AJAX and Security Considerations
@irishwonder LAC2016
Why Security Matters
• Hacking is on the rise
• Hacked sites lose traffic
  • downtime
  • security warnings shown to visitors
• A site that gets hacked eventually loses rankings too
What’s Different about AJAX?
• No more or less dangerous per se
• However, extra risk comes from the higher complexity: every AJAX call is a separate request to the server that must be authenticated and validated on its own
• Extra considerations to keep in mind
AJAX Considerations
• AJAX applications will not run with JavaScript switched off
• Degrade gracefully: the core functions should still work without it
Typical Risks
• Unvalidated user input (XSS or SQL injection)
• User IDs or credentials handled by client-side JavaScript
• Unauthorised access to files on the server
Typical Victims
• Standalone AJAX applications
• Popular CMSs with AJAX-enhanced functionality
• WordPress plugins using AJAX
More Vulnerable Targets
Typical Scenario
• The user is authenticated in the page code when the page is loaded; the AJAX endpoint assumes that check still applies
• A user ID or other credential is placed in the URL unencoded and picked up by JavaScript
• That unencoded, unauthenticated credential is sent back to the server with the AJAX request, and the server trusts it; anyone can change it
• HACKED!
Insecure WP Plugin Showcase
RevSlider
• First discovered in 2014
• Affects versions below 4.2
• Affects themes that bundle it (a plugin shipped inside a theme has to be updated separately; see the Bonus slide)
Search query used to find sites exposing the vulnerable plugin's AJAX action:
inurl:/wp-admin/admin-ajax.php?action=revslider_ajax_action
The Problem Extent
Security Measures
• Proper authentication and authorisation checks on every AJAX endpoint, not only when the page is loaded
• Validate user input on the server against XSS and SQL injection; client-side checks can be bypassed
• Use HTTPS if transmitting sensitive data
HTTPS
• Implement correctly
• Double check for consistent implementation throughout the site: every page, script, stylesheet, image and form action, plus cookies marked Secure
• Incorrect implementation results in additional security risks (mixed content, credentials sent in the clear) and hurts SEO performance
Plugins and Themes
• Know what you use
• Update to the latest (patched) versions
Bonus!
• Showcase: RevSlider vulnerability story
  http://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html
• How to update a plugin if it’s included in a theme
  http://www.themepunch.com/faq/update-plugin-packaged-theme/
• Free website malware and security scanner
  https://sitecheck.sucuri.net/ (WARNING: will not catch all security issues but may be of help)
• Test your HTTPS: https://www.ssllabs.com/ssltest/index.html
@irishwonder BAC, Berlin October 2015
Questions?
Feel free to get in touch!
• info@irishwonder.com
• Twitter: @irishwonder
• Slideshare: http://www.slideshare.net/irishwonder/
• LinkedIn: linkedin.com/in/irishwonder
• Blogs:
  http://www.irishwonder.com/blog/ - general SEO
  http://www.irishwonder.syndk8.co.uk/ - darker areas
#LAC2016
