The document discusses web application security and summarizes the top 10 security issues according to OWASP (Open Web Application Security Project). It provides details on each issue, including examples, prevalence, impact, and recommendations for prevention. The top issues are injection, XSS, broken authentication and session management, insecure direct object references, CSRF, security misconfiguration, failure to restrict URL access, unvalidated redirects, insecure cryptographic storage, and insufficient transport layer protection.
Keeping your web application secure is an ongoing process - new classes of vulnerabilities are discovered with surprising frequency, and if you don't keep on top of them you could be in for a nasty surprise. This talk will discuss both common and obscure vulnerabilities, with real-world examples of attacks that have worked against high profile sites in the past.
At Tuenti, we do two code pushes per week, sometimes modifying thousands of files and running thousands of automated tests and build operations before, to ensure not only that the code works but also that proper localization is applied, bundles are generated and files get deployed to hundreds of servers as fast and reliable as possible.
We use opensource tools like Mercurial, MySQL, Jenkins, Selenium, PHPUnit and Rsync among our own in-house ones, and have different development, testing, staging and production environments.
We had to fight with problems like statics bundling and versioning, syntax errors and of course the fact that we have +100 engineers working on the codebase, sometimes merging and releasing more than a dozen branches the same day. We also switched from Subversion to Mercurial to obtain more flexibility and faster branching operations.
With this talk we will explain the process of how code changes in our code repository end up in live code, detailing some practices and tips that we apply.
Mitigating Java Deserialization attacks from within the JVM (improved version) - Apostolos Giannakidis
This deck contains a few improvements based on received feedback, such as the addition of links and reworded some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
Security Vulnerabilities: How to Defend Against Them - Martin Vigo
In recent years it became the norm to wake up to news about hackers, cyber attacks, ransom campaigns and NSA. Since 2003 the Open Web Application Security Project (OWASP) is the go-to reference to learn more about security vulnerabilities. OWASP published a list of the Top 10 most common security issues for Web.
In this talk, we will review the list to learn the details and discuss how to harden and defend our Web applications from those vulnerabilities. If you care about your product and customer's data, want to become a better developer or are simply interested in the kind of cyber attacks delinquents use to compromise websites, this talk is for you.
Introduction to Web Application Security - Blackhoodie US 2018 - Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
Truetesters presents OWASP Top 10 Web Vulnerability - TrueTesters
This article highlights the OWASP top ten vulnerabilities. It also shows how to protect yourself from these vulnerabilities and gives a few real-world examples of companies affected by them.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
See the improved version: https://www.slideshare.net/ApostolosGiannakidis/mitigating-java-deserialization-attacks-from-within-the-jvm-improved-version
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
apidays LIVE Australia 2021 - Levelling up database security by thinking in A... - apidays
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
Presentation on Top 10 Vulnerabilities in Web Application - Md Mahfuzur Rahman
In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project).
--The top 10 security mistakes that developers make
--How to design software with an assurance of security
At Tuenti, we do 3 code pushes per week, sometimes modifying thousands of files and running thousands of automated tests and build operations before, to ensure not only that the code works but also that proper localization is applied, bundles are generated and files get deployed to hundreds of servers as fast and reliable as possible.
We use opensource tools like Mercurial, MySQL, Jenkins, Selenium, PHPUnit and Rsync among our own in-house ones, and have different development, testing, staging and production environments.
We had to fight with problems like statics bundling and versioning, syntax errors and of course the fact that we have +100 engineers working on the codebase, merging and releasing more than 15 branches the same day. We also switched from Subversion to Mercurial to obtain more flexibility and faster branching operations.
With this talk we will explain the process of how code changes in our code repository end up in live code, detailing some practices and tips that we apply, problems we had and how we solved them.
Erik Schultink's closing keynote at FICOD 2011. He discusses the history of Tuenti, lessons learned along the way, our view of opportunity in the Mobile Web ecosystem today, and the vision of TU addressing that opportunity.
Tuenti Mobile by Davide Mendolia
Mobile devices are becoming one of the most used platforms to connect to the Internet. At Tuenti we are putting a focus on mobile platforms through applications and mobile web; discover how we are building m.tuenti.com.
We use a palette of technologies like mobile device detection and capabilities on the server and the client side that help us serve different versions, such as plain HTML or HTML5.
We show how we try to bring the best user experience to every device, adapting the possible interactions based on the features or limitations of each of them.
The presentation starts with some basic theory on types. Later, different classifications for type systems are described, with the static/dynamic and strong/weak dimensions the ones we spend more time on.
The third topic addressed is how the mix of polymorphism with covariance and descendant hiding affects the type system, and what new problems arise and have to be addressed by the type system.
We finished the presentation with a discussion about pros and cons of the PHP type system.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Generating a custom Ruby SDK for your web service or Rails API using Smithy - g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
3. Web App security
● Anonymous attackers
● Worldwide access
● Shared environment for all users
● Easy distribution, profitable
● On top of all other components security:
○ Network security
○ OS security
○ Server software security
○ Social Engineering
○ Even more! browsers, plugins, viruses, user computer security, shared computers, open wifis...
5. Web App security
Humans (developers) are the biggest risk
Give tools, frameworks & policies so no developer ever has to think about how to secure things up. The secure way should be clear and the easiest path.
But there is no perfect security...
7. Top 10 security issues in webapps
From OWASP (risks != frequency)
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
8. Top 10 security issues in webapps
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
9. 1. Injection flaws
Trick services into executing unintended commands to gain control or access unauthorized data.
● Several types:
○ SQL
○ OS execution
○ LDAP
○ XPath
○ NoSQL
○ uploads
10. 1. Injection flaws
● Exploitability: EASY
● Prevalence: COMMON
● Detectability: AVERAGE
● Impact: SEVERE
● Prevention:
○ Keep untrusted data separate from commands
● How:
○ Use safe, parameterized APIs instead of writing code to be executed by an interpreter.
○ Escape special chars depending on the interpreter.
○ Data casts, whitelist input validation.
11. 1. Injection flaws: SQL
● http://example.com/?id=' or '1'='1
● Explicit cast, escaping IN-PLACE
○ mysqli_escape_string()
○ ...
● Use prepared statements
○ Provides data separation
○ Client-side implementations (PDO)
○ SELECT * FROM table where id=?
● Use safe apis for query generation
○ $mysqlService->select($table, $pk, $fields, $where...)
● Safe ORM framework
○ $storage->read($keys);
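The three defences listed on this slide, side by side, as an added example (not code from the deck or from Tuenti). It runs the deck's `' or '1'='1` input through a string-built query, an explicit cast and a PDO prepared statement against an in-memory SQLite table, so it runs offline; the schema, rows and function names are constructed for the demo.

```php
<?php
// Added example, not from the original deck: the same lookup written three
// ways against an in-memory SQLite database. Schema and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$db->exec("INSERT INTO photos VALUES (1, 'alice', 'beach'), (2, 'bob', 'mountain')");

// 1. Vulnerable: untrusted input is glued into the SQL text, so with the
//    slide's input the WHERE clause turns into a condition that is always true
//    and the whole table comes back.
function findVulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, title FROM photos WHERE id='" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Explicit cast: whatever was sent, only an integer reaches the query.
function findByCast(PDO $db, string $id): array {
    $sql = 'SELECT id, title FROM photos WHERE id=' . (int) $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value travels separately from the query text,
//    so the database never parses the input as SQL.
function findPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT id, title FROM photos WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "' or '1'='1";   // the input from slide 11
foreach (['findVulnerable', 'findByCast', 'findPrepared'] as $fn) {
    printf("%-15s hostile input -> %d row(s)\n", $fn, count($fn($db, $hostile)));
}
// The legitimate lookup still works through the prepared statement.
print_r(findPrepared($db, '1'));
```

The cast works here only because the key is numeric; for free-text parameters the prepared statement is the only general answer, which is why the deck recommends it (and safe query-building APIs on top of it) over in-place escaping.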
12. 1. Injection flaws: OS
● Don't use OS execution :)
● Escape
○ escapeshellarg
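An added example (not from the deck) of the fallback when OS execution cannot be avoided: whitelist the input first, then escape every argument anyway. The command name, its flags and the function name are assumptions; the command string is only built, never executed.

```php
<?php
// Added example, not from the original deck: build an image-resize command
// safely. convert(1) and its flags are assumptions; nothing is executed here.

function thumbnailCommand(string $filename, int $width): string {
    // 1. Whitelist first: only a conservative character set and known image
    //    extensions, so shell-significant characters never get this far.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}\.(jpe?g|png)$/D', $filename)) {
        throw new InvalidArgumentException('invalid file name');
    }
    // 2. Escape every argument regardless (defence in depth): escapeshellarg()
    //    wraps the value in single quotes and neutralises embedded quotes, so
    //    the value can only ever be one argument of the command.
    return 'convert ' . escapeshellarg($filename)
         . ' -resize ' . escapeshellarg($width . 'x')
         . ' ' . escapeshellarg('thumb_' . $filename);
}

echo thumbnailCommand('beach.jpg', 200), "\n";

try {
    // A name carrying shell metacharacters is stopped by the whitelist.
    thumbnailCommand('beach.jpg; echo injected', 200);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Even without the whitelist, the escaped form stays a single quoted argument.
echo escapeshellarg('beach.jpg; echo injected'), "\n";
```

The whitelist is the real control; escapeshellarg() covers the arguments but not, for example, an option-looking value such as a name beginning with a dash, which the regex above also rejects.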
13. 1. Injection flaws: uploads
● Don't put them on public folder
● Don't use user-provided data for names
● Whitelist extensions
● Validate content
● Store separately from the app (DB, separate servers)
● Ensure write permissions are the minimum possible
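The six rules of this slide applied to a received file, as an added example (not code from the deck or from Tuenti). storeUpload() takes a file already on disk (in a real handler `$_FILES['photo']['tmp_name']`, moved with move_uploaded_file()); the storage directory, size limits and function names are assumptions, and the two sample files are constructed inline.

```php
<?php
// Added example, not from the original deck: an upload handler that decides
// by content, names the file itself and stores it outside the web root.
// Directory, limits and names are assumptions; sample files are constructed.

const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];  // whitelist: detected type => extension

function storeUpload(string $tmpPath, string $uploadDir): string {
    // 1. Decide the type from the bytes, never from the client's file name or
    //    Content-Type; anything outside the whitelist is rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // 2. Validate the content: it must decode as an image of sane dimensions
    //    and the image decoder must agree with libmagic about the type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime || $info[0] > 8192 || $info[1] > 8192) {
        throw new RuntimeException('rejected: not a valid image');
    }
    // 3. Server-generated name; no user-provided data reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // 4. Store outside the web root, in a directory the web server does not serve.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = $uploadDir . '/' . $name;
    if (!rename($tmpPath, $dest)) {          // move_uploaded_file() in a real handler
        throw new RuntimeException('cannot store file');
    }
    // 5. Minimum permissions: owner read/write, group read, no execute bit.
    chmod($dest, 0640);
    return $name;
}

// Constructed inputs: a real 1x1 PNG, and a PHP script posing as an upload.
// The extension of the temp file is irrelevant: only the bytes are examined.
$uploadDir = sys_get_temp_dir() . '/demo-uploads';
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image'; ?>");

foreach ([$png, $fake] as $file) {
    try {
        echo 'stored as ', storeUpload($file, $uploadDir), "\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Serving the stored files back should go through a download endpoint that sets the content type from the whitelisted extension, so the "don't put them in a public folder" rule holds even when the files are later displayed.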
14. Top 10 security issues in webapps
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
15. 2. XSS
Trick services into returning browser-executable code to users.
● Several classifications:
○ Breaking context vs sub-context
○ Persistent vs non-persistent
○ Traditional vs DOM
16. 2. XSS
● Exploitability: AVERAGE
● Prevalence: WIDESPREAD
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Escape untrusted data depending on context
○ HTTP-Only Cookie mitigation is useless
● How:
○ Escape everything (even safe vars)
○ Escape in TEMPLATES (context aware)
○ Other (URL params) in specialized safe apis
○ Unit test
17. 2. XSS: Classification by context
● Breaking context:
○ <a href="?id<?=$_GET['id']?>">
○ "<script> ...
○ Easy to detect & test
■ Unit-test templates with all injections for all vars and validate the HTML
● Non breaking context:
○ <a href="<?=$_GET['url']?>">
○ javascript: ...
○ HARD TO DETECT
18. 2. XSS: Classification by persistence
● Persistent
○ Data gets stored in the DB
○ Users are hit by regular navigation
○ Easier to test (templates)
● Non-persistent
○ A request with some params returns XSS
○ Users need to be tricked into navigating to the malicious link
○ More frequent (No results for 'blah')
○ Somewhat harder to test (cover error messages, non-template based responses)
19. 2. XSS: Classification by mode
● Traditional
○ Exploits only the browser's HTML parsing
○ Easy to test
● DOM
○ Exploits the page's own JS
■ data from the server injected into the DOM
● Use innerText
● Do not compose HTML in JS
■ data parsed from the URI or forms treated as 'safe'
○ Pretty hard to test. Avoid misuse, provide safe APIs.
20. 2. XSS
@tuenti
● Escape on templates
● Escape everything, even what doesn't need to be escaped:
○ <?=View::escape_unsafe($html)?>
● Link generation framework
● Tests for templates, controllers
21. 2. XSS: HTML
● Never put untrusted data in:
○ <script> contents
○ HTML comments
○ tag/attribute names
○ <style> contents
● Contexts: Content, attributes, url params,
urls, js...
● Rich formatting
○ Use an alternative markup language
■ Markdown
■ Textile
○ Filter HTML (whitelisting, careful!!!)
22. 2. XSS: JS
● Encode with \xNN escapes (" might break HTML that is parsed before the JS)
● Prefer reading values from the DOM
● URL pieces are not safe
● Beware of double context: setInterval('...'), eval()
23. 2. XSS: JSON
● Easy to escape (single context)
● Can put the load on the browser (harder to test)
● Avoid mixing contexts (JSON on HTML, or JSON with/for HTML)
● Eval'ing JSON as JS can trigger JS execution
○ Safe, full JSON encoding in the server (never use half-baked JSON templates!!!)
○ Use the slow json-parse.js vs json.js regexp validation
● Be aware of context. content-type!
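One escaping helper per output context named in slides 17 to 23, as an added example (not code from the deck or from Tuenti's framework). It renders the two slide-17 inputs (the breaking-context `"><script>` value and the non-breaking `javascript:` URL) through the helpers and emits a JSON response with full server-side encoding and an explicit content type. Helper names are assumptions; the inputs are constructed.

```php
<?php
// Added example, not from the original deck: context-aware escaping helpers
// for HTML text, attributes, URLs, URL params, <script> values and JSON
// responses. Names are assumptions; the inputs below are constructed.

// Text content and quoted attribute values.
function escHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href/src values: an escaped "javascript:" URL still runs when clicked, so
// escaping alone is not enough in this sub-context. Only http(s) URLs and
// site-relative paths pass; everything else becomes an inert "#".
function escUrl(string $url): string {
    if (!preg_match('#^(https?://|/(?!/))#i', $url)) {
        return '#';
    }
    return escHtml($url);
}

// URL parameters: percent-encoded by http_build_query(), then escaped for the
// attribute the link lands in (the deck's "link generation framework" idea).
function buildLink(string $path, array $params): string {
    return escHtml($path . '?' . http_build_query($params));
}

// Values embedded inside a <script> block: JSON-encode with the HEX flags so
// that <, >, &, ' and " can never close the script block or break the HTML
// that is parsed before the JS runs.
function escJs($value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A JSON endpoint: full encoding in the server and an explicit content type,
// so the browser never interprets the body as HTML.
function jsonResponse(array $data): string {
    if (PHP_SAPI !== 'cli') {
        header('Content-Type: application/json; charset=utf-8');
    }
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR);
}

function renderDemo(): string {
    $id  = '"><script>alert(1)</script>';  // constructed breaking-context input
    $url = 'javascript:alert(1)';          // constructed non-breaking-context input
    return '<a href="' . buildLink('/photo', ['id' => $id]) . '">' . escHtml($id) . '</a>' . "\n"
         . '<a href="' . escUrl($url) . '">home</a>' . "\n"
         . '<script>var id = ' . escJs($id) . ';</script>' . "\n";
}

echo renderDemo();
echo jsonResponse(['query' => '<b>blah</b>', 'results' => []]), "\n";
```

Each helper is tied to one context, which is what makes "escape everything in templates" testable: a template test can inject the same hostile strings through every variable and check that the rendered output still parses as the intended HTML.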
24. Top 10 security issues in webapps
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
25. 3. Auth & Session
Attack authentication and sessions to gain
control over an account.
● Passwords
● Session issues
26. 3. Auth & Session
● Exploitability: AVERAGE
● Prevalence: COMMON
● Detectability: AVERAGE
● Impact: SEVERE
● Prevention:
○ SSL, good session handling, detect auth brute force, avoid plain text passwords, strong password recovery, user session controls (logout, history, close all), detect anomalous login patterns...
27. 3. Auth & Session
● Passwords
○ Use SSL or digest auth
○ Enforce good passwords and rotation
○ Store passwords securely (constant-time salted hashes)
○ Fight phishing (easy URL, educate users)
● Authentication
○ Don't make distinctions between bad login / password
○ Reset to hide real logins, time-limited tokens, old password invalidates resets
○ Detect brute force, lock accounts
○ Watch misconfigurations
○ Especially on admin, secondary platforms
28. 3. Auth & Session
● Sessions
○ Random IDs, >= 128 bit
○ Use SSL
○ Use secure=yes, httponly for cookies
○ No session fixation
○ No session IDs in URLs
○ Change session ID on privilege escalation or switch between http->https
○ Expiration
○ Offer logout, history, close all
○ Do not send cookies to CDNs, non-principal sites
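The password rules of slide 27 and the session rules of slide 28 in code, as an added example (not from the deck or from Tuenti). The user table is an in-memory array and the function names are assumptions; hardenSession() and onSuccessfulLogin() show the web-handler side and are not executed in the CLI demo.

```php
<?php
// Added example, not from the original deck: password storage, a login check
// that does not reveal which logins exist, and session cookie/id hardening.
// The user table is constructed; function names are assumptions.

// bcrypt via password_hash(): a random per-user salt and a deliberately slow
// hash, so a leaked table cannot be cracked quickly.
function hashPassword(string $plain): string {
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// One answer for "no such user" and "wrong password", and the same hashing
// work in both cases, so neither the message nor the timing distinguishes them.
function login(array $users, string $login, string $password, string $dummyHash): bool {
    $stored = $users[$login] ?? $dummyHash;   // unknown user still verifies against a real hash
    $ok = password_verify($password, $stored);
    return $ok && isset($users[$login]);
}

// Cookie and session-id settings for the web handler; call instead of a bare
// session_start(). Not executed in this CLI demo.
function hardenSession(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; server-side expiration does the rest
        'path'     => '/',
        'domain'   => '',       // this host only, never a CDN or sibling site
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JS
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (no fixation)
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    // PHP 7.1+ default ids (32 hex chars from the CSPRNG) already give the slide's 128 bits.
    session_start();
}

// Login is a privilege change: issue a fresh id so a pre-login id is worthless.
function onSuccessfulLogin(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $_SESSION['login_at'] = time();
}

$dummyHash = hashPassword('not-a-real-password');          // computed once at startup
$users = ['alice' => hashPassword('correct horse battery staple')];

var_dump(login($users, 'alice', 'correct horse battery staple', $dummyHash)); // right password
var_dump(login($users, 'alice', 'wrong password', $dummyHash));               // wrong password
var_dump(login($users, 'mallory', 'anything', $dummyHash));                   // unknown login, same path
```

Brute-force detection and account locking from the slide sit in front of login(): count failures per account and per source before calling it, so the slow hash is not the only thing rate-limiting an attacker.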
29. Top 10 security issues in webapps
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
30. 4. Direct object references
Apps usually map backend objects to URLs. An attacker might bypass privacy and authentication by accessing resources directly if the app doesn't do the appropriate checks.
● Trusted params
● Images
31. 4. Direct object references
● Exploitability: EASY
● Prevalence: COMMON
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Properly check privacy on all objects
○ Good policy on where to put the privacy check
○ Do not trust params. Sign params is an option
○ Hide real db keys (show pos X in search Y, /me)
○ Make urls hard to guess
33. 4. Direct object references
● Never check privacy on controllers
● Never check privacy on storage layer
● Privacy in backend api methods
○ With entry point documentation
○ Clear responsibility for privacy!
○ Most of the time implicit with good api design
○ Good performance
○ Easy to use privacy framework
34. 4. Direct object references
● Documentation
/*
* @epoint-changes-state YES
* @epoint-privacy-control IMPLICIT
* - Only deletes current user tag if exists.
* @epoint-summary Deletes the current user's tag on a photo
*...
*/
public function deleteMyTag($photoKey) {
$userId = CurrentUser::getId();
...
35. 4. Direct object references
● Privacy framework api
○ TPrivacy::hasAnyOf / hasAllOf
○ + Privacy providers
if (TPrivacy::hasAnyOf(
CurrentUser::getId() == $photoOwner,
array('TagApi', TagApi::IS_TAGGED, $photoKey),
array('...
...
)) {
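Added example (Python, not Tuenti's PHP code) tying the two preceding slides together: a signed request parameter so the client cannot swap the photo key, a tiny hasAnyOf-style privacy framework, a backend API method that owns the privacy check, and a controller that only unwraps the parameter and delegates. The signing key, the photo data and the function names are constructed for the example.

```python
import hashlib
import hmac

# Assumption: a server-side secret; in production keep it out of the code base.
SIGNING_KEY = b"constructed-demo-key"

# Constructed sample backend data: photo key -> owner and tagged user ids.
PHOTOS = {
    "photo-1001": {"owner": 1, "tagged": {1, 2}},
    "photo-1002": {"owner": 3, "tagged": {2}},
}


def _mac(value):
    return hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]


def sign_param(value):
    """Emit 'value.mac' so the client cannot alter the key it hands back."""
    return "%s.%s" % (value, _mac(value))


def verify_param(signed):
    """Return the original value, or None if the signature is missing or wrong."""
    value, sep, mac = signed.rpartition(".")
    if not sep or not value:
        return None
    if not hmac.compare_digest(mac, _mac(value)):
        return None
    return value


# --- privacy framework: small predicates combined like hasAnyOf / hasAllOf ---

def has_any_of(*checks):
    return any(check() for check in checks)


def has_all_of(*checks):
    return all(check() for check in checks)


def is_owner(user_id, photo_key):
    return PHOTOS[photo_key]["owner"] == user_id


def is_tagged(user_id, photo_key):
    return user_id in PHOTOS[photo_key]["tagged"]


# --- backend API: the privacy check lives here, once, for every caller ---

def delete_my_tag(current_user, photo_key):
    """Removes current_user's tag from a photo. Privacy is IMPLICIT: a user may
    touch the tag only on a photo they own or are tagged in.
    Returns True when deleted, False when the caller is not allowed."""
    if photo_key not in PHOTOS:
        return False  # unknown and forbidden look the same to the caller
    if not has_any_of(lambda: is_owner(current_user, photo_key),
                      lambda: is_tagged(current_user, photo_key)):
        return False
    PHOTOS[photo_key]["tagged"].discard(current_user)
    return True


# --- controller: unwraps the request parameter and delegates; no privacy logic ---

def delete_tag_controller(current_user, signed_photo_ref):
    photo_key = verify_param(signed_photo_ref)
    if photo_key is None:
        return False  # tampered or hand-crafted reference
    return delete_my_tag(current_user, photo_key)
```

Because the check sits in delete_my_tag, every controller, batch job or internal caller gets it for free, which is the "clear responsibility" point of the slide; the signature on the parameter is an extra layer, not a replacement for that check.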
37. 5. CSRF
Cross site request forgery [CSFR in tuenti :)]
Trick an authenticated user into submitting requests to
a service and performing actions without consent. The
browser will send the cookies and the request
might look legit.
● Image tags (GET)
● Forms (POST)
● ...
38. 5. CSRF
● Exploitability: AVERAGE
● Prevalence: WIDESPREAD
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Require a non-predictable token param on all
actions that modify state
○ Use POST for all actions that modify state
○ Use custom header in ajax requests
○ Check Origin header when available!!!
39. 5. CSRF
@tuenti:
● Before, the check ran whenever a POST param was used
○ Default values caused us issues
● Now explicit annotation on controllers
○ @ChangesState
● Evangelize developers
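Added example (Python, not Tuenti's framework) of the prevention list and the explicit annotation idea from the slides: a per-session token, a POST-only rule, an Origin check when the header is present, acceptance of the token from a form field or from a custom header that only the site's own XMLHttpRequest code can add, and a changes_state decorator that enforces all of it before a controller runs. The allowed origin, the request shape and the handler names are constructed.

```python
import hmac
import secrets
from functools import wraps

# Assumptions for the example: the site's own origin(s) and a per-session token store.
ALLOWED_ORIGINS = {"https://www.example.test"}
CSRF_TOKENS = {}  # session id -> token


def issue_token(sid):
    """One unpredictable token per session, embedded in forms and read by the app's JS."""
    if sid not in CSRF_TOKENS:
        CSRF_TOKENS[sid] = secrets.token_urlsafe(32)
    return CSRF_TOKENS[sid]


def csrf_ok(request):
    """request is a constructed dict with keys: method, sid, headers, params."""
    # 1. State changes only over POST: an <img src> can never be a POST.
    if request["method"] != "POST":
        return False
    # 2. Origin, when the browser sends it, must be one of ours.
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    # 3. The token must match the session's, from a form field or from the custom
    #    header that only our own XMLHttpRequest code adds.
    expected = CSRF_TOKENS.get(request["sid"])
    supplied = request["params"].get("csrf_token") or request["headers"].get("X-CSRF-Token")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(supplied, expected)


def changes_state(handler):
    """Explicit annotation for controllers that modify state; the framework
    refuses the request before the handler runs unless the CSRF checks pass."""
    @wraps(handler)
    def wrapper(request, *args, **kwargs):
        if not csrf_ok(request):
            return {"status": 403, "body": "csrf check failed"}
        return handler(request, *args, **kwargs)
    wrapper.changes_state = True
    return wrapper


@changes_state
def update_status(request):
    return {"status": 200, "body": "status set to %s" % request["params"]["text"]}


def read_profile(request):
    """Read-only controller: no annotation, no token needed."""
    return {"status": 200, "body": "profile"}
```

The annotation doubles as documentation: a code review can grep for controllers that mutate state and check that each one carries it, which is the "evangelize developers" part in practice.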
42. 6. Security misconfiguration
● Exploitability: EASY
● Prevalence: COMMON
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Develop install & configuration procedures
○ Document services and subscribe to updates
○ Hide services versions when possible
○ Separate components to minimize risks
43. 6. Security misconfiguration
@tuenti:
● We are big: >1k servers
○ More possibilities for some issue
● But...
○ We use config management (Puppet)
○ Good deployment procedures, documentation
○ Very isolated services
○ Few generic web components
○ Good systems team
46. 7. URL access
● Exploitability: EASY
● Prevalence: UNCOMMON
● Detectability: AVERAGE
● Impact: MODERATE
● Prevention:
○ Deny by default
○ Deploy by selection
47. 7. URL access
@tuenti
● Good deploy system
● Split environments for production and dev
● Most non-public services restricted to VPN +
centralized auth
49. 8. Unvalidated redirects
Use a service's redirect to trick users into clicking
on a link (that belongs to the valid service) and achieve
more effective phishing / virus
downloads / revenue.
50. 8. Unvalidated redirects
● Exploitability: AVERAGE
● Prevalence: UNCOMMON
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Don't expose destination URL as param, use
references to a white list
○ Ensure end URLs are safe (Safe search, user
reporting tools...)
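Added example (Python, not code from the slides) of the first prevention point: the redirect endpoint takes an opaque key that is looked up in a whitelist, and, for the cases where a "return to" path really must travel in the request, a validator that accepts only a site-relative path and falls back to a default for anything else. The whitelist and the default target are constructed.

```python
from urllib.parse import urlsplit

# Constructed whitelist: the URL carries an opaque key, never the destination itself.
REDIRECT_TARGETS = {
    "home": "/home",
    "help": "https://help.example.test/",
}
DEFAULT_TARGET = "/home"


def redirect_by_key(key):
    """Unknown keys fall back to a safe default instead of erroring out."""
    return REDIRECT_TARGETS.get(key, DEFAULT_TARGET)


def safe_local_redirect(url):
    """Accept only a site-relative path; anything else goes to the default."""
    if any(ch in url for ch in "\r\n\x00"):
        return DEFAULT_TARGET  # would otherwise end up in a Location header
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET  # absolute URL or protocol-relative //host
    if not url.startswith("/") or url.startswith("//") or url.startswith("/\\"):
        return DEFAULT_TARGET  # browsers treat /\ like //
    return url
```

The key-based form is preferable: it is a whitelist by construction and leaves nothing to parse, which is the point of the slide; the path validator is the fallback for legacy "next=" style parameters.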
52. 9. Insecure crypto storage
Some data is sensitive enough to require being
stored encrypted/hashed, to protect it from
being stolen.
Unsalted hashes might be exploitable, backups
might contain keys or cleartext, services might
expose decrypt mechanisms, internal attackers
might have access to keys.
53. 9. Insecure crypto storage
● Exploitability: DIFFICULT
● Prevalence: UNCOMMON
● Detectability: DIFFICULT
● Impact: SEVERE
● Prevention:
○ Keep backups encrypted, don't store keys in the same
place.
○ Use salted hashes and constant-time comparison
○ Ensure keys are protected
○ Don't offer full info (credit card XXXX 1234)
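Added example (Python, not code from the slides) serving both the "store passwords securely" point of the Auth & Session slide and the salted-hash / constant-time / partial-information points here: a per-user random salt with PBKDF2-HMAC-SHA256, a self-describing stored format, verification with a constant-time comparison, and a masking helper for the "XXXX 1234" case. The iteration count and the storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor: raise it until a hash costs roughly 100 ms on your servers.
ITERATIONS = 210_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password):
    """Per-user random salt + PBKDF2-HMAC-SHA256. The stored string names the
    algorithm and iteration count, so the cost can be raised later without
    breaking records hashed under the old setting."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(dk))


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself leaks nothing about how many bytes matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def mask_card_number(number):
    """Show only the last four digits, as in 'XXXX 1234' on the slide."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "XXXX XXXX XXXX " + digits[-4:]
```

Two users with the same password get different stored strings because of the salt, which is what defeats the precomputed-table attack that unsalted hashes are exposed to; the masked form is what a backup or a support screen should contain, not the full number.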
55. 10. Transport layer protection
An attacker might sniff traffic of your users to
steal sessions to retrieve data, do spam...
56. 10. Transport layer protection
● Exploitability: DIFFICULT
● Prevalence: COMMON
● Detectability: EASY
● Impact: MODERATE
● Prevention:
○ Ensure SSL is used on all requests and on all resources
loaded.
○ Change session ids when switching to https.
○ If optional, try to detect shared IPs and auto-enable
on those.
57. Top 10 security issues in webapps
1. Injection
2. XSS
3. Broken auth, session management
4. Insecure direct object references
5. CSRF
6. Security misconfiguration
7. Failure to restrict URL access
8. Unvalidated redirects
9. Insecure crypto storage
10. Insufficient transport layer protection
11. Extras
58. 11. Extras: Cross domain data leak
Ajax is changing web apps, with JS-rich
clients that request data.
Beware of exposing JS / JSON user data
through GET requests without CSRF
tokens/headers! The <script> tag is not cross-domain
safe!
● Require a custom header (only XMLHttpRequest can
set it) and keep using GET
● Check the Origin header
59. 11. Extras: Clickjacking
Trick users into clicking/copying content on your page
(bypassing CSRF) by using a hidden frame
● Use X-Frame-Options
● Some anti-frame JS (hard)
○ top.location might not be accessible, causing a JS error
○ redirections might be cancelled
○ Best (not pretty): serve a blank page with a link whose
target is _blank; if top.location == self.location, add the
content
60. 11. Extras: Unicode
● Filter special Unicode that can break the design
● UTF encoding might bypass your XSS filters
● UTF URL encoding might bypass directory
checks...
● The NUL byte (%00) might bypass suffix checks
61. 11. Extras: HTTP/Mail Headers
● Are subject to CR/LF injection, leading to
○ XSS
○ Spam
○ redirection
○ ...
● Use a safe API
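Added example (Python, not code from the slides) of what such a safe API checks: header names restricted to the RFC 7230 token characters, values refused if they contain CR, LF, NUL or other control characters, and a renderer that is the only path to the wire format. The same rule applies to mail header lines.

```python
import re

# RFC 7230 header-name token, and the control characters a value must never contain.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # CR, LF, NUL and other controls; TAB allowed


class HeaderInjection(ValueError):
    pass


def is_safe_header_value(value):
    return _CTL.search(value) is None


def safe_header(name, value):
    """The one place where a header line is built; anything that would start a
    new line (and so a new header) is rejected rather than escaped."""
    if not _TOKEN.match(name):
        raise HeaderInjection("bad header name: %r" % name)
    value = str(value).strip()
    if not is_safe_header_value(value):
        raise HeaderInjection("control character in value of %s" % name)
    return "%s: %s" % (name, value)


def render_headers(pairs):
    """Serialise (name, value) pairs into wire form; raises on injection."""
    return "".join(safe_header(n, v) + "\r\n" for n, v in pairs) + "\r\n"
```

The check must run on the final bytes that go out: a value that still contains "%0d%0a" is harmless here, but only as long as nothing further down decodes it before emission.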
62. 11. Extras: People
● People are always the weakest link
● Phishing
○ Educate
○ Good urls
○ Design
○ Referer analysis
○ React
● Self-inflicted JS injection
○ Educate
○ Filter content, be aware of surges
64. No input validation?
Minimize malformed data, make it match
business needs.
NOT as the primary method to avoid XSS,
injection...
● Rules:
○ SERVER SIDE
○ Apply to all (form, url params, cookies, http headers)
○ Define whitelists of valid chars
○ Define length
○ Business on top of that
65. No input validation?
● Even so, Tuenti has a good validation
system:
○ Based on annotations on controllers.
○ At data layer (storage definition)
● Makes exploits harder
● Good practice, clean code
● Explicit args in controllers
67. Logging, stats, counters
● Very important for security
● Stats:
○ Detect issues, patterns to take measures.
● Logs
○ Analyze issues.
● Counters
○ Detect & react to malicious activity
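Added example (Python, not code from the slides) of the "counters" point, which also covers the "detect brute force, lock accounts" and "detect anomalous login patterns" items of the Auth & Session slides: sliding-window failure counters per account and per source address, plus a count of distinct accounts used from one address, each mapped to a reaction. Thresholds and the window are assumptions to be tuned from real stats.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune them from your own stats.
WINDOW = 15 * 60          # seconds of history kept per counter
MAX_FAILS_PER_USER = 5    # then lock the account (and notify the owner)
MAX_FAILS_PER_IP = 50     # then block or challenge the address
MAX_ACCOUNTS_PER_IP = 10  # distinct accounts logged in from one IP: flag for review


class LoginCounters:
    def __init__(self):
        self.fails = defaultdict(deque)      # "u:<user>" / "ip:<ip>" -> failure timestamps
        self.ip_logins = defaultdict(deque)  # ip -> (timestamp, user) of successful logins

    def _prune(self, q, now, ts=lambda e: e):
        """Drop entries older than WINDOW; returns the queue for convenience."""
        while q and now - ts(q[0]) > WINDOW:
            q.popleft()
        return q

    def record_failure(self, user, ip, now):
        self.fails["u:" + user].append(now)
        self.fails["ip:" + ip].append(now)

    def record_success(self, user, ip, now):
        self.fails["u:" + user].clear()      # the per-IP counter keeps its history
        self.ip_logins[ip].append((now, user))

    def decision(self, user, ip, now):
        """What to do with the next login attempt for (user, ip)."""
        if len(self._prune(self.fails["u:" + user], now)) >= MAX_FAILS_PER_USER:
            return "lock_account"
        if len(self._prune(self.fails["ip:" + ip], now)) >= MAX_FAILS_PER_IP:
            return "block_ip"
        recent = self._prune(self.ip_logins[ip], now, ts=lambda e: e[0])
        if len({u for _, u in recent}) >= MAX_ACCOUNTS_PER_IP:
            return "review"
        return "allow"
```

The per-account lock is deliberately separate from the per-address block: one attacker trying many passwords against one account and one attacker trying one password against many accounts show up on different counters, and the third counter catches a single address walking through many valid credentials.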
68. Error handling
● Sanitize error messages, use same
templating system
● Do not provide information to users
● Control debug mode
● Dangers:
○ Log review tools (XSS)
○ As a payload upload mechanism
69. Community
● Take care of community!
○ Thank security researchers
○ Reply fast
○ <24h fix policy
○ Typically <2h!
○ Hall of FAME!!!
● How to report
○ Standard box security@tuenti.com + dns entries
○ Regular user support
○ Researchers know us
71. Browser XSS protections
● Reflected XSS protection
○ Different implementations in IE8, Chrome
○ Adds issues, new problems
○ Not perfect; might improve?
72. Client side templates
● Data only requests are easier to escape
● It's harder to inject data into client-side
templates (only persistent XSS)
● Templates might work in DOM mode
● SLOW in non recent browsers
73. Better JS
● More secure mashups
○ Google Caja...
● More enterprise JS
○ Dart, GWT, Closure, CoffeeScript
74. Plugins ... Apis ... Browsers
● Flash plugin will die!
● But new HTML5 apis will bring more issues
● Browsers extensions nightmare
75. Avoid cookies
Use XMLHttpRequest with the sid as a param, from
rich JS apps, against a destination domain that does
not have cookies.
● Decreases attack vectors on:
○ CSRF
○ Clickjacking
77. Content Security Policy (Mozilla)
● Restricts a lot of attacking vectors
○ Forbids inline javascript
○ Forbids dynamic js code: eval, setTimeout(<string>)
○ Restricts inline data sources (can be re-enabled for
images, for example)
○ Whitelist sources for each type of content (js, css,
images, ajax...)
○ Configures frame permissions better
● Hard to implement in complex sites
○ Twitter mobile is using it
○ Reports issues (to detect attacks, debug/testing
phase)
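Added example (Python, not code from the slides) showing what a per-content-type whitelist policy looks like once serialised into the header, together with the frame-ancestors directive that replaces the X-Frame-Options header from the clickjacking slide, a report-uri for the testing phase, and a small evaluator that answers "would this source be allowed under this policy" using CSP's default-src fallback. The policy, origin and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed policy: allowed sources per content type. No 'unsafe-inline',
# no 'unsafe-eval', so inline scripts and eval() are blocked by default.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example.test"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:", "https://*.cdn.example.test"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],   # the CSP way to forbid framing
    "report-uri": ["/csp-report"],   # violations are posted here for review
}
SITE_ORIGIN = "https://www.example.test"  # assumed origin of the site itself


def csp_header(policy):
    """Serialise the policy dict into the header value."""
    return "; ".join("%s %s" % (directive, " ".join(sources)) for directive, sources in policy.items())


def security_headers(policy, report_only=False):
    """Report-only mode lets you collect violations before enforcing on a complex site."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: csp_header(policy), "X-Frame-Options": "DENY"}


def _origin(url):
    p = urlsplit(url)
    return "%s://%s" % (p.scheme, p.netloc)


def _source_matches(src, url):
    if src == "'self'":
        return _origin(url) == SITE_ORIGIN
    if src in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False  # keywords that never match a fetched URL
    if src.endswith(":"):
        return url.startswith(src)  # scheme source such as data:
    s, u = urlsplit(src), urlsplit(url)
    if s.scheme != u.scheme or not s.hostname or not u.hostname:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith(s.hostname[1:])  # *.cdn.x -> ends with .cdn.x
    return s.hostname == u.hostname


def allows(policy, directive, url):
    """Would the browser load url for this directive? Falls back to default-src as CSP does."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(_source_matches(s, url) for s in sources)


def allows_inline_script(policy):
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources
```

Running allows() over the asset URLs of a page before switching from report-only to enforcing is a cheap way to find the third-party script or image host the policy forgot, which is the "hard to implement in complex sites" part of the slide.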