Mountable NFS volumes
What are we bored of in the reports?
• Versions
• Ciphers
• Headers
• Checklists
• False Positives
• Automatic Reports
How to get an empty pretest report?
Talk given at DDDx London on 27th of April about how to implement long running processes in Domain Driven Design properly. Describes patterns like Process Manager and Saga.
How to Build an Indivo X Personal Health AppBen Adida
Indivo X allows developers to build personal health apps that integrate with Indivo health records. The four key steps to building an app are: 1) defining the app's scope and functionality, 2) implementing authentication and authorization via OAuth, 3) making REST API calls to read and write data, and 4) using provided UI widgets for features like auto-complete and sharing/audit controls. The process aims to make app development simple while enabling access to rich health record data.
This document provides an overview of in-flash payments which allow seamless payments within games without interrupting gameplay. It describes how in-flash payments work, the benefits for users and developers, and how to integrate the payments platform via API. The document also outlines the product architecture, security objectives, and roadmap for additional features and currencies. Integration instructions are provided in multiple steps including collecting user data, configuring the payments service, and handling events for requests.
in this presentation we give a brief intro to Social Gold, an overview of the in-flash solution architecture followed by a step by step integration example.
A sequence of requests and responses from one browser to one (or more) sites
Session can be long or short
Without session management:
Users would have to constantly re-authenticate
Session management:
Authorize user once
All subsequent requests are tied to user
Browser cookie:
Set-Cookie: SessionToken=fduhye63sfdb
Embedd in all URL links:
https://site.com/checkout ? SessionToken=kh7y3b
In a hidden form field:
<input type=“hidden” name=“sessionid” value=“kh7y3b”>
This document discusses using the PayPal REST API to integrate PayPal payment functionality into a website. It includes information about registering as a PayPal developer, creating test accounts, making API calls to create payments, links to PayPal's developer documentation, and code samples in PHP for setting up API credentials, creating payments, executing payments, and handling callbacks.
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
This document summarizes a presentation about the mobile security Linux distribution Santoku Linux. It discusses how Santoku Linux was created by modifying Lubuntu to include mobile forensic and security tools from the company viaForensics. Some key tools discussed include AFLogical OSE for Android logical acquisitions, iPhone Backup Analyzer, and utilities for analyzing mobile malware samples. Real-world examples of analyzing the Any.DO task manager app and Korean banking malware are also provided.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
The document discusses code review techniques for advanced mobile applications. It begins with an overview of why mobile security is important given the rise in mobile usage. It then discusses different mobile application types and architectures that can be code reviewed, including native, hybrid, and HTML5 applications. The document outlines the goals of mobile application code reviews, such as understanding the application and finding security vulnerabilities. It provides the methodology for conducting code reviews, which includes gaining access to source code, understanding the technology, threat modeling, analyzing the code, and creating automation scripts. Finally, it discusses specific vulnerabilities that may be found in Windows Phone, hybrid, Android, and iOS applications.
The document discusses research conducted by Gregg Ganley and Gavin Black at MITRE in FY13-14 on iOS mobile application security. It describes their work on a tool called iMAS (iOS Mobile Application Security) which aims to provide additional security controls and containment for native iOS applications. iMAS addresses vulnerabilities related to runtime access, device access, application access, data at rest, and threats from app stores/malware. It utilizes techniques like encrypted code modules, forced inlining, secure MDM and more to raise security levels above standard iOS but below a fully customized/rooted mobile device environment. The document outlines the motivation, capabilities and future research directions for the iMAS project.
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
This document summarizes a presentation on defending against CSRF (cross-site request forgery) attacks. It discusses four main design patterns for CSRF defenses: the synchronizer token pattern, double submit cookies, challenge-response systems, and checking the referrer header. It then provides details on implementing these patterns, specifically looking at libraries and features in .NET, .NET MVC, Anticsrf, CSRFGuard, and HDIV that can help implement CSRF tokens and validation. The document covers the tradeoffs of different approaches and considerations for using them effectively on the code and server level.
