Cláudio André, profile picture
Uploaded byCláudio André
PPTX, PDF1,546 views

Hacker, you shall not pass!

This document discusses common web application vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It provides examples of each vulnerability and demonstrates how they can be exploited. The document also recommends best practices for authentication, authorization, and access control to prevent security issues. It introduces resources from the Open Web Application Security Project (OWASP) like the Top 10 list of vulnerabilities and a directory of vulnerable web applications for testing. The document promotes the use of tools like Burp Suite to aid in security testing of web applications.

Embed presentation

Downloaded 18 times
Hacker, you shall not pass! Web application secure development Cláudio André | claudioandre (at) gmail.com | @clviper
whoami ● 10+ years working in Information Systems ● Penetration Tester @ ● Web applications, Mobile applications and Infrastructure ● Blog: security.claudio.pt
SPECIALLY T
SQL Injection ● SQL query manipulation via input data from client; https://www.owasp.org/index.php/SQL_Injection
SQL Injection ● SQL query manipulation via input data from client; ● String concatenation; https://www.owasp.org/index.php/SQL_Injection
SQL Injection select name from users where user = ‘admin’ and password = ‘ubberpa$$w0rd’ https://www.owasp.org/index.php/SQL_Injection
SQL Injection select name from users where user = ‘admin’ and password = ‘ubberpa$$w0rd’ select name from users where user = ‘admin’ and password = ‘xpto’ or 1=1--’ https://www.owasp.org/index.php/SQL_Injection
SQL Injection Demo
Fixing SQL Injection ● Use of prepared statements (Parameterized Queries) https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Fixing SQL Injection ● Use of prepared statements (Parameterized Queries) https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Cross Site Scripting (XSS) ● Injection of malicious scripts via input data from the client; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) ● Injection of malicious scripts via input data from the client; ● Script reflection on the page; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) ● Injection of malicious scripts via input data from the client; ● Script reflection on the page; ● Reflected, Stored and DOM based; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) Request: http://vulnerablesite.local/index?name=Guest Response: <html> <body> <div> Hello Guest </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script> Response: <html> <body> <div> Hello <script>alert(“xss”)</script> </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script> Response: <html> <body> <div> Hello <script>alert(“xss”)</script> </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross Site Scripting (XSS) Demo
Fixing XSS ● Not straightforward; ● Start with HTML Escape and Attribute Escape. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Cross Site Request Forgery (CSRF) ● Force user to execute unwanted actions on a web application; https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) ● Force user to execute unwanted actions on a web application; ● Session Riding; https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) ● Force user to execute unwanted actions on a web application; ● Session Riding; ● Phishing Attacks https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) Request: http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) Request: http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word Attack: <img src=”http://vulnerablesite.local/changepassword?newpwd=owned”> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
Cross Site Request Forgery (CSRF) Demo
Fixing CSRF ● Synchronizer Token Pattern https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Fixing CSRF ● Synchronizer Token Pattern https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Triple A ● Authentication ● Authorization ● Access Control
Some best practices on Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; ● No limit for character set and max lengths; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; ● No limit for character set and max lengths; ● Enforce strong password policy; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication ● Prevent Brute-Force Attacks. Implement Captcha. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Some best practices on Authentication ● Prevent Brute-Force Attacks. Implement Captcha. ● Normalize error messages; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Access Control ● Vertical Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control ● Vertical Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/mainPage
Access Control ● Vertical Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/mainPage Request: http://vulnerablesite.local/adminPage
Access Control ● Horizontal Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control ● Horizontal Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/getUserProfile?id=1337
Access Control ● Horizontal Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/getUserProfile?id=1337 Request: http://vulnerablesite.local/getUserProfile?id=1338
Access Control ● Business Logic Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Access Control ● Business Logic Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet http://vulnerablesite.local/shop?action=chooseFormat http://vulnerablesite.local/shop?action=makePayment http://vulnerablesite.local/shop?action=downloadMovie
Some best practices on Access Control ● Implement roles and permissions https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Some best practices on Access Control ● Implement roles and permissions ● Perform authorization validation on all pages. https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Some best practices on Access Control ● Implement roles and permissions ● Perform authorization validation on all pages. ● Data-Context access controls https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Open Web Application Security Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software;
Open Web Application Security Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software; ● Best practices;
Open Web Application Security Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software; ● Best practices; ● OWASP Top 10;
OWASP TOP 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Vulnerable Web Applications Directory ● Vulnerable web applications for web dev, security auditors and pentesters. ● Offline, Online, Virtual Machines and ISOs. https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
Portswigger Burp Suite ● Integrated platform for web application security tests.
Portswigger Burp Suite ● Integrated platform for web application security tests. ● Has free version and is cross platform.
Portswigger Burp Suite ● Integrated platform for web application security tests. ● Has free version and is cross platform. ● Not only for infosec guys. Devs should use it.
Hacker, you shall not pass!

