Web Applications (In)Security
Reconnaissance
Topics Covered:
• Web Application Analysis
• Web Application Mapping
Module 2–Chapter 1
Web Applications Analysis
Topics Covered:
• Wireshark
• Browser Plugins
• Proxies
• Scanners
• Fuzzers
Wireshark
• Profile network traffic
• Captures raw traffic
• Packet analyzer
2.1 – Reconnaissance
Browser Plugins
• Show/change how the browser interacts with the web application
• Popular plugins
  • Tamper Data
  • Live HTTP Headers
[Diagram: Browser <-> Web Server, exchanging Request and Response]
Proxies
• Control how data is exchanged between the browser and the web app
• Can tamper with virtually any request or response
[Diagram: Browser <-> Proxy <-> Web Server; each hop carries the Request and the Response]
Scanners
• Attempt to find vulnerabilities using known attacks
• Can automatically try to exploit the vulnerabilities
[Diagram: Scanner -> Web Server -> Database]
Fuzzers
• Submit invalid and unexpected random data to the web application
• Evaluate how exceptions are handled
• Might unveil bugs in the application code
[Diagram: Fuzzer -> Web App]
Web Applications Mapping
Topics Covered:
• Web Applications Mapping
• Spiders
Web Applications Mapping
• Collect the info gathered in the analysis process
• Map each piece of info to the resource it belongs to
[Diagram: Lucas maps the findings to resources: Web Server (SW version, OS version, net info), Web App (language, …), Database]
Spiders
• Automatically send requests and interpret responses
• Create a map of the web application resources
[Diagram: Spider -> Web App -> Database]
Web Applications Attacks
Topics Covered:
• OWASP TOP 10 – 2013
• Additional Risks
Module 2–Chapter 2
The Game Changer
2.2 – Web Applications Attacks
• User input… Cannot be trusted!
[Diagram: Tommy, Heisenberg and Lucas each exchange Request/Response with the Web App]
OWASP TOP 10 - 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross Site Request Forgery (CSRF)
A9: Using Known Vulnerable Components
A10: Unvalidated Redirects and Forwards
A1: Injection
• Text-based attacks that exploit the syntax of the targeted interpreter
[Diagram: the attack payload reaches interpreters such as OS command, database (SQL), logs, XML, JavaScript (JS) and LDAP]
SQL Injections
• Database executes the code in the attacker payload
  SELECT * FROM Movies WHERE Title = a' OR 1 = 1 ORDER BY Year
  (annotated on the slide: a = data, ' = escape character, OR 1 = 1 = code)
[Diagram: Eisenberg types Title "a ' OR 1 = 1" (Year and Price left blank) into the Web Browser form; HTTP Request -> Web App -> SQL Query -> Database; SQL output -> HTTP Response dumps the table]
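The slide's query shows the user's text becoming code. The following is an added example (not from the deck) that builds the Movies query both ways against a constructed in-memory SQLite table: the string-concatenated version executes whatever the Title field contains, the parameterized version treats the same input as a plain string to compare against. The table contents and the trailing comment marker appended to the slide's input are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample table, standing in for the Movies table on the slide.
MOVIES = [("Alien", 1979, 9.99), ("Blade Runner", 1982, 12.50), ("Heat", 1995, 7.00)]

# The slide's input, with a SQL comment marker ("--") appended so that the closing
# quote the application adds after the input is discarded instead of dangling.
PAYLOAD = "a' OR 1 = 1 --"


def make_db():
    """In-memory SQLite database holding the constructed Movies rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Movies (Title TEXT, Year INTEGER, Price REAL)")
    conn.executemany("INSERT INTO Movies VALUES (?, ?, ?)", MOVIES)
    conn.commit()
    return conn


def build_unsafe_query(title):
    """Vulnerable: the user's text is spliced into the statement, so a quote in the
    input closes the literal and everything after it is parsed as SQL."""
    return f"SELECT Title, Year, Price FROM Movies WHERE Title = '{title}' ORDER BY Year"


def find_movies_unsafe(conn, title):
    return conn.execute(build_unsafe_query(title)).fetchall()


def find_movies_safe(conn, title):
    """Fixed: the statement text is constant; the value is bound through a
    placeholder, so the driver hands it to the engine as data only."""
    query = "SELECT Title, Year, Price FROM Movies WHERE Title = ? ORDER BY Year"
    return conn.execute(query, (title,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query(PAYLOAD))           # the "data" has become "code"
    print(len(find_movies_unsafe(db, PAYLOAD)))  # every row is dumped
    print(find_movies_safe(db, PAYLOAD))         # []: no title equals the payload text
    print(find_movies_safe(db, "Heat"))
```

The fix is not escaping quotes by hand but keeping data and code on separate channels: the query text never changes, only the bound value does. The same rule applies to the other interpreters on the A1 slide (OS commands, LDAP, XML): use the API that takes arguments separately from the command.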
A2: Broken Auth. and Session Management
• Attacker uses exposed credentials or session IDs to impersonate users
[Diagram: Tommy sends an HTTP Request to http://airline.com/login.html and the HTTP Response carries http://airline.com/?SESSIONID=03098301; Eisenberg then sends an HTTP Request for http://airline.com/?SESSIONID=03098301 to the Web App]
A3: Cross-Site Scripting (XSS)
• Attack payload stored in the application database (JavaScript injection)
• Reflected directly into the client
[Diagram: Eisenberg's HTTP Request stores the payload in the Web App; Tommy's HTTP Request receives an HTTP Response carrying it, and his Browser then issues an HTTP Request to Hackerland]
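Added example for the stored XSS case above (not from the deck): a constructed comment of the kind the slide describes is rendered into a page twice, once by pasting it in as markup and once with HTML encoding, and a small check confirms that the encoded rendering no longer carries script-bearing tags or inline event handlers. The comment text, the template and the check are assumptions made for the demonstration.

```python
import html
import re

# Constructed stored comment: a payload like the one on the slide, which would make
# every reader's browser fetch a script from Hackerland.
STORED_COMMENT = '<script src="http://hackerland.com/x.js"></script> nice movie!'

TEMPLATE = '<p class="comment">{body}</p>'


def render_unsafe(comment):
    """Vulnerable: stored data is inserted into the page as markup."""
    return TEMPLATE.format(body=comment)


def render_safe(comment):
    """Fixed: encode for the HTML text context so the browser displays the
    characters instead of parsing them; quote=True also covers attribute values."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


# Tags that execute or load code, plus inline on*= event handlers.
ACTIVE_CONTENT = re.compile(r"<\s*(script|iframe|object|embed|svg)\b|\bon\w+\s*=", re.I)


def contains_active_content(fragment):
    """Cheap check for a test suite or log review: does the rendered HTML still
    carry active content?"""
    return ACTIVE_CONTENT.search(fragment) is not None
```

Encoding has to match the context the data lands in (HTML text, attribute, URL, JavaScript string); `html.escape` covers the first two. A Content-Security-Policy that disallows scripts from unknown origins is the defence-in-depth layer that would also stop the request to Hackerland shown in the diagram.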
A4: Insecure Direct Object References
• Users able to access unauthorized files/data
[Diagram: Eisenberg requests http://mybank.com/?acct=1000 and receives its HTTP Response, then requests http://mybank.com/?acct=1001 and the Web App answers that one too]
A5: Security Misconfiguration
• Any component of any system not properly secured
• Default accounts, unpatched flaws, unprotected files and directories
[Diagram: Eisenberg's HTTP Requests reach the Web Server and the Database; components: Operating System, Web Server Software, Web App Technology]
A6: Sensitive Data Exposure
• Attacker gains access and retrieves sensitive data
• Stealing encryption keys or clear-text data
[Diagram: Eisenberg's HTTP Request -> Web App -> SQL Query -> Database (Encrypted Data); the HTTP Response returns Clear Text Data]
A7: Missing Function Level Access Control
• Private functions are not protected against unauthorized access
[Diagram: Eisenberg sends an HTTP Request for http://myportal.com/?action=search and then for http://myportal.com/?action=admin to the Web App]
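The A4 and A7 slides are the same mistake at two levels: trusting an identifier (`acct`) or a function name (`action`) taken from the URL. The following added example (not from the deck) routes the slides' own URLs through server-side checks: account access is tied to the owner recorded for the authenticated session, and the admin action is gated on a role. The account table, the user names and the admin set are constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed data: which user owns which account, and who holds the admin role.
ACCOUNT_OWNERS = {1000: "tommy", 1001: "lucas"}
ADMINS = {"alice_admin"}  # hypothetical admin account


@dataclass
class Session:
    """The authenticated identity, established server-side, never read from the request."""
    user: str


def view_account(session, acct):
    """A4 fix: an object id from the request is honoured only if the session's user
    owns it. Answering 404 for someone else's account also avoids confirming that
    the id exists."""
    owner = ACCOUNT_OWNERS.get(acct)
    if owner is None or owner != session.user:
        return 404, "not found"
    return 200, f"account {acct} of {owner}"


def run_action(session, action):
    """A7 fix: each function is authorised on the server at call time, whether or
    not the UI ever showed a link to it."""
    if action == "search":
        return 200, "search results"
    if action == "admin":
        if session.user not in ADMINS:
            return 403, "forbidden"
        return 200, "admin console"
    return 404, "unknown action"


def handle_request(session, url):
    """Route the slides' URLs (?acct=... and ?action=...) through the checks above."""
    params = parse_qs(urlsplit(url).query)
    if "acct" in params:
        try:
            acct = int(params["acct"][0])
        except ValueError:
            return 400, "bad account id"
        return view_account(session, acct)
    if "action" in params:
        return run_action(session, params["action"][0])
    return 404, "unknown request"
```

The ownership lookup belongs in one place (here `view_account`) so that every code path that exposes an account goes through it; hiding the admin link in the UI, as the A7 slide implies, is not a control.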
A8: Cross Site Request Forgery (CSRF)
• Attacker forges HTTP requests on behalf of the user
• Can be embedded in image tags, XSS, etc.
• Attack succeeds only if the user is authenticated
[Diagram: Tommy's Browser sends an HTTP Request to http://hackedwebsite.com; the HTTP Response is http://hackedwebsite.com/welcome.html, whose source reads:
  <html>….
  <img src=
  http://mybank.com/transfer?
  amm=1000&dest=1308921
  ……</html>
The Browser then sends an HTTP Request to http://mybank.com/transfer?amm=1000&dest=1308921 carrying the mybank.com session cookie]
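Added example (not from the deck) covering the A2 and A8 slides together: a session is issued as a cookie with protective attributes instead of a URL parameter like the airline.com SESSIONID, and the bank's `/transfer` endpoint rejects the `<img src=...>` request from welcome.html because it is a GET, comes from a foreign origin, and carries no per-session token. The in-memory session store, the request dictionary shape and the origin allowlist are assumptions for the demonstration.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}; constructed in-memory store
ALLOWED_ORIGINS = {"https://mybank.com"}  # assumed: the application's own origin


def start_session(user):
    """A2: a session id from a CSPRNG, delivered in a cookie rather than in the URL
    (where it ends up in logs, Referer headers and browser history, as on the
    airline.com slide). Returns (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    cookie = f"SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, cookie


def csrf_token(sid):
    """Token embedded in the bank's own transfer form; a page on hackedwebsite.com
    cannot read it, so it cannot be placed in the forged <img> request."""
    return SESSIONS[sid]["csrf"]


def transfer(request):
    """A8 checks for the /transfer endpoint. `request` is a constructed dict with
    the keys method, cookies, headers and form."""
    session = SESSIONS.get(request["cookies"].get("SESSIONID"))
    if session is None:
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "state changes require POST"  # an <img src=...> can only send GET
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(request["form"].get("csrf", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    amm, dest = request["form"]["amm"], request["form"]["dest"]
    return 200, f"{session['user']} transferred {amm} to {dest}"
```

`SameSite=Lax` makes the browser withhold the cookie from cross-site subresource requests such as the image in the slide, which is a browser-side layer; the server-side token check is what still holds when the cookie is sent anyway (older browsers, or a forged request launched from an XSS on the bank's own origin, as the second bullet notes).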
A9: Using Known Vulnerable Components
• Attacker scans, identifies, and exploits vulnerable modules of the web app
• Automated tools can be used
[Diagram: Eisenberg runs ZAP against the Web App]
A10: Unvalidated Redirects and Forwards
• Attackers redirect the victim to a specific website
[Diagram: Tommy's Browser sends an HTTP Request for http://shop.com/prod.jsp?p=120&dest=http://hackerland.com; the Web App's HTTP Response is "Redirect to http://hackerland.com", and the Browser's next HTTP Request goes to Hackerland]
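Added example (not from the deck) for the `dest` parameter in the slide's URL: the redirect target is rebuilt from its parsed parts and only ever points at the shop's own host, which also defeats the scheme-relative, backslash and userinfo variants that a naive "starts with our domain" check lets through. The site origin and host allowlist are assumptions; the host name is taken from the slide.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

SITE_HOST = "shop.com"           # host from the slide's URL (assumed to be the app's own)
ALLOWED_HOSTS = {SITE_HOST}      # assumed allowlist of hosts we will ever redirect to
SAFE_DEFAULT = f"https://{SITE_HOST}/"


def safe_redirect_target(dest):
    """Return an absolute https URL on the allowlisted host, or SAFE_DEFAULT for
    anything else: foreign hosts, scheme-relative (//host) forms, backslash
    variants, userinfo tricks (https://shop.com@evil) and non-https schemes."""
    if not dest:
        return SAFE_DEFAULT
    parts = urlsplit(dest.replace("\\", "/"))   # browsers treat \ as / in URLs
    if parts.scheme or parts.netloc:            # absolute or scheme-relative URL
        if parts.scheme not in ("", "https") or parts.hostname not in ALLOWED_HOSTS:
            return SAFE_DEFAULT
    elif not parts.path.startswith("/"):        # relative path: keep it rooted here
        return SAFE_DEFAULT
    # Rebuild from parsed parts so the result is our scheme and host, never the input string.
    return urlunsplit(("https", SITE_HOST, parts.path or "/", parts.query, parts.fragment))


def redirect_for(request_url):
    """Resolve the Location header for the slide's prod.jsp?p=120&dest=... request."""
    dest = parse_qs(urlsplit(request_url).query).get("dest", [""])[0]
    return safe_redirect_target(dest)
```

Where the application only ever needs a handful of destinations, the stronger design is to pass an index or name that is looked up in a server-side table, so no URL is accepted from the client at all.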
Additional Risks
Topics Covered:
• Clickjacking
• Application Denialof Service
• Information Leakage
Clickjacking
• Attacker hides clickable elements inside an iframe
• User unknowingly interacts with the attacker's page
[Diagram: Tommy's clicks on the Hackerland page produce an HTTP Request; info sent to http://hackerland.com]
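The defence against the iframe trick above is to tell the browser who may frame the page. The following added example (not from the deck) shows the two response headers that do this and a small audit function that classifies a response's framing policy from its headers, for use in a test suite or a scan of captured responses; the header dictionaries are constructed for the demonstration.

```python
# Headers the application should send: CSP frame-ancestors is the current
# mechanism, X-Frame-Options the fallback for older browsers.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def frame_protection(headers):
    """Classify a response's framing policy as 'deny', 'same-origin', 'allow-list'
    or 'none'. Header names are matched case-insensitively; when both headers are
    present, CSP frame-ancestors takes precedence, as browsers do."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "same-origin"
            return "allow-list"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "none"


def unprotected_responses(responses):
    """Given constructed (url, headers) pairs, list the URLs any site may frame."""
    return [url for url, headers in responses if frame_protection(headers) == "none"]
```

Pages that legitimately need to be embedded by a partner belong in the allow-list case with the partner's origin named explicitly; everything that carries a click with side effects (transfers, settings, consent) should be in the deny case.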
Application Denial of Service
• Attacker consumes all the available system resources
• Exhausting the web application can take down the entire system
• Attacker can target specific users or modules of a web application
• Common HTTP DoS attacks:
  • Slowloris: Slow HTTP Headers vulnerability
  • RUDY (R-U-Dead-Yet): Slow HTTP POST vulnerability
  • Slow-Read DoS attack
Information Leakage
• Web application reveals sensitive data regarding:
  • The web application itself
  • The hosting environment
  • User data, leaked into error responses
[Diagram: Eisenberg's HTTP Request to the Web App; HTTP Response: "503 – DB 192.168.0.23 unreachable"]
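Added example (not from the deck) for the error response on the slide: the database failure is logged server-side in full under a correlation id, while the client gets a generic message that only carries the id; a second function scans response bodies for the kinds of detail the slide warns about (internal addresses, stack traces, database errors), which is useful as a regression test or over captured responses. The failing query, the logger name and the patterns are assumptions for the demonstration.

```python
import logging
import re
import uuid

log = logging.getLogger("webapp")


class DbUnreachable(Exception):
    pass


def query_db():
    # Constructed failure standing in for the slide's unreachable database.
    raise DbUnreachable("DB 192.168.0.23 unreachable")


def handle(request_id=None):
    """Return (status, body). The exception text and stack trace go to the server
    log under a correlation id; the client receives only the id to quote to support."""
    rid = request_id or uuid.uuid4().hex
    try:
        return 200, query_db()
    except Exception as exc:
        log.error("request %s failed: %s", rid, exc, exc_info=True)
        return 503, f"Service temporarily unavailable (ref {rid})"


LEAK_PATTERNS = [
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                                    # IP addresses
    re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),  # stack traces
    re.compile(r"(?i)\b(?:SQLSTATE|ORA-\d{5}|syntax error)\b"),                     # DB engine errors
]


def leaks_internal_detail(body):
    """Detection check for a response body: does it expose environment detail?"""
    return any(pattern.search(body) for pattern in LEAK_PATTERNS)
```

The same split applies to the framework's own error pages and to verbose `Server`/`X-Powered-By` headers: detail belongs in logs that the operators read, not in responses that anyone can trigger.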

application security basics

2. Reconnaissance (Module 2 – Chapter 1)
Topics covered:
• Web Application Analysis
• Web Application Mapping

3. Web Applications Analysis (Module 2 – Chapter 1)
Topics covered:
• Wireshark
• Browser Plugins
• Proxies
• Scanners
• Fuzzers

4. Wireshark (2.1 – Reconnaissance)
• Profiles network traffic
• Captures raw traffic
• Packet analyzer

5. Browser Plugins (2.1 – Reconnaissance)
• Show/change how the browser interacts with the web application
• Popular plugins: TamperData, LiveHTTPHeaders
[Diagram: Browser <-> Web Server, Request and Response]

6. Proxies (2.1 – Reconnaissance)
• Control how data is exchanged between the browser and the web app
• Can tamper with virtually any request/response
[Diagram: Browser <-> Proxy <-> Web Server, Request and Response on each hop]

7. Scanners (2.1 – Reconnaissance)
• Attempt to find vulnerabilities using known attacks
• Can automatically try to exploit the vulnerabilities
[Diagram: Scanner -> Web Server -> Database]

8. Fuzzers (2.1 – Reconnaissance)
• Submit invalid and unexpected random data to the web application
• Evaluate how exceptions are handled
• Might unveil bugs in the application code
[Diagram: Fuzzer -> Web App]

9. Web Applications Mapping (2.1 – Reconnaissance)
Topics covered:
• Web Applications Mapping
• Spiders

10. Web Applications Mapping (2.1 – Reconnaissance)
• Collect the info gathered in the analysis process
• Map each piece of info to the appropriate resource
[Diagram: Lucas -> Web Server (SW version, OS version, net info) -> Web App (language, ...) -> Database]

11. Spiders (2.1 – Reconnaissance)
• Automatically send requests and interpret responses
• Create a map of the web application resources
[Diagram: Spider -> Web App -> Database]

12. Web Applications Attacks (Module 2 – Chapter 2)
Topics covered:
• OWASP TOP 10 – 2013
• Additional Risks

13. The Game Changer (2.2 – Web Applications Attacks)
• User input... cannot be trusted!
[Diagram: Tommy, Heisenberg and Lucas exchange Requests and Responses with the Web App]

14. OWASP TOP 10 – 2013 (2.2 – Web Applications Attacks)
• A1: Injection
• A2: Broken Authentication and Session Management
• A3: Cross-Site Scripting (XSS)
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross-Site Request Forgery (CSRF)
• A9: Using Known Vulnerable Components
• A10: Unvalidated Redirects and Forwards

15. A1: Injection (2.2 – Web Applications Attacks)
• Text-based attacks that exploit the syntax of the targeted interpreter
[Diagram: attack payload reaching different interpreters: OS command, database, logs, XML, JavaScript, LDAP]

16. SQL Injections (2.2 – Web Applications Attacks)
• The database executes the code in the attacker's payload
[Diagram: Eisenberg's Web Browser form (Title: a' OR 1 = 1, Year, Price) -> HTTP Request -> Web App -> SQL Query -> Database -> SQL output (dump) -> HTTP Response (dump). Query shown: SELECT * FROM Movies WHERE Title = a' OR 1 = 1 ORDER BY Year, annotated to show the data ("a"), the escape character (') and the injected code ("OR 1 = 1")]
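A runnable version of the slide's Movies query, added here and not part of the deck: the table and its rows are constructed, the vulnerable lookup pastes the Title field into the SQL text, and the fixed lookup binds it as a parameter so the database treats the quote as data.

```python
import sqlite3

# Constructed sample table (not from the slides).
MOVIES = [("Alien", 1979, 9.99), ("Blade Runner", 1982, 12.50), ("Heat", 1995, 7.00)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Movies (Title TEXT, Year INTEGER, Price REAL)")
    conn.executemany("INSERT INTO Movies VALUES (?, ?, ?)", MOVIES)
    return conn


def search_unsafe(conn: sqlite3.Connection, title: str) -> list:
    # Vulnerable: the Title field is pasted into the query text, so the quote
    # in the input ends the string literal and the rest runs as SQL code.
    sql = f"SELECT Title, Year, Price FROM Movies WHERE Title = '{title}' ORDER BY Year"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, title: str) -> list:
    # Fixed: the query structure is sent with a placeholder and the Title value
    # is bound separately, so the input is never parsed as SQL.
    sql = "SELECT Title, Year, Price FROM Movies WHERE Title = ? ORDER BY Year"
    return conn.execute(sql, (title,)).fetchall()


# The slide's payload: "a" is data, the quote is the escape character and
# "OR 1 = 1" is code; "--" comments out the application's own trailing quote.
PAYLOAD = "a' OR 1 = 1 --"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", search_unsafe(db, PAYLOAD))  # every row comes back (dump)
    print("safe:  ", search_safe(db, PAYLOAD))    # no row has that literal title
```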
17. A2: Broken Auth. and Session Management (2.2 – Web Applications Attacks)
• Attacker uses exposed credentials or session IDs to impersonate users
[Diagram: Tommy -> HTTP Request http://airline.com/login.html -> Web App -> HTTP Response http://airline.com/?SESSIONID=03098301; Eisenberg -> HTTP Request http://airline.com/?SESSIONID=03098301 -> Web App]

18. A3: Cross-Site Scripting (XSS) (2.2 – Web Applications Attacks)
• Attack payload stored in the application database (JavaScript injection)
• Or reflected directly into the client
[Diagram: Eisenberg -> HTTP Request -> Web App; Tommy's Browser -> HTTP Request -> Web App -> HTTP Response; Browser -> HTTP Request -> Hackerland]

19. A4: Insecure Direct Object References (2.2 – Web Applications Attacks)
• Users able to access unauthorized files or data
[Diagram: Eisenberg -> HTTP Request http://mybank.com/?acct=1000 -> Web App -> HTTP Response for acct=1000; HTTP Request http://mybank.com/?acct=1001 -> Web App -> HTTP Response for acct=1001]

20. A5: Security Misconfiguration (2.2 – Web Applications Attacks)
• Any component of any system not properly secured
• Default accounts, unpatched flaws, unprotected files and directories
[Diagram: Eisenberg -> HTTP Request -> Web Server -> Database; components: Operating System, Web Server Software, Web App Technology]

21. A6: Sensitive Data Exposure (2.2 – Web Applications Attacks)
• Attacker gains access and retrieves sensitive data
• Stealing encryption keys or clear-text data
[Diagram: Eisenberg -> HTTP Request -> Web App -> SQL Query -> Database (Encrypted Data) -> HTTP Response (Clear Text Data)]

22. A7: Missing Function Level Access Control (2.2 – Web Applications Attacks)
• Private functions are not protected against unauthorized access
[Diagram: Eisenberg -> HTTP Request http://myportal.com/?action=search -> Web App; HTTP Request http://myportal.com/?action=admin -> Web App]

23. A8: Cross Site Request Forgery (CSRF) (2.2 – Web Applications Attacks)
• Attacker forges HTTP requests on behalf of the user
• Can be embedded in image tags, XSS, etc.
• Attack succeeds only if the user is authenticated
[Diagram: Tommy's Browser -> HTTP Request http://hackedwebsite.com -> Hackerland -> HTTP Response http://hackedwebsite.com/welcome.html; welcome.html contains <html>... <img src=http://mybank.com/transfer?amm=1000&dest=1308921> ...</html>; Browser -> HTTP Request http://mybank.com/transfer?amm=1000&dest=1308921 (with the mybank.com session cookie) -> Web App]
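One way the transfer endpoint from the slide can refuse the forged request, added here as an example and not part of the deck: the handler only accepts POST (an <img> tag can only issue GET) and requires a session-bound token that a page on another origin cannot read. `handle_transfer`, the dict-shaped request/session objects and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key (constructed here; one per deployment).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    # Bind the token to the session so a token from one user is useless to another.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict, session: dict) -> str:
    """Toy request handler: `request` and `session` are plain dicts standing in
    for a web framework's objects. Returns a short status string."""
    # A request triggered by an <img> tag is always a GET, so a state-changing
    # action must only be accepted on POST.
    if request.get("method") != "POST":
        return "rejected: state change requires POST"
    form = request.get("form", {})
    expected = csrf_token_for(session["id"])
    # Constant-time compare. The browser attaches the mybank.com cookie to any
    # request, but a page on hackedwebsite.com cannot read this token to send it.
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "rejected: missing or invalid CSRF token"
    return f"ok: transfer {form['amm']} to {form['dest']}"


if __name__ == "__main__":
    session = {"id": "tommy-session-1"}  # looked up from the session cookie
    forged = {"method": "GET", "form": {"amm": "1000", "dest": "1308921"}}
    print(handle_transfer(forged, session))
    legit = {"method": "POST", "form": {"amm": "1000", "dest": "1308921",
                                        "csrf_token": csrf_token_for(session["id"])}}
    print(handle_transfer(legit, session))
```

Marking the session cookie with a SameSite attribute adds a second, browser-enforced layer, but the token check is what the server itself can verify.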
24. A9: Using Known Vulnerable Components (2.2 – Web Applications Attacks)
• Attacker scans, identifies, and exploits vulnerable modules of the web app
• Automated tools can be used
[Diagram: Eisenberg -> ZAP -> Web App]

25. A10: Unvalidated Redirects and Forwards (2.2 – Web Applications Attacks)
• Attackers redirect the victim to a specific website
[Diagram: Tommy's Browser -> HTTP Request http://shop.com/prod.jsp?p=120&dest=http://hackerland.com -> Web App -> HTTP Response: redirect to http://hackerland.com; Browser -> HTTP Request -> Hackerland -> HTTP Response]
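A validator for the `dest` parameter from the slide, added here as an example and not the deck's code: it accepts only local paths or URLs on an allowlist of the shop's own hosts (the allowlist and `safe_redirect_target` are constructed for the example) and falls back to a default page otherwise, so `dest=http://hackerland.com` never becomes a redirect.

```python
from urllib.parse import urlsplit

# Hosts the shop may send users to (constructed for the example).
ALLOWED_HOSTS = {"shop.com", "www.shop.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(dest: str) -> str:
    """Return `dest` if it is a local path or points at an allowed host,
    otherwise the default landing page."""
    if not dest or "\\" in dest or "\r" in dest or "\n" in dest:
        # Some browsers treat a backslash as a slash; CR/LF in a Location
        # value would let the parameter inject extra response headers.
        return DEFAULT_TARGET
    parts = urlsplit(dest)
    if parts.scheme not in ("", "http", "https"):
        return DEFAULT_TARGET  # e.g. javascript: or data: URLs
    if parts.netloc == "":
        # Relative target: require exactly one leading slash so that a
        # scheme-relative form like "//host" is never passed through.
        if dest.startswith("/") and not dest.startswith("//"):
            return dest
        return DEFAULT_TARGET
    # Absolute URL: the host must be on the allowlist and carry no userinfo
    # (a "trusted@attacker" prefix would otherwise look like the trusted host).
    if parts.hostname in ALLOWED_HOSTS and parts.username is None:
        return dest
    return DEFAULT_TARGET


if __name__ == "__main__":
    # The value from the slide's URL and a few variants a validator must handle.
    for d in ["http://hackerland.com", "//hackerland.com", "/checkout?p=120",
              "http://shop.com/cart", "http://hackerland.com@shop.com/"]:
        print(f"{d!r:40} -> {safe_redirect_target(d)!r}")
```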
26. Additional Risks (Module 2 – Chapter 2)
Topics covered:
• Clickjacking
• Application Denial of Service
• Information Leakage

27. Clickjacking (2.2 – Web Applications Attacks)
• Attacker hides clickable elements inside an iframe
• User unknowingly interacts with the attacker's page
[Diagram: Tommy -> HTTP Request -> Hackerland; info sent to http://hackerland.com]

28. Application Denial of Service (2.2 – Web Applications Attacks)
• Attacker consumes all the available system resources
• A denial of service against the web application can take down the entire system
• Attacker can target specific users or modules of a web application
• Common HTTP DoS attacks:
  • Slowloris: slow HTTP headers vulnerability
  • RUDY (R-U-Dead-Yet): slow HTTP POST vulnerability
  • Slow-Read DoS attack

29. Information Leakage (2.2 – Web Applications Attacks)
• The web application reveals sensitive data regarding:
  • the web application itself
  • the hosting environment
  • user data, in error responses
[Diagram: Eisenberg -> HTTP Request -> Web App -> HTTP Response: 503 – DB 192.168.0.23 unreachable]