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
This document provides an overview of the OWASP Broken Web Applications (OWASP BWA) project. It discusses the background and motivation for the project, describes the current status including what applications are included in the virtual machine, outlines future plans, and solicits feedback to help guide and expand the project. The goal of OWASP BWA is to provide a free, open-source virtual machine containing a variety of intentionally vulnerable web applications to aid in testing tools and techniques for finding and addressing security issues.
This document provides a summary of a presentation by Robert Hansen on the future of browser security. Hansen argues that while browser developers want to improve security and privacy, their companies' business models focused on advertising revenue prohibit them from doing so. He outlines various techniques used by advertisers and browser companies to track users against their preferences. Hansen advocates for technical controls that allow users to opt out of tracking through a "can not track" approach, rather than relying on ineffective "do not track" policies. He concludes by discussing WhiteHat Security's focus on privacy and their plans to add more security and privacy features to their Aviator browser.
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
(1) A study surveyed 600 software developers and found that most did not have a basic understanding of software security concepts, with 73% failing an initial survey and the average score being 59% before training. (2) However, after training, developers' understanding of key concepts increased, with some areas like cross-site scripting seeing a 20 percentage point gain. (3) The study concluded that targeted security training can improve developers' knowledge in the short-term, though retention of this knowledge may require refresher training over time.
This document summarizes Bruno Gonçalves de Oliveira's talk on hacking web file servers for iOS. It introduces Bruno and his background in offensive security and discusses how iOS devices store a lot of information and mobile applications are often poorly designed and vulnerable. It provides examples of vulnerable file storage apps, outlines features and vulnerabilities like lack of encryption, authentication, XSS issues, and path traversal flaws. The document demonstrates exploits like unauthorized access to file systems on jailbroken devices and how to find vulnerable systems through mDNS queries. It concludes that mobile apps are the future but designers still do not prioritize security and there are too many apps for users to vet carefully.
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
Appsec2013 assurance tagging-robert martindrewz lin
The document discusses engineering software systems to be more secure against attacks. It notes that reducing a system's attack surface alone is not enough, as software and networks are too complex and it is impossible to know all vulnerabilities. It then discusses characteristics of advanced persistent threats, including that the initial attack may go unnoticed and adversaries cannot be fully kept out. Finally, it argues that taking a threat-driven perspective beyond just operational defense can help balance mitigation with detection and response.
The document summarizes a presentation on vulnerabilities found in SCADA systems between 2009-2013. It analyzed vulnerabilities by component, with the majority (66%) found in communication components like Modbus and DNP3 protocols. Examples of vulnerabilities are described for several devices. Real-world issues with SCADA systems are discussed like lack of authentication and patching. Recommendations are provided like auditing SCADA networks, implementing secure protocols and password policies, and keeping systems updated.
This 3-page document discusses the real-world challenges of implementing an agile software development lifecycle (SDLC) approach from the perspectives of Chris Eng and Ryan O'Boyle. It was presented at the OWASP AppSec USA conference on November 20, 2013 and focuses on practical lessons learned and best practices for incorporating security throughout an agile SDLC.
This document outlines a presentation given by Simón Roses Femerling on software security verification tools. It discusses BinSecSweeper, an open source tool created by VulnEx to scan binaries and check that security best practices were followed in development. The presentation covers using BinSecSweeper to verify in-house software, assess a company's software security posture, and compare the security of popular browsers. Examples of plugin checks and reports generated by BinSecSweeper are also provided.
1. CHAPTER 7
Client-State
Manipulation
Slides adapted from "Foundations of Security: What Every Programmer
Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan
(ISBN 1590597842; http://www.foundationsofsecurity.com). Except as
otherwise noted, the content of this presentation is licensed under the
Creative Commons 3.0 License.
2. Agenda
Web application – collection of programs used by
server to reply to client (browser) requests
Often accept user input: don’t trust, validate!