More Related Content

PDF
What should I do when my website got hack?
bySumedt Jitpukdebodin
 
PDF
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
PDF
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
PDF
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PDF
Security Presentation for Boulder WordPress Meetup
byAngela Bowman
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
PDF
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
byNir Goldshlager
 
What should I do when my website got hack?
bySumedt Jitpukdebodin
 
Djangoアプリのデプロイに関するプラクティス / Deploy django application
byMasashi Shibata
 
Django の認証処理実装パターン / Django Authentication Patterns
byMasashi Shibata
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Security Presentation for Boulder WordPress Meetup
byAngela Bowman
 
Securing AEM webapps by hacking them
byMikhail Egorov
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
byNir Goldshlager
 

What's hot

PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PPTX
JavaScript Performance (at SFJS)
bySteve Souders
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PPTX
Poisoning Google images
bylukash4
 
PPTX
High Performance Web Components
bySteve Souders
 
PPTX
High Performance HTML5 (SF HTML5 UG)
bySteve Souders
 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
PDF
Integrating WordPress With Web APIs
byrandyhoyt
 
PDF
Fun With Spring Security
byBurt Beckwith
 
PDF
Api
byrandyhoyt
 
PDF
Technieken & tools @ Joomla! Performance Expert Sessie
bySander Potjer
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
PPT
Fav
byhelloppt
 
PDF
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
PDF
Subresource Integrity
byPhilippe De Ryck
 
PPTX
Spring Security
byBoy Tech
 
PDF
Cracking into embedded devices and beyond
byamiable_indian
 
PPT
Building rock solid software in the real world
byOmni Adams
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
JavaScript Performance (at SFJS)
bySteve Souders
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
Poisoning Google images
bylukash4
 
High Performance Web Components
bySteve Souders
 
High Performance HTML5 (SF HTML5 UG)
bySteve Souders
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
Integrating WordPress With Web APIs
byrandyhoyt
 
Fun With Spring Security
byBurt Beckwith
 
Api
byrandyhoyt
 
Technieken & tools @ Joomla! Performance Expert Sessie
bySander Potjer
 
What should a hacker know about WebDav?
byMikhail Egorov
 
Fav
byhelloppt
 
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
Subresource Integrity
byPhilippe De Ryck
 
Spring Security
byBoy Tech
 
Cracking into embedded devices and beyond
byamiable_indian
 
Building rock solid software in the real world
byOmni Adams
 
W3 conf hill-html5-security-realities
byBrad Hill
 

Viewers also liked

PPT
URLs and Domains (SMX East 2008)
byNathan Buggia
 
PPT
International SEO
byiProspect Canada
 
PPTX
Adobe AEM(6.0-6.1)_AEM Forms(6.1-6.2)_Developer_KrishnaChaitanya Palla
byKrishna Chaitanya Palla
 
PPTX
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
PPTX
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
PPTX
How to Choose a Domain Name (tips to buy and register the best domains)
byPickaweb
 
PDF
Infrastructure as Data with Ansible for easier Continuous Delivery
byCarlo Bonamico
 
PDF
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
byCarlo Bonamico
 
PPTX
AEM - Client Libraries
byPrabhdeep Singh
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
PPT
Effective Strategic Planning Workshop
byCyber Sari-Sari
 
PPTX
Microsoft Azure vs Amazon Web Services (AWS) Services & Feature Mapping
byIlyas F ☁☁☁
 
URLs and Domains (SMX East 2008)
byNathan Buggia
 
International SEO
byiProspect Canada
 
Adobe AEM(6.0-6.1)_AEM Forms(6.1-6.2)_Developer_KrishnaChaitanya Palla
byKrishna Chaitanya Palla
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
byVladimir Kochetkov
 
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
How to Choose a Domain Name (tips to buy and register the best domains)
byPickaweb
 
Infrastructure as Data with Ansible for easier Continuous Delivery
byCarlo Bonamico
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
byCarlo Bonamico
 
AEM - Client Libraries
byPrabhdeep Singh
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
Effective Strategic Planning Workshop
byCyber Sari-Sari
 
Microsoft Azure vs Amazon Web Services (AWS) Services & Feature Mapping
byIlyas F ☁☁☁
 

Similar to Hacker, you shall not pass!

