It seems like every day that another company's logo is plastered across the media because it has lost thousands, if not millions, of customer records. This kind of data loss is damaging to a company's reputation, and its customers have little control over their private information. Attackers often want this data for financial gain or to embarrass that company. There are several methods a malicious attacker will use to gain access to this data. Injection-based attacks leverage an application's lack of input validation to extract information and allow for unauthorized data access. In addition, the platform on which the application resides can be leveraged to gain unauthorized admin access and, ultimately, data access. Both scenarios will be discussed and demonstrated in this talk. Finally, mitigating steps will be discussed at every level of the attack. The approach will be a defense in depth model that proactively protects a web application. While there is no silver bullet against a determined attacker, these mitigations will make their lives more difficult.
11.
◉ Provides free documentation on offensive and defensive application measures
◉ Curated "OWASP Top Ten" Vulnerabilities
◉ OWASP Web Testing Guide
◉ Contains material for:
    Web Applications
    Mobile
    Software Development
    Tools
15. Injection Attacks
◉ Occurs when unintended data is sent to an application
◉ Proper input validation / server-side validation is not being performed
◉ A dynamically built query can be altered to execute arbitrary calls or requests
◉ Common Types of Injection
    SQL
    XML
    OS Command
22. Misconfigurations
◉ Serves as a catch-all for many facets of the implementation
◉ Can occur at all levels of the technology stack
◉ Identifies both technical and procedural weaknesses
35. OWASP SAMM
◉ Software Assurance Maturity Model
◉ Integrating Assessment and Review Activities throughout your SDLC
◉ Based on your organization's security drivers
◉ https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
36. A Note About Testing Types
Static Reviews: Source code reviews that are incorporated throughout the development cycle.
Dynamic Testing: Assessment of the final solution in an operational context.
37. SQL Injection Prevention
◉ OWASP has language specific recommendations
◉ Parameterized Queries
◉ Input Validation – White Listing
◉ Escaping User Input
◉ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
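As an added illustration of this slide's parameterized-query and white-listing points (example code, not from the talk), the functions below place a dynamically built lookup beside its prepared-statement form and allow-list a column name that cannot be bound as a parameter. The in-memory table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample database for the example (not from the slides).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # Dynamically built query (slide 15): the caller-supplied value becomes
    # part of the SQL text, so a quote in the input changes the statement.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Prepared statement: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Identifiers (table and column names) cannot be bound as parameters,
# so the white-listing recommendation applies: accept only known names.
ALLOWED_SORT_COLUMNS = {"username", "email"}

def list_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_column!r}")
    # Safe to interpolate here because the value passed the allow-list.
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()

if __name__ == "__main__":
    db = build_db()
    tainted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tainted))      # every row leaks
    print("parameterized:", lookup_parameterized(db, tainted))  # no match
    print("sorted:", list_sorted(db, "email"))
```

The vulnerable lookup is what a server-side validation gap looks like in code; the parameterized version is the fix OWASP's cheat sheet lists as Defense Option 1.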