Defending Web
Applications
Who are we?
Overview
What is the OWASP Top 10?
§ Injection
§ Cross Site Scripting
§ Broken Authentication & Session Management
§ Insecure Direct Object Reference
§ Cross Site Request Forgery
§ Security Misconfiguration
§ Insecure Cryptographic Storage
§ Failure to Restrict URL Access
§ Insufficient Transport Layer Protection
§ Unvalidated Redirects and Forwards
Scene 1 – Attack of the Scanners
Defending Web Applications

§ Implement Monitoring
Scene 2 – Plugin Attacks!
Defending Web Applications

§ Implement Monitoring
§ Patching
§ Penetration Testing
Scene 3 – Watch out for Admin Interfaces!
Defending Web Applications
§ Implement Monitoring
§ Patching
§ Penetration Testing
§ Strong Authentication
  § For example 2FA
§ Protect Admin Interfaces
  § Limit access
  § SSL/TLS
§ Avoid Password Reuse
Denial of Service vs CloudFlare
Summary
§ Implement Monitoring
§ Patching
§ Penetration Testing
§ Strong Authentication
  § For example 2FA
§ Protect Admin Interfaces
  § Limit access
  § SSL/TLS
§ Avoid Password Reuse
References
§ www.owasp.org
§ www.portswigger.net (Burp)
§ www.ossec.net
§ www.sucuri.net
§ www.cloudflare.com
§ code.google.com/p/google-authenticator/
Defending web applications AISA Techday 2011 Perth

Editor's Notes

  1. Hi, we’re Dave and Christian. For the last couple of years we’ve spoken at Tech Day on breaking web applications. This year we are taking a different approach: how to defend web applications from attack.
  2. Today we’re going to tell you a story, and this story is broken into a few scenes; in fact, it’s more like a movie than a story. Anyway. For each of the scenes we will highlight the impacts of a particular attack, and then relate that back to an identified OWASP Top 10 risk; then we’ll discuss the controls implemented, and some not implemented. Before we begin though, we thought it worthwhile to have a quick refresher of the OWASP Top 10 for 2010.
  3. The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Each of the Top 10, as classified by OWASP, considers the attack vector, the prevalence of the weakness, how easy it is to detect the weakness, the technical impact and the business impact. We don’t have time to cover all of the 10, but we’ll be referring back to these periodically throughout our scenarios.
  4. Let’s tell you a story about Steve. Steve runs a medium-sized business selling widgets to the happy customers of Perth, and over the past few years he’s been aggressively expanding his business. What first started off as word-of-mouth marketing shifted to print marketing, and after returning from a business conference over east he realises that he’s not tapping into that market at all. I mean, he has a static website that mainly links to their email address, but they’re not actively promoting or selling online. So after talking with a few other people in similar positions he decides he’s going to do it: he’s going to set up a blog. Sound pretty familiar? How many people out there have a blog? What about, how many of you have read a blog? Whilst our examples are heavily related to blogging engines, these impacts and controls are equally applicable to micro sites, commercial off-the-shelf software, 3rd-party-developed open source, SharePoint, OWA and turnkey-deployed apps. You don’t always have the expertise or the ability to fix the code directly, so you may not be able to fix the underlying source code issues, but you can instead implement other defensive mechanisms.
  5. Demo:
     - Demonstrate the site briefly.
     - Jump to the attacker demonstrating Nikto.
     - Jump back to the site? Or to an admin, who has no idea?
     - Explain that we’ve now enabled OSSEC to monitor the Apache logs with email alerting and active response.
     - Jump back to the attacker, demonstrating Nikto.
     - Jump back to the admin and show the email/alert notification.
  6. The impacts of scanning alone are a little difficult to quantify:
     - Potential performance impact or DoS if the scanning is aggressive
     - Scanning is often followed by other attacks
     - If the attacker’s scan finds vulnerabilities, they will often attempt to exploit them.
  7. The defensive strategy from this example scenario is quite simple: monitoring. Almost all systems, web servers and applications have some form of default logging. The important step is leveraging this logging (in near real time) to know when your system is under attack (or compromised!). Open source (OSSEC / Snort) or commercial HIDS products can really help out here. In a worst-case scenario, if your web application was compromised, being able to respond quickly to the compromise can limit the impact or damage caused by the compromise:
     - It can help to limit the amount of sensitive information that is exposed
     - It can limit the potential reputational damage (e.g. defacement)
     The latest Verizon Data Breach Investigations Report found that 74% of their incidents took “weeks” to “months” between ‘compromise’ and ‘discovery’. How much would that cost your organisation? Another feature of OSSEC that we didn’t demonstrate, or enable, was “Active Response”. This feature enables particular actions based on alerts. E.g. if you get a large number of “400” response codes from the same source IP address, it usually means that you are being scanned; temporarily deny them access to your server with a local firewall rule. If this was enabled, the Nikto scans would have all but crawled to a stop. An alternative approach to monitoring is through services like Sucuri:
     - Cloud-based / SaaS monitoring of public / published web content
     - If content changes are detected, raise an alert
     - Not as pro-active as HIDS (only really useful to detect compromises) but useful all the same.
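The active-response rule described in note 7 (many 400-class responses from one source address usually means a scan, so deny that address for a while), written out as an added Python example; it is not OSSEC's code and not part of the talk. The log lines are constructed samples using RFC 5737 test addresses, and the threshold, window length and iptables command are assumptions.

```python
"""Flag source IPs that produce many 4xx responses in a short window (OSSEC-style rule)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of the Apache "combined" log format; size, referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(line):
    """Return (ip, timestamp, status, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("req")


def find_scanners(lines, threshold=10, window_seconds=60):
    """Return {ip: (count, time_flagged)} for every source that produced at least
    `threshold` 4xx responses inside any `window_seconds`-long window.
    Each IP is reported once, at the moment it crosses the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of its 4xx responses still in the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status, _request = parsed
        if not 400 <= status < 500:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = (len(hits), ts)
    return flagged


def temporary_block_command(ip, seconds=600):
    """The host-firewall command an active-response hook would run to deny the
    source for a while (returned as text, never executed here; assumes iptables)."""
    return f"iptables -I INPUT -s {ip} -j DROP  # undo after {seconds} seconds"


# Constructed sample log, not taken from the talk: one address probing for files
# that do not exist (12 x 404 in 12 seconds) next to a normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Sep/2011:10:15:{i:02d} +0800] "GET /missing-{i}.php HTTP/1.1" '
    f'404 209 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '198.51.100.4 - - [15/Sep/2011:10:15:03 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Sep/2011:10:15:09 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'this line is not in log format and is skipped',
]

if __name__ == "__main__":
    for ip, (count, when) in find_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {ip}: {count} 4xx responses -> {temporary_block_command(ip)}")
```

A single visitor hitting one missing favicon stays under the threshold, which is the point of counting per source inside a window rather than alerting on every 404.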
  8. Demo:
     - The plugin, version.
     - Back to the attacker, using the exploit: the ability to upload arbitrary content?
     - Back to the admin, patch the plugin.
     - Back to the attacker, trying the exploit again.
  9. The impacts of a web application compromise can be many and varied:
     - Loss of sensitive information (e.g. customer data), potentially leading to customer ID theft and subsequent fraud, leading to customer dissatisfaction and loss of business
     - Defacement: potential reputational damage
     - Distribution of malware: again, potential reputational damage
  10. How does this relate back to the OWASP Top 10? In this instance, the exploit was actively exploiting a “Remote File Inclusion” vulnerability:
     - Very prevalent a couple of years ago in older versions of PHP
     - Was included in OWASP’s Top 10 of 2007
     - Current PHP disables the ability to ‘include’ remote content by default, and as a result RFI fell off the OWASP Top 10 of 2010.
     Application compromise could also arise from other vulnerabilities in the OWASP Top 10:
     - Injection (SQL injection, command injection)
     - Broken authentication
     - Failure to restrict URL access
     - and others…
  11. There are a few defensive strategies that are relevant to this demonstration:
     - Again, monitoring would have been useful. If we had HIDS in place, Steve would have been alerted to the compromise.
     - Patching is the second strategy. Ideally this type of vulnerability could be addressed with code changes, but you may not have access to the source, or the skills to fix the code; therefore patching is the best approach. It is important to patch comprehensively: OS, web server, web application, any add-in components.
     - Penetration testing can also be really useful. If you are pro-actively identifying vulnerabilities in your web applications, you can fix these issues before they are exploited by attackers.
  12. You can also see how the patch for this software removed the vulnerable statements. This was easy enough to find by looking for the offending ‘require’ statements.
  13. Demo:
     - Show the admin interface
     - Demonstrate the attacker utilising Burp’s Intruder to brute-force the password
     - Go back to the admin
     - Enable the Google Authenticator 2FA plugin
     - Attacker tries again
     - Also mention/demonstrate/show them implementing .htaccess rules to limit access.
  14. The impacts from this scenario would be very similar to the last. Once the attacker has access to the administrative interface, they could do pretty much whatever they liked:
     - Deface the site
     - Upload their own content (e.g. PHP shells)
     - Extract sensitive information
     - Add links to malware
     - Create additional WordPress users
  15. This example relates directly to OWASP’s “Broken Authentication and Session Management” risk. Whilst WordPress’ authentication method isn’t exactly “broken”, out of the box it is pretty weak:
     - No SSL protection, so credentials are exposed to eavesdropping
     - No account lockout
     - No password complexity controls
     You can also see a selection of other good authentication controls by reviewing the “Authentication Verification Requirements” in OWASP’s Application Security Verification Standard (ASVS).
  16. The defensive strategy that we demonstrated in this example was strengthening authentication. We implemented 2FA:
     - This would render the brute-force password attack useless
     - It also removes the risk of eavesdropping credentials, or credential theft through key-logging malware
     - Could also strengthen auth by adding password complexity, account lockout, etc.
     Other strategies that are relevant to this scenario are:
     - Protect administrative interfaces: limit the source IP addresses that can connect, and implement SSL protection on admin interfaces to avoid eavesdropping
     - Avoid password re-use: if you use the same password on your WordPress admin interface as you do for webmail, and your webmail password is compromised, the attackers could use this to attack WordPress. There has been a lot of this happening recently (e.g. HBGary).
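The 2FA mechanism behind the Google Authenticator plugin from notes 13 and 16 is time-based one-time passwords (RFC 4226 HOTP under RFC 6238 TOTP). The following is an added Python example of the server-side verification, not the plugin's own code or anything from the talk; it shows why a brute-forced or sniffed code stops being useful (30-second validity, one-step drift window, and a replay check via the last accepted counter). The demo secret is the published RFC test key, and the window and replay-tracking parameters are assumptions.

```python
"""TOTP verification compatible with Google Authenticator (RFC 4226 HOTP + RFC 6238 TOTP)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def key_from_base32(secret_b32: str) -> bytes:
    """Decode the base32 secret that the enrolment QR code carries (padding is optional)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """The code a Google Authenticator app shows at `at_time` (seconds since the epoch)."""
    return hotp(key_from_base32(secret_b32), int(at_time) // step, digits)


def verify_totp(secret_b32, code, at_time=None, step=30, window=1, last_counter=-1, digits=6):
    """Return the matching time-step counter, or None if the code is rejected.

    The code is accepted for the current step and up to `window` steps either
    side (phone clock drift), but never for a counter <= `last_counter`, which
    the caller persists after each success so a sniffed code cannot be replayed
    inside the window. hmac.compare_digest keeps the comparison constant-time."""
    if at_time is None:
        at_time = time.time()
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    key = key_from_base32(secret_b32)
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


# Constructed demo secret: the RFC 4226 / RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = time.time()
    current = totp(DEMO_SECRET, now)
    print(f"code now: {current}, accepted at counter {verify_totp(DEMO_SECRET, current, now)}")
```

Account lockout or rate limiting on the second factor is still needed: six digits across three accepted steps leaves a guess rate the verifier alone does not bound.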
  17. The final defensive strategy that we wanted to talk about relates to DoS. It wasn’t possible to put together a video for this, but we thought it was relevant to add into the mix. If DoS is one of your concerns for your web application, you should really consider leveraging a service like Cloudflare. Cloudflare essentially provides a reverse proxy service, wrapped up in DoS and DDoS protection controls. Instead of pointing the DNS record for your web application directly at your web server, you point it to Cloudflare. Cloudflare receives HTTP requests from your site’s visitors. They ensure that the requests are valid (i.e. not part of a DoS / DDoS attack) before forwarding the request on to your web server. Their service offerings start at free, and there are commercial options above this. A testament to the quality of Cloudflare’s service was this year’s Lulzsec / Anonymous operations. Lulzsec were compromising many high-profile organisations’ sites and publishing the compromised data on their website. They were obviously attracting a lot of attention from a number of fronts, and many groups were attempting to take their website off the air, unsuccessfully. Lulzsec were using Cloudflare to protect their website. You’ve got to think: if Cloudflare is good enough for Lulzsec, it is probably good enough for my organisation.
  18. So, in summary, we have tried to present some pragmatic and low-cost controls that you can use to protect your Internet web applications. Although OWASP’s primary focus is on fixing web vulnerabilities through developer education and code remediation, all of the measures we presented can generally be implemented without touching a line of code. We certainly can’t guarantee that if you do all of these things, your site won’t be attacked or compromised… But the likelihood of a compromise is reduced… And the impact from a compromise should also be reduced. Thanks for your time. I hope that this presentation has provided you with some value. We’ve included some references on the next slide to the tools and services that we have referenced in the presentation. Hopefully this slide pack will be available for download after the event, if you are interested in further reading. We invite any questions…
  19. Questions?