HTTP is stateless, servers don’t keep state
To conduct transactions, web apps have state
State info may be sent to client who echoes it back in
future requests
Example Exploit: “Hidden” parameters in HTML
are not really hidden, can be manipulated
3. 7.1. Pizza Delivery Web Site
Example
Web app for delivering pizza
Online order form: order.html – say user buys one
pizza @ $5.50
Confirmation form: generated by confirm_order
script, asks user to verify purchase, price is sent as
hidden form field
Fulfillment: submit_order script handles user’s
order received as GET request from confirmation
form (pay & price variables embedded as
parameters in URL)
4. 7.1. Pizza Web Site Code
Confirmation Form:
<HTML><head><title>Pay for Pizza</title></head>
<body><form action="submit_order" method="GET">
<p> The total cost is 5.50. Are you sure you
would like to order? </p>
<input type="hidden" name="price" value="5.50">
<input type="submit" name="pay" value="yes">
<input type="submit" name="pay" value="no">
</form></body></HTML>
if (pay = yes) {
Submit success = authorize_credit_card_charge(price);
if (success) {
Order settle_transaction(price);
dispatch_delivery_person();
Script: } else { // Could not authorize card
tell_user_card_declined();
}
} else { display_transaction_cancelled_page(); // no}
5. 7.1. Buying Pizza Example
Order 1 Pizza
Credit
Web Confirm $5.50 Web Submit Card
Browser
Server Order Payment
(Client) $5.50 Gateway
Price Stored in Attacker will modify
Hidden Form Variable
submit_order?price=5.50
9. 7.1.1. Attack Scenario (4)
Changes price in source, reloads page!
Browser sends request:
GET /submit_order?price=0.01&pay=yes HTTP/1.1
Hidden form variables are essentially in clear
10. 7.1.1. Attack Scenario (5)
Order 1 Pizza
Credit
Web Confirm $5.50 Web Submit Card
Browser
Server Order Payment
(Client) $0.01 Gateway
Attacker modified
Price!
11. 7.1.1. Attack Scenario (6)
Command-line tools to generate HTTP requests
curl or Wget automates & speeds up attack:
curl https://www.deliver-me-pizza.com/submit_order
?price=0.01&pay=yes
Even against POST, can specify params as
arguments to curl or wget command
curl -dprice=0.01 -dpay=yes https://www.deliver-me-
pizza.com/submit_order
wget --post-data 'price=0.01&pay=yes'
https://www.deliver-me-pizza.com/submit_order
12. 7.1.2. Solution 1: Authoritative
State Stays on Server
Server sends session-id to client
Server has table mapping session-ids to prices
Randomly generated (hard to guess) 128-bit id sent in
hidden form field instead of the price.
<input type="hidden" name="session-id"
value="3927a837e947df203784d309c8372b8e">
New Request
GET /submit_order?session-id=3927a837e947df203784d309c8372b8e
&pay=yes HTTP/1.1
13. 7.1.2. Solution 1 Changes
submit_order script changes:
if (pay = yes) {
price = lookup(session-id); // in table
if (price != NULL) {
// same as before
}
else { // Cannot find session
display_transaction_cancelled_page();
log_client_IP_and_info(); }
} else {
// same no case
}
14. 7.1.2. Session Management
128-bit session-id, n = # of session-ids
Limitchance of correct guess to n/2128.
Time-out idle session-ids
Clear expired session-ids
Session-id: hash random # & IP address – harder to
attack (also need to spoof IP)
Con: server requires DB lookup for each request
Performance bottleneck – possible DoS from
attackers sending random session-ids
Distribute DB, load balance requests
15. 7.1.3. Solution 2:
Signed State To Client
Keep Server stateless, attach a signature to
state and send to client
Can detect tampering through MACs
Sign whole transaction (based on all parameters)
Security based on secret key known only to server
<input type="hidden" name="item-id" value="1384634">
<input type="hidden" name="qty" value="1">
<input type="hidden" name="address" value="123 Main St, Stanford, CA">
<input type="hidden" name="credit_card_no" value="5555 1234 4321 9876">
<input type="hidden" name="exp_date" value="1/2012">
<input type="hidden" name="price" value="5.50">
<input type="hidden" name="signature"
value="a2a30984f302c843284e9372438b33d2">
16. 7.1.3. Solution 2 Analysis
Changes in submit_order script:
if (pay = yes) {
// Aggregate transaction state parameters
// Note: | is concatenation operator, # a delimiter.