PPT
WebApps_Lecture_15.ppt
byOmprakashVerma56
 
PDF
2013 OWASP Top 10
bybilcorry
 
PPTX
OWASP top 10-2013
bytmd800
 
PPTX
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
PDF
Web application sec_3
byvhimsikal
 
PDF
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PDF
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
PPTX
6 - Web Application Security.pptx
byAlmaOraevi
 
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
PPTX
Solving Labs for Common Web Vulnerabilities: A Hands-On Guide
byBoston Institute of Analytics
 
ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PDF
Web vulnerabilities
byOleksandr Kovalchuk
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PDF
Security Awareness
byLucas Hendrich
 
PPTX
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
PDF
Web Security.pdf
byAdityaKumar1548
 
WebApps_Lecture_15.ppt
byOmprakashVerma56
 
2013 OWASP Top 10
bybilcorry
 
OWASP top 10-2013
bytmd800
 
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
Web application sec_3
byvhimsikal
 
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Devbeat Conference - Developer First Security
byMichael Coates
 
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
6 - Web Application Security.pptx
byAlmaOraevi
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
byFernandoVizer
 
Web security and OWASP
byIsuru Samaraweera
 
Solving Labs for Common Web Vulnerabilities: A Hands-On Guide
byBoston Institute of Analytics
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
Web vulnerabilities
byOleksandr Kovalchuk
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Security Awareness
byLucas Hendrich
 
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
Web Security.pdf
byAdityaKumar1548
 

More from Cláudio André

PPTX
Droidstat-X, Android Applications Security Analyser Xmind Generator
byCláudio André
 
PPTX
This is the secure droid you are looking for
byCláudio André
 
PDF
Is my app secure?
byCláudio André
 
PPTX
A day in the life of a pentester
byCláudio André
 
PPTX
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
byCláudio André
 
PPTX
Mobile (in)security ?
byCláudio André
 
PPTX
Pentesting Android Applications
byCláudio André
 
Droidstat-X, Android Applications Security Analyser Xmind Generator
byCláudio André
 
This is the secure droid you are looking for
byCláudio André
 
Is my app secure?
byCláudio André
 
A day in the life of a pentester
byCláudio André
 
Mobile application (in)security - 2nd Integrity Smart Executive Breakfast
byCláudio André
 
Mobile (in)security ?
byCláudio André
 
Pentesting Android Applications
byCláudio André
 

Recently uploaded

PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
AI Technology important knowledge ......
byutkarshj2007
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 

Hacker, you shall not pass!