state = item-id | # | qty | # | address | # |
credit_card_no | # | exp_date | # | price;
//Compute message authentication code with server key K.
signature_check = MAC(K, state);
if (signature == signature_check) { // proceed normally }
else { // Invalid signature: cancel & log }
} else { // no pay – cancel}
Can detect tampered state vars from invalid signature
Performance Hit
Compute MACs when processing HTTP requests
Stream state info to client -> extra bandwidth
17. 7.2. POST Instead of GET
GET: form params (e.g. session-id) leak in URL
Could anchor these links in lieu of hidden form fields
Alice sends Meg URL in e-mail, Meg follows it &
continues transaction w/o Alice’s consent
Referers can leak through outlinks:
This <a href="http://www.grocery-store-site.com/"> link
Sends request: GET / HTTP/1.1 Referer:
https://www.deliver-me-pizza.com/submit_order?
session-id=3927a837e947df203784d309c8372b8e
Session-id leaked to grocery-store-site’s logs!
18. 7.2. Benefits of POST
POST /submit_order HTTP/1.1
POST Content-Type: application/x-www-form-urlencoded
Request: Content-Length: 45
session-id%3D3927a837e947df203784d309c8372b8e
Session-id not visible in URL
Pasting into e-mail wouldn’t leak it
Slightly inconvenient for user, but more secure
Referers can still leak w/o user interaction
Instead of link, image:
<a href=http://www.grocery-store-site.com/banner.gif>
GET request for banner.gif still leaks session-id
19. 7.3. Cookies
Cookie - piece of state maintained by client
Server gives cookie to client
Client returns cookie to server in HTTP requests
Ex: session-id in cookie in lieu of hidden form field
HTTP/1.1 200 OK
Set-Cookie: session-id=3927a837e947df203784d309c8372b8e; secure
Securedictates using SSL
Browser Replies:
GET /submit_order?pay=yes HTTP/1.1
Cookie: session-id=3927a837e947df203784d309c8372b8e
20. 7.3. Problems with Cookies
Cookies are associated with browser
Sent back w/ each request, no hidden field to tack on
If user doesn’t log out, attacker can use same
browser to impersonate user
Session-ids should have limited lifetime
21. 7.4. JavaScript (1)
Popular client-side scripting language
Ex: Compute prices of an order:
<html><head><title>Order Pizza</title></head><body>
<form action="submit_order" method="GET" name="f">
How many pizzas would you like to order?
<input type="text" name="qty" value="1" onKeyUp="computePrice();">
<input type="hidden" name="price" value="5.50"><br>
<input type="submit" name="Order" value="Pay">
<input type="submit" name="Cancel" value="Cancel">
<script>
function computePrice() {
f.price.value = 5.50 * f.qty.value; // compute new value
f.Order.value = "Pay " + f.price.value // update price
}
</script>
</body></html>
22. 7.4. JavaScript (2)
Evil user can just delete JavaScript code,
substitute desired parameters & submit!
Could also just submit request & bypass JavaScript
GET /submit_order?qty=1000&price=0&Order=Pay
Warning: data validation or computations done
by JavaScript cannot be trusted by server
Attackermay alter script in HTML code to modify
computations
Must be redone on server to verify
23. Summary
Web applications need to maintain state
HTTP stateless
Hidden form fields, cookies
Session-management, server with state…
Don’t trust user input!
keep state on server (space-expensive)
Or sign transaction params (bandwidth-expensive)
Use cookies, be wary of cross-site attacks (c.f. ch.10)
No JavaScript for computations & validations
Editor's Notes
Welcome to SEC103 on Secure Programming Techniques. In this course, I assume that you have some background in computer security, but now you want to put that background to use. For example, in the Computer Security Principles and Introduction To Cryptography courses, we cover topics such concerning trust and encryption. In this course, we put these principles into to practice, and I’ll show you have to write secure code that builds security into your applications from the ground up.
Also, validating input at client (i.e., with JavaScript) is ineffective for security