  • 1.
    Hacker, you shallnot pass! Web application secure development Cláudio André | claudioandre (at) gmail.com | @clviper
  • 2.
    whoami ● 10+ yearsworking in Information Systems ● Penetration Tester @ ● Web applications, Mobile applications and Infrastructure ● Blog: security.claudio.pt
  • 4.
  • 5.
    SQL Injection ● SQLquery manipulation via input data from client; https://www.owasp.org/index.php/SQL_Injection
  • 6.
    SQL Injection ● SQLquery manipulation via input data from client; ● String concatenation; https://www.owasp.org/index.php/SQL_Injection
  • 7.
    SQL Injection select namefrom users where user = ‘admin’ and password = ‘ubberpa$$w0rd’ https://www.owasp.org/index.php/SQL_Injection
  • 8.
    SQL Injection select namefrom users where user = ‘admin’ and password = ‘ubberpa$$w0rd’ select name from users where user = ‘admin’ and password = ‘xpto’ or 1=1--’ https://www.owasp.org/index.php/SQL_Injection
  • 9.
  • 10.
    Fixing SQL Injection ●Use of prepared statements (Parameterized Queries) https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 11.
    Fixing SQL Injection ●Use of prepared statements (Parameterized Queries) https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • 12.
    Cross Site Scripting(XSS) ● Injection of malicious scripts via input data from the client; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 13.
    Cross Site Scripting(XSS) ● Injection of malicious scripts via input data from the client; ● Script reflection on the page; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 14.
    Cross Site Scripting(XSS) ● Injection of malicious scripts via input data from the client; ● Script reflection on the page; ● Reflected, Stored and DOM based; https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 15.
    Cross Site Scripting(XSS) Request: http://vulnerablesite.local/index?name=Guest Response: <html> <body> <div> Hello Guest </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 16.
    Cross Site Scripting(XSS) Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script> Response: <html> <body> <div> Hello <script>alert(“xss”)</script> </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 17.
    Cross Site Scripting(XSS) Request: http://vulnerablesite.local/index?name=<script>alert(“xss”)</script> Response: <html> <body> <div> Hello <script>alert(“xss”)</script> </div> </body> </html> https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  • 18.
  • 19.
    Fixing XSS ● Notstraightforward; ● Start with HTML Escape and Attribute Escape. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 20.
    Cross Site RequestForgery (CSRF) ● Force user to execute unwanted actions on a web application; https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  • 21.
    Cross Site RequestForgery (CSRF) ● Force user to execute unwanted actions on a web application; ● Session Riding; https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  • 22.
    Cross Site RequestForgery (CSRF) ● Force user to execute unwanted actions on a web application; ● Session Riding; ● Phishing Attacks https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  • 23.
    Cross Site RequestForgery (CSRF) Request: http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  • 24.
    Cross Site RequestForgery (CSRF) Request: http://vulnerablesite.local/changepassword?newpwd=MyS3cr3tPa$$word Attack: <img src=”http://vulnerablesite.local/changepassword?newpwd=owned”> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28
  • 25.
    Cross Site RequestForgery (CSRF) Demo
  • 26.
    Fixing CSRF ● SynchronizerToken Pattern https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  • 27.
    Fixing CSRF ● SynchronizerToken Pattern https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  • 28.
    Triple A ● Authentication ●Authorization ● Access Control
  • 29.
    Some best practiceson Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 30.
    Some best practiceson Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; ● No limit for character set and max lengths; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 31.
    Some best practiceson Authentication ● NO PLAIN TEXT!!! Use of strong cryptographic algorithms; ● No limit for character set and max lengths; ● Enforce strong password policy; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 32.
    Some best practiceson Authentication ● Prevent Brute-Force Attacks. Implement Captcha. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 33.
    Some best practiceson Authentication ● Prevent Brute-Force Attacks. Implement Captcha. ● Normalize error messages; https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 34.
    Access Control ● VerticalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 35.
    Access Control ● VerticalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/mainPage
  • 36.
    Access Control ● VerticalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/mainPage Request: http://vulnerablesite.local/adminPage
  • 37.
    Access Control ● HorizontalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 38.
    Access Control ● HorizontalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/getUserProfile?id=1337
  • 39.
    Access Control ● HorizontalAccess Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Request: http://vulnerablesite.local/getUserProfile?id=1337 Request: http://vulnerablesite.local/getUserProfile?id=1338
  • 40.
    Access Control ● BusinessLogic Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 41.
    Access Control ● BusinessLogic Access Control Attack https://www.owasp.org/index.php/Access_Control_Cheat_Sheet http://vulnerablesite.local/shop?action=chooseFormat http://vulnerablesite.local/shop?action=makePayment http://vulnerablesite.local/shop?action=downloadMovie
  • 42.
    Some best practiceson Access Control ● Implement roles and permissions https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 43.
    Some best practiceson Access Control ● Implement roles and permissions ● Perform authorization validation on all pages. https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 44.
    Some best practiceson Access Control ● Implement roles and permissions ● Perform authorization validation on all pages. ● Data-Context access controls https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
  • 45.
    Open Web ApplicationSecurity Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software;
  • 46.
    Open Web ApplicationSecurity Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software; ● Best practices;
  • 47.
    Open Web ApplicationSecurity Project (OWASP) ● Not-for-profit charitable organization focused on improving the security of software; ● Best practices; ● OWASP Top 10;
  • 48.
  • 49.
    OWASP Vulnerable WebApplications Directory ● Vulnerable web applications for web dev, security auditors and pentesters. ● Offline, Online, Virtual Machines and ISOs. https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
  • 50.
    Portswigger Burp Suite ●Integrated platform for web application security tests.
  • 51.
    Portswigger Burp Suite ●Integrated platform for web application security tests. ● Has free version and is cross platform.
  • 52.
    Portswigger Burp Suite ●Integrated platform for web application security tests. ● Has free version and is cross platform. ● Not only for infosec guys. Devs should use it.